Kerberos

From Netatalk Wiki
(Difference between revisions)
Previous revision:

== Environment ==
Server:
* CentOS 5.5
* Kerberos
* OpenLDAP
* Netatalk-2.1.x

Clients:
* Snow Leopard
* Setup Kerberos: http://clc.its.psu.edu/Labs/Mac/Resources/authdoc/kerberosauthentication.aspx

== OpenLDAP config ==
User record:
<pre>
dn: uid=hiroysato,ou=users,dc=mydomain,dc=com
uid: hiroysato
cn: Hiroyuki Sato
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: apple-user
loginShell: /bin/bash
uidNumber: 1011
gidNumber: 1001
gecos: Hiroyuki Sato
userPassword: hidden
apple-user-homeurl: <home_dir><url>afp://afpserver.mydomain.com/home</url><path>hiroysato</path></home_dir>
altSecurityIdentities: Kerberos:hiroysato@MYDOMAIN.COM
homeDirectory: /afp/home/hiroysato
</pre>

== Trial and Error ==
I tried the following configurations. I would like to mount users' home directory on AFP at login time.

=== automount config on LDAP server (did not work) ===
I tried this automount configuration. However, when I access `/Network/Servers/afpserver.mydomain.com/home`, the home directory can't be mounted after login.
<pre>
dn: cn=afpserver.mydomain.com:/home,ou=mounts,dc=mydomain,dc=com
cn: afpserver.mydomain.com:/home
objectClass: mount
objectClass: top
mountDirectory: /Network/Servers/
mountType: url
mountOption: net
mountOption: url==afp://;AUTH=Client%20Krb%20v2@afpserver.mydomain.com/home
</pre>

=== home path changed (did not work) ===
I changed the user's home path to `/Volumes` because when I connect to the AFP server it is mounted in the /Volumes area.

The result was a failed login at the login window: ''error has occurred and login failed.''
<pre>
dn: uid=hiroysato,ou=users,dc=mydomain,dc=com
uid: hiroysato
cn: Hiroyuki Sato
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: apple-user
loginShell: /bin/bash
uidNumber: 1011
gidNumber: 1001
gecos: Hiroyuki Sato
userPassword: hidden
apple-user-homeurl: <home_dir><url>afp://afpserver.mydomain.com/home</url><path>hiroysato</path></home_dir>
altSecurityIdentities: Kerberos:hiroysato@MYDOMAIN.COM
homeDirectory: /Volumes/home/hiroysato
</pre>

=== auto_master (worked) ===
https://trolley.ca/mark/2009/08/16/automounting-afp-shares-for-plex/
<pre>
cat /etc/auto_master
#
# added the following line
#
/afp auto_afp

# cat /etc/auto_afp
home -fstype=afp afp://;AUTH=Client%20Krb%20v2@myhost.mydomain.com/home
</pre>

[[Category:Howtos]]

New revision:

== Enabling SSO with Active Directory ==
Below are the basic steps needed for SSO with Active Directory.

== Using ktpass on Windows ==
First you must generate a Kerberos service principal for the Netatalk AFP server in AD. This is done with the CLI tool "ktpass" on Windows. The basic syntax is:
<pre>
ktpass -princ afpserver/fqdn@REALM -mapuser mapuser@domain +rndPass -out afpserver.keytab
</pre>
* fqdn: fqdn of your Netatalk server
* REALM: Kerberos realm name of the AD domain
* mapuser@domain: name of a new user whose password is set to never expire

Full example:
<pre>
ktpass -princ afpserver/oi.ad.netafp.com@AD.NETAFP.COM -mapuser ktpassuser@ad.netafp.com +rndPass -out afpserver.keytab
</pre>

== Configure Netatalk ==
* Copy the keytab to your Netatalk server and set the afp.conf 'k5 keytab' option to the path where you stored it.
* Enable the GSS UAM (add uams_gss.so to 'uam list' in afp.conf -- must be compiled of course)

[[Category:Howtos]]

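Before pointing 'k5 keytab' at the file ktpass produced, it is worth confirming that the keytab actually carries the afpserver/fqdn@REALM principal the GSS UAM will look up. The following is an added example, not code from the Netatalk wiki or project: a small Python reader for the MIT/Heimdal keytab format that ktpass writes, with a check that the principal matches the convention used on this page (lower-case host, upper-case realm). build_keytab exists only to construct a sample file offline; the enctype number and zero key bytes in the sample are constructed placeholders, not real key material.

```python
import struct

def _cstr(s: bytes) -> bytes:  # counted octet string: 16-bit big-endian length + bytes
    return struct.pack(">H", len(s)) + s

def build_keytab(principal: str, enctype: int, key: bytes, kvno: int) -> bytes:
    """Encode a one-entry v2 keytab; used here only to construct a sample file."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">H", enctype) + _cstr(key) + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes) -> list[dict]:
    """Principal, enctype and kvno of every live entry (what klist -kt prints)."""
    assert data[:2] == b"\x05\x02", f"unsupported keytab version {data[:2]!r}"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # negative size marks a deleted slot to skip; zero is padding
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos, parts = pos + 2, []  # realm comes first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        vno8 = data[pos + 8]  # follows the 32-bit name_type and timestamp
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen  # skip over the key material itself
        kvno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8  # 32-bit kvno wins
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "enctype": enctype, "kvno": kvno})
        pos = end
    return entries

def check_afp_keytab(data: bytes, fqdn: str, realm: str) -> list[str]:
    """Problems that would stop Netatalk's GSS UAM from finding its service key."""
    want, problems = f"afpserver/{fqdn.lower()}@{realm.upper()}", []
    found = {e["principal"] for e in parse_keytab(data)}
    if want not in found:
        problems.append(f"expected {want}, keytab has {sorted(found)}")
    if any(not p.rsplit("@", 1)[1].isupper() for p in found):
        problems.append("realm is not upper-case; Kerberos realms are case-sensitive")
    return problems
```

Run check_afp_keytab on the real afpserver.keytab with your server's fqdn and realm; an empty list means the principal the page's ktpass command creates is present as expected.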
Revision as of 14:10, 29 November 2012