From 86784f9e23d376adcba4911ebe472429de12edf0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89tienne=20BERSAC?=
Date: Tue, 7 May 2024 10:56:41 +0200
Subject: [PATCH] Configure Samba for Kerberos authentication

---
 .gitignore | 1 +
 docker-compose.yml | 5 +++--
 ldaprc | 4 ++++
 test/fixtures/samba/kerberos.sh | 21 +++++++++++++++++++++
 test/krb5.conf | 17 +++++++++++++++++
 5 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 test/fixtures/samba/kerberos.sh
 create mode 100644 test/krb5.conf

diff --git a/.gitignore b/.gitignore
index c96270ae..2d7b3e04 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ dist/
 docker-compose.override.yml
 # test/conftest.py creates .env files
 .env
+test/samba.keytab
diff --git a/docker-compose.yml b/docker-compose.yml
index 9c30aef5..47c7b790 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,15 +6,16 @@ services:
     environment:
       REALM: bridoulou.fr
       ADMIN_PASS: 1Ntegral
-      DNS_BACKEND: "NONE"
     volumes:
+      - ./test/fixtures/samba/kerberos.sh:/docker-entrypoint-init.d/00-kerberos.sh
+      - ./test:/test # Use to export keytab in kerberos.sh
       - ./test/fixtures/samba/nominal.sh:/docker-entrypoint-init.d/95-nominal.sh
       - ./test/fixtures/samba/extra.sh:/docker-entrypoint-init.d/96-extra.sh
     hostname: samba1
     domainname: ldap2pg.docker
     labels:
       com.dnsdock.alias: samba1.ldap2pg.docker
-    command: [-d=1]
+    command: [-d=3]
 
   postgres:
     image: postgres:${PGVERSION-16}-alpine
diff --git a/ldaprc b/ldaprc
index 56fbbc2b..6f0227f7 100644
--- a/ldaprc
+++ b/ldaprc
@@ -4,3 +4,7 @@ TLS_REQCERT allow
 NETWORK_TIMEOUT 5
 TIMEOUT 5
 REFERRALS off
+SASL_AUTHCID Administrator
+# Disable canonicalization which trigger Kerberos SPN ldap/172.X.Y.Z instead of ldap/samba1.ldap2pg.docker.
+# With canonicalisation, GSSAPI fails with "Server not found in Kerberos database".
+SASL_NOCANON on
diff --git a/test/fixtures/samba/kerberos.sh b/test/fixtures/samba/kerberos.sh
new file mode 100644
index 00000000..8252ee7c
--- /dev/null
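Review bot: `command: [-d=3]` raises Samba's log level for every test run and the commit message does not mention it, so it reads like a debugging leftover; if it is intended, a comment such as `# -d=3 surfaces Kerberos/SPN activity from the init scripts` would keep it from being reverted as noise. The new `./test:/test` bind mount gives the container's init scripts write access to the whole test tree only to drop one keytab; a dedicated subdirectory (for example `./test/samba:/test`, with the paths in kerberos.sh, krb5.conf and .gitignore adjusted) would bound what the container can overwrite on the host. Dropping `DNS_BACKEND: "NONE"` is silent as well — presumably the image's default backend is needed so samba1.ldap2pg.docker resolves for Kerberos, and a short comment on the `volumes:` or `environment:` block would record that.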
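Review bot: The comment above `SASL_NOCANON on` is the only explanation a reader gets for this setting, so its wording matters: `which trigger` should be `which triggers`, and the two lines spell canonicalization/canonicalisation differently. A single consistent sentence, e.g. `# Disable hostname canonicalization: it would make GSSAPI request SPN ldap/172.X.Y.Z instead of ldap/samba1.ldap2pg.docker and fail with "Server not found in Kerberos database".`, says the same thing in one place. It would also help to note that `rdns = false` in test/krb5.conf is the matching setting on the Kerberos side.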
+++ b/test/fixtures/samba/kerberos.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -x
+samba-tool spn add ldap/samba1.ldap2pg.docker SAMBA1$
+samba-tool spn add ldap/localhost SAMBA1$
+samba-tool spn add ldap/localhost.localdomain SAMBA1$
+
+# Get Gateway (field 3) from default route (destination is 0.0.0.0).
+gateway_hex="$(grep -E '^\w+\s+00000000' /proc/net/route | cut -f 3)"
+gateway_bytes=( # IP is little endian.
+    $((16#${gateway_hex:6:2}))
+    $((16#${gateway_hex:4:2}))
+    $((16#${gateway_hex:2:2}))
+    $((16#${gateway_hex:0:2}))
+)
+printf -v gateway "%d.%d.%d.%d" "${gateway_bytes[@]}"
+
+samba-tool spn add "ldap/$gateway" SAMBA1$
+samba-tool spn list SAMBA1$
+samba-tool domain exportkeytab /test/samba.keytab --principal=Administrator
+chown -v "$(stat -c %u:%g "${BASH_SOURCE[0]}")" /test/samba.keytab
diff --git a/test/krb5.conf b/test/krb5.conf
new file mode 100644
index 00000000..5559c481
--- /dev/null
+++ b/test/krb5.conf
@@ -0,0 +1,17 @@
+[libdefaults]
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = true
+    rdns = false
+    default_realm = BRIDOULOU.FR
+    default_keytab_name = FILE:test/samba.keytab
+
+[realms]
+    BRIDOULOU.FR = {
+        kdc = samba1.ldap2pg.docker
+        admin_server = samba1.ldap2pg.docker
+    }
+
+[domain_realm]
+.ldap2pg.docker = BRIDOULOU.FR
+ldap2pg.docker = BRIDOULOU.FR
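Review bot: The script sets `set -x` but not `set -e`, so a failing `samba-tool spn add` or `samba-tool domain exportkeytab` does not stop the init phase and the closing `chown` then complains about a missing keytab instead of surfacing the real error; `set -ex` at the top would fail fast — unless re-running against a persisted domain is expected, in which case the `spn add` calls need to tolerate an already-registered SPN. The gateway parsing also assumes exactly one default route: with an empty `gateway_hex` the `$((16#...))` expressions are arithmetic errors, yet the script carries on and registers a meaningless `ldap/...` SPN, so guard it with `[ -n "$gateway_hex" ] || { echo "no default route in /proc/net/route" >&2; exit 1; }` before the `gateway_bytes` array. Finally, the exported keytab carries the Administrator long-term key into a host-mounted directory; since exportkeytab's default file mode is not visible here, a `chmod 600 /test/samba.keytab` after the `chown` would ensure it is readable only by the test user.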
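Review bot: `default_keytab_name = FILE:test/samba.keytab` is a relative path, resolved against the working directory of whatever process loads this krb5.conf, so GSSAPI only finds the keytab when the test suite is started from the repository root; either document that constraint next to the line (`# relative to the repo root — run the tests from there`) or have the test harness export KRB5_KTNAME with an absolute path instead. A one-line comment on `rdns = false` saying it pairs with `SASL_NOCANON on` in ldaprc would also help, since the two settings only work together.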