Notes on using Moonshot with Samba4. Replace paths as appropriate.

* Download Samba4 and apply the patches for mechanism agnosticism, which are
  available at http://www.padl.com/~lukeh/samba/
* Join Samba as a member server or domain controller (only the former has
  been tested)
* Extract the local service principal key to a keytab (currently there do not
  appear to be tools to do this, but you can get the cleartext password
  from /usr/local/samba/private/secrets.ldb)
* Add a mapping from the PAC RADIUS attribute to urn:mspac: in the file
  /usr/local/etc/shibboleth/attribute-map.xml:

  <GSSAPIAttribute name="urn:ietf:params:gss:radius-attribute 26.25622.133"
                   id="urn:mspac:" binary="true"/>
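As an added illustration of what that attribute name refers to (example code, not part of these notes or of the Moonshot/Samba/FreeRADIUS sources): a small Python encoder/decoder for the MS-Windows-Auth-Data vendor-specific attribute, RADIUS type 26, vendor 25622, vendor-type 133, together with a parser for the urn:ietf:params:gss:radius-attribute name used in attribute-map.xml. Splitting a PAC that exceeds one attribute across repeated instances which the receiver concatenates in order is an assumed convention, and the PAC bytes used in the test are constructed.

```python
import struct

# RADIUS Vendor-Specific attribute (RFC 2865, 5.26): Type=26, Length,
# Vendor-Id (4 bytes), then Vendor-Type, Vendor-Length, data.  Length is
# one byte, so one VSA carries at most 255 - 2 - 4 - 2 = 247 data bytes.
VENDOR_SPECIFIC = 26
MAX_VSA_DATA = 247


def parse_gss_radius_urn(urn):
    """'urn:ietf:params:gss:radius-attribute 26.25622.133' ->
    (26, 25622, 133); a plain attribute gives (type, None, None)."""
    prefix, _, spec = urn.partition(" ")
    if prefix != "urn:ietf:params:gss:radius-attribute":
        raise ValueError("not a GSS RADIUS attribute name: %r" % urn)
    parts = [int(p) for p in spec.split(".")]
    if len(parts) == 1:
        return parts[0], None, None
    if len(parts) == 3 and parts[0] == VENDOR_SPECIFIC:
        return parts[0], parts[1], parts[2]
    raise ValueError("unsupported attribute spec: %r" % spec)


def encode_vsa(vendor_id, vendor_type, value):
    """Encode value as VSAs.  A value longer than MAX_VSA_DATA (a PAC usually
    is) is split over repeated instances that the receiver concatenates
    in order (assumed convention)."""
    out = b""
    for off in range(0, len(value), MAX_VSA_DATA):
        chunk = value[off:off + MAX_VSA_DATA]
        body = struct.pack("!IBB", vendor_id, vendor_type, len(chunk) + 2) + chunk
        out += struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body
    return out


def decode_vsa(attrs, vendor_id, vendor_type):
    """Return the concatenated data of every matching VSA in an attribute
    list.  Inconsistent lengths raise, so a truncated PAC is never accepted."""
    value, pos = b"", 0
    while pos < len(attrs):
        atype, alen = struct.unpack_from("!BB", attrs, pos)
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length at offset %d" % pos)
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vid, vtype, vlen = struct.unpack_from("!IBB", attrs, pos + 2)
            if vid == vendor_id and vtype == vendor_type:
                if vlen < 2 or 6 + vlen > alen:
                    raise ValueError("bad vendor length at offset %d" % pos)
                value += attrs[pos + 8:pos + 6 + vlen]
        pos += alen
    return value
```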
Install the rlm_mspac module and configure it as below.

* Install dictionary.ukerna so MS-Windows-Auth-Data is defined
* Create /usr/local/etc/raddb/modules/mspac with the following:

  keytab = /etc/krb5.keytab
  spn = host/host.fqdn@KERBEROS.REALM

* Add mspac to the instantiate stanza in radiusd.conf
* Add mspac to the post-auth stanza in sites-enabled/inner-tunnel

You will need to have a TGT for the host service principal before starting
radiusd. It's easiest to do this with kinit -k.

The Samba server doesn't require any specific command line arguments, although
on OS X it was necessary to start it with -M single to function under gdb.

For the client, the GSS EAP mechanism can be specified on the command line:

  smbclient --password samba --mechanism 1.3.6.1.5.5.15.1.1.18 '\\host\share'

There is no Moonshot SSPI implementation as yet, so it is not possible to test
with a Windows client.