X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;ds=sidebyside;f=moonshot%2Fmech_eap%2FREADME.samba4;fp=moonshot%2Fmech_eap%2FREADME.samba4;h=84989a64a7479baef2cdb2d1a1f0346627d17a8b;hb=93077f669adbc6b7fca7d44dbdf235fd23b7f2ce;hp=0000000000000000000000000000000000000000;hpb=fd1c603f1d0754f9c8c5901684cabc889010ed00;p=moonshot.git

diff --git a/moonshot/mech_eap/README.samba4 b/moonshot/mech_eap/README.samba4
new file mode 100644
index 0000000..84989a6
--- /dev/null
+++ b/moonshot/mech_eap/README.samba4
@@ -0,0 +1,47 @@
+Notes on using Moonshot with Samba4.
+
+Samba
+-----
+
+* Download Samba4 and apply patches for mechanism agnosticism.
+* Join Samba as a member server or domain controller (only tested former):
+
+Shibboleth
+----------
+
+* Add to attribute-map.xml:
+
+    <GSSAPIAttribute name="urn:ietf:params:gss-eap:radius-avp urn:x-radius:1679163525"
+                     id="urn:mspac:" binary="true"/>
+
+FreeRADIUS
+----------
+
+Install the rlm_mspac module and configure per below.
+
+* Create /usr/local/etc/raddb/modules/mspac with the following:
+
+    mspac {
+        keytab = /etc/krb5.keytab
+        spn = host/host.fqdn@KERBEROS.REALM
+    }       
+
+* Add mspac to instantiate in radiusd.conf
+* Add mspac to post-auth in sites-enabled/inner-tunnel
+
+You will need to have a TGT for the host service principal before starting
+radiusd. It's possible to extract the password by editing secrets.ldb, which
+you can put in a keytab.
+
+Testing
+-------
+
+The Samba server doesn't require any specific command line arguments, although
+on OS X it was necessary to start it with -M single to function under gdb.
+
+For the client, the mechanism can be specified on the command line:
+
+smbclient --password samba --mechanism 1.3.6.1.4.1.5322.22.1.18 '\\host\share'".
+
+There is no Moonshot SSPI implementation as yet, so it is not possible to test
+with a Windows client.