X-Git-Url: http://www.project-moonshot.org/gitweb/?p=moonshot.git;a=blobdiff_plain;f=moonshot%2Fmech_eap%2FREADME.samba4;fp=moonshot%2Fmech_eap%2FREADME.samba4;h=d0a94d16e3aef0d89c6553d000503946bdab0398;hp=0000000000000000000000000000000000000000;hb=c5fe2bba827ab2f6adbd7f47418a1808bca8c547;hpb=5d7ff928e7e7e371f62d81f9cc1889b6e2565910 diff --git a/moonshot/mech_eap/README.samba4 b/moonshot/mech_eap/README.samba4 new file mode 100644 index 0000000..d0a94d1 --- /dev/null +++ b/moonshot/mech_eap/README.samba4 
@@ -0,0 +1,52 @@ +Notes on using Moonshot with Samba4. Replace paths as appropriate. + +Samba +----- + +* Download Samba4 and apply patches for mechanism agnosticism which are + available at http://www.padl.com/~lukeh/samba/ +* Join Samba as a member server or domain controller (only tested former) +* Extract local service principal key to keytab (currently there do not + appear to be tools to do this, but you can get the cleartext password + from /usr/local/samba/private/secrets.ldb) + +Shibboleth +---------- + +* Add a mapping from the PAC RADIUS attribute to urn:mspac: in the file + /usr/local/etc/shibboleth/attribute-map.xml: + + + +FreeRADIUS +---------- + +Install the rlm_mspac module and configure per below. + +* Install dictionary.ukerna so MS-Windows-Auth-Data is defined +* Create /usr/local/etc/raddb/modules/mspac with the following: + + mspac { + keytab = /etc/krb5.keytab + spn = host/host.fqdn@KERBEROS.REALM + } + +* Add mspac to instantiate stanza in radiusd.conf +* Add mspac to post-auth stanza in sites-enabled/inner-tunnel + +You will need to have a TGT for the host service principal before starting +radiusd. It's easiest to do this with kinit -k. + +Testing +------- + +The Samba server doesn't require any specific command line arguments, although +on OS X it was necessary to start it with -M single to function under gdb. + +For the client, the GSS EAP mechanism can be specified on the command line: + +smbclient --password samba --mechanism 1.3.6.1.4.1.5322.22.1.18 '\\host\share'". + +There is no Moonshot SSPI implementation as yet, so it is not possible to test +with a Windows client.
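Review bot: the smbclient example in the Testing section ends with a stray `"` after `'\\host\share'`, which will break a copy-and-paste of the command; drop it. On the same hunk: the Shibboleth step says to add a mapping "in the file /usr/local/etc/shibboleth/attribute-map.xml:" but only blank lines follow the colon, so the actual Attribute element mapping the PAC RADIUS attribute to urn:mspac: needs to appear there (or, if it was lost in rendering, the committed file should be checked). The FreeRADIUS section points mspac at /etc/krb5.keytab and then says a TGT must be obtained with kinit -k before starting radiusd, but it does not say which user radiusd runs as, whether that user can read the keytab, which credential cache radiusd will pick up, or how the TGT is renewed once it expires; one or two sentences on that would save operators a failed start. Finally, since the Samba step tells the reader to pull the cleartext machine password out of /usr/local/samba/private/secrets.ldb to build the keytab, it is worth stating that the resulting keytab must be protected as tightly as that file.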