From 93077f669adbc6b7fca7d44dbdf235fd23b7f2ce Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Mon, 16 May 2011 10:58:53 +0200 Subject: [PATCH] Add readme for Samba --- moonshot/mech_eap/README.samba4 | 47 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 moonshot/mech_eap/README.samba4 diff --git a/moonshot/mech_eap/README.samba4 b/moonshot/mech_eap/README.samba4 new file mode 100644 index 0000000..84989a6 --- /dev/null +++ b/moonshot/mech_eap/README.samba4 @@ -0,0 +1,47 @@ +Notes on using Moonshot with Samba4. + +Samba +----- + +* Download Samba4 and apply patches for mechanism agnosticism. +* Join Samba as a member server or domain controller (only tested former): + +Shibboleth +---------- + +* Add to attribute-map.xml: + + + +FreeRADIUS +---------- + +Install the rlm_mspac module and configure per below. + +* Create /usr/local/etc/raddb/modules/mspac with the following: + + mspac { + keytab = /etc/krb5.keytab + spn = host/host.fqdn@KERBEROS.REALM + } + +* Add mspac to instantiate in radiusd.conf +* Add mspac to post-auth in sites-enabled/inner-tunnel + +You will need to have a TGT for the host service principal before starting +radiusd. It's possible to extract the password by editing secrets.ldb, which +you can put in a keytab. + +Testing +------- + +The Samba server doesn't require any specific command line arguments, although +on OS X it was necessary to start it with -M single to function under gdb. + +For the client, the mechanism can be specified on the command line: + +smbclient --password samba --mechanism 1.3.6.1.4.1.5322.22.1.18 '\\host\share'". + +There is no Moonshot SSPI implementation as yet, so it is not possible to test +with a Windows client. -- 2.1.4
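Review bot: Two of the README's bullets end in a colon with nothing following them in this hunk: "Join Samba as a member server or domain controller (only tested former):" and "Add to attribute-map.xml:" both promise a command or an XML mapping that is not in the file, so the Samba and Shibboleth sections are not actionable as written; add the join step and the attribute-map entry, or drop the colons. In the Testing section the smbclient line has a stray trailing double quote after the share path (`'\\host\share'".`), which a reader copying the command will paste into their shell; while fixing it, note that `--password samba` on the command line is visible in the process list, so for anything beyond a throwaway test the password should come from a prompt or a credentials file. The keytab advice also needs a sentence on handling: it tells the reader to extract the machine password from secrets.ldb into a keytab referenced by `keytab = /etc/krb5.keytab`, but says nothing about restricting that file to the radiusd user, and it is unclear whether "you will need to have a TGT for the host service principal before starting radiusd" means rlm_mspac acquires the TGT from the keytab itself or the administrator must kinit first; state which, since the two have different operational requirements.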