
Seamless Integration: Active Directory Services and Samba 3.0

FVLUG, December 8, 2003. Wim Kerkhoff

Overview

- What is Microsoft Active Directory Services?
- What is Samba?
- Windows 2000 Server configuration
- Linux/Samba 3 configuration
- Test Kerberos authentication
- Winbind/PAM configuration
- Test PAM using SSH/FTP
- Some screenshots, demos
- Summary

What is Active Directory Services?


- Unified environment
- Easier to manage in Win2k than NT4
- Group Policies
- Handles all sorts of things: DNS, trust relationships, etc.
- Everything goes in ADS/LDAP
- ADS Domain Controllers replace NT PDC/BDCs
- LDAP

What is Samba?
Samba is a file and print server for Windows-based clients using TCP/IP as the underlying transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big strengths is that you can use it to blend your mix of Windows and Linux machines together without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.

SMB? CIFS? History

- SMB: acronym for Server Message Block. This is Microsoft's file and printer sharing protocol.
- CIFS: acronym for Common Internet File System. Around 1996, Microsoft apparently decided that SMB needed the word "Internet" in it, so they changed it to CIFS.

Some quotes on SMB

"People inside Microsoft know it's a bad operating system and they still continue obviously working on it because they want to get the next version out because they want to have all these new features to sell more copies of the system." - Linus Torvalds, 1998

"Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have been dutifully waded through during the information-gathering stages of this project, and there are *still* many missing pieces." - 1997 article on CIFS

Samba Features

- NT4/Win2k/Win2k3 domain controller or domain member
- Emulate any version of Windows: domain workstation, peer to peer
- Can join Win2k domains running in native or mixed mode
- Trusted server/client (trust relationships)
- Authenticate against LDAP/MySQL etc., even as Primary Domain Controller
- No-strings support: open source
- Performance/reliability/cost
- Dynamic SMB

What can't Samba do?

- Active Directory Server.
- Group Policy Objects (in Active Directory).
- Machine Policy Objects.
- Logon Scripts in Active Directory.
- Software Application and Access Controls in Active Directory.

Windows 2000 Install Overview


- Do a typical install of 2000/2003 Server
- Run dcpromo to become the ADS Domain Controller
- Add a user account, set the password
- Add an administrator account, set the password
- That's it!

Linux/Samba 3 installation overview

This is what I did; there are a couple of ways of doing it:

- Download root.bin + rescue.bin and use them to install Debian Woody
- Don't run tasksel/dselect. Immediately dist-upgrade to Sarge or Sid
- apt-get install samba smbclient winbind ssh krb5-clients krb5-user

Configuring Linux

Since Active Directory Services uses DNS for everything, make sure the basics work before continuing:

- Make sure /etc/resolv.conf has the domain/nameserver settings for the Win2k server
- Test resolving (e.g. ping the short hostname of the ADS server)
- Make sure the Linux hostname is set correctly
- Optionally create records for the Linux box in ADS DNS. Not having to rely on WINS or browse lists is nice

Configure Kerberos

Debian does a fine job of doing this for you (the krb5-user package asks for realm and KDC at install time). If Debian is not being used or it isn't working, create a simple /etc/krb5.conf from scratch; the realm name is the AD DNS domain in upper case, and the [domain_realm] section maps hostnames under that domain to the realm:

    [libdefaults]
        default_realm = ADS.NYETWORK.ORG

    [realms]
        ADS.NYETWORK.ORG = {
            kdc = BULL
            admin_server = BULL
        }

    [domain_realm]
        .ads.nyetwork.org = ADS.NYETWORK.ORG

Configure Samba

Enter the realm/domain info into the debconf wizard for the samba package to have a nice starting point, then change/add these settings in /etc/samba/smb.conf. workgroup is the short (NetBIOS) domain name, realm is the Kerberos realm in upper case, and security = ADS makes Samba authenticate against the domain controller with Kerberos instead of against its own password database:

    workgroup = ADS
    realm = ADS.NYETWORK.ORG
    security = ADS
    password server = bull.ads.nyetwork.org

Restart samba

Test Kerberos / ADS


- Sync the clocks! Kerberos rejects tickets when the clock skew is more than 5 minutes (the default)
- Run kinit someUser, then enter the password
- Run klist to see the Kerberos tickets
- Authenticate as a user with Administrator rights in the domain, then join:

    net ads join -U adminuser

- You should now see a message that your computer is in the domain
- The computer will show up in the Active Directory Users and Computers list
- Test with a Kerberos-authenticated connection (-k uses the ticket from kinit, so there is no password prompt):

    smbclient //bull/c$ -U adminuser -k
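The DNS check, clock sync, kinit, join and smbclient test from the last few slides as one script. This is an added example, not the speaker's own script; it assumes the realm ADS.NYETWORK.ORG, the domain controller bull.ads.nyetwork.org, a domain admin called adminuser, and the tools from the Debian samba, smbclient, krb5-user and dnsutils packages. Run it as root with the argument "join".

```shell
#!/bin/sh
# ads_join.sh: DNS -> clock -> Kerberos ticket -> net ads join -> verify.
# Added example; names below are assumptions, override them via the environment.
REALM="${REALM:-ADS.NYETWORK.ORG}"
DC="${DC:-bull.ads.nyetwork.org}"
ADMIN="${ADMIN:-adminuser}"

# The realm is the AD DNS domain in upper case; the SRV records are
# published under the lower-case DNS name.
realm_to_domain() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Kerberos realm names are case sensitive: "kinit user@ads.nyetwork.org"
# fails with "Cannot find KDC for requested realm", so always build the
# principal from $REALM rather than from whatever the user typed.
principal_for() { printf '%s@%s' "$1" "$REALM"; }

# SRV records that kinit and 'net ads' look up to find the KDC and LDAP server.
srv_names() {
    d=$(realm_to_domain "$1")
    printf '%s\n' "_kerberos._tcp.$d" "_kerberos._udp.$d" "_ldap._tcp.$d"
}

check_dns() {
    for rr in $(srv_names "$REALM"); do
        host -t SRV "$rr" >/dev/null 2>&1 ||
            { echo "no SRV record $rr: fix /etc/resolv.conf or AD DNS" >&2; return 1; }
    done
    host "$DC" >/dev/null 2>&1 || { echo "cannot resolve $DC" >&2; return 1; }
}

# Kerberos rejects tickets when clocks differ by more than 5 minutes
# (libdefaults clockskew, default 300 s): show both clocks, then set ours
# from the DC with 'net time set'.
sync_clock() {
    echo "DC time:    $(net time -S "$DC")"
    echo "local time: $(date)"
    net time set -S "$DC"
}

get_ticket() {
    kinit "$(principal_for "$ADMIN")" || return 1   # prompts for the password
    klist                                           # krbtgt/REALM@REALM must be listed
}

join_domain() {
    net ads join -U "$ADMIN" || return 1   # creates the computer account in AD
    net ads testjoin                       # "Join is OK" means the machine account works
    smbclient -k -L "$DC"                  # list shares with the ticket, no password prompt
}

if [ "${1:-}" = join ]; then
    check_dns && sync_clock && get_ticket && join_domain
fi
```

If check_dns fails, the box is not using the AD DNS server; fix /etc/resolv.conf before touching Kerberos. A kinit error of "Clock skew too great" means sync_clock did not take.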

Screenshot: Linux

Screenshot: Windows 2000

Winbind unified logons


Winbind is a combination of Windows RPC, PAM and the NSS switch: it fetches domain users and groups from the DC and maps them to Unix uids/gids. Add this to smb.conf (the parameter is spelled "winbind separator"; a misspelled name is ignored by Samba, so check testparm output):

    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/ads/%U
    template shell = /bin/bash

- Restart samba/winbind
- Run wbinfo -u and wbinfo -g to see all the ADS users and groups
- The default is to have all ADS accounts come through as Domain+User (the separator comes from "winbind separator"). You can also have Domain\User, or even just User with "winbind use default domain = yes".

Pluggable Authentication Modules (PAM)

- Auth modules available for LDAP, Kerberos, Netware, Radius, MySQL, PostgreSQL, or write your own
- Stackable, configurable per service (SSH vs login vs cron etc.)
- Module types: auth, account, session, password
- Control flags: required, requisite, sufficient, optional
- Other interesting session/login modules: motd, mkhomedir, lastlog, mail, tally, time, limits
- mkhomedir doesn't work with SSH because of privilege separation

Changes required to default PAM files


- Add winbind to /etc/nsswitch.conf for passwd/group/shadow
- getent passwd will now show a unified /etc/passwd
- getent group will now show a unified /etc/group
- Modify the files in /etc/pam.d to allow logins via either pam_winbind.so or pam_unix.so
- Easiest is to modify common-auth and common-account. However, not all services use them.
- Also, mkhomedir doesn't work with SSH, but works fine with login and ftp.
- More details can be found in the Samba docs or at http://www.kernel.org/pub/linux/libs/pam/
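The resulting Debian files, as an added example of the stack described above (not the speaker's files). It assumes the Debian common-* include files and the winbind settings from the earlier slide; pam_winbind goes first and is "sufficient", so a domain password that checks out ends the stack, and a local account falls through to pam_unix, which reuses the password already typed so the user is prompted only once. shadow stays local because pam_winbind verifies the password against the DC itself.

```text
# /etc/nsswitch.conf: files first so local accounts such as root
# resolve even when winbindd or the DC is down
passwd:  files winbind
group:   files winbind
shadow:  files

# /etc/pam.d/common-auth
auth    sufficient  pam_winbind.so
auth    required    pam_unix.so nullok_secure use_first_pass

# /etc/pam.d/common-account
account sufficient  pam_winbind.so
account required    pam_unix.so

# /etc/pam.d/common-session (works for login and ftp; with SSH privilege
# separation pam_mkhomedir cannot create the directory, see above)
session required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required    pam_unix.so
```

/home/ads (the parent of the template homedir) must already exist, otherwise pam_mkhomedir fails. Check the result with getent passwd ADS+someUser and a login as that user over ftp before trusting it for SSH.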

Can browse the network without password prompts

Can even manage shares from MMC, like any other server

Can use chown with ADS users


    fresh:/tmp# touch file.txt
    fresh:/tmp# ls -l file.txt
    -rw-r--r--    1 root     root            0 Dec  6 02:02 file.txt
    fresh:/tmp# chown ADS+AdminUser file.txt
    fresh:/tmp# ls -l file.txt
    -rw-r--r--    1 ADS+AdminUser root       0 Dec  6 02:02 file.txt

SSH works

Example script commands

Some functionality isn't provided by Samba itself, but comes from scripts you set up yourself:

- Share management
- User/group management
- Abort/shutdown
- Logon scripts

Example smb.conf settings:

    admin users = ADS+AdminUser, ADS+Administrator
    add share command = /etc/samba/modify_samba_config.pl
    delete share command = /etc/samba/modify_samba_config.pl
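smbd runs the add/delete share hooks as root with arguments chosen by whoever is in "admin users" on the remote MMC, so the script should validate everything before it touches smb.conf. The script below is an added example of such a hook (not the modify_samba_config.pl from the slide); it assumes shares must live below SHARE_ROOT (default /srv/samba) and implements the argument conventions of Samba 3.0: add share command gets configFile shareName pathName comment, delete share command gets configFile shareName.

```shell
#!/bin/sh
# smb_share_cmd.sh: validating "add share command"/"delete share command" hook.
# Added example; SHARE_ROOT and the stanza layout are assumptions.
SHARE_ROOT="${SHARE_ROOT:-/srv/samba}"
NL='
'

# Share names become [section] headers: allow only a safe character set so a
# name such as "x]<newline>path = /" cannot inject extra parameters.
valid_share_name() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 80 ]
}

# Paths must be absolute, below SHARE_ROOT, and free of "..", "." or empty
# components, so the admin cannot export /etc as a share.
valid_share_path() {
    case "$1" in
        "$SHARE_ROOT"/*) ;;
        *) return 1 ;;
    esac
    case "$1/" in
        *"/../"*|*"/./"*|*"//"*) return 1 ;;
    esac
}

share_exists() {   # cfg name (section names are case insensitive in smb.conf)
    awk -v n="$2" '{ l = $0; gsub(/^[ \t]+|[ \t]+$/, "", l) }
                   (tolower(l) == ("[" tolower(n) "]")) { found = 1 }
                   END { exit !found }' "$1"
}

add_share() {   # cfg name path comment
    cfg=$1; name=$2; path=$3; comment=$4
    valid_share_name "$name" || return 1
    valid_share_path "$path" || return 1
    case "$comment" in *"$NL"*) return 1 ;; esac   # a newline would inject lines
    share_exists "$cfg" "$name" && return 1
    mkdir -p "$path" || return 1
    printf '\n[%s]\n    path = %s\n    comment = %s\n    read only = no\n' \
        "$name" "$path" "$comment" >> "$cfg"
}

# Drop the [name] section up to the next section header. smbd notices the
# changed mtime and re-reads smb.conf on its own.
delete_share() {   # cfg name
    cfg=$1; name=$2
    valid_share_name "$name" || return 1
    tmp=$(mktemp) || return 1
    awk -v n="$name" '
        /^[ \t]*\[/ { l = $0; gsub(/^[ \t]+|[ \t]+$/, "", l)
                      skip = (tolower(l) == ("[" tolower(n) "]")) }
        !skip' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# smbd passes 4 arguments for an add and 2 for a delete.
case $# in
    4) add_share "$@" ;;
    2) delete_share "$@" ;;
esac
```

Point both "add share command" and "delete share command" at this script; a non-zero exit makes the MMC operation fail, which is what you want for a rejected name or path. Adding the share does not grant anyone access to the directory, so set the Unix permissions on the new path deliberately.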

Where does Samba cache special things?


    ADS+AdminUser@fresh:/var/lib/samba$ ls -1
    account_policy.tdb
    group_mapping.tdb
    ntdrivers.tdb
    ntforms.tdb
    ntprinters.tdb
    passdb.tdb
    printers
    registry.tdb
    secrets.tdb
    share_info.tdb
    winbindd_idmap.tdb

tdbdump can be used to examine *.tdb files. TDB is a Trivial DataBase system, like gdbm. Note that secrets.tdb holds the machine account password created by net ads join (and any LDAP bind password), and tdbdump prints it in the clear, so that file must stay readable by root only.

Other possibilities

- Print servers, including auto-install of Win32 drivers
- DFS (Distributed File System)
- SSL
- WINS replication
- File system Access Control Lists using extended attributes of ext3
- Single Sign On in Apache
- Stackable VFS: audit, recycle, databaseFS, vscan
- Samba 4 goal: go through the specs one line at a time and do things properly instead of through reverse engineering. Better support for NAS, clustering, high-end stuff. Better use in non-Windows environments.

Summary

More information available at:

- http://www.fvlug.org/wiki/Samba
- http://www.samba.org
- http://ca.samba.org/samba/docs/man/ is probably THE most complete reference, covering many scenarios
- Google is your friend, as always

Questions?
