Seamless Integration: Active Directory Services and Samba 3.0 FVLUG – December 8, 2003 Wim Kerkhoff


Page 1: Seamless Integration: Active Directory Services and Samba 3.0 FVLUG – December 8, 2003 Wim Kerkhoff

Seamless Integration: Active Directory Services

and Samba 3.0

FVLUG – December 8, 2003

Wim Kerkhoff

Page 2:

Overview

What is Microsoft Active Directory Services?
What is Samba?
Windows 2000 Server configuration
Linux/Samba3 configuration
Test Kerberos authentication
Winbind/PAM configuration
Test PAM using SSH/FTP
Some screenshots, demos
Summary

Page 3:

What is Active Directory Services?

Unified environment
Easier to manage in Win2k than NT4
Group Policies
Handles all sorts of things: DNS, trust relationships, etc.
Everything goes in ADS/LDAP
ADS Domain Controllers replace NT PDC/BDCs
LDAP

Page 4:

What is Samba?

“Samba is a file and print server for Windows-based clients using TCP/IP as the underlying transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big strengths is that you can use it to blend your mix of Windows and Linux machines together without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.”

Page 5:

SMB? CIFS? History

“SMB: Acronym for ‘Server Message Block’. This is Microsoft's file and printer sharing protocol”

“CIFS: Acronym for ‘Common Internet File System’. Around 1996, Microsoft apparently decided that SMB needed the word "Internet" in it, so they changed it to CIFS”

Page 6:

Some quotes on SMB

“People inside Microsoft know it's a bad operating system and they still continue obviously working on it because they want to get the next version out because they want to have all these new features to sell more copies of the system.” - Linus Torvalds, 1998

“Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have been dutifully waded through during the information-gathering stages of this project, and there are *still* many missing pieces.” – 1997 article on CIFS

Page 7:

Samba Features

NT4/Win2k/Win2k3 Domain/Member Controllers
Emulate any version of Windows
Domain workstation, peer to peer
Can run in “native” or “mixed” modes for Win2k
Trusted server/client
Authenticate against LDAP/MySQL etc., even as Primary Domain Controller
No-strings support: OSS
Performance/reliability/cost
Dynamic SMB

Page 8:

What can’t Samba do?

Active Directory Server.
Group Policy Objects (in Active Directory).
Machine Policy Objects.
Logon Scripts in Active Directory.
Software Application and Access Controls in Active Directory.

Page 9:

Windows 2000 Install Overview

Do a typical install of 2000/2003 Server
Run ‘dcpromo’ to become the ADS Domain Controller
Add a user account, set the password
Add an administrator account, set the password
That’s it!

Page 10:

Linux/Samba3 installation overview

This is what I did; there are a couple of ways of doing it
Download root.bin+rescue.bin, and use them to install Debian Woody
Don’t run tasksel/dselect. Immediately dist-upgrade to Sarge or Sid
apt-get install samba smbclient winbind ssh krb5-clients krb5-user

Page 11:

Configuring Linux

Since Active Directory Services uses DNS for everything, make sure the basics work before continuing.
Make sure /etc/resolv.conf has the domain/nameserver settings for Win2k
Test resolving (e.g. ping the short hostname of the ADS server)
Make sure the Linux hostname is set correctly
Optionally create records in ADS DNS. Not having to rely on WINS or browse lists is nice

Page 12:

Configure Kerberos

Debian does a fine job of doing this for you. If Debian is not being used or it isn’t working, create a simple /etc/krb5.conf from scratch:

    [libdefaults]
        default_realm = ADS.NYETWORK.ORG

    [realms]
        ADS.NYETWORK.ORG = {
            kdc = BULL
            admin_server = BULL
        }

    [domain_realm]
        .ads.nyetwork.org = ADS.NYETWORK.ORG

Page 13:

Configure Samba

Enter the realm/domain info into the debconf wizard for the samba package to get a nice starting point

Change/add these settings in the [global] section of smb.conf:

    workgroup = ADS
    realm = ADS.NYETWORK.ORG
    security = ADS
    password server = bull.ads.nyetwork.org

Restart samba

Page 14:

Test Kerberos / ADS

Sync the clocks! Kerberos rejects requests when client and KDC differ by more than five minutes (the default clock skew)
Run: kinit someUser, then enter the password
Run: klist to see the Kerberos tickets
Authenticate as a user with Administrator rights in the domain, then: net ads join -U adminuser
Should now see a message that your computer is in the domain
Computer will show up in the Active Directory Computers list
smbclient '\\bull\c$' -U adminuser -k (the -k uses the Kerberos ticket, so no password prompt)
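The Linux side of the last four slides (DNS, clocks, krb5.conf, smb.conf, kinit, join, smbclient) as one script. This is an added example, not code from the talk or from the Samba project. The realm, KDC and workgroup defaults are the slides' own (ADS.NYETWORK.ORG, bull, ADS); the function names, the 300 s skew limit, deriving the workgroup from the first label of the realm, and the use of GNU date, MIT klist output and the host utility are assumptions of this example. The two generators and the checks run anywhere; preflight_and_join needs a reachable domain controller and a domain admin account.

```shell
#!/bin/sh
# Added example (not from the talk): pre-join checks and config generation
# for a Samba 3 member server. Defaults are the slides' values; everything
# else here is an assumption of this example.

REALM="${REALM:-ADS.NYETWORK.ORG}"
KDC="${KDC:-bull.ads.nyetwork.org}"
MAX_SKEW=300   # MIT/Heimdal default clockskew: the KDC rejects anything further off

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Minimal /etc/krb5.conf for one realm. dns_lookup_kdc is off so the KDC named
# here is used even when the SRV records are missing or point elsewhere.
gen_krb5_conf() {
    realm="$1"; kdc="$2"; domain=$(lower "$realm")
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# [global] lines for smb.conf. The NetBIOS domain name is assumed to be the
# first label of the realm, as it is on the slides; check it in AD if unsure.
gen_smb_global() {
    realm="$1"; kdc="$2"; workgroup=$(printf '%s' "$realm" | cut -d. -f1)
    cat <<EOF
[global]
    workgroup = $workgroup
    realm = $realm
    security = ADS
    password server = $kdc
    encrypt passwords = yes
EOF
}

# Succeed only if two epoch timestamps differ by at most MAX_SKEW seconds.
clock_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$MAX_SKEW" ]
}

# Realm part of a principal: "wim@ADS.NYETWORK.ORG" -> "ADS.NYETWORK.ORG".
principal_realm() { printf '%s' "$1" | sed -n 's/^[^@]*@\(.*\)$/\1/p'; }

# A leftover ticket cache from another realm will not get you a join.
principal_in_realm() { [ "$(principal_realm "$1")" = "$REALM" ]; }

# Live steps in the slides' order: DNS, clocks, kinit, join, verify.
preflight_and_join() {
    admin="$1"; domain=$(lower "$REALM")
    [ -n "$admin" ] || { echo "usage: $0 join <domain-admin>" >&2; return 1; }
    # AD publishes every DC as a _kerberos._tcp SRV record; no record means
    # /etc/resolv.conf does not point at the AD DNS yet (assumes the host utility).
    host -t SRV "_kerberos._tcp.$domain" >/dev/null ||
        { echo "no SRV record for _kerberos._tcp.$domain" >&2; return 1; }
    # net time reads the DC's clock over SMB; GNU date parses its output.
    dc_epoch=$(date -d "$(net time -S "$KDC")" +%s) || return 1
    clock_ok "$(date +%s)" "$dc_epoch" ||
        { echo "clock skew over ${MAX_SKEW}s; run: net time set -S $KDC" >&2; return 1; }
    kinit "$admin@$REALM" || return 1
    klist
    principal_in_realm "$(klist | sed -n 's/^Default principal: //p')" || return 1
    net ads join -U "$admin" || return 1
    net ads testjoin                # non-zero if the new machine account does not work
    smbclient -k -L "$KDC"          # Kerberos-authenticated listing, no password prompt
}

case "$1" in
    join) preflight_and_join "$2" ;;
    krb5) gen_krb5_conf "$REALM" "$KDC" ;;
    smb)  gen_smb_global "$REALM" "$KDC" ;;
esac
```

Run it as `sh adsjoin.sh krb5 > /etc/krb5.conf`, paste the `smb` output into smb.conf, then `sh adsjoin.sh join adminuser` as root. The SRV check and the skew check are there because they are the two failures that otherwise surface only as an unhelpful "Cannot find KDC" or "Clock skew too great" from kinit.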

Page 15:

Screenshot: Linux

Page 16:

Screenshot: Windows 2000

Page 17:

Winbind – unified logons

Combination of Windows RPC, PAM, NSS switch
Add this to smb.conf:

    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/ads/%U
    template shell = /bin/bash

Restart samba/winbind
Run wbinfo -u and wbinfo -g to see all the ADS users and groups
The default is to have all ADS accounts come through as Domain+User. Can also have Domain\User or even just User. Dropping the domain prefix means a domain account and a local account with the same name can no longer be told apart; whichever source is listed first in nsswitch.conf wins.

Page 18:

Pluggable Authentication Modules (PAM)

Auth modules available for LDAP, Kerberos, Netware, Radius, MySQL, PostgreSQL, or write your own
Stackable, configurable per service (SSH vs login vs cron etc.)
Module types: auth, account, session, password
Control flags: required, requisite, sufficient, optional
Other interesting session/login modules: motd, mkhomedir, lastlog, mail, tally, time, limits
mkhomedir doesn’t work with SSH because of privilege separation

Page 19:

Changes required to default PAM files

Add winbind to /etc/nsswitch.conf for passwd/group/shadow
getent passwd will now show a unified /etc/passwd
getent group will now show a unified /etc/group
Modify the files in /etc/pam.d to allow logins via either pam_winbind.so or pam_unix.so
Easiest is to modify common-auth and common-account. However not all services use them.
Also, mkhomedir doesn’t work with SSH, but works fine with login and ftp.

More details can be found in the Samba docs or http://www.kernel.org/pub/linux/libs/pam/
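The nsswitch and PAM changes from the last three slides, applied by script. This is an added example and not the talk's or the Samba project's code; the Debian file names (/etc/nsswitch.conf, /etc/pam.d/common-*) are the slides', while the helper names, the backup suffix, the umask and the choice of PAM control flags are this example's own. The idmap range matches the smb.conf lines on the winbind slide.

```shell
#!/bin/sh
# Added example (not from the talk): apply the nsswitch and PAM changes the
# slides describe, on Debian-style files. Helper names, the backup suffix
# and the choice of PAM control flags are this example's own.

NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"
PAMDIR="${PAMDIR:-/etc/pam.d}"
IDMAP_LO=10000; IDMAP_HI=20000    # must match idmap uid/gid in smb.conf

# Rewrite an nsswitch.conf read on stdin: append "winbind" to the passwd,
# group and shadow lines, once only, so re-running is harmless.
nss_add_winbind() {
    sed -e '/^passwd:/{/winbind/!s/$/ winbind/;}' \
        -e '/^group:/{/winbind/!s/$/ winbind/;}' \
        -e '/^shadow:/{/winbind/!s/$/ winbind/;}'
}

# PAM stack for one management group. pam_winbind comes first as
# "sufficient": a domain user is done there. pam_unix stays "required" so
# local accounts, root above all, still work when winbindd is down, and
# use_first_pass reuses the password already typed instead of asking twice.
# A "sufficient" module failing is not fatal; only a "required" one is.
pam_stack() {
    case "$1" in
        auth)    printf 'auth\tsufficient\tpam_winbind.so\nauth\trequired\tpam_unix.so use_first_pass\n' ;;
        account) printf 'account\tsufficient\tpam_winbind.so\naccount\trequired\tpam_unix.so\n' ;;
        session) printf 'session\trequired\tpam_mkhomedir.so skel=/etc/skel umask=0077\nsession\trequired\tpam_unix.so\n' ;;
        *) return 1 ;;
    esac
}

# One getent passwd line for a winbind user must carry a uid inside the
# idmap range; anything else means it came from /etc/passwd, or the idmap
# range in smb.conf overlaps local accounts.
idmap_ok() {
    uid=$(printf '%s' "$1" | cut -d: -f3)
    case "$uid" in ""|*[!0-9]*) return 1 ;; esac
    [ "$uid" -ge "$IDMAP_LO" ] && [ "$uid" -le "$IDMAP_HI" ]
}

apply() {
    cp "$NSSWITCH" "$NSSWITCH.pre-winbind"
    nss_add_winbind <"$NSSWITCH.pre-winbind" >"$NSSWITCH"
    for g in auth account session; do
        cp "$PAMDIR/common-$g" "$PAMDIR/common-$g.pre-winbind"
        pam_stack "$g" >"$PAMDIR/common-$g"
    done
    # Verify end to end: every user winbind enumerates must resolve through
    # NSS and land in the idmap range.
    wbinfo -u | while read -r u; do
        line=$(getent passwd "$u") && idmap_ok "$line" || echo "BAD: $u" >&2
    done
}

case "$1" in apply) apply ;; esac
```

Run `sh winbind-pam.sh apply` as root, then try `login` or ftp as ADS+someUser before touching SSH. The verification loop is the check worth keeping: a user that wbinfo lists but getent cannot resolve means nsswitch is wrong, and a uid outside the idmap range means the mapping is not coming from winbind.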

Page 20:

Can browse the network without password prompts

Page 21:

Can even manage shares from MMC, like any other server

Page 22:

Can use chown with ADS users

fresh:/tmp# touch file.txt

fresh:/tmp# ls -l file.txt

-rw-r--r-- 1 root root 0 Dec 6 02:02 file.txt

fresh:/tmp# chown ADS+AdminUser file.txt

fresh:/tmp# ls -l file.txt

-rw-r--r-- 1 ADS+AdminUser root 0 Dec 6 02:02 file.txt


Page 23:

SSH works

Page 24:

Example script commands

Some functionality isn’t provided by Samba itself, but comes from scripts you set up yourself:

Share management
User/Group management
Abort/Shutdown
Logon scripts

    admin users = ADS+AdminUser, ADS+Administrator
    add share command = /etc/samba/modify_samba_config.pl
    delete share command = /etc/samba/modify_samba_config.pl

Both kinds of setting hand out root: anyone in admin users does every file operation on the share as root regardless of the permissions, and the add/delete share commands are run by smbd as root with the share name and path the remote administrator typed in, so keep the list short and make the script validate what it is given.

Page 25:

Where does Samba cache special things?

    ADS+AdminUser@fresh:/var/lib/samba$ ls -1
    account_policy.tdb
    group_mapping.tdb
    ntdrivers.tdb
    ntforms.tdb
    ntprinters.tdb
    passdb.tdb
    printers
    registry.tdb
    secrets.tdb
    share_info.tdb
    winbindd_idmap.tdb

tdbdump can be used to examine *.tdb files
TDB is a Trivial DataBase system, like gdbm
Two of these deserve care: secrets.tdb holds the machine account password that net ads join obtained (and any LDAP bind password), so it must stay owned by root and unreadable by anyone else; winbindd_idmap.tdb holds the SID-to-uid/gid mapping, and losing it means every domain user gets a new uid and their existing files are orphaned, so back it up.
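A short audit of that directory after a join: file ownership and mode of every tdb, and which records in secrets.tdb are actual credentials. This is an added example and not from the talk or the Samba project. The directory is the slide's (/var/lib/samba) and the key names are the ones Samba 3 uses; the sample tdbdump output is constructed for the example, and the function names, the use of GNU stat and the "mode ends in 00" test are its own choices.

```shell
#!/bin/sh
# Added example (not from the talk): audit the Samba state directory after a
# join. The directory is the slide's (/var/lib/samba); the sample tdbdump
# output below is constructed for this example, and the function names,
# the use of GNU stat and the "ends in 00" mode test are its own choices.

STATEDIR="${STATEDIR:-/var/lib/samba}"

# Key names from tdbdump output on stdin. tdbdump prints each record as
#   { key(N) = "..." / data(N) = "..." }   one field per line.
tdb_keys() { sed -n 's/^key([0-9]*) = "\(.*\)"$/\1/p'; }

# Records in secrets.tdb whose data is a credential: the machine account
# password written by "net ads join" (enough to act as this host towards
# the DC) and any LDAP bind password. SID and GUID records are not secret.
tdb_secret_keys() { tdb_keys | grep -E '^SECRETS/(MACHINE_PASSWORD|LDAP_BIND_PW)/'; }

# Octal mode string with no group/other bits set: "600" and "0700" pass,
# "644" does not.
mode_private() {
    case "$1" in
        ""|*[!0-7]*) return 1 ;;
        *00) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed tdbdump output in the format above; key names are the ones
# Samba 3 uses, the data is made up.
SAMPLE_DUMP='{
key(18) = "SECRETS/SID/FRESH"
data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00"
}
{
key(29) = "SECRETS/MACHINE_PASSWORD/ADS"
data(15) = "not-a-real-pw\00"
}
{
key(20) = "SECRETS/DOMGUID/ADS"
data(16) = "\00\00\00\00\00\00\00\00"
}'

# Live audit: owner and mode of every tdb, then the checks that matter on
# secrets.tdb. Uses GNU stat -c (assumption).
audit() {
    for f in "$STATEDIR"/*.tdb; do
        printf '%-48s %s %s\n' "$f" "$(stat -c '%U:%G' "$f")" "$(stat -c '%a' "$f")"
    done
    s="$STATEDIR/secrets.tdb"
    mode_private "$(stat -c '%a' "$s")" ||
        echo "WARNING: $s is readable by group/other; chmod 600 $s" >&2
    [ "$(stat -c '%U' "$s")" = root ] || echo "WARNING: $s not owned by root" >&2
    echo "credential records in $s:"
    tdbdump "$s" | tdb_secret_keys
}

case "$1" in audit) audit ;; esac
```

Run `sh tdb-audit.sh audit` as root. To see the constructed sample instead, `printf '%s\n' "$SAMPLE_DUMP" | tdb_secret_keys` from a shell that has sourced the script.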

Page 26:

Other possibilities

Print servers, including auto-install of win32 drivers
DFS – Distributed File Systems
SSL
WINS Replication
File System Access Control Lists using extended attributes of ext3
Single Sign On in Apache
Stackable VFS: audit, recycle, databaseFS, vscan
Samba 4 goal: go through the specs one line at a time, do things properly instead of through reverse engineering. Better support for NAS, clustering, high end stuff. Better use in non-Windows environments.

Page 27:

Summary

More information available at http://www.fvlug.org/wiki/Samba
http://www.samba.org
http://ca.samba.org/samba/docs/man/ is probably THE most complete reference, covering many scenarios
Google is your friend, as always
Questions?