Seamless Integration: Active Directory Services and Samba 3.0
FVLUG, December 8, 2003
Wim Kerkhoff
Overview
- What is Microsoft Active Directory Services?
- What is Samba?
- Windows 2000 Server configuration
- Linux/Samba3 configuration
- Test Kerberos authentication
- Winbind/PAM configuration
- Test PAM using SSH/FTP
- Some screenshots, demos
- Summary
What is Active Directory Services?
- Unified environment
- Easier to manage in Win2k than NT4
- Group Policies
- Handles all sorts of things: DNS, trust relationships, etc. Everything goes in ADS/LDAP
- ADS Domain Controllers replace NT PDCs/BDCs
- LDAP
What is Samba?
Samba is a file and print server for Windows-based clients using TCP/IP as the underlying transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big strengths is that you can use it to blend your mix of Windows and Linux machines together without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.
SMB? CIFS? History
- SMB: acronym for Server Message Block. This is Microsoft's file and printer sharing protocol
- CIFS: acronym for Common Internet File System. Around 1996, Microsoft apparently decided that SMB needed the word "Internet" in it, so they changed it to CIFS
Some quotes on SMB
- "People inside Microsoft know it's a bad operating system and they still continue obviously working on it because they want to get the next version out because they want to have all these new features to sell more copies of the system." - Linus Torvalds, 1998
- "Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have been dutifully waded through during the information-gathering stages of this project, and there are *still* many missing pieces." - 1997 article on CIFS
Samba Features
- NT4/Win2k/Win3k Domain/Member Controllers
- Emulate any version of Windows
- Domain workstation, peer to peer
- Can run in native or mixed modes for Win2k
- Trusted server/client
- Authenticate against LDAP/MySQL etc., even as Primary Domain Controller
- No-strings support: OSS
- Performance/reliability/cost
- Dynamic SMB
What can't Samba do?
- Active Directory Server.
- Group Policy Objects (in Active Directory).
- Machine Policy Objects.
- Logon Scripts in Active Directory.
- Software Application and Access Controls in Active Directory.
Windows 2000 Install Overview
- Do a typical install of 2000/2003 Server
- Run dcpromo to make it the ADS Domain Controller
- Add a user account, set the password
- Add an administrator account, set the password
- That's it!
Linux/Samba3 installation overview
- This is what I did; there are a couple of ways of doing it
- Download root.bin + rescue.bin, and use them to install Debian Woody
- Don't run tasksel/dselect. Immediately dist-upgrade to Sarge or Sid
- apt-get install samba smbclient winbind ssh krb5-clients krb5-user
Configuring Linux
- Since Active Directory Services uses DNS for everything, make sure the basics work before continuing. Make sure /etc/resolv.conf has the domain/nameserver settings for Win2k
- Test resolving (e.g. ping the short hostname of the ADS server)
- Make sure the Linux hostname is set correctly
- Optionally create records in ADS DNS. Not having to rely on WINS or browse lists is nice
Configure Kerberos
- Debian does a fine job of doing this for you. If Debian is not being used or it isn't working, create a simple /etc/krb5.conf from scratch:

[libdefaults]
    default_realm = ADS.NYETWORK.ORG

[realms]
    ADS.NYETWORK.ORG = {
        kdc = BULL
        admin_server = BULL
    }

[domain_realm]
    .ads.nyetwork.org = ADS.NYETWORK.ORG
Configure Samba
- Enter the realm/domain info into the debconf wizard for the samba package to have a nice starting point
- Change/add these settings in smb.conf:

    workgroup = ADS
    realm = ADS.NYETWORK.ORG
    security = ADS
    password server = bull.ads.nyetwork.org

- Restart samba
Test Kerberos / ADS
- Sync the clocks!
- Run kinit someUser, then enter the password
- Run klist to see the Kerberos tickets
- Authenticate as a user with Administrator rights in the domain, then:

    net ads join -U adminuser

- You should now see a message that your computer is in the domain
- The computer will show up in the Active Directory Computers list
- Test a Kerberos-authenticated (-k) connection to the DC:

    smbclient '\\bull\c$' -U adminuser -k
Screenshot: Linux
Screenshot: Windows 2000
Winbind unified logons
- Combination of Windows RPC, PAM, and the NSS switch
- Add this to smb.conf (note the spelling of "separator"; a misspelled parameter is silently ignored):

    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/ads/%U
    template shell = /bin/bash

- Restart samba/winbind
- Run wbinfo -u and wbinfo -g to see all the ADS users and groups
- The default is to have all ADS accounts come through as Domain+User. Can also have Domain\User or even just User.
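As an added example (not from the slides), a small Python check of the smb.conf settings above: it parses the [global] section, flags the misspelled "winbind seperator" key, confirms security = ADS, and warns when a local /etc/passwd uid falls inside the idmap uid range, since domain and local accounts would then share ids. The smb.conf and passwd excerpts are constructed sample input.

```python
import re

# Constructed [global] section mirroring the slides, with the misspelled
# "winbind seperator" kept on purpose so the check can flag it.
SAMPLE_SMB_CONF = """
[global]
   workgroup = ADS
   realm = ADS.NYETWORK.ORG
   security = ADS
   password server = bull.ads.nyetwork.org
   winbind seperator = +
   idmap uid = 10000-20000
   idmap gid = 10000-20000
"""

# Constructed /etc/passwd excerpt; "backup" sits inside the idmap range on purpose.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
wim:x:1000:1000:Wim:/home/wim:/bin/bash
backup:x:10500:10500:backup:/var/backups:/bin/sh
"""

def parse_global(text):
    """Return the [global] parameters as a dict (keys lower-cased, spaces squeezed)."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = re.split(r'[;#]', raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith('['):
            in_global = line.lower() == '[global]'
        elif in_global and '=' in line:
            key, value = line.split('=', 1)
            params[' '.join(key.lower().split())] = value.strip()
    return params

def check_config(smb_conf, passwd):
    g, issues = parse_global(smb_conf), []
    if g.get('security', '').lower() != 'ads':
        issues.append('security must be ADS for Kerberos-based domain membership')
    if 'winbind seperator' in g:
        issues.append('"winbind seperator" is misspelled: Samba logs an unknown parameter and ignores it')
    uid_range, gid_range = g.get('idmap uid', ''), g.get('idmap gid', '')
    if not (re.fullmatch(r'\d+-\d+', uid_range) and re.fullmatch(r'\d+-\d+', gid_range)):
        issues.append('idmap uid/gid ranges missing or malformed; winbind cannot allocate ids')
    else:
        lo, hi = (int(x) for x in uid_range.split('-'))
        for entry in passwd.splitlines():
            f = entry.split(':')
            if len(f) > 2 and lo <= int(f[2]) <= hi:  # domain and local ids would collide
                issues.append(f'local account {f[0]} (uid {f[2]}) lies inside the idmap uid range')
    return issues
```

Run it against the real files with check_config(open('/etc/samba/smb.conf').read(), open('/etc/passwd').read()) before restarting winbind.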
Pluggable Authentication Modules (PAM)
- Auth modules available for LDAP, Kerberos, Netware, Radius, MySQL, PostgreSQL, or write your own
- Stackable, configurable per service (SSH vs login vs cron etc.)
- Module types: auth, account, session, password
- Control flags: required, requisite, sufficient, optional
- Other interesting session/login modules: motd, mkhomedir, lastlog, mail, tally, time, limits
- mkhomedir doesn't work with SSH because of privilege separation
Changes required to default PAM files
- Add winbind to /etc/nsswitch.conf for passwd/group/shadow
- getent passwd will now show a unified /etc/passwd
- getent group will now show a unified /etc/group
- Modify the files in /etc/pam.d to allow logins via either pam_winbind.so or pam_unix.so
- Easiest is to modify common-auth and common-account. However, not all services use them. Also, mkhomedir doesn't work with SSH, but works fine with login and ftp.
- More details can be found in the Samba docs or http://www.kernel.org/pub/linux/libs/pam/
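The PAM slides list the control flags and say to let common-auth accept either pam_winbind.so or pam_unix.so, but do not show the resulting stack or why its order matters. The following added Python example (not from the slides or from Linux-PAM itself) parses a constructed common-auth and simulates the flag semantics in simplified form, so you can see that "sufficient winbind, then required unix" admits both domain and local users while the swapped order locks domain users out. Module results are supplied as inputs rather than by real authentication.

```python
# Constructed common-auth in the layout the slides describe: try the domain
# account through winbind first, fall back to the local account database.
COMMON_AUTH = """
# /etc/pam.d/common-auth (constructed example)
auth    sufficient  pam_winbind.so
auth    required    pam_unix.so nullok_secure use_first_pass
"""

def parse_pam(text, module_type='auth'):
    """Return [(control_flag, module)] for one module type, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 3 and fields[0] == module_type:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate_stack(stack, results):
    """Simplified Linux-PAM control-flag semantics; results maps module -> bool.
    required  : failure is remembered but the stack keeps running
    requisite : failure ends the stack immediately
    sufficient: success ends the stack with success, unless a required module already failed
    optional  : counts only if no other module has decided the outcome"""
    required_failed, required_ok, optional_result = False, False, None
    for flag, module in stack:
        ok = results.get(module, False)
        if flag == 'required':
            required_failed, required_ok = required_failed or not ok, required_ok or ok
        elif flag == 'requisite':
            if not ok:
                return False
            required_ok = True
        elif flag == 'sufficient':
            if ok and not required_failed:
                return True
        elif flag == 'optional':
            optional_result = ok if optional_result is None else optional_result
        else:
            raise ValueError(f'unknown control flag: {flag}')
    if required_failed:
        return False
    if required_ok:
        return True
    return bool(optional_result)  # nothing decided (e.g. every sufficient module failed)

def login_allowed(pam_text, module_results):
    return evaluate_stack(parse_pam(pam_text), module_results)
```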
Can browse the network without password prompts
Can even manage shares from MMC, like any other server
Can use chown with ADS users
fresh:/tmp# touch file.txt
fresh:/tmp# ls -l file.txt
-rw-r--r-- 1 root root 0 Dec 6 02:02 file.txt
fresh:/tmp# chown ADS+AdminUser file.txt
fresh:/tmp# ls -l file.txt
-rw-r--r-- 1 ADS+AdminUser root 0 Dec 6 02:02 file.txt
SSH works
Example script commands
- Some functionality isn't provided by Samba itself, but comes from scripts you set up yourself
- Share management
- User/Group management
- Abort/Shutdown
- Logon scripts

    admin users = ADS+AdminUser, ADS+Administrator
    add share command = /etc/samba/modify_samba_config.pl
    delete share command = /etc/samba/modify_samba_config.pl
Where does Samba cache special things?

ADS+AdminUser@fresh:/var/lib/samba$ ls -1
account_policy.tdb
group_mapping.tdb
ntdrivers.tdb
ntforms.tdb
ntprinters.tdb
passdb.tdb
printers
registry.tdb
secrets.tdb
share_info.tdb
winbindd_idmap.tdb

- tdbdump can be used to examine *.tdb files
- TDB is a Trivial DataBase system, like gdbm
Other possibilities
- Print servers, including auto-install of Win32 drivers
- DFS (Distributed File System)
- SSL
- WINS replication
- File system Access Control Lists using extended attributes of ext3
- Single Sign On in Apache
- Stackable VFS: audit, recycle, databaseFS, vscan
- Samba 4 goal: go through the specs one line at a time, do things properly instead of through reverse engineering. Better support for NAS, clustering, high-end stuff. Better use in non-Windows environments.
Summary
- More information available at http://www.fvlug.org/wiki/Samba
- http://www.samba.org
- http://ca.samba.org/samba/docs/man/ is probably THE most complete reference, covering many scenarios
- Google is your friend, as always
- Questions