Samba3 OpenLDAP Krb5 Active Directory


Seamless Integration:
Active Directory Services
and Samba 3.0
FVLUG, December 8, 2003
Wim Kerkhoff
Overview

What is Microsoft Active Directory Services?

What is Samba?

Windows 2000 Server configuration

Linux/Samba3 configuration

Test Kerberos authentication

Winbind/PAM configuration

Test PAM using SSH/FTP

Some screenshots, demos

Summary
What is Active Directory
Services?

Unified Environment

Easier to manage in Win2k than NT4

Group Policies

Handles all sorts of things: DNS, trust
relationships, etc. Everything goes in
ADS/LDAP

ADS Domain Controllers replace NT
PDC/BDCs

LDAP
What is Samba?
Samba is a file and print server for Windows-based
clients using TCP/IP as the underlying transport
protocol. In fact, it can support any SMB/CIFS-
enabled client. One of Samba's big strengths is that
you can use it to blend your mix of Windows and
Linux machines together without requiring a separate
Windows NT/2000/2003 Server. Samba is actively
being developed by a global team of about 30 active
programmers and was originally developed by
Andrew Tridgell.
SMB? CIFS? History

SMB: Acronym for "Server Message
Block". This is Microsoft's file and printer
sharing protocol

CIFS: Acronym for "Common Internet File
System". Around 1996, Microsoft
apparently decided that SMB needed the
word "Internet" in it, so they changed it to
CIFS
Some quotes on SMB

"People inside Microsoft know it's a bad operating
system and they still continue obviously working on it
because they want to get the next version out because
they want to have all these new features to sell more
copies of the system." - Linus Torvalds, 1998

"Several megabytes of NT-security archives, random
whitepapers, RFCs, the CIFS spec, the Samba stuff, a
few MS knowledge-base articles, strings extracted from
binaries, and packet dumps have been dutifully waded
through during the information-gathering stages of this
project, and there are *still* many missing pieces."
- 1997 article on CIFS
Samba Features

NT4/Win2k/Win3k Domain/Member Controllers

Emulate any version of Windows

Domain workstation, Peer to Peer

Can run in "native" or "mixed" modes for Win2k

Trusted Server/Client

Authenticate against LDAP/MySQL etc, even as
Primary Domain Controller

No-strings Support: OSS

Performance/reliability/cost

Dynamic SMB
What can't Samba do?

Active Directory Server.

Group Policy Objects (in Active Directory).

Machine Policy Objects.

Logon Scripts in Active Directory.

Software Application and Access Controls in
Active Directory.
Windows 2000 Install Overview

Do a typical install of 2000/2003 Server

Run dcpromo to become the ADS Domain
Controller

Add a user account, set the password

Add an administrator account, set the
password

That's it!
Linux/Samba3 installation
overview

This is what I did; a couple of ways of doing it

Download root.bin+rescue.bin, and use them
to install Debian Woody

Don't run tasksel/dselect. Immediately
dist-upgrade to Sarge or Sid

apt-get install samba smbclient winbind
ssh krb5-clients krb5-user
Configuring Linux

Since Active Directory Services uses DNS for
everything, make sure the basics work before
continuing. Make sure /etc/resolv.conf has the
domain/nameserver settings for Win2k

Test resolving (e.g. ping the short hostname of the
ADS server)

Make sure Linux hostname is set correctly

Optionally create records in the ADS DNS. Not having
to rely on WINS or browse lists is nice
Configure Kerberos

Debian does a fine job of doing this for you. If
Debian is not being used or it isn't working,
create a simple krb5.conf from scratch:
[libdefaults]
    # the realm is the ADS domain name, upper-cased
    default_realm = ADS.NYETWORK.ORG
[realms]
    ADS.NYETWORK.ORG = {
        # the Win2k domain controller; must resolve through the ADS DNS
        kdc = BULL
        admin_server = BULL
    }
[domain_realm]
    .ads.nyetwork.org = ADS.NYETWORK.ORG
Configure Samba

Enter the realm/domain info into the debconf
wizard for the samba package to get a nice
starting point

Change/Add these settings:
workgroup = ADS
realm = ADS.NYETWORK.ORG
security = ADS
password server = bull.ads.nyetwork.org

Restart samba
Test Kerberos / ADS

Sync the clocks!

Run: kinit someUser, then enter password

Run: klist to see Kerberos tickets

Authenticate as a user with Administrator rights in
the domain, then:

net ads join -U adminuser

Should now see a message that your computer is in
the domain

Computer will show up in Active Directory Computers
list

smbclient '//bull/c$' -U adminuser -k
Screenshot: Linux
Screenshot: Windows 2000
Winbind: unified logons

Combination of Windows RPC, PAM, NSS switch

Add this to smb.conf:
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/ads/%U
template shell = /bin/bash

Restart samba/winbind

Run wbinfo -u and wbinfo -g to see all the ADS users and
groups

The default is to have all ADS accounts come through as
Domain+User. Can also have Domain\User or even just User.
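Before winbind is wired into nsswitch, it is worth checking the smb.conf settings from the "Configure Samba" and winbind slides above against the local account database: the idmap range must not overlap UIDs already in /etc/passwd, or a domain account and a local account would share one identity. This is an added example, not from the talk; the smb.conf and passwd contents are constructed samples.

```shell
#!/bin/sh
# Added example: validate the ADS/winbind settings in an smb.conf and make sure
# the "idmap uid" range is free of local accounts. Both input files below are
# constructed samples (values taken from the slides, plus one colliding user).

SMB_CONF=$(mktemp)
cat > "$SMB_CONF" <<'EOF'
[global]
   workgroup = ADS
   realm = ADS.NYETWORK.ORG
   security = ADS
   winbind separator = +
   idmap uid = 10000-20000
   idmap gid = 10000-20000
EOF

PASSWD=$(mktemp)
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
wim:x:1000:1000:Wim:/home/wim:/bin/bash
svcbackup:x:15000:15000:backup service:/var/backups:/bin/false
EOF

# smb_value FILE KEY -> prints the value of KEY; key match ignores case and
# surrounding/internal whitespace, as smbd itself does.
smb_value() {
    awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k) }
        tolower(k) == tolower(key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    ' "$1"
}

# idmap_collisions SMBCONF PASSWD -> prints local user names whose UID falls
# inside the "idmap uid" range; empty output means the range is safe.
idmap_collisions() {
    range=$(smb_value "$1" "idmap uid")
    lo=${range%-*}; hi=${range#*-}
    awk -F: -v lo="$lo" -v hi="$hi" '$3 >= lo && $3 <= hi { print $1 }' "$2"
}

# security_is_ads SMBCONF -> exit 0 when the security mode is the one required here.
security_is_ads() {
    [ "$(smb_value "$1" security | tr 'A-Z' 'a-z')" = "ads" ]
}

collisions=$(idmap_collisions "$SMB_CONF" "$PASSWD")
[ -z "$collisions" ] || echo "idmap uid range overlaps local accounts: $collisions"
```

Run against the real /etc/samba/smb.conf and /etc/passwd; the same check applies to "idmap gid" and /etc/group.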
Pluggable Authentication
Modules (PAM)

Auth Modules available for LDAP, Kerberos, Netware,
Radius, MySQL, PostgreSQL, or write your own

Stackable, configurable per service (SSH vs login vs
cron etc)

Module types: auth, account, session, password

Control flags: required, requisite, sufficient, optional

Other interesting session/login modules: motd,
mkhomedir, lastlog, mail, tally, time, limits

mkhomedir doesn't work with SSH because of privilege
separation
Changes required to default
PAM files

Add winbind to /etc/nsswitch.conf for
passwd/group/shadow

getent passwd will now show a unified /etc/passwd

getent group will now show a unified /etc/group

Modify the files in /etc/pam.d to allow logins via either
pam_winbind.so or pam_unix.so

The easiest approach is to modify common-auth and
common-account. However, not all services use them. Also,
mkhomedir doesn't work with SSH, but works fine with login and ftp.

More details can be found in the Samba docs or
http://www.kernel.org/pub/linux/libs/pam/
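The common-auth/common-account stacks described above, as an added example (not from the talk), together with a checker for the ordering and control flags that make the dual pam_winbind/pam_unix login behave: winbind is tried first as "sufficient", pam_unix follows as "required" with use_first_pass so the password is asked for only once and local accounts (root included) keep working when the domain controller is unreachable. The PAM files are constructed samples written to a temporary directory, not the live /etc/pam.d.

```shell
#!/bin/sh
# Added example: sample Debian-style common-auth / common-account stacks for
# winbind + unix logins, plus a check that the stack is ordered the safe way.

PAMDIR=$(mktemp -d)
cat > "$PAMDIR/common-auth" <<'EOF'
# domain users succeed here and the stack stops ("sufficient")
auth    sufficient  pam_winbind.so
# local users fall through to pam_unix; reuse the password already typed
auth    required    pam_unix.so use_first_pass
EOF
cat > "$PAMDIR/common-account" <<'EOF'
account sufficient  pam_winbind.so
account required    pam_unix.so
EOF
# A deliberately wrong stack: pam_unix first and both "required". Domain users
# are visible through nsswitch but have no local hash, so pam_unix fails and
# "required" makes the whole stack fail for every domain login.
cat > "$PAMDIR/common-auth.bad" <<'EOF'
auth    required    pam_unix.so
auth    required    pam_winbind.so
EOF

# pam_stack_ok FILE KIND -> exit 0 when the first KIND entry is pam_winbind.so
# marked sufficient, the second is pam_unix.so marked required, and for "auth"
# pam_unix carries use_first_pass. Comment lines never match $1 == KIND.
pam_stack_ok() {
    awk -v kind="$2" '
        $1 == kind { n++; ctl[n] = $2; mod[n] = $3; rest[n] = $0 }
        END {
            if (n < 2) exit 1
            if (mod[1] != "pam_winbind.so" || ctl[1] != "sufficient") exit 1
            if (mod[2] != "pam_unix.so"    || ctl[2] != "required")   exit 1
            if (kind == "auth" && rest[2] !~ /use_first_pass/) exit 1
            exit 0
        }' "$1"
}

for f in common-auth common-account common-auth.bad; do
    kind=${f#common-}; kind=${kind%.bad}
    if pam_stack_ok "$PAMDIR/$f" "$kind"; then
        echo "$f: ok"
    else
        echo "$f: BAD ordering or control flags"
    fi
done
```
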
Can browse the network
without password prompts
Can even manage shares from
MMC, like any other server
Can use chown with ADS
users
fresh:/tmp# touch file.txt
fresh:/tmp# ls -l file.txt
-rw-r--r-- 1 root root 0 Dec 6 02:02 file.txt
fresh:/tmp# chown ADS+AdminUser file.txt
fresh:/tmp# ls -l file.txt
-rw-r--r-- 1 ADS+AdminUser root 0 Dec 6 02:02 file.txt
SSH works
Example script commands

Some functionality isn't provided by Samba
itself, but comes from scripts you set up
yourself

Share management

User/Group management

Abort/Shutdown

Logon scripts
admin users = ADS+AdminUser, ADS+Administrator
add share command = /etc/samba/modify_samba_config.pl
delete share command = /etc/samba/modify_samba_config.pl
Where does Samba cache
special things?
ADS+AdminUser@fresh:/var/lib/samba$ ls -1
account_policy.tdb
group_mapping.tdb
ntdrivers.tdb
ntforms.tdb
ntprinters.tdb
passdb.tdb
printers
registry.tdb
secrets.tdb
share_info.tdb
winbindd_idmap.tdb

tdbdump can be used to examine *.tdb files

TDB is a Trivial DataBase system, like gdbm
Other possibilities

Print servers, including auto-install of win32 drivers

DFS: Distributed File System

SSL

WINS Replication

File System Access Control Lists using extended
attributes of ext3

Single Sign On in Apache

Stackable VFS: audit, recycle, databaseFS, vscan

Samba 4 goal: Go through specs one line at a time,
do things proper instead of through reverse
engineering. Better support for NAS, clustering, high
end stuff. Better use in non-Windows environments.
Summary

More information available at
http://www.fvlug.org/wiki/Samba

http://www.samba.org

http://ca.samba.org/samba/docs/man/ is
probably THE most complete reference,
covering many scenarios

Google is your friend, as always

Questions

