Seamless Integration: Active Directory Services
and Samba 3.0
FVLUG – December 8, 2003
Wim Kerkhoff
Overview
What is Microsoft Active Directory Services?
What is Samba?
Windows 2000 Server configuration
Linux/Samba3 configuration
Test Kerberos authentication
Winbind/PAM configuration
Test PAM using SSH/FTP
Some screenshots, demos
Summary
What is Active Directory Services?
Unified environment
Easier to manage in Win2k than NT4
Group Policies
Handles all sorts of things: DNS, trust relationships, etc.
Everything goes in ADS/LDAP
ADS Domain Controllers replace NT PDC/BDCs
LDAP
What is Samba?
“Samba is a file and print server for Windows-based clients using TCP/IP as the underlying transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big strengths is that you can use it to blend your mix of Windows and Linux machines together without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.”
SMB? CIFS? History
“SMB: Acronym for ‘Server Message Block’. This is Microsoft's file and printer sharing protocol”
“CIFS: Acronym for ‘Common Internet File System’. Around 1996, Microsoft apparently decided that SMB needed the word "Internet" in it, so they changed it to CIFS”
Some quotes on SMB
“People inside Microsoft know it's a bad operating system and they still continue obviously working on it because they want to get the next version out because they want to have all these new features to sell more copies of the system.” - Linus Torvalds, 1998
“Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have been dutifully waded through during the information-gathering stages of this project, and there are *still* many missing pieces.” – 1997 article on CIFS
Samba Features
NT4/Win2k/Win3k Domain/Member Controllers
Emulate any version of Windows
Domain workstation, Peer to Peer
Can run in “native” or “mixed” modes for Win2k
Trusted Server/Client
Authenticate against LDAP/MySQL etc., even as Primary Domain Controller
No-strings support: OSS
Performance/reliability/cost
Dynamic SMB
What can’t Samba do?
Active Directory Server
Group Policy Objects (in Active Directory)
Machine Policy Objects
Logon Scripts in Active Directory
Software Application and Access Controls in Active Directory
Windows 2000 Install Overview
Do a typical install of 2000/2003 Server
Run ‘dcpromo’ to become the ADS Domain Controller
Add a user account, set the password
Add an administrator account, set the password
That’s it!
Linux/Samba3 installation overview
This is what I did; a couple of ways of doing it
Download root.bin+rescue.bin, and use them to install Debian Woody
Don’t run tasksel/dselect. Immediately dist-upgrade to Sarge or Sid
apt-get install samba smbclient winbind smbclient ssh krb5-clients krb5-user
Configuring Linux
Since Active Directory Services uses DNS for everything, make sure the basics work before continuing.
Make sure /etc/resolv.conf has the domain/nameserver settings for Win2k
Test resolving (e.g. ping the short hostname of the ADS server)
Make sure the Linux hostname is set correctly
Optionally create records in ADS DNS. Not having to rely on WINS or browse lists is nice
Configure Kerberos
Debian does a fine job of doing this for you. If Debian is not being used or it isn’t working, create a simple /etc/krb5.conf from scratch:
[libdefaults]
    default_realm = ADS.NYETWORK.ORG
[realms]
    ADS.NYETWORK.ORG = {
        kdc = BULL
        admin_server = BULL
    }
[domain_realm]
    .ads.nyetwork.org = ADS.NYETWORK.ORG
Configure Samba
Enter the realm/domain info into the debconf wizard for the samba package to have a nice starting point
Change/Add these settings:
workgroup = ADS
realm = ADS.NYETWORK.ORG
security = ADS
password server = bull.ads.nyetwork.org
Restart samba
Test Kerberos / ADS
Sync the clocks!
Run: kinit someUser, then enter password
Run: klist to see Kerberos tickets
Authenticate as a user with Administrator rights in the domain, then: net ads join -U adminuser
Should now see a message that your computer is in the domain
Computer will show up in the Active Directory Computers list
smbclient ‘\\bull\c$’ -U adminuser -k
Screenshot: Linux
Screenshot: Windows 2000
Winbind – unified logons
Combination of Windows RPC, PAM, NSS switch
Add this to smb.conf:
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/ads/%U
template shell = /bin/bash
Restart samba/winbind
Run wbinfo -u and wbinfo -g to see all the ADS users and groups
The default is to have all ADS accounts come through as Domain+User. Can also have Domain\User or even just User.
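As an added example (not from the talk), a small bash script that cross-checks the krb5.conf and smb.conf fragments from the Kerberos, Samba and winbind slides before net ads join is attempted: the realms must match and be upper-case, security must be ADS, the password server must sit inside the realm's DNS domain, and the misspelled key winbind seperator is caught because Samba reports it as unknown and ignores it. The sample files it writes are constructed from the slides' values; the file paths are parameters.

```shell
#!/bin/bash
# Added example (not from the talk): cross-check the krb5.conf and smb.conf
# fragments before running 'net ads join'. The sample files are constructed.
set -u

ini_get() {  # ini_get FILE KEY  -> value of the first "KEY = value" line
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\1/p" "$1" | head -n 1
}

check_ads_config() {  # check_ads_config KRB5_CONF SMB_CONF ; returns 0 when consistent
    local krb="$1" smb="$2" rc=0 default_realm realm security pwsrv domain
    default_realm=$(ini_get "$krb" default_realm)
    realm=$(ini_get "$smb" realm)
    security=$(ini_get "$smb" security)
    pwsrv=$(ini_get "$smb" "password server")
    # Kerberos realm names are case-sensitive; both files must carry the same one.
    if [ "$realm" != "$default_realm" ]; then
        echo "realm mismatch: smb.conf '$realm' vs krb5.conf '$default_realm'"; rc=1
    fi
    case "$realm" in *[[:lower:]]*) echo "realm '$realm' should be upper-case"; rc=1 ;; esac
    # Only security = ADS makes Samba authenticate to the DC with Kerberos.
    if [ "$(printf '%s' "$security" | tr '[:lower:]' '[:upper:]')" != "ADS" ]; then
        echo "security = '$security', expected ADS"; rc=1
    fi
    # The password server must be a host inside the realm's DNS domain.
    domain=$(printf '%s' "$default_realm" | tr '[:upper:]' '[:lower:]')
    case "$pwsrv" in *."$domain") ;; *) echo "password server '$pwsrv' is not in $domain"; rc=1 ;; esac
    # A misspelled key such as 'winbind seperator' is reported as unknown and ignored.
    if grep -qi '^[[:space:]]*winbind seperator' "$smb"; then
        echo "smb.conf uses 'winbind seperator'; the parameter is 'winbind separator'"; rc=1
    fi
    return $rc
}

write_sample_configs() {  # constructed copies of the fragments shown on the slides
    printf '[libdefaults]\n    default_realm = ADS.NYETWORK.ORG\n' > "$1/krb5.conf"
    printf '[global]\n    workgroup = ADS\n    realm = ADS.NYETWORK.ORG\n' > "$1/smb.conf"
    printf '    security = ADS\n    password server = bull.ads.nyetwork.org\n' >> "$1/smb.conf"
    printf '    winbind separator = +\n' >> "$1/smb.conf"
}

demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
check_ads_config "$demo_dir/krb5.conf" "$demo_dir/smb.conf" && echo "configs are consistent"
```

Run it against the real /etc/krb5.conf and /etc/samba/smb.conf by passing those paths to check_ads_config; a non-zero exit lists every finding.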
Pluggable Authentication Modules (PAM)
Auth modules available for LDAP, Kerberos, Netware, Radius, MySQL, PostgreSQL, or write your own
Stackable, configurable per service (SSH vs login vs cron etc.)
Module types: auth, account, session, password
Control flags: required, requisite, sufficient, optional
Other interesting session/login modules: motd, mkhomedir, lastlog, mail, tally, time, limits
mkhomedir doesn’t work with SSH because of privilege separation
Changes required to default PAM files
Add winbind to /etc/nsswitch.conf for passwd/group/shadow
getent passwd will now show a unified /etc/passwd
getent group will now show a unified /etc/group
Modify the files in /etc/pam.d to allow logins via either pam_winbind.so or pam_unix.so
Easiest is to modify common-auth and common-account. However not all services use them.
Also, mkhomedir doesn’t work with SSH, but works fine with login and ftp.
More details can be found in the Samba docs or http://www.kernel.org/pub/linux/libs/pam/
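A worked NSS and PAM stack for the changes listed above, added here as an example and not taken from the talk. It assumes Debian's common-* layout and the winbind settings from the earlier smb.conf slide; the module options are the standard ones of pam_unix and pam_mkhomedir.

```text
# /etc/nsswitch.conf: append winbind so getent sees ADS users and groups
passwd:         compat winbind
group:          compat winbind

# /etc/pam.d/common-auth: try winbind first. "sufficient" means a domain
# success ends the stack; a failure falls through to the local password.
# use_first_pass stops pam_unix from prompting a second time.
auth    sufficient      pam_winbind.so
auth    required        pam_unix.so use_first_pass

# /etc/pam.d/common-account: both sources may vet the account
account sufficient      pam_winbind.so
account required        pam_unix.so

# /etc/pam.d/common-session: create /home/ads/<user> on first login
# (works for login and ftp; not for sshd with privilege separation)
session required        pam_unix.so
session optional        pam_mkhomedir.so skel=/etc/skel umask=0022
```

Services with their own file in /etc/pam.d (for example sshd) only pick this up if they @include common-auth and common-account, which is why the talk warns that not all services use them.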
Can browse the network without password prompts
Can even manage shares from MMC, like any other server
Can use chown with ADS users
fresh:/tmp# touch file.txt
fresh:/tmp# ls -l file.txt
-rw-r--r-- 1 root root 0 Dec 6 02:02 file.txt
fresh:/tmp# chown ADS+AdminUser file.txt
fresh:/tmp# ls -l file.txt
-rw-r--r-- 1 ADS+AdminUser root 0 Dec 6 02:02 file.txt
SSH works
Example script commands
Some functionality isn’t provided by Samba itself, but comes from scripts you set up yourself
Share management
User/Group management
Abort/Shutdown
Logon scripts
admin users = ADS+AdminUser, ADS+Administrator
add share command = /etc/samba/modify_samba_config.pl
delete share command = /etc/samba/modify_samba_config.pl
Where does Samba cache special things?
ADS+AdminUser@fresh:/var/lib/samba$ ls -1
account_policy.tdb
group_mapping.tdb
ntdrivers.tdb
ntforms.tdb
ntprinters.tdb
passdb.tdb
printers
registry.tdb
secrets.tdb
share_info.tdb
winbindd_idmap.tdb
tdbdump can be used to examine *.tdb files
TDB is a Trivial DataBase system, like gdbm
Other possibilities
Print servers, including auto-install of win32 drivers
DFS – Distributed File Systems
SSL
WINS Replication
File System Access Control Lists using extended attributes of ext3
Single Sign On in Apache
Stackable VFS: audit, recycle, databaseFS, vscan
Samba 4 goal: Go through specs one line at a time, do things proper instead of through reverse engineering. Better support for NAS, clustering, high end stuff. Better use in non-Windows environments.
Summary
More information available at http://www.fvlug.org/wiki/Samba
http://www.samba.org
http://ca.samba.org/samba/docs/man/ is probably THE most complete reference, covering many scenarios
Google is your friend, as always
Questions