Seamless Integration: Active Directory Services and Samba 3.0

About This Presentation
Title:

Seamless Integration: Active Directory Services and Samba 3.0


Slides: 28
Provided by: WimKer
Learn more at: http://www.nyetwork.org
Transcript and Presenter's Notes

1
Seamless Integration Active Directory Services
and Samba 3.0
  • FVLUG December 8, 2003
  • Wim Kerkhoff

2
Overview
  • What is Microsoft Active Directory Services?
  • What is Samba?
  • Windows 2000 Server configuration
  • Linux/Samba3 configuration
  • Test Kerberos authentication
  • Winbind/PAM configuration
  • Test PAM using SSH/FTP
  • Some screenshots, demos
  • Summary

3
What is Active Directory Services?
  • Unified Environment
  • Easier to manage in Win2k than NT4
  • Group Policies
  • Handles all sorts of things: DNS, trust
    relationships, etc. Everything goes in ADS/LDAP
  • ADS Domain Controllers replace NT PDC/BDCs
  • LDAP

4
What is Samba?
  • Samba is a file and print server for
    Windows-based clients using TCP/IP as the
    underlying transport protocol. In fact, it can
    support any SMB/CIFS-enabled client. One of
    Samba's big strengths is that you can use it to
    blend your mix of Windows and Linux machines
    together without requiring a separate Windows
    NT/2000/2003 Server. Samba is actively being
    developed by a global team of about 30 active
    programmers and was originally developed by
    Andrew Tridgell.

5
SMB? CIFS? History
  • SMB: acronym for Server Message Block. This is
    Microsoft's file and printer sharing protocol
  • CIFS: acronym for Common Internet File System.
    Around 1996, Microsoft apparently decided that
    SMB needed the word "Internet" in it, so they
    changed it to CIFS

6
Some quotes on SMB
  • "People inside Microsoft know it's a bad
    operating system and they still continue
    obviously working on it because they want to get
    the next version out because they want to have
    all these new features to sell more copies of the
    system." - Linus Torvalds, 1998
  • "Several megabytes of NT-security archives,
    random whitepapers, RFCs, the CIFS spec, the
    Samba stuff, a few MS knowledge-base articles,
    strings extracted from binaries, and packet dumps
    have been dutifully waded through during the
    information-gathering stages of this project, and
    there are still many missing pieces." - 1997
    article on CIFS

7
Samba Features
  • NT4/Win2k/Win3k Domain/Member Controllers
  • Emulate any version of Windows
  • Domain workstation, Peer to Peer
  • Can run in native or mixed modes for Win2k
  • Trusted Server/Client
  • Authenticate against LDAP/MySQL etc, even as
    Primary Domain Controller
  • No-strings support (OSS)
  • Performance/reliability/cost
  • Dynamic SMB

8
What can't Samba do?
  • Active Directory Server.
  • Group Policy Objects (in Active Directory).
  • Machine Policy Objects.
  • Logon Scripts in Active Directory.
  • Software Application and Access Controls in
    Active Directory.

9
Windows 2000 Install Overview
  • Do a typical install of 2000/2003 Server
  • Run dcpromo to become the ADS Domain
    Controller
  • Add a user account, set the password
  • Add an administrator account, set the password
  • That's it!

10
Linux/Samba3 installation overview
  • This is what I did; there are a couple of ways
    of doing it
  • Download root.bin/rescue.bin, and use them to
    install Debian Woody
  • Don't run tasksel/dselect. Immediately
    dist-upgrade to Sarge or Sid
  • apt-get install samba smbclient winbind ssh
    krb5-clients krb5-user

11
Configuring Linux
  • Since Active Directory Services uses DNS for
    everything, make sure the basics work before
    continuing. Make sure /etc/resolv.conf has the
    domain/nameserver settings for Win2k
  • Test resolving (eg ping the short hostname of the
    ADS server)
  • Make sure Linux hostname is set correctly
  • Optionally create records in ADS DNS. Not having
    to rely on WINS or browse lists is nice

12
Configure Kerberos
  • Debian does a fine job of doing this for you. If
    Debian is not being used or it isn't working,
    create a simple /etc/krb5.conf from scratch

    [libdefaults]
        default_realm = ADS.NYETWORK.ORG

    [realms]
        ADS.NYETWORK.ORG = {
            kdc = BULL
            admin_server = BULL
        }

    [domain_realm]
        .ads.nyetwork.org = ADS.NYETWORK.ORG

13
Configure Samba
  • Enter the realm/domain info into the debconf
    wizard for the samba package to have nice
    starting point
  • Change/Add these settings
  • Restart samba

    [global]
        workgroup = ADS
        realm = ADS.NYETWORK.ORG
        security = ADS
        password server = bull.ads.nyetwork.org

14
Test Kerberos / ADS
  • Sync the clocks!
  • Run kinit someUser, then enter password
  • Run klist to see Kerberos tickets
  • Authenticate as a user with Administrator rights
    in the domain, then
  • net ads join -U adminuser
  • Should now see a message that your computer is in
    the domain
  • Computer will show up in Active Directory
    Computers list
  • smbclient //bull/c$ -U adminuser -k
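The join on this slide fails in predictable ways when the basics from slides 11 and 14 are off: clock skew beyond the Kerberos default of 300 seconds, a hostname that is not fully qualified, a resolv.conf that does not point at the Windows DNS, or a lower-case realm. The following pre-flight script is an added example, not part of the presentation; the KDC timestamp is passed in as an argument (for instance taken from `net time -S bull`, assumed reachable) so the checks can also run offline, and the sample resolv.conf contents are constructed.

```shell
#!/bin/sh
# Pre-flight checks before "net ads join" (added example, not from the slides).
# Each function returns 0 on pass and 1 on fail, with the reason on stderr,
# so a wrapper script can stop before attempting the join.

# Kerberos rejects authenticators when client and KDC clocks differ by more
# than the clockskew setting, 300 seconds by default.
MAX_SKEW=300

# check_clock_skew LOCAL_EPOCH KDC_EPOCH [MAX_SECONDS]
# Both values are seconds since the epoch (e.g. `date +%s` locally and the
# DC's time obtained separately; a constructed value in tests).
check_clock_skew() {
    local_t=$1; kdc_t=$2; max=${3:-$MAX_SKEW}
    diff=$((local_t - kdc_t))
    [ "$diff" -lt 0 ] && diff=$((0 - diff))
    if [ "$diff" -gt "$max" ]; then
        echo "clock skew ${diff}s exceeds ${max}s; sync the clock to the DC first" >&2
        return 1
    fi
    return 0
}

# check_fqdn HOSTNAME: the name registered in ADS must carry the domain part,
# otherwise the machine account, DNS record and Kerberos principal disagree.
check_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   echo "hostname '$1' is not fully qualified" >&2; return 1 ;;
    esac
}

# check_resolv_conf FILE DOMAIN: ADS locates the KDC and LDAP servers through
# DNS SRV records, so the resolver must search the ADS domain and have a
# nameserver (normally the DC itself).
check_resolv_conf() {
    file=$1; domain=$2
    grep -Eq "^(search|domain)[[:space:]].*$domain" "$file" || {
        echo "$file does not list $domain in a search/domain line" >&2; return 1; }
    grep -Eq "^nameserver[[:space:]]" "$file" || {
        echo "$file has no nameserver line" >&2; return 1; }
    return 0
}

# check_realm_case REALM: Kerberos realms are case sensitive and Windows
# publishes them upper-case; a lower-case realm in krb5.conf or smb.conf
# fails at kinit time with an unknown-realm error.
check_realm_case() {
    case "$1" in
        *[a-z]*) echo "realm '$1' must be upper-case" >&2; return 1 ;;
        *)       return 0 ;;
    esac
}
```

Run the four checks from one wrapper (local time from `date +%s`, the DC's time from whatever source you trust) and only proceed to `kinit` and `net ads join` when all of them pass.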

15
Screenshot Linux
16
Screenshot Windows 2000
17
Winbind unified logons
  • Combination of Windows RPC, PAM, NSS switch
  • Add this to smb.conf
  • Restart samba/winbind
  • Run wbinfo -u and wbinfo -g to see all the ADS
    users and groups
  • The default is to have all ADS accounts come
    through as Domain+User. Can also have Domain\User
    or even just User.

    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/ads/%U
    template shell = /bin/bash
18
Pluggable Authentication Modules (PAM)
  • Auth Modules available for LDAP, Kerberos,
    Netware, Radius, MySQL, PostgreSQL, or write your
    own
  • Stackable, configurable per service (SSH vs login
    vs cron etc)
  • Module types: auth, account, session, password
  • Control flags: required, requisite, sufficient,
    optional
  • Other interesting session/login modules: motd,
    mkhomedir, lastlog, mail, tally, time, limits
  • mkhomedir doesn't work with SSH because of
    privilege separation

19
Changes required to default PAM files
  • Add winbind to /etc/nsswitch.conf for
    passwd/group/shadow
  • getent passwd will now show a unified
    /etc/passwd
  • getent group will now show a unified /etc/group
  • Modify the files in /etc/pam.d to allow logins
    via either pam_winbind.so or pam_unix.so
  • Easiest is to modify common-auth and
    common-account. However, not all services use
    them. Also, mkhomedir doesn't work with SSH, but
    works fine with login and ftp.
  • More details can be found in the Samba docs or
    http://www.kernel.org/pub/linux/libs/pam/

20
Can browse the network without password prompts
21
Can even manage shares from MMC, like any other
server
22
Can use chown with ADS users
    fresh:/tmp# touch file.txt
    fresh:/tmp# ls -l file.txt
    -rw-r--r--    1 root     root            0 Dec  6 02:02 file.txt
    fresh:/tmp# chown ADS+AdminUser file.txt
    fresh:/tmp# ls -l file.txt
    -rw-r--r--    1 ADS+AdminUser root        0 Dec  6 02:02 file.txt

23
SSH works
24
Example script commands
  • Some functionality isn't provided by Samba
    itself, but comes from scripts you set up
    yourself
  • Share management
  • User/Group management
  • Abort/Shutdown
  • Logon scripts
    admin users = ADS+AdminUser, ADS+Administrator
    add share command = /etc/samba/modify_samba_config.pl
    delete share command = /etc/samba/modify_samba_config.pl

25
Where does Samba cache special things?
  • ADS+AdminUser@fresh:/var/lib/samba$ ls -1
  • account_policy.tdb
  • group_mapping.tdb
  • ntdrivers.tdb
  • ntforms.tdb
  • ntprinters.tdb
  • passdb.tdb
  • printers
  • registry.tdb
  • secrets.tdb
  • share_info.tdb
  • winbindd_idmap.tdb
  • tdbdump can be used to examine .tdb files
  • TDB is a Trivial DataBase system, like gdbm

26
Other possibilities
  • Print servers, including auto-install of win32
    drivers
  • DFS (Distributed File System)
  • SSL
  • WINS Replication
  • File System Access Control Lists using extended
    attributes of ext3
  • Single Sign On in Apache
  • Stackable VFS modules: audit, recycle, databaseFS,
    vscan
  • Samba 4 goal: go through specs one line at a
    time, do things properly instead of through reverse
    engineering. Better support for NAS, clustering,
    high-end stuff. Better use in non-Windows
    environments.

27
Summary
  • More information available at
    http://www.fvlug.org/wiki/Samba
  • http://www.samba.org
  • http://ca.samba.org/samba/docs/man/ is probably
    THE most complete reference, covering many
    scenarios
  • Google is your friend, as always
  • Questions?