Seamless Integration between Active Directory Services and

Seamless Integration: Active Directory Services and Samba 3.0
FVLUG – December 8, 2003
Wim Kerkhoff

Overview

- What is Microsoft Active Directory Services?
- What is Samba?
- Windows 2000 Server configuration
- Linux/Samba3 configuration
- Test Kerberos authentication
- Winbind/PAM configuration
- Test PAM using SSH/FTP
- Some screenshots, demos
- Summary

What is Active Directory Services?

- Unified Environment
- Easier to Manage in Win2k than NT4
- Group Policies
- Handles all sorts of things: DNS, trust relationships, etc. Everything goes in ADS/LDAP
- ADS Domain Controllers replace NT PDC/BDCs
- LDAP

What is Samba?

“Samba is a file and print server for Windows-based clients using TCP/IP as the underlying transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big strengths is that you can use it to blend your mix of Windows and Linux machines together without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.”

SMB? CIFS? History

- “SMB: Acronym for ‘Server Message Block’. This is Microsoft's file and printer sharing protocol”
- “CIFS: Acronym for ‘Common Internet File System’. Around 1996, Microsoft apparently decided that SMB needed the word "Internet" in it, so they changed it to CIFS”

Some quotes on SMB

- “People inside Microsoft know it's a bad operating system and they still continue obviously working on it because they want to get the next version out because they want to have all these new features to sell more copies of the system.” - Linus Torvalds, 1998
- “Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have been dutifully waded through during the information-gathering stages of this project, and there are *still* many missing pieces.” – 1997 article on CIFS

Samba Features

- NT4/Win2k/Win3k Domain/Member Controllers
- Emulate any version of Windows
- Domain workstation, Peer to Peer
- Can run in “native” or “mixed” modes for Win2k
- Trusted Server/Client
- Authenticate against LDAP/MySQL etc, even as Primary Domain Controller
- No-strings Support: OSS
- Performance/reliability/cost
- Dynamic SMB

What can’t Samba do?

- Active Directory Server.
- Group Policy Objects (in Active Directory).
- Machine Policy Objects.
- Logon Scripts in Active Directory.
- Software Application and Access Controls in Active Directory.

Windows 2000 Install Overview

- Do a typical install of 2000/2003 Server
- Run ‘dcpromo’ to become the ADS Domain Controller
- Add a user account, set the password
- Add an administrator account, set the password
- That’s it!

Linux/Samba3 installation overview

- This is what I did; there are a couple of ways of doing it
- Download root.bin + rescue.bin, and use them to install Debian Woody
- Don’t run tasksel/dselect. Immediately dist-upgrade to Sarge or Sid
- apt-get install samba smbclient winbind ssh krb5-clients krb5-user

Configuring Linux

- Since Active Directory Services uses DNS for everything, make sure the basics work before continuing. Make sure /etc/resolv.conf has the domain/nameserver settings for Win2k
- Test resolving (e.g. ping the short hostname of the ADS server)
- Make sure the Linux hostname is set correctly
- Optionally create records in ADS DNS. Not having to rely on WINS or browse lists is nice

Configure Kerberos

- Debian does a fine job of doing this for you. If Debian is not being used or it isn’t working, create a simple /etc/krb5.conf from scratch:

    [libdefaults]
        default_realm = ADS.NYETWORK.ORG

    [realms]
        ADS.NYETWORK.ORG = {
            kdc = BULL
            admin_server = BULL
        }

    [domain_realm]
        .ads.nyetwork.org = ADS.NYETWORK.ORG

Configure Samba

- Enter the realm/domain info into the debconf wizard for the samba package to get a nice starting point
- Change/add these settings in smb.conf:

    workgroup = ADS
    realm = ADS.NYETWORK.ORG
    security = ADS
    password server = bull.ads.nyetwork.org

- Restart samba

Test Kerberos / ADS

- Sync the clocks!
- Run kinit someUser, then enter the password
- Run klist to see the Kerberos tickets
- Authenticate as a user with Administrator rights in the domain, then:

    net ads join -U adminuser

- You should now see a message that your computer is in the domain
- The computer will show up in the Active Directory Computers list

    smbclient '\\bull\c$' -U adminuser -k

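As a check to run before net ads join, here is an added shell script (not from the slides) that reads smb.conf and krb5.conf and confirms the settings from the Kerberos and Samba configuration slides agree: security is ads, the realm is upper case and identical to default_realm, and the workgroup is the short NetBIOS name. The files it writes to a temp directory are constructed samples; in practice point the functions at /etc/samba/smb.conf and /etc/krb5.conf.

```shell
#!/bin/sh
# Preflight for "net ads join": the realm in smb.conf must be the upper-case
# Kerberos realm and equal default_realm in krb5.conf, security must be "ads",
# and workgroup must be the short NetBIOS domain name. Added example, not from
# the slides; the configuration files written below are constructed samples.

# cfg_get FILE KEY: value of the first "KEY = value" line (key case-insensitive).
cfg_get() {
  grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 |
    sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# check_ads_config SMB_CONF KRB5_CONF: 0 when consistent, 1 with reasons printed.
check_ads_config() {
  smb=$1; krb=$2; ok=0
  sec=$(cfg_get "$smb" security | tr 'A-Z' 'a-z')
  realm=$(cfg_get "$smb" realm)
  wg=$(cfg_get "$smb" workgroup)
  krealm=$(cfg_get "$krb" default_realm)
  [ "$sec" = "ads" ] || { echo "security = '$sec', must be ads"; ok=1; }
  [ "$realm" = "$(echo "$realm" | tr 'a-z' 'A-Z')" ] ||
    { echo "realm '$realm' must be upper case"; ok=1; }
  [ "$realm" = "$krealm" ] ||
    { echo "realm '$realm' does not match krb5.conf default_realm '$krealm'"; ok=1; }
  case $wg in *.*|'') echo "workgroup '$wg' must be the short NetBIOS name"; ok=1;; esac
  [ ${#wg} -le 15 ] || { echo "workgroup '$wg' exceeds 15 characters"; ok=1; }
  return $ok
}

tmp=$(mktemp -d)
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = ADS.NYETWORK.ORG
EOF
cat > "$tmp/smb.conf" <<'EOF'
[global]
    workgroup = ADS
    realm = ADS.NYETWORK.ORG
    security = ADS
    password server = bull.ads.nyetwork.org
EOF
cat > "$tmp/smb-bad.conf" <<'EOF'
[global]
    workgroup = ads.nyetwork.org
    realm = ads.nyetwork.org
    security = user
EOF
for f in smb.conf smb-bad.conf; do
  if check_ads_config "$tmp/$f" "$tmp/krb5.conf"; then echo "$f: ok"; else echo "$f: fix before joining"; fi
done
```
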
Screenshot: Linux
Screenshot: Windows 2000
Winbind – unified logons

- Combination of Windows RPC, PAM, NSS switch
- Add this to smb.conf:

    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/ads/%U
    template shell = /bin/bash

- Restart samba/winbind
- Run wbinfo -u and wbinfo -g to see all the ADS users and groups
- The default is to have all ADS accounts come through as Domain+User. Can also have Domain\User or even just User.

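To see what those smb.conf settings produce once winbind feeds nsswitch, here is an added shell audit (not from the slides) over a constructed getent passwd listing: it splits DOMAIN+user on the separator, checks that mapped accounts sit inside the idmap range and follow the template homedir, and flags local accounts whose uid collides with that range.

```shell
#!/bin/sh
# Audits a "getent passwd" listing after winbind is wired into nsswitch: splits
# DOMAIN+user on the winbind separator, checks that mapped accounts sit inside
# the idmap uid/gid range and use the template homedir, and flags any local
# account whose uid falls inside that range (a collision waiting to happen).
# Added example, not from the slides; the passwd lines below are constructed.

SEP='+'; UID_LO=10000; UID_HI=20000; HOME_BASE='/home/ads'   # values from the smb.conf slide

# audit_passwd: reads passwd lines on stdin, prints one verdict per relevant
# account, returns 1 if anything is wrong.
audit_passwd() {
  awk -F: -v sep="$SEP" -v lo="$UID_LO" -v hi="$UID_HI" -v base="$HOME_BASE" '
    {
      n = index($1, sep); st = "ok"
      if (n == 0) {                      # local account: must stay out of the idmap range
        if ($3 >= lo && $3 <= hi) { bad++; print $1, $3, "local uid inside idmap range" }
        next
      }
      dom = substr($1, 1, n - 1); usr = substr($1, n + 1)
      if ($3 < lo || $3 > hi || $4 < lo || $4 > hi) st = "uid/gid outside idmap range"
      else if ($6 != base "/" usr) st = "home " $6 ", expected " base "/" usr
      if (st != "ok") bad++
      print dom, usr, $3, st
    }
    END { if (bad) exit 1 }'
}

# sample_passwd: constructed listing; ADS+bob has a uid outside the idmap range,
# ADS+carol a home dir that ignores the template, and "backup" collides with the range.
sample_passwd() {
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'backup:x:10005:10005:backup:/var/backups:/bin/sh' \
    'ADS+AdminUser:x:10000:10000:Admin User:/home/ads/AdminUser:/bin/bash' \
    'ADS+alice:x:10001:10000:Alice:/home/ads/alice:/bin/bash' \
    'ADS+bob:x:25000:10000:Bob:/home/ads/bob:/bin/bash' \
    'ADS+carol:x:10002:10000:Carol:/home/carol:/bin/bash'
}

if sample_passwd | audit_passwd; then
  echo "all winbind accounts consistent"
else
  echo "fix idmap/template settings before relying on these accounts"
fi
```
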
Pluggable Authentication Modules (PAM)

- Auth modules available for LDAP, Kerberos, Netware, Radius, MySQL, PostgreSQL, or write your own
- Stackable, configurable per service (SSH vs login vs cron etc)
- Module types: auth, account, session, password
- Control flags: required, requisite, sufficient, optional
- Other interesting session/login modules: motd, mkhomedir, lastlog, mail, tally, time, limits
- mkhomedir doesn’t work with SSH because of privilege separation

Changes required to default PAM files

- Add winbind to /etc/nsswitch.conf for passwd/group/shadow
- getent passwd will now show a unified /etc/passwd
- getent group will now show a unified /etc/group
- Modify the files in /etc/pam.d to allow logins via either pam_winbind.so or pam_unix.so
- Easiest is to modify common-auth and common-account. However, not all services use them. Also, mkhomedir doesn’t work with SSH, but works fine with login and ftp.
- More details can be found in the Samba docs or http://www.kernel.org/pub/linux/libs/pam/

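An added shell check (not from the slides) for the two files this slide changes, using constructed stand-ins for /etc/nsswitch.conf and /etc/pam.d/common-auth: it verifies that winbind is listed for passwd/group/shadow and that pam_winbind is stacked as sufficient with a pam_unix line still present and reusing the first password, which keeps local accounts working and avoids a second password prompt.

```shell
#!/bin/sh
# Checks the two files the slides change for unified logons: nsswitch.conf must
# list winbind for passwd, group and shadow, and the PAM auth stack must try
# pam_winbind (sufficient) while keeping pam_unix for local accounts, with a
# pam_unix line placed after pam_winbind reusing the password already typed.
# Added example, not from the slides; the files below are constructed samples
# standing in for /etc/nsswitch.conf and /etc/pam.d/common-auth.

# nss_has_winbind FILE: 0 when passwd, group and shadow all include winbind.
nss_has_winbind() {
  for db in passwd group shadow; do
    grep "^[[:space:]]*$db:" "$1" | grep -qw winbind ||
      { echo "nsswitch: $db line lacks winbind"; return 1; }
  done
}

# pam_auth_ok FILE: 0 when the auth stack has pam_winbind as sufficient, keeps
# pam_unix, and any pam_unix line after pam_winbind carries use/try_first_pass.
pam_auth_ok() {
  awk '$1 == "auth" && $3 ~ /pam_winbind/ { wb = NR; ctl = $2 }
       $1 == "auth" && $3 ~ /pam_unix/ { ux = NR; first = ($0 ~ /(use|try)_first_pass/) }
       END {
         if (!wb) { print "pam: no pam_winbind in auth stack"; exit 1 }
         if (ctl != "sufficient") { print "pam: pam_winbind is " ctl ", expected sufficient"; exit 1 }
         if (!ux) { print "pam: pam_unix missing, local accounts could not log in"; exit 1 }
         if (ux > wb && !first) { print "pam: pam_unix after pam_winbind needs use_first_pass"; exit 1 }
       }' "$1"
}

tmp=$(mktemp -d)
printf '%s\n' 'passwd: compat winbind' 'group: compat winbind' \
  'shadow: compat winbind' 'hosts: files dns' > "$tmp/nsswitch.conf"
printf '%s\n' 'auth sufficient pam_winbind.so' \
  'auth required pam_unix.so nullok_secure use_first_pass' > "$tmp/common-auth"
printf '%s\n' 'auth required pam_unix.so nullok_secure' > "$tmp/common-auth.default"

if nss_has_winbind "$tmp/nsswitch.conf" && pam_auth_ok "$tmp/common-auth"; then
  echo "unified logins configured"
fi
pam_auth_ok "$tmp/common-auth.default" || echo "stock common-auth: only local accounts can log in"
```
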
Can browse the network without password prompts

Can even manage shares from MMC, like any other server

Can use chown with ADS users

    fresh:/tmp# touch file.txt
    fresh:/tmp# ls -l file.txt
    -rw-r--r--    1 root     root            0 Dec  6 02:02 file.txt
    fresh:/tmp# chown ADS+AdminUser file.txt
    fresh:/tmp# ls -l file.txt
    -rw-r--r--    1 ADS+AdminUser root        0 Dec  6 02:02 file.txt

SSH works
Example script commands

- Some functionality isn’t provided by Samba itself, but comes from scripts you set up yourself
- Share management
- User/Group management
- Abort/Shutdown
- Logon scripts

    admin users = ADS+AdminUser, ADS+Administrator
    add share command = /etc/samba/modify_samba_config.pl
    delete share command = /etc/samba/modify_samba_config.pl

Where does Samba cache special things?

    ADS+AdminUser@fresh:/var/lib/samba$ ls -1
    account_policy.tdb
    group_mapping.tdb
    ntdrivers.tdb
    ntforms.tdb
    ntprinters.tdb
    passdb.tdb
    printers
    registry.tdb
    secrets.tdb
    share_info.tdb
    winbindd_idmap.tdb

- tdbdump can be used to examine *.tdb files
- TDB is a Trivial DataBase system, like gdbm

Other possibilities

- Print servers, including auto-install of win32 drivers
- DFS – Distributed File Systems
- SSL
- WINS Replication
- File System Access Control Lists using extended attributes of ext3
- Single Sign On in Apache
- Stackable VFS: audit, recycle, databaseFS, vscan
- Samba 4 goal: go through the specs one line at a time, do things properly instead of through reverse engineering. Better support for NAS, clustering, high-end stuff. Better use in non-Windows environments.

Summary

- More information available at:
- http://www.fvlug.org/wiki/Samba
- http://www.samba.org
- http://ca.samba.org/samba/docs/man/ is probably THE most complete reference, covering many scenarios
- Google is your friend, as always

Questions