Seamless Integration: Active Directory Services and Samba 3.0
FVLUG – December 8, 2003
Wim Kerkhoff

Overview
- What is Microsoft Active Directory Services?
- What is Samba?
- Windows 2000 Server configuration
- Linux/Samba3 configuration
- Test Kerberos authentication
- Winbind/PAM configuration
- Test PAM using SSH/FTP
- Some screenshots, demos
- Summary

What is Active Directory Services?
- Unified environment
- Easier to manage in Win2k than NT4
- Group Policies
- Handles all sorts of things: DNS, trust relationships, etc.
- Everything goes in ADS/LDAP
- ADS Domain Controllers replace NT PDC/BDCs

What is Samba?
“Samba is a file and print server for Windows-based clients using TCP/IP as the underlying transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big strengths is that you can use it to blend your mix of Windows and Linux machines together without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.”

SMB? CIFS? History
“SMB: Acronym for ‘Server Message Block’. This is Microsoft's file and printer sharing protocol”
“CIFS: Acronym for ‘Common Internet File System’. Around 1996, Microsoft apparently decided that SMB needed the word "Internet" in it, so they changed it to CIFS”

Some quotes on SMB
“People inside Microsoft know it's a bad operating system and they still continue obviously working on it because they want to get the next version out because they want to have all these new features to sell more copies of the system.” – Linus Torvalds, 1998
“Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have been dutifully waded through during the information-gathering stages of this project, and there are *still* many missing pieces.” – 1997 article on CIFS

Samba Features
- NT4/Win2k/Win3k Domain/Member Controllers
- Emulate any version of Windows
- Domain workstation, peer to peer
- Can run in “native” or “mixed” modes for Win2k
- Trusted server/client
- Authenticate against LDAP/MySQL etc., even as Primary Domain Controller
- No-strings support: OSS
- Performance/reliability/cost
- Dynamic SMB

What can’t Samba do?
- Active Directory Server
- Group Policy Objects (in Active Directory)
- Machine Policy Objects
- Logon scripts in Active Directory
- Software application and access controls in Active Directory

Windows 2000 Install Overview
- Do a typical install of 2000/2003 Server
- Run ‘dcpromo’ to become the ADS Domain Controller
- Add a user account, set the password
- Add an administrator account, set the password
- That’s it!

Linux/Samba3 installation overview
- This is what I did; there are a couple of ways of doing it
- Download root.bin + rescue.bin, and use them to install Debian Woody
- Don’t run tasksel/dselect. Immediately dist-upgrade to Sarge or Sid
- apt-get install samba smbclient winbind ssh krb5-clients krb5-user

Configuring Linux
- Since Active Directory Services uses DNS for everything, make sure the basics work before continuing
- Make sure /etc/resolv.conf has the domain/nameserver settings for Win2k
- Test resolving (e.g. ping the short hostname of the ADS server)
- Make sure the Linux hostname is set correctly
- Optionally create records in ADS DNS. Not having to rely on WINS or browse lists is nice

Configure Kerberos
- Debian does a fine job of doing this for you
- If Debian is not being used or it isn’t working, create a simple krb5.conf from scratch:
    [libdefaults]
        default_realm = ADS.NYETWORK.ORG
    [realms]
        ADS.NYETWORK.ORG = {
            kdc = BULL
            admin_server = BULL
        }
    [domain_realm]
        .ads.nyetwork.org = ADS.NYETWORK.ORG

Configure Samba
- Enter the realm/domain info into the debconf wizard for the samba package to get a nice starting point
- Change/add these settings:
    workgroup = ADS
    realm = ADS.NYETWORK.ORG
    security = ADS
    password server = bull.ads.nyetwork.org
- Restart Samba

Test Kerberos / ADS
- Sync the clocks!
- Run: kinit someUser, then enter the password
- Run: klist to see Kerberos tickets
- Authenticate as a user with Administrator rights in the domain, then: net ads join -U adminuser
- You should now see a message that your computer is in the domain
- The computer will show up in the Active Directory Computers list
- smbclient '\\bull\c$' -U adminuser -k
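An added pre-flight check (example code, not from the slides) for the Kerberos and Samba settings above: it confirms the realm in smb.conf matches default_realm in krb5.conf and is upper case, that security = ADS is set, that local and KDC clocks are within the 5-minute skew Kerberos tolerates, and that klist output contains a TGT for the realm. The realm ADS.NYETWORK.ORG comes from the slides; the file paths in the usage comment are assumed Debian defaults.

```shell
#!/bin/sh
# Added example, not from the slides: pre-flight checks for "net ads join".
# Assumes the MIT krb5.conf and smb.conf layouts shown on the slides.

# Print the first value of KEY from a "key = value" style file.
conf_value() {  # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when smb.conf's realm equals krb5.conf's default_realm, is upper
# case (Kerberos realms are case-sensitive) and security = ADS is set.
# Every problem found is printed and the function returns 1.
check_ads_config() {  # check_ads_config KRB5_CONF SMB_CONF
    krb_realm=$(conf_value "$1" default_realm)
    smb_realm=$(conf_value "$2" realm)
    security=$(conf_value "$2" security)
    rc=0
    if [ -z "$krb_realm" ]; then echo "krb5.conf: no default_realm"; rc=1; fi
    if [ "$krb_realm" != "$smb_realm" ]; then
        echo "realm mismatch: krb5.conf '$krb_realm' vs smb.conf '$smb_realm'"; rc=1
    fi
    case $smb_realm in *[a-z]*) echo "smb.conf: realm must be upper case"; rc=1;; esac
    case $security in [Aa][Dd][Ss]) ;; *) echo "smb.conf: security must be ADS"; rc=1;; esac
    return $rc
}

# Return 0 when two epoch timestamps differ by at most 300 s, the default
# clock skew Kerberos accepts ("Sync the clocks!").
clock_skew_ok() {  # clock_skew_ok LOCAL_EPOCH KDC_EPOCH
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( -d )); fi
    [ "$d" -le 300 ]
}

# Return 0 when klist output on stdin lists a TGT (krbtgt/REALM@REALM).
has_tgt() {  # has_tgt REALM < klist output
    grep -q "krbtgt/$1@$1"
}

# Typical use on the Samba host (DC time can be read with "net time -S bull"):
#   check_ads_config /etc/krb5.conf /etc/samba/smb.conf
#   clock_skew_ok "$(date +%s)" "$dc_epoch"
#   kinit someUser && klist | has_tgt ADS.NYETWORK.ORG
```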
Screenshot: Linux
Screenshot: Windows 2000
Winbind – unified logons
- Combination of Windows RPC, PAM and the NSS switch
- Add this to smb.conf:
    winbind separator = +
    idmap uid = <uid range>
    idmap gid = <gid range>
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/ads/%U
    template shell = /bin/bash
- Restart samba/winbind
- Run wbinfo -u and wbinfo -g to see all the ADS users and groups
- The default is to have all ADS accounts come through as Domain+User. Can also have Domain\User or even just User.

Pluggable Authentication Modules (PAM)
- Auth modules available for LDAP, Kerberos, Netware, Radius, MySQL, PostgreSQL, or write your own
- Stackable, configurable per service (SSH vs login vs cron etc.)
- Module types: auth, account, session, password
- Control flags: required, requisite, sufficient, optional
- Other interesting session/login modules: motd, mkhomedir, lastlog, mail, tally, time, limits
- mkhomedir doesn’t work with SSH because of privilege separation

Changes required to default PAM files
- Add winbind to /etc/nsswitch.conf for passwd/group/shadow
- getent passwd will now show a unified /etc/passwd
- getent group will now show a unified /etc/group
- Modify the files in /etc/pam.d to allow logins via either pam_winbind.so or pam_unix.so
- Easiest is to modify common-auth and common-account. However, not all services use them.
- Also, mkhomedir doesn’t work with SSH, but works fine with login and ftp.
- More details can be found in the Samba docs or
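An added check (example code, not from the slides) for the nsswitch and PAM changes just described: it verifies that winbind is on the passwd and group lines of an nsswitch.conf, and that a PAM file such as common-auth lets both ADS users (pam_winbind) and local users (pam_unix) through, with whichever module comes first marked sufficient and use_first_pass on the second so the password is only asked for once. File paths are passed in, so it can be run against copies; the stack rules it encodes are assumptions about the layout the slides describe.

```shell
#!/bin/sh
# Added example, not from the slides: verify the nsswitch and PAM edits
# before relying on them. Only the one-word control flags from the PAM slide
# (required, requisite, sufficient, optional) are understood, not the later
# [value=action] syntax.

# Return 0 when FILE (an /etc/nsswitch.conf) lists winbind for the passwd
# and group databases, so getent passwd/group include the ADS accounts.
check_nsswitch() {  # check_nsswitch FILE
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" \
            || { echo "nsswitch: $db line lacks winbind"; return 1; }
    done
}

# Return 0 when PAMFILE lets both ADS users (pam_winbind) and local users
# (pam_unix) through for module type TYPE (auth or account):
#  * both modules must be listed;
#  * whichever comes first must be "sufficient": as "required" its failure
#    would reject the other kind of user even when the second module passes;
#  * for auth the second module needs use_first_pass, or the user is asked
#    for the password twice.
check_pam_stack() {  # check_pam_stack PAMFILE TYPE
    awk -v type="$2" '
        $1 == type && $3 ~ /pam_winbind\.so/ { wb = NR; wb_ctrl = $2; wb_line = $0 }
        $1 == type && $3 ~ /pam_unix\.so/    { ux = NR; ux_ctrl = $2; ux_line = $0 }
        END {
            rc = 0
            if (!wb) { print type ": pam_winbind.so missing, ADS users locked out"; rc = 1 }
            if (!ux) { print type ": pam_unix.so missing, local users locked out"; rc = 1 }
            if (wb && ux) {
                first_ctrl = (wb < ux) ? wb_ctrl : ux_ctrl
                second_line = (wb < ux) ? ux_line : wb_line
                if (first_ctrl != "sufficient") {
                    print type ": first module is " first_ctrl ", must be sufficient"; rc = 1
                }
                if (type == "auth" && second_line !~ /use_first_pass/) {
                    print "auth: second module needs use_first_pass"; rc = 1
                }
            }
            exit rc
        }' "$1"
}
```

Run it as check_nsswitch /etc/nsswitch.conf and check_pam_stack /etc/pam.d/common-auth auth (and common-account with account); services with their own pam.d file need the same check individually.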
Can browse the network without password prompts
Can even manage shares from MMC, like any other server
Can use chown with ADS users
    fresh:/tmp# touch file.txt
    fresh:/tmp# ls -l file.txt
    -rw-r--r-- 1 root root 0 Dec 6 02:02 file.txt
    fresh:/tmp# chown ADS+AdminUser file.txt
    fresh:/tmp# ls -l file.txt
    -rw-r--r-- 1 ADS+AdminUser root 0 Dec 6 02:02 file.txt
SSH works
Example script commands
- Some functionality isn’t provided by Samba itself, but comes from scripts you set up yourself
- Share management
- User/group management
- Abort/shutdown
- Logon scripts
    admin users = ADS+AdminUser, ADS+Administrator
    add share command = /etc/samba/modify_samba_config.pl
    delete share command = /etc/samba/modify_samba_config.pl
Where does Samba cache special things?
    ls -1
    account_policy.tdb
    group_mapping.tdb
    ntdrivers.tdb
    ntforms.tdb
    ntprinters.tdb
    passdb.tdb
    printers
    registry.tdb
    secrets.tdb
    share_info.tdb
    winbindd_idmap.tdb
- tdbdump can be used to examine *.tdb files
- TDB is a Trivial DataBase system, like gdbm

Other possibilities
- Print servers, including auto-install of win32 drivers
- DFS (Distributed File System)
- SSL
- WINS replication
- File system access control lists using extended attributes of ext3
- Single sign-on in Apache
- Stackable VFS: audit, recycle, databaseFS, vscan
- Samba 4 goal: go through the specs one line at a time, do things properly instead of through reverse engineering. Better support for NAS, clustering, high-end stuff. Better use in non-Windows environments.

Summary
- More information available at is probably THE most complete reference, covering many scenarios
- Google is your friend, as always
- Questions