1 / 27

Seamless Integration: Active Directory Services and Samba 3.0

Seamless Integration: Active Directory Services and Samba 3.0. FVLUG – December 8, 2003 Wim Kerkhoff. Overview. What is Microsoft Active Directory Services? What is Samba? Windows 2000 Server configuration Linux/Samba3 configuration Test Kerberos authentication Winbind/PAM configuration

winona
Download Presentation

Seamless Integration: Active Directory Services and Samba 3.0

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Seamless Integration: Active Directory Services and Samba 3.0 FVLUG – December 8, 2003 Wim Kerkhoff

  2. Overview • What is Microsoft Active Directory Services? • What is Samba? • Windows 2000 Server configuration • Linux/Samba3 configuration • Test Kerberos authentication • Winbind/PAM configuration • Test PAM using SSH/FTP • Some screenshots, demos • Summary

  3. What is Active Directory Services? • Unified Environment • Easier to Manage in Win2k then NT4 • Group Policies • Handles all sorts of things: DNS, trust relationships, etc…. Everything goes in ADS/LDAP • ADS Domain Controllers replace NT PDC/BDCs • LDAP

  4. What is Samba? “Samba is a file and print server for Windows-based clients using TCP/IP as the underlying transport protocol. In fact, it can support any SMB/CIFS-enabled client. One of Samba's big strengths is that you can use it to blend your mix of Windows and Linux machines together without requiring a separate Windows NT/2000/2003 Server. Samba is actively being developed by a global team of about 30 active programmers and was originally developed by Andrew Tridgell.”

  5. SMB? CIFS? History • “SMB: Acronym for ‘Server Message Block’. This is Microsoft's file and printer sharing protocol” • “CIFS: Acronym for ‘Common Internet File System’. Around 1996, Microsoft apparently decided that SMB needed the word "Internet" in it, so they changed it to CIFS”

  6. Some quotes on SMB • “ People inside Microsoft know it's a bad operating system and they still continue obviously working on it because they want to get the next version out because they want to have all these new features to sell more copies of the system.” - Linux Torvalds, 1998 • “Several megabytes of NT-security archives, random whitepapers, RFCs, the CIFS spec, the Samba stuff, a few MS knowledge-base articles, strings extracted from binaries, and packet dumps have been dutifully waded through during the information-gathering stages of this project, and there are *still* many missing pieces.” – 1997 article on CIFS

  7. Samba Features • NT4/Win2k/Win3k Domain/Member Controllers • Emulate any version of Windows • Domain workstation, Peer to Peer • Can run in “native” or “mixed” modes for Win2k • Trusted Server/Client • Authenticate against LDAP/MySQL etc, even as Primary Domain Controller • No-strings Support: OSS • Performance/reliability/cost • Dynamic SMB

  8. What can’t Samba do? • Active Directory Server. • Group Policy Objects (in Active Directory). • Machine Policy Objects. • Logon Scripts in Active Directory. • Software Application and Access Controls in Active Directory.

  9. Windows 2000 Install Overview • Do a typical install of 2000/2003 Server • Run ‘dcpromo’ to become the ADS Domain Controller • Add a user account, set the password • Add an administrator account, set the password • That’s it!

  10. Linux/Samba3 installation overview • This is what I did; a couple of ways of doing it • Download root.bin+rescue.bin, and use them to install Debian Woody • Don’t run tasksel/dselect. Immediately dist-upgrade to Sarge or Sid • Apt-get install samba smbclient winbind smbclient ssh krb5-clients krb5-user

  11. Configuring Linux • Since Active Directory Services uses DNS for everything, make sure the basics work before continuing. Make sure /etc/resolv.conf has the domain/nameserver settings for Win2k • Test resolving (eg ping the short hostname of the ADS server) • Make sure Linux hostname is set correctly • Optionally created records in ADS DNS. Not having to rely on WINS or browse lists is nice

  12. Configure Kerberos • Debian does a fine job of doing this for you. If Debian is not being used or it isn’t working, create a simple krb.conf from scratch: [libdefaults] default_realm = ADS.NYETWORK.ORG [realms] ADS.NYETWORK.ORG = { kdc = BULL admin_server = BULL } [domain_realm] .ads.nyetwork.org = ADS.NYETWORK.ORG

  13. Configure Samba • Enter the realm/domain info into the debconf wizard for the samba package to have nice starting point • Change/Add these settings: • Restart samba workgroup = ADS realm = ADS.NYETWORK.ORG security = ADS password server = bull.ads.nyetwork.org

  14. Test Kerberos / ADS • Sync the clocks! • Run: kinit someUser, then enter password • Run: klist to see Kerberos tickets • Authenticate as a user with Administrator rights in the domain, then: • net ads join –U adminuser • Should now see a message that your computer is in the domain • Computer will show up in Active Directory Computers list • smbclient ‘\\bull\c$’ –U adminuser -k

  15. Screenshot: Linux

  16. Screenshot: Windows 2000

  17. Winbind – unified logons • Combination of Windows RPC, PAM, NSS switch • Add this to smb.conf: • Restart samba/winbind • Run wbinfo –u and wbinfo –g to see all the ADS users and groups • The default is to have all ADS accounts come through as Domain+User. Can also have Domain\User or even just User. winbind seperator = + idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups = yes template homedir = /home/ads/%U template shell = /bin/bash

  18. Pluggable Authentication Modules (PAM) • Auth Modules available for LDAP, Kerberos, Netware, Radius, MySQL, PostgreSQL, or write your own • Stackable, configurable per service (SSH vs login vs cron etc) • Module types: auth, account, session, password • Control flags: required, requisite, sufficient, optional • Other interesting session/login modules: motd, mkhomedir, lastlog, mail, tally, time, limits • mkhomedir doesn’t work with SSH because of privilege seperation

  19. Changes required to default PAM files • Add winbind to /etc/nsswitch.conf for passwd/group/shadow • getent passwd will now show a unified /etc/passwd • getent group will now show a unified /etc/group • Modify the files in /etc/pam.d to allow logins via either pam_winbind.so or pam_unix.so • Easiest is to modify common-auth and common-account. However not all services use them. Also,mkhomedir doesn’t work with SSH, but works fine with login and ftp. • More details can be found in the Samba docs or http://www.kernel.org/pub/linux/libs/pam/

  20. Can browse the network without password prompts

  21. Can even manage shares from MMC, like any other server

  22. Can use chown with ADS users fresh:/tmp# touch file.txt fresh:/tmp# ls -l file.txt -rw-r--r-- 1 root root 0 Dec 6 02:02 file.txt fresh:/tmp# chown ADS+AdminUser file.txt fresh:/tmp# ls -l file.txt -rw-r--r-- 1 ADS+AdminUser root 0 Dec 6 02:02 file.txt : add

  23. SSH works

  24. Example script commands • Some functionality isn’t provided by Samba itself, but comes from scripts you set up yourself • Share management • User/Group management • Abort/Shutdown • Logon scripts admin users = ADS+AdminUser, ADS+Administrator add share command = /etc/samba/modify_samba_config.pl delete share command = /etc/samba/modify_samba_config.pl

  25. Where does Samba cache special things? ADS+AdminUser@fresh:/var/lib/samba$ ls -1 account_policy.tdb group_mapping.tdb ntdrivers.tdb ntforms.tdb ntprinters.tdb passdb.tdb printers registry.tdb secrets.tdb share_info.tdb winbindd_idmap.tdb • tdbdump can be used to examine *.tdb files • TDB is a Trivial DataBase system, like gdbm

  26. Other possibilities • Print servers, including auto-install of win32 drivers • DFS – Distributed File Systems • SSL • WINS Replication • File System Access Control Lists using extended attributes of ext3 • Single Sign On in Apache • Stackable VFS: audit, recycle, databaseFS, vscan • Samba 4 goal: Go through specs one line at a time, do things proper instead of through reverse engineering. Better support for NAS, clustering, high end stuff. Better use in non-Windows environments.

  27. Summary • More information available at http://www.fvlug.org/wiki/Samba • http://www.samba.org • http://ca.samba.org/samba/docs/man/ is probably THE most complete reference, covering many scenarios • Google is your friend, as always • Questions

More Related