Kefa Rabah
GTS Institute, Vancouver Canada
krabah@gtechsi.org www.gtechsi.org
USING SAMBA 3 CLIENT TECHNOLOGY AND KERBEROS FOR WINDOWS 2008 AD-BASED IDENTITY MANAGEMENT
© April 2007, Kefa Rabah, Global Technology Solutions Institute, Vancouver Canada
1.0 Introduction
A popular thing to do with Samba these days is to join a Samba 3 client to a Windows Server 2008 Active
Directory domain using Kerberos ticketing. Samba is the standard Windows interoperability suite of
programs for Linux/UNIX. Samba is Free Software licensed under the GNU General Public License, and
the Samba project is a member of the Software Freedom Conservancy.
You may freely set up any number of Samba servers in a Windows (and Mac OS X) network without joining
them to the domain; you can still share files, map drives and provide centralized printer services. The
advantages of domain membership are central management and authentication, and single sign-on (SSO)
to all your network resources. Using Winbind allows Linux clients to log on to the AD domain without
requiring local Linux system accounts, which is a lovely time- and hassle-saver. We have also joined
Mac OS X to the network to achieve complete integration of the three major operating systems.
Windows Server® 2008 R2: Microsoft wants administrators of the Windows Server 2008 editions (which
ship in the usual flavors of Standard, Enterprise, Data Center and Itanium-specific code) to think of the
server as playing certain roles. Server roles are aggregated objects that correspond to commonly needed
services, such as print services, file sharing, DNS, DHCP, Active Directory Domain Controller and IIS-
based Web services. Microsoft has defined 18 roles in all.
Windows Server 2008 offers improvement in Web delivery, virtualization, security and management.
Windows Server 2008 provides increased administration and virtualization options in addition to increased
security and flexibility. New functionality such as Server Core, PowerShell, Windows Deployment
Services, Server Manager and many others provide reasons to consider adapting to Windows Server
2008.
Red Hat Enterprise Linux (RHEL) is a Linux distribution produced by Red Hat and targeted toward the
commercial market, including mainframes. Red Hat Enterprise Linux is released in server versions for x86,
x86_64, Itanium, PowerPC and IBM System z, and desktop versions for x86 and x86_64. All of Red Hat's
official support and training, and the Red Hat Certification Program, center on the Red Hat Enterprise
Linux platform.
On one certified platform, Red Hat Enterprise Linux offers your choice of: (i) Applications: thousands of
certified ISV applications; (ii) Deployment: standalone or virtual servers, cloud computing, or
software appliances; (iii) Hardware: a wide range of platforms from the world's leading hardware vendors.
This gives IT departments unprecedented levels of operational flexibility. And it gives ISVs unprecedented
market reach when delivering applications. Certify once, deploy anywhere. All while providing world-class
performance, security, and stability. And unbeatable value. This is why today Red Hat is the platform of
choice.
Figure 1 shows a simple network consisting of one AD server, one Samba server and a few client
workstations, connected through a router or switch (most home network routers have at least a four-port
switch built in). This grows over time, usually by adding more switches, routers, clients and additional
storage on the server.
2. Promote the Win2k8 Server Enterprise Edition into an Active Directory Domain Controller using the
dcpromo command, with the following parameters:
3. Issue the nslookup command to test that your server is correctly installed and configured to act as
an Active Directory DC, as shown in Fig. 1.
Fig. 1
Assumptions:
It is assumed that you have a good understanding of the Linux operating system and its working
environment. It is also assumed that you know how to install and configure Linux CentOS5; if not, go
ahead and pop over to scribd.com and check out our hands-on manual entitled "Install Configure and
Upgrade Linux CentOS5 Server v1.1" to get you started.
The Samba system is based upon a stock-standard RHEL5 system with the Samba 3 software. The following packages are needed:
Samba:
1. system-config-samba
2. samba-common
3. samba-client
4. samba
Kerberos:
1. pam_krb5
2. krb5-workstation
3. krb5-client
4. krb5-libs
5. krbafs
You can query your system to see whether these packages are installed by running:
rpm -q package-name
]# rpm -qa | grep samba    # lists every installed package whose name contains "samba"
If you get a blank result, Samba is not installed. The best way to get Samba is to compile it from
source. However, I have found that the RPM files obtained via Yum (on CentOS 4 and later, or Fedora
Core 8 and later) or via YaST (on openSUSE 11.1) contain all the required files. To install all Samba
files on RHEL5, do the following:
Upgrade Samba3
First you need to upgrade Samba 3 to at least version 3.0.28a or newer for it to work with Windows Server
2008. To do this, head over to the Samba project's website and grab the latest stable version.
The next task is to verify that your Samba installation has been compiled with support for Kerberos, LDAP,
Active Directory and Winbind. Most likely it has, but you need to make sure. The smbd command has a
switch for printing its build options (smbd -b); pipe its output through grep for the names you care about.
You will see many more lines of output than are shown here:
Fortunately, in our case all the required support for Kerberos, ADS and Winbind is present. If you are in
the unfortunate position of missing any of these, which is indicated by a blank line (nothing matched), you
need to recompile Samba or install the packages for your distribution as indicated above. Also see
Chapter 37 of the Official Samba-3 HOWTO and Reference Guide.
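As an added example (written for this edit, not code from the guide or the Samba project), the POSIX shell function below automates that check: it reads the output of smbd -b from stdin and reports every required feature as present or missing, so an empty grep result is never overlooked. The feature names are the build defines that smbd -b prints on a Samba 3 build with Kerberos, LDAP, ADS and Winbind support; the sample outputs are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original guide: verify that a Samba build
# reports the features needed for AD membership. Reads `smbd -b` output
# from stdin so it works on the live binary or on a saved copy of the output.

REQUIRED_FEATURES="HAVE_KRB5 HAVE_LDAP WITH_ADS WITH_WINBIND"

# check_samba_build: prints "ok NAME" or "MISSING NAME" per required feature;
# returns 0 when everything is present, 1 when anything is missing.
check_samba_build() {
    build_output=$(cat)        # everything piped in, e.g. from `smbd -b`
    rc=0
    for feature in $REQUIRED_FEATURES; do
        # trim each line and match the whole word, so HAVE_KRB5 does not
        # match an unrelated define such as HAVE_KRB5_SOMETHING
        if printf '%s\n' "$build_output" \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
            | grep -qx "$feature"; then
            echo "ok      $feature"
        else
            echo "MISSING $feature"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample outputs modelled on the "Build Options:" block of
# `smbd -b` (not captured from a real system).
SAMPLE_GOOD_BUILD='Build Options:
   HAVE_KRB5
   HAVE_LDAP
   WITH_ADS
   WITH_WINBIND'

SAMPLE_BAD_BUILD='Build Options:
   HAVE_LDAP
   WITH_WINBIND'

# Use the real binary when it is available, otherwise the constructed sample.
if command -v smbd >/dev/null 2>&1; then
    smbd -b | check_samba_build || echo "this build lacks required support"
else
    printf '%s\n' "$SAMPLE_GOOD_BUILD" | check_samba_build \
        || echo "this build lacks required support"
fi
```

Run it as `smbd -b | sh check-build.sh` on the Samba host; a non-zero exit status is the signal to recompile or reinstall before going any further.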
Configure /etc/hosts
Even if your DNS servers are perfect in every way, it is always a good idea to add important servers to
your local /etc/hosts file. It speeds up lookups and provides a fallback in case the DNS servers go
down:
]# rpm -qa | grep krb    # lists every installed package whose name contains "krb"
The next task is to configure and test the Kerberos installation, but first we have to ensure that the
servers’ clocks are synchronized.
1. On the Linux Samba server, click System > Administration > Date & Time, then click the Network Time
Protocol tab and check "Enable Network Time Protocol".
3. The next step is to update NTP and synchronize the server clocks:
Note: Kerberos is very finicky if the time difference is more than 5 minutes. So a simple test in our
case gave:
]# ntpdate -u 192.168.83.6
25 Nov 17:29:36 ntpdate[3691]: step time server 192.168.83.6 offset 1.185447 sec
• Which gives a poor time offset; repeat the same procedure again:
]# ntpdate -u 192.168.83.6
25 Nov 17:30:04 ntpdate[4269]: adjust time server 192.168.83.6 offset 0.002115 sec
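As an added example, not part of the original guide: the shell functions below parse an ntpdate result line and compare its offset against the 300-second tolerance that Kerberos applies (the same limit the guide later sets with clockskew = 300 in krb5.conf). The first two sample lines reproduce the numbers above; the third is a constructed, badly skewed clock, and a line with no offset at all (ntpdate's "no server suitable" case) is reported separately.

```shell
#!/bin/sh
# Added example, not from the original guide: check an ntpdate result against
# Kerberos' maximum clock skew before attempting kinit or a domain join.

MAX_SKEW_SECONDS=300    # Kerberos default; matches clockskew = 300 in krb5.conf

# ntp_offset LINE: print the numeric offset (seconds) from one ntpdate line,
# e.g. "... step time server 192.168.83.6 offset 1.185447 sec" -> 1.185447
ntp_offset() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "offset") { print $(i + 1); exit }
    }'
}

# offset_within_skew OFFSET: returns 0 if |OFFSET| < MAX_SKEW_SECONDS, else 1
offset_within_skew() {
    awk -v off="$1" -v max="$MAX_SKEW_SECONDS" 'BEGIN {
        if (off < 0) off = -off
        if (off < max) exit 0
        exit 1
    }'
}

# check_ntp_line LINE: print a verdict; 0 = fine, 1 = too skewed, 2 = unparseable
check_ntp_line() {
    off=$(ntp_offset "$1")
    if [ -z "$off" ]; then
        echo "no offset found in: $1"
        return 2
    fi
    if offset_within_skew "$off"; then
        echo "offset ${off}s is within the ${MAX_SKEW_SECONDS}s Kerberos skew limit"
        return 0
    fi
    echo "offset ${off}s exceeds the ${MAX_SKEW_SECONDS}s Kerberos skew limit;" \
         "Kerberos authentication will fail until the clock is corrected"
    return 1
}

# Constructed sample lines in ntpdate's output format. The first two carry the
# numbers quoted in the guide; the third is an invented badly skewed clock.
SAMPLE_STEP='25 Nov 17:29:36 ntpdate[3691]: step time server 192.168.83.6 offset 1.185447 sec'
SAMPLE_ADJUST='25 Nov 17:30:04 ntpdate[4269]: adjust time server 192.168.83.6 offset 0.002115 sec'
SAMPLE_SKEWED='25 Nov 17:31:12 ntpdate[4310]: step time server 192.168.83.6 offset -912.400000 sec'
SAMPLE_NOSERVER='25 Nov 17:32:00 ntpdate[4355]: no server suitable for synchronization found'

for line in "$SAMPLE_STEP" "$SAMPLE_ADJUST" "$SAMPLE_SKEWED" "$SAMPLE_NOSERVER"; do
    check_ntp_line "$line" || true
done
```

On a real host, `check_ntp_line "$(ntpdate -u 192.168.83.6 2>&1 | tail -n 1)"` gives the same verdict for the live clock; a non-zero status is worth wiring into whatever script performs the join.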
[libdefaults]
    default_realm = RABAHTECH.COM
    clockskew = 300
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes
[realms]
    RABAHTECH.COM = {
        kdc = server01.rabahtech.com
        admin_server = server01.rabahtech.com
    }
# the section is domain_realm (singular); a misspelled header is silently ignored
[domain_realm]
    rabahtech.com = RABAHTECH.COM
    .rabahtech.com = RABAHTECH.COM
[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
2. Very important: use uppercase where it is shown; Kerberos realm names are case-sensitive. Now
request a ticket, and mind your case:
]# kinit Administrator@RABAHTECH.COM
Password for Administrator@RABAHTECH.COM:
3. Now test that your krb5 infrastructure is working and able to provide key exchange and
authentication. To do this, use the klist command:
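As an added check (example code written for this edit, not from the original guide), here is a small POSIX shell lint for the krb5.conf shown above. It catches mistakes that leave kinit failing for no obvious reason: a realm not written in uppercase, a required section that is absent, a section header that is misspelled (Kerberos ignores unknown sections silently, so [domain_realms] instead of [domain_realm] simply disables the host-to-realm mapping), and a default realm with no KDC entry under [realms]. The two files it writes are constructed copies of the guide's configuration, one correct and one carrying those mistakes.

```shell
#!/bin/sh
# Added example, not part of the original guide: lint a krb5.conf for the
# errors that most often break an AD join. Usage: lint_krb5_conf /etc/krb5.conf

# krb5_default_realm FILE: print the default_realm value from [libdefaults]
krb5_default_realm() {
    awk -F= '
        /^[[:space:]]*\[/ { section = $0; gsub(/[^A-Za-z_]/, "", section); next }
        section == "libdefaults" && $1 ~ /^[[:space:]]*default_realm[[:space:]]*$/ {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit
        }' "$1"
}

# krb5_sections FILE: print every section name that appears in the file
krb5_sections() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1"
}

# lint_krb5_conf FILE: print one finding per line; returns 0 if clean, else 1
lint_krb5_conf() {
    file=$1
    problems=0
    realm=$(krb5_default_realm "$file")
    if [ -z "$realm" ]; then
        echo "no default_realm in [libdefaults]"; problems=1
    elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "default_realm '$realm' is not uppercase (realm names are case-sensitive)"; problems=1
    fi
    for required in libdefaults realms domain_realm; do
        if ! krb5_sections "$file" | grep -qx "$required"; then
            echo "missing [$required] section"; problems=1
        fi
    done
    for section in $(krb5_sections "$file"); do
        case "$section" in
            libdefaults|realms|domain_realm|appdefaults|logging|capaths|kdc|dbmodules|plugins|login) ;;
            *) echo "unknown section [$section] (typo? Kerberos ignores it silently)"; problems=1 ;;
        esac
    done
    # the default realm must have a [realms] entry that names its KDC
    if [ -n "$realm" ] && ! grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" "$file"; then
        echo "no [realms] entry for $realm"; problems=1
    fi
    return $problems
}

# Constructed inputs: the guide's krb5.conf, and a copy with the mistakes the
# lint is meant to catch (lowercase realm, [domain_realms] typo).
GOOD_KRB5=$(mktemp)
cat > "$GOOD_KRB5" <<'EOF'
[libdefaults]
 default_realm = RABAHTECH.COM
 clockskew = 300
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 RABAHTECH.COM = {
  kdc = server01.rabahtech.com
  admin_server = server01.rabahtech.com
 }
[domain_realm]
 rabahtech.com = RABAHTECH.COM
 .rabahtech.com = RABAHTECH.COM
EOF
BAD_KRB5=$(mktemp)
sed -e 's/default_realm = RABAHTECH.COM/default_realm = rabahtech.com/' \
    -e 's/\[domain_realm\]/[domain_realms]/' "$GOOD_KRB5" > "$BAD_KRB5"
trap 'rm -f "$GOOD_KRB5" "$BAD_KRB5"' EXIT

lint_krb5_conf "$GOOD_KRB5" && echo "good file: clean"
lint_krb5_conf "$BAD_KRB5" || echo "bad file: problems found"
```

The bad copy produces four findings (lowercase realm, missing [domain_realm], unknown [domain_realms], and no [realms] entry for the lowercase name), which is exactly the kind of silent misconfiguration that otherwise surfaces only as "Cannot find KDC for requested realm" at kinit time.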
Note: To destroy the krb ticket, use kdestroy command, followed by klist command to verify that
indeed the ticket has been destroyed.
4. Occasionally, you will be required to renew your Network Authentication Ticket if it expires, as shown
in the Fig. 2:
Fig. 2
1. Click System > Administration > Authentication, then under the User Information tab check
Enable Winbind Support (a). Click the Configure Winbind button to open the Winbind Settings dialog
box (b); see Fig. 3.
2. In the Winbind Settings dialog box (b), complete the settings as shown and click OK.
Fig. 3
3. Next, let's test whether we managed to connect to the Windows AD domain. To do this, issue the
following command:
4. Success! We can connect to our AD domain and pull some information about the server. The next
step is to clean up and configure Samba to suit our requirements.
[homes]
    comment = Home Directories
    ; DOMAIN\user form; %D%U with no separator never matches a real user name
    valid users = %D\%U
    read only = No
    create mask = 0664
    directory mask = 0775
    browseable = No
[musicstore]
    comment = Samba music center
    path = /data/musicstore
    valid users = krabah, root, @smbusers, "@RABAHTECH+domain users"
    read only = No
    create mask = 0600
    directory mask = 0700
    guest ok = Yes
[datastore]
    comment = Samba data center
    path = /data/datastore
    valid users = krabah, root, @smbusers, "@RABAHTECH+domain users"
    read only = No
    create mask = 0777
[public]
    comment = Samba Public files
    path = /data/public
    public = yes
    write list = @smbusers, "@RABAHTECH+domain users"
    browseable = yes
[videos]
    comment = Samba videos store area
    path = /data/videos
    public = yes
    read only = no
    guest ok = yes
    browseable = yes
[FTP-Server]
    comment = READ ONLY - Corp FTP Server
    path = /var/ftp
    write list = @smbusers, "@RABAHTECH+domain users"
    force user = ftp
    force group = ftp
    create mask = 0755
    guest ok = Yes
[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No
[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    admin users = root
    browseable = No
[Profiles]
    comment = Roaming Profile Share
    path = /var/lib/samba/profiles
    read only = No
    profile acls = Yes
Note: The important things to pay attention to here are the name of our Samba machine (netbios
name), the workgroup, and the Active Directory settings.
2. The workgroup is the name of your AD domain, in this case RABAHTECH. Server string is a comment
describing the server; make this anything you want. Log level runs from 0, for no logging, to 10,
extreme logging. See man smb.conf for the rest.
3. The shared directory /data/share is only for the users krabah, root, @smbusers and
"@RABAHTECH+domain users". It is writable, which means the listed security users have read,
write, and execute permissions on the shared directory. Any files/directories created in the shared
directory will have the permission 0777, allowing universal access to all domain security users.
4. The [public] and [shared] sections, which create "\\SERVER\public" and "\\SERVER\shared"
respectively, are publicly shared directories (where, as usual, SERVER is the name of your Samba
server). These shares have nearly the same settings, but with one difference. With the [public] share,
only members of the Samba and domain users groups (represented by @smbusers and
"@RABAHTECH+domain users")
Warning! You should only create a completely open share like the one here if you trust the
people who have access to your Samba server; open FTP servers, for example, have been
compromised in the past and abused as drop boxes for pirated software.
5. After you've added these shares to your smb.conf configuration file, remember to either restart
Samba or tell it to reload its configuration; however, before doing that, run the testparm
command.
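The warning above is easy to violate by accident, because guest access and writability are set by different parameters that may be several lines apart. As an added example (written for this edit, not code from the guide or from Samba), the shell audit below parses an smb.conf and lists every share that is both guest-accessible (guest ok or public) and writable (read only = no or writable = yes), together with its create mask. It deliberately ignores write list and force user, so it is a reading aid to run alongside testparm, not a complete access model. The sample smb.conf it writes is a constructed extract of the shares listed above, with a minimal [global] section of my own.

```shell
#!/bin/sh
# Added example, not part of the original guide: find shares in an smb.conf
# that guests can both reach and write to. Usage: open_shares /etc/samba/smb.conf

# smb_share_flags FILE: one line per non-global share:
#   NAME guest=<yes|no> writable=<yes|no> mask=<create mask or ->
# (share names containing spaces are not handled by this simple format)
smb_share_flags() {
    awk '
        function yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
        function flush() {
            if (name != "" && tolower(name) != "global")
                printf "%s guest=%s writable=%s mask=%s\n", name, guest, writable, mask
        }
        /^[[:space:]]*\[/ {                       # a new [section] header
            flush()
            name = $0; sub(/^[[:space:]]*\[/, "", name); sub(/].*$/, "", name)
            guest = "no"; writable = "no"; mask = "-"   # smb.conf defaults
            next
        }
        /^[[:space:]]*[#;]/ || !/=/ { next }      # comments, blank lines
        {
            key = $0; sub(/=.*/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            key = tolower(key)
            if (key == "guest ok" || key == "public") { if (yes(val)) guest = "yes" }
            else if (key == "read only") writable = yes(val) ? "no" : "yes";
            else if (key == "writable" || key == "writeable") writable = yes(val) ? "yes" : "no";
            else if (key == "create mask") mask = val;
        }
        END { flush() }
    ' "$1"
}

# open_shares FILE: print the names of guest-accessible writable shares;
# returns 1 if any were found, 0 if the file has none.
open_shares() {
    found=$(smb_share_flags "$1" | awk '$2 == "guest=yes" && $3 == "writable=yes" { print $1 }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample: the guide's shares (trimmed) plus a minimal [global].
SAMPLE_SMB=$(mktemp)
cat > "$SAMPLE_SMB" <<'EOF'
[global]
    workgroup = RABAHTECH
    server string = Samba Server
[musicstore]
    path = /data/musicstore
    read only = No
    create mask = 0600
    guest ok = Yes
[datastore]
    path = /data/datastore
    read only = No
    create mask = 0777
[public]
    path = /data/public
    public = yes
    write list = @smbusers, "@RABAHTECH+domain users"
[videos]
    path = /data/videos
    public = yes
    read only = no
[FTP-Server]
    path = /var/ftp
    force user = ftp
    create mask = 0755
    guest ok = Yes
[printers]
    path = /var/spool/samba
    printable = Yes
EOF
trap 'rm -f "$SAMPLE_SMB"' EXIT

smb_share_flags "$SAMPLE_SMB"
open_shares "$SAMPLE_SMB" || echo "guest-writable shares found; review them against the warning above"
```

On the sample, [musicstore] and [videos] are reported: both allow guests and both clear read only. [public] and [FTP-Server] are guest-readable but stay read-only for guests, and [datastore] is writable but not guest-accessible, which is why its 0777 create mask is shown but the share is not flagged.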
The full document has moved to Docstoc.com. You can access and download it from here:
• Using Samba 3 Client Technology and Kerberos for Win2k8 AD-based identity management
OR
• http://www.docstoc.com/docs/64801981/Using-Samba-3-Client-Technology-and-Kerberos-for-Win2k8-AD-based-identity-management
-----------------------------------------------
Kefa Rabah is the Founder of Global Technology Solutions Institute. Kefa is knowledgeable in several
fields of Science & Technology, Information Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, a place to enhance your
education and career goals using the latest innovations and technologies.