Samba and Active Directory
From Chesupportwiki
Integrating Active Directory authentication on Windows Server 2003 with Samba 3.x on Gentoo running 2.6.22
USE Flags
Minimum
Integrating Active Directory authentication with Samba expects the following USE flags as a minimum:
ADS async samba kerberos ldap pam quotas syslog winbind sasl
Typical
The suggested ones for a typical server are:
-X x86 apache2 bash-completion bzip2 cli dba docs gif gd imap imagemagick libpng jpeg java kerberos ldap mod_php math mysql mysqli pcre perl innodb php png python pam raid rrdtool samba session sasl simpleserver soap sqlite snmp ssl unicode winbind vhosts xml xml2 zlib
Required Packages
The obvious packages needing to be installed are:
net-fs/samba sys-libs/pam net-nds/openldap app-crypt/mit-krb5
Emerge them and modify the configuration files. The versions currently known to work for authenticating a share:
net-fs/samba-3.0.24-r3 sys-libs/pam-0.78-r5 net-nds/openldap-2.3.35-r1 app-crypt/mit-krb5-1.5.3-r1
Probably a good idea since it was removed @ 3.0.25 --Gregorcy 10:05, 26 March 2008 (MDT)
emerge mount-cifs
03/21/2008 we are going to use this combination:
net-fs/samba-3.0.28 sys-libs/pam-0.99.9.0 net-nds/openldap-2.3.41 app-crypt/mit-krb5-1.6.3-r1
Configuration Files
/etc/samba/smb.conf
[global]
workgroup = CHEMENG
realm = CHEMENG.UTAH.EDU
server string = Some info about the server
security = ADS
# space separated, no domain suffix
password server = domain_controller_1 domain_controller_2
log level = 3
log file = /var/log/samba/%m
max log size = 50
preferred master = No
dns proxy = No
wins server = 1.2.3.4
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
[Something Share]
comment = This is my share. There are many like it but this one is mine.
path = /var/this-share
valid users = "@DOMAIN+Domain Users"
admin users = "@DOMAIN+Domain Admins"
read only = No
create mask = 0740
directory mask = 0750
inherit permissions = Yes
inherit acls = Yes
# Volumes are for older windows clients, not required
volume = My-awesome_share
--Gregorcy 12:18, 21 March 2008 (MDT)
For humboltd:
[global]
workgroup = <DOMAIN>
realm = <DOMAIN>.UTAH.EDU
server string = CHE humboltd file server
security = ADS
obey pam restrictions = Yes
password server = <dc1> <dc2>
log level = 3
log file = /var/log/samba/%m
max log size = 100
preferred master = No
dns proxy = No
wins server = <wins ip>, <wins ip>
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
[homes]
comment = Home Directories
path = /home/<DOMAIN>/%U
valid users = %D+%U
read only = No
directory mask = 0700
browseable = No
root preexec = /etc/samba/mkhomedir.sh %U
/etc/nsswitch.conf
passwd:     compat winbind
shadow:     compat
group:      compat winbind
hosts:      files dns wins
networks:   files dns
services:   db files
protocols:  db files
rpc:        db files
ethers:     db files
netmasks:   files
netgroup:   files
bootparams: files
automount:  files
aliases:    files
Depending on the version of PAM installed, the changes may need to be tweaked; these config files are from PAM-0.78-r5 for reference:
/etc/pam.d/login
#%PAM-1.0
auth       required     pam_securetty.so
# <------ Add
auth       sufficient   pam_winbind.so
# <--- is different in PAM 99
auth       required     pam_tally.so file=/var/log/faillog onerr=succeed no_magic_root
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       include      system-auth
account    required     pam_access.so
account    include      system-auth
# <----- is different in PAM 99
account    required     pam_tally.so deny=0 file=/var/log/faillog onerr=succeed no_magic_root
password   include      system-auth
session    required     pam_env.so
session    optional     pam_lastlog.so
session    optional     pam_motd.so motd=/etc/motd
session    optional     pam_mail.so
# If you want to enable pam_console, uncomment the following line
# and read carefully README.pam_console in /usr/share/doc/pam*
#session    optional     pam_console.so
session    include      system-auth
/etc/pam.d/system-auth (older Pam)
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so
account    required     pam_unix.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
/etc/pam.d/system-auth (Works with PAM 1.0.1)
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_winbind.so use_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
account    sufficient   pam_succeed_if.so uid < 100 quiet
account    sufficient   pam_winbind.so use_first_pass
account    required     pam_permit.so
password   requisite    pam_cracklib.so retry=3 type=
password   sufficient   pam_unix.so nullok use_authtok md5 shadow
password   sufficient   pam_winbind.so use_first_pass
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
session    required     pam_winbind.so use_first_pass
/etc/pam.d/samba
auth       required     pam_smbpass.so nodelay
account    include      system-auth
session    include      system-auth
password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
/etc/pam.d/sshd
auth       required     pam_shells.so
auth       required     pam_nologin.so
# <--- This allows SSH access to the domain users
auth       sufficient   pam_winbind.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
/etc/krb5.conf
[libdefaults]
default_realm = YOUR_DOMAIN.EDU
[realms]
YOUR_DOMAIN.EDU = {
kdc = your-domain-controller.domain.edu
}
[domain_realm]
.your-domain-controller.domain.edu = YOUR_DOMAIN.EDU
Edit /etc/conf.d/samba to include winbind in its startup process. At the beginning of the file change:
daemon_list="smbd nmbd"
to
daemon_list="smbd nmbd winbind"
Join the domain
You will need to have an account with Domain joining privileges (Domain Admins, Domain Joiners, etc)
net ads join -U AccountWithDomainJoiningPriv
Restart samba:
/etc/init.d/samba restart
Testing on Server
Kerberos
Test that Kerberos is working and authenticating against the domain controller using kinit:
kinit username@YOUR_DOMAIN.EDU
If you are returned to a prompt with no error messages, you were successful. klist will show information about your Kerberos ticket:
klist
Password file
Samba (through winbind) merges the domain users into the password database. Running
getent passwd
should return all the local users on the server as well as the domain accounts, with the most recently added listed last.
Jump on a Windows machine and browse to the share; if everything went according to plan, you should be able to authenticate and use the share.
Added for HOME directories
We need a script to massage the home directories:
- Set permissions
- Set the .forward for warnquota
- Make sure the home directory is there
This is what we are using:
#!/bin/bash
# Creates home directories when account is created
# gregorcy
# Created: 03/21/2008
# Last Mod: 03/26/2008
###################################################################
#
# Variables
hostname=`hostname`
blessed="The permissions have been fixed "
subject1="does not have valid email in our LDAP"
subject2="Something is wrong on $hostname !!! the user $1 home directory has not been created"
emailto="EMAIL@SOMETHING"
# Unpredictable temp file instead of a fixed name in /tmp (this runs as root via root preexec)
emailmes=`mktemp /tmp/emailmessage.XXXXXX`
# Look up the user's mail attribute in AD.  -w puts the bind password on the
# command line where ps can see it; -y <file> reads it from a file instead.
ldapmail=`ldapsearch -D "cn=ACCOUNT,ou=OU,dc=DOMAIN,dc=ROOT,dc=edu" -b "ou=OU,dc=DOMAIN,dc=ROOT,dc=edu" -w <PASSWORD> -x -LLL "(sAMAccountName=$1)" mail | grep '^mail:' | sed 's/^mail: //'`
# functionville
function createbless () {
    # Marker file: once it exists the permission fixup is not repeated
    touch "/home/DOMAIN/$1/.blessed"
    echo "$blessed" >> "/home/DOMAIN/$1/.blessed"
    chown root:root "/home/DOMAIN/$1/.blessed"
    chmod 700 "/home/DOMAIN/$1/.blessed"
}
# scriptage
if [ ! -e "/home/DOMAIN/$1" ]; then
    echo "Why was the directory not found?" > "$emailmes"
    echo "script killed" >> "$emailmes"
    mail -s "$subject2" "$emailto" < "$emailmes"
    rm -f "$emailmes"
    exit 0
fi
if [ ! -e "/home/DOMAIN/$1/.blessed" ]; then
    #mkdir /home/DOMAIN/$1
    chown "$1:DOMAIN+Domain Users" "/home/DOMAIN/$1"
    chmod -R 700 "/home/DOMAIN/$1"
    if [ -z "$ldapmail" ]; then
        echo "Add the attribute mail to the user $1" > "$emailmes"
        echo "then manually :( create the .forward in /home/DOMAIN/$1" >> "$emailmes"
        mail -s "$1 $subject1" "$emailto" < "$emailmes"
        rm -f "$emailmes"
        createbless "$1"
        exit 0
    fi
    touch "/home/DOMAIN/$1/.forward"
    echo "$ldapmail" >> "/home/DOMAIN/$1/.forward"
    chown root:root "/home/DOMAIN/$1/.forward"
    chmod 700 "/home/DOMAIN/$1/.forward"
    createbless "$1"
fi
rm -f "$emailmes"
exit 0
# Notes
# LDAP Search String
# ldapsearch -D "cn=ADS,ou=Service,dc=chemeng,dc=utah,dc=edu" -b "ou=CHE_Users,dc=chemeng,dc=utah,dc=edu" -w <PASSWORD> -x -LLL "(sAMAccountName=00112413)" mail | grep mail
# Output looks like this:
# mail: email@eng.utah.edu
XFS File system
Using XFS file system with quota support:
File Systems
---> XFS File system support
---> XFS Quota support
Emerge some xfs utilities
emerge xfsdump xfsprogs
Mount the file system with "quota" support
/dev/sda1 /boot ext2 noauto,noatime 1 2
/dev/sda3 / ext3 noatime 0 1
/dev/sda2 none swap sw 0 0
/dev/sdb1 /home xfs noatime,quota 0 1
/dev/cdrom /mnt/cdrom auto noauto,ro 0 0
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0
XFS Administration
To administer an XFS filesystem, use xfs_quota in expert mode:
# xfs_quota -x
Some command examples:
xfs_quota> help <-- shows a list of commands and their syntax
xfs_quota> report
User quota on /home (/dev/sdb1)
                               Blocks
User ID          Used       Soft       Hard    Warn/Grace
---------- --------------------------------------------------
root             2564          0          0     00 [--------]
gregorcy           12          0          0     00 [--------]
tester2             4          0          0     00 [--------]
samba               0          0          0     00 [--------]
test50          51040      40960      51200     00 [6 days]
xfs_quota> state
User quota state on /home (/dev/sdb1)
Accounting: ON
Enforcement: ON
Inode: #261 (3 blocks, 3 extents)
Group quota state on /home (/dev/sdb1)
Accounting: OFF
Enforcement: OFF
Inode: #262 (4 blocks, 3 extents)
Project quota state on /home (/dev/sdb1)
Accounting: OFF
Enforcement: OFF
Inode: #262 (4 blocks, 3 extents)
Blocks grace time: [7 days 00:00:30]
Inodes grace time: [7 days 00:00:30]
Realtime Blocks grace time: [7 days 00:00:30]
xfs_quota> path
Filesystem Pathname
[000] /home /dev/sdb1 (uquota)
Create the default quota
**NOTE this command is not recursive**
xfs_quota> limit bsoft=40M bhard=50M -d
Create a quota for a user:
xfs_quota> limit bsoft=40M bhard=50M test50
Create a quota for a user on the command line:
xfs_quota -x -c 'limit bsoft=100M bhard=100M test99' /home
View reports from the command line:
xfs_quota -x -c 'report' /home
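A check an administrator can run over that report output, added here as an example and not part of the original wiki page: it parses the output of xfs_quota -x -c report and lists users who are above their soft limit and therefore burning grace time. The SAMPLE_REPORT is a constructed copy of the report shown above so the functions can be exercised without an XFS filesystem; the function names are our own.

```shell
#!/bin/sh
# Constructed sample, copied from the report output above, for offline testing.
SAMPLE_REPORT='User quota on /home (/dev/sdb1)
                               Blocks
User ID          Used       Soft       Hard    Warn/Grace
---------- --------------------------------------------------
root             2564          0          0     00 [--------]
gregorcy           12          0          0     00 [--------]
tester2             4          0          0     00 [--------]
samba               0          0          0     00 [--------]
test50          51040      40960      51200     00 [6 days]'

# Read a report on stdin; print "user used soft hard [grace]" for every
# user whose Used exceeds a non-zero Soft limit (soft=0 means unlimited).
over_soft() {
    awk '
        # Only data rows have numeric Used/Soft/Hard fields; headers are skipped.
        $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
            if ($3 > 0 && $2 > $3) {
                grace = ""
                # The bracketed remaining grace period at the end of the row.
                if (match($0, /\[.*\]/)) grace = substr($0, RSTART, RLENGTH)
                printf "%s %d %d %d %s\n", $1, $2, $3, $4, grace
            }
        }'
}

# Wrapper for cron: prints offenders and returns 1 if there are any,
# 0 when everybody is under their soft limit.
quota_check() {
    hits=$(over_soft)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Real usage on the server (not run here):
#   xfs_quota -x -c 'report -u' /home | quota_check
```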

