Saturday, April 24, 2010

Integrate Ubuntu 9.10 Karmic's Samba With Microsoft Active Directory

Last week, I needed to setup a file server at work. Most of our back office server run Ubuntu except a few Microsoft Active Directory (AD) servers which control our workstations and user accounts. We make sure all of our Linux hosted services integrate with AD via Kerberos and LDAP.

Samba has been able to integrate with AD via winbind for a few years now. There are numerous postings on the net about how to do this. All of them a just a little different and many are a just a touch out of date for various distributions. Here's what I used to get an Ubuntu 9.10 server connected with our Microsoft Windows domain.

ACL Instructions

The normal install of Ubuntu and Debian support the standard Linux POSIX file system permissions. Access Control Lists (ACLs) provide a much more flexible way of specifying permissions on a file or other object than the standard Unix user/group/owner system. A good example you might deal with in production is the need to have "Domain Admins" and "HR" groups have write permission on a folder but the "Domain Users" only should have read access. That's not easy to do with standard POSIX.

Install the acl package:
sudo apt-get install acl

Now edit the partition that will hold your Samba shares so that it mounts with acl enabled. I typically create my shares in the /home/shares folder with my /home being mounted on its own volume.
vim /etc/fstab

Example:
/dev/mapper/vg0-home /home           ext4    acl,defaults        0       2

Please be careful when editing your fstab file. It's a good idea to make a backup of it first especially if you are making changes to the / "root" mount.

Some recommend a reboot at this point but you don't have to if you execute the following remount command.
mount -o remount,rw /dev/mapper/vg0-home

Kerberos Instructions

Install the kerberos packages:
sudo apt-get install ntp krb5-config krb5-user

The package installer will prompt you for Kerberos server information. Don't worry about those just enter something to satisfy it. You are going to replace the cumbersome default krb5.conf with a specific one for Active Directory authentication.

If you already have samba and winbind daemons installed an running, stop them now.
sudo service samba stop
sudo service winbind stop

Now let's setup the Kerberos configuration for authentication with Active Directory.
sudo mv /etc/krb5.conf /etc/krb5.orig
sudo vim /etc/krb5.conf

Copy the following text. Make sure to change SCHOOL.UNIVERSITY.EDU to your domain. Keep it in CAPS, though.
## /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmin.log

[libdefaults]
 default_realm = SCHOOL.UNIVERSITY.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 clock_skew = 300
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 SCHOOL.UNIVERSITY.EDU = {
  kdc = AD-CONTROLER1.SCHOOL.UNIVERSITY.EDU
  kdc = AD-CONTROLER2.SCHOOL.UNIVERSITY.EDU
  admin_server = AD-CONTROLER1.SCHOOL.UNIVERSITY.EDU
  default_domain = SCHOOL.UNIVERSITY.EDU
 }

[domain_realm]
 .school.university.edu = SCHOOL.UNIVERSITY.EDU
 .SCHOOL.UNIVERSITY.EDU = SCHOOL.UNIVERSITY.EDU

Note: In my example above, I've listed a secondary Kerberos server for authentication should the first domain controller be unavailable. You can add as many secondary kdc as you want. Remove this line if you only have one AD server.

Test to make sure the Kerberos connection before proceeding. This can save you some troubleshooting headaches later on.
kinit Administrator@SCHOOL.UNIVERSITY.EDU

The command should return clean and using klist should report a valid ticket good for 24 hours.
klist

Now you can setup the Samba configuration.

Samba smb.conf for Active Directory

The default Samba config file is verbose with comments and easy to make a mistake. It is better just to make a backup copy of it and create a clean configuration.

sudo mv /etc/samba/smb.conf /etc/samba/smb.orig
sudo /etc/samba/smb.conf

There are almost countless examples on the net about how to configure you Samba file. Everyone's got a slightly different setup. I've settled on the following for production use.

Note: You will want to make sure to change SCHOOL.UNIVERSITY.EDU with your domain name.
[global]
        dos charset = UTF8
        display charset = UTF8
        workgroup = SCHOOL
        realm = SCHOOL.UNIVERSITY.EDU
        server string = %h
        security = ADS
        map to guest = Bad User
        null passwords = Yes
        obey pam restrictions = Yes
        pam password change = Yes
        password server = AD-CONTROLER1.SCHOOL.UNIVERSITY.EDU
        username map = /etc/samba/smbusers
        max log size = 10
        log file = /var/log/samba/log.%m
        unix extensions = No
        deadtime = 10
        socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=65536 SO_RCVBUF=65536
        load printers = No
        disable spoolss = Yes
        dns proxy = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        winbind separator = +
        winbind cache time = 3600
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind refresh ticket = Yes
        create mask = 0777
        directory mask = 0777
        use sendfile = Yes
        delete veto files = Yes
        veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary It
        map hidden = Yes
        map system = Yes

[HR]
        comment = School HR Server Share
        path = /home/shares/HR
        read only = No
        create mask = 0775
        valid users = @"HR-Dept"

Some key notes about this configuration:
  • socket options - The TCP_NODELAY makes noticeable improvement on file transfer speeds especially if you are using 1G NICs.
  • obey pam restrictions - This integrates your PAM authentication system.
  • veto files - Got Macs on your network? Keep those pesky .Apple file droppings off of your file server
  • valid users - Only members of the HR-Dept user group will have access to the HR file share.
Restart the Samba and Winbind services.
sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba restart
sudo /etc/init.d/winbind start

Now you can join the Samba server to the Active Directory Domain.
sudo net ads join -U Administrator

You should see a message that the target domain was joined successfully.

Testing & Troubleshooting

Check you domain membership with the wbinfo -t command. This will validate that workstation trust account is working correctly:
sudo wbinfo -t

You should see your domain users with this command:
sudo wbinfo -u

The -g option should list your domain's groups.
sudo wbinfo -g


Configure System Security

Now modify the /etc/nsswitch.conf file so the system can start recognising your domain accounts.

vim /etc/nsswitch.conf

Append winbind after compat for passwd and group. Leave everything else alone.
passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

Edit these PAM config files.

sudo mv /etc/pam.d/common-account /etc/pam.d/common-account.orig
sudo vim /etc/pam.d/common-account

Copy the following.
account sufficient       pam_winbind.so
account required         pam_unix.so

Now edit the common-auth file.
sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth.orig
sudo vim /etc/pam.d/common-auth

Now create a common-auth that looks like this
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=3 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

Setup the pam common-session file so new users to the system get created with a standard skel profile and home directory

sudo cp /etc/pam.d/common-session /etc/pam.d/common-session.orig
sudo vim /etc/pam.d/common-session

Your common-session should look like this:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional                        pam_krb5.so minimum_uid=1000
session required        pam_unix.so
session required        pam_mkhomedir.so umask=0022 skel=/etc/skel
# end of pam-auth-update config

Sudo'ers file

You can grant domain administrators elevated sudo permissions on the server by adding this line to your sudo configuration.

Open the sudo safe editor
sudo visudo

Add the following to the configuration:
# Allow "Domain Admins" from the domain "DOMAIN" to run all commands
%SCHOOL+Domain\ Admins  ALL=(ALL) ALL

You will want to replace SCHOOL with your domain name.




References

ACLs on Samba by Dustin Puryear
Join Samba 3 to Your Active Directory Domain - Carla Schroder
Active Directory Winbind Howto - Ubuntu Community Documentation

2 comments: