Integrating Samba 3 with Windows 2003

Summary:

This How-To will walk you through integrating your Samba file and print servers into a Windows 2003 Domain.

Full Article:

The launch of Windows 2003 in April has made organizations consider whether they are ready to upgrade their existing Windows NT and 2000 farms to Microsoft's most talked-about OS. There have been rave reviews up to this point, and I myself think it is a very good achievement for them, and one that will benefit existing Windows infrastructures.

With that said, on the other side of the tracks, we see that penguin in the sky making headlines as well. Some organizations have already taken the leap and started bringing in Linux very slowly, and some of the bolder organizations are willing to replace their existing Windows infrastructure with Linux entirely.

I was then faced with the question: can we integrate Linux, from a file and print sharing perspective, into Windows 2003 domains? Up until now, Samba, the file and print sharing service for Linux and Unix variants, has been revolutionary in doing just that within Windows NT and Windows 2000 domains. But we all know Microsoft doesn't want its open-source rival to be that tightly integrated with its Windows products, or so I would gather at the current time. I then began wondering whether they had changed the behavior of the SMB (Server Message Block) protocol in Windows 2003 at all. From a security standpoint they have, in relation to Active Directory. Does this mean that the hard work of the Samba team has been in vain after the release of Windows 2003? Or do we have to wait for Samba to "catch up"?

Read on for the answers. The guide that follows will show you how to integrate your Samba servers running Linux into your newly stocked Windows 2003 domains with Active Directory, using Samba 3 Alpha (the current stage of development), Kerberos for authentication with Active Directory, and Winbind for making Windows users available to the Samba server.

-------------------------------

The test machines used for this guide are as follows:

Windows 2003 Primary Domain Controller - IP Address: 172.16.1.6 - HOSTNAME: pershootqawin

FULL DOMAIN NAME: TEST.LOCAL
DOMAIN: TEST


Red Hat Linux 9 - IP Address: 172.16.1.7 - HOSTNAME: pershootqalx


Tools needed:

You'll need to have the OpenLDAP development and core packages:

rpm -qa | grep openldap

openldap-devel-2.0.27-8
openldap-2.0.27-8


You'll also need Kerberos 5 libraries, workstation and development packages:

rpm -qa | grep krb5

krb5-libs-1.2.7-10
krb5-workstation-1.2.7-10
krb5-devel-1.2.7-10


PAM core, development and kerberos 5 are needed as well:

rpm -qa | grep pam

pam_smb-1.1.6-7
pam-0.75-48
pam_krb5-1.60-1
pam-devel-0.75-48


I would also install the pam_smb package.


To install a package: rpm -ivh package_name.rpm



You'll also need the samba 3.0 alpha 23 source code which can be downloaded from here.


You will also need the standard compilation tools (gcc, make, etc.).


cd /tmp

wget http://www.nixbeta.org/files/samba-3.0alpha23.tar.gz (If you didn't download the source from the above link)


cd /usr/src

tar zxf /tmp/samba-3.0alpha23.tar.gz (If you did get it from wget as shown above, otherwise replace /tmp/ with the path of where you downloaded and stored the samba 3.0 alpha 23 source code)


cd samba-3.0alpha23/source

./configure --prefix=/opt/samba --with-winbind --with-pam-winbind --with-smbmount && make && make install

mkdir /root/samba-lib.BK

mv /lib/libnss_winbind* /root/samba-lib.BK
mv /lib/security/pam_winbind* /root/samba-lib.BK


cp nsswitch/libnss_winbind.so /lib
cp nsswitch/pam_winbind.so /lib/security


cd /lib
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2


/sbin/ldconfig -v | grep winbind


libnss_winbind.so -> libnss_winbind.so (this is what you should see on the output of the ldconfig command)


mkdir /root/conf.BK

mv /etc/krb5.conf /root/conf.BK

Download the kerberos 5 config here, and place it in the /etc directory.


cd /etc

wget http://www.nixbeta.org/files/krb5.conf (If you downloaded the kerberos 5 config file from the link above, you don't need to run this line)

In the instructions below, you want to replace PREFIX_DOMAIN.SUFFIX_DOMAIN (TEST.LOCAL in the config file you just downloaded) and prefix_domain.suffix_domain (test.local in the downloaded config file) with the respective parts of your own domain name. To obtain this information from your Domain Controller, right-click on My Computer, open the Computer Name tab, and the full name of your domain will be listed below the "Full computer name" line. You will also want to replace IP_ADDRESS in the instructions below (172.16.1.6 in the config file) with the domain controller's IP address. To obtain this information on the domain controller, click Start->Run, enter cmd and hit Enter. In the command window type ipconfig, and take note of the IP address line. If you are not comfortable with vi (the Unix and Linux file editor), I have included the vi commands needed below.


vi krb5.conf

hit j 12 times
then l once
then c then w then press the caps lock key
then insert the prefix of your DOMAIN
then depress the caps lock key
hit Esc
then hit l 2 times
then c then w then press the caps lock key
then insert the suffix of your DOMAIN
then depress the caps lock key
then hit Esc
then hit j once
then l once
then hit x 10 times
then a
insert the IP_ADDRESS of the domain controller
then Esc
then hit j once
then l twice
then c then w
then insert the prefix of your DOMAIN
then hit Esc
then hit l twice
then c then w
then insert the suffix of your DOMAIN
then hit Esc
then hit j three times
then hit the number 2 then d then d again
then hit the number 0 then i
insert this: .prefix_domain.suffix_domain = PREFIX_DOMAIN.SUFFIX_DOMAIN
then hit enter and the next line insert:
prefix_domain.suffix_domain = PREFIX_DOMAIN.SUFFIX_DOMAIN
then hit Esc
then hit colon then w then q then exclamation mark and hit enter
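As an added example (not the guide's own krb5.conf, which is not reproduced here), the following shell script builds the krb5.conf from just the realm name and the domain controller's IP address, and checks the result before it replaces the live file. It assumes the standard MIT Kerberos layout of [libdefaults], [realms] and [domain_realm] sections, which is what the vi edits above are filling in; the --write flag and the function names are my own.

```shell
#!/bin/sh
# Added example, not the guide's krb5.conf: generate the file from two inputs.
# Assumed layout: standard MIT krb5.conf sections [libdefaults], [realms],
# [domain_realm]; the guide's downloaded template may differ in detail.

# gen_krb5_conf REALM KDC_IP
#   Prints a krb5.conf on stdout. REALM is the upper-case Kerberos realm
#   (e.g. TEST.LOCAL); the lower-case DNS name used in [domain_realm] is
#   derived from it so the two can never disagree.
gen_krb5_conf() {
    realm=$1
    kdc=$2
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ -z "$realm" ] || [ "$realm" != "$upper" ]; then
        echo "gen_krb5_conf: realm must be upper case, got '$realm'" >&2
        return 1
    fi
    if [ -z "$kdc" ]; then
        echo "gen_krb5_conf: missing KDC address" >&2
        return 1
    fi
    lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
        default_domain = $lower
    }

[domain_realm]
    .$lower = $realm
    $lower = $realm
EOF
}

# check_krb5_conf FILE REALM
#   Returns 0 when FILE names REALM as the default realm, lists at least one
#   kdc, and maps both the dotted and bare DNS domain onto REALM. Run this
#   before kinit instead of diagnosing "Cannot find KDC" afterwards.
check_krb5_conf() {
    f=$1
    realm=$2
    lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    grep -q "^[[:space:]]*default_realm = $realm\$" "$f" || return 1
    grep -q "^[[:space:]]*kdc = ." "$f" || return 1
    grep -q "^[[:space:]]*\\.$lower = $realm\$" "$f" || return 1
    grep -q "^[[:space:]]*$lower = $realm\$" "$f" || return 1
    return 0
}

# Usage (assumed flag; back /etc/krb5.conf up first as the guide does):
#   sh gen_krb5.sh --write TEST.LOCAL 172.16.1.6
if [ "${1:-}" = "--write" ]; then
    gen_krb5_conf "$2" "$3" > /etc/krb5.conf.new &&
        check_krb5_conf /etc/krb5.conf.new "$2" &&
        mv /etc/krb5.conf.new /etc/krb5.conf
fi
```

The realm is written once and the lower-case DNS mapping is derived from it, which removes the most common cause of a failed kinit in this setup: a realm typed in mixed case, or a [domain_realm] entry that does not match [realms].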



mkdir /opt/samba/netlogon
mkdir /dropzone; chmod 777 /dropzone



vi /opt/samba/lib/smb.conf

hit i then insert these lines (make sure you replace PREFIX_DOMAIN.SUFFIX_DOMAIN with your domain name in caps, IP_ADDRESS_DOMAIN_CONTROLLER with your domain controller's IP address, and PREFIX_DOMAIN with your domain names prefix (ex: for TEST.LOCAL the prefix is TEST)):

#GLOBAL
[global]
realm = PREFIX_DOMAIN.SUFFIX_DOMAIN
ads server = IP_ADDRESS_DOMAIN_CONTROLLER
#authenticate against Active Directory (Kerberos) instead of a local password database
security = ADS
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
workgroup = PREFIX_DOMAIN
#local UID/GID range that winbind maps domain users and groups into
winbind uid = 10000-20000
winbind gid = 10000-20000

#FOR WINDOWS 9x
[NETLOGON]
path = /opt/samba/netlogon
read only = yes

#SAMBA SHARE
[DROPZONE]
path = /dropzone
read only = no
public = no
only guest = no
writable = yes


then hit colon then w then q then enter


mkdir /root/pam.BK

cp /etc/pam.d/samba /root/pam.BK
cp /etc/pam.d/login /root/pam.BK



This is the contents of the pam samba file that pershootqalx contains:

#%PAM-1.0
auth required /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required /lib/security/pam_winbind.so
account required /lib/security/pam_pwdb.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth



You will want to insert the four pam_winbind and pam_pwdb lines above (they were shown in italics in the original). Your pam samba config file should look similar, if not almost identical, to the lines above minus those four lines if you are on Red Hat. If it does, I have included the appropriate vi commands for editing the file below, to insert the new lines.


vi /etc/pam.d/samba

hit o
then insert:

auth required /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so

then hit Esc then j two times
then hit o
insert these lines:
account required /lib/security/pam_winbind.so
account required /lib/security/pam_pwdb.so

then hit Esc
then colon then w then q then exclamation mark then enter


This is the contents of the pam login file that pershootqalx contains:

#%PAM-1.0
auth required pam_securetty.so
auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient /lib/security/pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so



You will want to insert the two pam_winbind lines and the pam_unix use_first_pass line above (they were shown in italics in the original). Your pam login config file should look similar, if not almost identical, to the lines above minus those three lines if you are on Red Hat. If it does, I have included the appropriate vi commands for editing the file below, to insert the new lines.


vi /etc/pam.d/login

hit j once then hit o
insert these lines:

auth sufficient /lib/security/pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass


then hit Esc then j two times
then hit o and insert this:
account sufficient /lib/security/pam_winbind.so

then hit Esc
then colon then w then q then exclamation mark then enter
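As an added example (not part of the guide), the script below makes the same two PAM edits by anchoring on the existing Red Hat 9 entries rather than by counting vi keystrokes, and it refuses to touch a stack that does not contain the expected anchor line. It also keeps the distinction the guide's files make: in the samba service winbind and pwdb are required, in the login service winbind and pam_unix are sufficient so a local account still works when the domain is unreachable. The function names and the --apply flag are my own.

```shell
#!/bin/sh
# Added example, not from the guide: place the winbind lines into the
# /etc/pam.d/samba and /etc/pam.d/login stacks by anchoring on the existing
# Red Hat 9 entries shown above. Re-running it is harmless: a line that is
# already present is never added twice.

# pam_insert_before FILE ANCHOR_REGEX LINE
#   Insert LINE immediately before the first line matching ANCHOR_REGEX.
#   Fails (exit 1) if the anchor is missing, so a stack that does not look
#   like the one in the guide is left untouched instead of silently changed.
pam_insert_before() {
    f=$1
    anchor=$2
    line=$3
    if grep -qxF -- "$line" "$f"; then
        return 0                        # already configured
    fi
    if ! grep -qE -- "$anchor" "$f"; then
        echo "pam_insert_before: no line matching '$anchor' in $f" >&2
        return 1
    fi
    tmp="$f.tmp.$$"
    awk -v anchor="$anchor" -v line="$line" '
        !done && $0 ~ anchor { print line; done = 1 }
        { print }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"    # cat keeps owner and mode of FILE
    rm -f "$tmp"
}

# configure_pam_samba FILE
#   The "samba" service from the guide: winbind and pwdb are required and sit
#   before pam_nologin (auth) and before pam_stack (account).
configure_pam_samba() {
    f=$1
    pam_insert_before "$f" '^auth[[:space:]]+required[[:space:]]+pam_nologin' \
        'auth required /lib/security/pam_winbind.so' &&
    pam_insert_before "$f" '^auth[[:space:]]+required[[:space:]]+pam_nologin' \
        'auth required /lib/security/pam_pwdb.so' &&
    pam_insert_before "$f" '^account[[:space:]]+required[[:space:]]+pam_stack' \
        'account required /lib/security/pam_winbind.so' &&
    pam_insert_before "$f" '^account[[:space:]]+required[[:space:]]+pam_stack' \
        'account required /lib/security/pam_pwdb.so'
}

# configure_pam_login FILE
#   The "login" service: winbind and pam_unix are sufficient, so a domain
#   user succeeds at winbind and a local user falls through to pam_unix with
#   the same password (use_first_pass); the account check works the same way.
configure_pam_login() {
    f=$1
    pam_insert_before "$f" '^auth[[:space:]]+required[[:space:]]+pam_stack' \
        'auth sufficient /lib/security/pam_winbind.so' &&
    pam_insert_before "$f" '^auth[[:space:]]+required[[:space:]]+pam_stack' \
        'auth sufficient /lib/security/pam_unix.so use_first_pass' &&
    pam_insert_before "$f" '^account[[:space:]]+required[[:space:]]+pam_stack' \
        'account sufficient /lib/security/pam_winbind.so'
}

# Usage (assumed flag; copy the files to /root/pam.BK first as the guide does):
#   sh pam_winbind.sh --apply
if [ "${1:-}" = "--apply" ]; then
    configure_pam_samba /etc/pam.d/samba && configure_pam_login /etc/pam.d/login
fi
```

Because each insert goes in front of the same anchor, calling the function twice for two lines preserves their order, which is why winbind ends up above pwdb exactly as in the listings above.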


Let's restart xinetd:

/etc/rc.d/init.d/xinetd restart


vi /etc/rc.d/init.d/samba_winbind

hit i then insert these lines:

/opt/samba/sbin/smbd -D
/opt/samba/sbin/nmbd -D
/opt/samba/sbin/winbindd


then hit Esc then colon then w then q then enter


chmod 755 /etc/rc.d/init.d/samba_winbind

cd /etc/rc.d/rc3.d

ln -s /etc/rc.d/init.d/samba_winbind S99samba_winbind

cd ../rc5.d

ln -s /etc/rc.d/init.d/samba_winbind S99samba_winbind

mkdir /root/nsswitch.BK

cp /etc/nsswitch.conf /root/nsswitch.BK

You will need to append winbind after files on the passwd and group lines in your nsswitch.conf file. They should be located together within the file like so:

passwd: files winbind
shadow: files
group: files winbind


I have included the necessary vi commands to get this done below.


vi /etc/nsswitch.conf

hit / then type passwd then enter

then hit n

then hit the number 3 then d then d then hit i and insert these lines:

passwd: (hit the tab key) files winbind
shadow: (hit the tab key) files
group: (hit the tab key) files winbind


then hit Esc then colon then w then q then exclamation mark then enter
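As an added example (not from the guide), here is the same nsswitch.conf change done with awk plus a check of the result. It keeps files ahead of winbind on both lines, so root and the other local accounts still resolve when winbindd is down, and it leaves shadow alone, since winbind supplies identities rather than local password hashes. Function names and the --apply flag are my own.

```shell
#!/bin/sh
# Added example, not from the guide: append "winbind" to the passwd and group
# lines of nsswitch.conf and verify the result. "files" stays first so local
# accounts (root above all) resolve without winbindd running, and shadow is
# left alone: winbind supplies identities, not local password hashes.

# nss_add_winbind FILE
#   Edit FILE in place; lines that already list winbind are left unchanged.
nss_add_winbind() {
    f=$1
    tmp="$f.tmp.$$"
    awk '
        /^(passwd|group):/ && $0 !~ /winbind/ { $0 = $0 " winbind" }
        { print }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"    # cat keeps owner and mode of FILE
    rm -f "$tmp"
}

# nss_check FILE
#   Returns 0 when passwd and group list files before winbind and shadow does
#   not mention winbind at all; otherwise reports what is wrong and returns 1.
nss_check() {
    f=$1
    rc=0
    for db in passwd group; do
        if ! grep -qE "^$db:[[:space:]]+files([[:space:]]+[[:alnum:]_]+)*[[:space:]]+winbind" "$f"; then
            echo "nss_check: $db line does not read 'files ... winbind'" >&2
            rc=1
        fi
    done
    if grep -qE '^shadow:.*winbind' "$f"; then
        echo "nss_check: shadow must stay local (files only)" >&2
        rc=1
    fi
    return $rc
}

# Usage (assumed flag; the guide already copied the file to /root/nsswitch.BK):
#   sh nss_winbind.sh --apply
if [ "${1:-}" = "--apply" ]; then
    nss_add_winbind /etc/nsswitch.conf && nss_check /etc/nsswitch.conf
fi
```

After applying it, getent passwd on the Samba server should list the domain users once winbindd is running; if it does not, nss_check failing is the quickest way to tell a file problem from a winbind problem.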


Now on the windows 2003 domain controller:


Start->Settings->Control Panel->Administrative Tools->Domain Controller Security Policy

then click on local policies on the left hand side in the pane

then doubleclick security options on the right hand side in the pane

then scroll down to and doubleclick Microsoft Network Server: Digitally sign communications (always)

check Define this policy and select the Disabled radio button, then click apply then ok. You can close that window now.

If you have just recently promoted this machine to a Domain Controller and have not changed passwords since, then:

Back in the Control Panel, double-click Active Directory Users and Computers

Click on Users on the left hand side

Right click on Administrator on the right hand side->reset password

Enter your old password with an * appended to it, confirm it, then click OK, and OK again through the box confirming that a logoff and logon are needed for the change to take effect.

Reboot the Domain Controller.


Now back on the samba server:


Let's start up samba and winbind at this point:

/etc/rc.d/init.d/samba_winbind


Now we shall log in to the domain with credentials that possess domain administrative rights:

/usr/kerberos/bin/kinit administrator@PREFIX_DOMAIN.SUFFIX_DOMAIN (replace PREFIX_DOMAIN.SUFFIX_DOMAIN with the respective name parts in your domain name in caps)

Note: Make sure the clocks on your domain controller and your Samba server are in sync; otherwise you will receive a message like "kinit(v5): Clock skew too great while getting initial credentials", and things will not work.


enter the password for administrator (domain administrator password)


Then, we can join the Samba server to the Windows 2003 domain:

/opt/samba/bin/net ads join

You will then see a success message saying that your SAMBA Host has joined your windows 2003 DOMAIN (for example in the test scenario for this guide: Joined 'PERSHOOTQALX' to realm 'TEST.LOCAL')


Let's try to access an administrative share on the domain controller:


/opt/samba/bin/smbclient //pershootqawin/c$ -k (replace pershootqawin with your domain controller's hostname or IP address)

Enter your password for the share if you get prompted to enter one (you shouldn't because you are already logged in to the domain as administrator).

You should then see the following:

added interface ip=172.16.1.7 bcast=172.16.1.255 nmask=255.255.255.0
Doing spnego session setup (blob length=113)
Doing kerberos session setup
OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]


(the 172.16.1.X entries in the first line will reflect your Samba server's IP addressing scheme)


You should then be at an smbclient prompt (smb: \>). You can browse the share at this point.

type exit.


To mount a Windows share on a directory of your Samba server (let's use the domain controller's administrative C$ share):

mkdir /win2k3_C
mount -t smbfs -o username=administrator,password=PASSWORD //pershootqawin/c$ /win2k3_C


cd /win2k3_C
ls

you will now see the contents of your drive C.
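As an added caveat and example (not part of the guide), the password given on the mount command line above is visible to every local user in ps output and ends up in the shell history. The script below keeps it in a root-only credentials file and refuses to mount if that file is readable by anyone else. It assumes smbmount's credentials= option is available in this build; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the guide: keep the administrator password out of the
# mount command line. "password=..." passed to mount shows up in ps output and
# in the shell history; smbmount's credentials= option (assumed to be available
# in this Samba build) reads it from a root-only file instead.

# write_smb_credentials FILE USER PASSWORD
#   Creates FILE with mode 0600 (umask applied in a subshell so the caller's
#   umask is untouched) holding the two lines smbmount expects.
write_smb_credentials() {
    f=$1
    user=$2
    pass=$3
    (
        umask 077
        printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$f"
    ) && chmod 600 "$f"
}

# credentials_mode FILE
#   Prints the permission string of FILE (e.g. -rw-------) so a caller can
#   refuse to mount with a file other users could read.
credentials_mode() {
    ls -ld -- "$1" | cut -c1-10
}

# mount_share CREDFILE //SERVER/SHARE MOUNTPOINT
#   Refuses if the credentials file is group- or world-readable, then mounts
#   with -o credentials= instead of -o password=.
mount_share() {
    cred=$1
    unc=$2
    mp=$3
    case $(credentials_mode "$cred") in
        ?rw-------|?r--------) ;;
        *) echo "mount_share: $cred must be readable only by its owner" >&2; return 1 ;;
    esac
    mkdir -p -- "$mp"
    mount -t smbfs -o "credentials=$cred" "$unc" "$mp"
}

# Usage, following the guide's paths (password value is a placeholder):
#   write_smb_credentials /root/.smbcred administrator 'PASSWORD'
#   mount_share /root/.smbcred '//pershootqawin/c$' /win2k3_C
```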


Let's make sure winbind is working properly:

/opt/samba/bin/wbinfo -u

You should then see output similar to the following (TEST below would be your domain name, and user names follow after the backslash):

TEST\Administrator
TEST\Guest
TEST\SUPPORT_388945a0
TEST\krbtgt


All is well at this point. You are able to view users on the windows 2003 domain.
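As an added example (not from the guide), the script below checks the two outputs shown above mechanically: that smbclient really set the session up with Kerberos rather than falling back to a password exchange, and that every user wbinfo -u lists carries your domain's prefix. It assumes wbinfo -u prints users as DOMAIN\user, as shown above, and that wbinfo -t (check the machine trust account) exists in this build; the function names, the SAMBA_BIN variable and the --run flag are my own.

```shell
#!/bin/sh
# Added example, not from the guide: check the post-join output mechanically
# instead of eyeballing it. Assumptions: wbinfo -u lists users as DOMAIN\user
# (as shown above); wbinfo -t exists in this build.

# kerberos_session_used  < smbclient-output
#   Returns 0 when the session was set up with Kerberos (the line the guide
#   shows), 1 if smbclient did not, e.g. it fell back to a password prompt.
kerberos_session_used() {
    grep -q 'Doing kerberos session setup'
}

# verify_winbind_users DOMAIN  < wbinfo-output
#   Prints the number of users that carry the DOMAIN\ prefix and returns 0
#   only when there is at least one and every non-blank line carries it; a
#   different prefix means winbind is answering for an unexpected domain.
verify_winbind_users() {
    domain=$1
    n=0
    bad=0
    while IFS= read -r line; do
        case $line in
            "$domain"\\?*) n=$((n + 1)) ;;
            '') ;;                      # ignore blank lines
            *) bad=$((bad + 1)) ;;
        esac
    done
    echo "$n"
    [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}

# winbind_smoke_test DOMAIN DC_HOST
#   Runs the live checks from the guide in order; stops at the first failure.
#   Requires a valid ticket from kinit, as in the guide.
winbind_smoke_test() {
    domain=$1
    dc=$2
    bin=${SAMBA_BIN:-/opt/samba/bin}
    if ! "$bin/smbclient" "//$dc/c\$" -k -c exit 2>&1 | kerberos_session_used; then
        echo "smbclient did not use Kerberos against $dc" >&2
        return 1
    fi
    if ! "$bin/wbinfo" -t >/dev/null; then
        echo "trust account check failed: has 'net ads join' run?" >&2
        return 1
    fi
    users=$("$bin/wbinfo" -u | verify_winbind_users "$domain") || {
        echo "wbinfo -u returned no $domain users" >&2
        return 1
    }
    echo "winbind ok: $users users visible in $domain"
}

# Usage (assumed flag): sh winbind_check.sh --run TEST pershootqawin
if [ "${1:-}" = "--run" ]; then
    winbind_smoke_test "${2:?domain prefix, e.g. TEST}" "${3:?domain controller host}"
fi
```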


On the Windows 2003 domain controller:

Start->Run, enter: \\pershootqalx\dropzone (replace pershootqalx with your Samba server's hostname or IP address)


Log in as DOMAIN\username (replace DOMAIN with the prefix of your full domain name; for example, for TEST.LOCAL the prefix is TEST) and replace username with a Windows user name (you can use administrator if you like). Then enter the password and click OK. You should now be able to browse dropzone, the Samba share we created earlier.


If windows kicks back with the login screen:


Note: A bug was noticed in the version of winbindd compiled from this alpha release. That is to be expected, as there are probably other bugs in this Samba release because it is alpha software at this point. It seems as though the winbindd daemon needs to be "woken up", so to speak. On the login screen that has been kicked back to you, type root for the user and leave the password field blank. Windows will then kick back the login screen again. Now you may enter a Windows user for login and that user's password, then click OK. You will now be able to browse the Samba share.

Just as a side note: if you look at the end of /opt/samba/var/log.winbindd, you will notice that ads_name_to_sid cannot find the user and get_pwnam can't retrieve a password match. This is because there is no user called root in our Windows domain; that user exists only on our Samba server.


There you have it: you have just integrated your Samba server into your Windows 2003 Domain. You can access any machine in the Domain and its shares from the Samba server, and the same can be done from any Windows box in the domain accessing Samba shares. The beauty here is that Windows users can log in to Samba shares with their own credentials. This is the work of winbindd: Winbind maps domain users and groups to UIDs and GIDs in the 10000-20000 range on the Samba server when a user with those credentials accesses it.

The only security feature we disabled on the Domain Controller is the SMB packet signing that Windows 2003 requires by default for communication with Active Directory. On Windows 2000 and Windows NT domains, this signing of packets was not enabled by default. Once Samba 3 nears beta, I have no doubt that its client tools will be able to handle the signing procedure. But at this alpha stage, smbfs cannot.

I would like to thank Gerald (Jerry) Carter of the SAMBA Team for helping me through some grey areas, and Scott Lowe of the Tech Republic for his SAMBA 3 Active Directory and SAMBA 2 Winbind articles, as they were very insightful and an incredible help to me.
