Linux/Samba/Domain Member

From Omnia
< Linux‎ | Samba
Revision as of 00:58, 11 August 2014 by Kenneth (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Summary

Samba

Samba Configuration Option Quick Reference

Install Samba

# Install Samba Server
yum install samba
# Install Samba Client (mount.cifs, smbclient)
yum install samba-client

Mounting Samba Shares

HOWTO Setup Samba:

mount -t cifs //server/share /mnt/samba -o username=username

Samba Configuration File

/etc/samba/smb.conf

NOTE: Whenever you modify this file you should run the command "testparm" to check that you have not many any basic syntactic errors. [1]

Joining a Domain

Samba: Chapter 7. Adding Domain Member Servers and Clients

  • Delete the tdb files that cache Samba information
cd /etc/samba
rm *tdb
  • Configure Samba (/etc/samba/smb.conf):
[global]
        # note: set to short domain name
        workgroup = OEEY
        # note: set to full domain name
        realm = CORPORATE.OEEY.COM
        netbios name = DATA
        password server = snowbird.contractpal.com
        username map = /etc/samba/smbusers

        security = ADS
        encrypt passwords = yes
        passdb backend = tdbsam

        winbind uid = 10000-65000
        winbind gid = 10000-65000
        winbind enum users = yes
        winbind enum groups = yes
        #  winbind use default domain = yes

        debuglevel = 1

        # disable printers
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        #nt acl support = yes
        #acl map full control = yes
        #dos filemode = yes

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No

[files]
        path = /test
        comment = Test
        read only = No
        create mask = 0750
        browseable = Yes
        guest ok = no
        preserve case = yes
        #nt acl support = yes

[test]
        path = /test
        public = no
        browsable = yes
        read list = @"OEEY\domain users"
        write list = @"OEEY\domain users"
        create mask = 0777
        directory mask = 0777
        force create mode = 0777
        force directory mode = 0777

[release]
        path = /Release
        public = no
        browsable = yes
        read list = @"OEEY\domain users"
        write list =
        read only = yes
  • Validate your Samba configuration:
testparm -s
  • Join ADS domain:
# Samba does not need to be running at this step, but the smb.conf will be parsed
net ads join -UAdministrator
# for debugging purposes:
net ads join -UAdministrator%mypassword -d3

NOTE: never execute the net rpc join command in an attempt to join the Samba server to the domain, unless you wish not to use the Kerberos security protocols. [2]

  • Test ADS connection:

Simple ADS information:

net ads info

One can also check that the connection was made by checking the secrets.tdb file.

tdbdump secrets.tdb

Or way more information than you care for:

net ads status -UAdministrator%mypassword
  • Configure Kerberos (/etc/krb5.conf):
[libdefaults]
default_realm = CORPORATE.OEEY.COM
dns_lookup_kdc = true
...
[realms]
 CORPORATE.OEEY.COM = {
  kdc = snowbird.contractpal.com:88
  admin_server = snowbird.contractpal.com:749
  default_domain = contractpal.com
 }
...
[domain_realm]
.corporate.OEEY.com = CORPORATE.OEEY.COM
corporate.OEEY.com = CORPORATE.OEEY.COM
  • Test Kerberos connection:
kinit Administrator
klist
  • Test Winbind:
service winbind restart

# list domain users
wbinfo -u
# list domain groups
wbinfo -g

List winbind database information:

tdbdump /var/cache/samba/winbindd_idmap.tdb
tdbdump /var/cache/samba/winbindd_cache.tdb
  • Edit /etc/nsswitch.conf
# passwd, group, hosts: winbind
passwd:     files winbind
#shadow:     files winbind
shadow:     files
group:      files winbind

hosts:      files wins
#possibly use:
#hosts:      files dns winbind
  • Test nss:
# should now show domain users
getent passwd

# should now show domain groups
getent passwd
  • Edit samba PAM configuration (/etc/pam.d/samba):
#%PAM-1.0

# USE WINBIND FOR AUTHENTICATION
auth sufficient         /lib/security/pam_winbind.so try_first_pass
account sufficient      /lib/security/pam_winbind.so try_first_pass
session sufficient      /lib/security/pam_winbind.so try_first_pass
  • Start samba:
service smb start
  • Test samba connection:
smbclient -L DATA -UAdministrator

Old bad way of joining a domain (do not use):

#Join Domain: "sudo net rpc join -W OEEY -U Administrator -S snowbird -I 10.161.101.8"

Joining Domain References

List users and groups of domain

This article shows a cool script.

Test joining the domain:

wbinfo -t
checking the trust secret via RPC calls succeeded

To view domain users:

wbinfo -u 

To view domain groups:

wbinfo -g

To view user details (not local unix user):

wbinfo -i <user>

To view user groups id:

wbinfo -r <user>

To see all users (including those from winbind): [3]

getent passwd

Authenticate: [4]

wbinfo -a testuser%testpass

Test challenge/response:

wbinfo -a [domain]\\[user]%[password]

PAM and Samba

This article shows how to use winbind for Samba PAM authentication:

/etc/pam.d/samba:

See /etc/pam.d/samba

How can I configure my Red Hat Enterprise Linux system to use pam_winbind.so so users can log into the server using their domain username and password?

It is also assumed that the domain user's home directory has already been created on the system in the correct location, because winbind cannot create home directories.

/etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

A single line can be added to the session section of /etc/pam.d/system-auth file, to make use of the pam_mkhomedir.so PAM module. This module will automatically create a user's home directory if they have authenticated successfully and if the home directory does not already exist. If pam_mkhomedir.so has to create the user's home directory, the template homedir statement in /etc/samba/smb.conf will be used to determine where to create the user's home directory.

session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so      

Auto creation of home directories:

Using Winbind to Resolve Active Directory Accounts in Debian:

We need to configure our system to create home directories for each of the Active Directory users. Insert a reference to the pam_mkhomedir module in /etc/pam.d/common-session as shown below:
# /etc/pam.d/common-session
session	required	pam_mkhomedir.so skel=/etc/skel/ umask=0022
session	sufficient	pam_winbind.so
session required	pam_unix.so

nsswitch.conf

See /etc/nsswitch.conf

What changes do I need to make to nsswitch.conf for winbind to work?

passwd:       files winbind
shadow:       files
group:        files winbind

IDMAP

Samba: Chapter 14. Identity Mapping (IDMAP)

Winbind

Samba: Chapter 24. Winbind: Use of Domain Accounts


Users and Groups with Samba (Winbind) and Active Directory

How do I set up winbind on our Samba server to create users and groups from our domain controller?

#  WINBIND STUFF
  idmap uid = 15000-20000
  idmap gid = 15000-20000
  winbind enum groups = yes
  winbind enum users = yes
  winbind separator = +
  winbind use default domain = no
  template homedir = /homes/%D/%U
  template shell = /bin/bash

A brief explanation of some of these settings:

   * idmap uid - the range of numeric uid's that winbind will use to enumerate domain users with on your system. You should select a range that does not conflict with uid numbers already in use on the system and also make sure not to assign users to uid numbers in this range after you start using winbind. Also, it's probably a good idea to not change the number range once you start using winbind, as it could cause file ownership or group ownership problems.
   * idmap gid - the range of numeric gid's that winbind will use to enumerate domain groups on your system. The idmap uid cautions noted above apply here as well.
   * winbind enum groups and winbind enum users - whether winbind should "create" the domain's groups/users on the system or not. Leave these both set to yes unless you want to turn the functionality off for some reason.
   * winbind separator - the character winbind will use to separate the domain name from the user or group name. Using such a configuration will cause domain usernames to appear like this - "MYDOMAIN+username" and domain group names to appear like this - "MYDOMAIN+Domain Users" for example.
   * The template homedir statement is used to generate the home directory path for domain users. The example given uses variable substitution and would cause winbind-enumerated users' home directories to appear as /homes/MYDOMAIN/username.

Note that if you wish certain (or all) domain users to have a home directory on the Samba server, you will have to create it for them. While the template homedir statement does control where Samba thinks the user's home directory will be, winbind will not actually create the user's home directory for you.


You can test the basic user and group enumeration functionality of winbind with wbinfo and getent commands:

# wbinfo -u
MYDOMAIN+vince
MYDOMAIN+Administrator
MYDOMAIN+Guest

# wbinfo -g
MYDOMAIN+Domain Admins
MYDOMAIN+Domain Users
MYDOMAIN+Domain Guests

# getent group
quaggavty:x:102:
quagga:x:92:
radvd:x:75:
radiusd:x:95:
MYDOMAIN+Domain Admins:x:15008:MYDOMAIN+Administrator
MYDOMAIN+Domain Users:x:15009:
MYDOMAIN+Domain Guests:x:15010:MYDOMAIN+Guest

# getent passwd
radvd:x:75:75:radvd user:/:/sbin/nologin
radiusd:x:95:95:radiusd user:/:/bin/false
MYDOMAIN+vince:x:15001:15009:Vince:/homes/MYDOMAIN/vince:/bin/bash
MYDOMAIN+administrator:x:15009:15009:Administrator:/homes/MYDOMAIN/
   administrator:/bin/bash
MYDOMAIN+guest:x:15010:15009:Guest:/homes/MYDOMAIN/guest:/bin/bash

winbindd (8)

Read Write Groups

Domain Groups [5]

write list = @"AMITY+Domain Admins"
write list = @"Domain Admins"

Controlling Access to Shares

Controlling Access to Shares


How can I restrict access in Samba?:

[global]
workgroup = WORKGROUP
netbios name = LOCALHOST
security = share
hosts allow = 127.0.0. 10.

[share1]
comment = First Share
path = /home/share1
#bob janet and all members of groupa are permitted access
valid users = bob janet @groupa
#only machines with 10.0.0.5, 10.2.5.10, and 10.0.1.1-255 are allowed
hosts allow = 10.0.0.5 10.2.5.10 10.0.1.

Mounting disk with loopback device to test ACLs

See Mounting Loopback Device

7. Mount with ACL option

mkdir /mnt/disk.image
mount -t ext3 -o loop,defaults,acl disk.image /mnt/disk.image


Disable Printers

Novice question - How to completely disable printing and /etc/printcap errors:

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

Firewall

Samba and IPTables

netbios-ns 137/udp # NetBIOS Name Service
netbios-dgm 138/udp # NetBIOS Datagram Service
netbios-ssn 139/tcp # NetBIOS Session Service
microsoft-ds 445/tcp # Microsoft Directory Service

Easier:

system-config-security-tui
(which writes out to /etc/sysconfig/system-config-securitylevel)

Troubleshooting

  1. Check /var/log/messages
  2. Ceheck /var/log/samba/*

Could not connect to server snowbird

$ net rpc join -W OEEY -U Administrator -S snowbird -I 10.161.101.
  Password:
  Could not connect to server snowbird
  The username or password was not correct.
  Connection failed: NT_STATUS_LOGON_FAILURE

Cannot find KDC for requested realm

The log files are repoting:

==> /var/log/samba/log.wb-OEEY <==
[2007/10/10 14:00:21, 0] libads/kerberos.c:ads_kinit_password(208)
  kerberos_kinit_password STAGE$@CORPORATE.OEEY.COM failed: Cannot find KDC for requested realm
[2007/10/10 14:00:21, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain OEEY failed: Cannot find KDC for requested realm

==> /var/log/messages <==
Oct 10 14:00:21 stage winbindd[20879]: [2007/10/10 14:00:21, 0] libads/kerberos.c:ads_kinit_password(208)
Oct 10 14:00:21 stage winbindd[20879]:   kerberos_kinit_password STAGE$@CORPORATE.OEEY.COM failed: Cannot find KDC for requested realm

NT_STATUS_NO_SUCH_USER

==> /var/log/samba/smbd.log <==
[2007/10/10 15:06:44, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [test] -> [test] FAILED with error NT_STATUS_NO_SUCH_USER

The user exists in the domain, but not on the local box.

This means that the /etc/krb5.conf is not setup correctly. Reconfigure the file and try 'kinit administrator'. This should connect to the correct default domain, else you still have the krb5.conf file wrong.

winbindd: idmap uid range missing or invalid

The log files are reporting the following when starting winbind:

==> /var/log/samba/winbindd.log <==
[2007/10/10 14:14:17, 1] nsswitch/winbindd.c:main(953)
  winbindd version 3.0.24-7.fc5 started.
  Copyright The Samba Team 2000-2004
[2007/10/10 14:14:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(787)
  winbindd: idmap uid range missing or invalid
[2007/10/10 14:14:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(788)
  winbindd: cannot continue, exiting.
[2007/10/10 14:14:17, 1] nsswitch/winbindd.c:main(986)
  Could not init idmap -- netlogon proxy only

==> /var/log/messages <==
Oct 10 14:14:17 stage winbindd[21382]: [2007/10/10 14:14:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(787)
Oct 10 14:14:17 stage winbindd[21382]:   winbindd: idmap uid range missing or invalid
Oct 10 14:14:17 stage winbindd[21382]: [2007/10/10 14:14:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(788)
Oct 10 14:14:17 stage winbindd[21382]:   winbindd: cannot continue, exiting.

According to this thread simple include the following lines:

/etc/samba/smb.conf:
  idmap uid = 10000-20000
  idmap gid = 10000-20000

Access is denied upon changing ACL

[Security]
Unable to save permission changes on <FILE>.
Access is denied.

Logon failure: unknown user name or bad password

C:\>net use x: \\stage\files /user:OEEY\administrator
The password or user name is invalid for \\stage\files.

Enter the password for 'OEEY\administrator' to connect to 'stage':
System error 1326 has occurred.

Logon failure: unknown user name or bad password.

This is caused by the username not existing on the local unix machine. See #PAM and Samba

Set ACL failed

==> /var/log/samba/smbd.log <==
[2007/10/10 15:44:32, 2] smbd/posix_acls.c:set_canon_ace_list(2502)
  set_canon_ace_list: sys_acl_set_file type file failed for file c/big (Operation not supported).
[2007/10/10 15:44:32, 2] smbd/posix_acls.c:set_canon_ace_list(2502)
  set_canon_ace_list: sys_acl_set_file type file failed for file c/big (Operation not supported).

This is because the file system does not support ACLs

Add User Not Working

Add user script, with winbind, without PAM (Solaris 9):

add machine script = /path/tothesame/adduserscript %u

The 'add machine script' is used to create machine trusts accounts
when running Samba as a PDC (which you are not in this case)

But if you are using winbindd then the user already exists
in UNIX.  The getpwnam() call for the DOMAIN\user will succeed
and so the 'add user script' will never be called.  This is by
design.  Do you run winbindd on the 2.2.8a server?

The better way to solve your problem is with a 'root preexec'
script of the share in question.

Vista workstation unable to connect to Samba share

\\server\share
The parameter is incorrect.
\\server\share
A device attached to the system is not functioning.
\\server\share
The referenced account is currently locked out and may not be logged on to.

Samba and Vista

Microsoft's security policy on Windows Vista is interestingly set by default to exclude mapping to Samba shares.

To fix this:

  1. click START | Run | secpol.msc.
  2. Go to Local Policies | Security Options and find Network Security: LAN Manager authentication level
  3. Change the settings from Send NTLMv2 response only to Send LM & NTLM - use NTLMv2 session security if negotiated.

Vista defaults to only send the more secure NTLMv2 protocol, which Samba (and, incidentally, some NAS devices) do not support.

If you are using Vista Premium:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel

This controls the security level mandated or allowed for logins. In Vista it defaults to 0x3, which means "NTLMv2 only". This is not supported by Samba, or at least not supported by any of the Samba servers I use (Mac OS X, Debian Sarge, or Buffalo TeraStation). This is despite the fact that the Samba documentation implies that it should work.

The fix is to change it to 0x1, which means "use NTLMv2 if available, or older versions if not." Reboot. Samba shares will work just fine.

If we try \\build\release we get "A device attached to the system is not functioning.". This thread suggests trying by IP address \\10.161.101.12\release\. This worked. Also by full domain \\build.contractpal.com\release\.

"The referenced account is currently locked out and may not be logged on to." This is caused by a non domain member vista box attempting to connect to a samba share that is domain authenticated, but does not have the LM security setting enabled.

Kinit(v5) KDC reply did not match expectations while getting initial credentials

Note: this should probably go under Kerberos

Kinit(v5) KDC reply did not match expectations while getting initial credentials

Answer:

You can get this error when the case of your principal name doesn't match the one returned by the AD KDC. For example: administrator@mydomain.com But the KDC returns the ticket as Administrator@MYDOMAIN.COM

Answer:

Note: If you don't capitalize your realm, you will receive an error

Another article: Using Samba to Authenticate GNU/Linux Against Active Directory

"net ads join" fails, but "net rpc join" works

http://us1.samba.org/samba/docs/man/Samba-Guide/unixclients.html

Q. When I tried to execute net ads join, I got no output. It did not work, so I think that it failed. I then executed net rpc join and that worked fine. That is okay, isn't it?

A. No. This is not okay. It means that your Samba-3 client has joined the ADS domain as a Windows NT4 client, and Samba-3 will not be using Kerberos-based authentication.

change permissions of a file

3.1.2. I'm logged in as Administrator - why can't I edit permissions or change ownership of a file on a domain-connected Samba share? [6]

Under Linux and probably most Unixes, you can't change permissions on a file unless you are the current owner of the file or root, and you can't change ownership of a file unless you are root. So you will need to make yourself operate as root when you are logged in as Administrator. To do this, add the following line to the section in smb.conf for the share you are trying to administer:

admin users = DOMAINNAME\Administrator

Currently, if you are using the winbind use default domain option then you will need to omit the domain name:

admin users = Administrator

References

Samba Configuration

Inherit ACLs [7]:

inherit acls = yes

Include Configuration Files [8]:

include = /etc/samba/shares.conf

Files

/etc/samba/smb.conf

# Your Workgroup or Domain that you want
# to login to
workgroup = OEEY

netbios name = STAGE

#realm = CORPORATE.OEEY.COM

# Tell Samba to talk to domain controller
# for authentication
security = domain

# Specify the server to get authenticate
# from. You can specify the
# NetBIOS # names of the servers or simply
# put in a "*" here to let
# Samba find the server through broadcast
password server = 10.161.101.8

#add user script = /usr/sbin/useradd -s /bin/false -m %u

# Make sure Samba is using encrypted
# passwords
encrypt passwords = yes

debuglevel = 2

#winbind separator = \
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
#template homedir = /home/winnt/%D/%U
#template homedir = /dev/null
template homedir = /home/%D/%U
template shell = /bin/bash
# template primary group = "Domain Users"
winbind use default domain = yes
#winbind enum users = yes
#winbind enum groups = yes
#winbind cache time = 300
# no is default
#winbind nested groups = No

# DISABLE PRINTERS
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

nt acl support = yes
#acl map full control = yes
#dos filemode = yes

[homes]
        read only = no
        create mask = 0750
        browseable = yes
        guest ok = no
        preserve case = yes

[files]
        path = /test
        comment = Test
        read only = No
        create mask = 0750
        browseable = Yes
        guest ok = no
        preserve case = yes
        #nt acl support = yes

[test]
        path = /test
        public = no
        browsable = yes
        read list = @"OEEY\domain users"
        write list = @"OEEY\domain users"
        create mask = 0777
        directory mask = 0777
        force create mode = 0777
        force directory mode = 0777
        directory security mask = 0777
        admin users = DOMAINNAME\Administrator
        force group = "OEEY\domain users"

/etc/nsswitch.conf

...
#passwd:     files
passwd:     files winbind
shadow:     files
#group:      files
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns winbind
...

/etc/pam.d/samba

#%PAM-1.0
#auth       required    pam_nologin.so
#auth       required    pam_stack.so service=system-auth
#account    required    pam_stack.so service=system-auth
#session    required    pam_stack.so service=system-auth
#password   required    pam_stack.so service=system-auth

# USER WINBIND FOR AUTHENTICATION
auth sufficient         /usr/lib/security/pam_winbind.so try_first_pass
account sufficient      /usr/lib/security/pam_winbind.so try_first_pass
session sufficient      /usr/lib/security/pam_winbind.so try_first_pass

/etc/etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CORPORATE.OEEY.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 OEEY = {
  kdc = snowbird:88
  admin_server = snowbird:749
  default_domain = corporate.OEEY.com
 }

[domain_realm]
 .corporate.OEEY.com = CORPORATE.OEEY.COM
 corporate.OEEY.com = CORPORATE.OEEY.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

To Read

Samba PDC + ACL : default ACLs ignored on directory:


Fix a Vista to Mac failure to connect problem:

[Samba] domain user map:

samba30b1 - net join responds failure - but machine accountwas created:

[Samba] create_canon_ace_lists: unable to map SID:

[Samba] Cannot find KDC for requested realm:

Linux Extended Attributes and ACLs:

ACLs on Samba:

Samba ACL Linux:

Installing Fermi Kerberos on a Linux System: (all good articles) http://www.fnal.gov/docs/strongauth/linuxinstall.html http://weblog.bignerdranch.com/?p=6 http://www.linuxjournal.com/article/7336 http://www.net-security.org/advisory.php?id=7909 http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html