									GTS Institute ICT Labs                    Samba 3 Client Technology & Kerberos for Windows AD Integration v1.0




                 Global Technology Solutions Institute
        Systems Integration Hands-on Linux Labs Training Manual

Deploy Samba 3 Client Technology and Kerberos for Windows Active Directory-based identity management

                                          Kefa Rabah
                               GTS Institute, Vancouver Canada
                           krabah@gtechsi.org                www.gtechsi.org

Table of Contents                                                                                 Page No.

DEPLOY SAMBA 3 CLIENT TECHNOLOGY AND KERBEROS FOR ACTIVE DIRECTORY-BASED IDENTITY MANAGEMENT      3

1.0 Introduction                                                                                             3
   1.1 Our Implementing Plan                                                                                 3

Hands-on Lab Sessions                                                                                        4

Part 1: Install and Check necessary packages                                                                 4

Part 2: Install & Configure Samba 3                                                                          5

Part 2: Install & Configure Kerberos 5                                                                       6
  Step 1: Install Kerberos                                                                                   6
  Step 2: Server Clocks Synchronization                                                                      7
  Step 3: Configure and Test Kerberos                                                                        8

Part 2: Use Winbind Authentication to Setup Samba-Windows Connectivity                                       9
  Step 1: Configure Samba                                                                                   10
  Step 2: Add Users & Machines to Samba Account                                                             13
  Step 3: Add Users Profiles & Netlogon to Samba Account                                                    14
  Step 4: How to Delete Users from Your Samba Domain                                                        15

Part 3: Enabling Winbind on Linux Box                                                                       15
  Step 1: Modify /etc/nsswitch.conf file                                                                    15
  Step 2: (Re)starting Samba and Winbind                                                                    16

Part 4: Configure Pluggable Authentication Module (PAM)                                                     19

Part 5: Accessing your Client & Server Machines                                                             20
  5.1 Connecting to a Samba Machine in Linux                                                                21
  5.2 Configuring Windows Machines                                                                          21
  Step 1: Access Shares on the Windows desktop.                                                             21
  Step 2: Mounting shared drives on Windows                                                                 23
  Step 3: Binding to the Domain Controller.                                                                 23
  Step 4: Accessing Windows shares from the Linux node.                                                     23
  Step 5: Accessing Network Machines from Mac OS X                                                          24
                                                                                                             1
© April 2007, Kefa Rabah, Global Technology Solutions Institute, Vancouver Canada

www.gtechsi.org                                    A GTSI Open Knowledge Access License Technical Publication



Part 6: Mac OS/Linux/Windows Single Sign-On                                                                 25
  Step 1: Configure DNS on Mac OS X                                                                         25
  Step 2: Configure Directory Access:                                                                       26
  Step 3: Join the AD Domain:                                                                               29
  Step 4: Test it out:                                                                                      33

Part 7: Easier Web Access to Shared Data                                                                    33

Part 8: SSH Support                                                                                         34

Part 9: Rationale for this System Integration                                                               34
  9.1 Windows Authentication                                                                                34
  9.2 Linux Authentication                                                                                  35
  9.3 Samba and Winbind                                                                                     35
  9.4 Three Authentication Strategies                                                                       35
  9.4.1 Using LDAP authentication:                                                                          35
  9.4.2 Using LDAP and Kerberos                                                                             36
  9.4.3 Using Winbind                                                                                       36

Part 10: Hands-on Labs Assignments                                                                          36




A GTSI Open Access Technical Academic Publications
Delivering Cutting-edge Technology at your Fingertips in the 21st Century




                   Global Technology Solutions Institute
             Systems Integration Hands-on Labs Training Manual

Deploy Samba 3 Client Technology and Kerberos for Active Directory-based identity management

By Kefa Rabah, krabah@gtechsi.org                          October 26, 2010                  GTS Institute



1.0 Introduction
A popular thing to do with Samba these days is to join a Samba 3 host to a Windows Active Directory
domain using Kerberos ticketing. You may freely set up any number of Samba servers in a Windows and
Mac OS X network without joining them to the domain; joining them, however, gives you the power of
single-sign-on (SSO) identity management across all your network resources. You can share files, map
drives and provide centralized printer services. The advantages of domain membership are central
management and authentication, and single sign-on. Using Winbind allows Linux clients to log on to the
AD domain without requiring local Linux system accounts, which is a lovely time- and hassle-saver. We
have also joined Mac OS X to the network to achieve a complete system integration of the three major
operating systems.

1.1 Our Implementing Plan
Because of the enhanced integration with Active Directory (AD) and Mac OS X 10, I chose to use
Winbind on Red Hat Enterprise 5 (RHE5) for my Linux-to-Win2k3 AD and Mac OS X integration project,
which is schematically represented by Fig. 1.




     Fig. 1: A Samba, Windows-AD and Mac OS X systems integration network.


Figure 1 shows a simple network consisting of one AD server, one Samba server and a few client
workstations, connected through a router or switch (most home network routers have at least a four-port
switch included in the device). This grows over time, usually by adding more switches, routers, clients and
additional storage on the server.



Hands-on Lab Sessions
In this hands-on training manual we assume that you already have a functioning Win2k3 Active Directory
DC in place and know how to run it; if not, check that out first. Windows AD is very dependent on DNS
(domain name system), so I'll assume your DNS house is also in order; if not, check out the excellent
“Install Windows Server 2003 Active Directory Domain Controller”. On your Linux box you'll need Samba
3, version 3.0.8 or newer, plus MIT Kerberos 5, version 1.3.1 or newer, and OpenLDAP. (The Samba
documentation states that Heimdal Kerberos, version 0.6.3 or newer, also works. The examples in this lab
manual use MIT Kerberos.) Debian users need the krb5-user, krb5-config, krb5-doc, and libkrb53
packages. Red Hat and Red Hat family users need the krb5 and krb5-client RPMs.

The following setup is used:

192.168.83.10      Server02.medtech.com           the AD server, hereafter known as "the server"

192.168.83.33      rhe5.groptech.com              samba3 "client" machine


The Samba system is based upon a stock standard RHEL5 system with the Samba 3 software.

The following steps are needed to get the system functioning:

    1.   install and check necessary packages
    2.   configure name resolution using either DNS or a hosts file
    3.   configure samba and winbind
    4.   configure kerberos
    5.   testing Samba and winbind
    6.   good luck

Part 1: Install and Check necessary packages
The following packages are required to successfully run all the commands detailed in this guide:

Samba:

    1.   system-config-samba
    2.   samba-common
    3.   samba-client
    4.   samba

Kerberos:

    1.   pam_krb5
    2.   krb5-workstation
    3.   krb5-client
    4.   krb5-libs
    5.   krbafs

You can query your system if these packages are installed by running:




rpm -q package-name

You’re done with this section.



Part 2: Install & Configure Samba 3

First and foremost check if Samba is installed, as follows:

]# rpm -qa | grep samba                            \\ lists every installed package whose name
                                                       contains "samba"

[root@rhe5 ~]# rpm -qa | grep samba*
system-config-samba-1.2.39-1.el5
samba-common-3.0.28-1.el5_2.1
samba-swat-3.0.28-1.el5_2.1
samba-3.0.28-1.el5_2.1
samba-client-3.0.28-1.el5_2.1

If you get a blank result, Samba is not installed. The best way to get Samba is to compile it from the
source file. However, I have found that the RPM files obtained via Yum (CentOS4 and later, Fedora Core 8
and later) or via Yast (OpenSuse 11.1) contain all the required files. To install all Samba files on RHE5,
do the following:

[root@rhe5 ~]# yum install samba* -y

The next task is to verify that your Samba installation has been compiled to support Kerberos, LDAP,
Active Directory, and Winbind. Most likely it has, but you need to make sure. The smbd command
has a switch for printing build information. You will see a lot more lines of output than are shown here:


[root@rhe5 ~]# cd /usr/sbin
root@rhe5:/usr/sbin]# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST
...

root@rhe5:/usr/sbin]# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
...

root@rhe5:/usr/sbin]# smbd -b | grep ADS
WITH_ADS




WITH_ADS


root@rhe5:/usr/sbin]# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIND




Fortunately, in our case all the required support for Kerberos, ADS and Winbind is present. However, if
you are in the unfortunate position of missing any of these, which will be indicated by a blank line, you
need to recompile Samba, or install it for your Linux distribution as indicated above. Also, see Chapter 37
of the Official Samba-3 HOWTO and Reference Guide.
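Rather than eyeballing four separate grep runs, the check above can be scripted. The POSIX shell function below is an added example, not part of the original manual: it reads `smbd -b` output on standard input and reports which of the build options the text requires (LDAP, Kerberos, ADS, Winbind) are absent. The sample output embedded at the bottom is constructed for the stand-alone run and is not real `smbd -b` output.

```shell
#!/bin/sh
# Build options that must appear in "smbd -b" for AD domain membership
# (the four symbols the text greps for).
REQUIRED="HAVE_LDAP HAVE_KRB5 WITH_ADS WITH_WINBIND"

# check_build_options: reads "smbd -b" output on stdin.
# Prints "missing: <symbols>" and returns 1 if any required option is absent,
# otherwise prints a success line and returns 0.
check_build_options() {
    _out=$(cat)
    _missing=""
    for _opt in $REQUIRED; do
        # -x forces a whole-line match (after optional indentation), so that
        # HAVE_LDAP_H or HAVE_KRB5_H cannot be mistaken for HAVE_LDAP / HAVE_KRB5.
        if ! printf '%s\n' "$_out" | grep -qx "[[:space:]]*$_opt[[:space:]]*"; then
            _missing="$_missing $_opt"
        fi
    done
    if [ -n "$_missing" ]; then
        printf 'missing:%s\n' "$_missing"
        return 1
    fi
    printf 'all required build options present\n'
    return 0
}

# Constructed sample of the relevant lines (not captured from a real smbd).
SAMPLE_OK="   HAVE_LDAP_H
   HAVE_LDAP
   HAVE_LDAP_DOMAIN2HOSTLIST
   HAVE_KRB5_H
   HAVE_KRB5
   WITH_ADS
   WITH_WINBIND"

# Stand-alone run on the sample; on a real box use:  smbd -b | check_build_options
printf '%s\n' "$SAMPLE_OK" | check_build_options
```

A non-zero exit status makes the function usable as a gate in a provisioning script before attempting the domain join.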

Configure /etc/hosts

Even if your DNS servers are perfect in every way, it is always a good idea to add important servers to
your local /etc/hosts file. It speeds up lookups and provides a fallback in case the DNS servers go
down:

192.168.83.10                      server02.medtech.com             medtech

You’re done with this section.




Part 2: Install & Configure Kerberos 5

Step 1: Install Kerberos
Our next task is to install Kerberos. As with the Samba installation, you can build Kerberos from source
or install it as an RPM via Yum, Yast, or Apt, depending on your Linux distribution. Here we have used the
CentOS5 RPM via Yum. First verify whether Kerberos is installed:


]# rpm -qa | grep krb                              \\ lists every installed package whose name contains "krb"

[root@rhe5 ~]# rpm -qa | grep krb*
pam_krb5-2.2.14-1.el5_2.1
krb5-devel-1.6.1-25.el5_2.1
krb5-workstation-1.6.1-25.el5_2.1
krb5-server-1.6.1-25.el5_2.1
krb5-libs-1.6.1-25.el5_2.1
krb5-auth-dialog-0.7-1

If not, use Yum to install, as follows:

[root@rhe5 ~]# yum install krb* -y





The next task is to configure and test the Kerberos installation, but first we have to ensure that the
servers’ clocks are 