Using Samba 3 Client Technology and Kerberos for Win2k8 AD-based identity management

					GTS Institute ICT Labs                      Samba 3 Client Technology & Kerberos for Windows AD Integration v1.0




                 Global Technology Solutions Institute
        Systems Integration Hands-on Linux Labs Training Manual

   Using Samba 3 Client Technology and Kerberos for Windows2008
                  AD-based identity management

                                        Kefa Rabah
                             GTS Institute, Vancouver Canada
                           krabah@gtechsi.org                  www.gtechsi.org

Table of Contents                                                                                     Page No.

USING SAMBA 3 CLIENT TECHNOLOGY AND KERBEROS FOR WINDOWS 2008 AD-
BASED IDENTITY MANAGEMENT                                                                                          3

1.0 Introduction                                                                                                   3

Hands-on Lab Sessions                                                                                              4
 1.1 Our Implementation Plan                                                                                       4

Part 1: Clean Install Windows Server 2008 Active Directory DC                                                      5

Part 2: Install and Configure Samba 3 on Linux                                                                     5
  Step 1: Install & Configure Samba 3                                                                              6
    1.1: Install and Check necessary packages                                                                      6

Part 3: Install & Configure Samba 3                                                                                6

Part 4: Install & Configure Kerberos 5                                                                          8
  Step 1: Install Kerberos                                                                                      8
  Step 2: Server Clocks Synchronization                                                                         9
  Step 3: Configure and Test Kerberos                                                                          10

Part 5: Use Winbind Authentication to Setup Samba-Windows Connectivity                                         11
  Step 1: Configure Samba                                                                                      12
  Step 2: Add Users & Machines to Samba Account                                                                15
  Step 3: Add Users Profiles & Netlogon to Samba Account                                                       16
  Step 4: How to Delete Users from Your Samba Domain                                                           17

Part 6: Enabling Winbind on Linux Box                                                                          18
  Step 1: Modify /etc/nsswitch.conf. file                                                                      18
  Step 2: (Re)starting Samba and Winbind                                                                       18

Part 7: Configure Pluggable Authentication Module (PAM)                                                        23

Part 8: Accessing your Client & Server Machines                                                                25
    8.1 Connecting to a Samba Machine in Linux                                                                 26
    8.2 Configuring Windows Machines                                                                           27
  Step 1: Access Shares on the Windows desktop.                                                                28
© April 2007, Kefa Rabah, Global Technology Solutions Institute, Vancouver Canada


www.gtechsi.org                                     ICT202 - Linux Enterprise Infrastructure Engineering Diploma



  Step 2: Mounting shared drives on Windows                                                                   29
  Step 3: Binding to the Domain Controller.                                                                   30
  Step 4: Accessing Windows shares from the Linux node.                                                       30

Part 9: Easier Web Access to Shared Data                                                                      31

Part 10: SSH Support                                                                                          33

Part 11: Hands-on Labs Assignments                                                                            33

Linux Administration Training                                                                                 34




A GTSI Open Access Technical Academic Publications
Delivering Cutting-edge Technology at your Fingertips in the 21st Century




                   Global Technology Solutions Institute
             Systems Integration Hands-on Labs Training Manual

  Using Samba 3 Client Technology and Kerberos for Windows 2008
                  AD-based identity management

By Kefa Rabah, krabah@gtechsi.org                          November 25, 2010                   GTS Institute



1.0 Introduction
A popular thing to do with Samba these days is to join a Samba 3 client to a Windows Server 2008 Active
Directory domain using Kerberos ticketing. Samba is the standard Windows interoperability suite of
programs for Linux/UNIX. Samba is Free Software licensed under the GNU General Public License, and the
Samba project is a member of the Software Freedom Conservancy.

You may freely set up any number of Samba servers in a Windows or Mac OS X network without joining
them to the domain: you can still share files, map drives and provide centralized printer services. The
advantages of domain membership are central management and authentication, and single sign-on (SSO)
identity management across all your network resources. Using Winbind allows Linux clients to log on to
the AD domain without requiring local Linux system accounts, which is a lovely time- and hassle-saver. We
have also joined Mac OS X to the network to achieve a complete integration of the three major operating
systems.

Windows Server® 2008 R2: Microsoft wants administrators of the Windows Server 2008 editions (which
ship in the usual flavors of Standard, Enterprise, Data Center and Itanium-specific code) to think of the
server as playing certain roles. Server roles are aggregated objects that correspond to commonly needed
services, such as print services, file sharing, DNS, DHCP, Active Directory Domain Controller and IIS-
based Web services. Microsoft has defined 18 roles in all.

Windows Server 2008 offers improvements in Web delivery, virtualization, security and management.
It provides increased administration and virtualization options in addition to increased security and
flexibility. New functionality such as Server Core, PowerShell, Windows Deployment Services, Server
Manager and many others provides reasons to consider adopting Windows Server 2008.

Red Hat Enterprise Linux (RHEL) is a Linux distribution produced by Red Hat and targeted toward the
commercial market, including mainframes. Red Hat Enterprise Linux is released in server versions for x86,
x86_64, Itanium, PowerPC and IBM System z, and desktop versions for x86 and x86_64. All of Red Hat's
official support and training, and the Red Hat Certification Program, center on the Red Hat Enterprise
Linux platform.

On one certified platform, Red Hat Enterprise Linux offers your choice of: (i) Applications - thousands of
certified ISV applications; (ii) Deployment - standalone or virtual servers, cloud computing, or software
appliances; (iii) Hardware - a wide range of platforms from the world's leading hardware vendors. This
gives IT departments unprecedented levels of operational flexibility, and it gives ISVs unprecedented
market reach when delivering applications: certify once, deploy anywhere, all while providing world-class
performance, security and stability, and unbeatable value. This is why today Red Hat is the platform of
choice.


Hands-on Lab Sessions
In this hands-on training manual you'll learn how to install Samba 3 on an RHEL5 box and integrate it with
Windows Server 2008 R2 Active Directory for centralized identity management. It's assumed that you
already have a functioning Win2k8 Active Directory DC in place and know how to run it. Windows AD is
very dependent on DNS (domain name system), so I'll assume your DNS house is also in order; if not, check
out the excellent "Install Guide Windows Server 2008 Active Directory DC". It's also assumed that you know
how to install and configure the RHEL5 distro that will host the Samba client. On your Linux box you'll
need Samba 3, version 3.5.6 or newer, plus MIT Kerberos 5, version 1.3.1 or newer, and OpenLDAP. (The
Samba documentation states that Heimdal Kerberos, version 0.6.3 or newer, also works; the examples in
this lab manual use MIT Kerberos.) Debian users need the krb5-user, krb5-config, krb5-doc, and libkrb53
packages. Red Hat and Red Hat family users need the krb5 and krb5-client RPMs.

1.1 Our Implementation Plan
Because of its enhanced integration with Active Directory (AD), I chose to use Winbind on Red Hat
Enterprise Linux 5 (RHEL5) for my Linux-to-Windows Server 2008 R2 Active Directory (AD) integration
project, which is schematically represented in Fig. 1.




  Fig. 1: A Samba, Windows-AD and Mac OS X systems integration network.







Figure 1 shows a simple network consisting of one AD server, one Samba server and a few client
workstations, connected through a router or switch (most home network routers include a switch with at
least four ports). Such a network grows over time, usually by adding more switches, routers and clients,
and additional storage on the server.

The following setup is used:

    192.168.83.6     Server01.rabahtech.com     Win2k8 AD server, hereafter known as "the server"
    192.168.83.10    rhe5.rabahtech.com         Samba 3 "client" machine




Part 1: Clean Install Windows Server 2008 Active Directory DC
1. Do a clean install of the base Windows Server 2008 Enterprise Edition and Windows XP Pro systems, and
   ensure that they are fully updated and patched with hot fixes.

2. Promote the Win2k8 Server Enterprise Edition machine to an Active Directory Domain Controller using the
   "DCPROMO" command, with the following parameters:

    Server name: server01.rabahtech.com
    Domain name: rabahtech.com
    IP address: 192.168.83.6

3. Issue the NSLOOKUP command to test that your server is correctly installed and configured to act as
   the Active Directory DC, as shown in Fig. 1.




                                                                                                     Fig. 1

4. We’re done with this section



Part 2: Install and Configure Samba 3 on Linux

Assumptions:
It's assumed that you have a good understanding of the Linux operating system and its working environment.
It's also assumed that you know how to install and configure Linux CentOS5; if not, pop over to
scribd.com and check out our hands-on manual entitled "Install Configure and Upgrade Linux CentOS5
Server v1.1" to get you started.




Step 1: Install & Configure Samba 3

The Samba system is based on a stock RHEL5 installation with the Samba 3 software added.

The following steps are needed to get the system functioning:

    1.   install and check necessary packages
    2.   configure name resolution using either DNS or a hosts file
    3.   configure samba and winbind
    4.   configure kerberos
    5.   testing Samba and winbind
    6.   good luck



1.1: Install and Check necessary packages
The following packages are required to successfully run all the commands detailed in this guide:

Samba:

    1.   system-config-samba
    2.   samba-common
    3.   samba-client
    4.   samba

Kerberos:

    1.   pam_krb5
    2.   krb5-workstation
    3.   krb5-client
    4.   krb5-libs
    5.   krbafs

You can query your system if these packages are installed by running:
    rpm -q package-name

You‘re done with this section



Part 3: Install & Configure Samba 3

First and foremost check if Samba is installed, as follows:

]# rpm -qa | grep samba              # lists every installed package whose name contains "samba"





[root@rhe5 ~]# rpm -qa | grep samba*
system-config-samba-1.2.39-1.el5
samba-common-3.0.28-1.el5_2.1
samba-swat-3.0.28-1.el5_2.1
samba-3.0.28-1.el5_2.1
samba-client-3.0.28-1.el5_2.1

If you get a blank result, Samba is not installed. The best way to get Samba is to compile it from
source. However, I have found that the RPM packages obtained via Yum (on CentOS4 and later, or Fedora
Core 8 and later) or via Yast (on openSUSE 11.1) contain all the required files. To install all Samba
packages on RHEL5, do the following:

[root@rhe5 ~]# yum install samba* -y

Upgrade Samba 3
First you need to upgrade Samba 3 to at least version 3.0.28a or newer for it to work with Windows Server
2008. To do this, head over to the download page linked here and grab the latest stable version:

[root@rhe5 ~]# rpm -qa | grep samba*
samba3-3.5.6-43.el5
samba3-utils-3.5.6-43.el5
samba3-winbind-3.5.6-43.el5
samba3-client-3.5.6-43.el5

The next task is to verify that your Samba installation has been compiled to support Kerberos, LDAP,
Active Directory, and Winbind. Most likely it has, but you need to make sure. The smbd command
has a switch for printing build information. You will see a lot more lines of output than are shown here:


[root@rhe5 ~]# cd /usr/sbin
root@rhe5:/usr/sbin]# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST
...

root@rhe5:/usr/sbin]# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
...

root@rhe5:/usr/sbin]# smbd -b | grep ADS
WITH_ADS
WITH_ADS





root@rhe5:/usr/sbin]# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIND



Fortunately, in our case all the required support for Kerberos, ADS and Winbind is present. If, however,
any of these is missing (indicated by an empty grep result), you need to recompile Samba or install the
packages for your distribution as described above. Also see Chapter 37 of the Official Samba-3 HOWTO
and Reference Guide.
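As an added example that is not part of the manual, the shell script below automates the build-option check just described: it reads `smbd -b` output and reports any of the four required options that are absent, which is exactly what an empty grep result signals. The sample output it runs against is constructed; on a real box pipe `/usr/sbin/smbd -b` into the function instead.

```shell
#!/bin/sh
# Added example (not from the lab manual): verify that the installed smbd was
# built with the options the manual checks for with `smbd -b | grep ...`.
# Real use:   /usr/sbin/smbd -b | check_build_options
# Here it runs offline against constructed sample output.

# Build options needed for Kerberos, LDAP, Active Directory and Winbind support.
REQUIRED_OPTIONS="HAVE_LDAP HAVE_KRB5 WITH_ADS WITH_WINBIND"

# Reads `smbd -b` output on stdin and prints every required option that is
# absent, one per line. Returns 0 when nothing is missing, 1 otherwise.
check_build_options() {
    build_output=$(cat)
    missing=""
    for opt in $REQUIRED_OPTIONS; do
        # whole-line match, so HAVE_KRB5 is not satisfied by HAVE_KRB5_H
        if ! printf '%s\n' "$build_output" | grep -q -E "^[[:space:]]*${opt}[[:space:]]*$"; then
            missing="$missing $opt"
        fi
    done
    if [ -n "$missing" ]; then
        printf '%s\n' $missing   # unquoted on purpose: one option per line
        return 1
    fi
    return 0
}

# Convenience wrapper: run the check on a string instead of stdin.
missing_for() {
    printf '%s\n' "$1" | check_build_options
}

# Constructed sample: abbreviated output of a build with everything present.
SAMPLE_FULL='Build environment:
   Built by:    root@rhe5
HAVE_LDAP_H
HAVE_LDAP
HAVE_KRB5_H
HAVE_KRB5
WITH_ADS
WITH_WINBIND'

# Constructed sample: a build compiled without ADS and Winbind support.
SAMPLE_MISSING='HAVE_LDAP_H
HAVE_LDAP
HAVE_KRB5_H
HAVE_KRB5'

echo "complete build, missing options: [$(missing_for "$SAMPLE_FULL")]"
echo "partial build, missing options:"
missing_for "$SAMPLE_MISSING" || echo "-> recompile Samba with these options before continuing"
```

The whole-line match matters: a plain `grep KRB` is satisfied by `HAVE_KRB5_H` alone, which only says the header was found, not that Kerberos support was compiled in.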

Configure /etc/hosts

Even if your DNS servers are perfect in every way, it is always a good idea to add important servers to
your local /etc/hosts file. It speeds up lookups and provides a fallback in case the DNS servers go
down:

192.168.83.6                       server01.rabahtech.com           rabahtech

You’re done with this section.




Part 4: Install & Configure Kerberos 5

Step 1: Install Kerberos
Our next task is to install Kerberos. As with the Samba installation, you can build Kerberos from source
or install it as RPMs via Yum, Yast or Apt, depending on your distribution. Here we used the CentOS5
RPMs via Yum. First verify whether Kerberos is installed:


]# rpm -qa | grep krb                # lists every installed package whose name contains "krb"

[root@rhe5 ~]# rpm -qa | grep krb*
pam_krb5-2.2.14-1.el5_2.1
krb5-devel-1.6.1-25.el5_2.1
krb5-workstation-1.6.1-25.el5_2.1
krb5-server-1.6.1-25.el5_2.1
krb5-libs-1.6.1-25.el5_2.1
krb5-auth-dialog-0.7-1

If not, use Yum to install, as follows:

[root@rhe5 ~]# yum install krb* -y

The next task is to configure and test the Kerberos installation, but first we have to ensure that the
servers’ clocks are synchronized.





You’re done with this section.


Step 2: Server Clocks Synchronization
Before joining your Linux box to the AD domain, check that the two machines' clocks are synchronized,
as follows:

1. On the Win2k8 DC, set NET TIME so that the domain controller is used to synchronize the network clock:


2. On the Linux Samba server, click System > Administration > Date & Time, then click the Network Time
   Protocol tab and check "Enable Network Time Protocol".

3. Click the button to add a server, enter our AD domain hostname "server01.rabahtech.com", and click OK
   to close the Date/Time Properties dialog box.

4. Next, update NTP and synchronize the server clocks:

    ]# ntpdate -u <server IP address>        # or: sntp -r <server IP address>

    Note: Kerberos is very finicky if the time difference is more than 5 minutes. A simple test in our
    case gave:

    ]# ntpdate -u 192.168.83.6
    25 Nov 17:29:36 ntpdate[3691]: step time server 192.168.83.6 offset 1.185447 sec

    This first run had to step the clock by more than a second, a poor offset, so repeat the same command:

    ]# ntpdate -u 192.168.83.6
    25 Nov 17:30:04 ntpdate[4269]: adjust time server 192.168.83.6 offset 0.002115 sec

We're now OK and good to go!
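As an added example that is not part of the manual, the shell functions below pull the offset out of an ntpdate status line and compare it with the 300-second clock-skew tolerance Kerberos is configured with later in this lab, so the check can be scripted before kinit instead of being eyeballed. The three ntpdate lines it runs on are constructed (the first two repeat the values seen above, the third is a deliberately bad clock); the function names and the limit variable are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the manual): parse the offset printed by
# `ntpdate -u` and decide whether it is inside the Kerberos clock-skew
# tolerance before attempting kinit. 300 s is the clockskew value used in
# this lab's krb5.conf.
# Real use:  clock_check "$(ntpdate -u 192.168.83.6 2>&1 | tail -n 1)"

KRB5_CLOCKSKEW=300   # seconds; keep equal to clockskew in /etc/krb5.conf

# Prints the signed offset (seconds) found after the word "offset" in an
# ntpdate status line; prints nothing if the line carries no offset.
ntp_offset_seconds() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "offset") { print $(i + 1); exit }
    }'
}

# Returns 0 when |offset| is strictly below the skew limit, 1 otherwise.
within_kerberos_skew() {
    awk -v o="$1" -v l="${2:-$KRB5_CLOCKSKEW}" 'BEGIN {
        if (o < 0) o = -o
        if (o < l) exit 0
        exit 1
    }'
}

# Verdict for one ntpdate line. Exit status: 0 safe, 1 too skewed, 2 unparsable.
clock_check() {
    off=$(ntp_offset_seconds "$1")
    if [ -z "$off" ]; then
        echo "no offset found in: $1"
        return 2
    fi
    if within_kerberos_skew "$off"; then
        echo "offset ${off}s is within ${KRB5_CLOCKSKEW}s: the KDC will accept this clock"
        return 0
    fi
    echo "offset ${off}s exceeds ${KRB5_CLOCKSKEW}s: fix NTP before running kinit"
    return 1
}

# Constructed samples: the two lines the lab's run produced, plus one with a
# clock far enough off for the KDC to reject tickets.
STEP_LINE='25 Nov 17:29:36 ntpdate[3691]: step time server 192.168.83.6 offset 1.185447 sec'
ADJUST_LINE='25 Nov 17:30:04 ntpdate[4269]: adjust time server 192.168.83.6 offset 0.002115 sec'
SKEWED_LINE='25 Nov 17:31:10 ntpdate[4301]: step time server 192.168.83.6 offset -412.503117 sec'

for line in "$STEP_LINE" "$ADJUST_LINE" "$SKEWED_LINE"; do
    clock_check "$line" || true
done
```

The sign of the offset does not matter to the KDC, only its magnitude, which is why the check takes the absolute value; a clock that is five minutes ahead is rejected just as one five minutes behind.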





Step 3: Configure and Test Kerberos
1. Let's say our Active Directory domain server is "server01.rabahtech.com" and the Samba
   server is named rhe5. This is the absolute minimum Kerberos configuration file,
   "/etc/krb5.conf", for connecting to this domain, as shown in Listing 1:

    Listing 1: krb5.conf code
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = RABAHTECH.COM
     clockskew = 300
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     RABAHTECH.COM = {
      kdc = server01.rabahtech.com
      admin_server = server01.rabahtech.com
     }

    # the section name is domain_realm (singular); a misspelled header is ignored
    [domain_realm]
     rabahtech.com = RABAHTECH.COM
     .rabahtech.com = RABAHTECH.COM

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }

2. Very important: Kerberos realm names are case-sensitive, so use uppercase exactly where shown. Now
    request a ticket, minding your case:

    ]# kinit Administrator@RABAHTECH.COM
    Password for Administrator@RABAHTECH.COM:

3. Now test to see if your krb5 infrastructure is working and able to provide the key exchange and
    authentication. To do this, use klist command:



    [root@rhe5 ~]# klist




    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrator@RABAHTECH.COM

    Valid starting     Expires            Service principal
    11/25/10 17:36:52 11/26/10 03:37:00 krbtgt/RABAHTECH.COM@RABAHTECH.COM
            renew until 10/04/09 10:14:17

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

    Note: To destroy the krb ticket, use kdestroy command, followed by klist command to verify that
    indeed the ticket has been destroyed.

4. Occasionally, you will be required to renew your Network Authentication Ticket if it expires, as shown
   in the Fig. 2:




                                                                                    Fig. 2


5. You’re done with this section.
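As an added example (not code from the manual), the script below lints a krb5.conf for the mistakes that most often make kinit or the later AD join fail: a default realm that is not uppercase, no [realms] block for that realm, a missing or misspelled [domain_realm] header (an unrecognised section is silently ignored, so its host-to-realm mappings never load), and a clockskew above the 300 seconds this lab relies on. Both configurations it checks are constructed samples: the first follows the shape of Listing 1, the second deliberately contains three mistakes. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the manual): lint a krb5.conf for mistakes that stop
# an AD client from obtaining tickets.  Real use:  krb5_conf_lint < /etc/krb5.conf

# Flatten krb5.conf (stdin) into "section<TAB>key<TAB>value" records plus a
# "section<TAB>name" record for every [header] encountered.
krb5_conf_table() {
    awk '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*/, "", s)
                      sect = s; print "section\t" s "\t"; next }
        /=/ { k = $0; sub(/=.*/, "", k); sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
              v = $0; sub(/^[^=]*=/, "", v); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
              print sect "\t" k "\t" v }'
}

# Value of key $2 in section $1 of the flattened table in $TABLE (empty if absent).
lookup() {
    printf '%s\n' "$TABLE" | awk -F'\t' -v s="$1" -v k="$2" '$1 == s && $2 == k { print $3; exit }'
}

# Succeeds when a [$1] section header exists in $TABLE.
has_section() {
    printf '%s\n' "$TABLE" | awk -F'\t' -v s="$1" '$1 == "section" && $2 == s { f = 1 } END { exit (f ? 0 : 1) }'
}

problem() { echo "$1"; LINT_PROBLEMS=$((LINT_PROBLEMS + 1)); }

# Reads krb5.conf on stdin, prints one problem per line, returns 0 only if clean.
krb5_conf_lint() {
    TABLE=$(krb5_conf_table)
    LINT_PROBLEMS=0
    realm=$(lookup libdefaults default_realm)
    if [ -z "$realm" ]; then
        problem "no default_realm in [libdefaults]"
    elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        problem "default_realm '$realm' is not uppercase; Kerberos realm names are case-sensitive"
    elif [ "$(lookup realms "$realm")" != "{" ]; then
        problem "no [realms] block for $realm, so no KDC is defined for it"
    fi
    if ! has_section domain_realm; then
        if has_section domain_realms; then
            problem "section header [domain_realms] is misspelled; the library looks for [domain_realm]"
        else
            problem "no [domain_realm] section mapping hostnames to the realm"
        fi
    fi
    skew=$(lookup libdefaults clockskew)
    if [ -n "$skew" ] && [ "$skew" -gt 300 ] 2>/dev/null; then
        problem "clockskew $skew exceeds the 300 s tolerance this lab relies on"
    fi
    [ "$LINT_PROBLEMS" -eq 0 ]
}

# Constructed sample in the shape of the lab's krb5.conf (should lint clean).
sample_good() {
cat <<'EOF'
[libdefaults]
 default_realm = RABAHTECH.COM
 clockskew = 300
[realms]
 RABAHTECH.COM = {
  kdc = server01.rabahtech.com
 }
[domain_realm]
 .rabahtech.com = RABAHTECH.COM
EOF
}

# Constructed sample with three deliberate mistakes: lowercase realm,
# misspelled [domain_realms] header, oversized clockskew.
sample_bad() {
cat <<'EOF'
[libdefaults]
 default_realm = rabahtech.com
 clockskew = 900
[realms]
 RABAHTECH.COM = {
  kdc = server01.rabahtech.com
 }
[domain_realms]
 .rabahtech.com = RABAHTECH.COM
EOF
}

echo "good sample:"; sample_good | krb5_conf_lint && echo "  no problems found"
echo "bad sample:";  sample_bad  | krb5_conf_lint || echo "  fix these before running kinit"
```

Run it against the real file with `krb5_conf_lint < /etc/krb5.conf` before the kinit step; a lowercase realm in particular fails with a "Cannot find KDC" style error that looks like a network problem rather than a typo.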



Part 5: Use Winbind Authentication to Setup Samba-Windows Connectivity
The easiest way to connect Samba to a Windows system is via Winbind. To achieve this, perform the
following procedure:

1. Click System > Administration > Authentication, and then under the User Information tab, check
   Enable Winbind Support (a). Click the Configure Winbind button to open the Winbind Settings dialog
   box (b); see Fig. 3.

2. In the Winbind Settings dialog box (b), complete the settings as shown and click OK.








Fig. 3


3. Next, let's test whether we managed to connect to the Windows AD domain. To do this, issue the
   following command:

    ]# net ads info
    LDAP server: 192.168.83.6
    LDAP server name: server01.rabahtech.com
    Realm: RABAHTECH.COM
    Bind Path: dc=RABAHTECH,dc=COM
    LDAP port: 389
    Server time: Thu, 25 Nov 2010 17:43:17 PST
    KDC server: 192.168.83.6
    Server time offset: 0

4. Success! We can connect to our AD domain and pull some information about the server. The next
   step is to clean-up and configure Samba to suit our requirements.

5. You’re done with this section.



Step 1: Configure Samba
1. In this section we edit the smb.conf file to meet our basic Samba-AD authentication requirements. In this
   example the "/etc/samba/smb.conf" file shows our basic setup for a print server and home
   shares. Shares are configured in the usual manner; only the global section changes when you join
   an AD domain.





    Listing 2: “smb.conf” code
    # Global parameters
    [global]
            workgroup = RABAHTECH
            realm = RABAHTECH.COM
            security = ADS
            password server = server01.rabahtech.com
            username map = /etc/samba/smbusers
            log file = /var/log/samba/%m.log
            max log size = 0
            printcap name = cups
            addprinter command = /usr/bin/addprint
            add user script = /usr/sbin/useradd -m %u
            delete user script = /usr/sbin/userdel -r %u
            add group script = /usr/sbin/groupadd %g
            delete group script = /usr/sbin/groupdel %g
            add user to group script = /usr/sbin/groupmod -A %u %g
            delete user from group script = /usr/sbin/groupmod -R 
				