mostly the Samba.org topics... Jura's blog...

Wednesday Apr 16, 2008

I was playing with the Samba configuration to pin down the minimum set of setup steps really needed to start Samba as a domain member server in an Active Directory domain. I was motivated by the users sending me support requests about configurations that are not working, where I want to show that this task is really simple (if there are no "space research" expectations :-) )

The following steps let Samba join the AD domain named SMBSETUP successfully:

  • The box running Samba should be properly added into the DNS, so /etc/resolv.conf should be created and /etc/inet/hosts should contain the FQDN; then "dns" should be added as one of the sources of the "hosts" and "ipnodes" tables in /etc/nsswitch.conf
  • /etc/krb5/krb5.conf should be edited to point to the realm and KDC, so it should contain at least the following items.
    [libdefaults]
     default_realm = SMBSETUP.CZECH.SUN.COM
     default_keytab_name = FILE:/etc/krb5.keytab
    
    [realms]
     SMBSETUP.CZECH.SUN.COM = {
      kdc = adsdc.smbsetup.czech.sun.com
      admin_server = adsdc.smbsetup.czech.sun.com
     }
     MOUREK.CZECH.SUN.COM = {
      kdc = sunprg6.mourek.czech.sun.com
      admin_server = sunprg6.mourek.czech.sun.com
     }
    
    [domain_realm]
     smbsetup.czech.sun.com = SMBSETUP.CZECH.SUN.COM
     mourek.czech.sun.com = MOUREK.CZECH.SUN.COM
    
       

...then on the W2k3 side the following should be done:
  • create a user whose login is the same as the hostname of the Samba box and assign him a password
  • running ktpass from the "Windows Support Tools", create the key (derived from the user's password) for the Samba box

...then continue on the Samba box again:
  • transfer this key to the Samba box in a secure way
  • install the key from the file into /etc/krb5/krb5.keytab using ktutil
  • ensure the "samba", "winbind", "wins" and "swat" services are disabled and none of the "smbd", "winbindd", "nmbd" daemons is running
  • ensure all Samba private data from previous trials in /etc/sfw/private and /var/samba/locks/* are cleaned out, or save the old "idmap" info if you need to continue with the previous Samba setup where the tdb backend of the idmap was used to store the idmap mappings.
  • create /etc/sfw/smb.conf properly. This step depends on the configuration used. Simple examples are below.
  • join the AD domain using the command:
     /usr/sfw/sbin/net ads join -U 'Administrator%passwd'
       
  • enable the "winbind" service
     svcadm enable winbind
       
  • test if the domain users are known using the /usr/sfw/bin/wbinfo utility
     /usr/sfw/bin/wbinfo -u
       
  • enable the "samba" and "wins" services
     svcadm enable wins samba
       

smb.conf configuring the idmap backend that uses the RID (part of the SID) to map the SID to a POSIX uid/gid.
This simple idmap backend ensures the mapping will be the same on several Samba servers running in the same domain on the network, so it can be used for clustering of Samba services where a shared volume is served by several Samba servers ...for instance using NFSv4 or SAM-QFS.
The second Windows domain MOUREK is also configured in this example. An interdomain (cross-realm) trust should be set up between the SMBSETUP and MOUREK domains on the DCs, and both realms should be configured in /etc/krb5/krb5.conf .
The [public] share in this configuration shares a ZFS volume, so the appropriate VFS module should be set to handle the ACLs correctly.

[global]
   security = ads
   auth methods = winbind guest sam
   realm = SMBSETUP.CZECH.SUN.COM
   workgroup = SMBSETUP
   use kerberos keytab = true
   winbind refresh tickets = true
   server string = Samba 3.0.28 ADS

# winbind configuration: 

#  winbind separator is default set to '\' - so it is fine

   winbind normalize names = no
   winbind use default domain = no
   winbind enum users = no
   winbind enum groups = no
   winbind nss info = template
   template homedir = /samba/home/%D/%U
   template shell = /bin/true

   idmap domains = SMBSETUP MOUREK

   idmap config SMBSETUP:backend = rid
   idmap config SMBSETUP:base_rid  = 500
   idmap config SMBSETUP:range = 10000 - 29999

   idmap config MOUREK:backend = rid
   idmap config MOUREK:base_rid  = 500
   idmap config MOUREK:range = 30000 - 49999

   invalid users = root bin daemon lp sys tty

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/samba/log/log.%m
   log level = 3 printdrivers: 0 lanman: 0 smb: 1 rpc_parse: 0 rpc_srv: 0 rpc_cli: 0 passdb: 1 sam: 0 auth: 5 \
   winbind: 5 vfs: 0 idmap: 0 quota: 0 acls: 0 locking: 0 msdfs: 0 dmapi: 0
# Put a capping on the size of the log files (in Kb).
   max log size = 1024

# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
;   socket options = TCP_NODELAY 


#============================ Share Definitions ==============================

;[homes]
;   path = /samba/home/%D/%U
;   read only = no

[printers]
  printable = no

[public]
   path = /samba/public
   comment = Public data directory
   read only = no
   browseable = yes
   dos filemode = yes
   inherit permissions = Yes
   inherit acls = Yes
   ea support = yes
   map acl inherit = yes
   store dos attributes = yes
   vfs objects = zfsacl
   nfs4: mode = simple
   nfs4: acedup = merge
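The claim above that the rid backend gives the same uid/gid on every server follows from its arithmetic: the id is computed from the RID and the per-domain range, with no local state. The following added example (not part of this post or of Samba) works that arithmetic through for the two idmap stanzas above, id = rid - base_rid + range low, with a range check on the result; the two domain SIDs are constructed sample values.

```python
# Added example: the uid/gid arithmetic behind "idmap config <DOMAIN>:backend = rid"
# for the SMBSETUP and MOUREK stanzas in the smb.conf above.
import re

# (domain SID, base_rid, range low, range high) per "idmap config" stanza.
# The domain SIDs are constructed for this example; a real box reports its own
# via "wbinfo --domain-info <domain>" or "net getdomainsid".
IDMAP = {
    "SMBSETUP": ("S-1-5-21-1111111111-2222222222-3333333333", 500, 10000, 29999),
    "MOUREK":   ("S-1-5-21-4444444444-5555555555-6666666666", 500, 30000, 49999),
}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def sid_to_id(sid):
    """Map a domain SID to a POSIX id the way the rid backend does:
    id = rid - base_rid + range_low.  Returns (domain, id), or None when the
    SID belongs to no configured domain or the result is outside the range."""
    m = SID_RE.match(sid)
    if not m:
        return None
    dom_sid, rid = m.group(1), int(m.group(2))
    for domain, (cfg_sid, base_rid, low, high) in IDMAP.items():
        if cfg_sid != dom_sid:
            continue
        if rid < base_rid:
            return None      # RIDs below base_rid (well-known accounts) are not mapped
        xid = rid - base_rid + low
        if xid > high:
            return None      # out of range: winbind refuses the mapping
        return domain, xid
    return None              # SID from a domain without an idmap stanza

def id_to_sid(xid):
    """Reverse mapping: pick the domain whose range contains xid and undo
    the offset.  Works because the two ranges do not overlap."""
    for domain, (dom_sid, base_rid, low, high) in IDMAP.items():
        if low <= xid <= high:
            return "%s-%d" % (dom_sid, xid - low + base_rid)
    return None
```

Note that RID 20500 in SMBSETUP would compute to 30000, which is MOUREK's first id; the range check rejects it, which is why the per-domain ranges must not overlap.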

   

idmap part of the Samba configuration altered for use of SFU (MS Services for UNIX) ...requires a Windows 2003 R2 server, where the POSIX identities can be set directly as the user's attributes
 ...
#  winbind configuration: 

   winbind nested groups = yes
;  winbind normalize names = yes
;  winbind use default domain = yes
;  winbind enum users = yes
;  winbind enum groups = yes
   winbind nss info = sfu

   idmap domains = SMBSETUP

   idmap config SMBSETUP:backend = ad
   idmap config SMBSETUP:default = yes
   idmap config SMBSETUP:range = 500 - 100000
   idmap config SMBSETUP:schema_mode = sfu
 ...
   

tdb backend using tdb files (trivial databases) to store the idmap mappings. These are stored locally, so with this backend the mappings are not guaranteed to be consistent across 2 different Samba nodes, because winbind does this mapping on demand. Also, losing the local tdb files makes the ACL info on the shares outdated and unusable. This backend was the default (and the only possible one) in pre-3.0.25 releases of Samba.
 ...
# winbind configuration: 

;  winbind enum users = yes
   template homedir = /samba/pchome/%D/%U

   idmap domains = SMBSETUP
   idmap config SMBSETUP:default = yes
   idmap config SMBSETUP:backend = tdb
   idmap config SMBSETUP:range = 10000-20000

   idmap alloc backend = tdb
   idmap alloc config:range = 10000-20000
 ...
   

Saturday Sep 01, 2007

This is not "rocket science", but I am using this guide to set up a Samba server in the lab to serve as a CIFS volume server authenticating users against the ADS Domain Controller.

Prerequisites

  • the ADS domain has a name derived from its DNS domain name, i.e. smbsetup.czech.sun.com
  • the name of the ADS Kerberos realm is the same as the DNS domain name (written in capitals), i.e. SMBSETUP.CZECH.SUN.COM

Steps to setup:

  • Prepare the S10 box with naming services set to DNS, where the nameserver is the AD server and the domain is the AD domain:
    • upgrade to Solaris 10 update 8/07 and apply all patches above 119757-08 (sparc) / 119758-08 (i386), or install OpenSolaris based on Nevada build ≥ 72
    • /etc/nsswitch.conf should contain:
       ...
       hosts: files dns
       ipnodes: files dns
       ...
      
      because ADS uses DNS for hostname resolution.
    • /etc/resolv.conf should also have the search aliases set, because the machines are resolved using their short names, i.e.:
      domain smbsetup.czech.sun.com
      nameserver 172.16.111.65
      search smbsetup.czech.sun.com
      
    • /etc/hosts should contain the full canonical name of the box and also its short name:
      127.0.0.1       localhost
      172.16.111.13   s10-pc.smbsetup.czech.sun.com   s10-pc  loghost
      
      
    • here you should start the dns/client service (svcadm enable dns/client) ...and most probably reboot. All the steps above can also be performed as the DNS naming setup after sys-unconfig. The Kerberos v5 settings can also be performed (partially) in the system setup on the first boot after sys-unconfig.
    • Info about the realms, KDCs and DNS domain must be set in /etc/krb5/krb5.conf
      
      [libdefaults]
       default_realm = SMBSETUP.CZECH.SUN.COM
      
      [realms]
       SMBSETUP.CZECH.SUN.COM = {
        kdc = adsdc.smbsetup.czech.sun.com
        admin_server = adsdc.smbsetup.czech.sun.com
       }
      
      [domain_realm]
       smbsetup.czech.sun.com = SMBSETUP.CZECH.SUN.COM
      

  • Set up the DC to accept this node:
    • in "Active Directory Users and Computers" add a user account with the same name as the computer's hostname as the user's "Full Name", set the password and check the "Password Never Expires" flag. The user name must be the same as the user's login and the hostname of the node.
    • in "dnsmgmt" create a new DNS A record with the hostname and IP of this box, i.e. "s10-pc" and "172.16.111.13". Also check the "Create also the PTR record" option for reverse (IP to hostname) resolution.
    • create the key for the computer, mapped to the user of the same name as the computer, using the command line (cmd.exe) utility:
      ktpass -princ HOST/s10-pc@SMBSETUP.CZECH.SUN.COM -mapuser s10-pc -pass p@sswd -out s10-pc.keytab
      please note the "ktpass" utility is part of the "Windows Support Tools", which are not part of the default W2k3 server installation and have to be installed manually from the W2k3 server installation CD
    • transport the created file containing the machine keys to the S10 machine. Do this transport in a secure way, because the keys are very sensitive information. Please do not use /usr/sfw/bin/smbclient -U Administrator '\\ADSserver\cifs_share' because CIFS is not a secure protocol at this point. :-)
  • Joining the S10 box to the domain
    • install the keys by running ktutil and issuing the following "ktutil" subcommands:
      • rkt s10-pc.keytab : read the keys from the s10-pc.keytab file
      • list : list the keys read from the file
      • wkt /etc/krb5/krb5.keytab : write the keys into the system keytab
      • '^D' : quit "ktutil"
    • remove the original s10-pc.keytab file and make /etc/krb5/krb5.keytab unreadable for non-root users, to prevent compromise of the machine
    • synchronize the system time of the Samba CIFS server with the "time of the domain" using the ntpdate adsdc command, which does NTP (Network Time Protocol) time synchronization against the domain controller.
    • initialize the keys to be used by the Kerberos services: kinit s10-pc@SMBSETUP.CZECH.SUN.COM ...using the password of the user to which the box was mapped
    • test that everything passed by listing the TGT (Ticket Granting Ticket) with the klist command
    • by issuing the command svcs samba swat wins winbind check that all of the Samba services are "disabled"
    • remove all previous Samba "garbage" in the /etc/sfw/private/, /var/samba/locks/ and /var/samba/logs/ directories
    • create /etc/sfw/smb.conf, i.e. using this template:
      [global]
      
         realm = SMBSETUP.CZECH.SUN.COM
         workgroup = SMBSETUP
         security = ADS
         use kerberos keytab = true
         ;password server = adsdc.smbsetup.czech.sun.com
         encrypt passwords = yes
         server string = Samba 3.0.x ADS
      
      
      # winbind configuration: 
      
         winbind separator = +
         ; winbind enum users = yes
         template homedir = /samba/pchome/%D/%U
      
         idmap domains = SMBSETUP
         idmap config SMBSETUP:default = yes
         idmap config SMBSETUP:backend = tdb
         idmap config SMBSETUP:range = 10000-20000
      
         idmap alloc backend = tdb
         idmap alloc config:range = 10000-20000
      
      # this tells Samba to use a separate log file for each machine
      # that connects
         log file = /var/samba/log/log.%m
         ;log level = 1 printdrivers: 0 lanman: 0 smb: 1 rpc_parse: 0 rpc_srv: 0 rpc_cli: 0 passdb: 1 sam: 0 auth: 7 winbind: 2 vfs: 0 idmap: 0 quota: 0 acls: 0 locking: 0 msdfs: 0 dmapi: 0
         log level = 10
      # Put a capping on the size of the log files (in Kb).
         max log size = 1024
      
      # Most people will find that this option gives better performance.
      # See the chapter 'Samba performance issues' in the Samba HOWTO Collection
      # and the manual pages for details.
      ;   socket options = TCP_NODELAY 
      
      
      #============================ Share Definitions ==============================
      
      [public]
         path = /samba/public
         comment = Public data directory
         read only = no
         browseable = yes
         user = @"SMBSETUP+domain users"
         vfs objects = zfsacl
         nfs4: mode = special
      
      
      ;[pub]
      ;   path = /sambaufs/public
      ;   comment = Pub
      ;   read only = no
      ;   browseable = yes
      ;   user = @"SMBSETUP+domain users"
      
      [printers]
        printable = no
      
    • change /etc/pam.conf to the contents of /etc/pam.conf-winbind
    • modify /etc/nsswitch.conf so that user/group lookups go to the winbind table:
       ...
       passwd: files winbind
       group: files winbind
       ...
      
    • ensure the Samba volume directories ("/samba/public" in this example) exist and have the appropriate access rights (0777 for instance :-) )
    • join the domain: /usr/sfw/sbin/net ads join -U 'Administrator%p@sswd'
    • create the keytab: /usr/sfw/sbin/net ads keytab create -U 'Administrator%p@sswd'
    • start the "winbind" service by issuing the svcadm enable winbind command
    • check that winbind is able to obtain the user/group info from the DC: /usr/sfw/bin/wbinfo -u for users or /usr/sfw/bin/wbinfo -g for groups
    • check with getent passwd that the Windows domain users are mapped to POSIX users, if the "winbind enum users" option in /etc/sfw/smb.conf is set to "yes" ...do not do it in the case of domains having thousands of users ...it can harm the CIFS server's performance
    • also enable the other Samba services, svcadm enable samba wins, to allow domain clients to start establishing CIFS sessions