mostly the Samba.org topics... Jura's blog...

Saturday Sep 01, 2007

This is not "rocket technology", but I am using this guide to set up a Samba server in the lab that serves as a CIFS volume server authenticating users against the ADS domain controller.

Prerequisites

  • The ADS domain name is derived from its DNS domain name, e.g. smbsetup.czech.sun.com
  • The name of the ADS Kerberos realm is the DNS domain name written in capitals, e.g. SMBSETUP.CZECH.SUN.COM

Steps to set up:

  • Prepare the S10 box with its naming service set to DNS, where the nameserver is the AD server and the domain is the AD domain:
    • upgrade to Solaris 10 update 8/07 and apply all patches above 119757-08 (sparc) / 119758-08 (i386), or install OpenSolaris based on Nevada build ≥ 72
    • ADS uses DNS for hostname resolution, so /etc/nsswitch.conf should contain:
       ...
       hosts: files dns
       ipnodes: files dns
       ...
      
    • /etc/resolv.conf should also have the search domain set, because the machines are resolved by their short names, e.g.:
      domain smbsetup.czech.sun.com
      nameserver 172.16.111.65
      search smbsetup.czech.sun.com
      
    • /etc/hosts should contain the full canonical name of the box as well as its short name:
      127.0.0.1       localhost
      172.16.111.13   s10-pc.smbsetup.czech.sun.com   s10-pc  loghost
      
      
    • now start the dns/client service (svcadm enable dns/client) ...and most probably reboot. All of the steps above can also be performed as the DNS naming setup after sys-unconfig. The Kerberos v5 settings can also be (partially) performed in the system setup at the first boot after sys-unconfig.
    • Information about the realm, KDCs and DNS domain must be set in /etc/krb5/krb5.conf:
      
      [libdefaults]
       default_realm = SMBSETUP.CZECH.SUN.COM
      
      [realms]
       SMBSETUP.CZECH.SUN.COM = {
        kdc = adsdc.smbsetup.czech.sun.com
        admin_server = adsdc.smbsetup.czech.sun.com
       }
      
      [domain_realm]
       smbsetup.czech.sun.com = SMBSETUP.CZECH.SUN.COM
      

  • Set up the DC to accept this node:
    • in "Active Directory Users and Computers" add a user account whose "Full Name" is the same as the computer's hostname, set its password and check the "Password Never Expire" flag. The user name must be the same as the user's login and the hostname of the node.
    • in "dnsmgmt" create a new DNS A record with the hostname and IP of this box, e.g. "s10-pc" and "172.16.111.13". Also check the "Create also the PTR record" box for reverse (IP to hostname) resolution.
    • create the key for the computer, mapped to the user of the same name as the computer, with the command-line (cmd.exe) utility
      ktpass -princ HOST/s10-pc@SMBSETUP.CZECH.SUN.COM -mapuser s10-pc -pass p@sswd -out s10-pc.keytab
      please note that the "ktpass" utility is part of the "Windows Support Tools", which are not part of the default W2k3 server installation and have to be installed manually from the W2k3 server installation CD
    • transport the created file containing the machine keys to the S10 machine. Do this transport in a secure way, because the keys are very sensitive information. Please do not use /usr/sfw/bin/smbclient -U Administrator '\\ADSserver\cifs_share' for this, because CIFS is not a secure protocol at this point.
  • Join the S10 box to the domain:
    • install the keys by running ktutil and issuing the following "ktutil" subcommands:
      • rkt s10-pc.keytab (reads the keys from the s10-pc.keytab file)
      • list (lists the keys read from the file)
      • wkt /etc/krb5/krb5.keytab (writes the keys into the system keytab)
      • ^D (Ctrl-D) to quit "ktutil"
    • remove the original s10-pc.keytab file and make /etc/krb5/krb5.keytab unreadable for non-root users, to prevent the machine from being compromised
    • synchronize the system time of the Samba CIFS server with the "time of the domain" using ntpdate adsdc, which does an NTP (Network Time Protocol) time synchronization against the domain controller. Kerberos rejects requests whose clock skew exceeds the permitted limit (five minutes by default), so this step is not optional.
    • initialize the keys used by the Kerberos services: kinit s10-pc@SMBSETUP.CZECH.SUN.COM ...using the password of the user to which the box was mapped
    • test that everything passed by listing the TGT (ticket-granting ticket) with the klist command
    • by issuing svcs samba swat wins winbind, check that all of the Samba services are "disabled"
    • remove all previous Samba "garbage" in the /etc/sfw/private/, /var/samba/locks/ and /var/samba/logs/ directories
    • create /etc/sfw/smb.conf, e.g. using this template:
      [global]
      
         realm = SMBSETUP.CZECH.SUN.COM
         workgroup = SMBSETUP
         security = ADS
         use kerberos keytab = true
         ;password server = adsdc.smbsetup.czech.sun.com
         encrypt passwords = yes
         server string = Samba 3.0.x ADS
      
      
      # winbind configuration: 
      
         winbind separator = +
         ; winbind enum users = yes
         template homedir = /samba/pchome/%D/%U
      
         idmap domains = SMBSETUP
         idmap config SMBSETUP:default = yes
         idmap config SMBSETUP:backend = tdb
         idmap config SMBSETUP:range = 10000-20000
      
         idmap alloc backend = tdb
         idmap alloc config:range = 10000-20000
      
      # this tells Samba to use a separate log file for each machine
      # that connects
         log file = /var/samba/log/log.%m
         ;log level = 1 printdrivers: 0 lanman: 0 smb: 1 rpc_parse: 0 rpc_srv: 0 rpc_cli: 0 passdb: 1 sam: 0 auth: 7 winbind: 2 vfs: 0 idmap: 0 quota: 0 acls: 0 locking: 0 msdfs: 0 dmapi: 0
         log level = 10
      # Put a capping on the size of the log files (in Kb).
         max log size = 1024
      
      # Most people will find that this option gives better performance.
      # See the chapter 'Samba performance issues' in the Samba HOWTO Collection
      # and the manual pages for details.
      ;   socket options = TCP_NODELAY 
      
      
      #============================ Share Definitions ==============================
      
      [public]
         path = /samba/public
         comment = Public data directory
         read only = no
         browseable = yes
         user = @"SMBSETUP+domain users"
         vfs objects = zfsacl
         nfs4: mode = special
      
      
      ;[pub]
      ;   path = /sambaufs/public
      ;   comment = Pub
      ;   read only = no
      ;   browseable = yes
      ;   user = @"SMBSETUP+domain users"
      
      [printers]
        printable = no
      
    • change /etc/pam.conf to the contents of /etc/pam.conf-winbind
    • modify /etc/nsswitch.conf so that user/group lookups go through winbind:
       ...
       passwd: files winbind
       group: files winbind
       ...
      
    • make sure the Samba volume directories ("/samba/public" in this example) exist and have the appropriate access rights (0777 for instance)
    • join the domain: /usr/sfw/sbin/net ads join -U 'Administrator%p@sswd'
    • create the keytab: /usr/sfw/sbin/net ads keytab create -U 'Administrator%p@sswd'
    • start the "winbind" service by issuing svcadm enable winbind
    • check that winbind is able to obtain the user/group info from the DC: /usr/sfw/bin/wbinfo -u for users, /usr/sfw/bin/wbinfo -g for groups
    • check with getent passwd that the Windows domain users are mapped to POSIX users, if the "winbind enum users" option in /etc/sfw/smb.conf is set to "yes". Do not do this in domains with thousands of users, as it can harm the CIFS server's performance.
    • enable the other Samba services too, svcadm enable samba wins, to allow domain clients to start establishing CIFS sessions
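As an added pre-flight check (my own script, not part of the original post or of Samba), here is a POSIX sh script that reads the files configured in the steps above (resolv.conf, nsswitch.conf, /etc/hosts, krb5.conf, the smb.conf template) plus the installed krb5.keytab and reports the mismatches that most often make "net ads join" or winbind fail: a default_realm that is not the upper-cased DNS domain, a missing search domain, hosts lookups without dns, "security" not set to ADS, a malformed idmap range, and a keytab still readable by non-root users. It never contacts the DC. The function names (preflight, check_naming, conf_value, ...) and the ROOT/HOST arguments are my own; the hostnames, realm and paths in the comments are the lab values from the guide.

```shell
#!/bin/sh
# Pre-flight check for the Solaris 10 / Samba ADS member setup (added example).
# usage: sh preflight.sh ROOT HOST   e.g.  sh preflight.sh / s10-pc
# ROOT is a prefix for the file paths (/ on the real box, a scratch copy for
# testing); HOST is the short hostname.  Exit status = number of failures.

FAILS=0
fail() { echo "FAIL: $1"; FAILS=$((FAILS + 1)); }
warn() { echo "WARN: $1"; }

# conf_value FILE KEY: value of the first uncommented "KEY = value" line
# (smb.conf / krb5.conf style), surrounding whitespace stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

upper() { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }

# nss_has FILE DB SOURCE: true when the "DB:" line of nsswitch.conf lists SOURCE
nss_has() {
    awk -v db="$2:" -v src="$3" \
        '$1 == db { for (i = 2; i <= NF; i++) if ($i == src) ok = 1 } END { exit !ok }' "$1"
}

check_naming() {            # $1 = ROOT, $2 = short hostname; sets DOMAIN
    etc="$1/etc"
    DOMAIN=$(awk '$1 == "domain" { print $2; exit }' "$etc/resolv.conf")
    [ -n "$DOMAIN" ] || { fail "resolv.conf: no 'domain' line"; return; }
    grep -q "^search .*$DOMAIN" "$etc/resolv.conf" \
        || fail "resolv.conf: 'search' does not include $DOMAIN (short names will not resolve)"
    nss_has "$etc/nsswitch.conf" hosts dns   || fail "nsswitch.conf: hosts does not use dns"
    nss_has "$etc/nsswitch.conf" ipnodes dns || fail "nsswitch.conf: ipnodes does not use dns"
    # /etc/hosts must carry both the canonical name (s10-pc.smbsetup...) and the short name
    awk -v f="$2.$DOMAIN" -v s="$2" \
        '{ for (i = 2; i <= NF; i++) { if ($i == f) a = 1; if ($i == s) b = 1 } } END { exit !(a && b) }' \
        "$etc/hosts" || fail "hosts: missing $2.$DOMAIN and/or $2"
}

check_kerberos() {          # $1 = ROOT; needs DOMAIN; sets REALM
    krb="$1/etc/krb5/krb5.conf"
    REALM=$(conf_value "$krb" default_realm)
    [ "$REALM" = "$(upper "$DOMAIN")" ] \
        || fail "krb5.conf: default_realm '$REALM' is not the upper-case DNS domain"
    [ -n "$(conf_value "$krb" kdc)" ] || fail "krb5.conf: no kdc for the realm"
    [ "$(conf_value "$krb" "$DOMAIN")" = "$REALM" ] \
        || fail "krb5.conf: [domain_realm] does not map $DOMAIN to $REALM"
    kt="$1/etc/krb5/krb5.keytab"
    if [ -f "$kt" ]; then
        # group/other bits of "ls -l" must not grant read (keytab unreadable for non-root)
        case "$(ls -l "$kt" | cut -c5-10)" in
            *r*) fail "krb5.keytab is readable by non-root users" ;;
        esac
    else
        warn "krb5.keytab not installed yet (ktutil wkt step pending)"
    fi
}

check_samba() {             # $1 = ROOT; needs REALM
    smb="$1/etc/sfw/smb.conf"
    [ "$(upper "$(conf_value "$smb" security)")" = "ADS" ] \
        || fail "smb.conf: security must be ADS for a Kerberos domain member"
    [ "$(conf_value "$smb" realm)" = "$REALM" ] \
        || fail "smb.conf: realm does not match krb5.conf default_realm"
    wg=$(conf_value "$smb" workgroup)
    [ -n "$wg" ] || fail "smb.conf: workgroup (NetBIOS domain name) not set"
    # the guide uses the first DNS label as the NetBIOS name; AD allows them to differ, so only warn
    [ "$wg" = "${REALM%%.*}" ] || warn "smb.conf: workgroup '$wg' differs from first realm label"
    range=$(conf_value "$smb" "idmap config $wg:range")
    lo=${range%-*}; hi=${range#*-}
    case "$range" in
        [0-9]*-[0-9]*) [ "$lo" -lt "$hi" ] || fail "smb.conf: idmap range '$range' is empty" ;;
        *) fail "smb.conf: idmap config $wg:range is missing or malformed" ;;
    esac
    nss="$1/etc/nsswitch.conf"
    nss_has "$nss" passwd winbind || fail "nsswitch.conf: passwd does not use winbind"
    nss_has "$nss" group winbind  || fail "nsswitch.conf: group does not use winbind"
}

preflight() {               # preflight ROOT HOST; returns the number of failures
    FAILS=0
    check_naming "$1" "$2"
    if [ -n "$DOMAIN" ]; then check_kerberos "$1"; check_samba "$1"; fi
    echo "$FAILS problem(s) found"
    return "$FAILS"
}

if [ "$#" -eq 2 ]; then preflight "$@"; fi
```

Run it as root on the box after the krb5.keytab has been written and smb.conf created; a zero exit means the files agree with each other and with the naming conventions from the prerequisites section, which is the state "net ads join" expects. The keytab check only looks at the permission bits, so it is worth running again after "net ads keytab create" rewrites the file.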