Thursday, August 29, 2013

How to Configure Samba for AD Access

This page describes how to configure the server01 server with Samba to control access via AD. We will change from the existing model of security = share to security = ADS and use AD groups to manage access.
 
Define Share Requirements:  See (put link to table doc I made)

Share Name   Windows Access                                Linux Access
TestShare1   MyPriGroup (rw)                               Grp_users (rw), MyPriGroup (rw)
Group2       Group2_RW, MyPriGroup (Read and Execute),     Grp_users (Read and Execute), Group2_RW,
             Grp_users (Read and Execute)                  MyPriGroup (Read and Execute)
Share3       Group3, User1 RW                              No Linux Access, User1 RW
Share4       Group4                                        No Linux Access
 
Samba Installed Versions 
samba-common-3.0.33-3.29.el5_7.4 
samba-3.0.33-3.29.el5_7.4 
 
 
Create required new groups.
  • Linux LDAP Access Group = Grp_users
  • Samba Basic Access Group = Grp_data

  • Modify the ldap_access_filter line in /etc/sssd/sssd.conf.
  • Modify ldap.conf as below.
    • note - if not using sssd, configure the appropriate krb5/ldap files.
    • Removed this line in ldap.conf:
        # Override the default gid
        #nss_override_attribute_value gidNumber 32840

    # This is the DN of a group if you wanted to restrict who can log on to the computer.
    # The user must have a valid account and be a member of that group.
    pam_groupdn CN=My_GrouP_LinuxAccess_Users,OU=User Groups,DC=myDomain,DC=com
    pam_member_attribute member
     
Pre Configuration Requirements
  • Use the default system build from Wayne, using sssd
    • note: Verify LDAP authentication works with the standard config.
    • Run this command on sssd systems:
      [root@Server01 ~]# authconfig --update --enablekrb5 --enableldap
    • Will test again on non-sssd boxes.
  • Create a 2nd filesystem, ext3, mounted with acl on /Site1
  • Verify Samba is installed:
    [twalters@Server01 ~]$ yum list installed samba*
    Installed Packages
    samba.x86_64                       3.0.33-3.29.el5_7.4                 installed
    samba-common.x86_64                3.0.33-3.29.el5_7.4                 installed

    • Old Samba versions installed on the node:
      [root@server01 etc]# rpm -qa |grep samba
      samba3x-winbind-3.5.4-0.70.el5_6.1
      system-config-samba-1.2.41-5.el5
      samba3x-3.5.4-0.70.el5_6.1
      samba3x-common-3.5.4-0.70.el5_6.1

  • Turn off SELinux and iptables (unless needed)
Test Samba Config for KRB/LDAP 
# smbd -b | grep ADS 
   WITH_ADS 
   WITH_ADS 
# smbd -b | grep KRB 
   HAVE_KRB5_H 
View Authconfig Information 
  • authconfig --test 
 
Check KRB5 Authentication - realms in krb5.conf must be in UPPERCASE.
  • kinit twalters@MYDOMAIN.COM
    Password for twalters@MYDOMAIN.COM:
  • klist to view the ticket
 
 
 
How to Configure System 
 
  1. Set NTP to use the correct server for your Active Directory domain: 
    • Configure to MyDomain standard 
    • Test ntp time and verify offset. 
      • [root@Server01 ~]# service ntpd stop 
      Shutting down ntpd:                                        [  OK  ] 
      [root@Server01 ~]# ntpdate ntp.myDomain.com 
      28 Oct 14:34:00 ntpdate[4693]: adjust time server 10.0.0.123 offset -0.000529 sec 
      [root@Server01 ~]# service ntpd start 
      Starting ntpd:                                             [  OK  ] 

       
  2. Make backups of system configuration files
    1. mkdir ~/bakfiles
    2. Copy these files to ~/bakfiles/*.bak:
       /etc/resolv.conf
       /etc/nsswitch.conf
       /etc/hosts
       /etc/samba/smb.conf
     
  3. Edit resolv.conf to match below: 
    $ cat /etc/resolv.conf 
    domain myDomain.com 
    search local myDomain.com 
    nameserver 192.168.1.10 
    nameserver 192.168.1.5 
     
  4. Edit nsswitch.conf to match:
    [root@Server01 etc]# cat nsswitch.conf | grep -v ^#
    passwd:     files sss ldap
    shadow:     files sss ldap
    group:      files sss ldap
    hosts:      files dns wins

    bootparams: nisplus [NOTFOUND=return] files
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files winbind
    rpc:        files
    services:   files winbind
    netgroup:   files sss ldap
    publickey:  nisplus
    automount:  files sss ldap
    aliases:    files nisplus

     
  5. Edit hosts file to include ldap/AD servers 
    [root@Server01 etc]# cat hosts 
    127.0.0.1       localhost.localdomain localhost 
    192.168.184.131 Server01  Server01.myDomain.com 
    192.168.1.10      myAD2.myDomain.com 
    192.168.1.5      myAD1.myDomain.com 

     
  6. Configure /etc/samba/smb.conf  [global] section 
    [global] 
            workgroup = MYDOMAIN 
            netbios name = SERVER01 
            realm = MYDOMAIN.COM 
            server string = SMB03 
            security = ADS 
            password server = 192.168.1.5 
            log level = 5 
            log file = /var/log/samba/log.smbd 
            max log size = 50 
            server signing = AUTO 
            client use spnego = YES 
            ntlm auth = YES 
            lanman auth = NO 
            use kerberos keytab = YES 
            encrypt passwords = YES 
            socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 
            local master = NO 
            domain master = NO 
            dns proxy = NO 
            idmap uid = 500-30000000 
            idmap gid = 500-30000000 
            template shell = /bin/false 
            winbind enum users = NO 
            winbind enum groups = NO 
            winbind use default domain = YES 
            winbind refresh tickets = YES 
     
  7. Copy or edit krb5 file from existing box. 
    1. If using sssd built box, follow AD/Linux integration docs to configure krb5.conf  
     
  8. Start the smb service and set it to start on boot
    1. [root@Server01 etc]# service smb start
       Starting SMB services:                                     [  OK  ]
       Starting NMB services:                                     [  OK  ]

    2. [root@Server01 etc]# chkconfig smb on
       [root@Server01 etc]# chkconfig --list smb
       smb             0:off   1:off   2:on    3:on    4:on    5:on    6:off
     
  9. Get a Kerberos ticket and join the domain:
    1. kinit username@DOMAIN.COM
       [root@Server01 etc]# kinit twalters@MYDOMAIN.COM
       Password for twalters@MYDOMAIN.COM:
    2. net ads join -U admin_username
     
  10. Verify the bind to Active Directory is good
    1. [root@Server01 etc]# net ads info
       LDAP server: 192.168.1.5
       LDAP server name: myAD1.myDomain.com
       Realm: MYDOMAIN.COM
       Bind Path: dc=MYDOMAIN,dc=COM
       LDAP port: 389
       Server time: Fri, 28 Oct 2011 14:50:26 PDT
       KDC server: 192.168.1.5
       Server time offset: 0

    2. [root@Server01 etc]# net ads testjoin
       Join is OK

    3. Test getent
       [root@Server01 myDomain]# getent passwd twalters
       twalters:*:600904:32840:Walters, Todd:/home/twalters:/bin/bash
       [root@Server01 myDomain]# getent group Group2_rw
       GROUP2_RW:*:20794:

     
  11. Create the Kerberos keytab and verify its contents
    [root@Server01 etc]# net ads keytab create 
    [root@Server01 etc]# klist -ke 
    Keytab name: FILE:/etc/krb5.keytab 
    KVNO Principal 
    ---- -------------------------------------------------------------------------- 
       2 host/Server01.myDomain.com@MYDOMAIN.COM (DES cbc mode with CRC-32) 
       2 host/Server01.myDomain.com@MYDOMAIN.COM (DES cbc mode with RSA-MD5) 
       2 host/Server01.myDomain.com@MYDOMAIN.COM (ArcFour with HMAC/md5) 
       2 host/Server01@MYDOMAIN.COM (DES cbc mode with CRC-32) 
       2 host/Server01@MYDOMAIN.COM (DES cbc mode with RSA-MD5) 
       2 host/Server01@MYDOMAIN.COM (ArcFour with HMAC/md5) 
       2 SERVER01$@MYDOMAIN.COM (DES cbc mode with CRC-32) 
       2 SERVER01$@MYDOMAIN.COM (DES cbc mode with RSA-MD5) 
       2 SERVER01$@MYDOMAIN.COM (ArcFour with HMAC/md5) 
     
  12. Create the share and use an AD group to restrict access
    1. [Share5]
            path = /Share5
            valid users = @"MYDOMAIN\Grp_data"
            writable = yes
            browseable = yes
     
     
  13. Restart smb and verify access to the share
    1. [root@Server01 samba]# service smb restart 
    Shutting down SMB services:                                [  OK  ] 
    Shutting down NMB services:                                [  OK  ] 
    Starting SMB services:                                     [  OK  ] 
    Starting NMB services:                                     [  OK  ] 
     
Configure Mount Points / Shares

  1. Verify the mount point has ACL support
    • [root@Server01 Share3]# mount -v |grep Share5
      /dev/sdb1 on /Share5 type ext3 (rw,acl)

    • If not enabled then do this:
      • Edit /etc/fstab and add acl to the share's filesystem in the options field.
      • Remount with: mount -o remount,acl /TestShare1
  2. Create 3 shares under /myDomain
    1. /myDomain/scratch/TestShare1/
    2. /myDomain/scratch/TestShare1/Share3
    3. /myDomain/scratch/TestShare1/Share4
    4. /myDomain/scratch/Group2

 
Configure Share3 Share
  1. Set permissions on Share3
    1. chgrp -R grp_users Share3/
  2. Set the Share3 RO group
    1. setfacl -m d:g:Group3:r-x Share3/
  3. Allow the Alladin group (myPriGroup) RW access to Share3 via ACL
    1. setfacl -m g:myPriGroup:rwx Share3/
     
  4. Get ACL for Share3 
    getfacl Share3/ 
    # file: Share3 
    # owner: root 
    # group: Grp_users 
    user::rwx 
    group::r-x 
    group:myPriGroup:rwx 
    mask::rwx 
    other::r-x 
    default:user::rwx 
    default:group::r-x 
    default:group:Group3:r-x 
    default:mask::r-x 
    default:other::r-x 
     
     
     
Configure TestShare1 Share
  1. Set permissions and group ownership
    1. chgrp -R MyPriGroup TestShare1
    2. chmod 2770 TestShare1/
  2. Set ACL on TestShare1
    1. [root@Server01 myDomain]# setfacl -m g:myPriGroup:rwx TestShare1/
    2. [root@Server01 myDomain]# setfacl -m d:g:myPriGroup:rwx TestShare1/
     
  3. Get ACL info for TestShare1 
    [root@Server01 myDomain]# getfacl TestShare1/ 
    # file: TestShare1 
    # owner: root 
    # group: myPriGroup 
    user::rwx 
    group::rwx 
    group:myPriGroup:rwx 
    mask::rwx 
    other::r-x 
    default:user::rwx 
    default:group::rwx 
    default:group:myPriGroup:rwx 
    default:mask::rwx 
    default:other::r-x 
     
 
Configure Group2 Share

  1. Set permissions and group ownership
    1. [root@Server01 Share5]# chgrp -R Group2_RW Group2/
    2. [root@Server01 Share5]# chmod 2770 Group2/
  2. Set ACL on Group2
    [root@Server01 myDomain]# setfacl -m g:myPriGroup:r-x Group2/
    [root@Server01 myDomain]# setfacl -m g:Group2_RW:rwx Group2/
    ??? [root@Server01 myDomain]# setfacl -m d:g:Group2_RW:rwx Group2/

  3. Get ACL info for Group2
    [root@server01 scratch]# getfacl Group2/
    # file: Group2
    # owner: User1
    # group: GROUP2_RW
    user::rwx
    group::rwx
    group:GROUP2_RW:rwx
    mask::rwx
    other::---
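The "???" line above asks whether Group2 also needs a default ACL, and the getfacl listings in this post show the difference: TestShare1 has default: entries, Group2 does not, so files created later in Group2 will not carry the Group2_RW rights. The script below is an added example, not part of the original post; it parses a getfacl listing and flags every named group whose access rights have no matching default entry. The two sample listings are constructed from the post's own output.

```shell
#!/bin/sh
# Added example (not from the original post). Reads a getfacl listing on
# stdin and reports every named group that has an access ACL entry but no
# matching "default:" entry, or a default entry with different rights.
# Without the default entry, files created later in the share directory do
# not inherit the group's rights. Returns 0 when all defaults match, else 1.
check_default_acl() {
    awk '
        # $1 drops any trailing "#effective:..." annotation getfacl may add
        /^group:[^:]+:/         { split($1, f, ":"); access[f[2]] = f[3] }
        /^default:group:[^:]+:/ { split($1, f, ":"); dflt[f[3]] = f[4] }
        END {
            bad = 0
            for (g in access) {
                if (!(g in dflt)) {
                    printf "group %s: access %s but no default entry\n", g, access[g]
                    bad = 1
                } else if (dflt[g] != access[g]) {
                    printf "group %s: access %s, default %s\n", g, access[g], dflt[g]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: the Group2 listing from this post (no default: entries).
group2_acl='# file: Group2
# owner: User1
# group: GROUP2_RW
user::rwx
group::rwx
group:GROUP2_RW:rwx
mask::rwx
other::---'

# Constructed sample: the TestShare1 listing from this post (defaults present).
testshare1_acl='# file: TestShare1
user::rwx
group::rwx
group:myPriGroup:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:myPriGroup:rwx
default:mask::rwx
default:other::r-x'

printf '%s\n' "$group2_acl" | check_default_acl \
    || echo "Group2 needs: setfacl -m d:g:GROUP2_RW:rwx Group2/"
printf '%s\n' "$testshare1_acl" | check_default_acl && echo "TestShare1 defaults OK"
```

On a live system, pipe `getfacl /path/to/share` into check_default_acl to run the same check against the real directory.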
 
Configure Group Membership

  • For Linux access add users to the MyPriGroup group. Will add the Group_MyGroup_Users group for access.
  • For Windows read-only access to \\Server1\Share1 add the user list to Group3
    • List is in email.
  • For Group2 RW access add the user list to Group2_rw