Using Samba & Kerberos Technology for Mac OSX & AD-based SSO
Identity Management
Kefa Rabah
Global Open Versity, Vancouver Canada
krabah@globalopenversity.org
www.globalopenversity.org
Contents
1.0 Introduction
1.1 Our Implementing Plan
© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
1.0 Introduction
A popular thing to do with Samba these days is to join a Samba 3 host to a Windows Active Directory
domain using Kerberos ticketing. You may set up any number of Samba servers in a Windows network
without joining them to the domain, and still share files, map drives and provide centralized printer
services. What domain membership adds is central management and authentication, and single sign-on
(SSO) identity management to all your network resources. Using Winbind allows Linux clients to log on to
the AD domain without requiring local Linux system accounts, which is a real time- and hassle-saver. We
also join Mac OS X to the network, for a complete integration of the three major operating systems.
Figure 1 shows a simple network: one AD server, one Samba server and a few client workstations,
connected through a router or switch (most home network routers have at least a four-port switch built
in). This grows over time, usually by adding more switches, routers, clients and additional storage on the
server.
In this HowTo training manual we assume that you already have a functioning Win2k3 Active Directory
domain and know how to run it. AD is very dependent on DNS (domain name system), so I'll also assume
your DNS house is in order; if not, first set up and configure a DNS server. On your Linux box you'll need
Samba 3, version 3.0.8 or newer, plus MIT Kerberos 5, version 1.3.1 or newer, and OpenLDAP. (The Samba
documentation states that Heimdal Kerberos, version 0.6.3 or newer, also works. The examples in this
HowTo use MIT Kerberos.) Debian users need the krb5-user, krb5-config, krb5-doc, and libkrb53
packages. Red Hat family users need the krb5-libs and krb5-workstation RPMs.
The Samba system in this manual is a stock standard RHE5 (Red Hat Enterprise Linux 5) system with the
following Samba 3 and Kerberos packages installed:
Samba:
1. system-config-samba
2. samba-common
3. samba-client
4. samba
Kerberos:
1. pam_krb5
2. krb5-workstation
3. krb5-client
4. krb5-libs
5. krbafs
]# rpm -qa | grep samba    # lists every installed package whose name contains "samba"
If the result is blank, Samba is not installed. Compiling Samba from source is always an option, but I
have found that the RPMs obtained via Yum (CentOS 4 and later, Fedora Core 8 and later) or via YaST
(OpenSuse 11.1) contain all the required files. To install all Samba files with RHE5, do the following:
The next task is to verify that your Samba installation has been compiled to support Kerberos, LDAP,
Active Directory, and Winbind. Most likely it has, but you need to make sure. The smbd command has a
switch, -b, for printing build information; you will see many more lines of output than are shown here:
Fortunately, in our case all the required support for Kerberos, ADS and Winbind is present. If you are in
the unfortunate position of missing any of these (indicated by an empty result for that grep), you need
to recompile Samba or install the distribution packages listed above. Also see Chapter 37 of the
Official Samba-3 HOWTO and Reference Guide.
Configure /etc/hosts
Even if your DNS servers are perfect in every way, it is always a good idea to add important servers to
your local /etc/hosts file. It speeds up lookups and provides a fallback in case the DNS servers go
down:
]# rpm -qa | grep krb    # lists every installed package whose name contains "krb"
The next task is to configure and test the Kerberos installation, but first we have to ensure that the
servers’ clocks are synchronized.
1. On the Linux Samba server, click System > Administration > Date & Time, then click the Network
Time Protocol tab and check "Enable Network Time Protocol".
2. Click the button to add a server and enter our AD domain controller's hostname,
"server02.medtech.com"; click OK to close the Date/Time Properties dialog box.
3. The next step is to update NTP and synchronize the server clocks:
Note: Kerberos rejects authentication when the clocks of the client and the KDC differ by more than the
permitted skew (5 minutes by default). A simple test in our case gave:
]# ntpdate -u 192.168.83.10
3 Oct 10:12:04 ntpdate[4268]: step time server 192.168.83.10 offset 7.988582 sec
• The clock was stepped by almost 8 seconds; repeat the same command to confirm that the offset is
now negligible:
]# ntpdate -u 192.168.83.10
3 Oct 10:12:07 ntpdate[4269]: adjust time server 192.168.83.10 offset 0.003387 sec
# /etc/krb5.conf
[libdefaults]
default_realm = MEDTECH.COM
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MEDTECH.COM = {
kdc = server02.medtech.com
admin_server = server02.medtech.com
}
[domain_realm]
medtech.com = MEDTECH.COM
.medtech.com = MEDTECH.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Very important: realm names are case-sensitive, so use uppercase exactly where it is shown (and the
MIT section name is [domain_realm], singular). With dns_lookup_kdc = false the library only talks to
the KDC named in [realms]; set it to true if you would rather have it find domain controllers through the
_kerberos SRV records that AD registers in DNS. Save this as /etc/krb5.conf, then try to obtain a
ticket, minding your cases:
]# kinit Administrator@MEDTECH.COM
Password for Administrator@MEDTECH.COM:
Now test that your krb5 infrastructure is working and has issued you a ticket-granting ticket. To do this,
use the klist command:
Note: To destroy the Kerberos tickets, use the kdestroy command, followed by klist to verify that the
tickets are indeed gone.
Occasionally you will need to renew your ticket when it expires (ticket_lifetime above is 24 hours), as
shown in Fig. 2:
Fig. 2
1. Click System > Administration > Authentication, then under the User Information tab check
Enable Winbind Support (a). Click the Configure Winbind button to open the Winbind Settings dialog
box (b), see Fig. 3.
2. In the Winbind Settings dialog box (b), complete the settings as shown and click OK.
Fig. 3
3. Next, let's test whether we can reach the Windows AD domain; to do this, issue the following
command:
Success! We can connect to our AD domain and pull some information about the server. The next step is
to clean-up and configure Samba to suit our requirements.
[homes]
[musicstore]
comment = Samba music center
path = /data/musicstore
valid users = krabah, root, @smbusers, "@MEDTECH+domain users"
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
[datastore]
comment = Samba data center
path = /data/datastore
valid users = krabah, root, @smbusers, "@MEDTECH+domain users"
read only = No
create mask = 0777
directory mask = 0777
guest ok = Yes
[public]
comment = Samba Public files
path = /data/public
public = yes
write list = @smbusers, "@MEDTECH+domain users"
browseable = yes
[shared]
comment = Samba Totally open shared area
path = /data/shared
public = yes
read only = no
browseable = yes
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root
browseable = No
[Profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
Note: The important things to pay attention to here are the name of our Samba machine (netbios name),
the workgroup, and the Active Directory settings in [global].
1. The workgroup is the name of your AD domain, in this case MEDTECH. Server string is a comment
describing the server; make this anything you want. Log level runs from 0, for no logging, to 10,
extreme logging. See man smb.conf for the rest.
2. The [datastore] share on /data/datastore is intended for the users krabah, root, @smbusers and
"@MEDTECH+domain users" (the valid users list). It is writable, so the listed users have read, write
and execute permission on the share, and because create mask and directory mask are both 0777,
every file and directory created through it is world-writable on the Linux filesystem. Note that
guest ok = Yes on [musicstore] and [datastore] also admits anonymous guests; if these shares really
are meant only for the users listed, set guest ok = No and use masks such as 0660 and 0770 so that
only the owner and group can write.
3. The [public] and [shared] sections create \\SERVER\public and \\SERVER\shared, respectively
(where, as usual, SERVER is the name of your Samba server). These are publicly accessible shares with
nearly the same settings, but with one difference. On [public] only members of the Samba and domain
users groups (the write list @smbusers, "@MEDTECH+domain users") may write; everyone else has
read-only access. [shared] is readable and writable by anyone.
Warning! You should only create a completely open share like [shared] if you trust everyone who can
reach your Samba server; open FTP servers, for example, have been compromised in the past and
abused as drop boxes for pirated software.
4. After you've added these shares to your smb.conf configuration file you must either restart Samba
or tell it to reload its configuration; before doing that, run testparm.
5. Save your changes and run testparm to test your Samba configuration:
]# testparm
6. This checks smb.conf for syntax errors and prints the parsed configuration. Any errors must be
corrected before going ahead. Once all is OK, start Samba with its init script (/etc/init.d/smb start),
as shown below.
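The weak settings discussed in notes 2 and 3 (guest access to writable shares, 0777 masks) are easy to miss in a long smb.conf, so here is an audit script that finds them mechanically. It is an added example for this manual, not code from the original author: audit_shares reads smb.conf text on stdin and prints one finding per weak setting, and the sample configuration embedded in the script is constructed (the [datastore] share from this page next to a hardened copy). On the Samba host, pipe testparm -s output into it so that defaults and synonyms are resolved by Samba itself.

```shell
#!/bin/sh
# Audit smb.conf share definitions for two weaknesses: shares that admit
# guests yet are writable, and masks that create world-writable files or
# directories. Added example for this manual; the sample configuration at the
# bottom is constructed.

# audit_shares: read smb.conf text on stdin, print one finding per weak
# setting, share by share. [global] is skipped. Boolean synonyms that Samba
# accepts (public/guest ok, writable/writeable/read only) are folded together.
audit_shares() {
    awk '
        function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
        function yes(v)  { return (v == "yes" || v == "true" || v == "1") }
        function flush() {
            if (share == "" || share == "global") return
            if (yes(guest) && ro == "no")
                print share ": guests can write (guest ok/public = yes and read only = no)"
            if (cmask ~ /[2367]$/)
                print share ": create mask " cmask " makes new files world-writable"
            if (dmask ~ /[2367]$/)
                print share ": directory mask " dmask " makes new directories world-writable"
        }
        /^[ \t]*[#;]/ { next }          # comment lines
        /^[ \t]*\[/ {                   # [share] header: report the previous share, reset state
            flush()
            share = norm($0); sub(/^\[/, "", share); sub(/\]$/, "", share)
            ro = "yes"; guest = "no"; cmask = ""; dmask = ""     # Samba defaults
            next
        }
        index($0, "=") {
            n = index($0, "=")
            key = norm(substr($0, 1, n - 1)); val = norm(substr($0, n + 1))
            if (key == "read only")                                      ro = val
            else if (key == "writable" || key == "writeable")            ro = yes(val) ? "no" : "yes"
            else if (key == "guest ok" || key == "public")               guest = val
            else if (key == "create mask" || key == "create mode")       cmask = val
            else if (key == "directory mask" || key == "directory mode") dmask = val
        }
        END { flush() }
    '
}

# --- constructed sample: the weak [datastore] from this manual next to a hardened copy ---
SAMPLE_CONF='[global]
   workgroup = MEDTECH
   security = ads

[datastore]
   comment = Samba data center
   path = /data/datastore
   valid users = krabah, root, @smbusers, "@MEDTECH+domain users"
   read only = No
   create mask = 0777
   directory mask = 0777
   guest ok = Yes

[datastore-hardened]
   comment = same share, restricted to the listed users and group-writable only
   path = /data/datastore
   valid users = @smbusers, "@MEDTECH+domain users"
   read only = No
   create mask = 0660
   directory mask = 0770
   guest ok = No'

echo "findings for the constructed sample:"
printf '%s\n' "$SAMPLE_CONF" | audit_shares
# On the Samba host, audit the live configuration with defaults already resolved:
#   testparm -s 2>/dev/null | audit_shares
```

The script deliberately does not flag a share that is public but read-only with a write list, such as [public] on this page: guests there can only read, and only the listed groups can write. Run against the full configuration above it reports one finding for [musicstore], three for [datastore] and one for [shared].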
2. Add the existing users (krabah, root and musicusers) and their passwords to the Samba password
database by performing the following procedure:
3. Add the existing user musicusers and its password, and enable the account, by performing the
following procedure:
4. Add machine accounts (e.g., the WinXP workstation) and their passwords to the Samba server by
performing the following procedure:
]# mkdir -p /var/lib/samba/profiles/szulu
]# chown szulu.users /var/lib/samba/profiles/szulu
]# mkdir -p /var/lib/samba/profiles/krabah
]# chown krabah.users /var/lib/samba/profiles/krabah
]# mkdir -p /var/lib/samba/profiles/root
]# chown root.users /var/lib/samba/profiles/root
]# mkdir -p /var/lib/samba/profiles/Administrator
]# chown Administrator.users /var/lib/samba/profiles/Administrator
Note: ldconfig creates the necessary links and cache for the most recent shared libraries found in the
directories specified on the command line (and in /etc/ld.so.conf).
Note:
1. chmod 755 means read and execute access for everyone and also write access for the owner of the
file.
2. chmod 777 gives everyone read, write and execute access; use it only on directories that are
deliberately open to all users, such as the one behind the [shared] share.
Deleting users from your Samba domain is a two-stage process: remove the user's smbpasswd entry, and
also remove the corresponding Linux user. Here's how:
2. Delete the Linux user by following the normal deletion process. For example, to delete the user kjude
and all her files from the Linux server use:
Sometimes you may not want to delete the user's files, so that other users can still access them later. In
this case you can just lock the user's Linux account with the passwd -l username command. Note that
passwd -l only locks the Unix password; Samba keeps its own password store, so disable the Samba
account as well with smbpasswd -d username, otherwise the user can still connect to the shares.
1. Debian and OpenSuse users may need to install the winbind package separately (OpenSuse users
can install it with yast -i samba-winbind); RPM users will find it in the samba-common RPM. First, using
your favorite text editor, edit /etc/nsswitch.conf. The first three lines (passwd, shadow, group) are the
most important; the others vary according to your system:
]# /etc/init.d/smb start
]# /etc/init.d/winbind start
2. We now have a time offset that is OK; testing with net ads info should show a zero (or near-zero)
time offset:
3. Finally, join your Samba Linux box to Active Directory using the net command as follows:
• Hurrah! Success. The Samba box will now appear as a machine account under "Computers" in
your "AD Users and Computers" console. Now stop Samba until the final steps are completed.
5. Next, verify that winbind is working and able to communicate with and pull information from our AD
domain controller. The following commands verify the trust secret via RPC and pull lists of users and
groups from the AD domain controller:
# wbinfo -t
checking the trust secret via RPC calls succeeded
6. Next test using the wbinfo -u command; we should get a list of users in the format
"MEDTECH+<username>" (the RHE5+ entries are accounts from the Samba box's own local password
database, listed under its netbios name), as follows:
# wbinfo -u
RHE5+krabah
RHE5+szulu
RHE5+musicusers
RHE5+administrator
MEDTECH+administrator
MEDTECH+guest
MEDTECH+support_388945a0
MEDTECH+krbtgt
MEDTECH+dsmith
MEDTECH+rgomez
MEDTECH+root
MEDTECH+iusr_server02
MEDTECH+iwam_server02
MEDTECH+krabah
MEDTECH+mwong
MEDTECH+8edae942-8bab-4f97-9
MEDTECH+fds
MEDTECH+sqlservice
]# wbinfo -g
MEDTECH+domain computers
MEDTECH+domain controllers
MEDTECH+schema admins
MEDTECH+enterprise admins
MEDTECH+domain admins
MEDTECH+domain users
MEDTECH+domain guests
MEDTECH+group policy creator owners
MEDTECH+dnsupdateproxy
MEDTECH+engineering gg
MEDTECH+sales gg
MEDTECH+human resources gg
MEDTECH+exchange domain servers
MEDTECH+medtech staff
MEDTECH+medtech students
8. We can now use the getent utility to get a unified list of both the local Linux Samba box and the DC
users and groups. This verifies that logins and passwords are coming from the AD server and not only
from the local machine. The output follows the format of the Linux /etc/passwd and /etc/group files
respectively; domain entries carry the MEDTECH+ prefix (the winbind separator configured in smb.conf):
]# getent passwd
MEDTECH+administrator:*:10000:10004:Administrator:/home/MEDTECH/administrator:/bin/bash
]# /usr/bin/getent group
• If winbind is not working and only local authentication is active, the domain accounts will be missing
and nothing in the output will carry the MEDTECH+ prefix.
10. It is now a good idea to do one more test to ensure your Active Directory usernames are valid on the
Samba box. Try the following:
11. After this we can fix up our init.d startup scripts so that winbindd starts at boot, and make sure
nscd is not started (its caching interferes with winbind lookups).
12. Finally, as root run the net ads info command to display the AD domain server information.
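Steps 5 through 12 above are the checks you repeat on every host you join, so here they are as a script. This is an added example for this manual, not code from the original author: the two parsers work on text (the nsswitch.conf edit from step 1 and the prefix test from step 8), so they can be run on saved output and on the constructed sample data inside the script, while verify_join feeds them the live wbinfo and getent commands. It assumes the winbind separator is + as configured on this page and that /etc/nsswitch.conf lists winbind after files for passwd and group (passwd: files winbind).

```shell
#!/bin/sh
# Post-join verification for the winbind/NSS layer. The two parsers work on
# text, so they can be run on saved output; verify_join() feeds them the live
# commands. Added example for this manual; the sample data below is
# constructed. Assumes winbind separator = + as on this page.

# nss_winbind_ok: read /etc/nsswitch.conf on stdin; succeed only when both the
# passwd and group databases list winbind (keep files first so root and other
# local accounts still resolve when the DC is unreachable).
nss_winbind_ok() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "passwd:" || $1 == "group:" {
            db = substr($1, 1, length($1) - 1)
            for (i = 2; i <= NF; i++) if ($i == "winbind") has[db] = 1
        }
        END { if (has["passwd"] && has["group"]) exit 0; exit 1 }
    '
}

# count_domain_entries DOMAIN SEP: read wbinfo -u / wbinfo -g / getent output
# on stdin and print how many entries carry the DOMAIN<SEP> prefix. Zero from
# getent passwd means NSS is not consulting winbind, even if wbinfo works.
count_domain_entries() {
    awk -v p="$1$2" 'index(tolower($0), tolower(p)) == 1 { n++ } END { print n + 0 }'
}

# verify_join DOMAIN [SEP]: live checks on the Samba host (run as root after
# `net ads join`). Not called below so the demo runs offline.
verify_join() {
    dom=$1; sep=${2:-+}
    nss_winbind_ok < /etc/nsswitch.conf || { echo "nsswitch.conf: passwd/group do not use winbind"; return 1; }
    wbinfo -t > /dev/null 2>&1 || { echo "wbinfo -t: trust secret check failed"; return 1; }
    n=$(wbinfo -u | count_domain_entries "$dom" "$sep")
    [ "$n" -gt 0 ] || { echo "wbinfo -u: no $dom$sep accounts, winbind cannot enumerate the domain"; return 1; }
    n=$(getent passwd | count_domain_entries "$dom" "$sep")
    [ "$n" -gt 0 ] || { echo "getent passwd: no $dom$sep entries, NSS is not using winbind"; return 1; }
    echo "join OK: $n $dom accounts visible through NSS"
}

# --- constructed sample data ---
SAMPLE_NSS='passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns'
SAMPLE_NSS_BAD='passwd:     files
group:      files'
SAMPLE_WBINFO='RHE5+krabah
MEDTECH+administrator
MEDTECH+krabah
MEDTECH+dsmith'
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
krabah:x:500:500::/home/krabah:/bin/bash
MEDTECH+administrator:*:10000:10004:Administrator:/home/MEDTECH/administrator:/bin/bash
MEDTECH+krabah:*:10001:10004::/home/MEDTECH/krabah:/bin/bash'

if printf '%s\n' "$SAMPLE_NSS" | nss_winbind_ok; then echo "nsswitch sample: winbind enabled"; fi
if printf '%s\n' "$SAMPLE_NSS_BAD" | nss_winbind_ok; then :; else echo "nsswitch bad sample: winbind missing"; fi
echo "MEDTECH accounts in the wbinfo -u sample: $(printf '%s\n' "$SAMPLE_WBINFO" | count_domain_entries MEDTECH +)"
echo "MEDTECH accounts in the getent sample:    $(printf '%s\n' "$SAMPLE_GETENT" | count_domain_entries MEDTECH +)"
```

Run verify_join MEDTECH + on the Samba host once winbind is started. The getent check is the one that matters for logins: wbinfo talks to winbindd directly, so it can succeed while PAM and NSS still see only local accounts.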
1. Modify /etc/pam.d/samba (on Debian woody) or the appropriate PAM file to add "sufficient" entries
for auth and account using pam_winbind.so. These need to go BEFORE the pam_unix.so lines for
Samba. My /etc/pam.d/samba is as follows:
3. Finally, to have our Active Directory users able to log in to our server, we modify
/etc/pam.d/login as follows:
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
4. It is useful to add an extra entry to /etc/pam.d/system-auth so that a home directory is created
the first time a domain user logs in to the Linux system. In the session section of this file, towards the
end, add the line:
After we save this file, we should be able to log in to our Linux machine with the username
MEDTECH+Administrator and get a shell prompt. The system may complain if the specified home
directory (in this case /home/MEDTECH/Administrator) does not yet exist.
Fig. 4
7. Voila! All is working. :) Browse your server and see...
Fig. 5
2. From the Windows Network you can access other network machines' shares from both Windows and
Mac machines, as shown in Fig. 6.
Fig. 6
# smbclient //MACHINENAME/sharename
If you want to pass a different username to the Samba server, add the -U option to the command
(replace username with your username).
If a password is associated with the username, you will be prompted for it. Once the SMB server has
authorized you, you will be at an smb: \> prompt. This is similar to an ftp session where get, put,
pwd, ls, etc. can be used to navigate. Type help for a list of commands.
• To log on to any machine, double-click its icon, provide your credentials, and you're good to go.
Fig. 7
4. You can access the resources on RHE5 (the Samba server) just as you do in a Windows WORKGROUP,
Fig. 8. In this case I had logged in as root, as indicated by the root folder.
Fig. 8
Fig. 9
• Mapping and unmapping shares can also be done from the Windows command prompt.
- To map the datastore share from rhe5 as drive F:, as user krabah:
net use F: \\rhe5\datastore /USER:krabah
• Click Properties; check Member of Domain; type in the Domain Name you specified on the Samba
server; click OK.
• When you reboot the machine, you should be able to log on to the domain with the user name and
password stored on the Samba server.
• Your home directory will be mapped as drive Z. When you log on to the domain for the first time,
Windows creates a profile folder in your home directory.
• Your Samba server can also act as an SMB client accessing Windows shares.
• Right-click the folder to share; choose Sharing; check Share this folder; name it "win2k3-shares";
click Permissions, then Add; add your MEDTECH domain account and also Administrator; click Apply,
then OK.
# df -h
• Unmount it:
# umount /mnt/smb
# df -h
Type in the password.
1. Mac OS X has built-in SMB support (via Samba) that lets it play nicely with Windows and Linux
networks. An early step to working seamlessly with a Windows workgroup is joining that network.
2. Open the Directory Access utility (under Applications -> Utilities).
3. If the window is locked (padlock closed at the lower left), click the padlock to unlock it.
4. Select SMB and click Configure…
5. Type in the name of the desired workgroup in the Workgroup field (MEDTECH in our case), enter a
WINS server if appropriate, click OK, then Apply.
6. Alternatively, from Mac OS X you can reach your other network machines directly: click the Go menu >
Connect to Server…, and enter smb://<samba IP address> to access your network servers, as
shown in Fig. 10.
7. Enjoy and have fun, from Linux Samba to Windows to Mac OS X!
Fig. 11
2. Under Internet & Network, click Network to open the Network dialog box (Fig.).
3. In the TCP/IP configuration of your network device, add a DNS server and a Search domain for
local DNS resolution, see Fig. 12:
Fig. 12
Fig. 13
2. In the Active Directory configuration, enter the Domain name and Computer name:
Fig. 14
3. Under Advanced Options, User Experience, set the home location to use SMB and set the default user
shell to /bin/bash, see Fig. 15.
Fig. 15
4. Under the Administrative advanced options, allow administration by domain and enterprise admins,
and allow authentication from any domain in the forest, see Fig. 16. Be aware that this grants every
member of Domain Admins and Enterprise Admins local administrator rights on the Mac; in a production
deployment prefer a dedicated, smaller AD group here, and only allow authentication from the whole
forest if you actually need it.
Fig. 16
Fig. 17
2. You will get a warning alert as shown in Fig. 18; click OK to proceed to Fig. 19.
Fig. 18
Fig. 19
3. Under Directory Access, Authentication, make sure Active Directory is in the search path, see
Fig. 20:
Fig. 20
4. Under Directory Access, Contacts, make sure Active Directory is in the search path, see Fig. 21:
Fig. 21
5. Under Directory Access, Services tab, configure SMB/CIFS, adding the Workgroup name and WINS
server address, see Fig. 22:
Fig. 22
Step 3: Configure login options:
1. Launch System Preferences, System > Accounts. Under Login Options, uncheck 'Automatically
log in' and choose 'Display login window as: Name and password', see Fig. 23
Fig. 23
Stay tuned as I will continue to update this article from time to time!
Locate your httpd.conf file (mine is in /etc/httpd/conf) and add the code shown in Listing 3.
These two declarations, <Alias> and <Directory>, create http://server/public/ and
http://server/shared/ on the server, turn on fancy directory listings, and allow access from any
Web browser. Because [shared] is writable by anyone over SMB, whatever is dropped there is published
over HTTP immediately as well; if that is not what you want, restrict the <Directory> blocks to your local
networks or require authentication.
Save the file and use the apachectl or httpd command to tell Apache to reload its configuration file
and activate the new URLs.
In addition to having convenient Samba access to these shared directories, they're accessible to anyone
with a Web browser. Figure 11 shows shared data accessibility via Web browser: http://rhe5/shared/ .
Fig. 11
Do the same additions that you made to /etc/pam.d/login to /etc/pam.d/sshd to support logins
via SSH.
Starting with Windows 2000, Microsoft moved from NTLM to Active Directory (AD) and its integrated
Kerberos authentication service. Kerberos was considerably more secure than NTLM, and it scaled
better, too. And Kerberos was an industry standard already used by Linux and UNIX systems, which
opened the door to integrating those platforms with Windows.
The resulting plethora of authentication mechanisms was unmanageable. In 1995, Sun proposed a
mechanism called Pluggable Authentication Modules (PAM). PAM provides a common set of
authentication APIs that all application developers can use, along with an administrator-configured back
end that allows for multiple "pluggable" schemes. By using the PAM APIs for authentication and the Name
Service Switch (NSS) APIs for looking up user information, Linux application developers get a single
place to configure and manage the authentication process.
Most Linux distributions come with several PAM authentication modules, including modules that support
authentication against an LDAP directory and authentication using Kerberos. You can use these modules
to authenticate to AD, but there are some significant limitations, as we will see later in the text.
The part of Samba that is most interesting to us for this project is Winbind. Winbind is a daemon (a
service, in Windows parlance) that runs on Samba clients and acts as a proxy between PAM and NSS on
the Linux machine and Active Directory on a DC. In particular, Winbind uses Kerberos and LDAP to
retrieve user and group information. Winbind also provides additional services such as the ability to
locate DCs using an algorithm similar to the DCLOCATOR in AD, and the ability to reset AD passwords by
communicating with a DC using RPC.
Winbind solves a few problems that simply using Kerberos with PAM doesn't. In particular, instead of
hard-coding a DC to authenticate to the way the PAM Kerberos module does, Winbind selects a DC by
searching the DNS locator (SRV) records, similar to the way the Microsoft DC LOCATOR module does.
Simple LDAP authentication (an LDAP simple bind) passes the username and password in cleartext over
the network. This is insecure and unacceptable for most purposes. To avoid sending credentials in the
clear you must either encrypt the client-to-Active Directory channel with TLS (LDAPS or StartTLS), which
is certainly doable but imposes the additional burden of managing certificates on both the DC and the
Linux machines, or authenticate the LDAP session with Kerberos (a SASL/GSSAPI bind), which is what
Winbind does. Furthermore, the PAM LDAP module does not support password change, reset or expiry
handling against AD.
Have fun!
And congratulations, it works. If you want to go further, for example to mail services and other
applications, you may need to modify the appropriate PAM configuration files; that isn't covered here.
Stay tuned: this lab module will be regularly updated to make it more practical for business applications.
-----------------------------------------------
Kefa Rabah is the Founder and CIO, of Serengeti Systems Group Inc. Kefa is knowledgeable in
several fields of Science & Technology, IT Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, a Center of Excellence
in eLearning.