The Samba-3 Enchilada: Overview, Authentication, Integration

Similar documents
The Samba-3: Overview, Authentication, Integration

Samba in Business. John H Terpstra

Migration of NT4 to Samba-3

Making the Migration to Linux using Vampire. Matt Skipton Technology Specialist Datacenter & Workgroup Novell, Inc.

UPDATING SAMBA-3. Chapter Introduction

Red Hat Enterprise Linux Red Hat Enterprise Linux Deployment Guide

Samba. Alain Knaff. Linuxdays, Samba. Alain Knaff. Installing. Basic config PDC. Printing. Misc gimmicks. Conclusion

SDC EMEA 2019 Tel Aviv

Implementing a Primary Domain Controller for Windows 2000 Clients using Samba

CIT 470: Advanced Network and System Administration. Topics. Namespaces. Accounts and Namespaces. 1. Namespaces 2. Policies

The return of the vampires

FreeIPA Cross Forest Trusts

Linux with Active Directory

HP OpenVMS CIFS File Security and Management

OpenLDAP Everywhere Revisited

HP CIFS Server Administrator's Guide Version A.03.01

IdMap and Nss Info Interface Changes in Samba

Samba-3: Integration and Cost Reduction

configure samba for some basic file service tasks

ACCOUNT INFORMATION DATABASES

LDAP Authentication In Linux

Network-based File Sharing (1)

Lorikeet Integrated Authentication

Replacing Windows Servers with Linux

Likewise Open provides smooth integration with Active Directory environments. We show you how to install

HP CIFS Server Administrator Guide version A

Chapter 6: Connecting Windows Workstations

ClearCase and Samba. A Supported Configuration. Lonnie Roscillo and Sue Meany. December 12, ClearCase Support Whitepaper

Project #3: Implementing NIS

15. Creating a Samba Server in Knoppix v.3

Clustered NAS For Everyone Clustering Samba With CTDB. NLUUG Spring Conference 2009 File Systems and Storage

Sample Configuration File

Part Five. Appendixes

Applied Biosystems SQL*LIMS Technical Support Technical Note

Gerald Carter Samba Team/HP

Andrew Bartlett Hawker College

Copyright 2007, 2003, 2000 O Reilly Media, Inc. All rights reserved. Printed in the United States of America.

Filesharing. Jason Healy, Director of Networks and Systems

User Management: How do I authenticate against Active Directory using Centrify? How do I authenticate against Active Directory using Centrify?

Beyond the Horizon. What's after Samba 3.0? (Or is the earth really flat?)

System Administration

Windows Authentication With Multiple Domains and Forests

QuickSpecs. HP Advanced Server V5.1B-5 for UNIX. Overview. Retired

HP Advanced Server V5.1B-3 for UNIX. Overview

Oracle Solaris Cluster Data Service for Samba Guide

Subtitle: Join Sun Solaris Systems to Active Directory with Likewise

680 Subject Index. fake directory create times, 524 fake oplocks, 167, 524 File Naming Conventions, 162 File System, 160 case sensitivity, 161

Kerberos-enabled applications. Core services for UNIX shell programs and applications. Kerberos environment. Centrify DirectControl Service Library

Developing Management Strategies and Tools for Samba. Jeffrey Bianchine

Clustered NAS For Everyone Clustering Samba With CTDB A Tutorial At sambaxp 2009

SSSD. Client side identity management. LinuxDays 2012 Jakub Hrozek

444 Subject Index. cache, 402 cache directories, 363 caching, 372

10 userdel: deleting a user account 9. 1 Context Tune the user environment and system environment variables [3]

Cross-realm trusts with FreeIPA v3

Chapter 5: User Management. Chapter 5 User Management

SAMBA Project Documentation. Abstract. SAMBA Team. Last Update : Mon Apr 1 08:47:26 CST 2002

"Charting the Course... Enterprise Linux Security Administration Course Summary

Linux authentication using the System Security Services Daemon (SSSD) explained

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Samba ARMed and Ready

User & Group Administration

Windows Authentication With Multiple Domains and Forests

The Important Details Of Windows Authentication

The System Security Services Daemon (SSSD) explained

User accounts and authorization

Install and Configure Samba - CentOS 7

VAS 2.6 ADMINISTRATION GUIDE

Network-based File Sharing

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA. Alexander Bokovoy Red Hat Inc. May 4th, 2017

SerNet. Samba Status Update. SNIA SDC 2011 Santa Clara, CA. Volker Lendecke SerNet Samba Team

ONTAP 9. SMB/CIFS Reference. December _H0 Updated for ONTAP 9.3

by Adam Stokes draft 1 Purpose? This document is a rough draft intended on integrating Samba 3 with Red Hat Directory Server 7.1 (RHDS).

Index 299. Special Characters * (asterisk) deactivating users, 110 with rpm command, 51

Advanced iscsi Management April, 2008

Identity Management Scaling Out and Up

Advanced Network and System Administration. Accounts and Namespaces

Configuring and Managing WAAS Legacy Print Services

Setting Up SAMBA. And the response was: salmonberry samba sawtimber scramble. Thus, the name Samba was born.

2 SCANNING, PROBING, AND MAPPING VULNERABILITIES

User Accounts. The Passwd, Group, and Shadow Files

1 of 6. How to set up Permissions. Re: How to set up Permissions. Re: How to set up Permissions. Re: How to set up Permissions

DELL EMC UNITY: DR ACCESS AND TESTING. Dell EMC Unity OE 4.5

Wireless and Dorm Printing Overview

Clustering Samba With CTDB A Tutorial At sambaxp 2010

Clustering Samba With CTDB A Tutorial At sambaxp 2010

Configuring and Managing WAAS Print Services

Windows Authentication With Multiple Domains and Forests

What you need to know about Windows Security

Pre-Assessment Answers-1

STORAGE CONSOLIDATION WITH IP STORAGE. David Dale, NetApp

DELL EMC UNITY: DR ACCESS AND TESTING. Dell EMC Unity OE 4.3

STORAGE CONSOLIDATION WITH IP STORAGE. David Dale, NetApp

SISTEM OPERASI PELAYAN (SERVER) SKS 3104 SISTEM OPERASI RANGKAIAN SIJIL SISTEM KOMPUTER & SOKONGAN KOLEJ KOMUNITI PAYA BESAR

Współdzielenie plików samba Pakiety do instalacji: samba, smbclient apt-get install samba smbclient

Realms and Identity Policies

Running And Troubleshooting A Samba/CTDB Cluster. A Tutorial At sambaxp 2011

Windows Authentication With Multiple Domains and Forests

Active Directory Integration

0Activity Answers. Table A1-1: Operating system elements and security mechanisms. The Security Accounts Manager (SAM)

The CephFS Gateways Samba and NFS-Ganesha. David Disseldorp Supriti Singh

Transcription:

: Overview, Authentication, Integration John H Terpstra, CTO PrimaStasys Inc. jht@primastasys.com or jht@samba.org Page 1

About the speaker Long term Samba-Team member Author of official Samba documentation The Official Samba-3 HOWTO and Reference Guide ISBN: 0131453556 (Sept 2003) Open Source version: Samba-HOWTO-Collection Samba-3 by Example ISBN: 0131472216 (Mar 2004) Open Source version: Samba-Guide Author of additional books Hardening Linux, ISBN: 0072254971 (Jul 2004) OpenLDAP by Example, ISBN: 0131488732 (Nov 2004) More in production Page 2

Agenda Overview of Samba-3.0.x Samba Administration CIFS Security Security Modes / Models Backend Choices Infrastructure Tools Integrating Samba-3 into MS Windows Networks NT4 Style Domains Active Directory Finding Information Page 3

Overview Samba-3 Components: smb.conf file controls behavior smbd, nmbd, winbindd are the operative daemons nsswitch.conf file for identity management Infrastructure tools user and machine scripts share management scripts domain management tools Eg: SRVTOOLS.EXE, NESUS.EXE, MMC Group Management Page 4

Administration How do you want to manage Samba? From MS Windows clients (workstations) From UNIX server Management from MS Windows clients requires: Interface scripts Add / Delete / Modify users Add / Delete / Modify groups Add machines (Domain Member Servers / Clients) Change User Group Membership Create / Delete / Modify Shares Printer control programs Pre-execution Scripts Windows Administration Tools Page 5

CIFS Security Security Modes affect network design Network Operation Controls Workgroups Domains Authentication Methods Local UNIX security and Windows Users and Groups Access Control Lists Much abused Need to understand HOW ACLs will be backed up and copied to other servers Satisfy yourself that there is no other solution before using ACLs Page 6

Security Modes / Models There are only 2 security models Share Mode Like Windows for Workgroups Has passwords for Full Control Read Only User Mode Like MS Windows NT/2K Uses username and password Page 7

Samba Security Modes Set via smb.conf file [global] parameter security = XXXXX security = SHARE Accepts password from client, sequentially scans /etc/passwd until the first match is found security = USER (default) Uses username and password from client Encrypted Password Support Default for all security modes Page 8

Share Mode smb.conf file [global] # Default workgroup = WORKGROUP, we want MIDEARTH workgroup = MIDEARTH # Behavior like Windows for Workgroups security = share # We want a read only anonymous file server [Plans] path = /home/plans read only = Yes guest ok = Yes Page 9

User Mode smb.conf file # Global parameters [global] # Default is security = USER workgroup = BILLMORE # The following are for CUPS printing support printcap name = CUPS disable spoolss = Yes printing = cups # Get rid of the printer wizard in NT/200x show add printer wizard = No Page 10

Samba-Specific Security Modes security = SERVER Obsoleted, uses pass-through authentication Used with password server parameter to redirect authentication to a specified server security = DOMAIN Machine is an NT4 style Domain Member Server (DMS) Can be a workstation or a server Does NOT mean it is a Domain Controller security = ADS Machine is a member of an Active Directory Domain Page 11

NT4 Style Domains Samba-3 supports NT4 style Domain architecture Can be an NT4 style PDC or BDC Can NOT be a mixed: ie: Samba-3 PDC or BDC with NT4 BDC or PDC Page 12

NT4 Domain Controller (PDC) # Global parameters [global] workgroup = PROMISES # Netbios name default is hostname # We want name DIAMOND in browser netbios name = DIAMOND # Maps UNIX root to Windows Administrator username map = /etc/samba/smbusers # Netlogon server defines Domain Control domain logons = Yes Page 13

NT4 Domain Controller (BDC) # Global parameters [global] workgroup = PROMISES # Netbios name default is hostname # We want DIAMOND netbios name = DIAMOND # Maps UNIX root to Windows Administrator username map = /etc/samba/smbusers domain logons = Yes # Default domain master = Yes means is PDC,We want BDC domain master = No Note: Must join the Domain! net rpc join -Uroot%password Page 14

NT4 Domain Member (DMS) Can be (same configuration): Domain Member Server (DMS) Domain Member Client (DMS) # Global parameters [global] workgroup = BILLMORE # The following means be a DMS security = DOMAIN Page 15

Samba is Scalable Samba-3 scales beyond MS Windows NT4 Can have LDAP directory behind it NT4 can NOT have an LDAP directory behind it For that you need Windows 200x Active Directory Page 16

Samba-3 Exclusions Samba-3 is NOT an Active Directory replacement Samba-3 is a unique entity that has emerged from years of wrestling with Windows networking issues It is scalable and flexible Requires appropriate backend Page 17

Scalability: Definition First and foremost: Network clients can get uninterrupted services Network logon service File and Print service etc. This means: The right service in the right place at all times Load distribution Replication Upset/disaster recovery Page 18

Scalability: Load Distribution Achieved by: Sufficient network bandwidth Either local or WAN Distribution of servers Network Logon services File and Print services Other hosted services Web, Mail, Proxy, SQL, etc. (Not Samba issues) Page 19

Scalability: Network Logon Domain Control The core of Network Logon provision (3A's): Authentication Authorization Access Control Enable Domain Control by: domain logons = Yes On DMS machines: Use Winbind for IDMAP support Page 20

Scalability: Location of NT4 Style uses one PDC and BDCs Not structured Active Directory has LDAP based hierarchy Rule of thumb is on DC per 30-50 workstations This is an unreliable rule, some sites operate well with one DC for hundreds of workstations Good advice: network segment that has the PDC should have a BDC also Page 21

POSIX Only Backend Choices Can be /etc/passwd based, or through NSS If NSS, can be in LDAP, NIS, etc. Plain Text smbpasswd file based tdbsam Stores Security Account Manager (SAM) information in a binary file: ldapsam /etc/samba/passdb.tdb OR /usr/local/samba/lib/private/passdb.tdb Stores POSIX and SAM data in LDAP Page 22

Auxiliary Backends Experimental / Special Interest Backends XML SQL Page 23

Backend Configuration Control is via the smb.conf parameter in [global] known as passdb backend Recommended options: smbpasswd (default) tdbsam ldapsam Page 24

Infrastructure Tools Scripts provide glue between Windows network management environment and Samba host OS Called by Samba (smbd) Three Classes of Scripts (see next slide) Identity Resource Control Page 25

Script Class: Identity Mgmt Identity management add/delete/modify user scripts add/delete/modify group scripts add machine script change password Page 26

Scripts for POSIX Backend POSIX Backend means accounts in: /etc/passwd, /etc/shadow, /etc/group SMB Passwords in: /etc/samba/smbpasswd /etc/samba/passdb.tdb (passdb backend = smbpasswd) (passdb backend = tdbsam) SMB passwords are maintained by Samba add user script = /usr/useradd -m %u delete user script = /usr/userdel -r %u add group script = /usr/groupadd %g delete group script = /usr/groupdel %g add user to group script = /usr/usermod -G %g %u add machine script = /usr/useradd -s /bin/false -d /dev/null %u Page 27

Scripts for LDAP Backend Must store both POSIX account information as well as Samba SAM information in LDAP Does not work if only SAM info is stored in LDAP Requires LDAP Server (OpenLDAP is a good one) Requires LDAP Client tools pam_ldap (for login only) nss_ldap (for ID resolution) Page 28

smbldap_tools Scripts add user script = /opt/idealx/smbldap-useradd -a -m '%u' delete user script = /opt/idealx/smbldap-userdel '%u' add group script = /opt/idealx/smbldap-groupadd -p '%g' delete group script = /opt/idealx/smbldap-groupdel '%g' add user to group script = /opt/idealx/smbldap-groupmod -m '%u' '%g' delete user from group script = /opt/idealx/smbldap-groupmod -x '%u' '%g' set primary group script = /opt/idealx/smbldap-usermod -g '%g' '%u' add machine script = /opt/idealx/smbldap-useradd -w '%u' Note: Macros need to be quoted Configuration control file is in: /etc/smbldap_tools/smbldap.conf Page 29

Script Class: Resource Mgmt Resource management add/delete share add/delete printer Page 30

Script Class: System Control System Control shutdown abort shutdown etc. Page 31

IDMAP Backend Local storage OR LDAP based Cross Domain Identity Management Used to store mappings of foreign domain / machine SIDs to local UID/GIDs If stored in LDAP can provide consistent UID/GIDs for each NT SID encountered Needed for foreign machine SIDs and foreign domain SIDs Page 32

Configuration of IDMAP Local IDMAP file Must run winbindd Usually located in: or or /var/spool/samba/winbindd_idmap.tdb /var/cache/samba/winbindd_idmap.tdb /usr/local/samba/var/locks/winbindd_idmap.tdb [global]... idmap uid = 15000-20000 idmap gid = 15000-20000... Page 33

Configuration of IDMAP Using LDAP backend Must run winbindd Stores mapping data in LDAP Must have same UID/GID range on all clients ldap suffix = dc=abmas,dc=biz ldap admin dn = cn=manager,dc=abmas,dc=biz ldap idmap suffix = ou=idmap Idmap backend = ldap:ldap://frodo.abmas.biz:389 Page 34

Integration into Window Networks Provides authentication integration User logs onto machine (workstation or server) once Has transparent access to resources Provides file and print sharing Samba can integrate into both Windows network designs NT4 ADS Page 35

NT4 Style Domains Native support is built into Samba Requires use of winbindd Use NSS for passwd, group resolution Stores mapping table locally in winbindd_idmap.tdb file Page 36

NT4 Domain Member (DMS) Can be (same configuration): Domain Member Server (DMS) Domain Member Client (DMS) # Global parameters [global] workgroup = BILLMORE # The following means be a DMS security = DOMAIN Page 37

Active Directory Requires compilation with ADS option Requires Kerberos libraries MIT 1.3.1 or later Heimdal 0.61 or later Windows 2003 ADS requires the latest KRB versions Some UNIX and Linux vendors do NOT include ADS support in the Samba they ship! Sun Slackware Others? Page 38

ADS Domain Membership Uses Kerberos authentication protocols Requires correct configuration Example DC: london.abmas.biz security = ADS workgroup = LONDON realm = abmas.biz Requires joining the Domain by: net ads join -Uadministrator%password Page 39

Kerberos for ADS DMS Use default krb5.conf file Do NOT specify the encryption types! If you do, be forewarned that you may break interoperability with Windows 200x Must use latest versions of MIT Kerberos or Heimdal If using Heimdal, you must have an /etc/krb5.conf file to satisfy library needs Page 40

/etc/nsswitch.conf NSS Configuration for ADS DMS # /etc/nsswitch.conf passwd: group: hosts: files winbind files winbind files dns wins Page 41

PAM Configuration for ADS DMS Example: /etc/pam.d/login #%PAM-1.0 auth sufficient pam_unix2.so nullok auth sufficient pam_winbind.so use_first_pass use_authtok auth required pam_securetty.so auth required pam_nologin.so auth required pam_env.so auth required pam_mail.so account sufficient pam_unix2.so account sufficient pam_winbind.so user_first_pass use_authtok password required pam_pwcheck.so nullok password sufficient pam_unix2.so nullok use_first_pass use_authtok password sufficient pam_winbind.so use_first_pass use_authtok session sufficient pam_unix2.so none session sufficient pam_winbind.so use_first_pass use_authtok session required pam_limits.so Page 42

Finding Information ALWAYS Visit the Source! http://www.samba.org/samba/ Documentation Man pages Official Books Listing of published books Mailing Lists General, Technical Bug Tracking System http://bugzilla.samba.org/ Other Sources Page 43

Documentation Official (means part of Samba sources) The Official Samba-3 HOWTO and Reference Guide ISBN: 0131453556 Open source version: Samba-HOWTO-Collection (PDF and HTML) Samba-3 by Example ISBN: 0131472216 Open Source version: Samba-Guide (PDF and HTML) Man Pages Contributed Presentations, etc. on Samba.Org Page 44

The Official Samba-3 HOWTO Page 45

Samba-3 by Example Page 46

Documentation Unofficial There is a lot of it Most is of high quality Much is out of date It is time consuming to keep documentation up to date Many books See: http://www.samba.org/samba/books.html Samba-Team encourage unofficial source work! There is nothing exclusive in the title: Official Documentation Page 47

Q&A / Feedback Please send any questions or comments on this presentation to SNIA: (use your tutorial reflector address here) snia-snw-infrastructure@snia.org Page 48

END» FINISHED» DONE» Questions Page 49

SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individuals may use this material in presentations and literature under the following conditions: Any slide or slides used must be reproduced without modification The SNIA must be acknowledged as source of any material used in the body of any document containing material from these presentations. This presentation is a project of the SNIA Education Committee. Page 50

Graphics Users SAN Hubs, Switches, Routers SANmark Compliance Servers Disks or JBODs SAN Storage Tape Drive Disk Drive HBA Network NAS Appliance Gateway Page 51

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback