AD Samba4

From Stadm


Samba 4 Active Directory Install

  • Note: Until this message removed consider the following a work in progress

Installing Samba 4 onto CentOS

  • Install a minimal install of CentOS
  • change the hostname
vi /etc/sysconfig/network
  • Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
  • manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vi ifcfg-eth0
  • Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
  • restart the network
service network restart
  • run yum update
  • install vim or an editor of your choice, vi comes included with minimal
  • SELinux is disabled in this guide because the source build installs under /usr/local/samba, which the stock CentOS policy does not label, so the daemons would be blocked. Setting SELINUX=permissive instead keeps SELinux logging denials to /var/log/audit/audit.log without enforcing them, which is the safer choice while you work out the labels; disabled removes the protection entirely
vim /etc/sysconfig/selinux
  • change "SELINUX=enforcing" to "SELINUX=disabled" (or "SELINUX=permissive")
  • restart the computer
shutdown -r now
  • required build dependencies (the same set as before, listed once). bind, bind-libs and openldap-servers* are only needed if you intend to use BIND as the DNS backend or run slapd alongside; the Samba internal DNS server used below needs neither, and an installed slapd is what causes the portreserve conflict on port 636 described under Misc
yum install gcc make glibc glibc-devel pkgconfig gdb \
  python-devel python-ldap libacl-devel libattr-devel libblkid-devel libaio-devel \
  gnutls-devel openssl-devel readline-devel zlib-devel popt-devel libpcap-devel \
  sqlite-devel libidn-devel libxml2-devel keyutils-libs-devel cyrus-sasl-devel \
  cups cups-devel pam-devel pam_krb5 pam_ldap nss-pam-ldapd openssh-ldap \
  krb5-server krb5-server-ldap krb5-workstation krb5-libs \
  openldap-devel openldap-clients openldap-servers openldap-servers-sql \
  bind bind-libs bind-utils ctdb-devel docbook-style-xsl \
  setroubleshoot-server setroubleshoot-plugins policycoreutils-python \
  libsemanage-python libsepol-devel setools-libs setools-libs-python
  • install git if you want to build the development tree (developer builds only; for a production DC use the stable release tarball below)
yum install git-core
  • the master tree moved in March 2014: the original clone URL http://gitweb.samba.org/samba.git is now (3-17-14) served from git://git.samba.org/samba.git
git clone git://git.samba.org/samba.git ~/samba-master
  • for a stable release, download the tarball (replace 4.1.12 with the current stable version) together with its detached signature and verify it before building; samba.org signs the uncompressed tar, so gunzip first, and import the Samba Distribution Verification Key from samba.org into gpg beforehand
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.asc
gunzip samba-4.1.12.tar.gz
gpg --verify samba-4.1.12.tar.asc samba-4.1.12.tar
  • reboot server so all packages and updates are applied
shutdown -r now
  • unpack the archive if not done already (tar xf samba-4.1.12.tar for the verified release tarball)
  • configure and build; replace samba-master with samba-[Version#] for a release build
cd ~/samba-master
./configure --enable-debug --enable-selftest
  • if configure completes, check its summary shows Active Directory (AD DC) support; if not, a dependency from the package list above is missing. --enable-debug and --enable-selftest are developer options and can be left off for a production build
make
make install

Creating script for starting and stopping samba service

cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
  • change the daemon path from /sbin/rdisc to /usr/local/samba/sbin/samba, in both the daemon and the killproc calls
  • delete the RDISCOPT variable and remove it from the daemon command
  • change the text echoed on start and stop so it names samba
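A complete init script as an alternative to hand-editing a copy of rdisc, written for this page as an added example (it is not the page's own script and is not shipped by Samba). It assumes the source build's default layout: daemon /usr/local/samba/sbin/samba, pid file /usr/local/samba/var/run/samba.pid, and the chkconfig header conventions of CentOS 6; adjust SAMBA_PREFIX if you configured a different --prefix. Save it as /etc/init.d/samba, chmod 755, then register it with chkconfig --add samba.

```shell
#!/bin/sh
#
# samba   Start/stop the Samba 4 AD domain controller built from source
#
# chkconfig: 345 80 20
# description: Samba 4 Active Directory domain controller (source build under /usr/local/samba)
#
# Added example for this page, not the page's rdisc-derived script and not shipped by Samba.
# Assumed (hypothetical) layout: --prefix=/usr/local/samba, so the daemon is
# /usr/local/samba/sbin/samba and its pid file is /usr/local/samba/var/run/samba.pid.

SAMBA_PREFIX="${SAMBA_PREFIX:-/usr/local/samba}"
DAEMON="${DAEMON:-$SAMBA_PREFIX/sbin/samba}"
PIDFILE="${PIDFILE:-$SAMBA_PREFIX/var/run/samba.pid}"
LOCKFILE="${LOCKFILE:-/var/lock/subsys/samba}"

# Print the pid recorded in $PIDFILE (digits only), or nothing if the file is missing/empty.
samba_pid() {
    [ -r "$PIDFILE" ] && tr -dc '0-9' < "$PIDFILE"
}

# 0 if the recorded pid is a live process, 1 if there is no pid file or it is stale.
# kill -0 needs permission to signal the process, so run this as root.
samba_running() {
    pid=$(samba_pid)
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

start() {
    if samba_running; then
        echo "samba (pid $(samba_pid)) is already running"
        return 0
    fi
    [ -x "$DAEMON" ] || { echo "$DAEMON is not executable" >&2; return 5; }
    rm -f "$PIDFILE"                 # leftover from an unclean shutdown
    printf 'Starting samba: '
    # samba daemonizes by itself and writes the pid file once it is up
    if "$DAEMON"; then
        touch "$LOCKFILE"
        echo OK
    else
        echo FAILED
        return 1
    fi
}

stop() {
    if ! samba_running; then
        echo "samba is not running"
        rm -f "$LOCKFILE"
        return 0
    fi
    pid=$(samba_pid)
    printf 'Stopping samba (pid %s): ' "$pid"
    kill -TERM "$pid"
    # the parent tears down its child processes; give it up to 10 seconds
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 10 ]; do
        sleep 1
        i=$((i + 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        printf 'still running, sending KILL: '
        kill -KILL "$pid"
    fi
    rm -f "$LOCKFILE" "$PIDFILE"
    echo OK
}

# LSB status codes: 0 running, 3 stopped
status() {
    if samba_running; then
        echo "samba (pid $(samba_pid)) is running"
        return 0
    fi
    echo "samba is stopped"
    return 3
}

case "${1:-}" in
    start|stop|status) "$1" ;;
    restart)           stop; start ;;
    "")                ;;   # sourced without an action: only define the functions above
    *)                 echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```

With no argument the file only defines its functions, so it can be sourced to test the pid-file logic; service samba status returns 3 when the daemon is stopped, as the LSB convention expects.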

Enabling Samba 4 as DC

  • add samba path to $PATH
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
  • run the provisioning tool interactively; it asks for realm, NetBIOS domain name, server role, DNS backend, DNS forwarder and the Administrator password, offering a default for each. Add --use-rfc2307 so the AD schema carries the Unix uidNumber/gidNumber attributes that the ID mapping and SSSD sections below rely on; adding them later means a manual schema extension
/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
  • the Administrator password must satisfy the default password policy (minimum length 7, complexity on); choose a strong one, this account controls the whole domain
  • once the provision tool has finished successfully restart the server
shutdown -r now
  • once the system is up, start samba by hand and make it start at boot. Until the init script from the previous section is in place, the daemon can be appended to rc.local; with the script installed use chkconfig instead, which also gives you "service samba stop" and "service samba status"
/usr/local/samba/sbin/samba
vim /etc/rc.d/rc.local
  • append "/usr/local/samba/sbin/samba" without quotations to the end of the file and save (remove the line again once chkconfig manages the service)
chkconfig --add samba
chkconfig samba on
  • samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

Configuring DNS

  • DNS forwarding was set up during domain provisioning by samba-tool
cat /usr/local/samba/etc/smb.conf
  • there should be a line under "[global]" that says "dns forwarder = ***.***.***.***"; if it is missing, no forwarder was entered during provisioning and lookups outside the domain will fail until you add one
  • edit resolv.conf
vim /etc/resolv.conf
  • make it look exactly like this, where 128.***.***.** is the address of the CentOS server itself: the DC must resolve through its own DNS server so the AD records tested below are found, and the forwarder handles everything else
domain mydomain.com
nameserver 128.***.***.**
  • next go back and edit ifcfg-eth0 in network-scripts
vim /etc/sysconfig/network-scripts/ifcfg-eth0
  • change the file to look like this
DEVICE="eth0"
BOOTPROTO="none"
DNS1="128.***.***.**" #this is host ipaddress
GATEWAY=128.**.***.*
HWADDR="84:B4:C1:0A:**:**"
IPADDR="128.***.***.**"
IPV6INIT="no"
NM_CONTROLLED="yes"
ONBOOT="yes"
PREFIX="24"
TYPE="Ethernet"
  • reboot so that all changes may take effect
shutdown -r now
  • login and test that the DNS is working properly
host -t SRV _ldap._tcp.mydomain.com
  • where mydomain.com is then name of the domain you are on
  • output should look like, where samba is the hostname of your server
_ldap._tcp.mydomain.com has SRV record 0 100 389 samba.mydomain.com
  • test with
host -t SRV _kerberos._udp.mydomain.com
  • output
_kerberos._udp.mydomain.com has SRV record 0 100 88 samba.mydomain.com
  • last test
host -t A samba.mydomain.com.
  • output should return the server's own address (the IPADDR from ifcfg-eth0), e.g.
samba.mydomain.com has address 192.168.0.2
  • if any of the three lookups does not produce that output, DNS is not configured properly; the usual cause is resolv.conf not pointing at the server itself
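To run the lookups above in one go, together with the Kerberos TCP, kpasswd and global catalog records that Windows clients also query, here is a small check script added for this page; it is not from the original page or from Samba. It assumes host from bind-utils and that the DC is the configured resolver, and it takes the domain and DC host name as arguments (the defaults are the page's placeholders). The output matching is kept in separate functions so it can be exercised on captured host output without a live DC.

```shell
#!/bin/sh
# check_dc_dns.sh - verify the DNS records a Samba AD DC must publish for clients to find it.
# Added example for this page (not from the page or from Samba). Assumes "host" from
# bind-utils and that the DC is the resolver in /etc/resolv.conf. Arguments: domain and
# DC host name; the defaults below are the page's placeholders.

# srv_ok OUTPUT PORT HOST: 0 if a line of "host -t SRV" output points at HOST on PORT.
srv_ok() {
    host_re=$(printf '%s' "$3" | sed 's/\./\\./g')       # literal dots in the regex
    printf '%s\n' "$1" | grep -Eq "has SRV record [0-9]+ [0-9]+ $2 ${host_re}\.?$"
}

# a_ok OUTPUT HOST: 0 if "host -t A" output carries an IPv4 address for HOST.
a_ok() {
    host_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -Eq "^${host_re}\.? has address ([0-9]{1,3}\.){3}[0-9]{1,3}$"
}

# check_dc_dns DOMAIN DCHOST: run every lookup, print ok/FAIL per record, return 1 on any failure.
check_dc_dns() {
    domain=$1
    dchost=$2
    rc=0
    # SRV names the provision publishes, with the fixed AD service port each must carry
    for entry in "_ldap._tcp.$domain 389" \
                 "_kerberos._tcp.$domain 88" \
                 "_kerberos._udp.$domain 88" \
                 "_kpasswd._tcp.$domain 464" \
                 "_gc._tcp.$domain 3268"; do
        name=${entry% *}
        port=${entry#* }
        out=$(host -t SRV "$name" 2>&1)
        if srv_ok "$out" "$port" "$dchost"; then
            echo "ok   $name -> $dchost:$port"
        else
            echo "FAIL $name: $out"
            rc=1
        fi
    done
    out=$(host -t A "$dchost" 2>&1)
    if a_ok "$out" "$dchost"; then
        echo "ok   $dchost has an A record"
    else
        echo "FAIL $dchost: $out"
        rc=1
    fi
    return "$rc"
}

# Run the checks only when a domain is given, so the file can also be sourced for its functions.
if [ $# -ge 1 ]; then
    check_dc_dns "$1" "${2:-samba.$1}"
fi
```

Run it as sh check_dc_dns.sh mydomain.com samba.mydomain.com; a non-zero exit means at least one record is missing or points at the wrong host, which is exactly the state in which a domain join fails with "the domain could not be contacted".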

Firewall

  • rules for the INPUT chain in /etc/sysconfig/iptables; they must come before the final REJECT line. This is the port set a Samba AD DC actually listens on, with the duplicate rules removed and entries that are not Samba services dropped (tcp 25 SMTP, tcp 5722 Windows DFS-R, udp 445). Samba 4.1 answers DCE/RPC on dynamic ports 1024-1300, so a single tcp 1024 rule is not enough; Samba 4.7 and later default to 49152-65535 (smb.conf "rpc server dynamic port range"). The addresses in this guide are routable (128.x.x.x), so restrict every rule to your own subnets with -s: a domain controller must never accept LDAP, Kerberos or SMB from the whole Internet
# DNS
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
# Kerberos
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
# RPC endpoint mapper and dynamic RPC ports
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 1024:1300 -j ACCEPT
# NetBIOS name service, datagram and session
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
# LDAP, CLDAP (DC locator pings), LDAPS
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 636 -j ACCEPT
# SMB
-A INPUT -p tcp --dport 445 -j ACCEPT
# Kerberos password change
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
# Global catalog, plain and TLS
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
  • if domain members are to sync time from the DC (see the NTP section), also allow NTP
-A INPUT -p udp --dport 123 -j ACCEPT

Kerberos

  • back up the original krb5.conf and replace it with the copy samba generated. The provision also writes a ready-filled /usr/local/samba/private/krb5.conf with the realm already set; copying that one instead of the template skips the edit below
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
  • edit the new krb5.conf and replace ${REALM} with the realm chosen during domain provisioning, in ALL CAPS
vim /etc/krb5.conf
  • test Kerberos with kinit; if the KDC is reachable you are asked for the Administrator password ("Cannot contact any KDC for realm" means DNS or the samba process is not working)
kinit administrator@MYDOMAIN.COM
  • verify with klist; the output should look something like
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting       Expires              Service principal
07/25/13 15:23:33    07/26/13 01:23:33    krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until 07/26/13 15:23:31

NTP

  • install ntp
yum install ntp
  • start ntp
/etc/init.d/ntpd start
  • add ntp to start up
chkconfig ntpd on

Windows Domain

Add Windows computer to domain

  • manually edit network settings to point DNS to samba4 server
  • assign static ip so there are no problems with joining computers to domain
  • ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
  • ping FQDN to verify DNS is working
ping samba4.mydomain.com
  • you should get replies from both, verifying that you can reach the server and that DNS is working
  • run the date command on the server
date
  • set the date and time on the Windows computer to match the server's; Kerberos rejects requests when the clocks differ by more than the allowed skew (5 minutes by default). Once joined, the member syncs time from the DC automatically, which is why the DC runs ntpd
  • Right click on "My Computer" and click "Properties"
  • Under "Computer name, domain, and workgroup settings" click change settings
  • Under "Member of" check "Domain"
  • Type in the name of your domain in full uppercase letters, ex.
    • MYDOMAIN.COM
  • When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
  • Once you have joined the domain restart the computer and you can now log in to the domain

Adding Profile path to Samba

  • make the folder where the profiles will be stored
mkdir /usr/local/samba/var/profiles
  • add a share for that location to smb.conf
vim /usr/local/samba/etc/smb.conf

[profiles]
path = /usr/local/samba/var/profiles
read only = No
  • check that the file still parses, then reload samba (a reload is enough, no restart needed)
/usr/local/samba/bin/testparm -s
/usr/local/samba/bin/smbcontrol all reload-config
  • check the shares on the server; profiles should be listed
smbclient -L localhost -U%
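The steps above (directory, [profiles] section, parse check, reload, share listing) as one idempotent script, added for this page and not the page's or Samba's own code. It assumes the source-build paths /usr/local/samba/etc/smb.conf and /usr/local/samba/bin; share name and path are arguments, so the same script also creates the [users] share used later for folder redirection. The smb.conf edit is checked with testparm before samba is told to reload, so a typo cannot leave the DC running without its shares.

```shell
#!/bin/sh
# add_share.sh - create a share directory and add its [section] to smb.conf idempotently,
# then validate the file and reload samba. Added example for this page (not from the page
# or from Samba). Assumes the source-build layout: /usr/local/samba/etc/smb.conf and the
# tools in /usr/local/samba/bin.

SMB_CONF="${SMB_CONF:-/usr/local/samba/etc/smb.conf}"
SAMBA_BIN="${SAMBA_BIN:-/usr/local/samba/bin}"

# share_defined CONF NAME: 0 if a "[NAME]" section header already exists (whitespace tolerant).
share_defined() {
    grep -Eq "^[[:space:]]*\[$2\][[:space:]]*$" "$1"
}

# count_sections CONF NAME: number of "[NAME]" headers in the file (must stay 1 after add_share).
count_sections() {
    grep -Ec "^[[:space:]]*\[$2\][[:space:]]*$" "$1"
}

# add_share CONF NAME PATH: append the section unless it is already there; prints added/exists.
add_share() {
    conf=$1
    name=$2
    path=$3
    if share_defined "$conf" "$name"; then
        echo exists
        return 0
    fi
    printf '\n[%s]\n\tpath = %s\n\tread only = No\n' "$name" "$path" >> "$conf"
    echo added
}

# Full procedure when invoked as: add_share.sh NAME DIRECTORY
if [ $# -eq 2 ]; then
    name=$1
    dir=$2
    mkdir -p "$dir"
    # root-owned and traversable; the Windows ACLs set from a client later tighten this
    chmod 755 "$dir"
    add_share "$SMB_CONF" "$name" "$dir"
    if ! "$SAMBA_BIN/testparm" -s "$SMB_CONF" >/dev/null; then
        echo "smb.conf fails testparm; fix it before reloading samba" >&2
        exit 1
    fi
    "$SAMBA_BIN/smbcontrol" all reload-config
    "$SAMBA_BIN/smbclient" -L localhost -U% | grep -w "$name"
fi
```

Running it twice with the same name is safe: the second run reports exists and leaves smb.conf untouched, which matters because a duplicated section silently overrides the first one in Samba's parser.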

Change Security on Profiles folder

  • log in to the domain as Administrator on a Windows 7 computer
  • open My Computer and navigate to "\\servername", e.g. "\\samba4"
  • right-click the profiles folder, select Properties and open the Security tab
  • give Domain Admins Full Control
  • add Domain Users with Traverse folder/execute file, List folder/read data and Create folders/append data, applied to "This folder only": users can then create their own profile folder but cannot read each other's. The per-user folders are owned by whoever creates them, so give CREATOR OWNER Full Control on subfolders and files

Install RSAT

  • Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
  • Install, Once installed open up control panel and then open up programs, then programs and features
  • on the left pane click "Turn Windows features on or off"
  • Select all under Remote Server Administration Tool, then click okay

Adding User and profile path

  • From a windows computer with RSAT installed run: dsa.msc
  • create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
  • then run: gpupdate /force
  • Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
  • If you're having Group Policy Issues you can view what has been applied by gpresult
  • From command line run:
gpresult /H filename.html
  • or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html

Folder Security

  • create a share for the users' folder redirections; in production this belongs on an NFS (or other) mount, the example uses a local directory
[users]
       path = /usr/local/samba/var/data/users
       comment = temp user folders for folder redirection, move to NFS
       read only = No
  • make the directory, or have the NFS export mounted there. 3000000 is a group id samba allocated in its idmap for one of the domain groups (wbinfo --gid-to-sid 3000000 shows which); 755 lets members traverse it until the Windows ACLs below replace the permissions
mkdir -p /usr/local/samba/var/data/users
chown root:3000000 /usr/local/samba/var/data/users
chmod 755 /usr/local/samba/var/data/users
  • log in to a Windows computer as a domain administrator to change the permissions on the users folder
  • navigate to \\mydomain.edu\users (or \\servername\users)
  • right-click the users folder, select Properties, go to the Security tab, click Advanced, then Change Permissions
  • remove all current permissions and add the new ones, making sure "Include inheritable permissions from this object's parent" is NOT checked
  • add:
    • Administrator: Full Control : This Folder, Subfolder, and Files
    • Domain Admins: Full Control : This Folder, Subfolder, and Files
    • SYSTEM: Full Control : This Folder, Subfolder, and Files
    • CREATOR OWNER: Full Control : Subfolder, and Files
    • Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
  • restart samba and verify that the settings persisted: samba stores the Windows ACEs as a POSIX ACL plus an extended attribute, so getfacl on the directory should show the domain groups (by their idmap gids) with the access you granted
getfacl /usr/local/samba/var/data/users
  • returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---

Folder Redirection with GPO

  • download the ADMX files for Windows 7/2008 and place them in the central store \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions (create the folder if it does not exist; once present, the Group Policy editor uses it instead of the templates on the local machine)
  • service samba restart
  • Create OU in AD and add a couple users
  • Open up Group Policy Management
  • Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
  • edit linked GPO
  • Go to User Configuration => Policies => Windows Settings => Folder Redirection
  • Click each folder and change setting under "Target" tab to:
    • Setting: Basic - Redirect everyone's folder to the same location
    • Target Folder Location: Create a folder for each user under the root path
    • Root path:\\MYDOMAIN.EDU\users
  • under the "Settings" tab
    • Uncheck "Grant the user exclusive rights to (name_of_folder)"
    • under policy removal: Leave the folder in the new location when policy is removed should remain checked
  • because the redirected folders now live on a UNC path, Windows treats shortcuts stored there as untrusted content and asks for confirmation every time one is opened; adding the domain to the Local intranet zone stops that
  • Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
  • Double Click Security Zones and Content Ratings
  • A windows may pop up before you can edit settings click "continue"
  • click modify settings, click on Local intranet, click Sites, click Advanced
  • add:
file://mydomain.edu
  • click, close, OK, OK, and Apply
  • configuring the automatic conflict resolution policy for Offline Files (when a sync conflict arises, keep the last-modified copy)
  • navigate to Computer Configuration => Preferences => Windows Settings => Registry
  • create a new registry item
  • key path: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling
  • value name: the UNC path of the share whose conflicts should be resolved automatically, e.g. \\DOMAIN\users (one value per share)
  • value data: 4 (REG_DWORD); the meanings are
    • 0-7:
      • 1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
      • 2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
      • 4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
  • save and apply

Map a Network Drive with GPO

  • Go to User Configuration => Preferences => Windows Settings => Drive Maps
  • Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
  • click Okay
  • the mapping is applied at the next Group Policy refresh; run gpupdate /force on the client to apply it immediately (a samba restart is not required for GPO changes)
  • make sure the SMB ports are open on the server's firewall or the mapped drive will not connect: tcp 445 and, for NetBIOS-style access, tcp 139 and udp 137-138

Windows Update GPO

  • Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
  • Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
  • copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
  • Edit GPO
  • Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
  • still being tested; enable the following (http://servername:port is the WSUS server)
Configure Automatic Updates: Enabled: 4 - Auto download and schedule the install: Every day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port for both the update service and the statistics server
Automatic Updates detection frequency: Enabled: 12 hours
Allow non-administrators to receive update notifications: Enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on users for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable client-side targeting: Enabled or Disabled (assigns computers to a named WSUS target group, useful for organizing WSUS)
Allow signed updates from an intranet Microsoft update service location: Enabled

SSSD

  • this sssd.conf was carried over from an OpenLDAP-backed setup and is not yet adapted to the Samba AD DC: the bind DN cn=Manager and the ou=idmap / ou=Group search bases are OpenLDAP conventions, and krb5_realm has no effect while auth_provider = ldap. Two things to fix before using it as-is: it set ldap_tls_reqcert twice (allow, then demand); only demand is kept below, because allow accepts any certificate and an attacker on the path could then answer the LDAP lookups that decide who is in which group. And because ldap_default_authtok stores a clear-text bind password, the file must be root-owned with mode 0600 (sssd checks this at start). debug_level = 8 is a troubleshooting setting; lower it once the domain works. SSSD also ships a dedicated AD provider (id_provider = ad, Kerberos authentication with the machine keytab instead of a bind password) that fits a Samba AD domain better than the generic ldap provider
vim /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://domain.edu
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_tls_reqcert = demand
cache_credentials = True
ldap_search_base = dc=domain,dc=edu
ldap_user_search_base = ou=idmap,dc=domain,dc=edu
ldap_group_search_base = ou=Group,dc=domain,dc=edu
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_group_member = member
ldap_group_nesting_level = 4
ldap_default_bind_dn = cn=Manager,dc=domain,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = ******
krb5_realm = $REALM
debug_level = 8

[nss]

[pam]

ACL

  • grant Domain Admins the right to manage share permissions from Windows (SeDiskOperatorPrivilege); -U names the domain administrator to authenticate as and the command prompts for the password
net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U administrator
  • view which accounts hold which privileges
net rpc rights list accounts -U administrator
  • set a POSIX ACL entry directly, e.g. rwx for a group on a directory (add -d to set the default ACL inherited by new entries, -R to recurse)
setfacl -m "g:groupname:rwx" folder
  • copy the complete ACL of one directory onto another (the ACL read from stdin replaces the target's)
getfacl folder | setfacl --set-file=- other_folder

Misc

  • after a yum update portreserve may have been updated and interferes with samba: it reserves port 636 for slapd (the reservation file comes with the openldap-servers package from the dependency list), while samba itself serves LDAPS on 636 and then cannot bind it
  • remove the slapd reservation from /etc/portreserve and restart the server; portreserve no longer holds 636 and samba can use it. If you do not run slapd, removing the openldap-servers package avoids the conflict permanently
cd /etc/portreserve
rm slapd
  • deleting a corrupted user profile from the registry
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
  • enabling Network Level Authentication for Remote Desktop via GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

ID Mapping/Group Mapping

Extending Schema for UIDs

  • saved links for this section:
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf
