Wiki Kenny

SAMBA AD WIKI UBUNTU

SAMBA AD TRANQUIL.IT

DOC ACADIACYBERSEC

The following steps need to be performed in order to join the Samba 3 server to the Microsoft Windows Active Directory.

1. Liste numérotée Configure Kerberos.

The most important thing in configuring Kerberos is the /etc/krb5.conf file. There should be an example one in /etc you can modify. If not, then just create one. Here is a copy:

[logging]   
    default = FILE:/var/log/krb5libs.log   
    kdc = FILE:/var/log/krb5kdc.log   
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = SAMBA-TEST.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]   
    SAMBA-TEST.COM = {    
        kdc = SAMBA-TEST.SAMBA-TEST.COM:88    
        admin_server = samba-test:749    
        default_domain = samba-test.com   
}

[domain_realm]   
    .samba-test = samba-test.com   
    samba-test.com = samba-test.com

[appdefaults]   
    pam = {     
        debug = false     
        ticket_lifetime = 36000     
        renew_lifetime = 36000     
        forwardable = true     
        krb4_convert = false   
}

It is recommended that the realm name should be in upper case but this is not a requirement.

In this case, the realm is named the same as the AD Domain name. It just so happens that the AD Domain name is the same as the network domain name, but that is not always the case.

Use your AD DC as the Key Distribution Center (kdc) in your file. You should also list it as the admin server. If you have more than one DC in your AD domain, you can list them as kdc entries.

After you get the krb5.conf file done, you can test it with the kinit command.

Execute:

#kinit username@REALM

Username is the name of an account in your AD Domain. It should prompt you for a password. Enter the password for that user in the AD Domain. NOTE: You must enter the name of the realm in uppercase letters.

If it executes without error, then execute klist to see the Kerberos ticket. If you get any error messages, make sure:

• Liste à puce You have no spelling errors in the krb5.conf file.
• Liste à puce The times are synched on the machines.
• Liste à puce The password has been changed at least once on the username you are using.

After you get a ticket from the AD DC, test it by using Kerberos authentication with the smbclient command to view the shares on the Microsoft Window 2000 AD DC:

#smbclient -L /servername -k

This should return a list of all the shares on the DC.

1. Liste numérotée Configure Samba:

You now need to make the changes to your smb.conf file to enable Kerberos authentication and so you can join the AD domain. The important lines in smb.conf are:

realm = YOUR.REALM    
security = ads    
password server = <ip address or name of DC>    

Here is a copy of my smb.conf file:

[global]              
        workgroup = SAMBA-TEST0          
        server string = Customer-Test            
        netbios name = node2    
        ;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24          
        hosts allow = 127. 192.168.224. 16.138.174.240  
# logs split per machine          
    log file = /var/log/samba/%m.log  
# max 50KB per log file, then rotate          
    max log size = 50
            security = ads          
            passdb backend = tdbsam          
            realm = samba-test.com            
            password server = samba-test.samba-test.com
    local master = yes          
    os level = 255          
    preferred master = yes

[homes]          
    comment = Home Directories          
    browseable = no          
    writable = yes  
    ;       valid users = %S  
    ;       valid users = MYDOMAIN\%S    

[printers]          
    comment = All Printers          
    path = /var/spool/samba          
    browseable = no          
    guest ok = no          
    writable = no          
    printable = yes

After you make the changes to smb.conf and before you start Samba, you need to join the AD domain. Before you do so there are two things that you should check:

• Liste à puce If there is a file named /etc/samba/secrets.tdb either delete, move, or rename it. This file is from your previous connections to the domain. A new one will be created when you join the domain.
• Liste à puce If there is an existing machine account in your AD domain for your Samba server, delete it. A new one will be created when you join the AD domain.

Here are the commands used as root to join the AD domain:

#kinit Administrator@FAHDAZIZ.COM.PK    
#net ads join -U administrator%password

The first command gets the Kerberos ticket you need to authenticate to the AD domain. You need to use the username of an account in your AD domain that has permission to join computers to the domain. The second command joins the domain.

If you successfully join the AD domain, you should receive a message stating that you successfully joined the Domain. You should also see a new /etc/samba/secrets.tdb file. There should also be a new machine account created in your Active Directory. If you look at the properties of the machine account, you should see that the operating system is listed as Samba 3.0.

After you have successfully joined the AD domain, start Samba in RHEL using:

#service smb start

One advantage to using this type of authentication is that you do not need to create Samba accounts on the Linux server with the smbpasswdcommand. There is no need for the /etc/samba/smbpasswd file. Microsoft Windows users only need to be concerned with one user account.

However, each user that accesses the Samba server will still need to have a valid Linux user account on the server that matches the account in the AD domain. The purpose of this account is to control access to the Linux file system. The password for that account does not need to match the Microsoft Windows 2000 AD domain account password. The account does not even need to have the ability to log in locally to the Linux machine. It does have to exist however, and it must have the proper permissions to the directories you are sharing with Samba for the user to access them. This has not changed from Samba 2.2.

Using OpenSSL should work with any Active Directory Server platform. (Windows, Linux etc.). The example below, uses OpenSSL 1.1.0h 27 Mar 2018. If having difficulties using another version of OpenSSL, consult the appropriate OpenSSL documentation.

Requirements:

  Openssl
  FQDN or IP of the Active Directory Server
  LDAPS certificate installed in the Active Directory Server certificate store

Steps:

  Run the following command from your local computer: 
  openssl s_client -showcerts -connect <ip or fqdn of your active directory server>:636
  In the output, copy the certificate portion of the output to a text file

rtal

3. Save the text file as my_ldaps_cert.pem.

The saved certificate can be installed into any software that needs to connect to your Active Directory using LDAPS.

Requirements:

  Openssl installed on your Linux computer
  FQDN or IP of the Active Directory Server
  LDAPS certificate installed in the Active Directory Server certificate store

Perform the following steps:

  Enter the following command from your Linux computer:
  openssl s_client -showcerts -connect <fqdn of your ldap server>:636 -servername < fqdn of your ldap server> </d ev/null 2>/dev/null > my_ldaps_cert.pem
  Example:
  openssl s_client -showcerts -connect mydc.mycompany.com:636 -servername mydc.mycompany.com </d ev/null 2>/dev/null > my_ldaps_cert.pem
  Upload my_ldaps_cert.pem to the PCoIP Management Console. See Installing an Active Directory Certificate in the PCoIP Management Console Administrators' Guide.

The saved certificate can be installed into any software that needs to connect to your Active Directory using LDAPS.

The example below has been successfully tried on both Windows 2008 R2 and Windows 2016 Active Directory servers. Consult with your Active Directory documentation for official methods on obtaining the LDAPs certificate for use in your deployment.

Requirements:

  FQDN or IP of the Active Directory Server
  Administrator username and password of the Active Directory Server
  LDAPS certificate installed in the Active Directory Server certificate store

Perform the following steps:

  On the Active Directory Server, login as administrator.
      Launch mmc.exe.
      From the Console, click on File > Add/Remove Snap-in
      In the Add or Remove Snap-ins, select Certificates, then click Add.
      In the Certificates snap in dialog box, select Computer account, and click Next.
      In the Select Computer dialog, select Local computer: (the computer this console is running on), then click Finish.
      In the Add or Remove Snap-ins window, click OK.
      In the Console, in the left pane, browse to Certificates (Local Computer) > Personal > Certificates. Choose the correct LDAPS certificate. This is the certificate with the following information:
          Issued To: <the fqdn of your LDAP server>
          Issued By: <The Certificate Authority where your admin requested the certificate from>
      Right-click on the certificate and click All Tasks > Export.
      In the Certificate Export Wizard, do the following:
          Select not to export the private key
          Choose Base-64 encoded X.509 file format
          Save the certificate as my_ldaps_cert.pem.

The saved certificate can be installed into any software that needs to connect to your Active Directory using LDAPS.