
Page 1: Auth by 2003 Domain

Arrive Technologies Inc.

Specification

Auth by 2003 Domain

Samba 3 Authenticating to a Windows 2003 Active Directory

Abstract: This document is provided to the IT Department.

Last Updated: 10-Feb-10

Author(s):

Bao, Cao Cu

Approved on dd-mmm-yy by:

This controlled document is the property of Arrive Technologies Inc.

Any duplication, reproduction, or transmission to unauthorized parties is prohibited.

Copyright 2008


Contents

1. Introduction
   1.1. Scope
   1.2. Revision History
   1.3. Related documentation
2. Server Configure
   2.1. Server Configure
        2.1.1. Network Diagram
   2.2. Install and Configuring The Samba Winbind
3. Firewall
4. Configure files
5. Open Issues
6. Appendix A
7. Appendix B

Copyright 2008. Arrive Technologies Inc. Page i. Internal Doc. Subject to Change


1. INTRODUCTION

1.1. Scope

Integration of Linux and Microsoft Windows 2003 through a unified logon has long been a goal in heterogeneous network computing environments. This document describes how to achieve it by joining a Samba 3 server to the Windows 2003 domain and authenticating Linux logins against it through winbind.

1.2. Revision History

Version   Author(s)      Description   Date
2.0       Bao, Cao Cu                  23-05-2009

1.3. Related documentation

[1] www.samba.org

2. SERVER CONFIGURE

2.1. Server Configure

2.1.1. Network Diagram

Server name       Linuxserv01
IP                10.0.0.6
Subnet            255.0.0.0
Default gateway   10.0.0.2
DNS               10.0.0.2

User     Password
root     admin4itlinux
admin    !tadminm@in

Computer requirements

Item          Recommended
Computer      1 x Pentium 4 3.0 GHz
Memory        1 GB
Hard drive    1 x 80 GB
Software      Linux CentOS 4.7, OpenLDAP, Samba tools

Hard drive:

SATA port 1: ST3200820AS, /dev/sda (LABEL [1])

Mount point   Size    Device
/             10 GB   /dev/sda2
/home         68 GB   /dev/sda1
swap           2 GB   /dev/sda3

Edit /etc/hosts. List the fully qualified name first and the short name as an alias, so that the server's own name and the domain controller's name resolve the same way whether or not DNS is reachable (the DC's FQDN is assumed to follow the same naming as the server's):

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1   localhost
10.0.0.6    linuxserv01.atvn.com.vn   linuxserv01
10.0.0.2    demon.atvn.com.vn         demon

Edit /etc/sysconfig/network:

NETWORKING=yes
HOSTNAME=linuxserv01.atvn.com.vn
GATEWAY=172.33.32.1

Note that this GATEWAY value differs from the 10.0.0.2 default gateway in the table above; use whichever matches the subnet the server is actually on.


2.2. Install and Configuring The Samba Winbind

Install

yum install samba perl-Crypt-SmbHash perl-Unicode-Map

(yum takes a space-separated package list, not a comma-separated one.)

Configure nsswitch.conf and Winbind libraries on Linux

Samba 3 may auto-install the Winbind NSS files into their correct locations on your system. Before you get too far down the track, check whether the following step is really necessary: if the RPM already installed libnss_winbind.so.2, you only need to configure /etc/nsswitch.conf. glibc loads NSS modules under the name libnss_<service>.so.2, so in order to run the winbindd daemon through nsswitch the library it provides has to be reachable under that name:

cp /usr/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

Now, as root you need to edit /etc/nsswitch.conf to allow user and group entries to be visible from the winbindd daemon.

vi /etc/nsswitch.conf

My /etc/nsswitch.conf file looks like this after editing:

passwd:     files winbind
shadow:     files winbind
group:      files winbind

The libraries needed by the winbindd daemon are entered into the ld.so cache the next time the system reboots. To pick them up immediately, and to confirm that the loader sees them, run:

ldconfig -v | grep winbind

Configure Samba

Edit /etc/samba/smb.conf:

[global]
   workgroup = ATVN
   server string = Server - HCMC Reference Server
   password server = *
   security = domain
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd

   # separate domain and username with '/', like DOMAIN/username
   winbind separator = /

   # use uids from 16777216 to 33554431 for domain users
   idmap uid = 16777216-33554431

   # use gids from 16777216 to 33554431 for domain groups
   idmap gid = 16777216-33554431

   # allow enumeration of winbind users and groups
   winbind enum users = yes
   winbind enum groups = yes

   # give winbind users a real shell (only needed if they have telnet access)
   template homedir = /home/ATVN/%U
   template shell = /bin/bash

   winbind use default domain = yes
   winbind cache time = 10

   # PAM parameters
   obey pam restrictions = no

After you have these edited, run testparm and correct any errors it reports. With just the changes above there should not be any.
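The nsswitch.conf and smb.conf edits above are easy to get subtly wrong (a separator that does not match the one used in share definitions, an idmap range that collides with local accounts, a create mask that leaves new files world-writable) and testparm does not catch any of that. The following shell script is an example added to this document, not part of the original Arrive specification or of Samba: it audits both files offline for the settings this procedure depends on. The input files are constructed fragments modelled on this document's configuration, and the function names (nss_has_winbind, smb_value, audit_smbconf) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original document: an offline audit of the
# nsswitch.conf and smb.conf settings a Samba 3 domain member depends on.
# The inputs are constructed fragments modelled on this document's files;
# point the functions at /etc/nsswitch.conf and /etc/samba/smb.conf for real use.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# nss_has_winbind FILE DB: succeed if database DB (passwd, group, ...) lists winbind.
nss_has_winbind() {
    grep -E "^[[:space:]]*$2[[:space:]]*:" "$1" | grep -qw winbind
}

# smb_value FILE SECTION KEY: print KEY's value from [SECTION], or nothing if unset.
# Section and key names are case-insensitive and keys may contain spaces, as in smb.conf(5).
smb_value() {
    awk -v sec="$2" -v want="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*/, "", s)
                        insec = (tolower(s) == tolower(sec)); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(want)) { print v; exit }
        }' "$1"
}

# audit_smbconf FILE: print one line per problem; succeed only when there are none.
audit_smbconf() {
    f=$1; n=0
    sec=$(lower "$(smb_value "$f" global security)")
    case $sec in
        domain|ads) ;;
        *) echo "security = '${sec:-unset}': a domain member needs domain or ads"; n=$((n+1)) ;;
    esac
    enc=$(lower "$(smb_value "$f" global "encrypt passwords")")
    [ "$enc" = no ] && { echo "encrypt passwords = no: a 2003 DC rejects plaintext logons"; n=$((n+1)); }
    for k in "idmap uid" "idmap gid"; do
        r=$(smb_value "$f" global "$k"); lo=${r%%-*}; hi=${r##*-}
        if [ -z "$r" ] || [ "$lo" -ge "$hi" ] 2>/dev/null; then
            echo "$k = '${r:-unset}': expected LOW-HIGH with LOW < HIGH"; n=$((n+1))
        elif [ "$lo" -lt 1000 ] 2>/dev/null; then
            echo "$k starts at $lo: overlaps local system accounts"; n=$((n+1))
        fi
    done
    sep=$(smb_value "$f" global "winbind separator"); [ -n "$sep" ] || sep='\'
    vu=$(smb_value "$f" homes "valid users")
    case $vu in
        ""|*%D%w*|*%D"$sep"*) ;;   # %w expands to the configured separator
        *%D*) echo "[homes] valid users = '$vu' does not use winbind separator '$sep'"; n=$((n+1)) ;;
    esac
    mask=$(smb_value "$f" homes "create mask")
    case $mask in
        *[2367]) echo "[homes] create mask = $mask makes every new file world-writable"; n=$((n+1)) ;;
    esac
    [ "$n" -eq 0 ]
}

# --- constructed inputs ------------------------------------------------------
TMP=${TMPDIR:-/tmp}/smbaudit.$$
mkdir -p "$TMP"
cat >"$TMP/nsswitch.conf" <<'EOF'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
EOF
# As in this document: "+" in valid users although the separator is "/",
# and a 0777 create mask on home directories.
cat >"$TMP/smb.conf.asis" <<'EOF'
[global]
   workgroup = ATVN
   security = domain
   encrypt passwords = yes
   winbind separator = /
   winbind use default domain = yes
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
[homes]
   comment = Home Directories
   valid users = %D+%S
   writable = yes
   create mask = 0777
   directory mask = 0775
EOF
# Corrected form: %w always expands to whatever winbind separator is set to.
sed -e 's/%D+%S/%D%w%S/' -e 's/create mask = 0777/create mask = 0644/' \
    "$TMP/smb.conf.asis" >"$TMP/smb.conf.fixed"

for db in passwd group; do
    nss_has_winbind "$TMP/nsswitch.conf" $db && echo "nsswitch: $db consults winbind"
done
audit_smbconf "$TMP/smb.conf.asis"  || echo "smb.conf as written: problems listed above"
audit_smbconf "$TMP/smb.conf.fixed" && echo "smb.conf corrected: clean"
```

The parser deliberately mirrors Samba's own rules (section and key names are case-insensitive, keys may contain spaces, ";" and "#" both start comments) so that a file testparm accepts is read the same way here. Run the audit on the live files after every smb.conf change, before restarting smb and winbind.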


Next, start Samba and join the machine to the ATVN domain:

service smb start
net rpc join -S Demon -U sysadmin

The join prompts for the password of sysadmin, which must be an account allowed to add computers to the domain.

Winbindd can now run in "dual daemon mode", which makes it run as two processes. The first answers all requests from the cache, so clients get faster responses; the other refreshes the cache for the query the first has just answered. The result is responses that are both fast and accurate. Enable dual daemon mode by adding -B to the command line:

winbindd -B

Now, for the real test, try to get some information about the users and groups on the domain controller:

wbinfo -u

Administrator
bhtcuong
billing
bqngoc
...
bththanh
ccbao
cdquan
...

wbinfo -g

This should list the domain groups in the same way (the listing pasted in the original repeated the user list, so it is omitted here).

getent can now be used to get unified lists of both local and domain users and groups. Try the following commands:

getent passwd
getent group

Each returns a list that looks like /etc/passwd (or /etc/group) followed by the domain users (or groups) with their new UIDs, GIDs, home directories and default shells.

Samba and Winbind will not automatically start when the server reboots; enable them with chkconfig. The immutable bit can then be set on smb.conf to prevent accidental deletion or overwriting of a file that must be protected; it also stops anyone creating a hard link to it (root has to clear it with chattr -i before editing the file again). Do this with:

chkconfig --level 345 smb on       # start Samba automatically
chkconfig --level 345 winbind on   # start winbind automatically
chattr +i /etc/samba/smb.conf

Configure Winbind and Pam

The /etc/pam.d/login file can be changed. It now looks like this:

auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
session    required     pam_mkhomedir.so


The lines were added in this order: auth required pam_securetty.so at the top, to disallow root logins over the network; auth sufficient /lib/security/pam_winbind.so below it; and auth sufficient /lib/security/pam_unix.so use_first_pass after the winbind line, to get rid of the annoying double password prompt. Note that a sufficient module that succeeds ends the auth stack immediately, so anything listed below it (here pam_stack.so and pam_nologin.so) is not consulted for a user pam_winbind accepts; if /etc/nologin must be honored for domain users, move pam_nologin.so above the sufficient lines.

The /etc/pam.d/system-auth file: add a pam_mkhomedir.so line at the end of the session stack. It now looks like this:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      pam_mkhomedir.so
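Because sufficient short-circuits the stack, ordering mistakes in these PAM files are easy to make and hard to notice until a domain user bypasses a check meant for everyone. The shell script below is an example added to this document (it is not from the original Arrive specification or from Linux-PAM): it reads a pam.d-style file and flags the problems discussed above, namely pam_securetty.so or pam_nologin.so placed below the first sufficient auth module, pam_winbind.so missing from auth or account, and pam_mkhomedir.so missing from session (open issue 1 in this document). It runs on a constructed copy of the /etc/pam.d/login stack listed above; pam_lines and pam_audit are the example's own names.

```shell
#!/bin/sh
# Added example, not part of the original document: an offline check of the
# ordering and completeness rules a PAM stack must respect once pam_winbind.so
# is marked "sufficient". The input is a constructed copy of the /etc/pam.d/login
# stack above; run pam_audit against a real /etc/pam.d/<service> file to use it.

# pam_lines FILE TYPE: print "N CONTROL MODULE" for each TYPE line (N = 1, 2, ...),
# skipping comments and blanks; MODULE is the .so name without its directory,
# found even when the control field is a bracketed [default=... ] expression.
pam_lines() {
    awk -v t="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == t {
            m = ""
            for (i = 3; i <= NF; i++) if ($i ~ /\.so$/) { m = $i; break }
            sub(/.*\//, "", m)
            print ++n, $2, m
        }' "$1"
}

# pam_audit FILE: print one finding per line; succeed only when there are none.
pam_audit() {
    f=$1; n=0
    first_suff=$(pam_lines "$f" auth | awk '$2 == "sufficient" { print $1; exit }')
    # A sufficient module that succeeds ends the auth stack, so anything below it
    # is never consulted for a user pam_winbind accepts. Modules that must see
    # every login (securetty, nologin) therefore have to sit above it.
    for m in pam_securetty.so pam_nologin.so; do
        pos=$(pam_lines "$f" auth | awk -v m="$m" '$3 == m { print $1; exit }')
        if [ -n "$pos" ] && [ -n "$first_suff" ] && [ "$pos" -gt "$first_suff" ]; then
            echo "auth: $m is entry $pos, below the first sufficient module (entry $first_suff); move it up"
            n=$((n+1))
        fi
    done
    # Domain users need winbind in both auth and account or they fail after the password check.
    for t in auth account; do
        pam_lines "$f" "$t" | grep -q pam_winbind.so \
            || { echo "$t: pam_winbind.so is missing"; n=$((n+1)); }
    done
    # Open issue 1 in this document: no home directory was created at first login.
    pam_lines "$f" session | grep -q pam_mkhomedir.so \
        || { echo "session: pam_mkhomedir.so is missing; first logins get no home directory"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}

# --- constructed input -------------------------------------------------------
TMP=${TMPDIR:-/tmp}/pamaudit.$$
mkdir -p "$TMP"
# /etc/pam.d/login as listed in this document.
cat >"$TMP/login.asis" <<'EOF'
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
session    required     pam_mkhomedir.so
EOF
# The same stack with pam_nologin.so moved directly under pam_securetty.so.
awk '/pam_nologin/ { next } { print }
     /pam_securetty/ { print "auth       required     /lib/security/pam_nologin.so" }' \
    "$TMP/login.asis" >"$TMP/login.fixed"

pam_audit "$TMP/login.asis"  || echo "login as listed: see findings above"
pam_audit "$TMP/login.fixed" && echo "login with pam_nologin.so moved up: clean"
```

The check only covers the rules this document relies on; it does not replace reading pam.d(5) for the service in question, and it does not follow pam_stack.so into system-auth, so run it on that file as well.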

* Test login via SSH

ssh -l ccbao localhost
login as: ccbao
ccbao@linuxserv01's password:
Creating directory '/home/HCMC/ccbao'.
Last login: Thu Sep 4 14:39:02 2008 from 172.33.41.208
[ccbao@linuxnt ~]$

* Commands to check the connection to the Windows 2003 domain

Show sequence numbers of all domains
wbinfo --sequence

Check the shared secret (the machine account trust with the DC)
wbinfo -t

List trusted domains
wbinfo -m

Convert a SID to a name
wbinfo --sid-to-name=<sid>

Get user info
wbinfo -i <username>

Get group info
wbinfo --group-info=<group name>

3. FIREWALL

4. CONFIGURE FILES

nsswitch.conf

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       ldap                    Use LDAP (only if nss_ldap is installed)
#       nisplus or nis+         Use NIS+ (NIS version 3), unsupported
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files ldap nis
#shadow:    db files ldap nis
#group:     db files ldap nis

passwd:     files winbind
shadow:     files winbind
group:      files winbind

#hosts:     db files ldap nis dns
hosts:      files dns

# Example - obey only what ldap tells us...
#services:  ldap [NOTFOUND=return] files
#networks:  ldap [NOTFOUND=return] files
#protocols: ldap [NOTFOUND=return] files
#rpc:       ldap [NOTFOUND=return] files
#ethers:    ldap [NOTFOUND=return] files

bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  files
automount:  files winbind
aliases:    files

smb.conf

# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = ATVN

# server string is the equivalent of the NT Description field
   server string = Server - ATVN Reference Server 01

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/%m.log

# Put a capping on the size of the log files (in Kb).
   max log size = 0

# Security mode. Most people will want user level security. See
# security_level.txt for details. A domain member uses security = domain.
   security = domain

# With security = domain, password server names the DC(s) that
# authenticate domain logons ("*" lets Samba locate one itself)
   password server = DEMON

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
;  unix password sync = Yes
;  passwd program = /usr/bin/passwd %u
;  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
   username map = /etc/samba/smbusers
# logons with an unknown username become the guest account; this is only
# harmless while no share grants guest access
   map to guest = Bad User

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = no

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
   domain master = no

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
   preferred master = no

# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependant. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
   name resolve order = wins lmhosts bcast

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
   wins server = 10.0.0.2

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no

#============================ Winbind Parameters =============================
   winbind use default domain = yes
   winbind separator = /
   winbind cache time = 10
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/bash
   template homedir = /home/ATVN/%U

#============================ PAM Parameters =================================
   obey pam restrictions = no

#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
# %w expands to the winbind separator configured above; a hard-coded "+"
# never matches while the separator is "/"
   valid users = %D%w%S
   writable = yes
# 0777 makes every new file world-writable; 0644 is the usual choice for home directories
   create mask = 0777
   directory mask = 0775
   browseable = yes

[Thalassa]
   comment = All Reference for own project
   path = /home/Thalassa
   browseable = yes
   read only = yes
   create mask = 0777
   directory mask = 0777

/etc/pam.d/login

auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
session    required     pam_mkhomedir.so

/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      pam_mkhomedir.so

5. OPEN ISSUES

Issue 1   Opened 11-09-2008, closed 12-09-2008
  Problem:  Profiles not created
  Solution: I added pam_mkhomedir.so before pam_console.so

Issue 2   Opened 16-09-2008, closed 18-09-2008
  Problem:  checking the trust secret via RPC calls failed
            error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
            Could not check secret
  Solution: Install new Samba

Issue 3   Opened 07-05-2009, closed 08-05-2009
  Problem:  smb_pam_account: PAM: UNKNOWN PAM ERROR (28) during Account Management for User
  Solution: Check smb.conf: obey pam restrictions = no

Issue 4   Opened 15-05-2009, closed 23-05-2009
  Problem:  Error looking up domain users on the Windows 2003
  Solution: Install package samba-3.0.25b-0.4E.6

Issue 5   Opened 07-07-2009, closed 08-07-2009
  Problem:  kerberos_kinit_password [email protected] failed: Cannot find KDC for requested realm
  Solution: Install Kerberos (krb5) and configure it for the domain
            (krb5.conf in H:\IT\Project\Samba-Become Domain Member Windows2003\Samba files config)

6. APPENDIX A

7. APPENDIX B
