Samba 3 trust Relationship with Active Directory

Posted in linux, samba, windows

In a previous post I explained how to install and configure Samba4; unfortunately, at the moment Samba4 does not support a trust relationship with Samba3. This integration with Samba3 is a requirement for the VMware View (VDI) solution that we are implementing at the University of Navarra, where I work. For this reason, while the Samba4 developers work on the Samba3/Samba4 trust relationship, we decided to install a new domain under Windows Active Directory (for VMware View) and create a trust relationship with the current Samba3 domain.

In summary, I'll explain how to install the basic infrastructure needed to implement this solution, which consists of:

  • OpenLDAP 2.4.32
  • Samba3x-winbind
  • Samba 3.6.7
  • Windows 2008 x64 R2 Enterprise for the Active Directory

Installation

OpenLdap

Requisites

To install the OpenLDAP server, these packages are needed:

yum install openssl.x86_64 openssl-devel.x86_64 libtool-ltdl-devel.x86_64 libtool-ltdl.x86_64 cyrus-sasl-devel.x86_64

BerkeleyDB

In this case I'll use BerkeleyDB as the embedded LDAP database; to install it:

wget http://download.oracle.com/berkeley-db/db-5.1.25.NC.tar.gz
tar xvfz db-5.1.25.NC.tar.gz && cd db-5.1.25.NC
cd build_unix
../dist/configure
make
make install

OpenLdap Installation

Now it is time to install the LDAP server. To do so:

  • Specify the needed Berkeley DB libraries
export LD_LIBRARY_PATH=/usr/local/etc/db-5.1.25.NC/build_unix/.libs
  • Create an SH-INSTALL.SH script to configure the OpenLDAP server
env LDFLAGS=" -L/usr/local/BerkeleyDB.5.1/lib" \
 CPPFLAGS=" -I/usr/local/BerkeleyDB.5.1/include" \
 ./configure --with-tls \
 --enable-modules \
 --enable-syslog \
 --enable-crypt \
 --enable-monitor \
 --enable-backends=no \
 --enable-bdb \
 --disable-ipv6 \
 --with-cyrus-sasl=yes \
 --enable-dynamic \
 --enable-spasswd \
 --enable-rewrite \
 --enable-rwm=yes \
 --enable-ldap=mod \
 --enable-meta=mod \
 --enable-relay=mod \
 --enable-proxycache=mod \
 --enable-refint=mod \
 --enable-unique=mod \
 --enable-accesslog=mod \
 --enable-auditlog=mod \
 --enable-dds=mod \
 --enable-dyngroup=mod \
 --enable-dynlist=mod \
 --enable-ppolicy=mod \
 --enable-syncprov=mod \
 --enable-translucent=mod \
 --prefix=/usr/local/etc2/openldap
  • Run the script to create your configuration
sh SH-INSTALL.SH
  • Run make depend and make
make depend
make
  • Run the test suite; this step can take a long time
make test
  • Finally, install the OpenLDAP server
make install

Post-installation tasks

Ldap Admin password

You'll need to protect your LDAP administrator user (root, in my case); to do so, run the slappasswd utility

/usr/local/etc2/openldap/sbin/slappasswd 
New password: 
Re-enter new password: 
{SSHA}IC2JFIUhdSpJTf+3O1bjaMIK491L7gjG

Now edit your LDAP configuration file and configure your BDB database; keep a copy of the distributed file first

cp -pr /usr/local/etc2/openldap/etc/openldap/slapd.conf /usr/local/etc2/openldap/etc/openldap/slapd.conf-DIST

Edit it with your domain configuration, something like this

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=albertolarripa,dc=com"
rootdn          "cn=root,dc=albertolarripa,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication is encouraged.
rootpw          {SSHA}IC2JFIUhdSpJTf+3O1bjaMIK491L7gjG
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/etc2/openldap/var/openldap-data
# Indices to maintain
index   objectClass     eq

Create your Organization

It's time to create your basic tree and root administrator account in your LDAP server. To do so, create an LDIF file with content similar to this:

# Organization for Example Corporation
dn: dc=albertolarripa,dc=com
objectClass: dcObject
objectClass: organization
dc: albertolarripa
o: Example Corporation
description: The Example Corporation

# Organizational Role for Directory Manager
dn: cn=root,dc=albertolarripa,dc=com
objectClass: organizationalRole
cn: root
description: Directory Manager

dn: o=accounts,dc=albertolarripa,dc=com
o: accounts
description: Accounts Content
objectclass: organization

dn: ou=smb,o=accounts,dc=albertolarripa,dc=com
ou: smb
description: All smb in organisation
objectclass: organizationalunit

And import:

ldapadd -H ldap://192.168.100.204 -x -D "cn=root,dc=albertolarripa,dc=com" -W -f albertolarripa.ldif

Ldap Certificate

The purpose of TLS is to provide confidentiality and integrity for the communication between the client and the LDAP server.

Server tasks

Generate a private key for the LDAP server:

# openssl genrsa -out ldap.key 2048

Make a Certificate Signing Request (CSR) for a certificate using the key you have just generated:

# openssl req -new -key ldap.key -out ldap.csr

Create your own CA: a CA key and a self-signed CA certificate

# openssl genrsa -out ca.key 2048
# openssl req -new -x509 -days 3650 -key ca.key -out ca.cert

Now you need to sign the CSR using:

# openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert -CAkey ca.key -CAcreateserial -days 365

If you wish to examine the contents of a certificate, you can use:

# openssl x509 -in ldap.cert -text -noout

Create the ssl directory and move the previously created certificates and key there

# mkdir /usr/local/etc2/openldap/etc/openldap/ssl
# mv ldap.cert /usr/local/etc2/openldap/etc/openldap/ssl/
# mv ldap.key /usr/local/etc2/openldap/etc/openldap/ssl/
# mv ca.cert /usr/local/etc2/openldap/etc/openldap/ssl/

Finally, edit the slapd.conf of the LDAP server and add

TLSCertificateFile /usr/local/etc2/openldap/etc/openldap/ssl/ldap.cert
TLSCertificateKeyFile /usr/local/etc2/openldap/etc/openldap/ssl/ldap.key
TLSCACertificateFile /usr/local/etc2/openldap/etc/openldap/ssl/ca.cert

Client tasks

On the client machine you will need to install the CA certificate so that the client accepts certificates that the CA has signed. Then edit /etc/openldap/ldap.conf on the client and include:

host ldap.albertolarripa.com
base ou=smb,o=accounts,dc=albertolarripa,dc=com
ldap_version 3
pam_login_attribute uid
ssl start_tls
TLS_REQCERT allow

init.d script

This is an example /etc/init.d/ldap startup script

#! /bin/sh
#
# chkconfig: 345 34 98
# description:  slapd
# processname: slapd

SLAPD=/usr/local/etc2/openldap/libexec/slapd
SLAPD_CONF=/usr/local/etc2/openldap/etc/openldap/slapd.conf
SLAPD_PID=/usr/local/etc2/openldap/var/run/slapd.pid

start() {
        $SLAPD -f $SLAPD_CONF -h "ldap://ldap/ ldaps://ldap.albertolarripa.com/" -l LOCAL4
}

stop() {
        # slapd shuts down cleanly on SIGINT
        kill -INT `cat $SLAPD_PID`
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        # start and stop are shell functions, so restart can call them
        stop
        sleep 2
        start
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart}"
        exit 1
esac

exit $?

Samba 3

Requisites

nsswitch.conf

Force the system to search users and groups in your LDAP server: edit /etc/nsswitch.conf and add ldap

passwd:     files ldap
shadow:     files
group:      files ldap

Needed packages

openldap-devel and pam-devel are necessary to build Samba 3

yum install openldap-devel.x86_64 pam-devel.x86_64

Samba3 Installation

It's time to install the Samba 3 binaries; download and unpack the source

wget http://www.samba.org/samba/ftp/stable/samba-3.6.7.tar.gz
tar xvfz samba-3.6.7.tar.gz 
cd samba-3.6.7/source3

In my case I created an SH-INSTALL.SH script to configure Samba with these options

./configure \
        --prefix=/usr/local/etc2/samba \
        --mandir=/usr/share/man \
        --with-ldap \
        --without-quotas \
        --with-winbind \
        --with-ads \
        --disable-cups \
        --with-pam

Make and install

make
make install

Samba3 Configuration

smb.conf

Create your Samba configuration file in the /usr/local/etc2/samba/lib directory; this is my smb.conf file

[global]

bind interfaces only = yes
interfaces = eth1 lo
ldap replication sleep = 2000
ldap suffix = "ou=smb,o=accounts,dc=albertolarripa,dc=com"
ldap admin dn = "cn=root,dc=albertolarripa,dc=com"
ldap ssl = start tls
passdb backend = ldapsam:ldap://ldap.albertolarripa.com/

idmap uid = 20000 - 30000
idmap gid = 20000 - 30000

unix charset = "CP850"

workgroup = albertolarripa
netbios name = smb3
comment = Linux RedHat Samba Server
security = domain
null passwords = Yes
encrypt passwords = yes

use spnego = yes
client signing = no
client use spnego = yes

logon drive = U:
logon path = \\%L\profiles\%I

domain logons = yes
domain master = yes
local master = yes
preferred master = yes
os level = 255

kernel oplocks = false

log file = /var/log/samba.log
max log size = 5024000
log level = 10
syslog = 10

public = no
browseable = no
writable = no

wins server = 192.168.100.204
name resolve order = host wins lmhosts bcast

[netlogon]
path = /usr/local/etc2/samba/netlogon
locking = no
writeable = no
guest ok = no
browseable = yes
read only = yes

Init.d script

Create the startup script for the Samba server

#!/bin/sh
#
# chkconfig: - 91 35
# description: Starts and stops the Samba smbd and nmbd daemons \
#	       used to provide SMB network services.

# Source function library.
if [ -f /etc/init.d/functions ] ; then
  . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
  . /etc/rc.d/init.d/functions
else
  exit 0
fi

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

TIME_WAIT=4

PDCx=SMB3
SMB_DIR=/usr/local/etc2/samba
SMB_PID=$SMB_DIR/var/locks/smbd.pid
NMB_PID=$SMB_DIR/var/locks/nmbd.pid
SMB_CONF=$SMB_DIR/lib/smb.conf
SMB_SBIN_DIR=$SMB_DIR/sbin

echo "$PDCx"
echo "$SMB_DIR"
echo "$SMB_PID"
echo "$NMB_PID"
echo "$SMB_CONF"
echo "$SMB_SBIN_DIR"
export LD_LIBRARY_PATH=/usr/local/etc2/samba/lib

# Check that smb.conf and other exists.
[ -f $SMB_CONF ] || exit 0

RETVAL=0

start() {
        KIND="SMB:$PDCx"
	echo -n $"Starting $KIND services: "
	$SMB_SBIN_DIR/smbd -D -s $SMB_CONF
	RETVAL=$?
	echo
        KIND="NMB:$PDCx"
	echo -n $"Starting $KIND services: "
	$SMB_SBIN_DIR/nmbd -D  -s $SMB_CONF
	RETVAL2=$?
	echo
	[ $RETVAL -eq 0 -a $RETVAL2 -eq 0 ] && touch $SMB_PID $NMB_PID || \
	   RETVAL=1
	/bin/sleep $TIME_WAIT
	return $RETVAL
}	

stop() {
	[ -f $SMB_PID ] || exit 0
	[ -f $NMB_PID ] || exit 0

        KIND="SMB:$PDCx"
	echo -n $"Shutting down $KIND services: "
	read PID < $SMB_PID
	kill -TERM $PID
	RETVAL=$?
	echo
	KIND="NMB:$PDCx"
	echo -n $"Shutting down $KIND services: "
	read PID < $NMB_PID
	kill -TERM $PID
	RETVAL2=$?
	[ $RETVAL -eq 0 -a $RETVAL2 -eq 0 ] && rm -f $SMB_PID $NMB_PID
	echo ""
	/bin/sleep $TIME_WAIT
	return $RETVAL
}	

restart() {
	stop
	start
}	

reload() {
        echo -n $"Reloading smb.conf file: "
	read PID < $SMB_PID
	kill -HUP $PID
	RETVAL=$?
	echo
	return $RETVAL
}	

rhstatus() {
	status smbd
	status nmbd
}	

case "$1" in
  start)
  	start
	;;
  stop)
  	stop
	;;
  restart)
  	restart
	;;
  reload)
  	reload
	;;
  status)
  	rhstatus
	;;
  condrestart)
  	[ -f /var/lock/subsys/smb ] && restart || :
	;;
  *)
	echo $"Usage: $0 {start|stop|restart|status|condrestart}"
	exit 1
esac

exit $?

Samba schema

Load the Samba schema in your LDAP server: copy samba.schema from the Samba source tree (examples/LDAP) to the LDAP server

scp /usr/local/etc/samba-3.6.7/examples/LDAP/samba.schema 192.168.100.204:/usr/local/etc2/openldap/etc/openldap/schema/

Now log on to your LDAP server and include this schema in your configuration file

cat /usr/local/etc2/openldap/etc/openldap/slapd.conf
###################
include /usr/local/etc2/openldap/etc/openldap/schema/samba.schema
###################

Restart the server

/etc/init.d/openldap stop
/etc/init.d/openldap start

Admin Password

Set your LDAP admin password in your secrets.tdb database

export LD_LIBRARY_PATH=/usr/local/etc2/samba/lib
/usr/local/etc2/samba/bin/smbpasswd -W
Netbios name list:-
my_netbios_names[0]="SMB3"
Setting stored password for "cn=root,dc=albertolarripa,dc=com" in secrets.tdb
New SMB password:
Retype new SMB password:

Samba Tools

I'll use smbldap-tools to create the Samba structure in my LDAP server, but first it is necessary to install them

Needed packages

Run cpan to install the required Perl modules

cpan> install Net::LDAP      
cpan> install Crypt::SmbHash   
cpan> install Digest::SHA1

Install smbldap-tools

Download and install the package

wget http://download.gna.org/smbldap-tools/sources/0.9.9/smbldap-tools-0.9.9.tar.gz
tar xvfz smbldap-tools-0.9.9.tar.gz
cd smbldap-tools-0.9.9
./configure --with-samba-sysconfdir=/usr/local/etc2/samba/lib --with-samba-bindir=/usr/local/etc2/samba/bin --sysconfdir=/etc/samba
make && make install

Configure smbldap-tools

To configure these tools we'll need some configuration files; copy them from the installation directory

cp -pr /usr/local/etc/smbldap-tools-0.9.9/smbldap.conf /etc/smbldap-tools
cp -pr /usr/local/etc/smbldap-tools-0.9.9/smbldap_bind.conf /etc/smbldap-tools

Get your Samba SID; it is necessary to configure this tool

# net getlocalsid
SID for domain SMB3 is: S-1-5-21-4140054460-3620877735-2405673070

OK, now edit /etc/smbldap-tools/smbldap.conf like this

SID=S-1-5-21-4140054460-3620877735-2405673070
sambaDomain="ALBERTOLARRIPA"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

masterLDAP="ldap://ldap.albertolarripa.com/"
ldapTLS="0"
verify="require"
suffix="ou=smb,o=accounts,dc=albertolarripa,dc=com"

usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"

password_hash="SSHA"

password_crypt_salt_format="%s"

##############################################################################
# 
# Unix Accounts Configuration
# 
##############################################################################

userLoginShell="/bin/bash"

userHome="/home/%U"

userHomeDirectoryMode="700"

userGecos="System User"

defaultUserGid="513"

defaultComputerGid="515"

skeletonDir="/etc/skel"

shadowAccount="1"

defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

userSmbHome="\\ALBERTOLARRIPA\%U"

userProfile="\\ALBERTOLARRIPA\profiles\%U"

userHomeDrive="H:"

userScript="logon.bat"

mailDomain="example.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

Finally, edit /etc/smbldap-tools/smbldap_bind.conf and add your LDAP master DN and password

masterDN="cn=root,dc=albertolarripa,dc=com"
masterPw="PASSWORD"
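The smb.conf shown above and the smbldap.conf/smbldap_bind.conf pair just shown both carry values a reviewer would flag before putting the domain into production: null passwords = Yes, client signing = no and log level = 10 in smb.conf, and ldapTLS="0" with a cleartext masterPw in smbldap-tools (the bind password crosses the wire unprotected over ldap://, and verify="require" only takes effect once TLS is on). The following script is an added example, not code from the original post or from the Samba or smbldap-tools projects; it parses the relevant lines of both files (constructed samples taken from the post) and prints the weak settings next to a corrected copy of the smb.conf block.

```python
"""Audit the Samba 3 and smbldap-tools settings from this post for weak
values. Added example, not part of the original post."""
import configparser

# Constructed sample: the security-relevant [global] lines from the post's smb.conf.
SMB_CONF_AS_POSTED = r"""
[global]
ldap suffix = "ou=smb,o=accounts,dc=albertolarripa,dc=com"
ldap admin dn = "cn=root,dc=albertolarripa,dc=com"
ldap ssl = start tls
passdb backend = ldapsam:ldap://ldap.albertolarripa.com/
security = domain
null passwords = Yes
encrypt passwords = yes
client signing = no
logon path = \\%L\profiles\%I
log level = 10
syslog = 10
"""

# The same block with the weak values corrected ('auto' is Samba's default
# for client signing; 'mandatory' is stricter if every peer supports signing).
SMB_CONF_HARDENED = (SMB_CONF_AS_POSTED
                     .replace("null passwords = Yes", "null passwords = no")
                     .replace("client signing = no", "client signing = auto")
                     .replace("log level = 10", "log level = 1")
                     .replace("syslog = 10", "syslog = 1"))

# Constructed sample: the LDAP section of the post's smbldap.conf.
SMBLDAP_CONF_AS_POSTED = """
masterLDAP="ldap://ldap.albertolarripa.com/"
ldapTLS="0"
verify="require"
suffix="ou=smb,o=accounts,dc=albertolarripa,dc=com"
"""


def parse_global(text):
    """Return the [global] options of an smb.conf as a dict (keys lower-cased)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {k.lower(): v.strip().strip('"') for k, v in cp["global"].items()}


def samba_bool(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return (option, explanation) pairs for weak smb.conf settings."""
    g = parse_global(text)
    findings = []
    if samba_bool(g.get("null passwords", "no")):
        findings.append(("null passwords",
                         "accounts with an empty password can log on; set 'null passwords = no'"))
    if g.get("client signing", "auto").lower() in ("no", "false", "0", "disabled"):
        findings.append(("client signing",
                         "SMB signing disabled for outbound connections such as the AD trust; use 'auto' or 'mandatory'"))
    level = g.get("log level", "0").split()[0]
    if level.isdigit() and int(level) >= 3:
        findings.append(("log level",
                         f"log level {level} writes protocol-level detail to the log; lower it when debugging is done"))
    if "ldapsam:ldap://" in g.get("passdb backend", "") and g.get("ldap ssl", "").lower() == "off":
        findings.append(("ldap ssl",
                         "the ldap admin dn password would cross the network in clear; use 'start tls' or ldaps://"))
    return findings


def parse_kv(text):
    """Parse the key="value" lines used by smbldap.conf and smbldap_bind.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def audit_smbldap_conf(text):
    """Return (option, explanation) pairs for weak smbldap-tools settings."""
    c = parse_kv(text)
    findings = []
    if c.get("masterLDAP", "").startswith("ldap://") and c.get("ldapTLS", "0") != "1":
        findings.append(("ldapTLS",
                         'masterPw from smbldap_bind.conf is sent in clear; set ldapTLS="1" or use ldaps://'))
    if c.get("ldapTLS") == "1" and c.get("verify", "") != "require":
        findings.append(("verify", 'server certificate is not checked; set verify="require"'))
    return findings


if __name__ == "__main__":
    for name, result in (("smb.conf as posted", audit_smb_conf(SMB_CONF_AS_POSTED)),
                         ("smb.conf hardened", audit_smb_conf(SMB_CONF_HARDENED)),
                         ("smbldap.conf as posted", audit_smbldap_conf(SMBLDAP_CONF_AS_POSTED))):
        print(name, "->", result or "no findings")
```

Run it against your own files by replacing the constructed samples with the contents of smb.conf and smbldap.conf; the parsers only look at the options named above, so other directives are left alone.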

Populate the samba tree

Use smbldap-populate to populate your samba LDAP tree

# smbldap-populate 
------------------------------------------------
Populating LDAP directory for domain ALBERTOLARRIPA (S-1-5-21-4140054460-3620877735-2405673070)
(using builtin directory structure)

adding new entry: ou=smb,o=accounts,dc=albertolarripa,dc=com 
adding new entry: ou=Users,ou=smb,o=accounts,dc=albertolarripa,dc=com 
adding new entry: ou=Groups,ou=smb,o=accounts,dc=albertolarripa,dc=com 
adding new entry: ou=Computers,ou=smb,o=accounts,dc=albertolarripa,dc=com 
adding new entry: ou=Idmap,ou=smb,o=accounts,dc=albertolarripa,dc=com 
adding new entry: sambaDomainName=ALBERTOLARRIPA,ou=smb,o=accounts,dc=albertolarripa,dc=com
adding new entry: uid=root,ou=Users,ou=smb,o=accounts,dc=albertolarripa,dc=com
adding new entry: uid=nobody,ou=Users,ou=smb,o=accounts,dc=albertolarripa,dc=com
adding new entry: cn=Domain Admins,ou=Groups,ou=smb,o=accounts,dc=albertolarripa,dc=com
adding new entry: cn=Domain Users,ou=Groups,ou=smb,o=accounts,dc=albertolarripa,dc=com
adding new entry: cn=Domain Guests,ou=Groups,ou=smb,o=accounts,dc=albertolarripa,dc=com
adding new entry: cn=Domain Computers,ou=Groups,ou=smb,o=accounts,dc=albertolarripa,dc=com
adding new entry: cn=Administrators,ou=Groups,ou=smb,o=accounts,dc=albertolarripa,dc=com
adding new entry: cn=Account Operators,ou=Groups,ou=smb,o=accounts,dc=albertolarripa,dc=com
adding new entry: cn=Print Operators,ou=Groups,ou=smb,o=accounts,dc=albertolarripa,dc=com
adding new entry: cn=Backup Operators,ou=Groups,ou=smb,o=accounts,dc=albertolarripa,dc=com
adding new entry: cn=Replicators,ou=Groups,ou=smb,o=accounts,dc=albertolarripa,dc=com

Please provide a password for the domain root: 
Changing UNIX and samba passwords for root
New password: 
Retype new password:

Start your Samba server and check the log for possible errors

/etc/init.d/samba start && tail -f /var/log/samba.log

AD Outgoing Relationship

Samba tasks

In your Samba server you'll need to create an account named after the Windows domain to allow access.

First create a local account named after the Windows domain followed by $

useradd ADLARRIPA.COM$

Now create this account in your Samba 3 domain as an interdomain trust account (without the $)

# smbpasswd -c /usr/local/etc2/samba/lib/smb.conf -a -i ADLARRIPA
New SMB password:
Retype new SMB password:
Added user ADLARRIPA$.

If you search for this account in your LDAP server you can see that sambaAcctFlags is set to I: this is an interdomain trust account

# ./bin/ldapsearch -LLL -H ldap://192.168.100.204 -b "dc=albertolarripa,dc=com" "uid=ADLARRIPA*" -D "cn=root,dc=albertolarripa,dc=com" -W
Enter LDAP Password: 
dn: uid=ADLARRIPA.COM$,ou=smb,o=accounts,dc=albertolarripa,dc=com
uid: ADLARRIPA.COM$
sambaSID: S-1-5-21-4140054460-3620877735-2405673070-1001
sambaNTPassword: DB81CCF122D29AA8E342BAD6E30C810A
sambaPwdLastSet: 1347211201
sambaAcctFlags: [I          ]
objectClass: sambaSamAccount
objectClass: account
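The sambaAcctFlags value is the quickest way to confirm that the trust account was created correctly (I, not U or W) and that it is neither disabled (D) nor marked as needing no password (N). The script below is an added example, not code from the original post or from Samba: it parses an ldapsearch LDIF dump (a constructed sample modelled on the output above, with placeholder hash values), decodes the flag letters Samba writes into that attribute, and reports every interdomain trust account with its problems. It also flags entries where sambaNTPassword is returned, because the search above was bound as the rootdn; an ordinary bind DN should not be able to read the hash attributes.

```python
"""Decode sambaAcctFlags from an ldapsearch LDIF dump and check the
interdomain trust accounts. Added example, not part of the original post."""
import base64

# Flag letters as written by Samba into sambaAcctFlags.
ACCT_FLAGS = {
    "U": "normal user account",
    "W": "workstation trust account",
    "S": "server trust account",
    "I": "interdomain trust account",
    "D": "account disabled",
    "N": "no password required",
    "X": "password does not expire",
    "L": "account locked out",
    "H": "home directory required",
}

# Constructed sample modelled on the post's ldapsearch output; the hash value
# is a placeholder, not a real hash, and OLDTRUST$ is an invented disabled entry.
SAMPLE_LDIF = """\
dn: uid=ADLARRIPA.COM$,ou=smb,o=accounts,dc=albertolarripa,dc=com
uid: ADLARRIPA.COM$
sambaSID: S-1-5-21-4140054460-3620877735-2405673070-1001
sambaNTPassword: 00000000000000000000000000000000
sambaAcctFlags: [I          ]
objectClass: sambaSamAccount
objectClass: account

dn: uid=Administrator,ou=Users,ou=smb,o=accounts,dc=albertolarripa,dc=com
uid: Administrator
sambaAcctFlags: [U          ]
objectClass: sambaSamAccount

dn: uid=OLDTRUST$,ou=smb,o=accounts,dc=albertolarripa,dc=com
uid: OLDTRUST$
sambaAcctFlags: [DI         ]
objectClass: sambaSamAccount
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Split an LDIF dump into entries: one dict of attribute -> [values] each."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # attr:: base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")  # keep the padding inside [...]
        current.setdefault(attr, []).append(value)
    return entries


def decode_acct_flags(value):
    """Turn '[I          ]' into the set of flag letters it contains."""
    return {ch for ch in value.strip("[] ") if ch.isalpha()}


def describe_acct_flags(value):
    return [ACCT_FLAGS.get(ch, f"unknown flag {ch}") for ch in sorted(decode_acct_flags(value))]


def audit_trust_accounts(entries):
    """Report on every interdomain trust account (flag I) in the dump."""
    report = []
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        flags = decode_acct_flags(e.get("sambaAcctFlags", [""])[0])
        if "I" not in flags:
            continue
        uid = e.get("uid", [""])[0]
        issues = []
        if not uid.endswith("$"):
            issues.append("trust account name must end with $")
        if "D" in flags:
            issues.append("trust account is disabled, so the trust cannot authenticate")
        if "N" in flags:
            issues.append("no password required on a trust account")
        if "sambaNTPassword" in e or "sambaLMPassword" in e:
            issues.append("hash attributes returned: confirm a non-rootdn bind cannot read sambaNTPassword/sambaLMPassword")
        report.append({"uid": uid, "flags": sorted(flags), "issues": issues})
    return report


if __name__ == "__main__":
    for item in audit_trust_accounts(parse_ldif(SAMPLE_LDIF)):
        print(item["uid"], item["flags"], item["issues"] or "ok")
```

Feed it the output of the ldapsearch above (with -LLL, so no version header) and bind as a normal user rather than cn=root for the hash check to be meaningful.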

To authenticate the relationship, the same account (same name) must exist in both domains that form the relation; in my case I created an Administrator account.

smbpasswd -c /usr/local/etc2/samba/lib/smb.conf -a Administrator
New SMB password:
Retype new SMB password:

Windows tasks

In your Windows server, make sure that your GPO allows Domain Compatibility Mode and that DNS Name Resolution Required is deactivated; if you are not sure, apply this registry change

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001

It's time to create the trust relationship with your Active Directory server. To do so, open Active Directory Domains and Trusts (Start/Administrative Tools/Active Directory Domains and Trusts), right-click your domain (ADLARRIPA, in my case) and choose Properties.

Click Trusts/New Trust

Follow the wizard and enter the Samba NetBIOS domain name

To start, I'll create a One-way: outgoing relationship, meaning that Windows resources can be shared with Samba users.

Select Domain-wide authentication

Enter the password that you set when you added the Windows domain name in your Samba server

Confirm the Outgoing trust

If everything ran correctly, the trust relationship has been successfully created and confirmed!

Test outgoing relationship

To test the new relationship, share a new resource in your Windows domain with the Samba domain. In the Security tab click Add... and change the default Locations to the Samba domain.

Search for a user that exists in the Samba domain and share the resource with that user

From your Samba server you can access this resource using smbclient

[root@smb3 ~]# smbclient //AD/share 
Enter root's password: 
Domain=[ADLARRIPA] OS=[Windows Server 2008 R2 Enterprise 7600] Server=[Windows Server 2008 R2 Enterprise 6.1]
smb: \> dir
  .                                   D        0  Fri Sep 14 09:48:01 2012
  ..                                  D        0  Fri Sep 14 09:48:01 2012
  test.reg.txt                        A        0  Sun Sep  9 19:24:23 2012

AD Incoming Relationship

If you need to authenticate Windows users in your Samba domain, you must create an incoming relationship between Samba 3 and Active Directory

Samba tasks

Establish the new trust domain

# net rpc trustdom establish ADLARRIPA 
Enter ALBERTOLARRIPA$'s password:
Could not connect to server AD
Trust to domain ADLARRIPA established

Windows tasks

As with the outgoing relationship, follow the wizard and enter the Samba domain

Now the wizard offers the possibility to convert the one-way trust into a two-way trust

Enter the trust password

Finally, both trust relationships have been created

And that's all. If you have any question you can add a comment or write to:

Thanks for following me

One thought on "Samba 3 trust Relationship with Active Directory"

  1. Hi,
    Trust SAMBA 3.6 and AD 2012. When creating a trust in Windows 2012 Server it does not want to find my PDC NetBIOS name. What am I doing wrong?

    Thanks
