Kerberized SAMBA

CIFS is just a file server

© 2010 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later

CIFS is just a file server

SAMBA in this setup will not act as a logon server. The configuration described in this section sets SAMBA up as a CIFS server, and only that. It is assumed that users and clients log on against Kerberos and LDAP as described in the previous documents.

After users have received their Kerberos ticket, they can start using the SAMBA services. This means SAMBA has to honour connections that carry a valid ticket and deny all other access.

The other goal is to centralize as much as possible in LDAP, which means LDAP has to support SAMBA accounts. For this we need the samba.schema file included in the OpenLDAP configuration.

SAMBA on the network

I don't know about you, but I hate all the broadcasts and ports used by Windows networking systems, while all I need is a server that provides shares to the network. So for me SMB over TCP/IP alone is sufficient.

All that will be left out is:

Also, since AD and SAMBA work perfectly well with DNS, there is no need for WINS (NetBIOS name services), so we will skip that.

Important Note

I have had some strange problems that were SELinux related. To prevent that from happening make sure that SELinux is set to permissive on your SAMBA server:

setenforce 0

If you later on get messages from smbclient telling you NT_STATUS_BAD_NETWORK_NAME, it might be SELinux that is not set to permissive. You have been warned.

Initial setup

Configure your host to use your LDAP and Kerberos server (on Red Hat based systems run authconfig-tui).

Create the krb5.keytab file.

DNS support

Add to DNS:

; SRV fields: priority weight port target
_ldap._tcp.dc._msdcs.EXAMPLE.COM	SRV 0 0 389 ldap.example.com.

This entry is needed when we direct SAMBA to act as an ADS member server.

Also add DNS entries for your SAMBA server. We add an SRV record as well; although it will not be used here, we make it a habit of adding those records:

fs01		CNAME	larix
larix		A	192.168.1.55
_cifs._tcp	SRV	0 0 445 larix.example.com.

LDAP support

Copy the samba3.schema to /etc/openldap/schema/

Add to slapd.conf:

# Include samba support
include         /etc/openldap/schema/samba3.schema

...

# Make sure no-one can read or write the samba password fields
access to attr=sambaLMPassword,sambaNTPassword
	by * none

...

# Create samba indexes
index   sambaSID              eq
index   sambaPrimaryGroupSID  eq
index   sambaDomainName       eq
index   default               sub

Make OpenLDAP work with the new settings:

service ldap stop
slapindex
service ldap start

If you are like me and watch everything that goes over the line, you might notice that SAMBA tries to use CLDAP. CLDAP is LDAP over UDP, which is no longer supported in OpenLDAP but is still used by Microsoft's Active Directory.

SIDs and RIDs

Before we add users and groups to LDAP, we first need to explain the SID and RID used in the Microsoft environment. SID stands for Security IDentifier. Within a Microsoft networking environment the SID is globally unique.

The structure of the SID looks like this:

S-[Revision]-[IdentifierAuthority]-[SubAuthority0]-[SubAuthority1]-...-[SubAuthority[SubAuthorityCount]](-RID)

The components in this structure are:

Revision
    The revision is always 1 for current NT versions.

Identifier Authorities and SubAuthorities

SID     RID  Description
S-1     0    NULL SID authority: used to hold the "null" account SID
S-1-0   0    The null account
S-1     1    World SID authority: used for the "Everyone" group, which is the only account in this authority
S-1-1   0    The Everyone group (\EVERYONE)
S-1     2    Local SID authority: used for the "Local" group, which is the only account in this authority
S-1-2   0    The Local group
S-1     3    Creator SID authority: responsible for the CREATOR_OWNER, CREATOR_GROUP, CREATOR_OWNER_SERVER and CREATOR_GROUP_SERVER well-known SIDs. These SIDs are used as placeholders in an access control list (ACL) and are replaced by the user, group and machine SIDs of the security principal
S-1-3   0    Creator Owner account (\CREATOR OWNER)
S-1-3   1    Creator Group account (\CREATOR GROUP)
S-1-3   2    Creator Owner Server account (\CREATOR SERVER OWNER)
S-1-3   3    Creator Group Server account (\CREATOR SERVER GROUP)
S-1     4    Non-unique authority: not used by NT
S-1     5    NT authority: accounts that are managed by the NT security subsystem
S-1-5   2    NT authority: Network (AUTHORITY\NETWORK)
S-1-5   4    NT authority: Interactive (AUTHORITY\INTERACTIVE)
S-1-5   11   NT authority: Authenticated users (AUTHORITY\AUTHENTICATED USERS)
S-1-5   18   NT authority: System (AUTHORITY\SYSTEM)
S-1-5   19   NT authority: Local service (AUTHORITY\LOCAL SERVICE)
S-1-5   20   NT authority: Network service (AUTHORITY\NETWORK SERVICE)
S-1-5   21   Non-unique SIDs, used for domain SIDs: S-1-5-21 is followed by 3 RIDs (96 bytes) that define the domain, which could look like this: S-1-5-21-0123456789-0123456789-0123456789. The 3 RIDs are created during initial domain installation. Since they are random numbers duplicates can exist; there is no such thing as a central domain number authority. The domain SID is followed by a RID identifying the account within the domain. This RID is just a simple counter that assigns a new RID to each account. There are however a couple of well-known RIDs
S-1     9    Resource manager authority: a catch-all that is used for third-party resource managers

RID
    A RID is a Relative IDentifier, relative to the SID that is. The most important RIDs are:

RID  Name                       Type
500  DOMAINNAME\Administrator   User
501  DOMAINNAME\Guest           User
512  DOMAINNAME\Domain Admins   Group
513  DOMAINNAME\Domain Users    Group
514  DOMAINNAME\Domain Guests   Group
544  BUILTIN\Administrators     Group
545  BUILTIN\Users              Group
546  BUILTIN\Groups             Group
548  BUILTIN\Account Operators  Group
549  BUILTIN\Server Operators   Group
550  BUILTIN\Print Operators    Group
551  BUILTIN\Backup Operators   Group
552  BUILTIN\Replicator         Group

For more see: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#id2597519

The domain identifier

Each NT domain (S-1-5-21) has a unique 96 byte RID; together they form the domain SID. das_passgen can be used to create this RID like this:

# A=`das_passgen -c 3 -l 30`; echo ${A:0:10}-${A:10:10}-${A:20:10}
4187449527-7460873736-5306093569

The complete domain SID will then look like this: S-1-5-21-4187449527-7460873736-5306093569

Adding the SAMBA entries to LDAP

A bit about ID numbers

If you are in the lucky situation that you can start with a clean installation I would suggest the following:

An important note here: Windows cannot handle two identities with the same ID number; every object in AD has a unique SID. In the POSIX world, however, we are used to uidNumber 0 for the root user and gidNumber 0 for the root group. This exposes another problem in the Windows world: two entries both called root, a user and a group. That is not possible in Windows either. Names have to be unique too: even if an object is part of a different tree in the AD structure, the name of the object (CN) has to be unique within your domain.

If you would like to work with Personal User Groups on your POSIX systems, I would suggest using:

This means you need two numbers for every entry, but it gives you the benefit that you can use domainSID-uidNumber or domainSID-gidNumber as the SID for the object. In the end this is only cosmetics.
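The SID structure, the domain identifier and the ID-number rules above are easy to get wrong by hand, so here is an added Python example (not code from this page or from Samba) that parses SID strings into the components listed under "SIDs and RIDs", checks them against the binary SID layout, splits an account SID into domain SID and RID, generates a fresh domain SID, and reproduces the algorithmic RID mapping that sambaAlgorithmicRidBase controls (RID = 2 * id + base, plus 1 for groups; this is how uid 999 for nobody becomes RID 2998 in the LDIF later on). The 32-bit limit on each sub-authority, the 48-bit identifier authority and the maximum of 15 sub-authorities come from the SID wire format and are not stated on this page. Two of the three sub-authorities in the page's example domain SID (7460873736 and 5306093569) are larger than 2^32-1, which the check reports.

```python
import re
import secrets

# Limits of the binary SID layout (assumed knowledge, not taken from this page):
# 48-bit identifier authority, unsigned 32-bit sub-authorities, at most 15 of them.
MAX_AUTHORITY = (1 << 48) - 1
MAX_SUB_AUTHORITY = (1 << 32) - 1
MAX_SUB_AUTHORITY_COUNT = 15

# Samba's algorithmic id->RID mapping: RID = id * 2 + rid base, low bit set for groups.
RID_MULTIPLIER = 2


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-500' into (revision, authority, [sub-authorities])."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)*)", sid)
    if not m:
        raise ValueError("not a SID string: %r" % (sid,))
    subs = [int(x) for x in m.group(3).split("-")[1:]]  # first split element is ''
    return int(m.group(1)), int(m.group(2)), subs


def sid_problems(sid):
    """List the structural problems of a SID string; an empty list means it is well formed."""
    try:
        revision, authority, subs = parse_sid(sid)
    except ValueError as err:
        return [str(err)]
    problems = []
    if revision != 1:
        problems.append("revision must be 1, got %d" % revision)
    if authority > MAX_AUTHORITY:
        problems.append("identifier authority %d does not fit in 48 bits" % authority)
    if len(subs) > MAX_SUB_AUTHORITY_COUNT:
        problems.append("%d sub-authorities, at most %d allowed" % (len(subs), MAX_SUB_AUTHORITY_COUNT))
    for index, value in enumerate(subs):
        if value > MAX_SUB_AUTHORITY:
            problems.append("sub-authority %d (%d) does not fit in 32 bits" % (index, value))
    return problems


def split_domain_sid(sid):
    """For an NT domain account SID return (domain SID, RID); for the domain SID itself RID is None."""
    revision, authority, subs = parse_sid(sid)
    if (revision, authority) != (1, 5) or subs[:1] != [21]:
        raise ValueError("not an S-1-5-21 domain SID: %r" % (sid,))
    if len(subs) == 4:                      # 21 plus the three domain sub-authorities
        return sid, None
    if len(subs) == 5:                      # ... plus the account RID
        return "S-1-5-21-%d-%d-%d" % tuple(subs[1:4]), subs[4]
    raise ValueError("unexpected number of sub-authorities in %r" % (sid,))


def new_domain_sid():
    """Generate a fresh domain SID from three random 32-bit sub-authorities."""
    return "S-1-5-21-" + "-".join(str(secrets.randbelow(1 << 32)) for _ in range(3))


def user_rid(uid_number, rid_base=1000):
    """Algorithmic RID for a POSIX uid (uid 999 with the default base gives 2998)."""
    return uid_number * RID_MULTIPLIER + rid_base


def group_rid(gid_number, rid_base=1000):
    """Algorithmic RID for a POSIX gid: as user_rid, with the low bit set to mark a group."""
    return (gid_number * RID_MULTIPLIER + rid_base) | 1


if __name__ == "__main__":
    example = "S-1-5-21-4187449527-7460873736-5306093569-500"
    print(split_domain_sid(example), sid_problems(example))
    print(new_domain_sid(), user_rid(999), group_rid(513))
```

new_domain_sid() is a drop-in replacement for the das_passgen one-liner that keeps every sub-authority inside the 32-bit range; run sid_problems() over every sambaSID in your LDIF before loading it.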

sambaGroupTypes

Defined sambaGroupTypes are:

2  Domain group
4  Local group (alias)
5  WKN_GRP ???

sambaAcctFlags

Use man pdbedit for an overview of the possible flags.

Essential Object LDIFs

dn: ou=samba,ou=Services,dc=example,dc=com
ou: samba
objectClass: top
objectClass: organizationalUnit
description: Samba Internal Settings

# Make sure to adjust the sambaAlgorithmicRidBase and sambaNextUserRid according to your situation.

dn: sambaDomainName=EXAMPLE.COM,ou=samba,ou=Services,dc=example,dc=com
sambaDomainName: EXAMPLE.COM
objectClass: sambaDomain
sambaSID: S-1-5-21-4187449527-7460873736-5306093569
sambaAlgorithmicRidBase: 1000
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0

dn: uid=Administrator,ou=Users,dc=example,dc=com
cn: Administrator
sn: Administrator
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 512
uidNumber: 500
sambaPrimaryGroupSID: S-1-5-21-4187449527-7460873736-5306093569-512
sambaSID: S-1-5-21-4187449527-7460873736-5306093569-500
loginShell: /bin/false
homeDirectory: /dev/null
uid: Administrator
gecos: Domain Administrator
sambaAcctFlags: [U]
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 1267280010
shadowLastChange: 14622
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaPwdLastSet: 1263392010
shadowMax: 45

dn: uid=nobody,ou=Users,dc=example,dc=com
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
sambaSID: S-1-5-21-4187449527-7460873736-5306093569-2998
sambaPrimaryGroupSID: S-1-5-21-4187449527-7460873736-5306093569-514
homeDirectory: /dev/null
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 0
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD        ]
loginShell: /bin/false

dn: cn=Domain Admins,ou=samba,ou=Services,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
description: Domain Administrators
sambaSID: S-1-5-21-4187449527-7460873736-5306093569-512
sambaGroupType: 2
displayName: Domain Admins

dn: cn=Domain Users,ou=samba,ou=Services,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Domain Users
sambaSID: S-1-5-21-4187449527-7460873736-5306093569-513
sambaGroupType: 2
displayName: Domain Users

dn: cn=Domain Guests,ou=samba,ou=Services,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Domain Guests Users
sambaSID: S-1-5-21-4187449527-7460873736-5306093569-514
sambaGroupType: 2
displayName: Domain Guests

dn: cn=Domain Computers,ou=samba,ou=Services,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Domain Computers accounts
sambaSID: S-1-5-21-4187449527-7460873736-5306093569-515
sambaGroupType: 2
displayName: Domain Computers

dn: cn=Administrators,ou=samba,ou=Services,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 4
displayName: Administrators

dn: cn=Account Operators,ou=samba,ou=Services,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Members can manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 4
displayName: Account Operators

dn: cn=Print Operators,ou=samba,ou=Services,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Printer Operators
sambaSID: S-1-5-32-550
sambaGroupType: 4
displayName: Print Operators

dn: cn=Backup Operators,ou=samba,ou=Services,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 4
displayName: Backup Operators

dn: cn=Replicators,ou=samba,ou=Services,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 4
displayName: Replicators

## Need to figure out if we need both or just one of:

dn: cn=Users,ou=samba,ou=Services,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: Users
description: Users group in a sambaDomainName
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users

dn: sambaSID=S-1-5-32-545,ou=samba,ou=Services,dc=example,dc=com
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 545
sambaSIDList: S-1-5-21-4187449527-7460873736-5306093569-513

These are the essential resources.

Let us also create a user that we can use for testing. The password for this account is test123... so no need to use a dictionary attack on the passwords:

dn: uid=testuser,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: testuser
sn: testuser
givenName: testuser
uid: testuser
uidNumber: 3002
gidNumber: 513
homeDirectory: /home/testuser
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: testuser
sambaSID: S-1-5-21-4187449527-7460873736-5306093569-3002
sambaPrimaryGroupSID: S-1-5-21-4187449527-7460873736-5306093569-513
sambaLogonScript: logon.bat
sambaProfilePath: \\fs01.example.com\profiles\testuser
sambaHomePath: \\fs01.example.com\testuser
sambaHomeDrive: H:
sambaLMPassword: 624AAC413795CDC1AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: C5A237B7E9D8E708D8436B6148A25FA1
sambaPwdLastSet: 1263395290
sambaPwdMustChange: 1267283290
userPassword:: e1NTSEF9amMyNkdhWklPN2taNURJZnFuWTlwclgzK3JOaVREaGw=
shadowLastChange: 14622
shadowMax: 45
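Because the objects above are written by hand, it is easy to end up with a sambaSID from the wrong domain, a sambaPrimaryGroupSID that no sambaGroupMapping entry carries, or the duplicate ID numbers and names that "A bit about ID numbers" warns against. The following Python script is an added example, not part of this page or of Samba: it parses LDIF (comment lines, folded lines and base64 "::" values) and cross-checks the sambaDomain, sambaGroupMapping and sambaSamAccount entries. The embedded LDIF is constructed for this example, with a deliberately broken "stale" user; its domain SID and password value are placeholders, not the page's values.

```python
import base64
from collections import Counter

# Constructed sample modelled on the entries on this page (not a copy of them). The
# 'stale' user is wrong in three ways: its uidNumber collides with testuser, its
# sambaSID belongs to another domain, and its primary group has no sambaGroupMapping.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE.COM,ou=samba,ou=Services,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: EXAMPLE.COM
sambaSID: S-1-5-21-11111-22222-33333

dn: cn=Domain Users,ou=samba,ou=Services,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-11111-22222-33333-513
sambaGroupType: 2

dn: uid=testuser,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: testuser
cn: testuser
uidNumber: 3002
gidNumber: 513
sambaSID: S-1-5-21-11111-22222-33333-3002
sambaPrimaryGroupSID: S-1-5-21-11111-22222-33333-513
userPassword:: e1NTSEF9eHh4eA==

dn: uid=stale,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: stale
cn: stale
uidNumber: 3002
gidNumber: 600
sambaSID: S-1-5-21-99999-22222-33333-3003
sambaPrimaryGroupSID: S-1-5-21-11111-22222-33333-600
"""


def parse_ldif(text):
    """Minimal LDIF reader: a list of {attribute: [values]} dicts, one per entry.
    Handles '#' comment lines, folded continuation lines and '::' base64 values."""
    records, pairs = [], []
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line == "":                                   # blank line ends the entry
            if pairs:
                records.append(pairs)
            pairs = []
        elif line.startswith(" ") and pairs:             # folded line continues the previous value
            pairs[-1] = (pairs[-1][0], pairs[-1][1] + line[1:])
        else:
            attr, _, raw = line.partition(":")
            pairs.append((attr, raw))
    entries = []
    for pairs in records:
        entry = {}
        for attr, raw in pairs:
            if raw.startswith(":"):                      # 'attr:: base64'
                value = base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
            else:
                value = raw.strip()
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries


def check_samba_ldif(text):
    """Cross-check the sambaDomain, sambaGroupMapping and sambaSamAccount entries."""
    entries = parse_ldif(text)
    classes = lambda e: e.get("objectClass", [])
    domains = [e for e in entries if "sambaDomain" in classes(e)]
    if len(domains) != 1:
        return ["expected exactly one sambaDomain entry, found %d" % len(domains)]
    domain_sid = domains[0]["sambaSID"][0]
    group_gid = {e["sambaSID"][0]: e.get("gidNumber", [None])[0]
                 for e in entries if "sambaGroupMapping" in classes(e)}
    users = [e for e in entries if "sambaSamAccount" in classes(e)]
    problems = []
    for user in users:
        name = user.get("uid", ["?"])[0]
        sid = user.get("sambaSID", [""])[0]
        primary = user.get("sambaPrimaryGroupSID", [None])[0]
        if not sid.startswith(domain_sid + "-"):
            problems.append("%s: sambaSID %s is not in domain %s" % (name, sid, domain_sid))
        if primary not in group_gid:
            problems.append("%s: sambaPrimaryGroupSID %s has no sambaGroupMapping" % (name, primary))
        elif group_gid[primary] != user.get("gidNumber", [None])[0]:
            problems.append("%s: gidNumber differs from the primary group's gidNumber" % name)
    # Windows tolerates neither duplicate IDs nor duplicate names ("A bit about ID numbers")
    for attr, pool in (("uidNumber", users), ("sambaSID", entries), ("cn", entries)):
        for value, count in Counter(v for e in pool for v in e.get(attr, [])).items():
            if count > 1:
                problems.append("%s %s is used by %d entries" % (attr, value, count))
    return problems
```

Run check_samba_ldif() over your LDIF before slapadd, or over an ldapsearch -LLL export of an existing directory; an empty list means the domain, group and account objects agree with each other.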

Configure SAMBA

Install SAMBA and make sure that you also install the client packages and winbind.

Create an smb.conf like this:

[global]
   #-----------------#
   # Naming settings #
   #-----------------#
   workgroup = EXAMPLE.COM
   server string = SMB server
   netbios name = FS01
   os level = 44

   #------------#
   # Networking #
   #------------#
   interfaces = 127.0.0.0/8 eth0
   bind interfaces only = yes
   name resolve order = lmhosts host bcast
   disable netbios = yes
   smb ports = 445
   domain logons = Yes
   preferred master = Yes
   domain master = Yes

   #---------------#
   # LDAP Settings #
   #---------------#
   ldap suffix = dc=example,dc=com
   ldap machine suffix = ou=Computers
   ldap user suffix = ou=Users
   ldap group suffix = ou=Group
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap ssl = no
   ldap passwd sync = Yes

   #-------------------#
   # Kerberos Settings #
   #-------------------#
   security = ADS
   realm = EXAMPLE.COM

   #---------------#
   # User mappings #
   #---------------#
   username map = /etc/samba/smbusers
   idmap uid = 15000-20000
   idmap gid = 15000-20000

   #-------------------#
   # Security Settings #
   #-------------------#
   encrypt passwords = yes
   dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

   #----------#
   # Printing #
   #----------#
   show add printer wizard = yes

   #---------#
   # Logging #
   #---------#
   log level = 3 auth:10
   log file = /var/log/samba/%m.log
   max log size = 10000
   syslog = 0

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes
   force create mode = 0660
   force directory mode = 0770
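To check an smb.conf against the goals stated at the start of this document (Kerberos tickets only, no NetBIOS, a file server rather than a logon server), here is an added Python example that is not part of the page or of Samba. It reads smb.conf with configparser and returns findings for a weak and a corrected [global] section, both constructed for this example. The sample smb.conf above trips several of these checks: domain logons, domain master and preferred master are set to Yes although the server is not meant to be a logon server; no passdb backend = ldapsam line is present, so the ldap * parameters are not consulted (Samba's default backend is tdbsam); ldap ssl = no sends the admin bind in the clear; and auth:10 is a very verbose debug level. The ldap.example.com URL, the passdb backend line and ldap ssl = start tls in HARDENED_CONF are assumptions for this example.

```python
import configparser

# Constructed smb.conf fragments modelled on the page's example (not copied from it).
# WEAK_CONF keeps the settings that work against the page's stated goal; HARDENED_CONF
# shows the corrected values. The passdb backend URL, 'ldap ssl = start tls' and
# ldap.example.com are assumptions for this example.
WEAK_CONF = """\
[global]
   workgroup = EXAMPLE.COM
   realm = EXAMPLE.COM
   security = ADS
   disable netbios = yes
   smb ports = 445
   domain logons = Yes
   preferred master = Yes
   domain master = Yes
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap ssl = no
   log level = 3 auth:10
"""

HARDENED_CONF = """\
[global]
   workgroup = EXAMPLE.COM
   realm = EXAMPLE.COM
   security = ADS
   disable netbios = yes
   smb ports = 445
   domain logons = no
   preferred master = no
   domain master = no
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap ssl = start tls
   log level = 1
"""


def load_smb_conf(text):
    """Parse smb.conf text; parameter names are case-insensitive and only '=' separates them."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",), empty_lines_in_values=False)
    parser.read_string(text)
    return parser


def _param(conf, name, default=""):
    return conf.get("global", name, fallback=default).strip().lower()


def _is_yes(conf, name):
    return _param(conf, name, "no") in ("yes", "true", "1")


def lint_file_server(conf):
    """Findings for a Samba host that should be a Kerberized CIFS server and nothing else."""
    findings = []
    if _param(conf, "security") != "ads":
        findings.append("security must be 'ads' so that Kerberos tickets are honoured")
    if not _is_yes(conf, "disable netbios") or _param(conf, "smb ports") != "445":
        findings.append("NetBIOS still enabled: set 'disable netbios = yes' and 'smb ports = 445'")
    for name in ("domain logons", "domain master", "preferred master"):
        if _is_yes(conf, name):
            findings.append("'%s = yes' makes a plain file server act as logon/browse master" % name)
    backend = _param(conf, "passdb backend", "tdbsam")   # tdbsam is Samba's default backend
    if not backend.startswith("ldapsam"):
        findings.append("passdb backend is not ldapsam, so the 'ldap *' parameters are unused")
    # Samba documents 'start tls' as the default for 'ldap ssl'; only an explicit off is flagged
    if (_param(conf, "ldap ssl", "start tls") in ("no", "off")
            and not backend.startswith(("ldapsam:ldaps://", "ldapsam:ldapi://"))):
        findings.append("ldap ssl is off: the admin bind and password hashes cross the wire in clear")
    for token in _param(conf, "log level").split():   # e.g. '3' or 'auth:10'
        level = token.rsplit(":", 1)[-1]
        if level.isdigit() and int(level) >= 5:
            findings.append("log level '%s' writes authentication internals to the log; lower it after debugging" % token)
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_file_server(load_smb_conf(text)))
```

Point load_smb_conf() at the output of testparm -s rather than at the raw file when you want defaults and includes resolved first.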

Create a machine trust for our CIFS server. Run on kerberos host:

kadmin.local
addprinc cifs/fs01.example.com

Store the password that you gave to the cifs/fs01.example.com principal in the secrets.tdb file (this is the machine trust account password):

net changesecretpw -f

If you later on get an error message like:

ads_secrets_verify_ticket: failed to fetch machine password

in your machine log file, it means that the passwords in Kerberos and in the secrets.tdb file are out of sync. Also note that the password is stored in plain text in the secrets.tdb file, so make sure this file is very well protected (chmod 600).

Create the home directory for our user:

mkdir /home/testuser
chown testuser:Domain\ Users /home/testuser/

Test the configuration parameters in the smb.conf file:

testparm

and start the samba services. Note that on Red Hat machines nmbd is started automatically, so if you do not want nmbd (which, as I said, we don't) comment the corresponding lines in /etc/init.d/smb out.

service smb start
service winbind start

Testing

Check network connectivity:

net lookup ldap

This should return the IP address of the LDAP server and its port number.

Check domain SIDs. SAMBA should have created its own machine domain SID and should have read the domain SID from LDAP:

net lookup name EXAMPLE.COM
net lookup name LARIX

This should return the SIDs.

Check to see if the user SIDs are there and correct:

net usersidlist

This should return testuser and nobody.

smbclient -L fs01.example.com -N

This is an anonymous logon check, just to see if we can list the shares available on the server; if this fails samba is probably not running.

List the services available on our server as user testuser using our Kerberos ticket:

kinit testuser
smbclient -U testuser -L fs01.example.com -k

Connect to a share using our Kerberos ticket:

smbclient -U testuser //fs01.example.com/testuser -k

With ls you should be able to view the contents of the share. With put you can transfer a file from your local system to the remote one. The smbclient interface works much like an FTP client, so if you are familiar with FTP, test the share as you like. ? gives you an overview of the available commands, and quit closes the connection.

Resources