Saturday, April 10, 2010

Samba4 AD Domain Controller to serve Solaris and Windows

The installation of Samba4 as DC is almost finished. Despite some minor issues and a bit of work it was a rather pleasant thing to do. I'll document the steps I had to take here as a small reference. Linux clients are still open, so for now this is very Solaris-centric, but it should be easy to reproduce on Linux.

Start off with the Samba4 how-to here. It gives all the information needed to build and set up your DC. Once that is done you are ready to serve Windows clients.
But I want to go a bit further and use the data in Samba4's LDAP to serve the Unix boxes as well.

For wide parts I followed Scott Lowe's post on integrating Solaris 10 and Active Directory.
Since a few things differ when using Samba4 as AD I'll list the steps with short comments here again:

I skipped the part about installing "Server for NIS" on the AD server. When I started setting things up I didn't have the schema used by AD and SFU at hand. You only need it if you plan to manage your users with the MS tools (MMC and the likes). Since I tend to do that from my Solaris box with a few scripts, I found the presence of the posixAccount and shadowAccount objectclasses sufficient. As it turns out, the schema needed for the SFU attributes can be found here.

I created a test account with

net newuser test password

(note that this puts the password on the command line, so it ends up in the shell history and is visible in ps output while the command runs; use a throwaway password here and change it afterwards) and set the required attributes with ldapmodify. Keep the bind password off the command line as well: the Solaris ldap tools take -j passwdfile instead of -w password.

ldapmodify -h ldapserver -D administrator@YOURDOMAIN -j /root/.ldappw
dn: cn=test,cn=users,dc=YOURDOMAIN
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 1000
-
add: gidnumber
gidnumber: 100
-
add: unixhomedirectory
unixhomedirectory: /home/test
-
add: loginshell
loginshell: /bin/tcsh

This will be done with a little script later, including creating a ZFS dataset for the user, finding the next free uidNumber and so on. For now this is just fine.
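As an added example (not the script the post refers to, which is not on the page), here is one way such a script could look. It generates the ldapmodify LDIF above for a new user and picks the next free uidNumber from an ldapsearch of the existing posixAccount entries. The LDAP host, base DN, admin DN, password file, uid range and ZFS pool layout are assumptions; the Solaris ldap tools read the bind password from a file with -j (OpenLDAP's tools spell this -y).

```shell
#!/bin/sh
# Added example, not the post's own script: generate the posixAccount/
# shadowAccount LDIF for a freshly created Samba4 user and pick the next free
# uidNumber. Assumptions (not from the post): LDAPHOST, BASE, BINDDN, PWFILE,
# the uid range starting at UID_MIN and the ZFS layout tank/export/home.
LDAPHOST=${LDAPHOST:-ldapserver}
BASE=${BASE:-dc=YOURDOMAIN}
BINDDN=${BINDDN:-administrator@YOURDOMAIN}
PWFILE=${PWFILE:-/root/.ldappw}        # mode 0600, keeps the password out of ps/history
UID_MIN=${UID_MIN:-1000}
DEFAULT_GID=100
DEFAULT_SHELL=/bin/tcsh

# valid_name NAME: the name ends up in a DN and in a zfs create, so refuse
# anything that is not a plain lowercase Unix login (no ",", "=" or newlines
# that could turn into extra LDIF attributes or a different DN).
valid_name() {
    case $1 in
        '' | *[!a-z0-9_-]*) return 1 ;;
        [a-z]*)             return 0 ;;
        *)                  return 1 ;;
    esac
}

# next_free_uid: read ldapsearch output ("uidNumber: N" lines) on stdin and
# print the lowest unused number >= UID_MIN. Gaps left by deleted users are
# reused. Not safe against two admins running this at the same time.
next_free_uid() {
    awk -v min="$UID_MIN" '
        tolower($1) == "uidnumber:" { used[$2] = 1 }
        END { uid = min; while (uid in used) uid++; print uid }'
}

# posix_ldif USER UID [GID] [HOME] [SHELL]: the modify LDIF from the post,
# generated instead of typed.
posix_ldif() {
    user=$1; uid=$2
    gid=${3:-$DEFAULT_GID}; home=${4:-/home/$user}; shell=${5:-$DEFAULT_SHELL}
    printf 'dn: cn=%s,cn=users,%s\nchangetype: modify\n' "$user" "$BASE"
    printf 'add: objectclass\nobjectclass: posixaccount\n-\n'
    printf 'add: objectclass\nobjectclass: shadowaccount\n-\n'
    printf 'add: uidnumber\nuidnumber: %s\n-\n' "$uid"
    printf 'add: gidnumber\ngidnumber: %s\n-\n' "$gid"
    printf 'add: unixhomedirectory\nunixhomedirectory: %s\n-\n' "$home"
    printf 'add: loginshell\nloginshell: %s\n' "$shell"
}

# Usage: newposix.sh USER [GID] [SHELL]   (does nothing when run without args)
if [ $# -ge 1 ]; then
    user=$1
    valid_name "$user" || { echo "refusing user name: $user" >&2; exit 1; }
    uid=$(ldapsearch -h "$LDAPHOST" -b "$BASE" -D "$BINDDN" -j "$PWFILE" \
              '(objectclass=posixaccount)' uidnumber | next_free_uid)
    posix_ldif "$user" "$uid" "$2" "/home/$user" "$3" |
        ldapmodify -h "$LDAPHOST" -D "$BINDDN" -j "$PWFILE" || exit 1
    # Home directory as its own dataset on the file server (assumed layout);
    # clients reach it as /home/$user through the auto_home map.
    zfs create "tank/export/home/$user" &&
        chown "$uid:${2:-$DEFAULT_GID}" "/export/home/$user"
fi
```

The uid choice is the weak spot: two runs in parallel can pick the same number, so the uidNumber should be checked for uniqueness once more after the modify, or the script serialized with a lock, before this is used for more than a handful of accounts.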

Well, almost perfect. Unfortunately the MS AD schema used by Samba4 doesn't know anything about automount maps, so I had to add the necessary schema.
The schema definition is here. The maps LDIF creates an auto_master map with entries for /net and /home, and an auto_home map with the single entry
* fileserver:/export/home/&
The schema (automount.ldif) can be added using ldapadd. Creating the actual maps with ldapadd fails though: it gives a naming violation and I haven't found out why yet. Luckily Samba4 brings ldbmodify, which can process LDIFs and write them straight into the database.
Point it to the ldb file for your domain (those files are in $SAMBAHOME/private/sam.ldb.d/):
ldbmodify -H $SAMBAHOME/private/sam.ldb.d/DC%3DYOURDOMAIN.ldb -U administrator automount_maps.ldif
Make a backup of $SAMBAHOME/private before doing this; ldbmodify writes into the live database. Afterwards an ldapsearch -b dc=YOURDOMAIN '(objectclass=automountMap)' against the DC should return both maps.

Next is Kerberos. For that to work we need a service principal in the Kerberos database for each host we want to join.
Scott's post suggests creating a user account for each Solaris machine and using ktpass.exe to generate a keytab file. Since I couldn't find a version of ktpass that would work on the Windows 7 virtual machines I have here, I went another way. The easiest was to use Samba3 and join the machines as domain members with a minimal smb.conf:
workgroup = DOMAIN
realm = REALM
security = ADS

When the smb.conf is in place, do the basic Kerberos setup on the Solaris client. Either use kclient to configure everything or copy the krb5.conf from your S4 DC; that file is created during provisioning and lives in $SAMBAHOME/private/krb5.conf. On Solaris krb5.conf goes into /etc/krb5.
Test your Kerberos setup with
kinit administrator@REALM
(mind the uppercase for the realm; realm names are case sensitive). That should exit without error. You can check your ticket with klist.
If that worked, join the domain with
net ads join -U administrator
After a successful join,
net keytab create
writes the host's keys into a local keytab. The Samba3 that comes with Solaris 10 writes krb5.keytab to /etc, but the Solaris Kerberos client expects that file in /etc/krb5, so move it there. The keytab holds the host's long-term keys: keep it root-owned and mode 0600, and verify the move with klist -k /etc/krb5/krb5.keytab, which should list host/<fqdn>@REALM.
Now we have Kerberos configured and the needed keytab in place.
Tell PAM to use Kerberos for authentication by modifying /etc/pam.conf to look like this:

other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1

With pam_krb5 marked sufficient, a successful Kerberos authentication ends the auth stack, while local accounts still fall through to pam_unix_auth. This is also where the host keytab matters: pam_krb5 uses the host's key to verify the TGT it just obtained, which is what keeps a spoofed KDC from logging someone in. Only the auth stack is changed here; the password stack has no pam_krb5 entry, so passwd on the Solaris side will not touch the Kerberos password.

The last missing piece is the LDAP configuration. For now I trimmed the ldapclient line from Scott's post down to:
ldapclient manual \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a defaultServerList=172.16.1.10 \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a serviceSearchDescriptor=passwd:cn=users,dc=example,dc=com \
-a serviceSearchDescriptor=group:cn=users,dc=example,dc=com

Note what this leaves out: there is no credentialLevel or authenticationMethod, so the client queries 172.16.1.10 anonymously over plain LDAP on port 389. That is fine for a lab; for anything else add -a credentialLevel=proxy with a proxyDN and proxyPassword, and -a authenticationMethod=tls:simple once the DC's certificate is trusted by the client, so that the lookups are authenticated and encrypted.

Problem is that this expects the users to have objectclass posixAccount and shadowAccount (no problem for me, since my scripts set those). The Windows tools only set objectclass user (see the objectClassMap in Scott's post).
I tried with that mapping in place, but found that getent passwd fails to list the LDAP users, getent passwd username works, finger fails, and logins work. I assume there is something wrong with getent in Solaris, but I need to investigate a little more.
Without the objectClassMap in place everything works just fine.
One piece of advice: ldapclient copies /etc/nsswitch.ldap to /etc/nsswitch.conf. So go and check that file, especially the hosts line. You surely want dns in there... ;-)
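The Kerberos, keytab, PAM and ldapclient steps above each have a way to go quietly wrong (keytab in the wrong place or world-readable, lowercase realm, hosts line without dns, pam_krb5 missing). As an added example that is not part of the original post, here is a small check script for the Solaris client that tests for exactly those conditions. The file locations are the Solaris ones from the post; REALM, the host name and the expected owner are assumptions taken from the environment.

```shell
#!/bin/sh
# Added example, not from the original post: post-setup checks for the Solaris
# client. Paths are the Solaris ones used in the post; REALM is assumed to be
# set in the environment when the live checks are run.
KEYTAB=${KEYTAB:-/etc/krb5/krb5.keytab}
PAMCONF=${PAMCONF:-/etc/pam.conf}
NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}

# realm_is_upper REALM: realm names are case sensitive and the post uses the
# uppercase form everywhere (kinit administrator@REALM).
realm_is_upper() {
    case $1 in '' | *[a-z]*) return 1 ;; esac
    return 0
}

# keytab_has_principal PRINCIPAL   (reads "klist -k" output on stdin)
# Entry lines look like "   2 host/sol.example.com@EXAMPLE.COM"; match the
# principal regardless of key version number.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }'
}

# keytab_mode_ok FILE [OWNER]: the keytab is the host's long-term key. It must
# be owned by OWNER (root in production) and readable by nobody else; moving
# it from /etc to /etc/krb5 does not change a sloppy mode.
keytab_mode_ok() {
    owner=${2:-root}
    set -- $(ls -ld "$1")          # perms links owner group ...
    case $1 in -rw-------*) [ "$3" = "$owner" ] ;; *) return 1 ;; esac
}

# nsswitch_hosts_has_dns (reads nsswitch.conf on stdin): ldapclient replaces
# nsswitch.conf with nsswitch.ldap; without dns on the hosts line the client
# cannot even find the KDC.
nsswitch_hosts_has_dns() {
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i == "dns") ok = 1 }
         END { exit !ok }'
}

# pam_auth_uses_krb5 (reads pam.conf on stdin): the auth stack from the post
# needs pam_krb5.so.1, and pam_unix_auth.so.1 must still be there so local
# accounts keep working when the KDC is unreachable.
pam_auth_uses_krb5() {
    awk '$1 == "other" && $2 == "auth" && $4 == "pam_krb5.so.1"      { krb = 1 }
         $1 == "other" && $2 == "auth" && $4 == "pam_unix_auth.so.1" { unix = 1 }
         END { exit !(krb && unix) }'
}

# Live checks run only when asked:   REALM=EXAMPLE.COM sh check.sh run
# (hostname must return the FQDN that net ads join registered).
if [ "${1:-}" = run ]; then
    status=0
    realm_is_upper "${REALM:-}" ||
        { echo "REALM must be set, in uppercase" >&2; status=1; }
    keytab_mode_ok "$KEYTAB" ||
        { echo "$KEYTAB: must be root-owned, mode 0600" >&2; status=1; }
    klist -k "$KEYTAB" | keytab_has_principal "host/$(hostname)@${REALM:-}" ||
        { echo "$KEYTAB: no host/$(hostname)@${REALM:-} entry" >&2; status=1; }
    nsswitch_hosts_has_dns < "$NSSWITCH" ||
        { echo "$NSSWITCH: hosts line has no dns" >&2; status=1; }
    pam_auth_uses_krb5 < "$PAMCONF" ||
        { echo "$PAMCONF: auth stack lacks pam_krb5 or pam_unix_auth" >&2; status=1; }
    exit $status
fi
```

Each check is a shell function that reads the relevant file or command output, so the same functions can be pointed at a copy of a config taken from another box; the live run wires them to the real files and exits non-zero if anything is off.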

Now users can log in with their domain accounts and have a common password for both Windows and Solaris.
I need to play around with the mappings a little more and get a few more maps into LDAP (auth_attr, prof_attr and project at least). Also, at the moment I cannot change the password from a Solaris client.
Let me know if you need more details on any part of the setup; I'll try to help.

12 comments:

aszeszo said...

Nice post. Good to hear that Samba 4 runs fine on Solaris.

Andrzej

steve said...

Hi
Am struggling with the gid:uid, home directory problem Samba 4 and Linux. Samba 4 is no problem for windows clients but will not work for filesharing on Linux clients due to the wrong uid:gid. Have you got any further with this? Do you know if it works with Linux? I have openSUSE 12.1. I'd like to nfs the /home/DOMAIN/users folder over to the clients and use Samba 4 for authentication. Is this what you are doing here? Thanks so much for your time and sorry for the questions. I'm relatively new to this but do have a samba3/ldap single sign on lan working for windows and Linux clients at the moment. Wanted to migrate to Samba 4.
Thanks
Steve.

steve said...

Finally went out and did it:

http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html

Happy new year!

On Lawn said...

Hello, your automount.ldif link no longer works?

Thanks though for all the help. I'm hoping that automount is what is keeping smbadm from joining my samba4 domain right now.

phaedrus77 said...

the link works fine for me. what error do you get?
here's the ldif:

dn: automountmapname=auto_master,dc=YOURDOMAIN
automountMapName: auto_master
objectClass: automountMap
objectClass: top


dn: automountKey=/home,automountmapname=auto_master,dc=YOURDOMAIN
automountInformation: auto_home -nobrowse,intr
automountKey: /home
objectClass: top
objectClass: automount


dn: automountKey=/net,automountmapname=auto_master,dc=YOURDOMAIN
automountInformation: -hosts -nosuid,nobrowse
automountKey: /net
objectClass: top
objectClass: automount


dn: automountmapname=auto_home,dc=YOURDOMAIN
automountMapName: auto_home
objectClass: automountMap
objectClass: top


dn: automountKey=*,automountmapname=auto_home,dc=YOURDOMAIN
automountInformation: fileserver:/export/home/&
automountKey: *
objectClass: top
objectClass: automount

you may need to fix the line breaks when copying from here...

On Lawn said...

Thanks, I found it with a little back tracing.

So I take it you did not use smbadm at all when joining the domain?

phaedrus77 said...

smbadm only helps to join solaris' native cifs server to a domain. since I use samba on the solaris boxes to serve files and needed native unix logins to be served via samba4 I didn't use smbadm. btw smbadm is not yet available in solaris10 - it came along when opensolaris got the kernel cifs bits.

steve said...

Hi again
Is there an ldbmodify we can use to extend the s4 schema with the automount.ldif file so we can add the automount attributes from your automount_maps.ldif?
To extend the AD schema under windows looks horrendously complicated!

phaedrus77 said...

I used the ldbmodify that got built alongside samba4. usage was
ldbmodify -H $SAMBAHOME/private/sam.ldb.d/DC%3DYOURDOMAIN.ldb -U administrator autmount_maps.ldif

steve said...

Hi
I tried that but got errors. I was wondering how you used not the autmount_maps.ldif, but the automount.ldif file. I think this is needed to extend the schema to enable you to add the contents of the automount_maps.ldif afterwards. As you say, the Samba4 schema knows nothing about automount maps.
Thanks

phaedrus77 said...

what's the error you got? indeed you need the schema definition before you can add the actual maps. it's been quite some time since i did this maybe i remember more when i see the error.

steve said...

Hi
This must be it:
1. Extend the schema
ldbmodify --url='CN=SCHEMA,CN=CONFIGURATION,DC=HH3,DC=SITE.ldb' /home/steve/Dropbox/automount.ldif
Modified 5 records with 0 failures

my current setup is this:
auto.master
/home2/POLOP /etc/auto.misc
auto.misc
* -rw,krb=5 hh1:/home2/POLOP/&

I have translated it to this for automount_maps.ldif:
dn: automountmapname=auto.master,dc=HH3,dc=site
automountMapName: auto.master
objectClass: automountMap
objectClass: top

dn: automountKey=/home2/POLOP,automountmapname=auto.master,dc=HH3,dc=SITE
automountInformation: auto.misc
automountKey: /home2/POLOP
objectClass: top
objectClass: automount

dn: automountmapname=auto.misc,dc=HH3,dc=SITE
automountMapName: auto.misc
objectClass: automountMap
objectClass: top

dn: automountKey=*,automountmapname=auto.misc,dc=HH3,dc=SITE
automountInformation: -rw,sec=krb5 hh1:/home2/POLOP/&
automountKey: *
objectClass: top
objectClass: automount

Does that translate OK?

Anyway:
2. would be to add the automount info:
ldbmodify --url='DC=HH3,DC=SITE.ldb' /home/steve/automount_maps.ldif
Modified 4 records with 0 failures

Now, how do I include the automount info under the dn of a user? e.g.here is a posixified domain user:

ldbsearch --url=sam.ldb cn=steve2suse
# record 1
dn: CN=steve2suse,CN=Users,DC=hh3,DC=site
cn: steve2suse
instanceType: 4
whenCreated: 20120403061101.0Z
uSNCreated: 3913
name: steve2suse
objectGUID: 18460dc2-ec58-4f50-946a-a51d9ccdcee7
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
objectSid: S-1-5-21-1036012963-3581365152-2408737896-1124
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: steve2suse
sAMAccountType: 805306368
userPrincipalName: steve2suse@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 129779070610000000
userAccountControl: 512
uidNumber: 3000023
gidNumber: 4004
unixHomeDirectory: /home2/POLOP/steve2suse
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
memberOf: CN=Domain Users,CN=Users,DC=hh3,DC=site
primaryGroupID: 1107
profilePath: \\hh1\profiles\steve2suse
homeDrive: Z:
homeDirectory: \\hh1\home\steve2suse
whenChanged: 20120403061118.0Z
uSNChanged: 3922
distinguishedName: CN=steve2suse,CN=Users,DC=hh3,DC=site

What attributes do I need to add for the automount?

Sorry about all these qns. I don't know of anyone else I could ask. I think we are a very small group doing this stuff!

TIA and thanks for your time

Post a Comment