Linux system administration course Spring 2019: 5th slideset: Network services 1

Page 1: course Linux system administration · Linux system administration course Spring 2019: 5th slideset: Network services 1

Linux system administration course

Spring 2019: 5th slideset: Network services 1

Page 2

Linux system administration, 5th slide set © Jani Jaakkola 2019

Centrally managed LAN services
● A LAN-networked office computer system needs:
○ Managed user accounts, authentication and user groups: PAM, NSS, LDAP, sssd.
■ Preferably with single sign-on: Kerberos, Shibboleth.
○ Network shared home and group directories: NFS, Samba/CIFS.
○ Printing services: CUPS, Samba.
○ Centrally managed LAN: DHCP and DNS.
■ Also switches and routers.
○ Centrally managed operating system installations: PXE boot, repositories, configuration.
○ Firewall between LAN and WAN.
○ Access to resources from outside the centrally managed network with a VPN.
● … cloud computing systems are replacing old ways of LAN management.
● Everything should be encrypted and identities cryptographically verified.

Page 3

User accounts and authentication from the network
● Glibc's builtin Name Service Switch (NSS) plugin mechanism enables user account information to be pulled from network sources.
● Pluggable Authentication Modules (PAM) is a plugin mechanism for authentication configuration.
○ Can be used for two-factor authentication.
● SSSD is a daemon that enables network authentication and local caching of identity and authentication data, including hashed credentials for offline login.
○ Provides NSS and PAM plugins.
● An LDAP server and protocol provide networked user account data.
○ With optional password authentication (the client binds with the user's password).
● A Kerberos server and protocol enable single sign-on.

Page 4

PAM: Pluggable Authentication Modules
● A library configurable with plugins for applications.
○ Validates users with account modules: that the user account exists and is valid (not expired or locked, allowed at this time and from this host).
○ Validates user identity with authentication modules: usually with a password, or with other methods.
○ Provides session setup for the user after login with session modules.
○ Provides an API for changing passwords with password modules.
● Assumes that interactive dialogs can be made with the user.
○ This assumption is not always correct (e.g. HTTP basic auth).
○ However, it allows implementation of a forced password change during login.
○ Can provide information and warnings during the login process.
● Allows different login daemons to have different configurations.
○ Different login rules for console logins, display manager logins, screensaver logins and ssh logins.

Page 5

PAM configuration files
● PAM configuration files are stored in /etc/pam.d
● One configuration file for every service (application) needing authentication.
○ /etc/pam.d/lightdm, /etc/pam.d/sshd
○ PAM authentication goes through the configured modules (and the modules' arguments) in the order they are listed, so order matters: a sufficient password module placed before a second-factor module lets a correct password end the stack without the second factor ever being asked.
○ With modules marked required, all of them must record a successful status for successful authentication. A failing required module does not stop the stack: the remaining modules still run, so the user cannot tell which module rejected them.
○ Modules marked requisite behave like required, but a failure ends the stack immediately.
○ With modules marked sufficient, a successful status for the module is enough to allow authentication, unless an earlier required module has already failed. A failing sufficient module is ignored.
○ Provides also a syntax ([success=N default=ignore ...]) for more complex module order evaluation.
○ Include directives allow system-wide configuration shared by all applications:
○ Ubuntu: /etc/pam.d/common-auth
○ Fedora: /etc/pam.d/system-auth

Page 6

PAM authentication process
1. First the user identity is verified with auth modules.
2. The user account is then verified with account modules.
3. If the user password needs changing, it is done with password modules.
4. A session is set up for the user with session modules.
● Some PAM modules:
○ Unix passwd/shadow PAM module: pam_unix
○ LDAP authentication module: pam_ldap
○ Kerberos authentication module: pam_krb5
○ SSSD daemon authentication: pam_sss (the module file is pam_sss.so; the daemon itself is sssd)
○ Run scripts during authentication: pam_exec
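How the control flags combine is easiest to see by running a stack. The following simulator is an added example, not code from the course: nothing here calls real PAM, the pam.d stacks and the module outcomes are constructed test data, and pam_google_authenticator.so appears only as the name of a second-factor module.

```python
"""Simulate how Linux-PAM combines the results of the modules in one stack.

Added example for this slide set, not course code.  Nothing here calls real
PAM: each module's outcome is supplied in a dict (constructed test data) so
that only the control-flag semantics are exercised.  Handled are the classic
keywords required / requisite / sufficient / optional; the bracketed
[success=N default=ignore] form used by Ubuntu's common-auth is not parsed.
"""

CONTROLS = ("required", "requisite", "sufficient", "optional")


def parse_stack(text, service_type="auth"):
    """Parse /etc/pam.d-style lines into (control, module) pairs of one type."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != service_type:
            continue
        control, module = fields[1], fields[2]
        if control not in CONTROLS:
            raise ValueError("unsupported control flag: " + control)
        stack.append((control, module))
    return stack


def run_stack(stack, results):
    """Return (granted, modules_called) following Linux-PAM's dispatch rules.

    results maps module name -> True (PAM_SUCCESS) or False (any failure).
    impression: None = nothing decided yet, True = positive, False = negative.
    """
    impression, called = None, []
    for control, module in stack:
        called.append(module)
        ok = results[module]
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False       # the final answer is now 'deny'
                if control == "requisite":
                    break                # requisite stops at once; required
                # keeps calling the remaining modules so the user cannot tell
                # which module rejected them
        elif control == "sufficient":
            if ok and impression is not False:
                impression = True
                break                    # success short-circuits the rest
            # a failing sufficient module is simply ignored
        elif control == "optional":
            if ok and impression is None:
                impression = True        # only counts if nothing else decided
    # A stack that produced no definite result is denied (PAM_PERM_DENIED).
    return impression is True, called


# Constructed stack: local password first, then the SSSD-backed network account.
COMMON_AUTH = """
auth    sufficient  pam_unix.so nullok_secure
auth    sufficient  pam_sss.so use_first_pass
auth    required    pam_deny.so
"""

# Constructed stack with a classic mistake: the password module is 'sufficient'
# and placed before the second factor, so a correct password alone ends the
# stack and the OTP module is never consulted.
WEAK_2FA = """
auth    sufficient  pam_unix.so
auth    required    pam_google_authenticator.so
"""

# Corrected: both factors are required, and both are always asked.
STRONG_2FA = """
auth    required    pam_unix.so
auth    required    pam_google_authenticator.so
"""


def demo():
    """Run the constructed stacks against constructed module outcomes."""
    common, weak, strong = parse_stack(COMMON_AUTH), parse_stack(WEAK_2FA), parse_stack(STRONG_2FA)
    deny = {"pam_unix.so": False, "pam_sss.so": False, "pam_deny.so": False}
    net_user = dict(deny, **{"pam_sss.so": True})
    pw_ok_otp_bad = {"pam_unix.so": True, "pam_google_authenticator.so": False}
    return {
        "common_net_user": run_stack(common, net_user),    # granted by pam_sss
        "common_bad_pw": run_stack(common, deny),          # pam_deny makes it explicit
        "weak_2fa_bypass": run_stack(weak, pw_ok_otp_bad), # OTP never consulted
        "strong_2fa": run_stack(strong, pw_ok_otp_bad),    # OTP consulted and fails
    }


if __name__ == "__main__":
    for name, (granted, called) in demo().items():
        print(name, "granted" if granted else "denied", called)
```

The "weak_2fa_bypass" case is the one to remember: with the password module marked sufficient, the stack returns success after pam_unix.so and the second factor is never called.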

Page 7

NSS: Name Service Switch
● Glibc's built-in plugin mechanism for mapping names to data.
○ A name can be a user account, group account, shadow account, DNS name, …
○ Used by glibc function calls: getpwuid(), initgroups(), gethostbyname(), ...
● Configured with /etc/nsswitch.conf
○ Can be automatically modified by package install scripts.
● NSS plugins have their own configuration files, depending on the plugin.
● The plugins nss_files and nss_compat implement the usual /etc/passwd, /etc/group, /etc/shadow and /etc/hosts configuration.
● The daemon nscd is provided with glibc; it allows NSS queries to be cached in memory.
○ Probably shouldn't be used anymore: sssd provides its own, more useful cache.

Page 8

Kerberos protocol

Page 9

Kerberos protocol
● Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. [wikipedia]
● Works with symmetric key cryptography and a trusted Kerberos server.
○ Here symmetric key cryptography means shared secrets: keys derived from passwords.
○ The trusted server is called the Authentication Server (AS) or Key Distribution Center (KDC).
○ The Kerberos server has a plaintext-equivalent copy of all secrets: its database holds the key derived from every password, so a compromised KDC means every principal is compromised.
● Kerberos accounts (users, computers, services) are called principals.
● Kerberos is used by MS Active Directory (since Windows 2000).
● Multiple Linux implementations: MIT Kerberos, Heimdal Kerberos, Java.
○ We use MIT Kerberos.

Page 10

Kerberos authentication
● A Kerberos client authenticates itself to the Authentication Server (AS).
○ The AS (part of the KDC) creates a ticket-granting ticket (TGT) and a session key.
○ The TGT is time-stamped and encrypted with the KDC's own krbtgt key, so the client cannot read it. The session key is returned alongside, encrypted with a key derived from the client's password.
○ The client decrypts the session key with its password-derived key; being able to use that session key is what proves the client knew the password.
○ The TGT is typically obtained at session login (kinit, or the Kerberos PAM module).
○ The TGT has a lifetime, after which it needs to be renewed.
● The TGT is used to obtain tickets to actual Kerberos services.
○ The client presents the TGT plus an authenticator (encrypted with the session key) to the Ticket Granting Service (TGS).
○ The TGS returns a service ticket, encrypted with the service principal's key, together with a new session key for the client and that service.
● In practice, AS, KDC and TGS are the same Kerberos domain server.
● Service principals validate the tickets by decrypting them with their own key: no round trip to the KDC is needed.

Page 11

Kerberos protocol diagram [wikipedia]

The Service Server does not need to connect to the AS to validate a ticket!
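The three exchanges described on the two slides above, as an added example that is not part of the course material and not a real Kerberos implementation: the cipher is a constructed HMAC-SHA256 encrypt-then-MAC scheme rather than a Kerberos enctype, pre-authentication is omitted, and the realm EXAMPLE.TEST, the principals and the passwords are made up. It shows the points the slides make: the KDC holds every long-term key, the client never reads the TGT, tickets carry a lifetime, and the service validates a ticket with nothing but its own keytab key.

```python
"""Toy model of the Kerberos AS, TGS and application (AP) exchanges.

Added example for the slide set, not course code and not real Kerberos.
The cipher below is a constructed encrypt-then-MAC built from HMAC-SHA256
(real Kerberos uses enctypes such as aes256-cts-hmac-sha1-96); keys are
derived with PBKDF2 in the spirit of RFC 3962's string-to-key; there is no
pre-authentication; realm, principals and passwords are made up.
"""
import hashlib, hmac, json, os

REALM = "EXAMPLE.TEST"        # constructed realm
LIFETIME = 10 * 3600          # ticket lifetime in seconds
SKEW = 300                    # allowed clock skew, as in MIT Kerberos


def string_to_key(password, principal):
    """Long-term key from a password, salted with realm + principal name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096)


def _stream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(n // 32 + 1))


def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key (toy cipher, fresh nonce)."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    """Verify the MAC and decrypt; the wrong key (or tampering) raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


class KDC:
    """AS and TGS in one process.  The database holds a key for EVERY principal."""

    def __init__(self, passwords):
        self.db = {p: string_to_key(pw, p) for p, pw in passwords.items()}
        self.db["krbtgt/" + REALM] = os.urandom(32)   # key that seals all TGTs

    def as_exchange(self, cname, now):
        """AS-REQ/AS-REP.  Without pre-authentication anyone could ask for this
        reply and brute-force the password offline; real KDCs require
        PA-ENC-TIMESTAMP first."""
        sk1, exp = os.urandom(32).hex(), now + LIFETIME
        tgt = seal(self.db["krbtgt/" + REALM], {"cname": cname, "key": sk1, "exp": exp})
        # Only the holder of the client's long-term key can read the session key.
        return {"tgt": tgt, "enc": seal(self.db[cname], {"key": sk1, "exp": exp})}

    def tgs_exchange(self, tgt, authenticator, sname, now):
        """TGS-REQ/TGS-REP: TGT + authenticator in, service ticket out."""
        t = unseal(self.db["krbtgt/" + REALM], tgt)         # only the KDC can open a TGT
        a = unseal(bytes.fromhex(t["key"]), authenticator)  # proves the client holds sk1
        if a["cname"] != t["cname"] or now > t["exp"] or abs(now - a["ts"]) > SKEW:
            raise ValueError("bad authenticator or expired TGT")
        sk2 = os.urandom(32).hex()
        ticket = seal(self.db[sname], {"cname": t["cname"], "key": sk2, "exp": now + LIFETIME})
        return {"ticket": ticket, "enc": seal(bytes.fromhex(t["key"]), {"key": sk2})}


def service_accept(keytab_key, ticket, authenticator, now):
    """AP exchange on the server: validated offline with the service's own key."""
    t = unseal(keytab_key, ticket)
    if now > t["exp"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["cname"] != t["cname"] or abs(now - a["ts"]) > SKEW:
        raise ValueError("authenticator mismatch")
    return t["cname"]                   # the authenticated client principal


def login_and_access(kdc, cname, password, sname, service_key, now):
    """Client side: kinit (AS), get a service ticket (TGS), talk to the service (AP)."""
    as_rep = kdc.as_exchange(cname, now)
    sk1 = bytes.fromhex(unseal(string_to_key(password, cname), as_rep["enc"])["key"])
    tgs_rep = kdc.tgs_exchange(as_rep["tgt"], seal(sk1, {"cname": cname, "ts": now}), sname, now)
    sk2 = bytes.fromhex(unseal(sk1, tgs_rep["enc"])["key"])
    # The service gets the ticket and a fresh authenticator; it never talks to the KDC.
    return service_accept(service_key, tgs_rep["ticket"], seal(sk2, {"cname": cname, "ts": now + 1}), now + 1)


def demo():
    # In practice a service key is random and written to /etc/krb5.keytab at join time.
    kdc = KDC({"alice": "correct horse", "nfs/fs1.example.test": "keytab-secret"})
    service_key = kdc.db["nfs/fs1.example.test"]
    return login_and_access(kdc, "alice", "correct horse", "nfs/fs1.example.test", service_key, now=1_700_000_000)


if __name__ == "__main__":
    print("service authenticated:", demo())
```

Note what the service never sees: the user's password or password-derived key, and the krbtgt key. That is why a stolen keytab only impersonates that service, while a dumped KDC database impersonates everyone.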

Page 12

Kerberos terminology
● A Kerberos realm (or Windows domain) is the collection of principals managed by one Kerberos domain controller (and its replicas).
○ The domain controller provides the AS, KDC and TGS services.
○ The name of a Kerberos realm is by convention the DNS domain in uppercase.
○ The Kerberos realm of DNS domain ad.helsinki.fi is AD.HELSINKI.FI
● A Kerberos principal is the identity of any Kerberos realm participant:
○ User principal: [email protected]
○ Host principal: host/[email protected]
○ AD host principal: [email protected]
○ Service principal: nfs/[email protected]
● The Kerberos ticket-granting ticket (TGT) is a ticket for the realm's own krbtgt service principal; it is used to get service tickets: krbtgt/[email protected]

Page 13

Where is Kerberos used?
● Kerberos can be used to authenticate access and validate the identity of:
○ NFS file shares
○ Samba/CIFS file shares
○ Network printers.
○ SSH services.
○ http/https services.
○ LDAP directory access services.
● Anything which implements GSSAPI.
○ Generic Security Service Application Program Interface.
○ An API (with SPNEGO as the on-the-wire negotiation) for negotiating authentication in client/server interactions.
○ Mostly used to embed Kerberos authentication in other network protocols.

Page 14

Kerberos drawbacks
● The authentication server is a single point of failure.
○ The AS needs to be replicated.
○ If the authentication server is breached, all secrets including passwords need to be changed.
■ The protocol supports public key authentication (PKINIT), but it is rarely deployed outside smart-card logins.
● Tickets expire. Getting a new ticket needs the password (or a keytab).
● Clocks need to be kept in sync, also at boot time: the KDC rejects authenticators outside the allowed clock skew (5 minutes by default).
● The administration protocol is not standardized: no standard management API.
● Kerberos principals are assumed to be the same as DNS names!
○ Avoid strange problems: always keep DNS names and Kerberos principals the same!
■ Old Windows versions don't always validate DNS principals.
● Kerberos only works inside trusted domains (realms with a trust relationship).

Page 15

Implementing Kerberos
● A Kerberos server needs to be set up to use Kerberos.
○ This isn't a simple process...
○ The MIT Kerberos server is an option.
● But just a Kerberos server is not enough!
○ User management, host management and DNS management are needed.
○ You probably shouldn't bother with a bare MIT Kerberos setup.
● Red Hat FreeIPA and MS Active Directory provide the needed admin tools.
● Shared secrets for users and hosts need to be established.
○ User passwords need to be set or provided by the user to the KDC.
○ Principals need to be joined to the Kerberos realm with some protocol or process.
■ The join process establishes the shared secret between the principal and the KDC.

Page 16

MIT Kerberos usage
● Configuration file /etc/krb5.conf:
○ Provides the default realm.
○ Maps DNS domains to Kerberos realms and realms to Kerberos servers.
○ Configures how DNS aliases are resolved (host name canonicalization).
● Keytab: list of the host's principals and secret keys: /etc/krb5.keytab
○ Equivalent to a password stored in a file: keep it readable by root only (mode 0600).
● Command line:
○ Get a new TGT from the KDC: kinit <principal>
■ Environment variable KRB5CCNAME points to the ticket cache where the ticket is saved.
○ Renew the TGT, if still renewable: kinit -R (or krenew from the kstart package)
○ List the contents of the ticket cache: klist
○ Manage a keytab: ktutil
○ Destroy the ticket cache: kdestroy
○ Change the Kerberos password: kpasswd

Page 17

Configure OpenSSH to allow Kerberos
● Each line below lists the option and its default value; set it to yes to enable the feature. GSSAPIKeyExchange, GSSAPIRenewalForcesRekey and GSSAPIStoreCredentialsOnRekey come from the Debian/Ubuntu GSSAPI key exchange patch and are not in upstream OpenSSH.
● SSH client:
○ Use Kerberos to validate the ssh server identity: GSSAPIKeyExchange no
○ Delegate Kerberos tickets to the server: GSSAPIDelegateCredentials no
■ This can be dangerous. The delegated credentials can be used to act on behalf of the accessing user by a hostile server. Enable it only in Host blocks for specific trusted servers, never under Host *.
○ Delegate renewed Kerberos tickets: GSSAPIRenewalForcesRekey no
● SSH server:
○ Allow Kerberos authentication: GSSAPIAuthentication no
○ Allow Kerberos to validate the server identity: GSSAPIKeyExchange no
○ Automatically destroy delegated credentials on logout: GSSAPICleanupCredentials yes
○ Strict principal validation (accept only the host principal matching the server's own name): GSSAPIStrictAcceptorCheck yes
○ Delegate also renewed tickets: GSSAPIStoreCredentialsOnRekey no

Page 18

Configure browsers for Kerberos
● Firefox: add trusted Kerberos services to preferences:
○ pref("network.negotiate-auth.trusted-uris","login.helsinki.fi, stshy.helsinki.fi");
○ From file: /usr/lib/firefox/defaults/pref/login-helsinki-fi-spnego.js
● Google Chrome and Chromium:

jjaakkol@melkki:~$ cat /etc/opt/chrome/policies/recommended/disable-cname-lookup.json \
    /etc/opt/chrome/policies/recommended/login-helsinki-fi-spnego.json
// JJ: stshy maps to stshy.itx, which does not have a kerberos principal
{ "DisableAuthNegotiateCnameLookup": true }
// Enable Kerberos SPNEGO logins to login.helsinki.fi
{ "AuthServerWhitelist": "login.helsinki.fi, stshy.helsinki.fi" }

Page 19

LDAP protocol

OpenLDAP, ldapsearch, FreeIPA

Page 20

LDAP: Lightweight Directory Access Protocol
● Open application protocol for accessing and maintaining distributed directory information services.
○ RFC 4511: https://tools.ietf.org/html/rfc4511
● LDAP provides a central place to store usernames and user metadata.
○ User full name, UID, GID, email, telephone number, room number, ...
● The LDAP directory can also provide:
○ User groups and metadata.
○ Host configuration and metadata.
○ Any centrally managed configuration: lists of network shares, lists of printers.
○ Public keys and Kerberos principals for directory objects.
○ Allows administrators to configure the available information with schemas.
● An LDAP server is a database server: data can be queried and also changed.

Page 21

LDAP directory hierarchy
● LDAP data is ordered in a directory hierarchy by organisation and organisational subunits.
● By convention the root of the hierarchy is the organisation's DNS domain:
○ dc=cs,dc=helsinki,dc=fi
● An organisation can have multiple subunits.
○ Administration of an LDAP subdirectory can be delegated to the subunit.
● One LDAP server can handle multiple different domains and subunits.
○ Also by referring to another LDAP server with a referral.

LDAP directory tree, domain-based naming [openldap documentation]:

Page 22

LDAP entry
● An LDAP server stores data as LDAP entries.
● An LDAP entry always has an exact location in the directory hierarchy.
○ Given with the Distinguished Name (DN) attribute.
● Entries contain attributes, where an attribute is a name and value pair.
● Entries always have one or more object classes.
○ An object class specifies what attributes an entry is allowed to have and what it needs to have.
○ The LDAP database has a schema where object classes and their attributes are specified.
● Entries can have multiple instances of some attributes:
○ Including multiple objectClass attributes.
○ A user can have multiple phone numbers.
● Entries can be searched with the LDAP search filter query language.
○ LDAP clients use LDAP search filters to access LDAP services.

Page 23

LDIF: LDAP Data Interchange Format
● The LDAP Data Interchange Format (LDIF) is a standard plain text data interchange format for representing LDAP (Lightweight Directory Access Protocol) directory content and update requests. [wikipedia]
● LDIF can also be used to make changes to LDAP directory data.

dn: cn=Barbara Jensen, ou=Product Development, dc=airius, dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
uid: bjensen
telephonenumber: +1 408 555 1212
description: Babs is a big sailing fan, and travels extensively in search of perfect sailing conditions.
title: Product Manager, Rod and Reel Division

Page 24

LDAP searches
● LDAP data is accessed by LDAP searches.
● To perform an LDAP search you need:
○ An LDAP server which is accessible.
○ The LDAP directory base, under which the search is performed.
○ A user account in the LDAP server to perform the search, if anonymous search is not available.
● Just authenticate (simple bind, password prompted with -W):
○ ldapsearch -W -H ldaps://ldapauth.it.helsinki.fi/ -D uid=jjaakkol,ou=people,dc=helsinki,dc=fi
● Find user jjaakkol:
○ ldapsearch -xZZH ldap://ldapauth.it.helsinki.fi:389 -b ou=people,dc=helsinki,dc=fi uid=jjaakkol "*" memberOf
■ -ZZ demands StartTLS on the plain ldap:// port 389 and fails if the server cannot do it. With ldaps:// (port 636) TLS is already on and -ZZ must not be used.
○ ldapsearch -x -H ldaps://ldap1.cs.helsinki.fi/ -b dc=cs,dc=helsinki,dc=fi '(&(sn=Jaakkola)(givenName=Jani))'
● Never do a simple bind over plain ldap:// without -ZZ: the password crosses the network in clear text.

Page 25

LDAP search syntax
● LDAP search filter syntax (RFC 4515) is a simple query language.
● Search criteria:
○ Equality: (attribute=abc) (&(objectClass=user)(sn=Foeckeler))
○ Negation: (!(attribute=abc)) (!(objectClass=group))
○ Presence: (attribute=*) (mailNickName=*)
○ Absence: (!(attribute=*)) (!(proxyAddresses=*))
○ Greater than or equal: (attribute>=abc) (uidNumber>=1000000)
○ Less than or equal: (attribute<=abc) (uidNumber<=100000)
○ Proximity: (attribute~=abc) (displayName~=Foeckeler)
○ Wildcards: (sn=F*) or (mail=*@cerrotorre.de) or (givenName=*Paul*)
● Simple expressions:
○ And: (&(objectClass=user)(givenName=Jani)(sn=Jaakkola))
○ Or: (|(sn=Niemelä)(sn=Niemiela)(sn=Nieminen))
● The characters ( ) * \ inside a value must be escaped as \28 \29 \2a \5c. A filter built by pasting unescaped user input into it is an LDAP injection: (uid=*) typed into a login form matches every user.
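The LDIF slide and the filter syntax above, as one added example that is not course code: an LDIF parser and a filter evaluator that runs the filters against the parsed entries the way a server would. The first entry is the Barbara Jensen record from the LDIF slide; the uid=jjaakkol and cn=admins entries and their values (uidNumber 1000) are constructed. Approximate match (~=) is simplified to a case-insensitive comparison, \XX escapes in values and objectClass inheritance are not modelled.

```python
"""Parse LDIF and evaluate RFC 4515 search filters against the parsed entries.

Added example for the slide set (not course code).  The first entry is the
Barbara Jensen record from the LDIF slide; the other two are constructed.
Covered: =, >=, <=, ~=, presence (=*), substrings with *, and &, |, !.
Simplifications: ~= is a case-insensitive compare, \\XX escapes in values
and objectClass inheritance (inetOrgPerson is-a person) are not handled.
"""
import re

LDIF = """\
dn: cn=Barbara Jensen, ou=Product Development, dc=airius, dc=com
objectclass: person
objectclass: organizationalPerson
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
uid: bjensen
description: Babs is a big sailing fan, and travels extensively in search of
  perfect sailing conditions.

dn: uid=jjaakkol,ou=people,dc=helsinki,dc=fi
objectClass: inetOrgPerson
uid: jjaakkol
givenName: Jani
sn: Jaakkola
uidNumber: 1000

dn: cn=admins,ou=groups,dc=helsinki,dc=fi
objectClass: groupOfNames
cn: admins
member: uid=jjaakkol,ou=people,dc=helsinki,dc=fi
"""


def parse_ldif(text):
    """Return entries as dicts: lowercase attribute name -> list of values."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" "):            # continuation: join after dropping one space
            lines[-1] += raw[1:]
        elif raw.strip():
            if not raw.startswith("#"):
                lines.append(raw)
        elif lines:                        # a blank line ends the entry
            entry = {}
            for line in lines:
                name, _, value = line.partition(":")
                entry.setdefault(name.strip().lower(), []).append(value.strip())
            entries.append(entry)
            lines = []
    return entries


def parse_filter(s):
    """Recursive-descent parser: filter string -> nested tuples."""
    def item(i):
        j = s.index(")", i)
        m = re.fullmatch(r"([A-Za-z][\w.;-]*)(>=|<=|~=|=)(.*)", s[i:j])
        if not m:
            raise ValueError("bad filter item: " + s[i:j])
        return ("item", m.group(1).lower(), m.group(2), m.group(3)), j + 1

    def node(i):
        if s[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        if s[i + 1] in "&|":
            op, subs, i = s[i + 1], [], i + 2
            while s[i] == "(":
                sub, i = node(i)
                subs.append(sub)
            return (op, subs), i + 1       # skip the closing ')'
        if s[i + 1] == "!":
            sub, i = node(i + 2)
            return ("!", sub), i + 1
        return item(i + 1)

    tree, end = node(0)
    if end != len(s):
        raise ValueError("trailing characters after filter")
    return tree


def _key(v):
    """Order integers numerically (uidNumber), everything else case-insensitively."""
    return (0, int(v)) if re.fullmatch(r"-?\d+", v) else (1, v.lower())


def match_item(entry, attr, op, pattern):
    values = entry.get(attr, [])
    if op == "=" and pattern == "*":                     # presence
        return bool(values)
    if op == "=" and "*" in pattern:                     # substring
        rx = ".*".join(re.escape(p) for p in pattern.split("*"))
        return any(re.fullmatch(rx, v, re.IGNORECASE) for v in values)
    for v in values:
        if op in ("=", "~=") and v.lower() == pattern.lower():
            return True
        if (op == ">=" and _key(v) >= _key(pattern)) or (op == "<=" and _key(v) <= _key(pattern)):
            return True
    return False


def evaluate(tree, entry):
    kind = tree[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(evaluate(t, entry) for t in tree[1])
    if kind == "!":
        return not evaluate(tree[1], entry)
    return match_item(entry, *tree[1:])


def search(entries, filter_text):
    """DNs of the entries matching the filter, in directory order (like ldapsearch)."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if evaluate(tree, e)]
```

Calling search(parse_ldif(LDIF), "(&(sn=Jaakkola)(givenName=Jani))") returns the uid=jjaakkol DN only; "(!(uid=*))" returns just the group, since it is the one entry with no uid.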

Page 26

LDAP schemas
● LDAP objectClasses are defined in LDAP schemas.
○ The schema tells which attributes are allowed in an objectClass and what the types of the attribute values are.
○ An object can have multiple object classes (as long as they are not incompatible).
● The inetOrgPerson LDAP schema
○ Defined in RFC 2798; it builds on the core user schema of RFC 4519: https://docs.ldap.com/specs/rfc4519.txt
○ Standard for representing persons in an organisation.
● Groups in LDAP:
○ List the groups a user belongs to with memberOf attributes (maintained by the server, e.g. Active Directory or the OpenLDAP memberof overl ay).
○ A separate group object lists the group members and metadata.

Page 27

OpenLDAP
● OpenLDAP implements LDAP for Linux:
○ Library for LDAP applications.
○ Command line clients for searches and data updates (ldapsearch, ldapadd, ldapmodify).
○ LDAP server called slapd
● OpenLDAP client configuration file: /etc/ldap/ldap.conf
● Server configuration file: /etc/ldap/slapd.conf (legacy; current releases use the dynamic cn=config database under /etc/ldap/slapd.d, edited with ldapmodify)

Page 28

FreeIPA
● FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools.
● Can integrate with MS Active Directory, including trust relationships.
● If there are Windows clients in the domain, you probably need Active Directory.
● Provides a web UI for management.

Page 29

MS Active Directory

Page 30

Active Directory
● Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks (used since Windows 2000).
○ Requires a license from MS.
● Provides services:
○ Kerberos for authentication and single sign-on.
○ LDAP for user, group and computer accounts.
■ Also for centrally maintained configuration and configuration updates.
■ There is a separate Unix compatibility LDAP schema (RFC 2307 style) that adds uidNumber, gidNumber and other Unix attributes.
○ DNS and DHCP for network management.
○ Can manage user and computer certificates.
● The Active Directory account namespace (sAMAccountName) is flat: user accounts, groups and computers in a domain share one namespace and must have distinct names.

Page 31

AD and computer accounts
● In AD computers are also user accounts.
● A computer account is needed for accessing the AD LDAP server (authenticated bind).
● Establishing a computer account is called joining the AD domain.
○ A computer account has a password: this is the same secret as the Kerberos key stored in /etc/krb5.keytab
○ Joining computers to the AD domain needs administrator privileges in the domain.
■ Or the admin can create other accounts that have join privileges for certain computer accounts.
○ The administrator can also pre-create computer accounts with a known default password, which the joined computer then automatically changes.
■ Until that first change anyone who knows the default password can join as that computer, so keep the window short.
● The utility msktutil can join computers to AD.

Page 32

AD and computer account attributes
● The computer account objectClass is computer
○ Since a computer account has a password it also has a SAM account.
■ Security Account Manager attribute: sAMAccountName (by convention the computer name with a trailing $)
■ When joining: msktutil --computer-name
○ The single attribute userPrincipalName (UPN) is used when the computer acts as a client.
■ By default [email protected]
■ When joining: msktutil --upn
○ Multiple servicePrincipalName (SPN) attributes list the principals the computer is known as.
■ When joining: msktutil --service host/fqdn.com --service nfs/fqdn.com
○ Attribute dNSHostName gives the DNS name of the computer.
■ When joining: msktutil --hostname fqdn.com
● Create the computer account and join the computer to AD with msktutil:
○ msktutil --create --server ad-server.domain.com --computer-name computer-object

Page 33

AD computer account example

dn: CN=dx6-melkinkari,OU=cs,OU=linux,OU=thcomp,DC=ad,DC=helsinki,DC=fi
objectClass: user
objectClass: computer
cn: dx6-melkinkari
description: Interactive ssh server melkinkari.cs.helsinki.fi
whenCreated: 20160914122543.0Z
whenChanged: 20190324195716.0Z
lastLogon: 131985241620273711
pwdLastSet: 131831153693675638
sAMAccountName: DX6-MELKINKARI$
operatingSystem: Cubbli 18
dNSHostName: melkinkari.cs.helsinki.fi
userPrincipalName: host/[email protected]
servicePrincipalName: host/dx6-melkinkari.ad.helsinki.fi
servicePrincipalName: host/melkinkari.cs.helsinki.fi
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=helsinki,DC=fi
isCriticalSystemObject: FALSE

Page 34

SSSD

System Security Services Daemon

Page 35

SSSD: System Security Services Daemon
● The SSSD daemon is a Linux client for LDAP and Kerberos servers.
○ Implements authentication with the pam_sss PAM module.
○ Implements user and group lists with the nss_sss NSS module.
● SSSD is an intermediary between local clients and any configured data store.
● SSSD maintains a cache of remote data:
○ User account data is available from the cache when the remote server is offline.
○ Allows offline authentication with a cached (hashed) password, for mobile workstations.
○ Reduces load on remote servers.
● Can maintain the Kerberos ticket cache, optionally with automatic ticket renewal.
○ Also with a cached password.

Page 36

SSSD configuration
● A single SSSD configuration can access multiple different domains.
● Configuration file /etc/sssd/sssd.conf (must be owned by root with mode 0600, or sssd refuses to start)
○ Contains global settings, PAM settings, NSS settings and the configured authentication domains.
● SSSD identity and authentication providers:
○ LDAP identity provider: sssd-ldap
○ Active Directory identity provider: sssd-ad
○ Kerberos authentication provider: sssd-krb5
○ FreeIPA provider: sssd-ipa
● SSSD can also manage:
○ Autofs mount maps.
○ Sudo access lists.
○ OpenSSH public keys (served to sshd through AuthorizedKeysCommand).

Page 37

NFS

Network File System

Page 38

NFS: Network File System
● Network File System is the Unix native protocol for sharing files over a network.
○ NFS v2, RFC 1094, 1989
■ Stateless protocol. Locks implemented with a separate protocol (NLM). 32-bit file sizes.
○ NFS v3, RFC 1813, 1995
■ 64-bit file sizes. Avoids useless file attribute checks over the network.
○ NFS v4, RFC 3530, 2003
■ Stateless protocol discarded for better client-side caching.
■ File locks integrated natively in NFS.
○ NFS v4.1, RFC 5661, 2010
■ Directory delegations
■ Parallel NFS (pNFS)
○ NFS v4.2, RFC 7862, 2016
■ Server-side clone and copy, sparse files, space reservation, better Apple Mac support.

Page 39

NFS features
● Supports all Unix file system attributes: file owner and group, mode bits, symlinks, file access times, sockets, even device nodes.
● Supports Unix style file locking, across different NFS clients.
● Server and client support is built into the kernel.
○ NFS is fast enough for most situations: latency and network bandwidth limit efficiency.
● Access control list (ACL) support (NFSv4 ACLs) is not compatible with POSIX ACLs.
○ The Linux NFS server attempts to map NFSv4 ACLs to POSIX ACLs.
● Authentication is implemented with Kerberos and Kerberos principals (sec=krb5).
○ Or disabled (sec=sys): the server just trusts the uid and gid the client claims, so any host allowed to mount can impersonate any user.
● If an NFS server is inaccessible for any reason, the processes accessing NFS on the client hang in uninterruptible D-state until the server comes back (with the default hard mounts)!

Page 40

NFS client configuration
● NFS mounts are listed in /etc/fstab with the syntax: server.name:/share
● NFS mount options include:
○ Protocol version required: vers=4.1
○ Don't honor suid bits and device files: nosuid,nodev
○ Retry NFS requests indefinitely: hard
○ Allow NFS requests to time out: soft (a timed-out write returns an error to the application and the data is lost; use hard for anything writable)
○ Use no security on NFS access: sec=sys (AUTH_SYS: client-asserted uid and gid, no authentication)
○ Use Kerberos authentication: sec=krb5
○ Use Kerberos also for data integrity protection: sec=krb5i
○ Use Kerberos for integrity and encryption: sec=krb5p
● NFSv4 requires the idmapd daemon for mapping uids to principal names.
● Kerberos requires the gssd daemon for kernel Kerberos contexts.

Page 41

NFS: idmapd
● NFSv4 and Kerberos require that NFS requests are mapped to user names of the format [email protected]
○ Older unauthenticated NFS versions with sec=sys mounts just used uids and gids.
● The kernel uses the idmapd daemon to map local uids to principal names (and back).
○ This also allows uids and gids to be different on the NFS client and server.
○ Names that cannot be mapped fall back to the configured nobody user, which shows up as files owned by nobody:nogroup; when that happens, check that Domain matches on both ends first.
● Configuration file is /etc/idmapd.conf:
○ [general]
■ Select the DNS domain: Domain
■ Select the Kerberos realm: Local-Realms
○ [static]
■ Allows explicit static mapping of principals to local users.
○ [mapping]
■ Select the nobody user and group: Nobody-User, Nobody-Group

Page 42

NFS client: rpc.gssd
● The kernel NFS client needs a way to obtain Kerberos tickets when accessing Kerberos-authenticated NFS shares.
● Kerberos tickets are saved to user space files, and the Kerberos libraries needed for contacting Kerberos servers are implemented in user space.
● A client NFS mount needs a machine account ticket.
○ rpc.gssd uses /etc/krb5.keytab to create a machine account ticket cache /tmp/krb5ccmachine_KERBEROS.REALM
● To obtain a user's ticket the kernel does an upcall to rpc.gssd, which selects (guesses) the user's ticket cache, obtains the service ticket and returns the security context to the kernel.
○ The kernel then keeps the NFS security context in its own cache: NFS clients can still work until the kernel context expires, even if the user space ticket cache is destroyed.
○ The guessing is the usual failure mode: rpc.gssd scans its ccache directory (/tmp by default, changed with -d) for cache files belonging to the uid; it does not see the KRB5CCNAME of the user's processes.
● NFS Kerberos authentication will fail if rpc.gssd is not running.

Page 43

Systemd automounts
● Mounting file systems from the network can fail for a multitude of reasons.
○ A Linux system should still boot, even when the network is disconnected.
● Systemd allows filesystems to be marked automounted: they are mounted only when they are accessed.
○ Autofs provides the same feature; systemd allows plain /etc/fstab to be used for automounts.
● Add mount options to fstab: noauto,x-systemd.automount
● Enable automatic unmount when not used: x-systemd.idle-timeout=1min
● Time out if the device is not available: x-systemd.device-timeout=10
● Require the network before automount:
○ x-systemd.requires=network-online.target

Page 44

Kernel NFS server configuration● The exported NFS filesystems are listed in /etc/exports

○ Whole file systems should be exported: NFS server accesses files directly through files inode number. Verifying that the inode is inside the correct directory is costly and should be avoided.

○ Contains lines of form: /directory nfs-client(export options)○ Clients can be listed with IP addresses/subnet or with just *○ When using Kerberos the client can be specified as gss/krb5 for kerberos authentication,

gss/krb5i for kerberos and data validation, gss/krb5p kerberos and encryption○ Only allow read only mounts with option: ro○ Allow read writes mounts with option: rw

● Start the NFS kernel server: systemctl start nfs-kernel-server● Stop the NFS kernel server: systemctl stop nfs-kernel-server● Force reload of /etc/exports: exportfs -ra
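An added example (not from the course) of the check a practitioner runs before `exportfs -ra`: it parses an /etc/exports file and reports exports that every host can mount read-write without Kerberos, exports with no_root_squash, and the deprecated gss/ client syntax. The sample file is constructed for the demo; the paths and subnet in it are not real.

```shell
#!/bin/sh
# Added example (not from the course slides): audit /etc/exports for exports that
# any host can mount read-write without Kerberos, for no_root_squash, and for
# the deprecated gss/krb5 client syntax. The sample file is constructed.

# write_sample_exports FILE - constructed sample, not a real server's file
write_sample_exports() {
    cat > "$1" <<'EOF'
# exported file systems, one per line: /path client(options) [client(options)...]
/export/home    *(rw,sync,no_subtree_check)
/export/data    192.0.2.0/24(rw,sec=krb5p,sync) *(ro,sec=krb5:krb5i:krb5p,sync)
/export/legacy  gss/krb5(rw,sync)
/export/scratch *(rw,no_root_squash,sync)
/export/iso     *(ro,sync)
EOF
}

# exports_audit FILE
# Prints one line per finding; returns 0 when nothing was found, 1 otherwise.
exports_audit() {
    file=$1; findings=0
    set -f                                   # the '*' client must not glob
    while read -r line; do
        case $line in ''|\#*) continue ;; esac
        set -- $line
        dir=$1; shift
        for client in "$@"; do
            host=${client%%\(*}
            opts=${client#*\(}; opts=${opts%\)}
            if [ "$opts" = "$client" ]; then opts=""; fi   # no option list at all
            if [ -z "$host" ]; then host='*'; fi           # "(rw)" alone means everyone
            # sec= is a colon-separated list; if it contains sys, AUTH_SYS is still allowed
            sec=""
            case ",$opts," in *,sec=*) sec=${opts#*sec=}; sec=${sec%%,*} ;; esac
            seclist=",$(printf '%s' "${sec:-sys}" | tr ':' ','),"
            kerberos_only=no
            case $seclist in *,sys,*) ;; *) kerberos_only=yes ;; esac
            case $host in
                gss/krb5*) kerberos_only=yes
                           echo "$dir $host: deprecated gss/ syntax, use sec= instead"
                           findings=$((findings + 1)) ;;
            esac
            case ",$opts," in
                *,rw,*) if [ "$host" = '*' ] && [ "$kerberos_only" = no ]; then
                            echo "$dir: read-write for every host with AUTH_SYS"
                            findings=$((findings + 1))
                        fi ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$dir $host: no_root_squash lets client root act as root"
                                    findings=$((findings + 1)) ;;
            esac
        done
    done < "$file"
    set +f
    [ "$findings" -eq 0 ]
}

# Demo on the constructed sample
sample=$(mktemp)
write_sample_exports "$sample"
exports_audit "$sample" || echo "exports need attention"
rm -f "$sample"
```

Run it as `exports_audit /etc/exports` on a real server; a non-zero exit is a convenient gate in a configuration-management pipeline. It deliberately does not follow include files (/etc/exports.d), which exports(5) also reads.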

NFS server: svcgssd and gssproxy
● The NFS server needs a way to access the system /etc/krb5.keytab to validate (decrypt) the tickets of NFS clients.
● The kernel (again) does an upcall to a user-space daemon. Either:
  ○ the older method for Kerberos ticket validation: rpc.svcgssd
  ○ the newer, more general method, which can also be used by other services: gssproxy

Samba
SMB/Cifs network services

SMB/Cifs protocol
● Server Message Block / Common Internet File System
● The SMB protocol comes from the ancient LAN Manager / Windows for Workgroups network stack.
  ○ Originally ran over NetBIOS transports (NetBEUI, or NetBIOS over IPX) instead of TCP/IP.
  ○ Used NetBIOS name resolution instead of DNS.
● Cifs was an attempt by Microsoft to publish SMB as an open standard.
  ○ In practice Cifs names one dialect of SMB 1; the name survives mainly in the Linux cifs client.
● SMB is the RPC transport of Windows networks: MS-RPC calls travel over SMB named pipes.
  ○ Used for file sharing, printing and remote configuration.
● Samba implements the server side of SMB on Linux, plus SMB client libraries.
  ○ Implements both file and printing services.
  ○ Can work as a member of an existing AD domain.

SMB versions
● SMB protocol version 1 should not be used anymore: it has no encryption and only weak, optional signing, and it is disabled by default in current Windows and Samba releases.
  ○ Was used by XP.
● Windows Vista introduced SMB protocol version 2.0; Windows 7 added 2.1.
● The modern SMB protocol version 3 was introduced by Windows Server 2012 and Windows 8.
● In an AD domain SMB authenticates with Kerberos, using the server's full DNS FQDN in the service principal name (cifs/host.example.org); SMB 3 adds AES-based signing and transport encryption.

Samba: Open source SMB implementation
● Samba is a free software re-implementation of the SMB networking protocol, and was originally developed by Andrew Tridgell. Samba provides file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains. [wikipedia]
● Also provides client libraries for accessing SMB shares and printing from user-space programs.
● Provides the winbind daemon for AD LDAP client access and to optionally map AD users to Linux users when uidNumber and gidNumber attributes are not available.

Samba clients
● Simple command line Samba client: smbclient
  ○ Access a file share: smbclient //ad.helsinki.fi/home/
  ○ Use Kerberos for access: smbclient -k //home3.ad.helsinki.fi/j (newer Samba spells this --use-kerberos=required)
  ○ Access a printer: smbclient //pinewood1.ad.helsinki.fi/smartcard-ps
● Use Gnome VFS for file manager access with the URL:
  ○ smb://home3.ad.helsinki.fi/j/jjaakkol
  ○ This also creates a fuse mount under /run/user/
● Linux kernel cifs client in /etc/fstab:
  ○ See man mount.cifs
  ○ //server.domain/share /share/j cifs iocharset=utf8,noserverino,soft
  ○ For Kerberos add: sec=krb5,multiuser
  ○ Cifs Kerberos requires the keyutils package, because the kernel fetches tickets through a request-key upcall to cifs.upcall.
  ○ Without Kerberos, keep the password out of /etc/fstab: point credentials= at a root-only (mode 0600) file instead of using password=.

Samba policy decisions
● A Samba server should be joined to the AD domain when possible.
  ○ Enables Kerberos, SSO and shared LDAP user accounts.
  ○ This requires help from the AD domain administrators.
● Samba can work with local authentication (local to the Samba server).
  ○ Account passwords are stored internally on the Samba server as NT hashes (unsalted MD4), so the Samba password database must be protected like /etc/shadow.
  ○ Samba file and printer shares need to be mapped to Linux users.
● Samba share configuration options:
  ○ User level security: security = user
    ■ Authentication to the share with a server-local user/password pair.
    ■ This is the default.
  ○ ADS level security: security = ads
    ■ Samba server joined to an Active Directory domain.

Samba configuration /etc/samba/smb.conf
● Set a password for Samba users with smbpasswd: smbpasswd -a jjaakkol
● Configure Samba:

  [global]
     workgroup = WORKGROUP
     server string = Example server (Samba, Ubuntu)

  [media]
     comment = Media
     browseable = yes
     path = /home/media

  [printers]
     comment = All Printers
     browseable = no
     path = /var/spool/samba
     printable = yes
     guest ok = no
     read only = yes
     create mask = 0700

Configure Samba as an AD domain member
● https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
● Active Directory DNS resolution must work.
  ○ Query the AD domain servers: host -t srv _ldap._tcp.ad.helsinki.fi
● Kerberos must work and clocks must be accurate.
● Configure the domain in /etc/samba/smb.conf:
  ○ Domain name and Kerberos realm
  ○ Which winbind idmap backend to use:
    ■ Map AD users to Linux users on the fly (uid derived from the RID): use the rid backend
    ■ Use AD uidNumber and gidNumber: use the ad backend
● Join Samba to the domain: net ads join -U administrator
  ○ Use the existing krb5.keytab: kerberos method = dedicated keytab together with dedicated keytab file = /etc/krb5.keytab (or kerberos method = system keytab)
● Optionally use winbind as an NSS module (passwd: files winbind and group: files winbind in /etc/nsswitch.conf)
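The policy, protocol-version and domain-member slides above come together in one configuration, so here is an added example (written for this page; not the course's or the Samba project's own config) that writes an AD member smb.conf with SMB1 and NTLMv1 off, and an audit function that flags the weak settings a standalone server tends to accumulate. The realm, workgroup, idmap ranges and paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the course slides or the Samba project): write an
# smb.conf for an AD domain member and audit it for weak protocol settings.
# Realm, workgroup, id ranges and paths are assumptions for the demo.

# write_member_smb_conf FILE REALM WORKGROUP
write_member_smb_conf() {
    cat > "$1" <<EOF
[global]
   security = ads
   realm = $2
   workgroup = $3
   # validate tickets with the host keytab that the domain join wrote
   kerberos method = dedicated keytab
   dedicated keytab file = /etc/krb5.keytab
   # no SMB1 in either direction, no NTLMv1, always sign, prefer SMB3 encryption
   server min protocol = SMB2_02
   client min protocol = SMB2_02
   ntlm auth = ntlmv2-only
   server signing = mandatory
   client signing = mandatory
   smb encrypt = desired
   # winbind id mapping: tdb for BUILTIN and friends, AD rfc2307 attributes for the domain
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config $3 : backend = ad
   idmap config $3 : schema_mode = rfc2307
   idmap config $3 : range = 10000-999999
   winbind use default domain = yes
   winbind refresh tickets = yes

[homes]
   comment = Home directories
   browseable = no
   read only = no
   valid users = %S
EOF
}

# write_weak_smb_conf FILE - constructed counter-example: standalone server, SMB1 on
write_weak_smb_conf() {
    cat > "$1" <<'EOF'
[global]
   security = user
   server min protocol = NT1
   ntlm auth = yes
   map to guest = Bad User
EOF
}

# smb_conf_audit FILE
# Prints one finding per weak global setting; returns 1 if any, 0 otherwise.
# Keys are matched case- and whitespace-insensitively, as Samba does.
smb_conf_audit() {
    awk '
    function fail(msg) { print msg; bad++ }
    function get(key) { return (key in conf) ? conf[key] : "" }
    /^[ \t]*[#;]/ || /^[ \t]*$/ || /^[ \t]*\[/ { next }
    /=/ {
        key = $0; sub(/=.*/, "", key)
        val = $0; sub(/^[^=]*=/, "", val)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        conf[tolower(key)] = tolower(val)
    }
    END {
        if (get("security") != "ads")
            fail("security is not ads: local NT hashes, no Kerberos SSO")
        if (get("server min protocol") == "nt1")
            fail("server min protocol = NT1: SMB1 enabled")
        if (get("server min protocol") == "")
            fail("server min protocol unset: NT1 on Samba before 4.11")
        if (get("ntlm auth") == "ntlmv1-permitted" || get("ntlm auth") == "yes")
            fail("ntlm auth permits NTLMv1")
        if (get("map to guest") != "" && get("map to guest") != "never")
            fail("map to guest = " get("map to guest") ": failed logons become guest")
        exit (bad > 0 ? 1 : 0)
    }' "$1"
}

# Demo on constructed files
good=$(mktemp); weak=$(mktemp)
write_member_smb_conf "$good" AD.EXAMPLE.ORG EXAMPLE
write_weak_smb_conf "$weak"
smb_conf_audit "$good" && echo "member config: no findings"
smb_conf_audit "$weak" || echo "weak config rejected"
rm -f "$good" "$weak"
```

On a real host, run `testparm -s /etc/samba/smb.conf` first (it reports unknown parameters, which this audit does not), then `net ads join -U administrator` and verify the trust with `wbinfo -t` and `wbinfo -u`.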

Linux printing
Cups, Cups SMB backend

Linux printing
● Linux and Unix have no operating-system-level printing API or printing library.
● Applications implement printing by generating PostScript (or PDF) and passing the generated file to the printing system.
● The generated data is passed through printing filters:
  ○ The first filters convert text or image data to PostScript or PDF.
  ○ The generated PostScript is passed through a PPD filter (PPD: PostScript Printer Description).
    ■ A .ppd file is a standard, system-independent way to describe printer capabilities.
    ■ The .ppd file is provided either by the printer manufacturer or by the driver writer for a printer.
    ■ The PPD filter (gutenprint or foomatic) applies user-specified printing options to the .ps or .pdf file.
  ○ The .ps or .pdf is passed through a PostScript interpreter if the printer is not a PostScript printer.
  ○ Finally the job is passed to a physical printer, either directly attached or over the network.

Linux Printing: Cups
● Common Unix Printing System
  ○ Also used by Apple on Macs. Apple bought the Cups project in 2007.
  ○ Implements printer lists and printer metadata.
    ■ Metadata includes the .ppd file.
    ■ The .ppd file is the nearest Linux equivalent of a printer driver.
  ○ Implements printing queues.
  ○ Implements the IPP printing protocol.
    ■ Can automatically add IPP printers seen on the local network (discovered with mDNS/DNS-SD by cups-browsed; disable it on hosts that should not trust printers advertised on the LAN).
    ■ IPP is also used to submit jobs to the local printing daemon.
    ■ HTTP based configuration on http://localhost:631
  ○ A printing library for applications.
  ○ Provides a way to configure print filters.
  ○ Provides backends to forward print jobs to network printers or print servers.

Linux printing: command line
● Status of printer queues: lpstat (or the old BSD lpq)
● Manage printer options: lpoptions
● Manage printer queues: lpadmin
● Configure the cups daemon: cupsctl
● Print: lp (or the old BSD lpr)
● Cups logs: /var/log/cups
● Cups configuration: /etc/cups
● Cups backends: /usr/lib/cups/backend
● Cups SMB printing backend: /usr/lib/cups/backend/smb
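The smb backend is Samba's smbspool, and the device URI it takes is smb://[user:password@][workgroup/]server[:port]/printer. An account name, password or printer name containing '@', ':', '/' or a space would be misparsed as URI structure, so the components must be percent-encoded. As an added example (not from the course or from CUPS), here is a pure-sh encoder and a URI builder; the account, server and printer names are assumptions.

```shell
#!/bin/sh
# Added example (not from the course slides or CUPS): build the device URI that
# the CUPS smb backend (Samba's smbspool) expects,
#   smb://[user:password@][workgroup/]server[:port]/printer
# with the user, password and printer name percent-encoded. Names are assumptions.

# urlencode STRING - percent-encode everything except RFC 3986 unreserved bytes
urlencode() (
    LC_ALL=C                      # work on bytes, so UTF-8 is encoded byte by byte
    s=$1; out=""
    while [ -n "$s" ]; do
        rest=${s#?}               # everything after the first byte
        c=${s%"$rest"}            # ... so this is exactly the first byte
        s=$rest
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s\n' "$out"
)

# cups_smb_uri USER PASSWORD WORKGROUP SERVER PRINTER
cups_smb_uri() {
    printf 'smb://%s:%s@%s/%s/%s\n' "$(urlencode "$1")" "$(urlencode "$2")" \
        "$3" "$4" "$(urlencode "$5")"
}

# Demo with constructed values
cups_smb_uri print-svc 'p@ss/w:rd' AD pinewood1.ad.example.org 'Floor 2 PS'
```

The queue is then created with `lpadmin -p floor2 -E -v "$(cups_smb_uri ...)" -P /path/to/printer.ppd` (the PPD path is an assumption). The password ends up in /etc/cups/printers.conf, so use a dedicated account that can only print, never an administrator's credentials.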

Cups administration