Using Samba & Kerberos Technology for Mac OSX & AD-based SSO Identity Management v1.6


Global Open Versity Vancouver Canada

Samba 3 Mac OSX and Windows AD SSO Integration HowTo v1.6

Global Open Versity Systems Integration Hands-on Linux Labs Training Manual
Using Samba & Kerberos Technology for Mac OSX & AD-based SSO Identity Management
Kefa Rabah
Global Open Versity, Vancouver Canada
krabah@globalopenversity.org
www.globalopenversity.org

Table of Contents                                                                   Page No.

USING SAMBA & KERBEROS TECHNOLOGY FOR MAC OSX & AD-BASED SSO IDENTITY MANAGEMENT ...... 3
  1.0 Introduction ...................................................................... 3
  1.1 Our Implementing Plan ............................................................. 3
  Part 1: Install and Check necessary packages .......................................... 4
  Part 2: Install & Configure Samba 3 ................................................... 5
  Part 2: Install & Configure Kerberos 5 ................................................ 6
    Step 1: Install Kerberos ............................................................ 6
    Step 2: Server Clocks Synchronization ............................................... 6
    Step 3: Configure and Test Kerberos ................................................. 7
  Part 2: Use Winbind Authentication to Setup Samba-Windows Connectivity ................ 9
    Step 1: Configure Samba ............................................................ 10
    Step 2: Add Users & Machines to Samba Account ...................................... 12
    Step 3: Add Users Profiles & Netlogon to Samba Account ............................. 13
    Step 4: How to Delete Users from Your Samba Domain ................................. 14
  Part 3: Enabling Winbind on Linux Box ................................................ 14
    Step 1: Modify /etc/nsswitch.conf file ............................................. 15
    Step 2: (Re)starting Samba and Winbind ............................................. 15
  Part 4: Configure Pluggable Authentication Module (PAM) .............................. 18
  Part 5: Accessing your Client & Server Machines ...................................... 19
    5.1 Connecting to a Samba Machine in Linux ......................................... 20
    5.2 Configuring Windows Machines ................................................... 20
      Step 1: Access Shares on the Windows desktop ..................................... 20
      Step 2: Mounting shared drives on Windows ........................................ 22
      Step 3: Binding to the Domain Controller ......................................... 23
      Step 4: Accessing Windows shares from the Linux node ............................. 23
      Step 5: Accessing Network Machines from Mac OS X ................................. 24
  Part 6: Mac OS/Linux/Windows Single Sign-On .......................................... 25
    Step 1: Configure DNS on Mac OS X .................................................. 25
    Step 2: Configure Directory Access ................................................. 26
    Step 3: Join the AD Domain ......................................................... 28
    Step 4: Test it out ................................................................ 32
  Part 7: Easier Web Access to Shared Data ............................................. 32
  Part 8: SSH Support .................................................................. 33
  Part 9: Rationale for this System Integration ........................................ 33
    9.1 Windows Authentication ......................................................... 33
    9.2 Linux Authentication ........................................................... 34
    9.3 Samba and Winbind .............................................................. 34
    9.4 Three Authentication Strategies ................................................ 34
      9.4.1 Using LDAP authentication .................................................. 34
      9.4.2 Using LDAP and Kerberos .................................................... 35
      9.4.3 Using Winbind .............................................................. 35

April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada

www.globalopenversity.org

A GOV Open Knowledge Access License Technical Publication


Global Open Versity Systems Integration Hands-on Labs Training Manual
Using Samba & Kerberos Technology for Mac OSX & AD-based SSO Identity Management
By Kefa Rabah, krabah@globalopenversity.org
Oct. 03, 2009
SerengetiSys Labs

1.0 Introduction

A popular thing to do with Samba these days is to join a Samba 3 host to a Windows Active Directory domain using Kerberos ticketing. You may freely set up any number of Samba servers in a Windows network and Mac OSX without joining them to the domain, giving you the power of single-sign-on (SSO) identity management for all your network resources. You can share files, map drives and provide centralized printer services. The advantages of domain membership are central management and authentication, and single sign-on. Using Winbind allows Linux clients to log on to the AD domain without requiring local Linux system accounts, which is a lovely time- and hassle-saver. We have also joined Mac OS X to the network to achieve a complete system integration of the three major operating systems.

1.1 Our Implementing Plan

Because of the enhanced integration with Active Directory (AD) and Mac OS X 10, I chose to use Winbind on Red Hat Enterprise 5 (RHE5) for my Linux-to-Win2k3 AD and Mac OSX integration project, which is represented schematically in Fig. 1.

Fig. 1: A Samba, Windows-AD and Mac OS X systems integration network.

Figure 1 shows a simple network consisting of one AD server, one Samba server and a few client workstations, connected through a router or switch (most home network routers have at least a four-port switch included in the device). This grows over time, usually by adding more switches, routers, clients and additional storage on the server.

In this HowTo training manual we assume that you already have a functioning Win2k3 Active Directory domain and know how to run it. AD is very dependent on DNS (Domain Name System), so I'll assume your DNS house is also in order; if not, check out this excellent HowTo on how to set up and configure a DNS server.

On your Linux box you'll need Samba 3, version 3.0.8 or newer, plus MIT Kerberos 5, version 1.3.1 or newer, and OpenLDAP. (The Samba documentation states that Heimdal Kerberos, version 0.6.3 or newer, also works. The examples in this HowTo use MIT Kerberos.) Debian users need the krb5-user, krb5-config, krb5-doc, and libkrb53 packages. Red Hat and Red Hat family users need the krb5 and krb5-client RPMs.

The following setup is used:

    192.168.83.10   Server02.medtech.com   the AD server, hereafter known as "the server"
    192.168.83.33   rhe5.groptech.com      the Samba 3 "client" machine

The Samba system is based upon a stock standard RHE5 system with the Samba 3 software. The following steps are needed to get the system functioning:

1. Install and check the necessary packages
2. Configure name resolution using either DNS or a hosts file
3. Configure Samba and Winbind
4. Configure Kerberos
5. Test Samba and Winbind
6. Good luck

Part 1: Install and Check Necessary Packages

The following packages are required to successfully run all the commands detailed in this guide:

Samba:
1. system-config-samba
2. samba-common
3. samba-client
4. samba

Kerberos:
1. pam_krb5
2. krb5-workstation
3. krb5-client
4. krb5-libs
5. krbafs

You can query whether these packages are installed by running:

    rpm -q package-name


Part 2: Install & Configure Samba 3

First and foremost, check whether Samba is installed, as follows:

    ]# rpm -qa | grep samba*       \\ the star * lets you list all installed Samba packages

    [root@rhe5 ~]# rpm -qa | grep samba*
    system-config-samba-1.2.39-1.el5
    samba-common-3.0.28-1.el5_2.1
    samba-swat-3.0.28-1.el5_2.1
    samba-3.0.28-1.el5_2.1
    samba-client-3.0.28-1.el5_2.1

If you get a blank result, Samba is not installed. The best way to get Samba is to compile it from source. However, I have found that the RPM files obtained via Yum, if you use CentOS 4 and later or Fedora Core 8 and later, or via Yast with OpenSuse 11.1, contain all the required files. To install all Samba files on RHE5, do the following:

    [root@rhe5 ~]# yum install samba* -y

The next task is to verify that your Samba installation has been compiled to support Kerberos, LDAP, Active Directory, and Winbind. Most likely it has, but you need to make sure. The smbd command has a switch for printing build information. You will see many more lines of output than are shown here:

    [root@rhe5 ~]# cd /usr/sbin
    root@rhe5:/usr/sbin]# smbd -b | grep LDAP
       HAVE_LDAP_H
       HAVE_LDAP
       HAVE_LDAP_DOMAIN2HOSTLIST
       ...
    root@rhe5:/usr/sbin]# smbd -b | grep KRB
       HAVE_KRB5_H
       HAVE_ADDRTYPE_IN_KRB5_ADDRESS
       HAVE_KRB5
       ...
    root@rhe5:/usr/sbin]# smbd -b | grep ADS
       WITH_ADS
       WITH_ADS
    root@rhe5:/usr/sbin]# smbd -b | grep WINBIND
       WITH_WINBIND
       WITH_WINBIND


Fortunately, in our case all the required support for Kerberos, ADS and Winbind is present. However, if you are in the unfortunate position of missing any of these, which is indicated by a blank line, you need to recompile Samba or install the missing packages for your Linux box as indicated above. Also, see Chapter 37 of the Official Samba-3 HOWTO and Reference Guide.

Configure /etc/hosts

Even if your DNS servers are perfect in every way, it is always a good idea to add important servers to your local /etc/hosts file. It speeds up lookups and provides a fallback in case the DNS servers go down:

    192.168.83.10 server02.medtech.com medtech
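As an added example (not part of the manual), the following POSIX shell script automates the two checks above: it verifies that the packages listed in Part 1 are installed and that the smbd build reports all four required capabilities, matching whole lines so that a substring such as HAVE_LDAP_H is not mistaken for HAVE_LDAP. It assumes smbd lives in /usr/sbin, as shown above.

```shell
#!/bin/sh
# Added example, not from the manual: automate the two pre-flight checks the
# text does by hand (are the listed RPMs installed; was smbd built with LDAP,
# Kerberos, ADS and Winbind support?). Package and flag names are those the
# manual gives. Note that `grep LDAP` as used in the text also matches a lone
# HAVE_LDAP_H, so this script matches whole lines instead of substrings.

SAMBA_PKGS="system-config-samba samba-common samba-client samba"
KRB_PKGS="pam_krb5 krb5-workstation krb5-client krb5-libs krbafs"

# Build flags that must all be present before the box can join an AD domain.
REQUIRED_FLAGS="HAVE_LDAP HAVE_KRB5 WITH_ADS WITH_WINBIND"

# missing_flags BUILD_OUTPUT
# Prints every required flag absent from BUILD_OUTPUT (the text of `smbd -b`),
# one per line; returns 1 if any is missing, 0 if the build is AD-capable.
missing_flags() {
    _out=$1
    _rc=0
    for _f in $REQUIRED_FLAGS; do
        # Whole-line match (allowing the leading spaces smbd -b prints), so a
        # longer name such as HAVE_LDAP_H cannot stand in for HAVE_LDAP.
        if ! printf '%s\n' "$_out" | grep -qx "[[:space:]]*$_f[[:space:]]*"; then
            echo "$_f"
            _rc=1
        fi
    done
    return $_rc
}

# missing_pkgs PKG...
# Prints every package that rpm -q reports as not installed; returns 1 if any.
missing_pkgs() {
    _rc=0
    for _p in "$@"; do
        rpm -q "$_p" >/dev/null 2>&1 || { echo "$_p"; _rc=1; }
    done
    return $_rc
}

# Run both checks against the live system only when asked to:
#   sh check_samba_ad.sh --live
if [ "${1-}" = "--live" ]; then
    missing_pkgs $SAMBA_PKGS $KRB_PKGS && echo "all required packages installed"
    missing_flags "$(/usr/sbin/smbd -b 2>/dev/null)" && echo "smbd build supports AD"
fi
```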

Part 2: Install & Configure Kerberos 5

Step 1: Install Kerberos

Our next task is to install Kerberos. As with the Samba installation, you can build Kerberos from source or install it via RPM using Yum, Yast, or Apt, depending on your Linux box. Here we have used the CentOS 5 RPMs via Yum. First verify whether Kerberos is installed:

    ]# rpm -qa | grep krb*

    [root@rhe5 ~]# rpm -qa | grep krb*
    pam_krb5-2.2.14-1.el5_2.1
    krb5-devel-1.6.1-25.el5_2.1
    krb5-workstation-1.6.1-25.el5_2.1
    krb5-server-1.6.1-25.el5_2.1
    krb5-libs-1.6.1-25.el5_2.1
    krb5-auth-dialog-0.7-1

If not, use Yum to install it, as follows:

    [root@rhe5 ~]# yum install krb* -y

The next task is to configure and test the Kerberos installation, but first we have to ensure that the servers' clocks are synchronized.

Step 2: Server Clocks Synchronization

Before moving on to join your Linux box to the AD server, check to make sure that the two machines' clocks are synchronized, as follows:

1. Set NET TIME on Wi