© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Advanced Samba Administration Part 2: Domain Configurations Tim Samba

March 6, 2006 Part 2 – Domain Configurations Samba as −Domain member (NT4) −Domain member (Active Directory) −Domain controller Account storage options Delegation using privileges Domain security Using winbind

March 6, 2006 Samba as Domain Member (NT4) Use security = domain in smb.conf −NTLM or NTLMv2 authentication used RPC calls used to query user information Much better than security = server −Uses less resources −Can use domain trusts Not prompted to enter passwords all the time

March 6, 2006 Joining a Domain (2.x) Stop smbd and nmbd Adjust smb.conf Join domain with smbpasswd Start smbd and nmbd Ensure Linux user exists for each Windows user −Samba 2.2 behaviour enabled with map to guest = bad uid

March 6, 2006 net rpc join (3.x) Join the domain using the net command −net rpc join -U administrator%password Domain name taken from smb.conf PDC located via a netbios name query for DOMAIN#1B Join information stored in ${private}/secrets.tdb −Trust account password −Local and domain SIDs

March 6, 2006 Samba as Domain Member (AD) New for Samba 3.x Use security = ads in smb.conf −Kerberos authentication used LDAP used to query user information Better integration with Windows 2000 networks Uses DNS to resolve names, NetBIOS as a fallback

March 6, 2006 net ads join (3.x) Join domain using the net command −net ads join -U administrator%password Domain and realm taken from smb.conf Domain controller located via DNS Join information stored in ${private}/secrets.tdb −Trust account password −Local and domain SIDs

March 6, 2006 Samba as Domain Controller Samba 3 can control NT4-style domains Can act as PDC or BDC −Replicate accounts via other means −NT4 account replication not supported −Samba BDC still serves logon request Windows 2000 and above workstations can still join the domain Must have Linux user created for each Windows user

March 6, 2006 Account Storage Options Samba 2.2 used smbpasswd file Samba 3.0 has pluggable backends −tdbsam −ldapsam Use tdbsam for small installations Use ldapsam for larger installations −LDAP replication −Integration with other directory services passdb backend (G)

March 6, 2006 Account Storage Options Write your own storage backend! API described in source/include/passdb.h Fill in hooks for −Creating users and groups −Enumerating users and groups −Searching users and groups −Mapping Unix uids and gids to NT SIDs Compile to a shared library Set passdb backend parameter

March 6, 2006 Delegation using Privileges Windows privileges bypass normal access controls for particular operations Allow you to delegate authority and admin work New in Samba Also called user rights

March 6, 2006 Supported Privileges SeAddUsersPrivilege SeMachineAccountPrivilege SePrintOperatorPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege SeTakeOwnershipPrivilege

March 6, 2006 Configuring Privileges Set enable privileges = yes in smb.conf Disabled by default <= b Can be used in security = user, domain or ads Currently not replicated between Samba DCs Implies that certain operations done as root

March 6, 2006 Modifying Privileges Use net rpc rights command List assigned privileges −net rpc rights list accounts Grrant privileges −net rpc rights grant \ 'DOMAIN\User' SeMachineAccountPrivilege Revoke privileges −net rpc rights revoke \ 'DOMAIN\User' SeMachineAccountPrivilege

March 6, 2006 Account Policies Similar to NT4-style domain policies Applies to all accounts in a Samba domain Implemented using the pdbedit command line tool See the Samba HOWTO for tips and details on policy usage

March 6, 2006 Account Policies (cont) min password length password history use must logon to change password maximum password age minimum password age lockout duration...

March 6, 2006 Domain Security

March 6, 2006 Samba as WINS Server Samba easily configured as a WINS server Replication with other servers not possible samba4wins project Implements WINS replication protocol Allows migration of another service

March 6, 2006 Using Winbind Samba requires a Unix user for every Windows user Administrative nightmare! Winbind is a daemon and NSS library Returns a Unix user for every Windows user Returns a Unix group for every Windows group

March 6, 2006 Configuring Winbind Configure uid/gid mapping parameters in smb.conf −winbind_idmap.tdb −LDAP −SFU Add winbind entry to /etc/nsswitch.conf Start winbind daemon Test configuration with wbinfo and getent command line tools

March 6, 2006 TDB Files A superior data storage format Simple multi-reader, multi-writer database Much important information stored in TDBs /var/lib/samba for persistent data /var/run/samba for temporary data Use tdbbackup utility to back up TDBs

March 6, 2006 Summary of Part 2 Samba can act as domain member or domain controller Can delegate admin work via privileges More domain policy supported Samba can act as a WINS server, now with replication Use winbind to dynamically create users and groups

End of Part 2 Break for 10 minutes