Recently I had the task of setting up central user management for Windows servers. This blog post describes my experience with trying to set up central user management for Windows servers in an open source, Linux-based environment.
My client is fond of free and open source tools, so I had to find a free and open source tool that provides central user management for Windows-based servers. After some searching on the internet, I came across Samba.
Samba is basically a file sharing server that can be used by all devices that support SMB/CIFS. These include Linux- and Windows-based servers. Version 4 of Samba, which was released in 2012, added a feature that allows it to function as an Active Directory Domain Controller.
This is a very useful feature, as it allows Windows-based hosts to authenticate against a Linux-based Samba authentication server. This opens up the possibility of cross-platform user management, which is very useful in a heterogeneous IT environment with different operating systems.
Configuring Samba to work as an Active Directory Domain Controller is simple. Installing and configuring the Samba server and configuring a Windows server to authenticate against the Samba server takes less than 20 minutes.
Instructions on configuring Active Directory on Samba are given on the Samba Wiki. Instructions on connecting a Windows client to a Samba AD DC are also given. Of course, if you have specific requirements then you can read the articles on the Samba Wiki or read the Samba mailing list archives. To install Samba and configure it as a Domain Controller, follow these steps:
I used the Samba package repository provided by SerNet. SerNet provides package repositories for the major Linux distributions. Create an account on SAMBA+. Then download and install the package repository and package signing key, following the given instructions.
Then install the Samba packages. For CentOS enter the following command:
yum install -y sernet-samba sernet-samba-ad sernet-samba-client
Enter the following commands to verify correct installation: samba -V and smbclient -V. These commands return the version of the Samba server and Samba client that was installed. It's best to install the latest version.
Provisioning configures the Active Directory Domain Controller. It also configures Kerberos on the server. Kerberos is the authentication protocol that protects authentication information with encrypted tickets; the Active Directory Domain Controller uses it to provide secure authentication to the domain clients. The Kerberos website has useful information on Kerberos configuration.
To start the Samba AD DC provisioning enter the following command:
samba-tool domain provision --use-rfc2307 --interactive
You will then be asked about the following:
If all goes well, the command will end without errors. You can read more about the provisioning command in "Setup a Samba Active Directory Domain Controller".
Set up a startup script for Samba. You can use the Samba4/InitScript. Start Samba, e.g. on CentOS enter the command:
systemctl start samba-ad-dc
Enter the command:
smbclient -L localhost -U%
It should return some information about your Samba configuration. Enter the command:
smbclient //localhost/netlogon -UAdministrator -c 'ls'
This command connects you to the netlogon share using the Domain Administrator account created during provisioning. If these commands fail, check the Samba AD DC Troubleshooting guide.
Add the IP address of your DNS server. This DNS server must have the correct DNS records created. The following DNS records need to be created in your DNS zone, which is the same as the realm name you gave during provisioning. Log in to your DNS server and create the following records for your DNS zone:
Create a record with the name _ldap._tcp and type SRV. Use priority 0, weight 100, port 389 and the name of your Samba server.
Create a record with the name _kerberos._udp and type SRV. Use priority 0, weight 100, port 88 and the name of your Samba server.
Create a record with the host name of your Samba server and type A. Use the IP address of your Samba server.
Create a record with the name _ldap._tcp.dc._msdcs and type SRV. Use priority 0, weight 100, port 389 and the name of your Samba server.
Enter the following commands on your Samba server to verify that DNS is working correctly. If you receive any errors, check your system log.
host -t SRV _ldap._tcp.WIN.EXAMPLE.COM.
host -t SRV _kerberos._udp.WIN.EXAMPLE.COM.
host -t A addc.WIN.EXAMPLE.COM.
host -t A WIN.EXAMPLE.COM.
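As an added example (not part of the original post), the following POSIX shell script wraps the `host` checks above and verifies that each record carries the priority, weight, port and target the post specifies; the realm WIN.EXAMPLE.COM, the host name addc and the address 192.0.2.10 are assumed values.

```shell
#!/bin/sh
# Added example: verify the DNS records a Samba AD DC needs. REALM, DC_HOST and
# the sample `host` output below are assumed/constructed values, not live data.
REALM="WIN.EXAMPLE.COM"
DC_HOST="addc.${REALM}"

# Constructed sample of `host -t SRV` output, used to test the parser offline.
SAMPLE_SRV="_ldap._tcp.${REALM} has SRV record 0 100 389 ${DC_HOST}."

# check_srv NAME PORT OUTPUT
# OUTPUT is the text printed by `host -t SRV NAME.`, one record per line.
# Succeeds only if a record with priority 0, weight 100, PORT and DC_HOST exists.
check_srv() {
  printf '%s\n' "$3" | awk -v name="$1" -v port="$2" -v target="${DC_HOST}." '
    tolower($1) == tolower(name) && $3 == "SRV" && $5 == 0 && $6 == 100 &&
    $7 == port && tolower($8) == tolower(target) { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# check_a NAME IP OUTPUT
# OUTPUT is the text printed by `host -t A NAME.`, e.g.
#   addc.WIN.EXAMPLE.COM has address 192.0.2.10
check_a() {
  printf '%s\n' "$3" | awk -v name="$1" -v ip="$2" '
    tolower($1) == tolower(name) && $3 == "address" && $4 == ip { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# verify_dc_records IP: queries the live DNS server for the three SRV records
# and the A record of the DC. Returns non-zero if any record is missing or wrong.
verify_dc_records() {
  rc=0
  for rec in "_ldap._tcp.${REALM}:389" "_kerberos._udp.${REALM}:88" \
             "_ldap._tcp.dc._msdcs.${REALM}:389"; do
    name=${rec%:*}; port=${rec#*:}
    if check_srv "$name" "$port" "$(host -t SRV "${name}." 2>/dev/null)"; then
      echo "ok   SRV ${name} -> ${DC_HOST}:${port}"
    else
      echo "FAIL SRV ${name}"; rc=1
    fi
  done
  if check_a "$DC_HOST" "$1" "$(host -t A "${DC_HOST}." 2>/dev/null)"; then
    echo "ok   A   ${DC_HOST} -> $1"
  else
    echo "FAIL A   ${DC_HOST}"; rc=1
  fi
  return $rc
}
# Usage on the DC itself:  verify_dc_records 192.0.2.10
```

Run it on the Samba server after creating the records; a FAIL line names the record to fix before moving on to Kerberos.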
Kerberos configuration can be quite complex. Thankfully the provisioning tool takes care of the Kerberos configuration. During provisioning the file **/usr/local/samba/private/krb5.conf** is generated. The location of this file can vary depending on your system. Copy the file krb5.conf to /etc/krb5.conf. This is the main Kerberos configuration file. You can read more about configuring Kerberos on the Kerberos website.
Obtain a Kerberos ticket by using the kinit command. Enter the following: kinit administrator@WIN.EXAMPLE.COM. You will then have to enter the administrator password that you gave during provisioning. To verify that the command worked, enter the command: klist. It should return the Kerberos ticket that you just obtained.
Use NTP (Network Time Protocol) on your Samba server and Windows clients. This ensures that the time on the server and clients is synchronized, which is very important for the correct working of Kerberos.
Samba does not have a full-fledged forum but instead uses a mailing list. You can ask a question by posting to a mailing list. I was interested to know if it's possible to synchronize FreeIPA users with Samba AD DC users. I asked on their general samba mailing list and also mentioned my experience with installing Samba.
Samba is an excellent open source tool that offers the possibility of managing Linux and Windows users from a single tool. Samba is usually used as a file sharing server in enterprises and is a useful tool to learn.