Thursday, December 27. 2012
Samba 4.0.0
Today's entry is about one of the most important open source projects: Samba. This project is the standard Windows interoperability suite of programs for Linux and Unix, and just a few days ago the first stable version of the Samba 4 series was released. This milestone is enormously important for the project, because this version can act as an Active Directory (AD) Domain Controller (DC), supporting AD logon (any current Windows client version can now join a Samba domain). After nine years of development, 21 alpha releases, 8 betas and 6 release candidates, the final stable version 4.0.0 was made public. I think the Samba project was the first open source project I was interested in and started to follow. Being the icon against closed software in the early days, the project has changed very little while the world around it was transformed. When I saw that Microsoft was even collaborating with the team I finally realized that positions had changed in the closed/open software relationship. Now I am (much to my sorrow) less informed about this great project but, to celebrate the event, I am going to dedicate this entry to testing the new Samba 4.0.0.
Mainly I followed the Samba 4 howto from its wiki page.
First a Wheezy box was installed and the following extra packages were added:
# apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl bind9 libkrb5-dev git libpam0g-dev libcups2-dev ntp ldap-utils quota acl
Some of the packages may not be necessary, but the real requirements are explained here. Because I wanted to test ACLs, quotas and so on, I changed the mount options of the root file system this way:
# cat /etc/fstab | grep "ext4"
UUID=39c4ea16-e59c-4d2a-8f76-c9fd3179b59c / ext4 errors=remount-ro,usrquota,grpquota 0 1
# mount | grep "on / "
/dev/disk/by-uuid/39c4ea16-e59c-4d2a-8f76-c9fd3179b59c on / type ext4 (rw,relatime,errors=remount-ro,user_xattr,barrier=1,data=ordered,usrquota,grpquota)
I only had to add the quota options, because the default mount options already give the file system user extended attributes.
Then the compressed tarball was downloaded, compiled and installed:
# tar zxvf samba-4.0.0.tar.gz
# cd samba-4.0.0
# ./configure --enable-debug --enable-selftest
# make
# make quicktest
# make install
I first tried to compile it with MIT Kerberos, but it seems that Samba 4 needs the internal Heimdal implementation in order to work as a Domain Controller (compiling against MIT gives the same result as compiling with the --without-ad-dc option). The default installation directory is /usr/local/samba.
After that the domain has to be provisioned. I set the --dns-backend=BIND9_DLZ option, which means that the complex AD and DNS interaction is handled by a Dynamically Loadable Zones (DLZ) module (this option needs BIND compiled with DLZ support, and the current 9.8.1 package in Wheezy supports it), and --use-rfc2307, which makes the winbind daemon take the uid and gid from the RFC2307 attributes in AD (at first I thought Samba would populate uidNumber and gidNumber at user creation, but it does not: you have to do that yourself, as explained in this forum).
# /usr/local/samba/bin/samba-tool domain provision --domain=KVM --realm=KVM.TEST --server-role=dc --adminpass=Kiosko_00 --dns-backend=BIND9_DLZ --use-rfc2307
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=kvm,DC=test
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=kvm,DC=test
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              samba
NetBIOS Domain:        KVM
DNS Domain:            kvm.test
DOMAIN SID:            S-1-5-21-2145774160-2038213957-1596523949
Then the dynamic zone for AD is configured in BIND by including the file that the provisioning step generated:
# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, BEFORE you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/usr/local/samba/private/named.conf";
The samba daemon can now be started:
# /usr/local/samba/sbin/samba
Let's do some tests. List the services running in Samba:
# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[KVM] OS=[Unix] Server=[Samba 4.0.0]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.0.0)
Domain=[KVM] OS=[Unix] Server=[Samba 4.0.0]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
Perform an ls command in the netlogon share:
# /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%'Kiosko_00' -c 'ls'
Domain=[KVM] OS=[Unix] Server=[Samba 4.0.0]
  .                                   D        0  Tue Dec 25 13:40:02 2012
  ..                                  D        0  Tue Dec 25 13:40:12 2012

                45559 blocks of size 65536. 9267 blocks available
Check that the service records AD clients depend on are resolving in the DNS:
# host -t SRV _kerberos._udp.kvm.test.
_kerberos._udp.kvm.test has SRV record 0 100 88 samba.kvm.test.
# host -t SRV _ldap._tcp.kvm.test.
_ldap._tcp.kvm.test has SRV record 0 100 389 samba.kvm.test.
# host -t A samba.kvm.test.
samba.kvm.test has address 192.168.122.13
As AD is up and running, all the typical information can be requested from the empty base (the rootDSE): naming contexts, capabilities, supported controls and so on (I did not check whether it is the same data a real AD would answer).
# ldapsearch -LLL -h localhost -p 389 -D "Administrator@KVM.TEST" -w Kiosko_00 -b "" -s base
dn:
configurationNamingContext: CN=Configuration,DC=kvm,DC=test
defaultNamingContext: DC=kvm,DC=test
rootDomainNamingContext: DC=kvm,DC=test
schemaNamingContext: CN=Schema,CN=Configuration,DC=kvm,DC=test
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=kvm,DC=test
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Samba Team (http://samba.org)
isSynchronized: TRUE
dsServiceName: CN=NTDS Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=kvm,DC=test
serverName: CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=kvm,DC=test
dNSHostName: samba.kvm.test
ldapServiceName: kvm.test:samba$@KVM.TEST
currentTime: 20121226195225.0Z
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1341
namingContexts: DC=kvm,DC=test
namingContexts: CN=Configuration,DC=kvm,DC=test
namingContexts: CN=Schema,CN=Configuration,DC=kvm,DC=test
namingContexts: DC=DomainDnsZones,DC=kvm,DC=test
namingContexts: DC=ForestDnsZones,DC=kvm,DC=test
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
highestCommittedUSN: 3803
domainFunctionality: 2
forestFunctionality: 2
domainControllerFunctionality: 4
isGlobalCatalogReady: TRUE
The AD information is stored using the new LDB database engine, also developed by the team. In the /usr/local/samba/private/ directory there are several LDB files which store different data (all the AD entries, DNS data and so on). This is very important because in Samba 4 this storage engine is the only one supported (in previous releases other repositories could be used for some specific parts).
Then /etc/resolv.conf was configured to use the local DNS, the system Kerberos was set up to query Samba 4 as its KDC, and ticketing was tested:
# cat /etc/resolv.conf
domain kvm.test
nameserver 192.168.122.13
# cat /usr/local/samba/share/setup/krb5.conf
[libdefaults]
        default_realm = "KVM.TEST"
        dns_lookup_realm = false
        dns_lookup_kdc = true
# kinit administrator@KVM.TEST
Password for administrator@KVM.TEST:
Warning: Your password will expire in 41 days on Tue Feb  5 13:40:10 2013
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@KVM.TEST

Valid starting     Expires            Service principal
25/12/2012 14:57   26/12/2012 00:57   krbtgt/KVM.TEST@KVM.TEST
        renew until 26/12/2012 14:57
To complete the domain provision, DNS has to be configured so that Samba can update the AD zone securely (GSS-TSIG with the keytab generated by the provision). This step is done by adding the following option to the BIND options file and then pushing the records:
# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        ...
        // samba 4
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
# /usr/local/samba/sbin/samba_dnsupdate --all-names
As the last step, NTP was configured on the Samba machine too (Kerberos and AD need proper time synchronization with the clients for logon to work). I configured the server to let the machines in the network query this host:
restrict 192.168.122.0 mask 255.255.255.0
Then you can check that the machine is synchronized against the NTP pool:
# ntpq -n -p localhost
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 84.77.40.132    130.206.3.166    2 u   15   64   37   75.035    4.127   7.337
+147.83.123.133  193.67.79.202    2 u    5   64   77   57.778    3.094   5.415
+46.17.142.10    158.227.98.15    2 u    7   64   77   70.119    5.455   7.780
-84.88.69.32     193.67.79.202    2 u   42   64   77   82.793   -8.122  10.070
After that a share was added in the /usr/local/samba/etc/smb.conf file:
[data]
        path = /data
        writable = yes
        browsable = yes
And I created the folder (0 is the Administrator uid and 100 the Domain Users group gid; see later how to find out those numbers):
# mkdir /data
# chown 0:100 /data
After that some users and groups were created:
# /usr/local/samba/bin/samba-tool user add ricky
New Password:
Retype Password:
User 'ricky' created successfully
# /usr/local/samba/bin/samba-tool user add santi
New Password:
Retype Password:
User 'santi' created successfully
# /usr/local/samba/bin/samba-tool group add group1
Added group group1
# /usr/local/samba/bin/samba-tool group add group2
Added group group2
# /usr/local/samba/bin/samba-tool group add group3
Added group group3
# /usr/local/samba/bin/samba-tool group addmembers group1 ricky
Added members to group group1
# /usr/local/samba/bin/samba-tool group addmembers group2 santi
Added members to group group2
# /usr/local/samba/bin/samba-tool group addmembers group3 ricky,santi
Added members to group group3
The samba-tool command has several functions when Samba 4 acts as a DC. The users can then be retrieved with a normal ldapsearch against the AD:
# ldapsearch -h localhost -p 389 -D "Administrator@KVM.TEST" -LLL -w Kiosko_00 -b "DC=KVM,DC=TEST" samaccountname=ricky
dn: CN=ricky,CN=Users,DC=kvm,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ricky
instanceType: 4
whenCreated: 20121225213834.0Z
whenChanged: 20121225213834.0Z
uSNCreated: 3769
name: ricky
objectGUID:: JIRbSHnZXEqKYAUuabOZPg==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAUOrlf0WtfHmtBSlfUAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ricky
sAMAccountType: 805306368
userPrincipalName: ricky@kvm.test
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=kvm,DC=test
pwdLastSet: 130009451140000000
userAccountControl: 512
uSNChanged: 3771
memberOf: CN=group1,CN=Users,DC=kvm,DC=test
memberOf: CN=group3,CN=Users,DC=kvm,DC=test
distinguishedName: CN=ricky,CN=Users,DC=kvm,DC=test
Every user (or group) is assigned both a UID and a SID, so there is a mapping between the Unix and the Windows identities. This mapping is stored in yet another LDB file, in this case idmap.ldb. With the current configuration the Windows user is just a UID, not a real Unix user, until winbind is set up, but that part is not covered in this entry. The mapping can be checked using the wbinfo command:
# /usr/local/samba/bin/wbinfo --user-info=ricky
KVM\ricky:*:3000016:100::/home/KVM/ricky:/bin/false
# /usr/local/samba/bin/wbinfo --name-to-sid=ricky
S-1-5-21-2145774160-2038213957-1596523949-1104 SID_USER (1)
And the mapping entries can be searched directly (Samba 4 provides the ldb* commands to query the LDB files without going through LDAP):
# /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-2145774160-2038213957-1596523949-1104
dn: CN=S-1-5-21-2145774160-2038213957-1596523949-1104
cn: S-1-5-21-2145774160-2038213957-1596523949-1104
objectClass: sidMap
objectSid: S-1-5-21-2145774160-2038213957-1596523949-1104
type: ID_TYPE_BOTH
xidNumber: 3000016
distinguishedName: CN=S-1-5-21-2145774160-2038213957-1596523949-1104
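The ldapsearch output above shows objectSid as an opaque base64 blob, while wbinfo and idmap.ldb show the readable S-1-5-21-... form. The following Python is an added example (not code from this entry or from the Samba project) that decodes the binary SID layout and checks that the ricky value from the ldapsearch output is the SID wbinfo reported; the function names are my own.

```python
import base64
import struct

# Binary SID layout, as stored in the AD objectSid attribute:
#   byte 0      revision (always 1)
#   byte 1      number of sub-authorities
#   bytes 2..7  identifier authority, 48-bit big-endian (5 = NT authority)
#   then one 32-bit little-endian sub-authority per count
# The last sub-authority is the RID; the ones before it form the domain SID.


def sid_from_bytes(raw: bytes) -> str:
    """Convert a binary objectSid into its S-R-A-S1-...-Sn string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Inverse: build the binary objectSid from the string form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_from_ldif(value: str) -> str:
    """Decode the base64 value ldapsearch prints after 'objectSid::'."""
    return sid_from_bytes(base64.b64decode(value))


def split_domain_rid(sid: str) -> tuple[str, int]:
    """Return (domain SID, RID); the RID is the last sub-authority."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


if __name__ == "__main__":
    # Value copied from the ldapsearch output for user ricky on this page.
    sid = sid_from_ldif("AQUAAAAAAAUVAAAAUOrlf0WtfHmtBSlfUAQAAA==")
    print(sid, split_domain_rid(sid))
```

The domain part matches the DOMAIN SID printed by the provision step, and the RID 1104 is the first one handed out after the well-known accounts.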
Finally you can create the user using LDAP directly against the AD port (I wanted to check that for provisioning purposes); the user is added more or less like in any other AD. The only problem I had was setting the password, because it has to be UTF-16 encoded and enclosed in double quotes (it seems that Samba, and maybe AD too, I do not know, accepts three different password attributes: unicodePwd, userPassword and clearTextPassword). Here it is a little java to change the password. As I commented before, the RFC2307 (POSIX) information has to be assigned after the creation (which is really nasty in my opinion).
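The quoting and UTF-16 encoding that tripped up the password step is easy to get subtly wrong (BOM, terminator, missing quotes). This added Python example (mine, not the Java program the entry refers to) builds the exact unicodePwd value and the LDIF that ldapmodify would send; AD only accepts this attribute over a TLS-protected connection (ldaps on 636) and the same should be expected from Samba, so the command in the comment is an assumption about how it would be fed in.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """Value AD expects in unicodePwd: the password wrapped in double
    quotes, encoded as UTF-16LE, with no BOM and no NUL terminator."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(raw: bytes) -> str:
    """Inverse, for checking a value: UTF-16LE decode and strip the quotes."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("value is not a quoted UTF-16LE password")
    return text[1:-1]


def password_modify_ldif(dn: str, password: str) -> str:
    """LDIF that replaces unicodePwd on one entry; binary attribute values
    are written base64-encoded after a double colon, as ldapsearch shows."""
    value = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {value}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # DN of the user created on this page; the password is the same
    # sample value the entry used for the administrator.
    ldif = password_modify_ldif("CN=ricky,CN=Users,DC=kvm,DC=test", "Kiosko_00")
    print(ldif)
    # Assumed usage (not run here), over TLS as the directory requires:
    #   ldapmodify -H ldaps://samba.kvm.test -D Administrator@KVM.TEST -W -f pw.ldif
```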
In all the previous Samba configurations I had seen, the LDAP backend was used (users and groups were stored in a compatible LDAP server). But it seems that now the software neither supports nor recommends it. I suppose that implementing an LDAP server (AD is basically an LDAP directory server) on top of another LDAP server is not a good idea. But the previous architecture allowed building a central / corporate directory that could be the user repository for all the company applications; now this idea can only be implemented using Samba itself as the common user repository (obviously this is not the fault of the Samba team; it was Microsoft's target when it introduced AD, and Samba only gives the chance of not using Microsoft software).
After that a Windows 2008 R2 machine was installed and joined to the Samba domain. To do that a fixed address was configured in the same network: Start→Control Panel→Network and Internet→View Network Status and Tasks→Local Area Network. Remember that the DNS server must be the Samba one.
Then the Windows box was configured to synchronize its time against the Samba NTP following this information. And finally I changed the host to join the Samba domain: My Computer→Properties→Change Settings→Change (it asks for the domain Administrator user and password).
Once the Windows machine was rebooted I could log in as the domain Administrator. As that user the share can be restricted using the normal security dialog (Properties→Security→Advanced): three directories were created and full permissions were assigned to the group of the same name. All of that worked smoothly.
For example, in the folder group3 these permissions were used:
As the file system uses user_xattr (I did not force it, but it is another option of the domain provision and the smb.conf file, --use-xattrs), the Windows permissions are stored as POSIX ACLs, which can be checked on the system (remember the wbinfo command can be used to map the numeric GIDs to Samba groups):
# getfacl /data/group3
# file: data/group3
# owner: 3000000
# group: users
user::rwx
group::---
group:users:---
group:3000000:rwx
group:3000021:rwx
mask::rwx
other::---
default:user::rwx
default:user:3000000:rwx
default:group::---
default:group:users:---
default:group:3000000:rwx
default:group:3000021:rwx
default:mask::rwx
default:other::---
The final test I did was assigning file system quotas on the root device. Because usrquota and grpquota were previously set, we can assign the quota directly to user ricky's uid:
# edquota -u 3000016
Disk quotas for user 3000016 (uid 3000016):
  Filesystem                                              blocks  soft  hard  inodes  soft  hard
  /dev/disk/by-uuid/39c4ea16-e59c-4d2a-8f76-c9fd3179b59c       8   100   200       1     0     0
After that I logged in on the Windows box and created several files in the group1 directory. Once the quota was reached a "not enough space" error was shown.
And the repquota command shows it is over the limit (user ricky is using more than the 100-block soft limit):
# repquota /
*** Report for user quotas on device /dev/disk/by-uuid/39c4ea16-e59c-4d2a-8f76-c9fd3179b59c
Block grace time: 00:00; Inode grace time: 00:00
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  2088512       0       0          60007     0     0
daemon    --       68       0       0              4     0     0
man       --     1844       0       0            139     0     0
libuuid   --        4       0       0              1     0     0
Debian-exim --     28       0       0              6     0     0
statd     --       12       0       0              3     0     0
ricky     --    21536       0       0              6     0     0
bind      --       16       0       0              5     0     0
ntp       --       12       0       0              3     0     0
#3000008  --       64       0       0              8     0     0
#3000016  +-      104     100     200   none      12     0     0
#3000000  --        8       0       0              1     0     0
#3000017  --        8       0       0              1     0     0
As you have seen, this entry covers the basics of Samba 4: a simple installation and some file serving tests (ACLs and quotas). I did not even set up a second DC or migrate a previous Samba 3. But some years ago I knew a lot about Samba and I wanted to refresh my knowledge with the new version. If Samba is going to be used as an AD DC, things have changed a lot. Now the software provides a complete AD/LDAP implementation built over its own LDB storage and, in general, it should be treated like any other Microsoft AD. It was a little disappointing at first, but then I realized that this is the main goal Microsoft was pursuing with Active Directory, so the Samba team simply implemented an alternative AD (my main doubt is how the Samba implementation deals with thousands of entries). But anyway Samba 4 is an enormous step forward for the project, and the Samba team deserves the appreciation of any open source or Linux lover for their gigantic task.
Thanks guys! I am absolutely sure you will continue the good work.
Sunday, December 2. 2012
Limbo
Once wine was back on my system I decided to play a game this weekend. I had had in mind for a long time a puzzle game called Limbo. The game mixes puzzle and platform genres (so besides thinking being important, some dexterity is also needed). It is short, funny, very addictive and, although some parts are really tricky, it is not impossible. I spent the whole weekend playing the game and only two or three times I gave up and checked a walkthrough. In summary it is a really entertaining game and it works smoothly under wine. From time to time I like wasting my time with things like that.
Limbo time!