Centrify Server Suite 2014

Samba Integration Guide


January 2014
Centrify Corporation

Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a
license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or
non-disclosure agreement, Centrify Corporation provides this document and the software described in this
document as is without warranty of any kind, either express or implied, including, but not limited to, the
implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of
express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This document and the software described in this document may not be lent, sold, or given away without the prior
written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth
in such license agreement or non-disclosure agreement, no part of this document or the software described in this
document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,
electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some
companies, names, and data in this document are used for illustration purposes and may not represent real
companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the
information herein. These changes may be incorporated in new editions of this document. Centrify Corporation
may make improvements in or changes to the software described in this document at any time.
2004-2014 Centrify Corporation. All rights reserved. Portions of Centrify software are derived from
third party or open source software. Copyright and legal notices for these sources are listed separately in the
Acknowledgements.txt file included with the software.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the
U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48
C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for
non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use,
modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all
respects to the commercial license rights and restrictions provided in the license agreement.
Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and
DirectManage are trademarks of Centrify Corporation in the United States and other countries. Microsoft,
Active Directory, Windows, Windows XP, and Windows Server are either registered trademarks or trademarks of
Microsoft Corporation in the United States and other countries.
Centrify Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523.
The names of any other companies and products mentioned in this document may be the trademarks or registered
trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies,
organizations, domain names, people and events herein are fictitious. No association with any real company,
organization, domain name, person, or event is intended or should be inferred.
Contents
About this guide
    Intended audience
    Using this guide
    Conventions used in this guide
    Where to go for more information
    Contacting Centrify
Chapter 1 Using Centrify Suite technology with Samba
    Integrating Centrify Suite and Samba
    Integrating Samba with Centrify Express
Chapter 2 Install the Centrify-enabled Samba package
    Verifying the software required
    Deciding how to work with old Samba installations
    Installing Centrify-enabled Samba and adbindproxy
    Upgrading from a previous release
Chapter 3 Configuring Centrify-enabled Samba
    Verifying the environment before you begin
    Verifying DNS settings on the local computer
    Running the adbindproxy.pl
    Verifying the Samba integration
    Modifying the Samba smb.conf configuration file
Appendix A Migrating existing Samba users to DirectControl
    Migrating UNIX profiles to Active Directory
    Migrating Samba servers to Centrify Zones
Appendix B Using adbindproxy.pl
Index

About this guide
The Centrify Suite centrally secures cross-platform data centers through Active
Directory-based identity and access management for a wide range of heterogeneous systems,
hypervisors and applications.
Built on an integrated architecture that leverages patented technology, the Centrify Suite of
solutions helps centralize ID, access privilege delegation and policy management to reduce
the organization's IT expense and complexity, improve end-user productivity, strengthen
security and enhance regulatory compliance initiatives. Key components of the Centrify
Suite include integrated authentication, access control, role-based privilege management,
user-level auditing and server protection solutions, consisting of Centrify DirectControl,
Centrify DirectAuthorize, Centrify DirectAudit, Centrify DirectSecure, and Centrify
DirectManage.
This book describes how to install and configure Centrify-enabled Samba, a customized
version of the open source file and print sharing program, on a Linux or UNIX computer
that has the DirectControl agent already installed.
Intended audience
This book is written for an experienced system administrator familiar with the unpacking
and installation of programs on Linux or UNIX computers. In addition, the instructions
assume that you have a working knowledge of Samba and how to perform common
administrative tasks for creating and maintaining Samba shares.
This book also requires you to have a working knowledge of DirectControl and how to
perform common administrative tasks using the DirectManage Administrator Console and
the Active Directory Users and Computers administration tool. If you are unfamiliar with
DirectControl, see the Centrify Suite Administrator's Guide.
Using this guide
The book guides you through the installation and configuration of Centrify-enabled Samba.
It is organized as follows:
Chapter 1, "Using Centrify Suite technology with Samba," provides a brief overview of
Samba, and how Samba, DirectControl, and Active Directory work together to provide
a secure, integrated environment.
Chapter 2, "Install the Centrify-enabled Samba package," describes how to unpack and
install the Centrify Samba package.
Chapter 3, "Configuring Centrify-enabled Samba," describes how to use the Samba
configuration file and test your integration of Samba, DirectControl, and Active
Directory.
Appendix A, "Migrating existing Samba users to DirectControl," describes how to
migrate existing users from Samba servers to DirectControl.
Appendix B, "Using adbindproxy.pl," describes the adbindproxy.pl utility, which
enables you to configure Samba for interoperability with DirectControl.
Conventions used in this guide
The following conventions are used in this guide:
Fixed-width font is used for sample code, program names, program output, file names,
and commands that you type at the command line. When italicized, this font is used
to indicate variables. In addition, in command line reference information, square
brackets ([ ]) indicate optional arguments.
Bold text is used to emphasize commands, buttons, or user interface text, and to
introduce new terms.
Italics are used for book titles and to emphasize specific words or terms.
The variable release is used in place of a specific release number in the file names for
individual DirectControl software packages. For example,
centrifydc-release-sol8-sparc-local.tgz in this guide refers to the specific release of
the DirectControl Agent for Solaris on SPARC available on the DirectControl CD or in a
DirectControl download package. On the CD or in the download package, the file name
indicates the DirectControl version number. For example, if the software package
installs DirectControl version number 4.4.2, the full file name is
centrifydc-4.4.2-sol8-sparc-local.tgz.
Where to go for more information
Before you start, be sure to read through the Release Notes included with the software
package. This file provides the most up-to-date information about the package, including
system requirements and supported platforms, and any additional information that may not
be included in other documentation.
For information about how to set up and use Samba, you should review the guides included
in the Samba distribution, or the documentation available at http://samba.org, including:
Official Samba-3 HOWTO and Reference Guide
Samba-3 by Example
The following books describe the Centrify Suite components and how to integrate them
into your environment.
Planning and Deployment Guide provides guidelines, strategies, and best practices to help
you plan for and deploy DirectControl in a production environment. This guide covers
issues you should consider in planning a DirectControl deployment project. The
Planning and Deployment Guide should be used in conjunction with the information
covered in the Administrator's Guide.
Administrator's Guide describes how to perform administrative tasks using the
DirectControl Administrator Console and UNIX command line programs. The
Administrator's Guide focuses on managing your environment after deployment, including
creating a zone structure and managing identity and access for users in your UNIX
environment.
Group Policy Guide describes the DirectControl group policies you can use to customize
user-based and computer-based configuration settings. This guide provides an overview
of how group policies are applied and how to install and enable DirectControl-specific
policies.
Configuration Parameters Reference Guide provides reference information for the Centrify
DirectControl configuration parameters that enable you to customize your
environment. Many of these settings can also be controlled through group policies.
Administrator's Guide for Mac OS X provides information for Mac OS X system
administrators about the administrative issues and tasks that are specific or unique to a
Mac OS X environment. If you are deploying in an environment with Mac OS X servers
or workstations, you should refer to this guide for information about the group policies
that only apply to Mac OS X computers and users.
Authentication Guide for Apache describes how to install and configure the DirectControl
for Web Applications product with Apache servers and applications.
Authentication Guide for Java Applications describes how to install and configure the
DirectControl for Web Applications product with Tomcat, JBoss, WebLogic, and
WebSphere servers and J2EE applications.
Individual UNIX man pages for command reference information for DirectControl UNIX
command line programs.
Contacting Centrify
If you have a problem during DirectControl software installation or configuration, need help
with Active Directory configuration, or want clarification on best practices, contact your
Centrify System Engineer or Technical Support. Go to www.centrify.com/support and log in
for the Technical Support contact information.
Chapter 1
Using Centrify Suite technology with Samba
This chapter introduces Centrify-enabled Samba and highlights the integration issues you
might encounter when enterprise networks want to combine the services of Centrify Suite
products and Samba to share files on Centrify-managed computers. The following topics are
covered:
Integrating Centrify Suite and Samba
Integrating Samba with Centrify Express
Integrating Centrify Suite and Samba
Samba is a popular, open source, file and printer sharing program that allows a Linux or
UNIX host to participate as an Active Directory services domain member. When Samba is
installed, Windows users can share files and printers on the Linux or UNIX computers.
The Centrify Suite is an integrated set of commercial, identity management products that
enable a Linux, UNIX, or Mac host to participate as an Active Directory domain member.
When Centrify Suite products are installed, the Centrify-managed computer's user and
group accounts and privileges can be managed entirely through Active Directory.
When open-source Samba, configured as an Active Directory domain member, and the
Centrify Suite DirectControl agent are both installed on the same Linux or UNIX host,
however, two problems can arise:
Samba and DirectControl both attempt to create and manage the same Active Directory
computer account object, causing one of the products to stop working.
Samba and the Centrify Suite DirectManage tools both generate UIDs and GIDs for the
same Active Directory users and groups, but the two programs use different algorithms
for generating these values, so the IDs conflict. The result is file ownership
conflicts and access control problems.
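The ID conflict described above can be checked before any migration. The following added example (not part of the Centrify software or the original guide) compares two passwd(5)- or group(5)-format snapshots, one from the existing Samba mapping and one from DirectControl, and reports IDs that moved and IDs that now belong to a different account. The function names, file names, and sample accounts are assumptions, and account names are assumed to use the same form in both files.

```shell
#!/bin/sh
# Added example, not Centrify code. Inputs are two passwd(5)- or
# group(5)-format snapshots: in both formats field 1 is the name and
# field 3 the numeric ID, so run it once on user maps and once on group maps.

# id_map_diff OLD_MAP NEW_MAP  -> prints, sorted:
#   moved NAME OLD -> NEW          NAME keeps its existing files only after
#                                  they are re-owned to the new ID
#   reused ID OLDNAME -> NEWNAME   files still owned by ID now resolve to
#                                  NEWNAME, a different account
id_map_diff() {
    awk -F: '
        NR == FNR { id_of[$1] = $3; name_of[$3] = $1; next }
        ($1 in id_of) && id_of[$1] != $3 {
            print "moved " $1 " " id_of[$1] " -> " $3
        }
        ($3 in name_of) && name_of[$3] != $1 {
            print "reused " $3 " " name_of[$3] " -> " $1
        }' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample data (hypothetical accounts and IDs): the old Samba
# mapping and the DirectControl mapping disagree on alice and bob, and bob's
# new UID is the one that alice's files are still owned by.
demo_id_map_diff() {
    d=$(mktemp -d) || return 1
    cat > "$d/samba.passwd" <<'EOF'
alice:x:10001:10000::/home/alice:/bin/sh
bob:x:10002:10000::/home/bob:/bin/sh
carol:x:10003:10000::/home/carol:/bin/sh
EOF
    cat > "$d/dc.passwd" <<'EOF'
alice:x:20417:20000::/home/alice:/bin/sh
bob:x:10001:20000::/home/bob:/bin/sh
carol:x:10003:20000::/home/carol:/bin/sh
EOF
    id_map_diff "$d/samba.passwd" "$d/dc.passwd"
    rm -rf "$d"
}
```

A "reused" line is the case to resolve first, because existing files change owner without any file being touched.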
To resolve these issues, Centrify-enabled Samba should be used instead of any existing
Samba running on the Linux or UNIX system. Centrify-enabled Samba supports the
standard Samba protocols and eliminates the potential contentions and UID/GID conflicts.
The Centrify-enabled Samba package consists of the following components:
Compiled and packaged version of Centrify-enabled Samba.
adbindproxy module: Intercepts Samba UNIX ID mapping requests and reroutes them
to DirectControl for processing. This module ensures that Samba and DirectControl
agree on the UNIX attribute values.
adbindproxy.pl PERL configuration script: Automates most of the setup process and
designates DirectControl as the manager of the shared computer object.
The following figure provides a conceptual view of the complete solution architecture using
Active Directory, Samba, and Centrify Suite components.
If you have not been using Samba up to this point, or if you have been using an older Samba
security method (such as user or server), the integration process makes it easy to configure
Samba as an Active Directory member.
On the other hand, if you have already been using Samba as an Active Directory domain
member and have assigned UIDs and GIDs to Active Directory users and groups, the PERL
configuration script helps migrate these UIDs and GIDs for use with Centrify-enabled
Samba.
The integrated solution, composed of the DirectControl Agent (installed separately), the
pre-compiled Centrify-enabled Samba program, and adbindproxy (the Centrify winbind
proxy program), provides the following:
Samba and DirectControl use the same Active Directory computer object without
conflicts.
Consistent user and group attributes are applied on files across Windows, Linux and
UNIX computers.
All UNIX user identity attributes, including the UID, GID, home directory and login
shell in UNIX profiles, are centrally stored and managed in Active Directory.
Both Kerberos and NTLM Samba authentication methods are supported.
Standard Samba access-control features are implemented and augmented by the Centrify
zones technology.
Integrating Samba with Centrify Express
Centrify Express is a special deployment option of the Centrify Suite technology that
automatically generates UNIX attributes for Active Directory users and computers.
Centrify Express does not, however, use Centrify zone technology. Most of the procedures
described in this manual work the same for both the standard and Express deployments,
with the following limitations:
You cannot migrate existing, Samba-generated UIDs and GIDs to Centrify Express. This
is only an issue if you have already been running Samba as an Active Directory member.
You can, however, manually convert the Samba-generated UIDs and GIDs to the same
IDs generated by the DirectManage Administrator console.
You cannot use Centrify zones to restrict access to Samba shares. See the Samba
documentation for ways to implement share restriction if it is something you need.
Alternatively, consider upgrading to the full Centrify Suite.
Chapter 2
Install the Centrify-enabled Samba package
This chapter describes how to install Centrify-enabled Samba on the Linux and UNIX
computers in your environment and enable interoperability between DirectControl and
Samba.
The following topics are covered:
Verifying the software required
Deciding how to work with old Samba installations
Installing Centrify-enabled Samba and adbindproxy
Upgrading from a previous release
Verifying the software required
Samba is an open source software package that is freely available on the Samba project site
(http://samba.org). In addition, virtually every distribution of Linux and many
commercial UNIX operating environments include a binary version of Samba as an integral
part of the package. To get Samba interoperability with Centrify Suite products, you must
use the precompiled version of Samba that is provided by Centrify.
Centrify-enabled Samba includes patches to the Samba programs. Although these patches
may be included in future versions of Samba if approved by the Samba development team,
for now, they only exist in Centrify-enabled Samba.
Required Centrify Suite software
Before you install the Samba package, confirm that you have the following required
software installed on your Windows and Linux or UNIX systems; see the
release notes for compatibility information:
The DirectControl for Windows software package, for the DirectControl Administrator
Console.
Note If you are running DirectControl Express, you do not need to install the
DirectControl Administrator Console.
The DirectControl Agent software package, for the specific operating environments you
want to support.
The Centrify-enabled Samba archive file that contains the centrifydc-samba and
centrifydc-adbindproxy installation packages for the specific operating environments
you want to support.
You must install the DirectControl Agent, and the Centrify-enabled Samba and
adbindproxy packages, on each computer on which you intend to set up Samba-based SMB
file servers.
Centrify Suite software installation
If you have not already done so:
Follow the instructions in the DirectControl Administrator's Guide to install the
DirectControl Administrator Console on at least one Windows computer and configure
at least one zone.
Apply the latest operating system patches on the computers where you intend to install
the DirectControl Agent and Centrify-enabled Samba to ensure the operating systems
are up to date.
Copy the Centrify Suite and Centrify-enabled Samba software packages to an empty
working directory on each Linux or UNIX computer to avoid potential conflicts with
other packages.
Follow the instructions in the DirectControl Administrator's Guide to install the DirectControl
Agent on each Linux or UNIX computer. Use the instructions in this book to create
your Centrify Zones and to join the Samba servers to the Active Directory domain.
Deciding how to work with old Samba installations
Many Linux and UNIX vendors bundle Samba with the operating system. If an existing
Samba installation resides on your target computer, it will conflict with the
Centrify-enabled Samba package you are about to install. This section explains the
choices you have if you find an existing Samba installation.
To check for an existing Samba installation, do one of the following:
Run your package management software. For example, on Red Hat Enterprise Linux:
    rpm -qa | grep -i samba
If you have Samba installed, the command returns something similar to the following:
    samba-client-version
    samba-common-version
where version is the current samba version number.
Search for Samba utilities such as net or smbstatus (typically found in the /usr/bin
directory) or the Samba daemons, such as smbd, nmbd, or winbind (typically found in
/usr/sbin). For example, enter the following command:
    ls -l /usr/bin | grep -i smbstatus
    -rwxr-xr-x 1 root root 669372 Oct 16 2007 smbstatus
If you find no evidence of an existing Samba, skip to "Installing Centrify-enabled Samba and
adbindproxy" on page 14. In addition, you can safely answer Yes to the question "Do you
want to create symbolic links" when you run the adbindproxy.pl configuration
script.
If Samba already exists on the target computer, then you must do one of the following
BEFORE you install Centrify-enabled Samba:
Remove it: see Remove existing Samba installations
Replace it: see Replace existing Samba installations
Co-exist with it: see Co-existing with existing Samba installations
Remove existing Samba installations
Ideally, the best solution is to remove the existing Samba installation using your platform's
package management software. However, in practice, this is often difficult to do because
not only are multiple Samba components installed (client, server, and library components)
but in many cases other installed packages depend on the Samba components and must be
removed first.
Note Before you remove your existing Samba package you may want to save the existing
winbind UID and GID assignments. See Upgrading from a non-Centrify-enabled version of
Samba on page 20 for the rationale and instructions.
In such cases, you may have to follow and remove all dependencies, then work back and
remove all Samba components, which can be a very complicated process. On the other
hand, some package managers, such as rpm, allow you to remove Samba components
ignoring dependencies. See Upgrading from a non-Centrify-enabled version of Samba on
page 20 for examples that show how to remove an existing Samba with various package
managers.
When you install Centrify-enabled Samba it replaces most if not all of the dependencies.
Replace existing Samba installations
An alternative strategy is to replace the existing Samba by creating symbolic links to
Centrify-enabled Samba. When you run adbindproxy.pl to configure Samba, you are
prompted to create symbolic links.
Replacing an existing installation is a simple and effective strategy. In this case,
adbindproxy.pl renames any existing Samba binaries it finds by adding a suffix
(.pre_adbindproxy). For example, an existing smbd would be renamed
smbd.pre_adbindproxy. Then adbindproxy.pl creates a symbolic link from the original
name to the Centrify-enabled Samba component; for example:
    /usr/sbin/smbd => /opt/centrify/samba/sbin/smbd
During installation you are not required to do any manual work to remove the existing
Samba installation. You will, however, need to use a package manager option that ignores
file conflicts and dependencies, such as the rpm --replacefiles and --nodeps options
(see Upgrading from a previous release on page 18 for an example).
After installation, the adbindproxy configuration script automatically takes care of creating
symbolic links and renaming the existing Samba binaries when you answer Yes to the
prompt, Do you want to create symbolic links... (see Running the adbindproxy.pl
on page 23).
Note Before you replace your existing Samba package you may want to save the existing
winbind UID and GID assignments. See Upgrading from a non-Centrify-enabled version of
Samba on page 20 for the rationale and instructions.
After installation and configuration, because they have been renamed, there is no chance
that the old Samba binaries can be mistakenly executed in place of the Centrify-enabled
Samba binary.
The downside to this strategy is that as far as the operating system is concerned, the original
Samba is still installed, so you must be careful when installing operating system patches to
avoid inadvertently overwriting Centrify-enabled Samba binaries with ones from the
patches.
Co-existing with existing Samba installations
The third strategy is to leave an existing Samba installation in place when you install
Centrify-enabled Samba. After installation, when you configure Centrify-enabled Samba,
do not replace the existing binaries with symbolic links to Centrify-enabled Samba. That is,
after installation, when you run the Samba configuration script, answer No to the prompt,
Do you want to create symbolic links... (see Running the adbindproxy.pl on
page 23).
The original Samba binaries are not modified. Centrify-enabled Samba is installed in the
directory /opt/centrify/samba, while the original Samba binaries remain in their current
directories (typically /usr/bin and /usr/sbin).
With coexistence you do not have to be concerned with inadvertently overwriting
Centrify-enabled Samba binaries when applying operating system patches. However, you
have to be careful to be certain that you are executing the correct Samba binaries. Typically,
you need to use the complete path (/opt/centrify/samba/bin/sambaProgramName) when
executing Centrify-enabled Samba binaries, or you can modify the PATH environment
variable to define the path to the Centrify-enabled Samba binaries first.
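The checks implied by the replace and co-existence strategies above, as an added example (not part of the Centrify package or the original guide): it reports whether each Samba program name still points at Centrify-enabled Samba, flags a symbolic link that has been overwritten by a regular file (for example by an operating system patch), and shows which binary PATH would run. The function names and the ROOT prefix argument are assumptions; the paths and the .pre_adbindproxy suffix are the ones this guide gives.

```shell
#!/bin/sh
# Added example, not Centrify code. Paths and the rename suffix are the ones
# this guide names; ROOT is a hypothetical prefix ("" for the live system)
# so the check can also be run against a mounted image or a test tree.
CENTRIFY_SAMBA=/opt/centrify/samba
SUFFIX=.pre_adbindproxy

# samba_state ROOT PATH  -> prints one word:
#   linked       PATH is a symlink into $CENTRIFY_SAMBA (replacement intact)
#   overwritten  PATH is a regular file although PATH$SUFFIX exists, so
#                something (for example an OS patch) replaced the symlink
#   stray-link   PATH is a symlink that points somewhere else
#   vendor       PATH is a regular file with no renamed copy (co-existence)
#   absent       PATH does not exist
samba_state() {
    full=$1$2
    if [ -L "$full" ]; then
        case $(readlink "$full") in
            "$CENTRIFY_SAMBA"/*|"$1$CENTRIFY_SAMBA"/*) echo linked ;;
            *) echo stray-link ;;
        esac
    elif [ -f "$full" ]; then
        if [ -e "$full$SUFFIX" ]; then echo overwritten; else echo vendor; fi
    else
        echo absent
    fi
}

# audit_samba ROOT -> one "state path" line per program; returns 1 if any
# program is overwritten or a stray link, because then a binary other than
# Centrify-enabled Samba would be started under the original name.
audit_samba() {
    rc=0
    for p in /usr/sbin/smbd /usr/sbin/nmbd /usr/bin/smbstatus /usr/bin/net; do
        s=$(samba_state "$1" "$p")
        echo "$s $p"
        case $s in overwritten|stray-link) rc=1 ;; esac
    done
    return "$rc"
}

# which_samba ROOT NAME -> "centrify" if the first NAME on PATH is, or links
# to, a Centrify-enabled binary; "other" if not; "none" if NAME is not found.
which_samba() {
    found=$(command -v "$2" 2>/dev/null) || { echo none; return 0; }
    case $found in
        "$1$CENTRIFY_SAMBA"/*) echo centrify ;;
        *)  if [ "$(samba_state "$1" "${found#"$1"}")" = linked ]
            then echo centrify; else echo other; fi ;;
    esac
}

# Usage on a live system:  audit_samba ""  &&  which_samba "" smbd
```

Running audit_samba after each round of operating system patches catches the overwrite case described for the replace strategy; which_samba answers the co-existence question of which smbd a bare command name would start.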
Installing Centrify-enabled Samba and adbindproxy
Use the instructions in this section to install the Centrify-enabled Samba and the
adbindproxy program.
Note If you have not already done so, before continuing, be certain to look at Upgrading
from a previous release on page 18 for instructions that may be pertinent, depending on
your current DirectControl and Centrify-enabled Samba installation.
Depending on the version of DirectControl you are using, some related programs for
Centrify-enabled Samba may be installed by default with the DirectControl Agent.
The Centrify-enabled Samba package and the Centrify adbindproxy package, however, are
separate, add-on software packages installed separately from the DirectControl Agent or
the Centrify Suite. For information about configuring the Centrify-enabled Samba
environment to work with DirectControl after installation, see Configuring
Centrify-enabled Samba on page 22.
Extracting the contents of Centrify-enabled Samba package
The following steps describe how to download and unpack the Samba package for a Linux
or UNIX computer.
Note In these instructions, a sample file name of centrify-samba-v.v.v-platform-arch.tgz
is used in place of the full file name. The full file name for the Centrify-enabled
Samba package includes the Centrify-enabled Samba version and supported platform
information. For example, the full file name may look similar to this:
    centrify-samba-v.v.v-platform-arch.tgz
where:
v.v.v is the DirectControl version number
platform indicates the target operating system as follows. Note that some platforms are
only available on one architecture. This table may not include all of the platforms
supported. Be sure to read through the Product Bundle descriptions before
downloading.
    Platform   Description
    aix        IBM AIX
    debn       Debian and Ubuntu Linux
    hpnn.nn    Hewlett-Packard HP-UX
    irix       Silicon Graphics IRIX
    rheln      CentOS, Mandriva, Red Hat and Scientific Linux
    soln       Solaris and OpenSolaris
    susen      Novell SUSE and openSUSE
arch indicates the processor architecture as follows:
    arch       Description
    i386       Intel x86, 32-bit
    x86_64     Intel x86, 64-bit
    ppc        Power PC
    ia         Itanium
    sparc      SPARC
    pa         PA-RISC
1 Go to the Centrify Download Center to get the Centrify-enabled Samba package. You get
to the Download Center from the Centrify home page. Next, click the Support tab and
select the Customer Support Portal. Enter your User Name and Password.
From the Support portal select the Customer Download Center.
In the Download Center, select Centrify-Enabled Samba from the Centrify-Enabled
Tools.
2 Download the centrify-samba-release-platform-arch.tgz file corresponding to
your DC (DirectControl) Version (see the leftmost column) and the target computer's
operating system and processor architecture.
3 Uncompress the contents of the file. For example, on a Red Hat Enterprise Linux
computer you would use the following:
    gunzip centrify-samba-v.v.v-platform-arch.tgz
4 Extract the contents of the file. For example, on a Red Hat Enterprise Linux computer
you would use the following:
    tar -xvf centrify-samba-v.v.v-platform-arch.tar
After extracting the contents of the file, you should see the following files:
Centrify-Samba-v.v.v-Release-Notes.txt: Generic release note for this version of
the Centrify-enabled Samba package.
centrifydc-adbindproxy-V.V.V-platform-arch.rpm: The module that intercepts
Samba UNIX ID mapping requests and reroutes them to DirectControl for processing
centrifydc-samba-s.s.s-v.v.v-platform-arch.rpm (where s.s.s is the base
Samba version number): the Centrify-enabled Samba package
release-notes-samba-platform.txt: Supplemental, platform-specific release notes.
5 Review the two text files for release-specific information about the package that was
available after this document was published.
The packages are now ready for installation.
Install Centrify-enabled Samba
Use the following steps to install the Centrify-enabled Samba and then adbindproxy. In
these steps the file name centrifydc-samba-*.rpm is used in place of the full file name.
You can use the wildcard symbol (*) to substitute for a portion of the file name if there are
no conflicting files in the directory.
Note: If you are updating from a previous version of Centrify-enabled Samba or have a
vendor-supplied Samba installed on the computer, see "Upgrading from a previous release"
on page 18 before proceeding.
Be sure to enter the full path name in the command line if multiple versions of the same file
exist in the same directory.
1 Run the appropriate command for your platform to install the centrifydc-samba
package. The following table shows sample commands using the common package
installers for each platform.

For this platform / You can run

Linux-based computers: Red Hat Enterprise Linux, CentOS Linux, Scientific Linux, Oracle Linux
    For 32-bit systems:
        rpm -Uvh centrifydc-samba-*.rpm
    For 64-bit systems:
        rpm -Uvh centrifydc-samba-*.rpm

Sun Solaris
    On SPARC systems, for example:
        gunzip centrifydc-samba-*-sol8-sparc-local.gz
        pkgadd -d centrifydc-samba-*
    There are four Solaris packages. Select the package that matches your Solaris
    version and processor type. If you have Solaris 9, use the sol8 package. If you have
    Solaris 11, use the sol10 package. Furthermore, the x86 version can be installed on
    32- and 64-bit architectures.
        centrifydc-samba-*-sol8-sparc-local
        centrifydc-samba-*-sol8-x86-local
        centrifydc-samba-*-sol10-sparc-local
        centrifydc-samba-*-sol10-x86-local

HP-UX
    For HP-UX 11.11 on PA-RISC:
        gunzip centrifydc-samba-*-hp11.11.gz
        swinstall -s /path/centrifydc-samba-*-hp11.11.depot CentrifyDC-Samba
    For other HP-UX versions and platforms the commands are the same but the file
    names are different. For example, on HP-UX 11.23 Itanium 64-bit systems:
        centrifydc-samba-*-hp11.23-ia64.depot.gz

IBM AIX
    For AIX 5.3 or later:
        gunzip centrifydc-samba-*-aix5.3-ppc.tgz
        inutoc .
        installp -aY -d centrifydc-samba-*-aix5.3-ppc.bff CentrifyDC.samba

Debian Linux, Ubuntu Linux
    Check that you have libcupsys2-gnutls10 (1.1.23-1 or later) installed.
    If you have the required libraries, run the following command to install:
        32-bit processor: dpkg -i centrifydc-samba-*-deb5-i386.deb
        64-bit processor: dpkg -i centrifydc-samba-*-deb5-x86_64.deb

SuSE Linux, OpenSuSE Linux
    For 32-bit systems:
        rpm -ivh centrifydc-samba-*-suse8-i386.rpm
    For 64-bit systems:
        rpm -ivh centrifydc-samba-*-suse9-x86_64.rpm
    Note: SuSE Linux 9 requires the cups package.

2 Repeat the installation command for your platform, this time specifying
centrifydc-adbindproxy-*.rpm.
This concludes the installation of Centrify-enabled Samba and the adbindproxy. Skip to
Chapter 3, "Configuring Centrify-enabled Samba," to continue.
Upgrading from a previous release
The following sections describe how to upgrade from previous versions of DirectControl
and Centrify-enabled Samba.
- "Upgrading from a DirectControl version earlier than 4.4.2 and Centrify-enabled Samba
  3.0.33 or earlier" on page 19
- "Upgrading from DirectControl 4.4.2 or later and Centrify-enabled Samba 3.0.33 or
  earlier" on page 20
- "Upgrading from a non-Centrify-enabled version of Samba" on page 20
Before proceeding, run the adinfo --version command on the managed computer to
determine which version of DirectControl (CentrifyDC) you are running.
Upgrading from a DirectControl version earlier than 4.4.2 and Centrify-enabled Samba 3.0.33 or earlier
The adbindproxy in this version of Centrify-enabled Samba requires at least DirectControl
4.4.2 and a version of Centrify-enabled Samba greater than version 3.0.33. In addition, the
CentrifyDC idmap program, which was installed as part of Centrify-enabled Samba,
conflicts with adbindproxy and must be removed.
Use the following steps to upgrade from a Centrify-enabled Samba installation with a
version of DirectControl earlier than 4.4.2, and Centrify-enabled Samba 3.0.33 or earlier:
1 Copy the existing startup script /etc/init.d/centrifydc-samba file and rename it
/etc/init.d/centrifydc-samba.upgrade. For example:
    cd /etc/init.d
    cp centrifydc-samba ./centrifydc-samba.upgrade
Note: On HP-UX, there are two files you must copy and save before upgrading,
/sbin/init.d/centrifydc-samba and /etc/rc.config.d/centrifydc-samba.rc. For both of
these files, append .upgrade to the file name.
2 Use the appropriate local operating system command or package manager to remove the
old version of the idmap program. For example, the following table lists the common
commands associated with each platform:

    For this platform      You can run
    Most Linux variants    rpm -e CentrifyDC-idmap
    Debian/Ubuntu          dpkg -P centrifydc-idmap
    Sun Solaris            pkgrm CentrifyDC-idmap
    HP-UX                  swremove CentrifyDC-idmap
    IBM AIX                installp -u CentrifyDC.idmap

3 Replace the Centrify Suite DirectControl and DirectManage components on all of the
Windows and Linux or UNIX computers. See the DirectControl Administrator's Guide for
the installation instructions.
4 Install Centrify-enabled Samba and adbindproxy as described in "Installing
Centrify-enabled Samba and adbindproxy" on page 14.
Note: You may see package conflict errors during this step. If so, rerun the rpm command
with the --nodeps and --replacefiles options. The --nodeps option installs the
Centrify-enabled Samba package without checking for dependencies; the
--replacefiles option replaces conflicting files with the files from the new package.
This concludes Centrify-enabled Samba and adbindproxy installation. Go to "Configuring
Centrify-enabled Samba" on page 22 to continue.
Upgrading from DirectControl 4.4.2 or later and Centrify-enabled Samba
3.0.33 or earlier
The adbindproxy in Centrify-enabled Samba requires at least DirectControl 4.4.2 and a
version of Centrify-enabled Samba greater than version 3.0.33.
If the target system has DirectControl 4.4.2 or later but your Centrify-enabled Samba is
version 3.0.33 or earlier, update Centrify-enabled Samba by installing
Centrify-enabled Samba and adbindproxy as described in "Installing Centrify-enabled
Samba and adbindproxy" on page 14.
Note: You may see package conflict errors during this step. If so, rerun the rpm installation
command with the --nodeps and --replacefiles options. The --nodeps option installs the
Centrify-enabled Samba package without checking for dependencies, while the
--replacefiles option replaces conflicting files with files from the new package.
This concludes Centrify-enabled Samba and adbindproxy installation. Go to "Configuring
Centrify-enabled Samba" on page 22 to continue.
Upgrading from a non-Centrify-enabled version of Samba
If you have a Samba already installed on your system AND determine it serves you best to
replace it (see "Deciding how to work with old Samba installations" on page 11 for a
discussion of your options), use the following procedure to upgrade to Centrify-enabled
Samba:
1 Save the existing winbind UID and GID assignments: If you have been running Samba and
winbind on the computer where you are going to install Centrify-enabled Samba, save the
existing winbind UID and GID assignments before you install the new software. This
allows you to import these assignments into a Centrify Zone and map them to users and
groups in Active Directory.
If winbind is currently configured in your /etc/nsswitch.conf file, run the following
commands to save the information to a file before installing:
    getent passwd | grep -v -f /etc/passwd > /tmp/passwd.winbind
    getent group | grep -v -f /etc/group > /tmp/group.winbind
See "Migrating existing Samba users to DirectControl" on page 36 for more information.
2 Use the appropriate local operating system command or package manager to manually
remove the old version of the Samba program. For example, you can use the following
commands to remove the existing Samba program:

    For this platform      You can run
    Most Linux variants    rpm -e samba-common-version
    Debian/Ubuntu          dpkg -P samba-common-version
    Sun Solaris            pkgrm samba-common-version
    HP-UX                  swremove samba-common-version
    IBM AIX                installp -u samba-common-version

You may see package conflict errors during this step that cause package removal to fail.
In this case, proceed with the next step and be certain to use the --nodeps and
--replacefiles options when installing DirectControl Samba.
3 Install Centrify-enabled Samba and adbindproxy. See "Installing Centrify-enabled Samba
and adbindproxy" on page 14 for the instructions.
Since you are upgrading you may see package conflict errors when you run the package
manager for Centrify-enabled Samba. If so, rerun the rpm command with the --nodeps
or --replacefiles options. The --nodeps option installs the Centrify-enabled Samba
package without checking for dependencies; the --replacefiles option replaces
conflicting files with files in the new package.
4 Run the adbindproxy.pl script to configure Centrify-enabled Samba; see "Running the
adbindproxy.pl" on page 23.
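A variant of the step 1 save, added here as an example and not taken from the Centrify guide: it compares whole lines exactly, so a local entry containing a character such as * that grep would treat as a pattern is still recognized as local, and it lists numeric IDs that a winbind entry shares with a differently named local account. The function names, the root-only output directory and the sample entries are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Centrify code): save winbind-only entries by exact-line
# comparison and report numeric IDs that collide with local accounts.

# winbind_only ALL LOCAL
# Print each line of ALL (getent output) that is not, character for
# character, a line of LOCAL (/etc/passwd or /etc/group).
winbind_only() {
    awk 'FILENAME == ARGV[1] { is_local[$0] = 1; next }
         !($0 in is_local)' "$2" "$1"
}

# id_collisions WINBIND LOCAL
# Field 3 is the UID in passwd and the GID in group. Print
# "id:winbind_name:local_name" when a winbind entry reuses a local ID.
id_collisions() {
    awk -F: 'FILENAME == ARGV[1] { owner[$3] = $1; next }
             ($3 in owner) && owner[$3] != $1 {
                 print $3 ":" $1 ":" owner[$3]
             }' "$2" "$1"
}

# save_winbind_ids DB OUTDIR   (DB is "passwd" or "group"; run as root)
# Writes OUTDIR/DB.winbind and prints any ID collisions. OUTDIR should be a
# directory only root can write to: a fixed file name in /tmp can be
# pre-created or symlinked by another local user.
save_winbind_ids() (
    umask 077
    getent "$1" > "$2/$1.all" || exit 1
    winbind_only "$2/$1.all" "/etc/$1" > "$2/$1.winbind"
    rm -f "$2/$1.all"
    id_collisions "$2/$1.winbind" "/etc/$1"
)

# Demonstration on constructed entries (not from a real host).
demo_dir=$(mktemp -d) || exit 1
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
              'games:*:1000:100::/usr/games:/bin/sh' > "$demo_dir/local"
{ cat "$demo_dir/local"
  printf '%s\n' 'WONDER\alice:*:1000:10000::/home/alice:/bin/bash' \
                'WONDER\bob:*:10001:10000::/home/bob:/bin/bash'
} > "$demo_dir/all"
winbind_only "$demo_dir/all" "$demo_dir/local" > "$demo_dir/winbind"
cat "$demo_dir/winbind"
id_collisions "$demo_dir/winbind" "$demo_dir/local"
rm -rf "$demo_dir"
```

Any collision reported here is a mapping to resolve when the saved assignments are imported into a Centrify Zone.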
Chapter 3
Configuring Centrify-enabled Samba
This chapter describes how to configure Centrify DirectControl and Centrify-enabled
Samba to work together properly.
The following topics are covered:
Verifying the environment before you begin
Verifying DNS settings on the local computer on page 23
Running the adbindproxy.pl on page 23
Verifying the Samba integration on page 29
Modifying the Samba smb.conf configuration file on page 32
Verifying the environment before you begin
Centrify-enabled Samba includes the adbindproxy.pl script that performs most of the
configuration steps for you. Before running this script, however, you should verify the
environment is ready for configuration and you are ready to proceed.
At this point, you should check that:
- Centrify DirectControl is installed on a Windows computer in an Active Directory
  domain.
- You have created at least one zone, either the default zone or a zone you created with
  the zone wizard.
  Note: If you are running Centrify DirectControl in Express Mode, or have connected to
  a domain through Auto Zone, you will not have any zones configured. You can still
  configure Centrify-enabled Samba to run with DirectControl.
- You have added or imported some users and groups into the Centrify Zone. Only Active
  Directory users who are members of the Centrify Zone are able to access Samba shares
  on the local computer.
- The DirectControl Agent is installed on the computer where you have installed the
  Centrify-enabled Samba.
- Older, incompatible versions of Samba have been removed or updated with
  Centrify-enabled Samba on the computer that hosts the Samba shares.
  Note: Although you are not required to remove older Samba versions, you should be
  careful to use versions with the proper operating system patches. You can use the
  adbindproxy.pl configuration script to automatically move and rename an older Samba
  version to a different directory, or you can manually remove or rename an older Samba
  installation prior to running the adbindproxy.pl configuration script.
- The adbindproxy package is installed on the computer.
Verifying DNS settings on the local computer
Centrify Suite relies on DNS to locate its domain controller and monitor connection status.
If you are unsure whether DNS is configured properly, you can run the adcheck utility, or
manually inspect and, if necessary, edit the /etc/resolv.conf and /etc/hosts files to
ensure server host names and IP addresses can be successfully resolved.
Running adcheck
Centrify Suite includes a utility, adcheck, which runs a number of operating system,
network, and Active Directory checks to verify that your domains are correctly configured
for DirectControl. You can run adcheck to verify your DNS settings, as follows:
    /usr/share/centrifydc/bin/adcheck -t net domainName
where:
    -t net        runs only the network check.
    domainName    specifies the domain; for example, ajax.org.
You should see output similar to the following:
    /usr/share/centrifydc/bin/adcheck -t net ajax.org
    NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass
    DNSPROBE : Probe DNS server 192.164.10.1 : Pass
    DNSCHECK : Analyze basic health of DNS servers : Pass
    WHATSSH : Is this an SSH that DirectControl works well with : Pass
    SSH : SSHD version and configuration : Pass
If adcheck encounters any problems with the configuration, it prints a warning or error
message that includes information on how to correct the problem.
Running the adbindproxy.pl
This section describes how to configure Samba using the adbindproxy.pl script.
Note: If your current environment has Windows users accessing data on Samba member
servers that are joined to the Active Directory domain, you may want to migrate those users
to DirectControl. This way, you can use Centrify Zones to manage conflicting identities and
rationalize UIDs and GIDs. See "Migrating UNIX profiles to Active Directory" on page 36
to migrate those users. Complete the migration before integrating Centrify-enabled Samba
and DirectControl.
The adbindproxy.pl script performs the following tasks:
- Determines the computer's operating system and adjusts accordingly. For example, for
  Solaris-based machines it verifies that all of the patches necessary to run Samba have
  been installed.
- Confirms that the DirectControl Agent is installed.
- Confirms the Centrify-enabled Samba has been installed.
- Checks for and reports any conflicting Samba installations.
  Note: If the script finds another Samba installed, you have several options; see "Deciding
  how to work with old Samba installations" on page 11.
- Prompts you to create symbolic links to the Centrify-enabled Samba binaries in /usr/bin
  and /usr/sbin. If you have existing links it backs up the originals.
- Determines if you are joined to an Active Directory domain and, if you are, displays the
  domain name and Centrify Zone.
- Asks if you want to join Centrify-enabled Samba to the current Active Directory domain
  or another. If you choose another, the script guides you through the current domain
  leave and new domain join processes.
  Note: If you want to modify or set advanced join settings (for example, update PAM or
  NSS config, use DES for encryption, or use a computer alias), either run adleave before
  you run adbindproxy.pl or select a different domain when prompted in the script.
  Otherwise, the script does NOT prompt you to enter advanced join settings.
- If you have a previous Samba installation, asks if you want to keep the smb.conf settings
  or use new ones. adbindproxy.pl automatically saves the existing copy.
  Note: The script automatically looks for an existing smb.conf file using the smbd -b
  command. If your current version of smbd does not support the -b option or you have
  smb.conf in a custom directory, the script will not find it. If you want to use your existing
  smb.conf, move it to /etc/samba before you run the script.
- Removes old state files from previous instances of Samba, including any existing
  winbind entries from the /etc/nsswitch.conf file.
- Restarts the Centrify-enabled Samba clients (nmbd, winbindd, adbindd and smbd).
- Installs scripts to automatically start the correct Samba and DirectControl services each
  time the computer boots.
Before you run adbindproxy.pl, read through the prompts described below to make sure
you're prepared with the answers.
To begin, log on and switch to the root user and proceed with the following steps:
1 Start script: From root enter
    perl /usr/share/centrifydc/bin/adbindproxy.pl
2 Please specify Centrify Samba's path if it is not in [/opt/centrify/samba]
Press Enter to accept the default. Otherwise, enter your path.
adbindproxy.pl checks for a conflicting version of Samba. If it does not find one you
get the message
    No conflicting Samba found
If it finds one, it displays the message
    Warning: potentially conflicting Samba installations were found in
    [directory]
    Do you want to continue [N]
and shows the directory.
How to proceed depends upon whether or not you want to keep the existing Samba
versions. See "Deciding how to work with old Samba installations" on page 11 to review
the options.
Enter N if you need to terminate the script. Enter Y if you want to proceed with two
Sambas.
3 Do you want to create symbolic links from /usr to /opt/centrify/samba/? [Y]
Answer Y and press Enter for the following conditions:
- if there are no older Samba installations on the computer,
- if you have removed older Samba installations, or
- if you intend to entirely replace any older Samba installations with the
  Centrify-enabled Samba installation.
See "Deciding how to work with old Samba installations" on page 11 for details on these
choices.
Answer N and press Enter if you want the existing Samba installation and
Centrify-enabled Samba to co-exist. See "Co-existing with existing Samba installations" on
page 13 for details on this choice.
As it proceeds, adbindproxy.pl displays its progress as it replaces and backs up the
existing files.
4 Do you want to leave and join to another domain? [N]
How you respond to this prompt depends upon whether or not the computer is already joined
to an Active Directory domain.
- If you are joined to a domain when you initiated the script, adbindproxy.pl displays
  the domain name and zone and asks you
      Do you want to leave or join to another domain? [N]
  To continue to join Centrify-enabled Samba to the current joined Active Directory
  domain, press Enter and skip ahead to Step 7 on page 27.
  If you want to leave the current domain and join another OR change any advanced
  options (see list below) in your current domain, enter Y and then proceed with Step 5.
- If you are not joined, the script displays the message
      Not joined to any domain. Make sure you enter the correct domain and zone
      information in the next steps
  This initiates a set of prompts that ask you for the Active Directory domain name, the
  Centrify Zone and advanced options. Proceed with the next step.
5 Join new Active Directory domain
Note: You arrive at this step if you are not joined to an Active Directory Domain when
you started adbindproxy.pl, you decided to leave that domain OR you decided to
change advanced options in your current join. If none of these conditions apply to you,
skip to Step 7.
The first prompt asks you for the domain name.
    Enter the Active Directory domain to join :
and then asks
    Check DNS health for [domain]? Note: this may take several minutes [Y] :
Press Enter to ensure the domain exists.
Next, the script prompts you to enter the following properties:
- Centrify Zone on the target Active Directory domain
  Note: If you are running DirectControl in Express Mode or need to join the domain
  through Auto Zone, enter NULL_AUTO for the zone name.
- computer name on which Centrify-enabled Samba is installed
- Active Directory authorized user (default is Administrator)
6 Do you wish to specify advanced join options? [N] :
The options are listed below. The defaults are in brackets. If you do not need any advanced
join options, enter N. Otherwise, enter Y and make your selections.
    Canonical name of Active Directory Computer Container
    Preferred Domain Server to use (press Enter for none)
    Update PAM and NSS Config [Y]
    Trust computer for delegation? [N]
    Use DES encryption only? [N]
    Run adjoin in verbose mode? [N]
    Addition computer alias (press Enter for none)
The script then displays the selections you made and asks if you want to proceed. Enter
Y to proceed or N to abort adbindproxy.pl.
If you choose to proceed AND you are leaving the current Active Directory domain to
join another, the script prompts you twice to enter your password. In response to the
first prompt, enter the current Active Directory domain account password to leave that
domain; for the second prompt, enter the password for the Active Directory Domain,
computer and authorized user specified in the prompts to join that domain.
If you were not joined to an Active Directory domain when you started the script, you
are prompted to enter your password once. Enter the password for the Active Directory
Domain, computer and authorized user specified in the prompts.
7 Keep Samba Settings?
adbindproxy.pl creates a new smb.conf file and stores it in /etc/samba. It can create a
skeletal version with minimal global settings and a samba-test share only (see "Modifying
the Samba configuration file (smb.conf)" on page 30 for a sample), or it can update an
existing smb.conf file.
Note: Regardless of whether you update an existing smb.conf or create a new one, you
will need to modify the /etc/samba/smb.conf file to have the [global] section settings
and the appropriate shares for your environment. See "Modifying the Samba smb.conf
configuration file" on page 32 for instructions. The file created by adbindproxy.pl
should be used for verifying the Centrify-enabled Samba integration only.
After completing the join routines in the script, adbindproxy.pl searches for existing
smb.conf files. If it does not find one, it automatically creates a new one, displays
the message
    Updating smb.conf with Centrify recommended settings ...
and finishes the script. Skip to "Finishing Up" on page 28 for the messages.
If it does find one, adbindproxy.pl copies the file to /etc/samba and asks
    Do you want to keep the original samba settings? [Y] :
Note: If adbindproxy.pl finds more than one smb.conf, it displays the list and asks you
to select one. After you make the selection, it copies that one to /etc/samba and
continues.
- Enter N to create the skeletal smb.conf. adbindproxy.pl makes a backup of your
  smb.conf in /etc/samba in the form smb.conf.yyyy-mm-dd-hh-mm and creates the
  skeletal version.
- Enter Y to modify the existing file. adbindproxy.pl displays the prompt:
      Backup existing /etc/samba/smb.conf and add Centrify recommended settings?
      [Y]
  Enter Y to create a backup in the form smb.conf.yyyy-mm-dd-hh-mm.
  Enter N to use the existing smb.conf without making a backup.
Note: If the existing smb.conf has Security = ADS and the workgroup and realm are set,
the script does NOT modify the existing file; the original is left unchanged.
8 Reset the Samba User/Group ID Cache (Centrify Samba may create conflicting
mappings) [Y]
adbindproxy.pl creates new mapping in the Samba User/Group ID cache, which may
result in conflicts if there are any mappings in place already.
Unless you created custom mappings, use the default [Y]. This flushes the cache.
    This prompt is only pertinent to the small set of Samba administrators who
    created custom user and group ID mappings. If you do have custom mappings,
    use the default to flush the cache and prevent potential conflicts. After
    adbindproxy.pl completes, re-add your mappings as necessary.
Finishing Up
To complete the configuration, adbindproxy.pl stops any running versions of smbd,
adbindd, winbindd and nmbd, starts the Centrify-enabled versions and displays a set of
progress and configuration messages. You should see the following messages:
    Init Samba start script ...
    Restarting Samba daemons ...
    Stopping Samba smbd: [ OK ]
    Stopping Samba adbindd [ OK ]
    Stopping Samba winbindd: [ OK ]
    Stopping Samba nmbd: [ OK ]
    Starting CentrifyDC-Samba nmbd: [ OK ]
    Starting CentrifyDC-Samba winbindd: [ OK ]
    Starting CentrifyDC-Samba adbindd: [ OK ]
    Starting CentrifyDC-Samba smbd: [ OK ]
adbindproxy.pl displays one last prompt
    Press ENTER to continue ...
To finish up, press Enter.
Note: If any service fails to start, you should run one of the following after the
adbindproxy.pl script completes its execution.
On Linux or Solaris computers, run:
    /etc/init.d/centrifydc-samba restart
On HP-UX computers, run:
    /sbin/init.d/centrifydc-samba restart
On AIX computers, run:
    stopsrc -g samba && startsrc -g samba
As a quick test, log off as the root user and log on with an Active Directory user account
that has been granted access to the local computer's zone. If this is the first time you are
logging on with this user account, check that the user's home directory is created, which is
created automatically by Centrify DirectControl the first time you log on.
Verifying the Samba integration
There are two key scenarios for testing whether Samba is configured properly for
integration with Centrify DirectControl and Active Directory:
Accessing Samba shares from a UNIX client session
Accessing Samba shares from a Windows desktop session
Accessing Samba from a UNIX client session
To test access to Samba shares on a Linux or UNIX computer, users should do the
following:
1 Log on to the Linux or UNIX computer using the Active Directory account that has been
granted access to the local computer's zone.
2 Run the following command:
    smbclient -k -L localhost
The smbclient program displays information about Samba and the SMB shares that are
available on the local computer. For example, you should see a listing similar to the
following (where s.s.s is the Samba version and v.v.v is the DirectControl version):
    OS=[Unix] Server=[Samba s.s.s-cdc-v.v.v-xxx]
    Sharename       Type      Comment
    ---------       ----      -------
    samba-test      Disk
    IPC$            IPC       IPC Service (Samba-CDC)
    sara            Disk      Home directories
    OS=[Unix] Server=[Samba s.s.s-cdc-v.v.v-xxx]
    Server          Comment
    ---------       -------
    Workgroup       Master
    ---------       ------
    ARCADE          MAGNOLIA
If you are able to see the Samba shares as an Active Directory user logged on to the Linux or
UNIX computer that is acting as the Samba server, you should next test accessing the Samba
shares from a Windows desktop. For information about performing this test, see "Accessing
Samba shares from a Windows desktop" on page 31.
Purging and reissuing Kerberos tickets
If you see an error such as NT_STATUS_LOGON_FAILURE instead of the expected results when
you run the smbclient program, you may need to purge your existing Kerberos tickets and
have them reissued. Try running the following command to remove all of your Kerberos
tickets:
    /usr/share/centrifydc/kerberos/bin/kdestroy
Then run the following command to reissue tickets after you provide your Active Directory
password:
    /usr/share/centrifydc/kerberos/bin/kinit
You can then run the following command to list the Kerberos tickets that have been issued
to you:
    /usr/share/centrifydc/kerberos/bin/klist
After verifying the Kerberos tickets you have been issued, try running the smbclient
program again.
Verifying the version of Samba you are using
If purging and reissuing tickets does not resolve the problem, confirm the version of the
smbstatus that is currently running using the following command:
    smbstatus | grep version
The command should display the Centrify-enabled Samba version you have installed. For
example:
    Samba version s.s.s-cdc-v.v.v-xxx
(where s.s.s is the installed Samba version number and v.v.v is the DirectControl
version number)
The string cdc-release (cdc-v.v.v.xxx) indicates that the installed Samba package is
Centrify-enabled Samba intended for use with DirectControl. If the version of Samba is not
the one provided by Centrify, completely remove this version and install the precompiled
version from the Centrify-enabled Samba software package.
If the correct version of Samba is installed, run smbstatus again and note the names of any
*.tdb files that do not exist, and try restoring them from your backup, then try running the
smbclient program again.
Rejoining the domain
If the smbclient program does not display the Samba shares you have defined in the
configuration file, you should review the settings in the smb.conf file, then leave and rejoin
the Active Directory domain.
Accessing Samba shares from a Windows desktop
To test access to Samba shares on a Linux or UNIX computer from a Windows desktop:
1 Log on to a Windows computer that is joined to the domain with an Active Directory user
account.
2 Click Start > Windows Explorer, then navigate to the domain. For example, open
My Network Places > Entire Network > Microsoft Windows Network >
Arcade to view the Arcade.net domain.
3 Select the Linux or UNIX computer that is running Centrify-enabled Samba to view its
Samba shares. For example:
[Figure: The default Samba share (samba-test) and any other shares you have defined
for the computer are displayed.]
4 Click samba-test or browse other available Samba shares to verify that you can open
existing files and create new files.
5 Confirm from both Windows and the managed computer that the files in the share
directories are owned by the correct users.
If you cannot browse the shares on the Linux or UNIX computer from the Windows
desktop, you should:
- Verify that there is network connectivity between the two systems.
- Confirm that you do not have a firewall running on the managed computer that is
  blocking access to the SMB ports.
- Make sure there are no stale Kerberos tickets on your Windows system by obtaining the
  Windows kerbtray program from the Microsoft Web site, installing it on the Windows
  computer, and using it to purge your Kerberos tickets. Log out and log in again to your
  Windows system and retest accessing the Samba shares from Windows.
Modifying the Samba smb.conf configuration file
The Samba configuration file, /etc/samba/smb.conf, defines important parameters for
Samba-based file sharing. After you have verified the Samba integration with Centrify
DirectControl and Active Directory using a sample configuration file and the test share, you
need to modify the smb.conf file so that it accurately represents your environment. This file
must include the [global] section that defines the Active Directory domain, authentication
methods, and other parameters. The file should also include a section for each directory
you are making accessible as an SMB share.
The following shows a skeletal sample /etc/samba/smb.conf file for the domain,
wonder.land.
Note: The smb.conf file shown below was generated on a computer running RedHat
Enterprise Linux. adbindproxy.pl tests to determine what operating system is running on
the host and generates an smb.conf file appropriate to that platform. For example, the
smb.conf for SuSe-based computers includes the following comments and command:
    #
    # Suse 11 CUPS printing appears to crash at startup
    # So we disable printing on this platform for now
    printing = BSC
Other platforms may have different exemptions and adjustments.
    #
    # This file was generated by Centrify ADBindProxy Utility
    #
    [global]
    security = ADS
    realm = WONDER.LAND
    workgroup = WONDER
    netbios name = debian5
    auth methods = guest, sam, winbind, ntdomain
    machine password timeout = 0
    passdb backend = tdbsam:/etc/samba/private/passdb.tdb
    #
    # Using kerberos keytab may lead to a serious Samba crash.
    # Centrify recommends against using it.
    # Kerberos authentication is still supported without it.
    #
    use kerberos keytab = No
    # If your Samba server only serves to Windows systems, try server signing = mandatory.
    server signing = auto
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes
    ignore syssetgroups error = No
    idmap uid = 1000-200000000
    idmap gid = 1000-200000000
    enable core files = false
    # Disable logging to syslog, and only write log to Samba standard log files.
    syslog = 0
    [samba-test]
    path = /samba-test
    public = yes
    # If you set public = No, you should set the valid users parameter.
    # When the user or group is in AD, the setting syntax is:
    # valid users = WONDER\username +WONDER\group
    writable = yes
    [homes]
    comment = Home directories
    read only = No
    browseable = No
Note Do not set use kerberos keytab = yes in the smb.conf file. Setting the use kerberos
keytab parameter to yes could result in a serious Samba crash. Kerberos authentication is
supported through DirectControl without setting this parameter.
At the beginning of a line, both the hash symbol (#) and the semi-colon (;) indicate lines to
ignore. By convention, in this file, the hash indicates a comment and the semi-colon
indicates a parameter you may wish to enable.
The settings in the [global] section are required whether you use the sample configuration
file or create your own smb.conf file. The settings in the [homes] section indicate that you
want to share home directories, and the [samba-test] section describes the samba-test
share as a publicly-writable share mapped to the /samba-test directory. For more
information about editing the Samba configuration file and the supported parameters, see
the Samba documentation.
When you make changes to the smb.conf file, you should run the Samba utility testparm to
make sure there are no errors in your smb.conf file before putting it into production use.
When you run the testparm utility, you should see output similar to the following:
    Load smb config files from /etc/samba/smb.conf
    Processing section "[homes]"
    Processing section "[printers]"
    Processing section "[samba-test]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions
    [global]
    workgroup = WONDER
    realm = WONDER.LAND
    security = ADS
    auth methods = guest, sam, winbind, ntdomain
    passdb backend = tdbsam:/etc/samba/private/passdb.tdb
    syslog = 0
    enable core files = No
    server signing = auto
    machine password timeout = 0
    adbindproxy backend = cdc:/usr/share/centrifydc/lib/libcapi.so
    adbindproxy standard mappers = No
    template shell = /bin/bash
    winbind use default domain = Yes
    [homes]
    comment = Home Directories
    read only = No
    browseable = No
    [printers]
    comment = All Printers
    path = /usr/spool/samba
    printable = Yes
    browseable = No
    [samba-test]
    path = /samba-test
    read only = No
    guest ok = Yes
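testparm confirms that the file loads; it does not tell you whether the settings this guide calls out (use kerberos keytab, server signing, and the guest-writable test share) are set the way you intend before production use. The following check is an added example, not part of the Centrify guide or tooling; the [finance] share and its path-free definition are hypothetical, and the sample input is constructed.

```python
import re

# Constructed input: the guide's sample with the keytab setting flipped and a
# hypothetical [finance] share that has public = No but no valid users line.
SAMPLE = r"""
[global]
Use Kerberos Keytab = Yes
server signing = auto
[samba-test]
public = yes
writable = yes
[finance]
public = No
; valid users = WONDER\username +WONDER\group
"""

def parse(text):
    """Return {section: {param: value}}; lines starting with # or ; are ignored."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif line and line[0] not in "#;" and "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba matches parameter names ignoring case and spaces.
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def enabled(value):
    return value.strip().lower() in {"yes", "true", "on", "1"}

def audit(text):
    # Handles only the spellings this guide uses: public/guest ok, writable/read only.
    conf, findings = parse(text), []
    glob = conf.get("global", {})
    if enabled(glob.get("usekerberoskeytab", "no")):
        findings.append(("global", "use kerberos keytab is enabled"))
    if glob.get("serversigning", "").lower() != "mandatory":
        findings.append(("global", "server signing is not mandatory"))
    for name, p in conf.items():
        if name in ("global", "homes", "printers"):
            continue
        guest = enabled(p.get("guestok", p.get("public", "no")))
        writable = enabled(p.get("writable", "no")) or not enabled(p.get("readonly", "yes"))
        if guest and writable:
            findings.append((name, "guest-accessible and writable"))
        if not guest and "validusers" not in p:
            findings.append((name, "no guest access and no valid users list"))
    return findings
```

The server signing finding is informational: the generated file suggests mandatory only when the server serves Windows systems exclusively.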
Appendix A
Migrating existing Samba users to DirectControl
This appendix describes how to migrate an existing user population from Samba servers to
DirectControl.
Note The information in this chapter is relevant to systems with at least the Centrify Suite
DirectControl, DirectAuthorize, and DirectManage components installed and on which you
created a Centrify Zone, either by name or by using the default zone option. These instructions do
not apply to computers with Centrify Express installed and computers that are joined through
Auto Zone. If you are using Centrify Express or if you have joined to a zone through Auto
Zone, it is not possible to migrate existing Samba UID and GID settings.
The following topics are covered:
- Migrating UNIX profiles to Active Directory
- Migrating Samba servers to Centrify Zones
Migrating UNIX profiles to Active Directory
If your current environment includes Samba servers that are joined to the Active Directory
domain as member servers and existing Windows users access the data on those servers, you
may want to migrate those existing users to DirectControl so you can rationalize UIDs and GIDs
and manage all of your network's conflicting identities in a single, centralized ID repository.
Note Migrate your Samba users to Active Directory, as explained in this section, before
integrating Centrify-enabled Samba and DirectControl as explained in "Running the
adbindproxy.pl" on page 23.
If winbind is currently configured in your /etc/nsswitch.conf file, run the following
commands to save the information to a file before installing Centrify-enabled Samba:
    # Keep only the entries that are not in the local file
    getent passwd | grep -v -x -F -f /etc/passwd > /tmp/passwd.winbind
    getent group | grep -v -x -F -f /etc/group > /tmp/group.winbind
Otherwise, use the following adbindproxy.pl --exports steps after installing Centrify-
enabled Samba to migrate the users:
1 Identify the Samba servers you want to update to integrate with DirectControl.
2 On each of the Samba servers to be updated, locate the winbindd_idmap.tdb file and create
a backup copy of the file. For example, run a command similar to the following to view
details about the Samba build:
    /CurrentSambaBinaryPath/smbd -b | grep -i lockdir
In the output, you should see a line similar to the following that indicates the location of the
winbindd_idmap.tdb file:
    LOCKDIR: /var/lib/samba
3 Make a backup copy of the file; for example:
    cp /var/lib/samba/winbindd_idmap.tdb /tmp/winbind_idmap.tdb.pre_adbindproxybackup
4 Run the adbindproxy.pl script with the following options to generate the export files.
    perl /usr/share/centrifydc/bin/adbindproxy.pl --exports --gidfile filename --uidfile filename --tdbfile filename
See Appendix B, "Using adbindproxy.pl," for details about the command-line parameters
for adbindproxy.pl.
When you run adbindproxy.pl with these options, it generates export files for the users and the
groups that are currently known by the Samba server. By default, these files are created as:
    /var/centrifydc/samba/passwd
    /var/centrifydc/samba/group
5 After generating the export files, move them to a Windows domain controller. Then use the
Import from UNIX wizard in the DirectControl Administrator Console to import the users
and groups with their existing UID and GID mappings into the zone.
For more information on importing existing user and group information and mapping
information to Active Directory, see the "Importing existing users and groups" chapter in the
Centrify Suite Administrator's Guide.
Migrating Samba servers to Centrify Zones
Samba generates UIDs and GIDs based on a range of values that have been defined for a
specific server. In most cases, a user who has accessed two different Samba servers is likely to
have two different UIDs, for example, 6003 on the server mission and 9778 on the server
dolores. Therefore, in an initial migration of existing users, each Samba server must join the
Active Directory domain in separate Centrify Zones to accommodate the different UIDs and
GIDs users and groups may have.
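To see how far the UID assignments on your servers have diverged before you plan zones, you can compare the files produced by adbindproxy.pl --exports on each server. The following comparison is an added example, not part of the Centrify guide or tooling; it assumes the export files use the /etc/passwd field layout, and the user names and the 6004 entries are constructed sample data around the guide's mission/dolores UIDs.

```python
from collections import defaultdict

# Constructed exports, assumed to be in /etc/passwd format (name:pw:uid:gid:...).
EXPORTS = {
    "mission": "alice:x:6003:6000:Alice:/home/alice:/bin/bash\n"
               "bob:x:6004:6000:Bob:/home/bob:/bin/bash\n",
    "dolores": "alice:x:9778:9000:Alice:/home/alice:/bin/bash\n"
               "carol:x:6004:9000:Carol:/home/carol:/bin/bash\n",
}

def load(text):
    """Map user name -> UID for every well-formed passwd line."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0].lower()] = int(fields[2])
    return users

def conflicts(exports):
    """Return (users with differing UIDs, UIDs held by differing users)."""
    by_user, by_uid = defaultdict(dict), defaultdict(dict)
    for server, text in exports.items():
        for user, uid in load(text).items():
            by_user[user][server] = uid
            by_uid[uid][server] = user
    # Same user, different UID depending on the server.
    split_users = {u: s for u, s in by_user.items() if len(set(s.values())) > 1}
    # Same UID, different user depending on the server.
    shared_uids = {i: s for i, s in by_uid.items() if len(set(s.values())) > 1}
    return split_users, shared_uids

if __name__ == "__main__":
    for label, result in zip(("split users", "shared UIDs"), conflicts(EXPORTS)):
        print(label, result)
```

Either kind of conflict means file ownership would change for someone if both servers shared one set of UID mappings, which is why the initial migration keeps each server in its own zone.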
Appendix B
Using adbindproxy.pl
This appendix describes the options available for the adbindproxy command-line tool. The
adbindproxy.pl utility is used to configure Centrify-enabled Samba and Centrify
DirectControl to work together and provides specific functions, such as exporting UIDs and
GIDs, creating symbolic links to Centrify-enabled Samba binaries and libraries, and restoring
backed-up Samba files.
Note For step-by-step instructions about running adbindproxy.pl to configure Centrify-
enabled Samba and Centrify DirectControl to work together, see "Running the
adbindproxy.pl" on page 23.
Synopsis
    adbindproxy.pl [--help] [--info] [--restore] [--symbol] [--verbose] [--version]
    adbindproxy.pl --exports [--gidfile filename] [--uidfile filename] [--tdbfile filename]
adbindproxy.pl options
You can use the following options with this command:
    Use this option            To do this
    -E, --exports              Export user IDs (UIDs) and group IDs (GIDs) that
                               are stored in Samba's winbindd_idmap.tdb file.
                               Use the --gidfile and --uidfile options to specify
                               the export files for the GIDs and UIDs. Use the
                               --tdbfile option to specify the .tdb file that
                               contains the GIDs and UIDs.
                               After export, you can use the Centrify
                               DirectControl Administrator Console to import the
                               users and groups with their existing UID and GID
                               mappings into a zone.
    -g, --gidfile filename     Specify the file in which to write the
                               Samba-created ADGroup to GID mappings. Use this
                               option with the --exports option. By default, the
                               file is:
                               /etc/group
    -h, --help                 Display the adbindproxy.pl usage information.
    -i, --info                 Display Samba interoperability information.
    -r, --restore              Restore files backed up from the first time you
                               configured Samba for interoperability with
                               DirectControl. Typically, you run adbindproxy.pl
                               with the --restore option to restore Samba files
                               before uninstalling the Centrify-enabled version
                               of Samba.
    -S, --symbol               Force the creation of symbolic links to Centrify-
                               enabled Samba binaries and libraries without
                               asking for confirmation.
    -t, --tdbfile filename     Specify the location of the winbindd_idmap.tdb
                               file that contains Samba UID and GID information.
                               This option is used during the UID and GID export
                               process.
                               If you omit this option, the default file to
                               export from is:
                               /var/lib/samba/winbindd_idmap.tdb
    -u, --userfile filename    Specify the file in which to write Samba-created
                               ADUser to UID mappings. Use this option with the
                               --exports option.
                               By default, the file is:
                               /etc/passwd
    -v, --version              Display version information for the installed
                               software.
    -V, --verbose              Display detailed information for each operation.
Examples
To display basic information about the configuration of Centrify-enabled Samba and
interoperability with DirectControl and Active Directory, you could type a command line
similar to the following:
    adbindproxy.pl --info
This command displays information similar to the following (where v.v.v is the
DirectControl version number and s.s.s is the Samba number):
    The Samba base path is: /opt/centrify/samba
    CentrifyDC Realm = ARCADE.NET
    CentrifyDC NTLM Domain = ARCADE
    CentrifyDC Host = magnolia.arcade.net
    CentrifyDC Short Host = magnolia
    CentrifyDC version = CentrifyDC v.v.v
    Samba Version = s.s.s-CDC-v.v.v
    Samba Realm = ARCADE.NET
    Samba NetBIOS Name = MAGNOLIA
    Samba Version Supported = yes
    Samba and CDC in same Realm = yes
    Samba and CDC share machine account = yes
To export existing Samba GID and UID information that you want to import into a Centrify
Zone, and to show details about the operation performed, type a command line similar to the
following:
    adbindproxy.pl --exports --verbose
This command displays information similar to the following:
    The existing uid mappings have been exported to
    /var/centrifydc/samba/passwd.
    The existing gid mappings have been exported to
    /var/centrifydc/samba/group.