Centrify Corporation provides this document and the software described in this document "as is" without warranty of any kind, either express or implied. Some companies, names, and data in this document are used for illustration purposes. Centrify Corporation may make improvements in or changes to the software.
Legal notice

This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

© 2004-2014 Centrify Corporation. All rights reserved. Portions of Centrify software are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, Windows XP, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. Centrify Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523. The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.

Contents

About this guide  4
    Intended audience  4
    Using this guide  4
    Conventions used in this guide  5
    Where to go for more information  5
    Contacting Centrify  6
Chapter 1  Using Centrify Suite technology with Samba  7
    Integrating Centrify Suite and Samba  7
    Integrating Samba with Centrify Express  9
Chapter 2  Install the Centrify-enabled Samba package  10
    Verifying the software required  10
    Deciding how to work with old Samba installations  11
    Installing Centrify-enabled Samba and adbindproxy  14
    Upgrading from a previous release  18
Chapter 3  Configuring Centrify-enabled Samba  22
    Verifying the environment before you begin  22
    Verifying DNS settings on the local computer  23
    Running the adbindproxy.pl  23
    Verifying the Samba integration  29
    Modifying the Samba smb.conf configuration file  32
Appendix A  Migrating existing Samba users to DirectControl  36
    Migrating UNIX profiles to Active Directory  36
    Migrating Samba servers to Centrify Zones  37
Appendix B  Using adbindproxy.pl  38
Index  41
About this guide

The Centrify Suite centrally secures cross-platform data centers through Active Directory-based identity and access management for a wide range of heterogeneous systems, hypervisors and applications. Built on an integrated architecture that leverages patented technology, the Centrify Suite of solutions helps centralize identity, access privilege delegation and policy management to reduce the organization's IT expense and complexity, improve end-user productivity, strengthen security and enhance regulatory compliance initiatives. Key components of the Centrify Suite include integrated authentication, access control, role-based privilege management, user-level auditing and server protection solutions, consisting of Centrify DirectControl, Centrify DirectAuthorize, Centrify DirectAudit, Centrify DirectSecure, and Centrify DirectManage.

This book describes how to install and configure Centrify-enabled Samba, a customized version of the open source file and print sharing program, on a Linux or UNIX computer that has the DirectControl agent already installed.

Intended audience

This book is written for an experienced system administrator familiar with the unpacking and installation of programs on Linux or UNIX computers. In addition, the instructions assume that you have a working knowledge of Samba and how to perform common administrative tasks for creating and maintaining Samba shares. This book also requires you to have a working knowledge of DirectControl and how to perform common administrative tasks using the DirectManage Administrator Console and the Active Directory Users and Computers administration tool. If you are unfamiliar with DirectControl, see the Centrify Suite Administrator's Guide.

Using this guide

This book guides you through the installation and configuration of Centrify-enabled Samba. It is organized as follows:

Chapter 1, Using Centrify Suite technology with Samba, provides a brief overview of Samba, and how Samba, DirectControl, and Active Directory work together to provide a secure, integrated environment.
Chapter 2, Install the Centrify-enabled Samba package, describes how to unpack and install the Centrify Samba package.
Chapter 3, Configuring Centrify-enabled Samba, describes how to use the Samba configuration file and test your integration of Samba, DirectControl, and Active Directory.
Appendix A, Migrating existing Samba users to DirectControl, describes how to migrate existing users from Samba servers to DirectControl.
Appendix B, Using adbindproxy.pl, describes the adbindproxy.pl utility, which enables you to configure Samba for interoperability with DirectControl.

Conventions used in this guide

The following conventions are used in this guide:

Fixed-width font is used for sample code, program names, program output, file names, and commands that you type at the command line. When italicized, this font is used to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments.
Bold text is used to emphasize commands, buttons, or user interface text, and to introduce new terms.
Italics are used for book titles and to emphasize specific words or terms.
The variable release is used in place of a specific release number in the file names for individual DirectControl software packages. For example, centrifydc-release-sol8-sparc-local.tgz in this guide refers to the specific release of the DirectControl Agent for Solaris on SPARC available on the DirectControl CD or in a DirectControl download package. On the CD or in the download package, the file name indicates the DirectControl version number. For example, if the software package installs DirectControl version number 4.4.2, the full file name is centrifydc-4.4.2-sol8-sparc-local.tgz.

Where to go for more information

Before you start, be sure to read through the Release Notes included with the software package. This file provides the most up-to-date information about the package, including system requirements and supported platforms, and any additional information that may not be included in other documentation.

For information about how to set up and use Samba, you should review the guides included in the Samba distribution, or the documentation available at http://samba.org, including:

Official Samba-3 HOWTO and Reference Guide
Samba-3 by Example

The following books describe the Centrify Suite components and how to integrate them into your environment.

Planning and Deployment Guide provides guidelines, strategies, and best practices to help you plan for and deploy DirectControl in a production environment. This guide covers issues you should consider in planning a DirectControl deployment project. The Planning and Deployment Guide should be used in conjunction with the information covered in the Administrator's Guide.
Administrator's Guide describes how to perform administrative tasks using the DirectControl Administrator Console and UNIX command line programs. The Administrator's Guide focuses on managing your environment after deployment, including creating a zone structure and managing identity and access for users in your UNIX environment.
Group Policy Guide describes the DirectControl group policies you can use to customize user-based and computer-based configuration settings. This guide provides an overview of how group policies are applied and how to install and enable DirectControl-specific policies.
Configuration Parameters Reference Guide provides reference information for the Centrify DirectControl configuration parameters that enable you to customize your environment. Many of these settings can also be controlled through group policies.
Administrator's Guide for Mac OS X provides information for Mac OS X system administrators about the administrative issues and tasks that are specific or unique to a Mac OS X environment. If you are deploying in an environment with Mac OS X servers or workstations, you should refer to this guide for information about the group policies that only apply to Mac OS X computers and users.
Authentication Guide for Apache describes how to install and configure the DirectControl for Web Applications product with Apache servers and applications.
Authentication Guide for Java Applications describes how to install and configure the DirectControl for Web Applications product with Tomcat, JBoss, WebLogic, and WebSphere servers and J2EE applications.
Individual UNIX man pages provide command reference information for DirectControl UNIX command line programs.

Contacting Centrify

If you have a problem during DirectControl software installation or configuration, need help with Active Directory configuration, or want clarification on best practices, contact your Centrify System Engineer or Technical Support. Go to www.centrify.com/support and log in for the Technical Support contact information.

Chapter 1  Using Centrify Suite technology with Samba

This chapter introduces Centrify-enabled Samba and highlights the integration issues you might encounter when enterprise networks want to combine the services of Centrify Suite products and Samba to share files on Centrify-managed computers. The following topics are covered:

Integrating Centrify Suite and Samba
Integrating Samba with Centrify Express

Integrating Centrify Suite and Samba

Samba is a popular, open source, file and printer sharing program that allows a Linux or UNIX host to participate as an Active Directory services domain member. When Samba is installed, Windows users can share files and printers on the Linux or UNIX computers.
The Centrify Suite is an integrated set of commercial identity management products that enable a Linux, UNIX, or Mac host to participate as an Active Directory domain member. When Centrify Suite products are installed, the Centrify-managed computer's user and group accounts and privileges can be managed entirely through Active Directory.

When open-source Samba, configured as an Active Directory domain member, and the Centrify Suite DirectControl agent are both installed on the same Linux or UNIX host, however, two problems can arise:

Samba and DirectControl both attempt to create and manage the same Active Directory computer account object, causing one of the products to stop working.
Samba and the Centrify Suite DirectManage tools generate conflicting UIDs and GIDs for the same Active Directory users and groups, because the two programs use different algorithms for generating these values. The result is file ownership conflicts and access control problems.

To resolve these issues, Centrify-enabled Samba should be used instead of any existing Samba running on the Linux or UNIX system. Centrify-enabled Samba supports the standard Samba protocols and eliminates the potential contentions and UID/GID conflicts. The Centrify-enabled Samba package consists of the following components:

Compiled and packaged version of Centrify-enabled Samba.
adbindproxy module: Intercepts Samba UNIX ID mapping requests and reroutes them to DirectControl for processing. This module ensures that Samba and DirectControl agree on the UNIX attribute values.
adbindproxy.pl Perl configuration script: Automates most of the setup process and designates DirectControl as the manager of the shared computer object.

The following figure provides a conceptual view of the complete solution architecture using Active Directory, Samba, and Centrify Suite components.

If you have not been using Samba up to this point, or if you have been using an older Samba security method (such as user or server), the integration process makes it easy to configure Samba as an Active Directory member. On the other hand, if you have already been using Samba as an Active Directory domain member and have assigned UIDs and GIDs to Active Directory users and groups, the Perl configuration script helps migrate these UIDs and GIDs for use with Centrify-enabled Samba.

The integrated solution, composed of the DirectControl Agent (installed separately), the pre-compiled Centrify-enabled Samba program, and adbindproxy, the Centrify winbind proxy program, provides the following:

Samba and DirectControl use the same Active Directory computer object without conflicts.
Consistent user and group attributes are applied on files across Windows, Linux and UNIX computers.
All UNIX user identity attributes, including the UID, GID, home directory and login shell in UNIX profiles, are centrally stored and managed in Active Directory.
Both Kerberos and NTLM Samba authentication methods are supported.
Standard Samba access-control features are implemented and augmented by the Centrify zones technology.

Integrating Samba with Centrify Express

Centrify Express is a special deployment option of the Centrify Suite technology that automatically generates UNIX attributes for Active Directory users and computers. Centrify Express does not, however, use Centrify zone technology. Most of the procedures described in this manual work the same for both the standard and Express deployments, with the following limitations:

You cannot migrate existing, Samba-generated UIDs and GIDs to Centrify Express. This is only an issue if you have already been running Samba as an Active Directory member. You can, however, manually convert the Samba-generated UIDs and GIDs to the same IDs generated by the DirectManage Administrator console.
You cannot use Centrify zones to restrict access to Samba shares. See the Samba documentation for ways to implement share restriction if it is something you need. Alternatively, consider upgrading to the full Centrify Suite.

Chapter 2  Install the Centrify-enabled Samba package

This chapter describes how to install Centrify-enabled Samba on the Linux and UNIX computers in your environment and enable interoperability between DirectControl and Samba. The following topics are covered:

Verifying the software required
Deciding how to work with old Samba installations
Installing Centrify-enabled Samba and adbindproxy
Upgrading from a previous release

Verifying the software required

Samba is an open source software package that is freely available on the Samba project site (http://samba.org). In addition, virtually every distribution of Linux and many commercial UNIX operating environments include a binary version of Samba as an integral part of the package. To get Samba interoperability with Centrify Suite products, you must use the precompiled version of Samba that is provided by Centrify. Centrify-enabled Samba includes patches to the Samba programs. Although these patches may be included in future versions of Samba if approved by the Samba development team, for now they only exist in Centrify-enabled Samba.

Required Centrify Suite software

Before you install the Samba package, confirm that the following software is installed on your Windows and Linux or UNIX systems; see the release notes for compatibility information:

The DirectControl for Windows software package, for the DirectControl Administrator Console.
Note: If you are running DirectControl Express, you do not need to install the DirectControl Administrator Console.
The DirectControl Agent software package, for the specific operating environments you want to support.
The Centrify-enabled Samba archive file that contains the centrifydc-samba and centrifydc-adbindproxy installation packages for the specific operating environments you want to support.

You must install the DirectControl Agent, and the Centrify-enabled Samba and adbindproxy packages, on each computer on which you intend to set up Samba-based SMB file servers.

Centrify Suite software installation

If you have not already done so:

Follow the instructions in the DirectControl Administrator's Guide to install the DirectControl Administrator Console on at least one Windows computer and configure at least one zone.
Apply the latest operating system patches on the computers where you intend to install the DirectControl Agent and Centrify-enabled Samba to ensure the operating systems are up to date.
Copy the Centrify Suite and Centrify-enabled Samba software packages to an empty working directory on each Linux or UNIX computer to avoid potential conflicts with other packages.
Follow the instructions in the DirectControl Administrator's Guide to install the DirectControl Agent on each Linux or UNIX computer.
Use the instructions in this book to create your Centrify Zones and to join the Samba servers to the Active Directory domain.

Deciding how to work with old Samba installations

Many Linux and UNIX vendors bundle Samba with the operating system. If an existing Samba installation resides on your target computer, it will conflict with the Centrify-enabled Samba package you are about to install. This section explains your options if you find an existing Samba installation.

To check for an existing Samba installation, do one of the following:

Run your package management software. For example, on Red Hat Enterprise Linux:

    rpm -qa | grep -i samba

If you have Samba installed, the command returns something similar to the following:

    samba-client-version
    samba-common-version

where version is the current Samba version number.

Search for Samba utilities such as net or smbstatus (typically found in the /usr/bin directory) or the Samba daemons, such as smbd, nmbd, or winbind (typically found in /usr/sbin). For example, enter the following command:

    ls -l /usr/bin | grep -i smbstatus
    -rwxr-xr-x 1 root root 669372 Oct 16 2007 smbstatus

If you find no evidence of an existing Samba, skip to Installing Centrify-enabled Samba and adbindproxy on page 14. In addition, you can safely answer Yes to the question "Do you want to create symbolic links" when you run the adbindproxy.pl configuration script.

If a Samba already exists on the target computer, then you must do one of the following BEFORE you install Centrify-enabled Samba:

Remove it: see Remove existing Samba installations
Replace it: see Replace existing Samba installations
Co-exist with it: see Co-existing with existing Samba installations

Remove existing Samba installations

Ideally, the best solution is to remove the existing Samba installation using your platform's package management software. However, in practice, this is often difficult to do because not only are multiple Samba components installed (client, server, and library components) but in many cases other installed packages depend on the Samba components and must be removed first.

Note: Before you remove your existing Samba package you may want to save the existing winbind UID and GID assignments. See Upgrading from a non-Centrify-enabled version of Samba on page 20 for the rationale and instructions.
In such cases, you may have to follow and remove all dependencies, then work back and remove all Samba components, which can be a very complicated process. On the other hand, some package managers, such as rpm, allow you to remove Samba components while ignoring dependencies. See Upgrading from a non-Centrify-enabled version of Samba on page 20 for examples that show how to remove an existing Samba with various package managers. When you install Centrify-enabled Samba it replaces most if not all of the dependencies.

Replace existing Samba installations

An alternative strategy is to replace the existing Samba by creating symbolic links to Centrify-enabled Samba. When you run adbindproxy.pl to configure Samba, you are prompted to create symbolic links. Replacing an existing installation is a simple and effective strategy. In this case, adbindproxy.pl renames any existing Samba binaries it finds by adding a suffix (.pre_adbindproxy). For example, an existing smbd would be renamed smbd.pre_adbindproxy. Then adbindproxy.pl creates a symbolic link from the original name to the Centrify-enabled Samba component; for example:

    /usr/sbin/smbd => /opt/centrify/samba/sbin/smbd

During installation you are not required to do any manual work to remove the existing Samba installation. You will, however, need to use a package manager option that ignores file conflicts and dependencies, such as the rpm --replacefiles and --nodeps options (see Upgrading from a previous release on page 18 for an example). After installation, the adbindproxy configuration script automatically takes care of creating symbolic links and renaming the existing Samba binaries when you answer Yes to the prompt "Do you want to create symbolic links..." (see Running the adbindproxy.pl on page 23).

Note: Before you replace your existing Samba package you may want to save the existing winbind UID and GID assignments. See Upgrading from a non-Centrify-enabled version of Samba on page 20 for the rationale and instructions.

After installation and configuration, because the old Samba binaries have been renamed, there is no chance that they can be mistakenly executed in place of the Centrify-enabled Samba binaries. The downside to this strategy is that, as far as the operating system is concerned, the original Samba is still installed, so you must be careful when installing operating system patches to avoid inadvertently overwriting Centrify-enabled Samba binaries with ones from the patches.

Co-existing with existing Samba installations

The third strategy is to leave an existing Samba installation in place when you install Centrify-enabled Samba. After installation, when you configure Centrify-enabled Samba, do not replace the existing binaries with symbolic links to Centrify-enabled Samba. That is, after installation, when you run the Samba configuration script, answer No to the prompt "Do you want to create symbolic links..." (see Running the adbindproxy.pl on page 23). The original Samba binaries are not modified. Centrify-enabled Samba is installed in the directory /opt/centrify/samba, while the original Samba binaries remain in their current directories (typically /usr/bin and /usr/sbin).

With coexistence you do not have to be concerned with inadvertently overwriting Centrify-enabled Samba binaries when applying operating system patches. However, you have to be careful to be certain that you are executing the correct Samba binaries. Typically, you need to use the complete path (/opt/centrify/samba/bin/sambaProgramName) when executing Centrify-enabled Samba binaries, or you can modify the PATH environment variable to place the path to the Centrify-enabled Samba binaries first.
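The following shell script is an added illustration of two steps described in this chapter: the check for an existing Samba installation, and what the "replace" strategy does to each vendor binary (rename it with the .pre_adbindproxy suffix, then link the original name to the Centrify-enabled copy). It is not part of the Centrify package and is not the adbindproxy.pl script; it only shows the file-system effect so you can verify it afterwards. The directories are parameters (the guide names /usr/bin, /usr/sbin and /opt/centrify/samba), and the daemon name winbindd is assumed for the daemon the guide calls winbind.

```shell
#!/bin/sh
# Added example, not Centrify code: locate vendor-supplied Samba binaries and
# demonstrate the rename-and-symlink step of the "replace" strategy.
# Directories are parameters so the functions can be run against a scratch
# directory; the real locations named in the guide are /usr/bin, /usr/sbin
# and /opt/centrify/samba.

SAMBA_BINARIES="smbd nmbd winbindd net smbstatus"   # winbindd: assumed daemon name
SUFFIX=".pre_adbindproxy"

# find_samba_binaries DIR... : print every Samba binary found under the given
# directories. Symbolic links are printed with their target, so a link that
# already points at /opt/centrify/samba is distinguishable from a vendor
# binary. Returns 0 if at least one was found, 1 otherwise.
find_samba_binaries() {
    found=1
    for dir in "$@"; do
        for name in $SAMBA_BINARIES; do
            if [ -L "$dir/$name" ]; then
                printf '%s -> %s\n' "$dir/$name" "$(readlink "$dir/$name")"
                found=0
            elif [ -e "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
                found=0
            fi
        done
    done
    return $found
}

# replace_with_link VENDOR_DIR CENTRIFY_DIR NAME
#   VENDOR_DIR/NAME  ->  VENDOR_DIR/NAME.pre_adbindproxy   (renamed backup)
#   VENDOR_DIR/NAME  =>  CENTRIFY_DIR/NAME                  (new symlink)
# Refuses to act when the Centrify binary is missing or a backup already
# exists, so a wrong path cannot leave a dangling link and no working daemon.
replace_with_link() {
    vendor="$1/$3"
    target="$2/$3"
    if [ ! -x "$target" ]; then
        echo "missing Centrify binary: $target" >&2
        return 1
    fi
    if [ -L "$vendor" ]; then
        rm -f "$vendor"                 # stale link from an earlier run
    elif [ -e "$vendor" ]; then
        if [ -e "$vendor$SUFFIX" ]; then
            echo "backup $vendor$SUFFIX already exists; not overwriting" >&2
            return 1
        fi
        mv "$vendor" "$vendor$SUFFIX"
    fi
    ln -s "$target" "$vendor"
}

# which_samba NAME : print the file that a PATH lookup of NAME really executes
# (following one level of symlink). Under the co-existence strategy this is
# the check that confirms the Centrify copy, not the vendor one, will run.
which_samba() {
    p=$(command -v "$1" 2>/dev/null) || return 1
    if [ -L "$p" ]; then
        readlink "$p"
    else
        printf '%s\n' "$p"
    fi
}

# Run with --scan to report on a live system (read-only).
if [ "${1:-}" = "--scan" ]; then
    find_samba_binaries /usr/bin /usr/sbin || echo "no existing Samba binaries found"
    for n in $SAMBA_BINARIES; do
        printf '%-10s %s\n' "$n" "$(which_samba "$n" || echo 'not in PATH')"
    done
fi
```

Run the script with --scan before installing to record what is already on the host; after adbindproxy.pl has created the links, the same scan shows each vendor path resolving to /opt/centrify/samba, and which_samba confirms that the copy first on PATH is the Centrify one.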
Installing Centrify-enabled Samba and adbindproxy

Use the instructions in this section to install Centrify-enabled Samba and the adbindproxy program.

Note: If you have not already done so, before continuing, be certain to look at Upgrading from a previous release on page 18 for instructions that may be pertinent, depending on your current DirectControl and Centrify-enabled Samba installation.

Depending on the version of DirectControl you are using, some related programs for Centrify-enabled Samba may be installed by default with the DirectControl Agent. The Centrify-enabled Samba package and the Centrify adbindproxy package, however, are separate, add-on software packages installed separately from the DirectControl Agent or the Centrify Suite. For information about configuring the Centrify-enabled Samba environment to work with DirectControl after installation, see Configuring Centrify-enabled Samba on page 22.

Extracting the contents of the Centrify-enabled Samba package

The following steps describe how to download and unpack the Samba package for a Linux or UNIX computer.

Note: In these instructions, a sample file name of centrify-samba-v.v.v-platform-arch.tgz is used in place of the full file name. The full file name for the Centrify-enabled Samba package includes the Centrify-enabled Samba version and supported platform information. For example, the full file name may look similar to this:

    centrify-samba-v.v.v-platform-arch.tgz

where:

v.v.v is the DirectControl version number.

platform indicates the target operating system as follows. Note that some platforms are only available on one architecture. This table may not include all of the platforms supported. Be sure to read through the Product Bundle descriptions before downloading.

    Platform   Description
    aix        IBM AIX
    debn       Debian and Ubuntu Linux
    hpnn.nn    Hewlett-Packard HP-UX
    irix       Silicon Graphics IRIX
    rheln      CentOS, Mandriva, Red Hat and Scientific Linux
    soln       Solaris and OpenSolaris
    susen      Novell SUSE and openSUSE

arch indicates the processor architecture as follows:

    arch      Description
    i386      Intel x86, 32-bit
    x86_64    Intel x86, 64-bit
    ppc       Power PC
    ia        Itanium
    sparc     SPARC
    pa        PA-RISC

1  Go to the Centrify Download Center to get the Centrify-enabled Samba package. You get to the Download Center from the Centrify home page. Next, click the Support tab and select the Customer Support Portal. Enter your User Name and Password. From the Support portal select the Customer Download Center. In the Download Center, select Centrify-Enabled Samba from the Centrify-Enabled Tools.

2  Download the centrify-samba-release-platform-arch.tgz file corresponding to your DC (DirectControl) version (see the leftmost column) and the target computer's operating system and processor architecture.

3  Uncompress the contents of the file. For example, on a Red Hat Enterprise Linux computer you would use the following:

    gunzip centrify-samba-v.v.v-platform-arch.tgz

4  Extract the contents of the file. For example, on a Red Hat Enterprise Linux computer you would use the following:

    tar -xvf centrify-samba-v.v.v-platform-arch.tar

After extracting the contents of the file, you should see the following files:

Centrify-Samba-v.v.v-Release-Notes.txt: Generic release notes for this version of the Centrify-enabled Samba package.
centrifydc-adbindproxy-V.V.V-platform-arch.rpm: The module that intercepts Samba UNIX ID mapping requests and reroutes them to DirectControl for processing.
centrifydc-samba-s.s.s-v.v.v-platform-arch.rpm (where s.s.s is the base Samba version number): The Centrify-enabled Samba package.
release-notes-samba-platform.txt: Supplemental, platform-specific release notes.

5  Review the two text files for release-specific information about the package that became available after this document was published.

The packages are now ready for installation.

Install Centrify-enabled Samba

Use the following steps to install Centrify-enabled Samba and then adbindproxy. In these steps the file name centrifydc-samba-*.rpm is used in place of the full file name. You can use the wildcard symbol (*) to substitute for a portion of the file name if there are no conflicting files in the directory.

Note: If you are updating from a previous version of Centrify-enabled Samba or have a vendor-supplied Samba installed on the computer, see Upgrading from a previous release on page 18 before proceeding. Be sure to enter the full path name in the command line if multiple versions of the same file exist in the same directory.

1  Run the appropriate command for your platform to install the centrifydc-samba package. The following table shows sample commands using the common package installers for each platform.

For this platform: Linux-based computers (Red Hat Enterprise Linux, CentOS Linux, Scientific Linux, Oracle Linux)
You can run:
    For 32-bit systems:
        rpm -Uvh centrifydc-samba-*.rpm
    For 64-bit systems:
        rpm -Uvh centrifydc-samba-*.rpm

For this platform: Sun Solaris
You can run, on SPARC systems, for example:
        gunzip centrifydc-samba-*-sol8-sparc-local.gz
        pkgadd -d centrifydc-samba-*
    There are four Solaris packages. Select the package that matches your Solaris version and processor type. If you have Solaris 9, use the sol8 package. If you have Solaris 11, use the sol10 package. Furthermore, the x86 version can be installed on 32- and 64-bit architectures.
        centrifydc-samba-*-sol8-sparc-local
        centrifydc-samba-*-sol8-x86-local
        centrifydc-samba-*-sol10-sparc-local
        centrifydc-samba-*-sol10-x86-local

For this platform: HP-UX
You can run, for HP-UX 11.11 on PA-RISC:
        gunzip centrifydc-samba-*-hp11.11.gz
        swinstall -s /path/centrifydc-samba-*-hp11.11.depot CentrifyDC-Samba
    For other HP-UX versions and platforms the commands are the same but the file names are different. For example, on HP-UX 11.23 Itanium 64-bit systems:
        centrifydc-samba-*-hp11.23-ia64.depot.gz

For this platform: IBM AIX
You can run, for AIX 5.3 or later:
        gunzip centrifydc-samba-*-aix5.3-ppc.tgz
        inutoc .
        installp -aY -d centrifydc-samba-*-aix5.3-ppc.bff CentrifyDC.samba

For this platform: Debian Linux, Ubuntu Linux
You can run: Check that you have libcupsys2-gnutls10 (1.1.23-1 or later) installed. If you have the required libraries, run the following command to install.
    32-bit processor:
        dpkg -i centrifydc-samba-*-deb5-i386.

2  Repeat the installation command for your platform, this time specifying centrifydc-adbindproxy-*.rpm.

This concludes the installation of Centrify-enabled Samba and the adbindproxy. Skip to Chapter 3, Configuring Centrify-enabled Samba, to continue.

Upgrading from a previous release

The following sections describe how to upgrade from previous versions of DirectControl and Centrify-enabled Samba.

Upgrading from a DirectControl version earlier than 4.4.2 and Centrify-enabled Samba 3.0.33 or earlier on page 19
Upgrading from DirectControl 4.4.2 or later and Centrify-enabled Samba 3.0.33 or earlier on page 20
Upgrading from a non-Centrify-enabled version of Samba on page 20

Before proceeding, run the adinfo --version command on the managed computer to determine which version of DirectControl (CentrifyDC) you are running.
deb 64-bit processor: dpkg i cent r i f ydc- samba- *- deb5- x86_64. deb SuSE Linux OpenSuSE Linux For 32-bit systems: r pm- i vh cent r i f ydc- samba- *- suse8- i 386. r pm For 64-bit systems: r pm- i vh cent r i f ydc- samba- *- suse9- x86_64. r pm Note SuSE Linux 9 requires the cups package. For this platform You can run Upgrading from a previous release Chapter 2 Install the Centrify-enabled Samba package 19 Upgrading from a DirectControl version earlier than 4.4.2 and Centrify- enabled Samba 3.0.33 or earlier The adbi ndpr oxy in this version of Centrify-enabled Samba requires at least DirectControl 4.4.2 and a version of Centrify-enabled Samba greater than version 3.0.33. In addition, the CentrifyDC i dmap program, which was installed as part of Centrify-enabled Samba, conflicts with adbi ndpr oxy and must be removed. Use the following steps to upgrade from a Centrify-enabled Samba installation with a version of DirectControl earlier than 4.4.2, and Centrify-enabled Samba 3.0.33 or earlier: 1 Copy the existing startup script / et c/ i ni t . d/ cent r i f ydc- samba file and rename it / et c/ i ni t . d/ cent r i f ydc- samba. upgr ade. For example: cd / et c/ i ni t . d cp cent r i f ydc- samba . / cent r i f ydc- samba. upgr ade Note On HP-UX, there are two files you must copy and save before upgrading, / sbi n/ i ni t . d/ cent r i f ydc- samba and / et c/ r c. conf i g. d/ cent r i f ydc- samba. r c. For both of these files, append . upgr ade to the file name. 2 Use the appropriate local operating system command or package manager to remove the old version of the i dmap program. For example, the following table lists the common commands associated with each platform: 3 Replace the Centrify Suite DirectControl and DirectManage components on all of the Windows and Linux or UNIX computers. See the DirectControl Administrators Guide for the installation instructions. 
4 Install Centrify-enabled Samba and adbindproxy as described in Installing Centrify- enabled Samba and adbindproxy on page 14. Note You may see package conflict errors during this step. If so, rerun the r pmcommand with the - - nodeps and - - r epl acef i l es option. The - - nodeps option installs the Centrify-enabled Samba package without checking for dependencies; the - - r epl acef i l es option replaces conflicting files with the files from the new package. This concludes Centrify-enabled Samba and adbi ndpr oxy installation. Go to Configuring Centrify-enabled Samba on page 22 to continue. For this platform You can run Most Linux variants r pme Cent r i f yDC- i dmap Debian/Ubuntu dpkg P cent r i f ydc- i dmap Sun Solaris pkgr mCent r i f yDC- i dmap HP-UX swr emove Cent r i f yDC- i dmap IBM AIX i nst al l p u Cent r i f yDC. i dmap Upgrading from a previous release Samba Integration Guide 20 Upgrading from DirectControl 4.4.2 or later and Centrify-enabled Samba 3.0.33 or earlier The adbi ndpr oxy in Centrify-enabled Samba requires at least DirectControl 4.4.2 and a version of Centrify-enabled Samba greater than version 3.0.33. If the target system has DirectControl 4.4.2 or later but your Centrify-enabled Samba is version 3.0.33 or earlier, use the following steps to update Centrify-enabled Samba, install Centrify-enabled Samba and adbindproxy as described in Installing Centrify-enabled Samba and adbindproxy on page 14. Note You may see package conflict errors during this step. If so, rerun the r pminstallation command with the - - nodeps and - - r epl acef i l es options. The - - nodeps option installs the Centrify-enabled Samba package without checking for dependencies, while the - - r epl acef i l es option replaces conflicting files with files from the new package. This concludes Centrify-enabled Samba and adbi ndpr oxy installation. Go to Configuring Centrify-enabled Samba on page 22 to continue. 
Upgrading from a non-Centrify-enabled version of Samba If you have a Samba already installed on your systemAND determine it serves you best to replace it (see Deciding how to work with old Samba installations on page 11 for a discussion of your options)use the following procedure to upgrade to Centrify-enabled Samba: 1 Save the existing wi nbi nd UID and GID assignments: If you have been running Samba and wi nbi nd on the computer where you are going to install Centrify-enabled Samba, save the existing wi nbi nd UID and GID assignments before you install the new software. This allows you to import these assignments into a Centrify Zone and map it to users and groups in Active Directory. If wi nbi nd is currently configured in your / et c/ nsswi t ch. conf file, run the following commands to save the information to a file before installing: get ent passwd | gr ep - e - f / et c/ passwd > / t mp/ passwd. wi nbi nd get ent gr oup | gr ep - e - f / et c/ gr oup > / t mp/ gr oup. wi nbi nd See Migrating existing Samba users to DirectControl on page 36 for more information. 2 Use the appropriate local operating system command or package manager to manually remove the old version of the Samba program. For example, you can use the following commands to remove the existing Samba program: For this platform You can run Most Linux variants r pme samba- common- ver si on Debian/Ubuntu dpkg P samba- common- ver si on Upgrading from a previous release Chapter 2 Install the Centrify-enabled Samba package 21 You may see package conflict errors during this step that cause package removal to fail. In this case, proceed with the next step and be certain to use the - - nodeps and -- r epl acef i l es options when installing DirectControl Samba. 3 Install Centrify-enabled Samba and adbindproxy. See Installing Centrify-enabled Samba and adbindproxy on page 14 for the instructions. 
Since you are upgrading you may see package conflict errors when you run the package manager for Centrify-enabled Samba. If so, rerun the r pmcommand with the - - nodeps or - - r epl acef i l es options. The - - nodeps option installs the Centrify-enabled Samba package without checking for dependencies; the - - r epl acef i l es option replaces conflicting files with files in the new package. 4 Run the adbi ndpr oxy. pl script to configure Centrify-enabled Samba; see Running the adbindproxy.pl on page 23. Sun Solaris pkgr msamba- common- ver si on HP-UX swr emove samba- common- ver si on IBM AIX i nst al l p u samba- common- ver si on For this platform You can run 22 Chapter 3 Configuring Centrify-enabled Samba This chapter describes how to configure Centrify DirectControl and Centrify-enabled Samba to work together properly. The following topics are covered: Verifying the environment before you begin Verifying DNS settings on the local computer on page 23 Running the adbindproxy.pl on page 23 Verifying the Samba integration on page 29 Modifying the Samba smb.conf configuration file on page 32 Verifying the environment before you begin Centrify-enabled Samba includes the adbi ndpr oxy. pl script that performs most of the configuration steps for you. Before running this script, however, you should verify the environment is ready for configuration and you are ready to proceed. At this point, you should check that: Centrify DirectControl is installed on a Windows computer in an Active Directory domain. You have created at least one zone, either the default zone or a zone you created with the zone wizard. Note If you are running Centrify DirectControl in Express Mode, or have connected to a domain through Auto Zone, you will not have any zones configured. You can still configure Centrify-enabled Samba to run with DirectControl. You have added or imported some users and groups into the Centrify Zone. 
  Only Active Directory users who are members of the Centrify Zone are able to access Samba shares on the local computer.

  The DirectControl Agent is installed on the computer where you have installed the Centrify-enabled Samba.

  Older, incompatible versions of Samba have been removed or updated with Centrify-enabled Samba on the computer that hosts the Samba shares.

  Note: Although you are not required to remove older Samba versions, you should be careful to use versions with the proper operating system patches. You can use the adbindproxy.pl configuration script to automatically move and rename an older Samba version to a different directory, or you can manually remove or rename an older Samba installation prior to running the adbindproxy.pl configuration script.

  The adbindproxy package is installed on the computer.

Verifying DNS settings on the local computer

Centrify Suite relies on DNS to locate its domain controller and monitor connection status. If you are unsure whether DNS is configured properly, you can run the adcheck utility, or manually inspect and, if necessary, edit the /etc/resolv.conf and /etc/hosts files to ensure server host names and IP addresses can be successfully resolved.

Running adcheck

Centrify Suite includes a utility, adcheck, which runs a number of operating system, network, and Active Directory checks to verify that your domains are correctly configured for DirectControl. You can run adcheck to verify your DNS settings as follows:

  /usr/share/centrifydc/bin/adcheck -t net domainName

where:

  -t net      runs only the network check.
  domainName  specifies the domain; for example, ajax.org.

You should see output similar to the following:

  /usr/share/centrifydc/bin/adcheck -t net ajax.org
  NSHOSTS   : Check hosts line in /etc/nsswitch.conf               : Pass
  DNSPROBE  : Probe DNS server 192.164.10.1                        : Pass
  DNSCHECK  : Analyze basic health of DNS servers                  : Pass
  WHATSSH   : Is this an SSH that DirectControl works well with    : Pass
  SSH       : SSHD version and configuration                       : Pass

If adcheck encounters any problems with the configuration, it prints a warning or error message that includes information on how to correct the problem.

Running the adbindproxy.pl

This section describes how to configure Samba using the adbindproxy.pl script.

Note: If your current environment has Windows users accessing data on Samba member servers that are joined to the Active Directory domain, you may want to migrate those users to DirectControl. This way, you can use Centrify Zones to manage conflicting identities and rationalize UIDs and GIDs. See Migrating UNIX profiles to Active Directory to migrate those users. Complete the migration before integrating Centrify-enabled Samba and DirectControl.

The adbindproxy.pl script performs the following tasks:

  Determines the computer's operating system and adjusts accordingly. For example, for Solaris-based machines it verifies that all of the patches necessary to run Samba have been installed.

  Confirms that the DirectControl Agent is installed.

  Confirms that the Centrify-enabled Samba has been installed.

  Checks for and reports any conflicting Samba installations.

  Note: If the script finds another Samba installed, you have several options; see Deciding how to work with old Samba installations.

  Prompts you to create symbolic links to the Centrify-enabled Samba binaries in /usr/bin and /usr/sbin. If you have existing links, it backs up the originals.

  Determines whether you are joined to an Active Directory domain and, if you are, displays the domain name and Centrify Zone.

  Asks if you want to join Centrify-enabled Samba to the current Active Directory domain or another.
  If you choose another, the script guides you through the current domain leave and new domain join processes.

  Note: If you want to modify or set advanced join settings (for example, update PAM or NSS config, use DES for encryption, or use a computer alias), either run adleave before you run adbindproxy.pl or select a different domain when prompted in the script. Otherwise, the script does NOT prompt you to enter advanced join settings.

  If you have a previous Samba installation, asks if you want to keep the smb.conf settings or use new ones. adbindproxy.pl automatically saves the existing copy.

  Note: The script automatically looks for an existing smb.conf file using the smbd -b command. If your current version of smbd does not support the -b option, or you have smb.conf in a custom directory, the script will not find it. If you want to use your existing smb.conf, move it to /etc/samba before you run the script.

  Removes old state files from previous instances of Samba, including any existing winbind entries from the /etc/nsswitch.conf file.

  Restarts the Centrify-enabled Samba daemons (nmbd, winbindd, adbindd and smbd).

  Installs scripts to automatically start the correct Samba and DirectControl services each time the computer boots.

Before you run adbindproxy.pl, read through the prompts described below to make sure you are prepared with the answers. To begin, log on, switch to the root user and proceed with the following steps:

1  Start the script. From root, enter:

     perl /usr/share/centrifydc/bin/adbindproxy.pl

2  Please specify Centrify Samba's path if it is not in [/opt/centrify/samba]

   Press Enter to accept the default. Otherwise, enter your path. adbindproxy.pl then checks for a conflicting version of Samba.
   If it does not find one, you get the message:

     No conflicting Samba found

   If it finds one, it displays the following message and shows the directory:

     Warning: potentially conflicting Samba installations were found in [directory]
     Do you want to continue [N]

   How to proceed depends upon whether or not you want to keep the existing Samba versions. See Deciding how to work with old Samba installations to review the options. Enter N if you need to terminate the script. Enter Y if you want to proceed with two Sambas.

3  Do you want to create symbolic links from /usr to /opt/centrify/samba/? [Y]

   Answer Y and press Enter under any of the following conditions: there are no older Samba installations on the computer, you have removed older Samba installations, or you intend to entirely replace any older Samba installations with the Centrify-enabled Samba installation. See Deciding how to work with old Samba installations for details on these choices.

   Answer N and press Enter if you want the existing Samba installation and Centrify-enabled Samba to co-exist. See Co-existing with existing Samba installations for details on this choice.

   As it proceeds, adbindproxy.pl displays its progress as it replaces and backs up the existing files.

4  Do you want to leave and join to another domain? [N]

   How you respond to this prompt depends upon whether or not the computer is already joined to an Active Directory domain.

   If you were joined to a domain when you initiated the script, adbindproxy.pl displays the domain name and zone and asks you:

     Do you want to leave or join to another domain? [N]

   To continue to join Centrify-enabled Samba to the currently joined Active Directory domain, press Enter and skip ahead to Step 7. If you want to leave the current domain and join another, OR change any advanced options (see the list in Step 6) in your current domain, enter Y and then proceed with Step 5.

   If you are not joined, the script displays the message:

     Not joined to any domain. Make sure you enter the correct domain and zone information in the next steps

   This initiates a set of prompts that ask you for the Active Directory domain name, the Centrify Zone and advanced options. Proceed with the next step.

5  Join new Active Directory domain

   Note: You arrive at this step if you were not joined to an Active Directory domain when you started adbindproxy.pl, you decided to leave that domain, OR you decided to change advanced options in your current join. If none of these conditions apply to you, skip to Step 7.

   The first prompt asks you for the domain name:

     Enter the Active Directory domain to join :

   and then asks:

     Check DNS health for [domain]? Note: this may take several minutes [Y]:

   Press Enter to ensure the domain exists. Next, the script prompts you to enter the following properties:

     Centrify Zone on the target Active Directory domain

     Note: If you are running DirectControl in Express Mode or need to join the domain through Auto Zone, enter NULL_AUTO for the zone name.

     Computer name on which Centrify-enabled Samba is installed

     Active Directory authorized user (default is Administrator)

6  Do you wish to specify advanced join options? [N] :

   The options are listed below; the defaults are in brackets. If you do not need any advanced join options, enter N. Otherwise, enter Y and make your selections.
     Canonical name of Active Directory Computer Container
     Preferred Domain Server to use (press Enter for none)
     Update PAM and NSS Config [Y]
     Trust computer for delegation? [N]
     Use DES encryption only? [N]
     Run adjoin in verbose mode? [N]
     Additional computer alias (press Enter for none)

   The script then displays the selections you made and asks if you want to proceed. Enter Y to proceed or N to abort adbindproxy.pl.

   If you choose to proceed AND you are leaving the current Active Directory domain to join another, the script prompts you twice to enter your password. In response to the first prompt, enter the current Active Directory domain account password to leave that domain; for the second prompt, enter the password for the Active Directory domain, computer and authorized user specified in the prompts to join that domain.

   If you were not joined to an Active Directory domain when you started the script, you are prompted to enter your password once. Enter the password for the Active Directory domain, computer and authorized user specified in the prompts.

7  Keep Samba Settings?

   adbindproxy.pl creates a new smb.conf file and stores it in /etc/samba. It can create a skeletal version with minimal global settings and a samba-test share only (see Modifying the Samba smb.conf configuration file for a sample), or it can update an existing smb.conf file.

   Note: Regardless of whether you update an existing smb.conf or create a new one, you will need to modify the /etc/samba/smb.conf file to have the [global] section settings and the appropriate shares for your environment. See Modifying the Samba smb.conf configuration file for instructions. The file created by adbindproxy.pl should be used for verifying the Centrify-enabled Samba integration only.

   After completing the join routines in the script, adbindproxy.pl searches for existing smb.conf files. If it does not find one, it automatically creates a new one, displays the message

     Updating smb.conf with Centrify recommended settings ...

   and finishes the script; skip to Finishing Up for the messages.

   If it does find one, adbindproxy.pl copies the file to /etc/samba and asks:

     Do you want to keep the original samba settings? [Y]:

   Note: If adbindproxy.pl finds more than one smb.conf, it displays the list and asks you to select one. After you make the selection, it copies that one to /etc/samba and continues.

   Enter N to create the skeletal smb.conf. adbindproxy.pl makes a backup of your smb.conf in /etc/samba in the form smb.conf.yyyy-mm-dd-hh-mm and creates the skeletal version.

   Enter Y to modify the existing file. adbindproxy.pl displays the prompt:

     Backup existing /etc/samba/smb.conf and add Centrify recommended settings? [Y]

   Enter Y to create a backup in the form smb.conf.yyyy-mm-dd-hh-mm. Enter N to use the existing smb.conf without making a backup.

   Note: If the existing smb.conf has Security = ADS and the workgroup and realm are set, the script does NOT modify the existing file; the original is left unchanged.

8  Reset the Samba User/Group ID Cache (Centrify Samba may create conflicting mappings) [Y]

   adbindproxy.pl creates new mappings in the Samba User/Group ID cache, which may result in conflicts if there are any mappings in place already. Unless you created custom mappings, use the default [Y]. This flushes the cache.

   This prompt is only pertinent to the small set of Samba administrators who created custom user and group ID mappings. If you do have custom mappings, use the default to flush the cache and prevent potential conflicts. After adbindproxy.pl completes, re-add your mappings as necessary.
Finishing Up

To complete the configuration, adbindproxy.pl stops any running versions of smbd, adbindd, winbindd and nmbd, starts the Centrify-enabled versions and displays a set of progress and configuration messages. You should see the following messages:

  Init Samba start script...
  Restarting Samba daemons...
  Stopping Samba smbd:                     [ OK ]
  Stopping Samba adbindd                   [ OK ]
  Stopping Samba winbindd:                 [ OK ]
  Stopping Samba nmbd:                     [ OK ]
  Starting CentrifyDC-Samba nmbd:          [ OK ]
  Starting CentrifyDC-Samba winbindd:      [ OK ]
  Starting CentrifyDC-Samba adbindd:       [ OK ]
  Starting CentrifyDC-Samba smbd:          [ OK ]

adbindproxy.pl displays one last prompt:

  Press ENTER to continue ...

To finish up, press Enter.

Note: If any service fails to start, run one of the following after the adbindproxy.pl script completes its execution.

  On Linux or Solaris computers, run:
    /etc/init.d/centrifydc-samba restart
  On HP-UX computers, run:
    /sbin/init.d/centrifydc-samba restart
  On AIX computers, run:
    stopsrc -g samba && startsrc -g samba

As a quick test, log off as the root user and log on with an Active Directory user account that has been granted access to the local computer's zone. If this is the first time you are logging on with this user account, check that the user's home directory is created; Centrify DirectControl creates it automatically the first time you log on.
Verifying the Samba integration

There are two key scenarios for testing whether Samba is configured properly for integration with Centrify DirectControl and Active Directory:

  Accessing Samba shares from a UNIX client session
  Accessing Samba shares from a Windows desktop session

Accessing Samba from a UNIX client session

To test access to Samba shares on a Linux or UNIX computer, users should do the following:

1  Log on to the Linux or UNIX computer using the Active Directory account that has been granted access to the local computer's zone. Run the following command:

     smbclient -k -L localhost

   The smbclient program displays information about Samba and the SMB shares that are available on the local computer. For example, you should see a listing similar to the following (where s.s.s is the Samba version and v.v.v is the DirectControl version):

     OS=[Unix] Server=[Samba s.s.s-cdc-v.v.v-xxx]

             Sharename       Type      Comment
             ---------       ----      -------
             samba-test      Disk
             IPC$            IPC       IPC Service (Samba-CDC)
             sara            Disk      Home directories
     OS=[Unix] Server=[Samba s.s.s-cdc-v.v.v-xxx]

             Server               Comment
             ---------            -------

             Workgroup            Master
             ---------            -------
             ARCADE               MAGNOLIA

If you are able to see the Samba shares as an Active Directory user logged on to the Linux or UNIX computer that is acting as the Samba server, you should next test accessing the Samba shares from a Windows desktop. For information about performing this test, see Accessing Samba shares from a Windows desktop.

Purging and reissuing Kerberos tickets

If you see an error such as NT_STATUS_LOGON_FAILURE instead of the expected results when you run the smbclient program, you may need to purge your existing Kerberos tickets and have them reissued.
Try running the following command to remove all of your Kerberos tickets:

  /usr/share/centrifydc/kerberos/bin/kdestroy

Then run the following command to reissue tickets after you provide your Active Directory password:

  /usr/share/centrifydc/kerberos/bin/kinit

You can then run the following command to list the Kerberos tickets that have been issued to you:

  /usr/share/centrifydc/kerberos/bin/klist

After verifying the Kerberos tickets you have been issued, try running the smbclient program again.

Verifying the version of Samba you are using

If purging and reissuing tickets does not resolve the problem, confirm the version of Samba that is currently running using the following command:

  smbstatus | grep version

The command should display the Centrify-enabled Samba version you have installed. For example:

  Samba version s.s.s-cdc-v.v.v-xxx

(where s.s.s is the installed Samba version number and v.v.v is the DirectControl version number). The string cdc-release (cdc-v.v.v.xxx) indicates that the installed Samba package is Centrify-enabled Samba intended for use with DirectControl. If the version of Samba is not the one provided by Centrify, completely remove this version and install the precompiled version from the Centrify-enabled Samba software package.

If the correct version of Samba is installed, run smbstatus again and note the names of any *.tdb files that do not exist, try restoring them from your backup, then run the smbclient program again.

Rejoining the domain

If the smbclient program does not display the Samba shares you have defined in the configuration file, you should review the settings in the smb.conf file, then leave and rejoin the Active Directory domain.
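The checks in this section (logon failure, wrong Samba build, missing shares) form a small decision tree that is worth scripting so it can be rerun after every change. The POSIX shell helpers below are an added example, not code from the Centrify guide: the smbclient and smbstatus outputs they classify are constructed samples, the run_live function assumes the Kerberos tool paths given above under /usr/share/centrifydc and a logged-on Active Directory user, and the action names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Centrify guide): triage helpers for the
# "Verifying the Samba integration" checks. Each function takes captured
# command output as a string so the logic can be exercised on the constructed
# samples below; run_live() wires it to the real commands on a managed host.

# Constructed sample: a healthy listing shaped like the one in the guide.
SAMPLE_OK='OS=[Unix] Server=[Samba 3.5.x-cdc-5.x.x-xxx]

        Sharename       Type      Comment
        ---------       ----      -------
        samba-test      Disk
        IPC$            IPC       IPC Service (Samba-CDC)
        sara            Disk      Home directories

        Workgroup            Master
        ---------            -------
        ARCADE               MAGNOLIA'

# Constructed sample: the failure that points at stale Kerberos tickets.
SAMPLE_LOGON_FAILURE='session setup failed: NT_STATUS_LOGON_FAILURE'

# Constructed sample: connected, but no share rows at all.
SAMPLE_NO_SHARES='OS=[Unix] Server=[Samba 3.5.x-cdc-5.x.x-xxx]

        Sharename       Type      Comment
        ---------       ----      -------'

# classify_smbclient OUTPUT -> prints one of: ok | kerberos | noshares
classify_smbclient() {
    case $1 in
        *NT_STATUS_LOGON_FAILURE*) echo kerberos; return 0 ;;
    esac
    # A share row is a name followed by a Disk or IPC type column.
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*[^[:space:]]+[[:space:]]+(Disk|IPC)([[:space:]]|$)'; then
        echo ok
    else
        echo noshares
    fi
}

# is_centrify_samba VERSION_LINE -> exit 0 if the build carries the -cdc- tag
is_centrify_samba() {
    case $1 in
        *[Ss]amba*-cdc-*) return 0 ;;
        *) return 1 ;;
    esac
}

# recommend SMBCLIENT_OUTPUT VERSION_LINE -> prints the next step from the guide
recommend() {
    status=$(classify_smbclient "$1")
    if [ "$status" = kerberos ]; then
        echo purge-tickets      # kdestroy, kinit, klist, then retry smbclient
    elif ! is_centrify_samba "$2"; then
        echo replace-samba      # not the cdc build: remove it, install the Centrify package
    elif [ "$status" = noshares ]; then
        echo review-smb.conf    # check smb.conf, then leave and rejoin the domain
    else
        echo verified           # next, test from a Windows desktop
    fi
}

# run_live: run the real commands on a Centrify-enabled host (assumed paths).
run_live() {
    krb=/usr/share/centrifydc/kerberos/bin
    out=$(smbclient -k -L localhost 2>&1) || true
    ver=$(smbstatus 2>/dev/null | grep version) || true
    step=$(recommend "$out" "$ver")
    echo "smbclient triage: $step"
    if [ "$step" = purge-tickets ]; then
        "$krb/kdestroy" && "$krb/kinit" && "$krb/klist"
    fi
}

# Only touch the live system when explicitly asked: sh triage.sh --live
if [ "${1:-}" = --live ]; then
    run_live
fi
```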
Accessing Samba shares from a Windows desktop

To test access to Samba shares on a Linux or UNIX computer from a Windows desktop:

1 Log on to a Windows computer that is joined to the domain with an Active Directory user account.

2 Click Start > Windows Explorer, then navigate to the domain. For example, open My Network Places > Entire Network > Microsoft Windows Network > Arcade to view the Arcade.net domain.

3 Select the Linux or UNIX computer that is running Centrify-enabled Samba to view its Samba shares. For example:

    [Figure: the default Samba share (samba-test) and any other shares you have defined for the computer are displayed]

4 Click samba-test or browse other available Samba shares to verify that you can open existing files and create new files.

5 Confirm from both Windows and the managed computer that the files in the share directories are owned by the correct users.

If you cannot browse the shares on the Linux or UNIX computer from the Windows desktop, you should:

- Verify that there is network connectivity between the two systems.
- Confirm that you do not have a firewall running on the managed computer that is blocking access to the SMB ports.
- Make sure there are no stale Kerberos tickets on your Windows system: obtain the Windows kerbtray program from the Microsoft Web site, install it on the Windows computer, and use it to purge your Kerberos tickets. Then log out and log in again on your Windows system and retest accessing the Samba shares from Windows.

Modifying the Samba smb.conf configuration file

The Samba configuration file, /etc/samba/smb.conf, defines important parameters for Samba-based file sharing. After you have verified the Samba integration with Centrify DirectControl and Active Directory using a sample configuration file and the test share, you need to modify the smb.conf file so that it accurately represents your environment. This file must include the [global] section that defines the Active Directory domain, authentication methods, and other parameters. The file should also include a section for each directory you are making accessible as an SMB share.

The following shows a skeletal sample /etc/samba/smb.conf file for the domain wonder.land.

Note The smb.conf file shown below was generated on a computer running Red Hat Enterprise Linux. adbindproxy.pl tests to determine what operating system is running on the host and generates an smb.conf file appropriate to that platform. For example, the smb.conf for SUSE-based computers includes the following comments and setting:

    #
    # Suse 11 CUPS printing appears to crash at startup
    # So we disable printing on this platform for now
    printing = BSD

Other platforms may have different exemptions and adjustments.

    #
    # This file was generated by Centrify ADBindProxy Utility
    #
    [global]
        security = ADS
        realm = WONDER.LAND
        workgroup = WONDER
        netbios name = debian5
        auth methods = guest, sam, winbind, ntdomain
        machine password timeout = 0
        passdb backend = tdbsam:/etc/samba/private/passdb.tdb
        #
        # Using kerberos keytab may lead to a serious Samba crash.
        # Centrify recommends against using it.
        # Kerberos authentication is still supported without it.
        #
        use kerberos keytab = No
        # If your Samba server only serves to Windows systems, try server signing = mandatory.
        server signing = auto
        template shell = /bin/bash
        winbind use default domain = Yes
        winbind enum users = No
        winbind enum groups = No
        winbind nested groups = Yes
        ignore syssetgroups error = No
        idmap uid = 1000 - 200000000
        idmap gid = 1000 - 200000000
        enable core files = false
        # Disable logging to syslog, and only write log to Samba standard log files.
        syslog = 0

    [samba-test]
        path = /samba-test
        public = yes
        # if set public = No, we should set parameter valid users.
        # and when the user or group is in AD, the setting syntax is:
        # valid users = WONDER\username +WONDER\group
        writable = yes

    [homes]
        comment = Home directories
        read only = No
        browseable = No

Note Do not set use kerberos keytab = yes in the smb.conf file. Setting the use kerberos keytab parameter to yes could result in a serious Samba crash. Kerberos authentication is supported through DirectControl without setting this parameter.

At the beginning of a line, both the hash symbol (#) and the semicolon (;) indicate lines to ignore. By convention, in this file, the hash indicates a comment and the semicolon indicates a parameter you may wish to enable.

The settings in the [global] section are required whether you use the sample configuration file or create your own smb.conf file. The settings in the [homes] section indicate that you want to share home directories, and the [samba-test] section describes the samba-test share as a publicly writable share mapped to the /samba-test directory; before production use, set public = no on such a share and restrict it with valid users, as the comments in the sample show. For more information about editing the Samba configuration file and the supported parameters, see the Samba documentation.

When you make changes to the smb.conf file, you should run the Samba utility testparm to make sure there are no errors in your smb.conf file before putting it into production use.
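testparm validates syntax, not intent: it will happily accept a guest-writable share with no valid users restriction, a missing server signing = mandatory, or use kerberos keytab = yes. The following shell script, added here as an example (it is not Centrify's code), parses an smb.conf the way Samba does (case- and whitespace-insensitive parameter names) and flags exactly those three points from the discussion above. The two sample configurations it carries are constructed: one mirrors the guide's samba-test share as written, the other is a hardened variant; the group WONDER\samba-users is an invented name.

```shell
#!/bin/sh
# Added example, not from the Centrify guide: a policy check for smb.conf that
# complements testparm (which validates syntax, not intent). The sample
# configurations below are constructed; WONDER\samba-users is an invented group.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
is_yes() { case "$(lc "$1")" in yes|true|1) return 0 ;; esac; return 1; }
is_no()  { case "$(lc "$1")" in no|false|0) return 0 ;; esac; return 1; }

# Print every [section] name in smb.conf $1, one per line.
conf_sections() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); print s }' "$1"
}

# Print the value of parameter $2 in section $1 of smb.conf $3 ("" if unset).
# Samba ignores case and internal whitespace in parameter names, so
# "serversigning" and "server signing" are the same key; the last one wins.
conf_get() {
    awk -v sec="$1" -v key="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur); next }
        tolower(cur) == tolower(sec) && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            if (norm(k) == norm(key)) { sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); val = v }
        }
        END { print val }' "$3"
}

# Report the risky settings discussed in the guide; exit status 1 if any is found.
audit_smbconf() {
    f=$1; rc=0
    if is_yes "$(conf_get global 'use kerberos keytab' "$f")"; then
        echo "[global]: use kerberos keytab = yes (the guide says this can crash Samba)"; rc=1
    fi
    if [ "$(lc "$(conf_get global 'server signing' "$f")")" != mandatory ]; then
        echo "[global]: server signing is not mandatory (advisable when only Windows clients connect)"
    fi
    for s in $(conf_sections "$f"); do
        [ "$(lc "$s")" = global ] && continue
        guest=no; write=no
        if is_yes "$(conf_get "$s" public "$f")" || is_yes "$(conf_get "$s" 'guest ok' "$f")"; then guest=yes; fi
        if is_yes "$(conf_get "$s" writable "$f")" || is_yes "$(conf_get "$s" writeable "$f")" \
           || is_no "$(conf_get "$s" 'read only' "$f")"; then write=yes; fi
        if [ "$guest" = yes ] && [ "$write" = yes ] && [ -z "$(conf_get "$s" 'valid users' "$f")" ]; then
            echo "[$s]: guest-writable share with no valid users restriction"; rc=1
        fi
    done
    return "$rc"
}

# The guide's sample share as written (public = yes, writable = yes) ...
weak_conf() {
cat <<'EOF'
[global]
    security = ADS
    realm = WONDER.LAND
    workgroup = WONDER
    use kerberos keytab = No
    server signing = auto
[samba-test]
    path = /samba-test
    public = yes
    writable = yes
[homes]
    read only = No
    browseable = No
EOF
}

# ... and a hardened variant: signing required, share limited to an AD group.
hardened_conf() {
cat <<'EOF'
[global]
    security = ADS
    realm = WONDER.LAND
    workgroup = WONDER
    use kerberos keytab = No
    server signing = mandatory
[samba-test]
    path = /samba-test
    public = no
    valid users = +WONDER\samba-users
    writable = yes
[homes]
    read only = No
    browseable = No
EOF
}

case "${1:-}" in
    audit) audit_smbconf "${2:-/etc/samba/smb.conf}" ;;
esac
```

Run `sh smbconf-audit.sh audit /etc/samba/smb.conf` after testparm; the weak sample produces a finding for [samba-test] and exits 1, the hardened sample passes. The [homes] share is writable but not guest-accessible, so it is not flagged.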
When you run the testparm utility, you should see output similar to the following:

    Load smb config files from /etc/samba/smb.conf
    Processing section "[homes]"
    Processing section "[printers]"
    Processing section "[samba-test]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

    [global]
        workgroup = WONDER
        realm = WONDER.LAND
        security = ADS
        auth methods = guest, sam, winbind, ntdomain
        passdb backend = tdbsam:/etc/samba/private/passdb.tdb
        syslog = 0
        enable core files = No
        server signing = auto
        machine password timeout = 0
        adbindproxy backend = cdc:/usr/share/centrifydc/lib/libcapi.so
        adbindproxy standard mappers = No
        template shell = /bin/bash
        winbind use default domain = Yes

    [homes]
        comment = Home Directories
        read only = No
        browseable = No

    [printers]
        comment = All Printers
        path = /usr/spool/samba
        printable = Yes
        browseable = No

    [samba-test]
        path = /samba-test
        read only = No
        guest ok = Yes

Appendix A Migrating existing Samba users to DirectControl

This appendix describes how to migrate an existing user population from Samba servers to DirectControl.

Note The information in this appendix applies to systems that have at least the Centrify Suite DirectControl, DirectAuthorize, and DirectManage components installed and that are joined to a Centrify Zone, either a zone you created by name or the default zone option. These instructions do not apply to computers with Centrify Express installed or to computers that are joined through Auto Zone. If you are using Centrify Express or have joined a zone through Auto Zone, it is not possible to migrate existing Samba UID and GID settings.
The following topics are covered:

    Migrating UNIX profiles to Active Directory
    Migrating Samba servers to Centrify Zones

Migrating UNIX profiles to Active Directory

If your current environment includes Samba servers that are joined to the Active Directory domain as member servers and existing Windows users access the data on those servers, you may want to migrate those existing users to DirectControl so that you can rationalize UIDs and GIDs and manage all of your network's conflicting identities in a single, centralized ID repository.

Note Migrate your Samba users to Active Directory, as explained in this section, before integrating Centrify-enabled Samba and DirectControl as explained in Running the adbindproxy.pl on page 23.

If winbind is currently configured in your /etc/nsswitch.conf file, run the following commands to save the winbind-supplied entries (the ones that are not already in the local /etc/passwd and /etc/group files) before installing Centrify-enabled Samba:

    getent passwd | grep -v -f /etc/passwd > /tmp/passwd.winbind
    getent group | grep -v -f /etc/group > /tmp/group.winbind

Otherwise, use the following adbindproxy.pl --exports steps after installing Centrify-enabled Samba to migrate the users:

1 Identify the Samba servers you want to update to integrate with DirectControl.

2 On each of the Samba servers to be updated, locate the winbindd_idmap.tdb file. Run a command similar to the following to view details about the Samba build:

    /CurrentSambaBinaryPath/smbd -b | grep -i lockdir

In the output, you should see a line similar to the following that indicates the directory containing the winbindd_idmap.tdb file:

    LOCKDIR: /var/lib/samba

3 Make a backup copy of the file; for example:

    cp /var/lib/samba/winbindd_idmap.tdb /tmp/winbindd_idmap.tdb.pre_adbindproxybackup

4 Run the adbindproxy.pl script with the following options to generate the export files:

    perl /usr/share/centrifydc/bin/adbindproxy.pl --exports --gidfile filename --uidfile filename --tdbfile filename

See Appendix B, Using adbindproxy.pl, for details about the command-line parameters for adbindproxy.pl. When you run adbindproxy.pl with these options, it generates export files for the users and the groups that are currently known to the Samba server. By default, these files are created as:

    /var/centrifydc/samba/passwd
    /var/centrifydc/samba/group

5 After generating the export files, move them to a Windows domain controller. Then use the Import from UNIX wizard in the DirectControl Administrator Console to import the users and groups with their existing UID and GID mappings into the zone. For more information on importing existing user and group information and mapping information to Active Directory, see the Importing existing users and groups chapter in the Centrify Suite Administrator's Guide.

Migrating Samba servers to Centrify Zones

Samba generates UIDs and GIDs based on a range of values that have been defined for a specific server. In most cases, a user who has accessed two different Samba servers is likely to have two different UIDs, for example, 6003 on the server mission and 9778 on the server dolores. Therefore, in an initial migration of existing users, each Samba server must join the Active Directory domain in a separate Centrify Zone to accommodate the different UIDs and GIDs that users and groups may have.

Appendix B Using adbindproxy.pl

This appendix describes the options available for the adbindproxy.pl command-line tool.

The adbindproxy.pl utility is used to configure Centrify-enabled Samba and Centrify DirectControl to work together and provides specific functions, such as exporting UIDs and GIDs, creating symbolic links to Centrify-enabled Samba binaries and libraries, and restoring backed-up Samba files.

Note For step-by-step instructions about running adbindproxy.pl to configure Centrify-enabled Samba and Centrify DirectControl to work together, see Running the adbindproxy.pl on page 23.

Synopsis

    adbindproxy.pl [--help] [--info] [--restore] [--symbol] [--verbose] [--version]
    adbindproxy.pl --exports [--gidfile filename] [--uidfile filename] [--tdbfile filename]

adbindproxy.pl options

You can use the following options with this command:

-E, --exports
    Export user IDs (UIDs) and group IDs (GIDs) that are stored in Samba's winbindd_idmap.tdb file. Use the --gidfile and --uidfile options to specify the export files for the GIDs and UIDs. Use the --tdbfile option to specify the .tdb file that contains the GIDs and UIDs. After export, you can use the Centrify DirectControl Administrator Console to import the users and groups with their existing UID and GID mappings into a zone.

-g, --gidfile filename
    Specify the file in which to write the Samba-created AD group to GID mappings. Use this option with the --exports option. By default, the file is /var/centrifydc/samba/group.

-h, --help
    Display the adbindproxy.pl usage information.

-i, --info
    Display Samba interoperability information.

-r, --restore
    Restore files backed up from the first time you configured Samba for interoperability with DirectControl. Typically, you run adbindproxy.pl with the --restore option to restore Samba files before uninstalling the Centrify-enabled version of Samba.

-S, --symbol
    Force the creation of symbolic links to Centrify-enabled Samba binaries and libraries without asking for confirmation.

-t, --tdbfile filename
    Specify the location of the winbindd_idmap.tdb file that contains Samba UID and GID information. This option is used during the UID and GID export process. If you omit this option, the default file to export from is /var/lib/samba/winbindd_idmap.tdb.

-u, --uidfile filename
    Specify the file in which to write the Samba-created AD user to UID mappings. Use this option with the --exports option. By default, the file is /var/centrifydc/samba/passwd.

-v, --version
    Display version information for the installed software.

-V, --verbose
    Display detailed information for each operation.

Examples

To display basic information about the configuration of Centrify-enabled Samba and interoperability with DirectControl and Active Directory, you could type a command line similar to the following:

    adbindproxy.pl --info

This command displays information similar to the following (where v.v.v is the DirectControl version number and s.s.s is the Samba version number):

    The Samba base path is: /opt/centrify/samba
    CentrifyDC Realm = ARCADE.NET
    CentrifyDC NTLM Domain = ARCADE
    CentrifyDC Host = magnolia.arcade.net
    CentrifyDC Short Host = magnolia
    CentrifyDC version = CentrifyDC v.v.v
    Samba Version = s.s.s-CDC-v.v.v
    Samba Realm = ARCADE.NET
    Samba NetBIOS Name = MAGNOLIA
    Samba Version Supported = yes
    Samba and CDC in same Realm = yes
    Samba and CDC share machine account = yes

To export existing Samba GID and UID information that you want to import into a Centrify Zone, and to show details about the operation performed, type a command line similar to the following:

    adbindproxy.pl --exports --verbose

This command displays information similar to the following:

    The existing uid mappings have been exported to /var/centrifydc/samba/passwd.
    The existing gid mappings have been exported to /var/centrifydc/samba/group.
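The pre-migration capture from Appendix A (save the winbind-supplied accounts, find and back up winbindd_idmap.tdb, run adbindproxy.pl --exports with the options listed above), written as an added shell example. This is not code from the Centrify guide. It compares getent output to the local files by account name rather than by feeding /etc/passwd lines to grep as regular expressions; the smbd location /opt/centrify/samba/sbin/smbd is an assumption, and the getent and smbd -b samples embedded in the script are constructed.

```shell
#!/bin/sh
# Added example, not from the Centrify guide: the Appendix A pre-migration
# steps as functions. Paths follow the guide except the smbd location, which
# is assumed. SAMPLE_* values are constructed for the offline demo.

SAMPLE_BUILD='   LOCKDIR: /var/lib/samba
   PIDDIR: /var/run'
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
bob:*:10001:10001:bob:/home/WONDER/bob:/bin/bash'

# Extract the LOCKDIR value from `smbd -b` output passed as $1.
lockdir_from_build() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*LOCKDIR:[[:space:]]*//p' | head -n 1
}

# Print the entries of getent output ($1) whose name (field 1) does not appear
# in the local file ($2). Matching on the name field avoids treating passwd
# lines as regular expressions, which is what grep -f would do.
winbind_only() {
    printf '%s\n' "$1" | awk -F: -v local="$2" '
        BEGIN { while ((getline line < local) > 0) { split(line, f, ":"); seen[f[1]] = 1 } }
        NF > 0 && !($1 in seen) { print }'
}

# Back up winbindd_idmap.tdb from the lock directory reported by smbd ($1).
# Leaves $lockdir set for the caller (sh functions share the global scope).
backup_idmap() {
    lockdir=$(lockdir_from_build "$("$1" -b)")
    [ -n "$lockdir" ] || { echo "could not determine LOCKDIR from $1 -b" >&2; return 1; }
    cp "$lockdir/winbindd_idmap.tdb" /tmp/winbindd_idmap.tdb.pre_adbindproxybackup
}

# Full capture on a live server: winbind accounts, idmap backup, then export.
capture() {
    winbind_only "$(getent passwd)" /etc/passwd > /tmp/passwd.winbind
    winbind_only "$(getent group)"  /etc/group  > /tmp/group.winbind
    backup_idmap "${1:-/opt/centrify/samba/sbin/smbd}" || return 1   # assumed path
    perl /usr/share/centrifydc/bin/adbindproxy.pl --exports \
        --tdbfile "$lockdir/winbindd_idmap.tdb" \
        --uidfile /var/centrifydc/samba/passwd \
        --gidfile /var/centrifydc/samba/group
}

# Offline demonstration on the constructed samples: only bob is winbind-supplied.
demo() {
    local_file=$(mktemp)
    printf '%s\n' "$SAMPLE_GETENT" | head -n 2 > "$local_file"
    echo "lock directory: $(lockdir_from_build "$SAMPLE_BUILD")"
    winbind_only "$SAMPLE_GETENT" "$local_file"
    rm -f "$local_file"
}

case "${1:-}" in
    capture) capture "$2" ;;
    demo)    demo ;;
esac
```

`sh migrate-capture.sh demo` runs against the embedded samples; `sh migrate-capture.sh capture [path-to-smbd]` performs the real capture and export on a Samba member server, after which /var/centrifydc/samba/passwd and /var/centrifydc/samba/group are ready for the Import from UNIX wizard.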
Index

A
access to Samba shares
    from Windows 31
    from UNIX 29
adbindd 24
adbindproxy 7
    winbind proxy 9
adbindproxy.pl 8
    advanced join options 26
    create smb.conf 27
    create symbolic links 25
    export option 36, 37
    join domain 25, 26
    keep Samba settings 27
    nmbd 28
    running 23
    set advanced join settings 24
    smbd -b 24
    stop adbindd 28
    stop smbd 28
    task summary 24
    winbindd 28
adleave 24
Administrator Console
    import groups 37
    import users 37

C
Centrify DirectControl Express
    Samba and 9
Centrify-enabled Samba
    adbindd 24
    extracting 14
    nmbd 24
    smbd 24
    winbindd 24
conventions, documentation 5

D
DirectControl Agent 9
DirectControl Express 10
documentation
    additional 6
    conventions 5
    Samba 5
Download Center 16

F
file sharing 7
    displayed on Windows 31
    testing access 29

G
group
    save to file 36

J
join domain 26

K
kdestroy 30
Kerberos
    list tickets 30
    purging tickets 30
    reissue tickets 30
    stale tickets 31
Kerberos authentication 9
Kerberos tickets
    removing 30
kerbtray 31
kinit 30
klist 30

L
Linux
    installation commands 17, 18

M
man pages
    source of information 6

N
nmbd 24
nodeps 13, 19, 20, 21
NT_STATUS_LOGIN_FAILURE 30
NTLM authentication 9

P
passwd
    save to file 36
PERL configuration script 8

R
replacefiles 13, 19, 20, 21

S
Samba
    accessing from Windows 31
    checking the version 30
    coexisting 13
    configuration file 32
    dependencies 12
    documentation 5
    find existing 11
    keep settings 27
    protocols 7
    remove existing 12
    replace existing 12
    testing 29
    verify version 30
    winbind 9
Samba servers
    join Centrify Zones 37
Samba testparm utility 34
smb.conf 32
    keytab warning 33
    testparm utility 34
smbd 24
smbd command 24
smbstatus
    version 30
symbolic links 12, 13, 24, 25

T
testparm 34

U
users
    export existing information 37
    importing to Active Directory 37

W
winbind 36
    proxy 9
    save assignments 12, 20
winbindd 24
winbindd_idmap.tdb
    locate 36