
    Centrify Server Suite 2014

    Samba Integration Guide

    January 2014

    Centrify Corporation

    Legal notice

    This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

    This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

    This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

    2004-2014 Centrify Corporation. All rights reserved. Portions of Centrify software are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

    U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

    Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, Windows XP, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.

    Centrify Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523.

    The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.

    Contents

    About this guide  4

    Intended audience  4

    Using this guide  4

    Conventions used in this guide  5

    Where to go for more information  5

    Contacting Centrify  6

    Chapter 1 Using Centrify Suite technology with Samba  7

    Integrating Centrify Suite and Samba  7

    Integrating Samba with Centrify Express  9

    Chapter 2 Install the Centrify-enabled Samba package  10

    Verifying the software required  10

    Deciding how to work with old Samba installations  11

    Installing Centrify-enabled Samba and adbindproxy  14

    Upgrading from a previous release  18

    Chapter 3 Configuring Centrify-enabled Samba  22

    Verifying the environment before you begin  22

    Verifying DNS settings on the local computer  23

    Running the adbindproxy.pl  23

    Verifying the Samba integration  29

    Modifying the Samba smb.conf configuration file  32

    Appendix A Migrating existing Samba users to DirectControl  36

    Migrating UNIX profiles to Active Directory  36

    Migrating Samba servers to Centrify Zones  37

    Appendix B Using adbindproxy.pl  38

    Index  41

    About this guide

    The Centrify Suite centrally secures cross-platform data centers through Active Directory-based identity and access management for a wide range of heterogeneous systems, hypervisors and applications.

    Built on an integrated architecture that leverages patented technology, the Centrify Suite of solutions helps centralize ID, access privilege delegation and policy management to reduce the organization's IT expense and complexity, improve end-user productivity, strengthen security and enhance regulatory compliance initiatives. Key components of the Centrify Suite include integrated authentication, access control, role-based privilege management, user-level auditing and server protection solutions, consisting of Centrify DirectControl, Centrify DirectAuthorize, Centrify DirectAudit, Centrify DirectSecure, and Centrify DirectManage.

    This book describes how to install and configure Centrify-enabled Samba, a customized version of the open source file and print sharing program, on a Linux or UNIX computer that has the DirectControl agent already installed.

    Intended audience

    This book is written for an experienced system administrator familiar with the unpacking and installation of programs on Linux or UNIX computers. In addition, the instructions assume that you have a working knowledge of Samba and how to perform common administrative tasks for creating and maintaining Samba shares.

    This book also requires you to have a working knowledge of DirectControl and how to perform common administrative tasks using the DirectManage Administrator Console and the Active Directory Users and Computers administration tool. If you are unfamiliar with DirectControl, see the Centrify Suite Administrator's Guide.

    Using this guide

    The book guides you through the installation and configuration of Centrify-enabled Samba. It is organized as follows:

    Chapter 1, Using Centrify Suite technology with Samba, provides a brief overview of Samba, and how Samba, DirectControl, and Active Directory work together to provide a secure, integrated environment.

    Chapter 2, Install the Centrify-enabled Samba package, describes how to unpack and install the Centrify Samba package.

    Chapter 3, Configuring Centrify-enabled Samba, describes how to use the Samba configuration file and test your integration of Samba, DirectControl, and Active Directory.

    Appendix A, Migrating existing Samba users to DirectControl, describes how to migrate existing users from Samba servers to DirectControl.

    Appendix B, Using adbindproxy.pl, describes the adbindproxy.pl utility, which enables you to configure Samba for interoperability with DirectControl.

    Conventions used in this guide

    The following conventions are used in this guide:

    Fixed-width font is used for sample code, program names, program output, file names, and commands that you type at the command line. When italicized, this font is used to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments.

    Bold text is used to emphasize commands, buttons, or user interface text, and to introduce new terms.

    Italics are used for book titles and to emphasize specific words or terms.

    The variable release is used in place of a specific release number in the file names for individual DirectControl software packages. For example, centrifydc-release-sol8-sparc-local.tgz in this guide refers to the specific release of the DirectControl Agent for Solaris on SPARC available on the DirectControl CD or in a DirectControl download package. On the CD or in the download package, the file name indicates the DirectControl version number. For example, if the software package installs DirectControl version number 4.4.2, the full file name is centrifydc-4.4.2-sol8-sparc-local.tgz.

    Where to go for more information

    Before you start, be sure to read through the Release Notes included with the software package. This file provides the most up-to-date information about the package, including system requirements and supported platforms, and any additional information that may not be included in other documentation.

    For information about how to set up and use Samba, you should review the guides included in the Samba distribution, or the documentation available at http://samba.org, including:

    Official Samba-3 HOWTO and Reference Guide

    Samba-3 by Example

    The following books describe the Centrify Suite components and how to integrate them into your environment.

    Planning and Deployment Guide provides guidelines, strategies, and best practices to help you plan for and deploy DirectControl in a production environment. This guide covers issues you should consider in planning a DirectControl deployment project. The Planning and Deployment Guide should be used in conjunction with the information covered in the Administrator's Guide.

    Administrator's Guide describes how to perform administrative tasks using the DirectControl Administrator Console and UNIX command line programs. The Administrator's Guide focuses on managing your environment after deployment, including creating a zone structure and managing identity and access for users in your UNIX environment.

    Group Policy Guide describes the DirectControl group policies you can use to customize user-based and computer-based configuration settings. This guide provides an overview of how group policies are applied and how to install and enable DirectControl-specific policies.

    Configuration Parameters Reference Guide provides reference information for the Centrify DirectControl configuration parameters that enable you to customize your environment. Many of these settings can also be controlled through group policies.

    Administrator's Guide for Mac OS X provides information for Mac OS X system administrators about the administrative issues and tasks that are specific or unique to a Mac OS X environment. If you are deploying in an environment with Mac OS X servers or workstations, you should refer to this guide for information about the group policies that only apply to Mac OS X computers and users.

    Authentication Guide for Apache describes how to install and configure the DirectControl for Web Applications product with Apache servers and applications.

    Authentication Guide for Java Applications describes how to install and configure the DirectControl for Web Applications product with Tomcat, JBoss, WebLogic, and WebSphere servers and J2EE applications.

    Individual UNIX man pages for command reference information for DirectControl UNIX command line programs.

    Contacting Centrify

    If you have a problem during DirectControl software installation or configuration, need help with Active Directory configuration, or want clarification on best practices, contact your Centrify System Engineer or Technical Support. Go to www.centrify.com/support and log in for the Technical Support contact information.

    Chapter 1 Using Centrify Suite technology with Samba

    This chapter introduces Centrify-enabled Samba and highlights the integration issues you might encounter when enterprise networks want to combine the services of Centrify Suite products and Samba to share files on Centrify-managed computers. The following topics are covered:

    Integrating Centrify Suite and Samba

    Integrating Samba with Centrify Express

    Integrating Centrify Suite and Samba

    Samba is a popular, open source, file and printer sharing program that allows a Linux or UNIX host to participate as an Active Directory services domain member. When Samba is installed, Windows users can share files and printers on the Linux or UNIX computers.

    The Centrify Suite is an integrated set of commercial identity management products that enable a Linux, UNIX, or Mac host to participate as an Active Directory domain member. When Centrify Suite products are installed, the Centrify-managed computer's user and group accounts and privileges can be managed entirely through Active Directory.

    When open-source Samba, configured as an Active Directory domain member, and the Centrify Suite DirectControl agent are both installed on the same Linux or UNIX host, however, two problems can arise:

    Samba and DirectControl both attempt to create and manage the same Active Directory computer account object, causing one of the products to stop working.

    Samba and the Centrify Suite DirectManage tools generate conflicting UIDs and GIDs for the same Active Directory users and groups, because the two programs use different algorithms for generating these values. The result is file ownership conflicts and access control problems.

    To resolve these issues, Centrify-enabled Samba should be used instead of any existing Samba running on the Linux or UNIX system. Centrify-enabled Samba supports the standard Samba protocols and eliminates the potential contentions and UID/GID conflicts.

    The Centrify-enabled Samba package consists of the following components:

    Compiled and packaged version of Centrify-enabled Samba.

    adbindproxy module: Intercepts Samba UNIX ID mapping requests and reroutes them to DirectControl for processing. This module ensures that Samba and DirectControl agree on the UNIX attribute values.

    adbindproxy.pl PERL configuration script: Automates most of the setup process and designates DirectControl as the manager of the shared computer object.

    The following figure provides a conceptual view of the complete solution architecture using Active Directory, Samba, and Centrify Suite components.

    If you have not been using Samba up to this point, or if you have been using an older Samba security method (such as user or server), the integration process makes it easy to configure Samba as an Active Directory member.

    On the other hand, if you have already been using Samba as an Active Directory domain member and have assigned UIDs and GIDs to Active Directory users and groups, the PERL configuration script helps migrate these UIDs and GIDs for use with Centrify-enabled Samba.

    The integrated solution, composed of the DirectControl Agent (installed separately), the pre-compiled, Centrify-enabled Samba program and adbindproxy, the Centrify winbind proxy program, provides the following:

    Samba and DirectControl use the same Active Directory computer object without conflicts.

    Consistent user and group attributes are applied on files across Windows, Linux and UNIX computers.

    All UNIX user identity attributes, including the UID, GID, home directory and log in shell in UNIX profiles, are centrally stored and managed in Active Directory.

    Both Kerberos and NTLM Samba authentication methods are supported.

    Standard Samba access-control features are implemented and augmented by the Centrify zones technology.

    Integrating Samba with Centrify Express

    Centrify Express is a special deployment option of the Centrify Suite technology that automatically generates UNIX attributes for Active Directory users and computers. Centrify Express does not, however, use Centrify zone technology. Most of the procedures described in this manual work the same for both the standard and Express deployments, with the following limitations:

    You cannot migrate existing, Samba-generated UIDs and GIDs to Centrify Express. This is only an issue if you have already been running Samba as an Active Directory member. You can, however, manually convert the Samba-generated UIDs and GIDs to the same IDs generated by the DirectManage Administrator console.

    You cannot use Centrify zones to restrict access to Samba shares. See the Samba documentation for ways to implement share restriction if it is something you need. Alternatively, consider upgrading to the full Centrify Suite.

    Chapter 2 Install the Centrify-enabled Samba package

    This chapter describes how to install Centrify-enabled Samba on the Linux and UNIX computers in your environment and enable interoperability between DirectControl and Samba.

    The following topics are covered:

    Verifying the software required

    Deciding how to work with old Samba installations

    Installing Centrify-enabled Samba and adbindproxy

    Upgrading from a previous release

    Verifying the software required

    Samba is an open source software package that is freely available on the Samba project site (http://samba.org). In addition, virtually every distribution of Linux and many commercial UNIX operating environments include a binary version of Samba as an integral part of the package. To get Samba interoperability with Centrify Suite products, you must use the precompiled version of Samba that is provided by Centrify.

    Centrify-enabled Samba includes patches to the Samba programs. Although these patches may be included in future versions of Samba if approved by the Samba development team, for now, they only exist in Centrify-enabled Samba.

    Required Centrify Suite software

    Before you install the Samba package, confirm that the following software is installed on your Windows and Linux or UNIX systems; see the release notes for compatibility information:

    The DirectControl for Windows software package, for the DirectControl Administrator Console.

    Note If you are running DirectControl Express, you do not need to install the DirectControl Administrator Console.

    The DirectControl Agent software package, for the specific operating environments you want to support.

    The Centrify-enabled Samba archive file that contains the centrifydc-samba and centrifydc-adbindproxy installation packages for the specific operating environments you want to support.

    You must install the DirectControl Agent, and the Centrify-enabled Samba and adbindproxy packages, on each computer on which you intend to set up Samba-based SMB file servers.

    Centrify Suite software installation

    If you have not already done so:

    Follow the instructions in the DirectControl Administrator's Guide to install the DirectControl Administrator Console on at least one Windows computer and configure at least one zone.

    Apply the latest operating system patches on the computers where you intend to install the DirectControl Agent and Centrify-enabled Samba to ensure the operating systems are up to date.

    Copy the Centrify Suite and Centrify-enabled Samba software packages to an empty working directory on each Linux or UNIX computer to avoid potential conflicts with other packages.

    Follow the instructions in the DirectControl Administrator's Guide to install the DirectControl Agent on each Linux or UNIX computer. Use the instructions in this book to create your Centrify Zones and to join the Samba servers to the Active Directory domain.

    Deciding how to work with old Samba installations

    Many Linux and UNIX vendors bundle Samba with the operating system. If an existing Samba installation resides on your target computer, it will conflict with the Centrify-enabled Samba package you are about to install. This section explains your options if you find an existing Samba installation.

    To check for an existing Samba installation, do one of the following:

    Run your package management software. For example, on Red Hat Enterprise Linux:

    rpm -qa | grep -i samba

    If you have Samba installed, the command returns something similar to the following:

    samba-client-version

    samba-common-version

    where version is the current Samba version number.

    Search for Samba utilities such as net or smbstatus (typically found in the /usr/bin directory) or the Samba daemons, such as smbd, nmbd, or winbind (typically found in /usr/sbin). For example, enter the following command:

    ls -l /usr/bin | grep -i smbstatus

    -rwxr-xr-x 1 root root 669372 Oct 16 2007 smbstatus

    If you find no evidence of an existing Samba, skip to Installing Centrify-enabled Samba and adbindproxy on page 14. In addition, you can safely answer Yes to the question Do you want to create symbolic links when you run the adbindproxy.pl configuration script.

    If a Samba already exists on the target computer then you must do one of the following BEFORE you install Centrify-enabled Samba:

    Remove it: see Remove existing Samba installations

    Replace it: see Replace existing Samba installations

    Co-exist with it: see Co-existing with existing Samba installations

    Remove existing Samba installations

    Ideally, the best solution is to remove the existing Samba installation using your platform's package management software. However, in practice, this is often difficult to do because not only are multiple Samba components installed (client, server, and library components) but in many cases other installed packages depend on the Samba components and must be removed first.

    Note Before you remove your existing Samba package you may want to save the existing winbind UID and GID assignments. See Upgrading from a non-Centrify-enabled version of Samba on page 20 for the rationale and instructions.

    In such cases, you may have to follow and remove all dependencies, then work back and remove all Samba components, which can be a very complicated process. On the other hand, some package managers, such as rpm, allow you to remove Samba components ignoring dependencies. See Upgrading from a non-Centrify-enabled version of Samba on page 20 for examples that show how to remove an existing Samba with various package managers.

    When you install Centrify-enabled Samba it replaces most if not all of the dependencies.

    Replace existing Samba installations

    An alternative strategy is to replace the existing Samba by creating symbolic links to Centrify-enabled Samba. When you run adbindproxy.pl to configure Samba, you are prompted to create symbolic links.

    Replacing an existing installation is a simple and effective strategy. In this case, adbindproxy.pl renames any existing Samba binaries it finds by adding a suffix (.pre_adbindproxy). For example, an existing smbd would be renamed smbd.pre_adbindproxy. Then adbindproxy.pl creates a symbolic link from the original name to the Centrify-enabled Samba component; for example:

    /usr/sbin/smbd => /opt/centrify/samba/sbin/smbd

    During installation you are not required to do any manual work to remove the existing Samba installation. You will, however, need to use a package manager option that ignores file conflicts and dependencies, such as the rpm --replacefiles and --nodeps options (see Upgrading from a previous release on page 18 for an example).

    After installation, the adbindproxy configuration script automatically takes care of creating symbolic links and renaming the existing Samba binaries when you answer Yes to the prompt, Do you want to create symbolic links... (see Running the adbindproxy.pl on page 23).

    Note Before you replace your existing Samba package you may want to save the existing winbind UID and GID assignments. See Upgrading from a non-Centrify-enabled version of Samba on page 20 for the rationale and instructions.

    After installation and configuration, because they have been renamed, there is no chance that the old Samba binaries can be mistakenly executed in place of the Centrify-enabled Samba binary.

    The downside to this strategy is that as far as the operating system is concerned, the original Samba is still installed, so you must be careful when installing operating system patches to avoid inadvertently overwriting Centrify-enabled Samba binaries with ones from the patches.

    Co-existing with existing Samba installations

    The third strategy is to leave an existing Samba installation in place when you install Centrify-enabled Samba. After installation, when you configure Centrify-enabled Samba, do not replace the existing binaries with symbolic links to Centrify-enabled Samba. That is, after installation, when you run the Samba configuration script, answer No to the prompt, Do you want to create symbolic links... (see Running the adbindproxy.pl on page 23).

    The original Samba binaries are not modified. Centrify-enabled Samba is installed in the directory /opt/centrify/samba, while the original Samba binaries remain in their current directories (typically /usr/bin and /usr/sbin).

    With coexistence you do not have to be concerned with inadvertently overwriting Centrify-enabled Samba binaries when applying operating system patches. However, you have to be careful to be certain that you are executing the correct Samba binaries. Typically, you need to use the complete path (/opt/centrify/samba/bin/sambaProgramName) when executing Centrify-enabled Samba binaries, or you can modify the PATH environment variable to define the path to the Centrify-enabled Samba binaries first.
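    As an added example (not from the Centrify guide), the following POSIX shell script combines the existence check above with an audit of the replace and co-exist states: it lists installed Samba packages, classifies each Samba binary as a vendor file, a link into /opt/centrify/samba, or a foreign link, and flags any binary that has a .pre_adbindproxy backup but no longer links to Centrify-enabled Samba, which is exactly what an operating system patch overwriting the link looks like. The /opt/centrify/samba path and the .pre_adbindproxy suffix come from this guide; the program names checked, the vendor directories and the dpkg fallback are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Centrify guide. Audits the Samba binaries on a
# host so an administrator can see which strategy (remove / replace / co-exist)
# is in effect and whether an OS patch has overwritten a symbolic link that
# adbindproxy.pl created.
#
# From the guide: Centrify-enabled Samba lives under /opt/centrify/samba and
# replaced vendor binaries are renamed with the .pre_adbindproxy suffix.
# Assumptions: the vendor directories and the program names checked below.

CENTRIFY_SAMBA=${CENTRIFY_SAMBA:-/opt/centrify/samba}
SAMBA_PROGRAMS="smbd nmbd winbindd net smbstatus"

# classify_samba_binary PATH
# Prints one of:
#   absent         nothing at PATH
#   centrify-link  symlink into $CENTRIFY_SAMBA ("replace" strategy, intact)
#   foreign-link   symlink pointing somewhere else
#   vendor         a regular file: vendor Samba, or a link a patch overwrote
# followed by the word "backup" when PATH.pre_adbindproxy exists, i.e. when
# adbindproxy.pl once replaced this binary.
classify_samba_binary() {
    path=$1
    if [ -L "$path" ]; then
        case "$(readlink "$path")" in
            "$CENTRIFY_SAMBA"/*) state=centrify-link ;;
            *)                   state=foreign-link ;;
        esac
    elif [ -e "$path" ]; then
        state=vendor
    else
        state=absent
    fi
    [ -e "$path.pre_adbindproxy" ] && state="$state backup"
    printf '%s\n' "$state"
}

# audit_samba_dirs DIR...
# Prints "path state" for every Samba program present in DIR (or that has a
# .pre_adbindproxy backup there). Returns 1 when some binary that
# adbindproxy.pl replaced no longer links into $CENTRIFY_SAMBA: the signature
# of an OS patch having restored the vendor binary over the link.
audit_samba_dirs() {
    rc=0
    for dir in "$@"; do
        for prog in $SAMBA_PROGRAMS; do
            p="$dir/$prog"
            [ -e "$p" ] || [ -L "$p" ] || [ -e "$p.pre_adbindproxy" ] || continue
            state=$(classify_samba_binary "$p")
            printf '%s %s\n' "$p" "$state"
            case "$state" in
                "centrify-link backup") ;;        # replaced and still intact
                *" backup")             rc=1 ;;   # replaced, but the link is gone
            esac
        done
    done
    return $rc
}

# samba_packages_installed
# The guide's package-manager check (rpm -qa | grep -i samba), with a dpkg
# equivalent for Debian and Ubuntu. Prints matching packages, one per line.
samba_packages_installed() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa | grep -i samba
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Package}-${Version}\n' | grep -i samba
    fi
}

# Stand-alone use: sh audit-samba.sh --run
if [ "${1:-}" = --run ]; then
    echo "Installed Samba packages:"
    samba_packages_installed || echo "(none found)"
    echo "Samba binaries:"
    audit_samba_dirs /usr/bin /usr/sbin ||
        echo "WARNING: a replaced binary no longer links to $CENTRIFY_SAMBA"
fi
```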

    Installing Centrify-enabled Samba and adbindproxy

    Use the instructions in this section to install the Centrify-enabled Samba and the adbindproxy program.

    Note If you have not already done so, before continuing, be certain to look at Upgrading from a previous release on page 18 for instructions that may be pertinent, depending on your current DirectControl and Centrify-enabled Samba installation.

    Depending on the version of DirectControl you are using, some related programs for Centrify-enabled Samba may be installed by default with the DirectControl Agent.

    The Centrify-enabled Samba package and the Centrify adbindproxy package, however, are separate, add-on software packages installed separately from the DirectControl Agent or the Centrify Suite. For information about configuring the Centrify-enabled Samba environment to work with DirectControl after installation, see Configuring Centrify-enabled Samba on page 22.

    Extracting the contents of Centrify-enabled Samba package

    The following steps describe how to download and unpack the Samba package for a Linux or UNIX computer.

    Note In these instructions, a sample file name of centrify-samba-v.v.v-platform-arch.tgz is used in place of the full file name. The full file name for the Centrify-enabled Samba package includes the Centrify-enabled Samba version and supported platform information. For example, the full file name may look similar to this:

    centrify-samba-v.v.v-platform-arch.tgz

    where:

    v.v.v is the DirectControl version number

    platform indicates the target operating system as follows. Note that some platforms are only available on one architecture. This table may not include all of the platforms supported. Be sure to read through the Product Bundle descriptions before downloading.

    Platform    Description
    aix         IBM AIX
    debn        Debian and Ubuntu Linux
    hpnn.nn     Hewlett-Packard HP-UX
    irix        Silicon Graphics IRIX
    rheln       CentOS, Mandriva, Red Hat and Scientific Linux
    soln        Solaris and OpenSolaris
    susen       Novell SUSE and openSUSE

    arch indicates the processor architecture as follows:

    arch        Description
    i386        Intel x86, 32-bit
    x86_64      Intel x86, 64-bit
    ppc         Power PC
    ia          Itanium
    sparc       SPARC
    pa          PA-RISC

    1 Go to the Centrify Download Center to get the Centrify-enabled Samba package. You get to the Download Center from the Centrify home page. Next, click the Support tab and select the Customer Support Portal. Enter your User Name and Password. From the Support portal select the Customer Download Center. In the Download Center, select Centrify-Enabled Samba from the Centrify-Enabled Tools.

    2 Download the centrify-samba-release-platform-arch.tgz file corresponding to your DC (DirectControl) Version (see the leftmost column) and the target computer's operating system and processor architecture.

    3 Uncompress the contents of the file. For example, on a Red Hat Enterprise Linux computer you would use the following:

    gunzip centrify-samba-v.v.v-platform-arch.tgz

    4 Extract the contents of the file. For example, on a Red Hat Enterprise Linux computer you would use the following:

    tar -xvf centrify-samba-v.v.v-platform-arch.tar

    After extracting the contents of the file, you should see the following files:

    Centrify-Samba-v.v.v-Release-Notes.txt: Generic release note for this version of the Centrify-enabled Samba package.

    centrifydc-adbindproxy-V.V.V-platform-arch.rpm: The module that intercepts Samba UNIX ID mapping requests and reroutes them to DirectControl for processing.

    centrifydc-samba-s.s.s-v.v.v-platform-arch.rpm (where s.s.s is the base Samba version number): the Centrify-enabled Samba package.

    release-notes-samba-platform.txt: Supplemental, platform-specific release notes.

    5 Review the two text files for release-specific information about the package that was available after this document was published.

    The packages are now ready for installation.

    Install Centrify-enabled Samba

    Use the following steps to install the Centrify-enabled Samba and then adbindproxy. In these steps the file name centrifydc-samba-*.rpm is used in place of the full file name. You can use the wildcard symbol (*) to substitute for a portion of the file name if there are no conflicting files in the directory.

    Note If you are updating from a previous version of Centrify-enabled Samba or have a vendor-supplied Samba installed on the computer, see Upgrading from a previous release on page 18 before proceeding.

    Be sure to enter the full path name in the command line if multiple versions of the same file exist in the same directory.

    1 Run the appropriate command for your platform to install the centrifydc-samba package. The following table shows sample commands using the common package installer for each platform.

    For this platform: Red Hat Enterprise Linux, CentOS Linux, Scientific Linux, Oracle Linux
    You can run:
        For 32-bit systems: rpm -Uvh centrifydc-samba-*.rpm
        For 64-bit systems: rpm -Uvh centrifydc-samba-*.rpm
        (the wildcard matches the i386 or x86_64 file you downloaded)

    For this platform: Sun Solaris
    You can run (on SPARC systems, for example):
        gunzip centrifydc-samba-*-sol8-sparc-local.gz
        pkgadd -d centrifydc-samba-*
        There are four Solaris packages. Select the package that matches your Solaris version and processor type. If you have Solaris 9, use the sol8 package. If you have Solaris 11, use the sol10 package. The x86 version can be installed on 32- and 64-bit architectures.
        centrifydc-samba-*-sol8-sparc-local
        centrifydc-samba-*-sol8-x86-local
        centrifydc-samba-*-sol10-sparc-local
        centrifydc-samba-*-sol10-x86-local

    For this platform: HP-UX
    You can run (for HP-UX 11.11 on PA-RISC):
        gunzip centrifydc-samba-*-hp11.11.gz
        swinstall -s /path/centrifydc-samba-*-hp11.11.depot CentrifyDC-Samba
        For other HP-UX versions and platforms the commands are the same but the file names differ. For example, on HP-UX 11.23 Itanium 64-bit systems the file is centrifydc-samba-*-hp11.23-ia64.depot.gz

    For this platform: IBM AIX
    You can run (for AIX 5.3 or later):
        gunzip centrifydc-samba-*-aix5.3-ppc.tgz
        inutoc .
        installp -aY -d centrifydc-samba-*-aix5.3-ppc.bff CentrifyDC.samba

    For this platform: Debian Linux, Ubuntu Linux
    You can run:
        Check that you have libcupsys2-gnutls10 (1.1.23-1 or later) installed. If you have the required libraries, run the following command to install:
        32-bit processor: dpkg -i centrifydc-samba-*-deb5-i386.deb
        64-bit processor: dpkg -i centrifydc-samba-*-deb5-x86_64.deb

    For this platform: SuSE Linux, OpenSuSE Linux
    You can run:
        For 32-bit systems: rpm -ivh centrifydc-samba-*-suse8-i386.rpm
        For 64-bit systems: rpm -ivh centrifydc-samba-*-suse9-x86_64.rpm
        Note SuSE Linux 9 requires the cups package.

    2 Repeat the installation command for your platform, this time specifying the centrifydc-adbindproxy-* package file (centrifydc-adbindproxy-*.rpm on rpm-based systems).

    This concludes the installation of Centrify-enabled Samba and the adbindproxy. Skip to Chapter 3, Configuring Centrify-enabled Samba, to continue.

    Upgrading from a previous release

    The following sections describe how to upgrade from previous versions of DirectControl and Centrify-enabled Samba.

    Upgrading from a DirectControl version earlier than 4.4.2 and Centrify-enabled Samba 3.0.33 or earlier on page 19

    Upgrading from DirectControl 4.4.2 or later and Centrify-enabled Samba 3.0.33 or earlier on page 20

    Upgrading from a non-Centrify-enabled version of Samba on page 20

    Before proceeding, run the adinfo --version command on the managed computer to determine which version of DirectControl (CentrifyDC) you are running.
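    The three upgrade paths above are chosen from two version numbers: the DirectControl version that adinfo --version reports, and the version of the Samba that is currently installed. The shell functions below are an added example, not part of this guide or of Centrify's tools, that make that selection from the two strings so the decision can be checked offline. They assume that adinfo --version prints a line of the form adinfo (CentrifyDC x.y.z-build), which this guide does not show, and that smbstatus reports Centrify-enabled Samba as Samba version s.s.s-cdc-v.v.v-xxx, the format shown later under Verifying the version of Samba you are using. All version strings in the demonstration call are constructed.

```shell
#!/bin/sh
# Added example (not from the Centrify guide): pick the upgrade path from
# the DirectControl and Samba versions. The two version lines are passed in
# as arguments so the logic can be exercised without the tools installed.
# ASSUMPTION: `adinfo --version` prints "adinfo (CentrifyDC x.y.z-build)".
# ASSUMPTION: `smbstatus | grep version` prints "Samba version s.s.s-cdc-v.v.v-xxx".

# vercmp A B: compare dotted numeric versions; prints -1, 0 or 1.
# Numeric, not lexical: 3.0.33 is newer than 3.0.4.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    printf '%s\n' 0
}

# dc_version LINE: "adinfo (CentrifyDC 4.4.1-123)" -> 4.4.1 (empty if no match)
dc_version() {
    v="${1#*CentrifyDC }"
    if [ "$v" = "$1" ]; then v=""; fi      # marker absent: DirectControl not reporting
    v="${v%%[!0-9.]*}"
    printf '%s\n' "$v"
}

# samba_version LINE: "Samba version 3.0.33-cdc-4.4.1-123" -> 3.0.33 (empty if no match)
samba_version() {
    v="${1#*Samba version }"
    if [ "$v" = "$1" ]; then v=""; fi
    v="${v%%[!0-9.]*}"
    printf '%s\n' "$v"
}

# samba_is_cdc LINE: true if the version string carries the -cdc- marker
samba_is_cdc() {
    case "$1" in *-cdc-*) return 0;; *) return 1;; esac
}

# upgrade_path ADINFO_LINE SMBSTATUS_LINE -> one of:
#   no-dc    DirectControl is not installed; install it before Samba
#   fresh    no Samba installed: follow "Install Centrify-enabled Samba"
#   vendor   non-Centrify Samba: "Upgrading from a non-Centrify-enabled version of Samba"
#   old-dc   DC < 4.4.2 and CDC Samba <= 3.0.33: remove CentrifyDC-idmap, upgrade DC, then install
#   new-dc   DC >= 4.4.2 and CDC Samba <= 3.0.33: install the new packages directly
#   current  CDC Samba newer than 3.0.33: the guide gives no extra upgrade steps
upgrade_path() {
    dc=$(dc_version "$1")
    smb=$(samba_version "$2")
    if [ -z "$dc" ]; then printf '%s\n' no-dc; return; fi
    if [ -z "$smb" ]; then printf '%s\n' fresh; return; fi
    if ! samba_is_cdc "$2"; then printf '%s\n' vendor; return; fi
    if [ "$(vercmp "$smb" 3.0.33)" -gt 0 ]; then printf '%s\n' current; return; fi
    if [ "$(vercmp "$dc" 4.4.2)" -lt 0 ]; then printf '%s\n' old-dc; else printf '%s\n' new-dc; fi
}

# Offline demonstration with constructed version lines: prints "old-dc".
upgrade_path 'adinfo (CentrifyDC 4.4.1-123)' 'Samba version 3.0.33-cdc-4.4.1-123'

# Live use on a managed computer (adinfo and smbstatus on PATH):
#   upgrade_path "$(adinfo --version 2>/dev/null)" "$(smbstatus 2>/dev/null | grep -i version)"
```

    The comparison is done field by field as integers rather than as a string compare, because the boundary the guide draws (3.0.33) sorts before 3.0.4 lexically.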

    Upgrading from a DirectControl version earlier than 4.4.2 and Centrify-enabled Samba 3.0.33 or earlier

    The adbindproxy in this version of Centrify-enabled Samba requires at least DirectControl 4.4.2 and a version of Centrify-enabled Samba later than 3.0.33. In addition, the CentrifyDC idmap program, which was installed as part of earlier Centrify-enabled Samba packages, conflicts with adbindproxy and must be removed.

    Use the following steps to upgrade from a Centrify-enabled Samba installation with a version of DirectControl earlier than 4.4.2 and Centrify-enabled Samba 3.0.33 or earlier:

    1 Copy the existing startup script /etc/init.d/centrifydc-samba and name the copy /etc/init.d/centrifydc-samba.upgrade. For example:

    cd /etc/init.d
    cp centrifydc-samba ./centrifydc-samba.upgrade

    Note On HP-UX, there are two files you must copy and save before upgrading, /sbin/init.d/centrifydc-samba and /etc/rc.config.d/centrifydc-samba.rc. For both of these files, append .upgrade to the file name.

    2 Use the appropriate local operating system command or package manager to remove the old version of the idmap program. The following table lists the common commands for each platform:

    For this platform      You can run
    Most Linux variants    rpm -e CentrifyDC-idmap
    Debian/Ubuntu          dpkg -P centrifydc-idmap
    Sun Solaris            pkgrm CentrifyDC-idmap
    HP-UX                  swremove CentrifyDC-idmap
    IBM AIX                installp -u CentrifyDC.idmap

    3 Replace the Centrify Suite DirectControl and DirectManage components on all of the Windows and Linux or UNIX computers. See the DirectControl Administrator's Guide for the installation instructions.

    4 Install Centrify-enabled Samba and adbindproxy as described in Installing Centrify-enabled Samba and adbindproxy on page 14.

    Note You may see package conflict errors during this step. If so, rerun the rpm command with the --nodeps and --replacefiles options. The --nodeps option installs the Centrify-enabled Samba package without checking for dependencies; the --replacefiles option replaces conflicting files with the files from the new package. Because both options bypass the package manager's safety checks, read the reported conflicts first rather than applying the options by default.

    This concludes Centrify-enabled Samba and adbindproxy installation. Go to Configuring Centrify-enabled Samba on page 22 to continue.

    Upgrading from DirectControl 4.4.2 or later and Centrify-enabled Samba 3.0.33 or earlier

    The adbindproxy in Centrify-enabled Samba requires at least DirectControl 4.4.2 and a version of Centrify-enabled Samba later than 3.0.33.

    If the target system has DirectControl 4.4.2 or later but your Centrify-enabled Samba is version 3.0.33 or earlier, no separate preparation is needed: install Centrify-enabled Samba and adbindproxy as described in Installing Centrify-enabled Samba and adbindproxy on page 14.

    Note You may see package conflict errors during this step. If so, rerun the rpm installation command with the --nodeps and --replacefiles options. The --nodeps option installs the Centrify-enabled Samba package without checking for dependencies, while the --replacefiles option replaces conflicting files with files from the new package.

    This concludes Centrify-enabled Samba and adbindproxy installation. Go to Configuring Centrify-enabled Samba on page 22 to continue.

    Upgrading from a non-Centrify-enabled version of Samba

    If you already have Samba installed on your system AND have determined that replacing it serves you best (see Deciding how to work with old Samba installations on page 11 for a discussion of your options), use the following procedure to upgrade to Centrify-enabled Samba:

    1 Save the existing winbind UID and GID assignments: If you have been running Samba and winbind on the computer where you are going to install Centrify-enabled Samba, save the existing winbind UID and GID assignments before you install the new software. This allows you to import these assignments into a Centrify Zone and map them to users and groups in Active Directory.

    If winbind is currently configured in your /etc/nsswitch.conf file, run the following commands to save the winbind-supplied entries (the ones getent returns that are not defined in the local files) before installing:

    getent passwd | grep -v -F -x -f /etc/passwd > /tmp/passwd.winbind
    getent group | grep -v -F -x -f /etc/group > /tmp/group.winbind

    See Migrating existing Samba users to DirectControl on page 36 for more information.

    2 Use the appropriate local operating system command or package manager to manually remove the old version of the Samba program. For example, you can use the following commands, where version is the installed package version:

    For this platform      You can run
    Most Linux variants    rpm -e samba-common-version
    Debian/Ubuntu          dpkg -P samba-common-version
    Sun Solaris            pkgrm samba-common-version
    HP-UX                  swremove samba-common-version
    IBM AIX                installp -u samba-common-version

    You may see package conflict errors during this step that cause package removal to fail. In this case, proceed with the next step and be certain to use the --nodeps and --replacefiles options when installing Centrify-enabled Samba.

    3 Install Centrify-enabled Samba and adbindproxy. See Installing Centrify-enabled Samba and adbindproxy on page 14 for the instructions.

    Because you are upgrading, you may see package conflict errors when you run the package manager for Centrify-enabled Samba. If so, rerun the rpm command with the --nodeps and --replacefiles options. The --nodeps option installs the Centrify-enabled Samba package without checking for dependencies; the --replacefiles option replaces conflicting files with files in the new package.

    4 Run the adbindproxy.pl script to configure Centrify-enabled Samba; see Running the adbindproxy.pl on page 23.
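    Step 1 above captures the winbind-supplied accounts with grep. The functions below are an added example, not part of this guide, that make the same capture keyed on the account name rather than on whole lines, and that additionally report UID and GID collisions between winbind entries and local accounts, which are the conflicting identities the later migration has to resolve. save_winbind_ids is the live form of step 1 and writes to the same /tmp files; the passwd entries in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the Centrify guide: capture winbind-supplied
# passwd/group entries and report ID collisions before replacing Samba.

# nonlocal_entries LOCALFILE GETENTFILE
# Prints the entries of GETENTFILE whose name (field 1) does not appear in
# LOCALFILE. Keying on the name field avoids the substring and regex problems
# of grepping whole lines ("bob" must not hide "bobby", "." is not a wildcard).
nonlocal_entries() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen)' "$1" "$2"
}

# id_conflicts LOCALFILE GETENTFILE
# Prints "name:id:localname" for each entry whose numeric ID (field 3: UID for
# passwd, GID for group) is already used by a different local account. Such
# entries cannot be imported into a zone as they are.
id_conflicts() {
    awk -F: 'FILENAME == ARGV[1] { owner[$3] = $1; next }
             ($3 in owner) && owner[$3] != $1 { print $1 ":" $3 ":" owner[$3] }' "$1" "$2"
}

# save_winbind_ids: the live version of step 1. Refuses to run unless winbind
# is actually listed in /etc/nsswitch.conf, so an empty capture is not mistaken
# for "no winbind users".
save_winbind_ids() {
    if ! grep -Eq '^(passwd|group):.*winbind' /etc/nsswitch.conf; then
        echo "winbind is not configured in /etc/nsswitch.conf; nothing to save" >&2
        return 1
    fi
    getent passwd > /tmp/passwd.all && nonlocal_entries /etc/passwd /tmp/passwd.all > /tmp/passwd.winbind
    getent group  > /tmp/group.all  && nonlocal_entries /etc/group  /tmp/group.all  > /tmp/group.winbind
    id_conflicts /etc/passwd /tmp/passwd.all > /tmp/passwd.conflicts
    id_conflicts /etc/group  /tmp/group.all  > /tmp/group.conflicts
    wc -l /tmp/passwd.winbind /tmp/group.winbind /tmp/passwd.conflicts /tmp/group.conflicts
}

# Constructed sample data for the offline demonstration.
sample_local_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/bash'
}
sample_getent_passwd() {        # what getent passwd returns with winbind in nsswitch
    sample_local_passwd
    printf '%s\n' \
        'bobby:*:10001:10000:Bobby:/home/WONDER/bobby:/bin/bash' \
        'alice:*:1001:10000:Alice:/home/WONDER/alice:/bin/bash'
}

# demo: prints the two winbind entries, then the alice/bob UID collision.
demo() {
    d=$(mktemp -d) || return 1
    sample_local_passwd  > "$d/passwd"
    sample_getent_passwd > "$d/getent"
    echo "== winbind-supplied entries"
    nonlocal_entries "$d/passwd" "$d/getent"
    echo "== UID collisions (name:uid:local owner)"
    id_conflicts "$d/passwd" "$d/getent"
    rm -rf "$d"
}

case "${1:-demo}" in
    save) save_winbind_ids ;;
    demo) demo ;;
esac
```

    Run the script with no argument to see the demonstration, or with save on the computer being upgraded. The conflicts files are the ones to look at before importing: an AD user whose winbind UID equals a local user's UID will be mapped onto that local account's files unless one of the two is renumbered.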

    Chapter 3 Configuring Centrify-enabled Samba

    This chapter describes how to configure Centrify DirectControl and Centrify-enabled Samba to work together properly.

    The following topics are covered:

    Verifying the environment before you begin

    Verifying DNS settings on the local computer on page 23

    Running the adbindproxy.pl on page 23

    Verifying the Samba integration on page 29

    Modifying the Samba smb.conf configuration file on page 32

    Verifying the environment before you begin

    Centrify-enabled Samba includes the adbindproxy.pl script, which performs most of the configuration steps for you. Before running this script, however, you should verify that the environment is ready for configuration and that you are ready to proceed.

    At this point, you should check that:

    Centrify DirectControl is installed on a Windows computer in an Active Directory domain.

    You have created at least one zone, either the default zone or a zone you created with the zone wizard.

    Note If you are running Centrify DirectControl in Express Mode, or have connected to a domain through Auto Zone, you will not have any zones configured. You can still configure Centrify-enabled Samba to run with DirectControl.

    You have added or imported some users and groups into the Centrify Zone. Only Active Directory users who are members of the Centrify Zone are able to access Samba shares on the local computer.

    The DirectControl Agent is installed on the computer where you have installed the Centrify-enabled Samba.

    Older, incompatible versions of Samba have been removed from, or replaced with Centrify-enabled Samba on, the computer that hosts the Samba shares.

    Note Although you are not required to remove older Samba versions, you should be careful to use versions with the proper operating system patches. You can use the adbindproxy.pl configuration script to automatically move and rename an older Samba version to a different directory, or you can manually remove or rename an older Samba installation prior to running the adbindproxy.pl configuration script.

    The adbindproxy package is installed on the computer.

    Verifying DNS settings on the local computerCentrify Suite relies on DNS to locate its domain controller and monitor connection status. If you are unsure whether DNS is configured properly, you can run the adcheck utility, or manually inspect and, if necessary, edit the /etc/resolv.conf and /etc/hosts files to ensure server host names and IP addresses can be successfully resolved.

    Running adcheck

    Centrify Suite includes a utility, adcheck, which runs a number of operating system, network, and Active Directory checks to verify that your domains are correctly configured for DirectControl. You can run adcheck to verify your DNS settings as follows:

    /usr/share/centrifydc/bin/adcheck -t net domainName

    where:

    -t net runs only the network check.

    domainName specifies the domain; for example, ajax.org.

    You should see output similar to the following:

    /usr/share/centrifydc/bin/adcheck -t net ajax.org

    NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass

    DNSPROBE : Probe DNS server 192.164.10.1 : Pass

    DNSCHECK : Analyze basic health of DNS servers : Pass

    WHATSSH : Is this an SSH that DirectControl works well with : Pass

    SSH : SSHD version and configuration : Pass

    If adcheck encounters any problems with the configuration, it prints a warning or error message that includes information on how to correct the problem.

    Running the adbindproxy.pl

    This section describes how to configure Samba using the adbindproxy.pl script.

    Note If your current environment has Windows users accessing data on Samba member servers that are joined to the Active Directory domain, you may want to migrate those users to DirectControl. This way, you can use Centrify Zones to manage conflicting identities and rationalize UIDs and GIDs. See Migrating UNIX profiles to Active Directory on page 36 to migrate those users. Complete the migration before integrating Centrify-enabled Samba and DirectControl.

    The adbindproxy.pl script performs the following tasks:

    Determines the computers operating system and adjusts accordingly. For example, for Solaris-based machines it verifies that all of the patches necessary to run Samba have been installed.

    Confirms that the DirectControl Agent is installed.

    Confirms the Centrify-enabled Samba has been installed.

    Checks for and reports any conflicting Samba installations.

    Note If the script finds another Samba installed, you have several options, see Deciding how to work with old Samba installations on page 11.

    Prompts you to create symbolic links to the Centrify-enabled Samba binaries in /usr/bin and /usr/sbin. If you have existing links it backs up the originals.

    Determines if you are joined to an Active Directory domain and, if you are, displays the domain name and Centrify Zone.

    Asks if you want to join Centrify-enabled Samba to the current Active Directory domain or another. If you choose another, the script guides you through the current domain leave and new domain join processes.

    Note If you want to modify or set advanced join settings (for example, update PAM or NSS config, use DES for encryption, or use a computer alias), either run adleave before you run adbindproxy.pl or select a different domain when prompted in the script. Otherwise, the script does NOT prompt you to enter advanced join settings.

    If you have a previous Samba installation, asks if you want to keep the smb.conf settings or use new ones. adbindproxy.pl automatically saves the existing copy.

    Note The script automatically looks for an existing smb.conf file using the smbd -b command. If your current version of smbd does not support the -b option or you have smb.conf in a custom directory the script will not find it. If you want to use your existing smb.conf, move it to /etc/samba before you run the script.

    Removes old state files from previous instances of Samba, including any existing winbind entries from the /etc/nsswitch.conf file.

    Restarts the Centrify-enabled Samba daemons (nmbd, winbindd, adbindd and smbd).

    Installs scripts to automatically start the correct Samba and DirectControl services each time the computer boots.

    Before you run adbindproxy.pl, read through the prompts described below to make sure you're prepared with the answers.

    To begin, log on, switch to the root user, and proceed with the following steps:

    1 Start the script: as root, enter perl /usr/share/centrifydc/bin/adbindproxy.pl

    2 Please specify Centrify Samba's path if it is not in [/opt/centrify/samba]

    Press Enter to accept the default. Otherwise, enter your path.

    adbindproxy.pl checks for a conflicting version of Samba. If it does not find one, you get the message:

    No conflicting Samba found

    If it finds one, it displays the message:

    Warning: potentially conflicting Samba installations were found in [directory]
    Do you want to continue [N]

    where [directory] is the location of the other Samba installation.

    How to proceed depends upon whether or not you want to keep the existing Samba versions. See Deciding how to work with old Samba installations on page 11 to review the options.

    Enter N if you need to terminate the script. Enter Y if you want to proceed with two Sambas.

    3 Do you want to create symbolic links from /usr to /opt/centrify/samba/? [Y]

    Answer Y and press Enter for the following conditions:

    if there are no older Samba installations on the computer,

    if you have removed older Samba installations, or

    if you intend to entirely replace any older Samba installations with the Centrify-enabled Samba installation.

    See Deciding how to work with old Samba installations on page 11 for details on these choices.

    Answer N and press Enter if you want the existing Samba installation and Centrify-enabled Samba to co-exist. See Co-existing with existing Samba installations on page 13 for details on this choice.

    As it proceeds adbindproxy.pl displays its progress as it replaces and backs up the existing files.

    4 Do you want to leave and join to another domain? [N]

    How you respond to this prompt depends upon whether or not the computer is already joined to an Active Directory domain.

    If you were joined to a domain when you started the script, adbindproxy.pl displays the domain name and zone and asks you:

    Do you want to leave or join to another domain? [N]

    To join Centrify-enabled Samba to the currently joined Active Directory domain, press Enter and skip ahead to Step 7 on page 27.

    If you want to leave the current domain and join another, OR change any advanced options (see the list below) in your current domain, enter Y and then proceed with Step 5.

    If you are not joined, the script displays the message:

    Not joined to any domain. Make sure you enter the correct domain and zone information in the next steps

    This initiates a set of prompts that ask you for the Active Directory domain name, the Centrify Zone and advanced options. Proceed with the next step.

    5 Join new Active Directory domain

    Note You arrive at this step if you are not joined to an Active Directory Domain when you started adbindproxy.pl, you decided to leave that domain OR you decided to change advanced options in your current join. If none of these conditions apply to you, skip to Step 7.

    The first prompt asks you for the domain name.

    Enter the Active Directory domain to join :

    and then asks

    Check DNS health for [domain]? Note: this may take several minutes [Y] :

    Press Enter to confirm that the domain can be located through DNS before the join is attempted.

    Next, the script prompts you to enter the following properties:

    Centrify Zone on the target Active Directory domain

    Note If you are running DirectControl in Express Mode or need to join the domain through Auto Zone, enter NULL_AUTO for the zone name.

    computer name on which Centrify-enabled Samba is installed

    Active Directory authorized user (default is Administrator)

    6 Do you wish to specify advanced join options? [N] :

    The options are listed below. The defaults are in brackets. If you do not need any advanced join options, enter N. Otherwise, enter Y and make your selections.

    Canonical name of Active Directory Computer Container

    Preferred Domain Server to use (press Enter for none)

    Update PAM and NSS Config [Y]

    Trust computer for delegation? [N]

    Use DES encryption only? [N]

    Run adjoin in verbose mode? [N]

    Additional computer alias (press Enter for none)

    The script then displays the selections you made and asks if you want to proceed. Enter Y to proceed or N to abort adbindproxy.pl.

    If you choose to proceed AND you are leaving the current Active Directory domain to join another, the script prompts you twice for a password. In response to the first prompt, enter the password of the Active Directory account used to leave the current domain; for the second prompt, enter the password of the authorized user you specified for the new Active Directory domain and computer.

    If you were not joined to an Active Directory domain when you started the script, you are prompted for a password once. Enter the password of the authorized Active Directory user you specified in the prompts.

    7 Keep Samba Settings?

    adbindproxy.pl creates a new smb.conf file and stores it in /etc/samba. It can create a skeletal version with minimal global settings and a samba-test share only (see Modifying the Samba configuration file (smb.conf) on page 30 for a sample), or it can update an existing smb.conf file.

    Note Regardless of whether you update an existing smb.conf or create a new one, you will need to modify the /etc/samba/smb.conf file to have the [global] section settings and the appropriate shares for your environment. See Modifying the Samba smb.conf configuration file on page 32 for instructions. The file created by adbindproxy.pl should be used for verifying the Centrify-enabled Samba integration only.

    After completing the join routines in the script, adbindproxy.pl searches for existing smb.conf files. If it does not find one, it automatically creates a new one and displays the message

    Updating smb.conf with Centrify recommended settings ...

    and finishes the script - skip to Finishing Up on page 28 for the messages.

    If it does find one, adbindproxy.pl copies the file to /etc/samba and asks:

    Do you want to keep the original samba settings? [Y] :

    Note If adbindproxy.pl finds more than one smb.conf, it displays the list and asks you to select one. After you make the selection, it copies that one to /etc/samba and continues.

    Enter N to create the skeletal smb.conf. adbindproxy.pl makes a backup of your smb.conf in /etc/samba in the form, smb.conf.yyyy-mm-dd-hh-mm and creates the skeletal version.

    Enter Y to modify the existing file. adbindproxy.pl displays the prompt: Backup existing /etc/samba/smb.conf and add Centrify recommended settings? [Y]

    Enter Y to create a backup in the form, smb.conf.yyyy-mm-dd-hh-mm .

    Enter N to use the existing smb.conf without making a backup.

    Note If the existing smb.conf has security = ADS and the workgroup and realm are set, the script does NOT modify the existing file; the original is left unchanged.

    8 Reset the Samba User/Group ID Cache (Centrify Samba may create conflicting mappings) [Y]

    adbindproxy.pl creates new mapping in the Samba User/Group ID cache, which may result in conflicts if there are any mappings in place already.

    Unless you created custom mappings, accept the default [Y], which flushes the cache. This prompt matters only to the small set of Samba administrators who created custom user and group ID mappings. If you did, still accept the default to flush the cache and prevent conflicts, then re-add your mappings as necessary after adbindproxy.pl completes.

    Finishing Up

    To complete the configuration, adbindproxy.pl stops any running versions of smbd, adbindd, winbindd and nmbd, starts the Centrify-enabled versions and displays a set of progress and configuration messages. You should see the following messages:

    Init Samba start script ...

    Restarting Samba daemons ...

    Stopping Samba smbd: [ OK ]

    Stopping Samba adbindd [ OK ]

    Stopping Samba winbindd: [ OK ]

    Stopping Samba nmbd: [ OK ]

    Starting CentrifyDC-Samba nmbd: [ OK ]

    Starting CentrifyDC-Samba winbindd: [ OK ]

    Starting CentrifyDC-Samba adbindd: [ OK ]

    Starting CentrifyDC-Samba smbd: [ OK ]

    adbindproxy.pl displays one last prompt:

    Press ENTER to continue ...

    To finish up, press Enter.

    Note If any service fails to start, you should run one of the following after the adbindproxy.pl script completes its execution.

    On Linux or Solaris computers, run:/etc/init.d/centrifydc-samba restart

    On HP-UX computers, run:/sbin/init.d/centrifydc-samba restart

    On AIX computers, run:stopsrc -g samba && startsrc -g samba

    As a quick test, log off as the root user and log on with an Active Directory user account that has been granted access to the local computer's zone. If this is the first time you are logging on with this user account, check that the user's home directory has been created; Centrify DirectControl creates it automatically the first time you log on.

    Verifying the Samba integration

    There are two key scenarios for testing whether Samba is configured properly for integration with Centrify DirectControl and Active Directory:

    Accessing Samba shares from a UNIX client session

    Accessing Samba shares from a Windows desktop session

    Accessing Samba from a UNIX client session

    To test access to Samba shares on a Linux or UNIX computer, users should do the following:

    1 Log on to the Linux or UNIX computer using the Active Directory account that has been granted access to the local computers zone.

    2 Run the following command:

    smbclient -k -L localhost

    The smbclient program displays information about Samba and the SMB shares that are available on the local computer. For example, you should see a listing similar to the following (where s.s.s is the Samba version and v.v.v is the DirectControl version):

    OS=[Unix] Server=[Samba s.s.s-cdc-v.v.v-xxx]

        Sharename       Type      Comment
        ---------       ----      -------
        samba-test      Disk
        IPC$            IPC       IPC Service (Samba-CDC)
        sara            Disk      Home directories
    OS=[Unix] Server=[Samba s.s.s-cdc-v.v.v-xxx]

        Server               Comment
        ---------            -------

        Workgroup            Master
        --------             -------
        ARCADE               MAGNOLIA

    If you are able to see the Samba shares as an Active Directory user logged on to the Linux or UNIX computer that is acting as the Samba server, you should next test accessing the Samba shares from a Windows desktop. For information about performing this test, see Accessing Samba shares from a Windows desktop on page 31.

    Purging and reissuing Kerberos tickets

    If you see an error such as NT_STATUS_LOGON_FAILURE instead of the expected results when you run the smbclient program, you may need to purge your existing Kerberos tickets and have them reissued. Run the following command to remove all of your Kerberos tickets:

    /usr/share/centrifydc/kerberos/bin/kdestroy

    Then run the following command to obtain new tickets; it prompts for your Active Directory password:

    /usr/share/centrifydc/kerberos/bin/kinit

    You can then run the following command to list the Kerberos tickets that have been issued to you:

    /usr/share/centrifydc/kerberos/bin/klist

    After verifying the Kerberos tickets you have been issued, try running the smbclient program again.

    Verifying the version of Samba you are using

    If purging and reissuing tickets does not resolve the problem, confirm which version of Samba is actually running:

    smbstatus | grep version

    The command should display the Centrify-enabled Samba version you have installed. For example:

    Samba version s.s.s-cdc-v.v.v-xxx

    (where s.s.s is the installed Samba version number and v.v.v is the DirectControl version number)

    The cdc-release string (cdc-v.v.v-xxx) indicates that the installed Samba package is Centrify-enabled Samba intended for use with DirectControl. If the running Samba is not the one provided by Centrify, completely remove that version and install the precompiled version from the Centrify-enabled Samba software package.

    If the correct version of Samba is installed, run smbstatus again, note the names of any *.tdb files it reports as missing, restore them from your backup, and then try running the smbclient program again.

    Rejoining the domain

    If the smbclient program does not display the Samba shares you have defined in the configuration file, review the settings in the smb.conf file, then leave and rejoin the Active Directory domain.

    Accessing Samba shares from a Windows desktop
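    The smbclient check and the ticket-refresh recovery just described, in scripted form. This is an added example and not part of this guide or of Centrify's tools: listing_status classifies the output of smbclient -k -L localhost into the cases the text distinguishes, and verify_local_shares runs the live command as the logged-on Active Directory user and applies the kdestroy/kinit recovery once on NT_STATUS_LOGON_FAILURE. The sample listing embedded in the script is constructed to match the format shown above, and its version numbers are made up.

```shell
#!/bin/sh
# Added example, not from the Centrify guide: classify `smbclient -k -L localhost`
# output and apply the ticket-refresh recovery described above.

# listing_status OUTPUT SHARE -> prints one of:
#   ok             SHARE is listed and the server banner carries the -cdc- marker
#   not-cdc        a listing came back, but the server is not Centrify-enabled Samba
#   missing        Centrify-enabled Samba answered, but SHARE is not a Disk share in the listing
#   logon-failure  NT_STATUS_LOGON_FAILURE: purge and re-obtain Kerberos tickets
#   error          some other NT_STATUS_* failure
listing_status() {
    out="$1"; share="$2"
    case "$out" in
        *NT_STATUS_LOGON_FAILURE*) printf '%s\n' logon-failure; return ;;
        *NT_STATUS_*)              printf '%s\n' error;         return ;;
    esac
    # Banner looks like: OS=[Unix] Server=[Samba s.s.s-cdc-v.v.v-xxx]
    if ! printf '%s\n' "$out" | grep -q 'Server=\[Samba [^]]*-cdc-'; then
        printf '%s\n' not-cdc; return
    fi
    # Share table rows are "<name> <Type> <comment...>"; only Disk shares count.
    if printf '%s\n' "$out" | awk -v s="$share" '$1 == s && $2 == "Disk" { found = 1 } END { exit !found }'; then
        printf '%s\n' ok
    else
        printf '%s\n' missing
    fi
}

# verify_local_shares SHARE: the live check, run after logging on as the AD user.
# Uses the Centrify Kerberos tools named in the text, so the refreshed tickets
# land in the cache that smbclient -k consults.
verify_local_shares() {
    kdir=/usr/share/centrifydc/kerberos/bin
    status=$(listing_status "$(smbclient -k -L localhost 2>&1)" "$1")
    if [ "$status" = logon-failure ]; then
        "$kdir/kdestroy"
        "$kdir/kinit" || return 1           # prompts for the AD password
        "$kdir/klist"
        status=$(listing_status "$(smbclient -k -L localhost 2>&1)" "$1")
    fi
    printf '%s\n' "$status"
    [ "$status" = ok ]
}

# Constructed sample listing in the format shown above (version numbers made up).
SAMPLE_LISTING='OS=[Unix] Server=[Samba 3.6.6-cdc-5.1.0-408]

        Sharename       Type      Comment
        ---------       ----      -------
        samba-test      Disk
        IPC$            IPC       IPC Service (Samba-CDC)
        sara            Disk      Home directories'

# Offline demonstration: prints "ok" then "missing".
listing_status "$SAMPLE_LISTING" samba-test
listing_status "$SAMPLE_LISTING" payroll
```

    Calling verify_local_shares samba-test on the managed computer returns 0 only when the test share is served by a -cdc- build; a not-cdc result means the vendor smbd is still the one answering on port 445, which is the situation the smbstatus check below is for.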

    To test access to Samba shares on a Linux or UNIX computer from a Windows desktop:

    1 Log on to a Windows computer that is joined to the domain with an Active Directory user account.

    2 Click Start > Windows Explorer, then navigate to the domain. For example, open My Network Places > Entire Network > Microsoft Windows Network > Arcade to view the Arcade.net domain.

    3 Select the Linux or UNIX computer that is running Centrify-enabled Samba to view its Samba shares. The default Samba share (samba-test) and any other shares you have defined for the computer are displayed.

    4 Click samba-test or browse other available Samba shares to verify that you can open existing files and create new files.

    5 Confirm from both Windows and the managed computer that the files in the share directories are owned by the correct users.

    If you cannot browse the shares on the Linux or UNIX computer from the Windows desktop, you should:

    Verify that there is network connectivity between the two systems.

    Confirm that you do not have a firewall running on the managed computer that is blocking access to the SMB ports (TCP 139 and 445).

    Make sure there are no stale Kerberos tickets on your Windows system by obtaining the Windows kerbtray program from the Microsoft Web site, installing it on the Windows computer, and using it to purge your Kerberos tickets. Log out and log in again to your Windows system and retest accessing the Samba shares from Windows.

    Modifying the Samba smb.conf configuration file

    The Samba configuration file, /etc/samba/smb.conf, defines important parameters for Samba-based file sharing. After you have verified the Samba integration with Centrify DirectControl and Active Directory using a sample configuration file and the test share, you need to modify the smb.conf file so that it accurately represents your environment. This file must include the [global] section that defines the Active Directory domain, authentication methods, and other parameters. The file should also include a section for each directory you are making accessible as an SMB share.

    The following shows a skeletal sample /etc/samba/smb.conf file for the domain, wonder.land.

    Note The smb.conf file shown below was generated on a computer running RedHat Enterprise Linux. adbindproxy.pl tests to determine what operating system is running on the host and generates an smb.conf file appropriate to that platform. For example, the smb.conf for SuSe-based computers includes the following comments and command:

    #
    # Suse 11 CUPS printing appears to crash at start up
    # So we disable printing on this platform for now
    printing = BSD

    Other platforms may have different exemptions and adjustments.

    #
    # This file was generated by Centrify ADBindProxy Utility
    #
    [global]
    security = ADS
    realm = WONDER.LAND
    workgroup = WONDER
    netbios name = debian5
    auth methods = guest, sam, winbind, ntdomain
    machine password timeout = 0
    passdb backend = tdbsam:/etc/samba/private/passdb.tdb
    #
    # Using kerberos keytab may lead to a serious Samba crash.
    # Centrify recommends against using it.
    # Kerberos authentication is still supported without it.
    #
    use kerberos keytab = No
    # If your Samba server only serves to Windows systems, try server signing = mandatory.
    server signing = auto
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes
    ignore syssetgroups error = No
    idmap uid = 1000 - 200000000
    idmap gid = 1000 - 200000000
    enable core files = false
    # Disable logging to syslog, and only write log to Samba standard log files.
    syslog = 0

    [samba-test]
    path = /samba-test
    public = yes
    # If public = No is set, the valid users parameter should also be set.
    # When the user or group is in AD, the syntax is:
    # valid users = WONDER\username +WONDER\group
    writable = yes

    [homes]
    comment = Home directories
    read only = No
    browseable = No

    Note Do not set use kerberos keytab = yes in the smb.conf file. Setting the kerberos keytab parameter to yes could result in a serious Samba crash. Kerberos authentication is supported through DirectControl without setting this parameter.

    At the beginning of a line, both the hash symbol (#) and the semi-colon (;) indicate lines to ignore. By convention, in this file, the hash indicates a comment and the semi-colon indicates a parameter you may wish to enable.

    The settings in the [global] section are required whether you use the sample configuration file or create your own smb.conf file. The settings in the [homes] section indicate that you want to share home directories, and the [samba-test] section describes the samba-test share as a publicly-writable share mapped to the /samba-test directory. For more information about editing the Samba configuration file and the supported parameters, see the Samba documentation.
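    As an added example that is not part of the Centrify guide, the following Python script reads an smb.conf the way Samba does (lines starting with # or ; ignored, keys case-insensitive) and reports the settings this section cautions about: use kerberos keytab, publicly writable shares, non-public shares with no valid users, and server signing. The embedded sample configuration is constructed for the example.

```python
import re
# Constructed sample: the guide's skeleton plus one restricted share.
SAMPLE_SMB_CONF = """\
[global]
use kerberos keytab = No
server signing = auto
[samba-test]
path = /samba-test
public = yes
writable = yes
[finance]
public = no
; valid users = WONDER\\finance   (still commented out, so unrestricted)
read only = No
"""

def parse_smb_conf(text):
    """{section: {key: value}}; '#'/';' lines ignored, keys lower-cased with whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf

def is_yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")

def lint_smb_conf(text):
    """Return (severity, section, message) findings for the guide's cautions."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if is_yes(g.get("use kerberos keytab")):
        findings.append(("error", "global", "use kerberos keytab = Yes (guide: keep it No)"))
    if g.get("server signing", "").lower() != "mandatory":
        findings.append(("info", "global", "server signing is not mandatory"))
    for name, share in conf.items():
        if name == "global":
            continue
        public = is_yes(share.get("public")) or is_yes(share.get("guest ok"))
        read_only = share.get("read only")
        writable = is_yes(share.get("writable")) or (read_only is not None and not is_yes(read_only))
        if public and writable:
            findings.append(("warning", name, "publicly writable share"))
        # [homes] is implicitly restricted to the connecting user, so it is skipped here.
        if not public and name != "homes" and "valid users" not in share:
            findings.append(("warning", name, "not public but no valid users set"))
    return findings
```

    Run lint_smb_conf on the text of your own /etc/samba/smb.conf before testparm to catch these three conditions; testparm checks syntax, not policy.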

    When you make changes to the smb.conf file, you should run the Samba utility testparm to make sure there are no errors in your smb.conf file before putting it into production use. When you run the testparm utility, you should see output similar to the following:

    Load smb config files from /etc/samba/smb.conf
    Processing section "[homes]"
    Processing section "[printers]"
    Processing section "[samba-test]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

    [global]
    workgroup = WONDER
    realm = WONDER.LAND
    security = ADS
    auth methods = guest, sam, winbind, ntdomain
    passdb backend = tdbsam:/etc/samba/private/passdb.tdb
    syslog = 0
    enable core files = No
    server signing = auto
    machine password timeout = 0
    adbindproxy backend = cdc:/usr/share/centrifydc/lib/libcapi.so
    adbindproxy standard mappers = No
    template shell = /bin/bash
    winbind use default domain = Yes

    [homes]
    comment = Home Directories
    read only = No
    browseable = No

    [printers]
    comment = All Printers
    path = /usr/spool/samba
    printable = Yes
    browseable = No

    [samba-test]
    path = /samba-test
    read only = No
    guest ok = Yes

    Appendix A Migrating existing Samba users to DirectControl

    This appendix describes how to migrate an existing user population from Samba servers to DirectControl.

    Note The information in this chapter is relevant to systems with at least the Centrify Suite DirectControl, DirectAuthorize, and DirectManage components installed and on which you created a Centrify Zone, either by name or by using the default zone option. These instructions do not apply to computers with Centrify Express installed or to computers that are joined through Auto Zone. If you are using Centrify Express or if you have joined to a zone through Auto Zone, it is not possible to migrate existing Samba UID and GID settings.

    The following topics are covered:

    Migrating UNIX profiles to Active Directory

    Migrating Samba servers to Centrify Zones

    Migrating UNIX profiles to Active Directory

    If your current environment includes Samba servers that are joined to the Active Directory domain as member servers and existing Windows users access the data on those servers, you may want to migrate those existing users to DirectControl so you can rationalize UIDs and GIDs and manage all of your network's conflicting identities in a single, centralized ID repository.

    Note Migrate your Samba users to Active Directory, as explained in this section, before integrating Centrify-enabled Samba and DirectControl as explained in Running the adbindproxy.pl on page 23.

    If winbind is currently configured in your /etc/nsswitch.conf file, run the following commands to save the information to a file before installing Centrify-enabled Samba:

    getent passwd | grep -e -f /etc/passwd > /tmp/passwd.winbind
    getent group | grep -e -f /etc/group > /tmp/group.winbind

    Otherwise, use the following adbindproxy.pl --exports steps after installing Centrify-enabled Samba to migrate the users:

    1 Identify the Samba servers you want to update to integrate with DirectControl.

    2 On each of the Samba servers to be updated, locate the winbindd_idmap.tdb file and create a backup copy of the file. For example, run a command similar to the following to view details about the Samba build:

    /CurrentSambaBinaryPath/smbd -b | grep -i lockdir

    In the output, you should see a line similar to the following that indicates the location of the winbindd_idmap.tdb file:

    LOCKDIR: /var/lib/samba

    3 Make a backup copy of the file; for example:

    cp /var/lib/samba/winbindd_idmap.tdb /tmp/winbindd_idmap.tdb.pre_adbindproxybackup

    4 Run the adbindproxy.pl script with the following options to generate the export files.

    perl /usr/share/centrifydc/bin/adbindproxy.pl --exports --gidfile filename --uidfile filename --tdbfile filename

    See Appendix B, Using adbindproxy.pl, for details about the command-line parameters for adbindproxy.pl.

    When you run adbindproxy.pl with these options, it generates export files for the users and the groups that are currently known by the Samba server. By default, these files are created as:

    /var/centrifydc/samba/passwd
    /var/centrifydc/samba/group

    5 After generating the export files, move them to a Windows domain controller. Then use the Import from UNIX wizard in the DirectControl Administrator Console to import the users and groups with their existing UID and GID mappings into the zone.

    For more information on importing existing user and group information and mapping information to Active Directory, see the Importing existing users and groups chapter in the Centrify Suite Administrator's Guide.

    Migrating Samba servers to Centrify Zones

    Samba generates UIDs and GIDs based on a range of values that have been defined for a specific server. In most cases, a user who has accessed two different Samba servers is likely to have two different UIDs, for example, 6003 on the server mission and 9778 on the server dolores. Therefore, in an initial migration of existing users, each Samba server must join the Active Directory domain in a separate Centrify Zone to accommodate the different UIDs and GIDs that users and groups may have.
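    As an added example that is not part of the guide, the following Python script compares the per-server export files from step 4 and reports both kinds of identity clash that force separate zones: a user (alice, on the mission and dolores servers above) who received a different UID on each server, and a UID that two servers handed to different users. It assumes the --uidfile export uses the colon-separated /etc/passwd layout that Appendix B names as that option's default; the embedded export contents are constructed.

```python
from collections import defaultdict

# Constructed exports from the two servers named in the text: alice got a
# different UID on each, and dolores reused UID 6003 for a different user.
EXPORTS = {
    "mission": "alice:x:6003:5000::/home/alice:/bin/bash\n"
               "bob:x:6004:5000::/home/bob:/bin/bash\n",
    "dolores": "alice:x:9778:5000::/home/alice:/bin/bash\n"
               "carol:x:6003:5000::/home/carol:/bin/bash\n",
}

def parse_passwd_export(text):
    """Return {username: uid} from a passwd-format export, skipping malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users

def find_id_conflicts(exports):
    """Return (user_conflicts, uid_collisions).
    user_conflicts: {user: {server: uid}} where one user has differing UIDs.
    uid_collisions: {uid: {server: user}} where one UID names different users.
    Servers that appear together in either map cannot share a zone on import."""
    by_user, by_uid = defaultdict(dict), defaultdict(dict)
    for server, text in exports.items():
        for user, uid in parse_passwd_export(text).items():
            by_user[user][server] = uid
            by_uid[uid][server] = user
    user_conflicts = {u: m for u, m in by_user.items() if len(set(m.values())) > 1}
    uid_collisions = {i: m for i, m in by_uid.items() if len(set(m.values())) > 1}
    return user_conflicts, uid_collisions

def servers_needing_own_zone(exports):
    """Servers involved in any conflict; each of these must join its own zone."""
    user_conflicts, uid_collisions = find_id_conflicts(exports)
    servers = set()
    for mapping in list(user_conflicts.values()) + list(uid_collisions.values()):
        servers.update(mapping)
    return servers

if __name__ == "__main__":
    users, uids = find_id_conflicts(EXPORTS)
    for user, per_server in users.items():
        print(f"{user}: differing UIDs {per_server}")
    for uid, per_server in uids.items():
        print(f"UID {uid}: assigned to {per_server}")
    print("servers needing a separate zone:", sorted(servers_needing_own_zone(EXPORTS)))
```

    The same comparison applies to the group export files (GIDs); only the file layout differs.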

    Appendix B Using adbindproxy.pl

    This appendix describes the options available for the adbindproxy command-line tool. The adbindproxy.pl utility is used to configure Centrify-enabled Samba and Centrify DirectControl to work together and provides specific functions, such as exporting UIDs and GIDs, creating symbolic links to Centrify-enabled Samba binaries and libraries, and restoring backed-up Samba files.

    Note For step-by-step instructions about running adbindproxy.pl to configure Centrify-enabled Samba and Centrify DirectControl to work together, see Running the adbindproxy.pl on page 23.

    Synopsis

    adbindproxy.pl [--help] [--info] [--restore] [--symbol] [--verbose] [--version]
    adbindproxy.pl --exports [--gidfile filename] [--uidfile filename] [--tdbfile filename]

    adbindproxy.pl options

    You can use the following options with this command:

    Use this option / To do this

    -E, --exports
    Export user IDs (UIDs) and group IDs (GIDs) that are stored in Samba's winbindd_idmap.tdb file. Use the --gidfile and --uidfile options to specify the export files for the GIDs and UIDs. Use the --tdbfile option to specify the .tdb file that contains the GIDs and UIDs. After export, you can use the Centrify DirectControl Administrator Console to import the users and groups with their existing UID and GID mappings into a zone.

    -g, --gidfile filename
    Specify the file in which to write the Samba-created ADGroup to GID mappings. Use this option with the --exports option. By default, the file is /etc/group.

    -h, --help
    Display the adbindproxy.pl usage information.

    -i, --info
    Display Samba interoperability information.

    -r, --restore
    Restore files backed up from the first time you configured Samba for interoperability with DirectControl. Typically, you run adbindproxy.pl with the --restore option to restore Samba files before uninstalling the Centrify-enabled version of Samba.

    -S, --symbol
    Force the creation of symbolic links to Centrify-enabled Samba binaries and libraries without asking for confirmation.

    -t, --tdbfile filename
    Specify the location of the winbindd_idmap.tdb file that contains Samba UID and GID information. This option is used during the UID and GID export process. If you omit this option, the default file to export from is /var/lib/samba/winbindd_idmap.tdb.

    -u, --userfile filename
    Specify the file in which to write Samba-created ADUser to UID mappings. Use this option with the --exports option. By default, the file is /etc/passwd.

    -v, --version
    Display version information for the installed software.

    -V, --verbose
    Display detailed information for each operation.

    Examples

    To display basic information about the configuration of Centrify-enabled Samba and interoperability with DirectControl and Active Directory, you could type a command line similar to the following:

    adbindproxy.pl --info

    This command displays information similar to the following (where v.v.v is the DirectControl version number and s.s.s is the Samba version number):

    The Samba base path is: /opt/centrify/samba
    CentrifyDC Realm = ARCADE.NET
    CentrifyDC NTLM Domain = ARCADE
    CentrifyDC Host = magnolia.arcade.net
    CentrifyDC Short Host = magnolia
    CentrifyDC version = CentrifyDC v.v.v
    Samba Version = s.s.s-CDC-v.v.v
    Samba Realm = ARCADE.NET
    Samba NetBIOS Name = MAGNOLIA
    Samba Version Supported = yes
    Samba and CDC in same Realm = yes
    Samba and CDC share machine account = yes

    To export existing Samba GID and UID information that you want to import into a Centrify Zone, and to show details about the operation performed, type a command line similar to the following:

    adbindproxy.pl --exports --verbose

    This command displays information similar to the following:

    The existing uid mappings have been exported to /var/centrifydc/samba/passwd.
    The existing gid mappings have been exported to /var/centrifydc/samba/group.
