Samba share with freeipa auth

Use FreeIPA Authentication for Samba CIFS Shares for Non-domain Windows Clients

I couldn’t find a singular place on the Internet for a descriptive guide of how to configure samba to use freeipa authentication for cifs shares for non-domain Windows clients.
There are guides out there for freeipa cross-domain trust, so you can share with a domain-joined Windows client, including https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA.

This document will show you how to set up Samba 4.4.4 to use FreeIPA 4.4.0 usernames and passwords to allow Windows clients to connect to cifs shares.

Example environment

  • Freeipa domain is vm.example.com.
  • A freeipa master on CentOS7 host1.vm.example.com 192.168.100.10
  • A freeipa replica on CentOS7 host2.vm.example.com 192.168.100.11
  • Samba server will go on host2.vm.examplecom.
  • Windows client is horatio.vm.example.com.

Samba share with freeipa auth

Install freeipa server (and replica)

You need a working freeipa environment, which is outside the scope of this document. A quick sample installation process is:

### INSTALL FREEIPA host1.vm.example.com
firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=ntp --add-service=dns --add-service=dhcp --add-service=kerberos
firewall-cmd --reload

yum install -y ipa-server ipa-client
ipa-server-install -r VM.EXAMPLE.COM -n vm.example.com --mkhomedir --hostname="$( hostname --fqdn )" --admin-password='adminpassword' --ds-password='dspassword'

### INSTALL REPLICA host2.vm.example.com
firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=ntp --add-service=dns --add-service=dhcp --add-service=kerberos
firewall-cmd --reload

yum install -y ipa-server ipa-client
ipa-client-install --mkhomedir --force-ntpd --enable-dns-updates
ipa-replica-install --setup-ca --mkhomedir

Install samba server

Install the samba packages.

yum -y install samba samba-client sssd-libwbclient

Create the cifs principal for samba on one of the ipa controllers.

# run on an ipa controller. This principal name is "service/hostname"
ipa service-add cifs/host2.vm.example.com

Fetch the keytab to the samba server. In this example, it’s the same as the replica.

# on samba server
kinit -kt /etc/krb5.keytab
ipa-getkeytab -s host1.vm.example.com -p cifs/host2.vm.example.com -k /etc/samba/samba.keytab
setsebool -P samba_enable_home_dirs on &

Reference: https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

Install adtrust components

On the freeipa controller

yum -y install ipa-server-trust-ad
ipa-adtrust-install --add-sids

I recommend running this interactively, as shown above. Let it overwrite your samba config. It will configure it to use the registry, and we will rewrite it to suit the demands here.
The ipa-adtrust-install command generates the records you need to add to dns. They will look like:

Add the following service records to your DNS server for DNS zone vm.example.com: 
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 389 host2.vm.example.com.
_kerberos._udp.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 88 host2.vm.example.com.
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 88 host2.vm.example.com.
_ldap._tcp.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 389 host2.vm.example.com.
_kerberos._tcp.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 88 host2.vm.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.vm.example.com. 86400 IN SRV 0 100 88 host2.vm.example.com.

I successfully added them just fine by pasting them into my zone file and running rndc reconfig or systemctl restart named.
The adtrust mechanism adds new attributes to each user and group, specifically ipaNTSecurityIdentifier (the SID) and ipaNTHash. Technically the ipaNTHash can only be generated when the user changes passwords.
Reference: https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html

On the samba server

Install the ipa-server-trust-ad package on the samba server. You need this package there to get the ipasam config option in smb.conf.

yum -y install ipa-server-trust-ad

Open the firewall for the ports mentioned in the output of the command. You can use this script.

tf=/lib/firewalld/services/freeipa-samba.xml
touch "${tf}"; chmod 0644 "${tf}"; chown root:root "${tf}"; restorecon "${tf}"
cat <<EOFXML > "${tf}"
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>IPA and Samba</short>
  <description>This service provides the ports required by the ipa-adtrust-install command.</description>
  <port protocol="tcp" port="135"/>
  <port protocol="tcp" port="138"/>
  <port protocol="tcp" port="139"/>
  <port protocol="tcp" port="445"/>
  <port protocol="tcp" port="1024-1300"/>
  <port protocol="udp" port="138"/>
  <port protocol="udp" port="139"/>
  <port protocol="udp" port="389"/>
  <port protocol="udp" port="445"/>
</service>
EOFXML
systemctl restart firewalld
firewall-cmd --permanent --add-service=freeipa-samba
firewall-cmd --reload
echo done

Allow samba to read passwords

This is the magic part that is so hard to find on the Internet.
You will need to give special permissions to the samba service to read user passwords.

ipa permission-add "CIFS server can read user passwords" \
   --attrs={ipaNTHash,ipaNTSecurityIdentifier} \
   --type=user --right={read,search,compare} --bindtype=permission
ipa privilege-add "CIFS server privilege"
ipa privilege-add-permission "CIFS server privilege" \
   --permission="CIFS server can read user passwords"
ipa role-add "CIFS server"
ipa role-add-privilege "CIFS server" --privilege="CIFS server privilege"
ipa role-add-member "CIFS server" --services=cifs/host2.vm.example.com

Reference: http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa

Explanation

If you use ldapsearch with kerberos authentication (after a kinit admin, of course), you can see attributes about users.

ldapsearch -Y gssapi "(uid=username)"

Even if the user has generated a new password since the adtrust installation, even the admin cannot see the ipaNTHash attribute.
To confirm the samba service can read the ipaNTHash, use its keytab and search for that attribute.

# on the samba server, so host2.vm.example.com
kdestroy -A
kinit -kt /etc/samba/samba.keytab cifs/host2.vm.example.com
ldapsearch -Y gssapi "(ipaNTHash=*)" ipaNTHash

Configure samba to use freeipa auth

When freeipa adjusts the samba config, it will just make it use the registry backend. You can view the equivalent conf file with testparm.
Here is a complete /etc/samba/smb.conf.

tf=/etc/samba/smb.conf
touch "${tf}"; chmod 0644 "${tf}"; chown root:root "${tf}"; restorecon "${tf}"
cat <<EOFCONF > "${tf}"
[global]
	debug pid = yes
	realm = VM.EXAMPLE.COM
	workgroup = VM
	domain master = Yes
	ldap group suffix = cn=groups,cn=accounts
	ldap machine suffix = cn=computers,cn=accounts
	ldap ssl = off
	ldap suffix = dc=vm,dc=example,dc=com
	ldap user suffix = cn=users,cn=accounts
	log file = /var/log/samba/log
	max log size = 100000
	domain logons = Yes
	registry shares = Yes
	disable spoolss = Yes
	dedicated keytab file = FILE:/etc/samba/samba.keytab
	kerberos method = dedicated keytab
	#passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-VM-EXAMPLE-COM.socket
	#passdb backend = ldapsam:ldapi://%2fvar%2frun%2fslapd-VM-EXAMPLE-COM.socket
	passdb backend = ipasam:ldap://host2.vm.example.com ldap://host1.vm.example.com
	security = USER
	create krb5 conf = No
	rpc_daemon:lsasd = fork
	rpc_daemon:epmd = fork
	rpc_server:tcpip = yes
	rpc_server:netlogon = external
	rpc_server:samr = external
	rpc_server:lsasd = external
	rpc_server:lsass = external
	rpc_server:lsarpc = external
	rpc_server:epmapper = external
	ldapsam:trusted = yes
	idmap config * : backend = tdb

	ldap admin dn = cn=Directory Manager

[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes
EOFCONF
systemctl restart smb.service

Appendices

Get localsid

Get the local SID

net getlocalsid

Changing ipa domains

It’s possible that if you change ipa domains, the sssd cache is not cleared and you will have cached information for the old domain which can prevent user authentication from happening. You can just clear the cache directory manually and restart sssd.

rm -rf /var/lib/sss/db/*
systemctl restart sssd.service

Reference: https://bgstack15.wordpress.com/2017/05/07/freeipa-client-uninstall-and-reinstall/

References

Weblinks

  1. install samba and kerberize it https://sites.google.com/site/wikirolanddelepper/directory-services/ipa-server-with-samba
  2. add cifs/servername entry https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
  3. cifs service needs custom privilege to read password http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
  4. Each user must generate a new password https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html
  5. Seminal article about freeipa and samba integration https://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
  6. Changing ipa domains https://bgstack15.wordpress.com/2017/05/07/freeipa-client-uninstall-and-reinstall/
Advertisements

Cifs keepalive

Updated

This post originally talked about cifs-keepalive.sh, which is now bundled into the newer and more fully-featured shares.sh.

Overview

When a Linux system has a cifs mount to another server, sometimes it can time out. If you haven’t used it in a while, the connection becomes stale. If you do an ls -l /mnt it might take a while, and then return a ‘/mnt/cifsdirectory not found’ before displaying the directory contents.

Solution

My solution is a multi-tool script for network shares, which I simply call “shares.” It’s a part of my bgscripts package accessible on github.

Code walkthrough

Obviously, there are many ways to implement this. All my script does is touch a file in a cifs mounted directory every couple of minutes.

Check out its usage block from lines 18-33.

usage: shares.sh [-duV] [-r|-k] [-a] [-t <type>] [/mounted/directory [ ... ]]
version ${sharesversion}
-d debug Show debugging info, including parsed variables.
-u usage Show this usage block.
-V version Show script version number.
-r remount Remount shares
-k keepalive Touch shares to keep them from timing out
-a all All shares. Can be limited with -t. Default behavior if no directories provided.
-t <type> Only this type of share. Needs -a flag.
Return values:
0 Normal
1 Help or version info displayed
2 Invalid input options
3 Incorrect OS type
4 Unable to find dependency
5 Not run as root or sudo

The best way to run it is just with the -a flag. It will scan the currently mounted filesystems and list just the cifs/nfs ones as defined $validtypes. See lines 224-237,245:

# all currently mounted filesystems of the requested type
# get type, if requested
alltypes="$( echo "${validtypes}" | tr ' ' '|' )"
case "${type}" in
   "")
      searchstring="(${alltypes})"
      ;;
   *)
      if echo "${validtypes}" | grep -qiE "${type}" 1>/dev/null 2>&1;
      then
         searchstring="${type}"
      else
         searchstring="."
      fi

mount | grep -viE "${excludes}" | awk "/type ${searchstring}/{print \$3;}" >> "${tempfile1}"

And the actual keepalive command is just a touch –no-create, from lines 268-276.

keepalive)
   while read word;
   do
       debuglev 1 && echo "touching ${word}";
       touch --no-create "${word}/.fskeepalive" 1>/dev/null 2>&1
   done < "${tempfile1}"
   ;;

To make it run every three minutes, place a cron entry. Mine is in /etc/cron.d/shares-keepalive.cron:

*/3	*	*	*	*	root	/usr/share/bgscripts/shares.sh --all --keepalive 1>/dev/null 2>&1

Samba share with AD authentication

Updates

AD is great for a Windows environment. Now I have a guide for Samba shares with freeipa auth!

Overview

This document describes how to configure a Linux system joined to an AD environment to have a working Samba share for Windows users that uses the AD users and groups for authentication.

Preliminary steps

These steps are covered in the internal CentOS and Ubuntu 16.04 templates.

  • Ensure ntp is running and enabled
  • The server is joined to the domain

Setting up samba

Install samba (which should include samba-client and samba-common, at least for rpm)

Centos 7 Ubuntu 16.04
yum -y install samba
apt-get install -y samba

Reference: https://www.howtoforge.com/samba-server-installation-and-configuration-on-centos-7#-preliminary-note

Open firewall

Centos 7 Ubuntu 16.04
firewall-cmd --permanent --add-service=samba
systemctl restart firewalld.service
ufw allow samba

Reference: https://wiki.centos.org/HowTos/SetUpSamba
Modify /etc/samba/smb.conf

bup /etc/samba/smb.conf 2>/dev/null
cat <<EOFSMB > /etc/samba/smb.conf
[global]
        security = ads
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        kerberos method = system keytab
        netbios name = $( hostname -s )
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        dns proxy = no
        encrypt passwords = yes
        passdb backend = tdbsam
        load printers = no
        cups options = raw
        printcap name = /dev/null
[homes]
        comment = Home Directories
        browseable = no
        writable = yes

# END BASELINE SMB.CONF 
EOFSMB
/bin/cp -p /etc/samba/smb.conf /etc/samba/smb.conf.example

Reference for kerberos method: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html
On CentOS 7 only, set SELinux to allow samba to share nfs locations if necessary.

setsebool -P samba_share_nfs 1

Reference: http://serverfault.com/questions/470878/is-there-a-way-to-share-via-smb-a-filesystem-mounted-via-nfs-without-disabling-s/470879#470879
Start and enable the samba service

Centos 7 Ubuntu 16.04
systemctl enable smb
systemctl start smb
systemctl enable smbd nmbd
systemctl start smbd nmbd

Making smb.conf dynamic

Unfortunately smb.conf does not provide support for a directive similar to “include = /etc/samba/smb.conf.d/*.conf.” However, with some modifications and a shell script this can be simulated.
A template file, input directory for extra snippets, and output file can be used along with this script.

cat <<'EOFSCRIPT' > /usr/local/bin/samba-conf
#!/bin/sh
# File: /usr/local/bin/samba-conf

infile1=/etc/samba/smb.conf.example
indir1=/etc/samba/smb.conf.d
outfile1=/etc/samba/smb.conf
tmpfile1=/etc/samba/smb.conf.orig.$( date "+%Y-%m-%d").$$

[[ ! -f "${infile1}" ]] && echo "$0: 2. Template not found: ${infile1}. Aborted." 1>&2 && exit 1

{
   cat "${infile1}"
   printf "\n"
   find "${indir1}" -type f -regex ".*.conf" 2>/dev/null | sed -e 's/^/include = /;'
} > "${tmpfile1}"

{
   if ! diff -q "${tmpfile1}" "${outfile1}";
   then
      /bin/chmod --ref "${outfile1}" "${tmpfile1}"
      /bin/cp -p "${tmpfile1}" "${outfile1}"
      /bin/rm -rf "${tmpfile1}"
   fi
   /bin/rm -rf "${tmpfile1}"
} >/dev/null 2>&1
EOFSCRIPT
chmod 750 /usr/local/bin/samba-conf

Modify any files in /etc/samba/smb.conf.d/ and then run samba-conf.

Connecting client to the share

On a Windows client, use Windows Explorer and navigate to \\hostname.example.com\ and see if the share is available. If you must log in as a different user, you can use the Windows command on the command line:

net use \\hostname.example.com\bgscripts /user:example\bgscripts

Also to clear a connection to a shared location, use:

net use \\hostname.example.com\bgscripts /delete

Appendices

Sample share file /etc/samba/smb.conf.d/bgscripts.conf

mkdir -p /etc/samba/smb.conf.d/
cat <<EOF > /etc/samba/smb.conf.d/bgscripts.conf
[bgscripts]
        path = /mnt/scripts/share
        comment = Test samba share
        browsable = yes
        public = yes
        writable = yes
        valid users = @"Linux-Server-Access_grp@EXAMPLE.COM"
EOF

References

Weblinks

  1. https://wiki.centos.org/HowTos/SetUpSamba
  2. https://www.howtoforge.com/samba-server-installation-and-configuration-on-centos-7#-preliminary-note
  3. Complete working guide with AD users and everything http://www.hexblot.com/blog/centos-7-active-directory-and-samba
  4. SELinux managing contexts http://www.linuxquestions.org/questions/linux-security-4/selinux-and-help-with-chcon-762735/

SELinux Policy: Managing File Contexts
Change file context

chcon -R -t public_content_t /mydata/html

Does not persist across a relabel! (eg reboot)
Add new mapping

semanage fcontext -a -t public_content_t '/mydata/html(/.*)?'

Apply the policy context to existing files

restorecon -vvFR /mydata/html
  1. SELinux policy http://serverfault.com/questions/470878/is-there-a-way-to-share-via-smb-a-filesystem-mounted-via-nfs-without-disabling-s/470879#470879
  2. Ubuntu needed help accessing AD through SSSD. Found solution here https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html

Internal documents

  1. The environment required, including krb5.conf and sssd.conf, comes from Building the Centos 7 Template
  2. Firewall commands from Adding the service httpd