Managing access to Samba file servers in an AD-based Windows domain

    We continue our series of articles on the interaction between Linux and Windows. This article covers managing access to Samba servers from an AD domain.

    Unlike the previous articles, which used a test network as an example, this article is based on a real, production network: that of the Moscow Power Engineering Institute (MPEI). About 25,000 users are registered on the MPEI network, which links all of the institute's academic buildings and more than 4,500 workstations. We will consider setting up access to a Samba server that provides users with the following services:
    • access to the user's personal directory;
    • access to shared directories;
    • access control using both Samba tools and Windows tools.

    About the MEI network

    The computer network of the Moscow Power Engineering Institute (IVS MEI) uses a Windows domain structure based on AD. Our network has several domains. The top-level domain is mpei.local. The domain public.mpei.local is intended for MEI users, and init.mpei.local for employees of the MEI Information and Computing Center.
    The server we are setting up is a clustered file store that hosts user directories (for employees of the IVS MEI and of MPEI, i.e. users of the INIT and PUBLIC domains) and shared directories. The server operating system is Ubuntu Linux 12.04 LTS. The directories are:
    • Backups: for storing backups. Directory administrators have access to the directory.
    • ISOs and Software: for storing disk images of operating system distributions and other software used in the IVS MEI. The information in these directories is readable by all users, but only domain administrators can write.
    • VMImages: for storing images of the virtual machines used in the IVS MEI. This directory is accessible to all users; only domain administrators can write.
    • User directories: for hosting user files.

    The clustered file store is built on distributed object storage and the Ceph file system. More information about Ceph can be found on the project website, www.ceph.com. The store consists of three servers that both hold the data and control its placement. Access to the store's file system goes through a gateway that is a client of the Ceph store on one side and, on the other, exposes it via Samba. The gateway machine is a KVM-based virtual machine running on the servers with Ceph. It is this gateway machine that we configure to provide access. Its operating system is also Ubuntu Linux 12.04 LTS. Our server is called filer.mpei.local.

    How the clustered file store is organized is not crucial for solving the access control problem; such a store can be built with a variety of technologies and implementations.

    It should be noted that a large number of users, about 25,000, are registered in our network, so creating directories for all of them is a very time-consuming task. Moreover, not all users will have their own directory on the file store. It follows that directories should be created automatically, the first time a user connects to the server. Automatic creation of user directories when logging in through the Linux shell was discussed earlier, in the article on CentOS configuration. In our case that method is not applicable, since the institute network serves users with widely varying experience and knowledge of operating systems. Creating the directory on first connection must be transparent to the user and must not depend on the server operating system.

    Joining an Ubuntu Linux Samba server to a domain has already been covered earlier. We join our server to the top-level domain mpei.local. To authorize users we will use winbind.

    Since we use several domains, it is advisable to set the following in the [global] section of the smb.conf file:
    winbind use default domain = no

    By disabling this option we tell Samba that a name given without a domain refers to a local server user, and that in all other cases the domain name must be specified. This is necessary because users in different domains can have the same name.

    If the filer server has been joined to the domain correctly, a getent passwd request should return the users of all domains, and a getent group request the groups of all domains. If this is not the case, check the contents of the /etc/nsswitch.conf file, which should look like this:
    root@filer:~# cat /etc/nsswitch.conf
    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd:         compat winbind
    group:          compat winbind
    shadow:         compat

    hosts:          files dns
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis
    root@filer:~#

    You should also check how Samba users are authorized. To do this, look at the contents of the /etc/pam.d/samba file:
    root@filer:~# cat /etc/pam.d/samba
    @include common-auth
    @include common-account
    @include common-session-noninteractive
    root@filer:~#

    As you can see, the file is very simple and consists of references to /etc/pam.d/common-auth, /etc/pam.d/common-account and /etc/pam.d/common-session-noninteractive.
    Accordingly, the contents of these files should also be checked for use of the pam_winbind.so module. In the vast majority of cases there is no need to edit the PAM system files in /etc/pam.d. But we have a requirement to create user directories automatically at first login. For our configuration, add the following line to /etc/pam.d/common-session-noninteractive:
    session required pam_mkhomedir.so skel=/etc/skel umask=0077

    You can also put this line in /etc/pam.d/common-session. This line causes the pam_mkhomedir.so module (for details see http://manpages.ubuntu.com/manpages/maverick/man8/pam_mkhomedir.8.html or http://www.ibm.com/developerworks/ru/library/l-pam/index.html) to create the user's home directory automatically at login.
    As a result, the output of getent passwd should look something like this:
    PUBLIC\khorkov:*:28972:10007:Хорьков Сергей Николаевич:/ceph/home/PUBLIC/khorkov:/bin/bash

    The fields correspond to those of the /etc/passwd file, the standard place for user data on Linux and Unix systems. The fields are:
    • login name
    • optional encrypted password
    • numerical user ID
    • numerical group ID
    • user name or comment field
    • user home directory
    • optional user command interpreter
    When the server is joined to an AD-based Windows domain, the login name is the domain name and the user name joined by a separator, either a backslash (\) or the character given by the winbind separator option.
    The password field contains *, meaning that passwords come from an external source.
    The UID and GID values are derived from the idmap uid and idmap gid (or idmap config) options of the Samba configuration file.
    The home directory field is generated from the template homedir option of the Samba configuration file, and the command interpreter field from the template shell option.

    From this output we can see that the home directory of user khorkov in the PUBLIC domain will be /ceph/home/PUBLIC/khorkov. This is the directory that should be created automatically. Thus, the [global] and [homes] sections of our /etc/samba/smb.conf file look like this:
    [global]
            log file = /var/log/samba/log.%m
            obey pam restrictions = yes
            map to guest = bad user
            encrypt passwords = true
            dns proxy = no
            netbios name = Filer
            server string = %h server (Samba, Ubuntu)
            unix password sync = yes
            workgroup = MPEILOCAL
            os level = 20
            security = ads
            syslog = 4
            panic action = /usr/share/samba/panic-action %d
            usershare allow guests = yes
            max log size = 1000
            pam password change = yes
            realm = MPEI.LOCAL
            idmap uid = 10000-50000
            idmap gid = 10000-50000
            template shell = /bin/bash
            template homedir = /ceph/home/%D/%U
            winbind enum groups = yes
            winbind enum users = yes
            winbind refresh tickets = yes
            acl compatibility = auto
            map acl inherit = yes
            usershare path = /var/lib/samba/usershares
    [homes]
            comment = Home Directories
            browseable = no
            path = /ceph/home/%D/%U
            read only = no
            create mask = 0700
            directory mask = 0700
            valid users = PUBLIC\%S INIT\%S

    Most of the parameters have already been discussed in previous articles (for example, http://habrahabr.ru/post/171057/ or http://habrahabr.ru/post/143190/). Let us dwell on the options that matter for security and access control.

    The obey pam restrictions = yes option tells the Samba server to honour the PAM account and session directives for connecting users. In our case this is what lets the pam_mkhomedir directive create the home directory.
    The acl compatibility = auto and map acl inherit = yes options let the Samba server choose the ACL compatibility mode and handle ACL inheritance. These options are important for controlling access to Samba from Windows clients. For this to work, the file system that hosts the Samba share must support POSIX ACLs; on Linux this requires the corresponding packages (on Ubuntu, acl and attr).

    Next, user directories are defined in the [homes] section. The directory path is given by the path option. Samba configuration files support variable substitution: in particular, %D is replaced with the short domain name, %U with the user name, and %S with the share (service) name, which for [homes] matches the user name. Access is read-write, as indicated by read only = no. The valid users option lists the users who are allowed to access (log in to) this share. The create mask (permission mask applied when creating a file) and directory mask (permissions applied when creating a directory) options are important. In every case the owner of the home directory and of the files and directories created in it will be the user who connected to the share, with the uid and gid reported by getent passwd.

    Note that in 99% of cases the group will be the domain's Domain Users group. The value 0700 gives the user full rights to the files or directories and denies access to everyone else, including the group. To allow the group to read, the group digit (the third digit of 0700) must be 4 (read) or 5 (read and execute). How permissions are determined in Linux is described in any book on this operating system.
    The valid users value restricts access to the directory to users of the INIT and PUBLIC domains.
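    The following is an added check, not part of the original article: a shell script that verifies a getent passwd entry against the smb.conf values above (template homedir, the idmap uid/gid ranges, template shell, and the domains named in valid users of [homes]). The entry is constructed from the output shown earlier; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: check that a winbind-provided getent passwd entry is
# consistent with the smb.conf settings shown in the article.

# Values taken from the [global] and [homes] sections above.
IDMAP_LOW=10000
IDMAP_HIGH=50000
TEMPLATE_HOMEDIR='/ceph/home/%D/%U'
TEMPLATE_SHELL='/bin/bash'
HOMES_DOMAINS='PUBLIC INIT'      # domains named in "valid users" of [homes]

# Constructed entry in the form getent passwd prints for a domain user.
ENTRY='PUBLIC\khorkov:*:28972:10007:Хорьков Сергей Николаевич:/ceph/home/PUBLIC/khorkov:/bin/bash'

# check_entry LINE: prints "ok" and returns 0, or prints the problems found
# (space separated) and returns 1.
check_entry() {
  line=$1
  login=$(printf '%s\n' "$line" | cut -d: -f1)
  uid=$(printf '%s\n' "$line" | cut -d: -f3)
  gid=$(printf '%s\n' "$line" | cut -d: -f4)
  home=$(printf '%s\n' "$line" | cut -d: -f6)
  shell=$(printf '%s\n' "$line" | cut -d: -f7)

  # With "winbind use default domain = no" a name without DOMAIN\ is a
  # local server account, which [homes] does not admit.
  case $login in
    *\\*) domain=${login%%\\*}; user=${login#*\\} ;;
    *)    echo local-account; return 1 ;;
  esac

  problems=''
  # Expand %D and %U in "template homedir" the way Samba does.
  expected_home=$(printf '%s\n' "$TEMPLATE_HOMEDIR" | sed "s|%D|$domain|;s|%U|$user|")
  [ "$home" = "$expected_home" ] || problems="$problems home-mismatch"
  [ "$uid" -ge "$IDMAP_LOW" ] && [ "$uid" -le "$IDMAP_HIGH" ] || problems="$problems uid-outside-idmap"
  [ "$gid" -ge "$IDMAP_LOW" ] && [ "$gid" -le "$IDMAP_HIGH" ] || problems="$problems gid-outside-idmap"
  [ "$shell" = "$TEMPLATE_SHELL" ] || problems="$problems shell-mismatch"
  case " $HOMES_DOMAINS " in
    *" $domain "*) ;;
    *) problems="$problems domain-not-in-valid-users" ;;
  esac

  if [ -z "$problems" ]; then echo ok; else echo "${problems# }"; return 1; fi
}

check_entry "$ENTRY"
# A constructed entry whose home path does not follow the template:
check_entry 'PUBLIC\khorkov:*:28972:10007:x:/ceph/home/PUBLIC/khorko:/bin/bash' || :
```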

    Now let's move on to the settings of shared directories, using the Software directory as an example:
    [Software]
            browseable = yes
            comment = Various soft
            read only = yes
            valid users = MPEILOCAL\%U  PUBLIC\%U  INIT\%U
            path = /ceph/data/Software
            inherit acls = yes
            inherit owner = yes
            inherit permissions = yes
            map acl inherit = yes
            nt acl support = yes
            write list = @"MPEILOCAL\enterprise admins" @"PUBLIC\Domain admins" @"INIT\Domain admins"  PUBLIC\khorkov
            admin users = PUBLIC\khorkov
            hide unreadable = yes

    We have already discussed the share path and the user restrictions. The nt acl support = yes option lets Samba map Windows permissions onto Linux permissions. The options inherit acls = yes, inherit owner = yes, inherit permissions = yes and map acl inherit = yes make Samba inherit permissions and access lists from the parent directory. The hide unreadable = yes option hides directories and files that the user cannot read.
    The admin users option lists the users who get administrative (superuser) rights on the share. The write list option lists the users who have write permission to this directory. When creating the directory you should decide on its ownership; for the most part it is enough to make root the owner and set the group to Domain users (in our case MPEILOCAL\Domain users). Users may be listed as DOMAIN\user (domain users) or as user (server-local users). Groups are listed by name with the @ symbol in front. Entries are separated by spaces, and Windows group names consisting of more than one word must be enclosed in quotation marks. In our example we gave read permission on the Software directory to all users of the MPEILOCAL, INIT and PUBLIC domains, and write permission to the domain administrators. The other directories (Backups, ISOs and VMImages) are configured in the same way as this example.

    Connect to the filer server (Fig. 1).

    Fig. 1. Access to the Samba server.

    Check access to the home directory (Fig. 2).

    Fig. 2. Access to the home directory.

    You can check permissions to create and delete files and directories. On the Linux side the home directory looks like this:
    root@filer:~# ls -l /ceph/home/PUBLIC/khorkov
    total 0
    drwx------ 1 PUBLIC\khorkov PUBLIC\domain users 45360157 Oct 11 19:36 For Cisco
    root@filer:~#

    As you can see, only the owner has rights to do anything with the files. If we now try to change the access settings from Windows, we get an error saying that writing is denied (Fig. 3).


    Fig. 3. Error setting rights.

    This error, when assigning rights to a directory on which the user has full rights, occurs because the file system holding the directory does not support access control lists. On a file system that supports ACLs the error does not occur. You can check for this support with the command:
    root@filer:~# tune2fs -l /dev/sda1
    tune2fs 1.42 (29-Nov-2011)
    Filesystem volume name:   
    Last mounted on:          /
    Filesystem UUID:          e4136579-9486-4e54-a8cf-6b28d4015e92
    Filesystem magic number:  0xEF53
    Filesystem revision #:    1 (dynamic)
    Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
    Filesystem flags:         signed_directory_hash
    Default mount options:    user_xattr acl
    Filesystem state:         clean
    Errors behavior:          Continue
    Filesystem OS type:       Linux

    Here we see that the file system on /dev/sda1 supports access control lists (acl is among its default mount options). ACL support can be enabled when mounting the Linux file system, or (for ext2/3/4) set as a default mount option with the tune2fs utility. For the list of file systems that support ACLs, see the mount man page, section FILESYSTEM SPECIFIC MOUNT OPTIONS.
    The access lists themselves can be viewed with the getfacl command:
    root@filer:~# getfacl /srv
    getfacl: Removing leading '/' from absolute path names
    # file: srv
    # owner: root
    # group: root
    user::rwx
    user:MPEILOCAL\134horkovsn:rwx
    group::r-x
    mask::rwx
    other::r-x
    default:user::rwx
    default:user:MPEILOCAL\134horkovsn:rwx
    default:group::---
    default:mask::rwx
    default:other::---
    root@filer:~#


    Access lists can also be set from the Linux command line with the setfacl or smbcacls commands. Their interfaces are rather involved, though, and it is usually more convenient to use the Windows permissions dialog.
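    The following script is an added example, not from the original article: it reads getfacl output like the listing above (embedded here as constructed sample text) and reports the effective rights of a named user, that is, the user's entry AND-ed with the mask entry, which is what limits a user who appears to have rwx. It also decodes the \134 that getfacl prints for the backslash of a DOMAIN\user name; the function name and the masked variant are mine.

```shell
#!/bin/sh
# Added example: effective POSIX ACL rights of a named user from getfacl output.

# Constructed getfacl output (the entries shown on the page). getfacl escapes
# the backslash in DOMAIN\user names as the octal sequence \134.
ACL_SAMPLE='# file: srv
# owner: root
# group: root
user::rwx
user:MPEILOCAL\134horkovsn:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:MPEILOCAL\134horkovsn:rwx
default:group::---
default:mask::rwx
default:other::---'

# effective_perms ACL_TEXT USER PREFIX
# Prints the named user's entry AND-ed with the mask entry ("---" if absent).
# PREFIX is "" for the access ACL or "default:" for the default ACL.
effective_perms() {
  printf '%s\n' "$1" | ACL_USER="$2" ACL_PREFIX="$3" awk '
    # AND of two rwx triplets, character by character.
    function and_perms(a, b,    i, out) {
      out = ""
      for (i = 1; i <= 3; i++)
        out = out ((substr(a, i, 1) == substr(b, i, 1)) ? substr(a, i, 1) : "-")
      return out
    }
    BEGIN { user = ENVIRON["ACL_USER"]; prefix = ENVIRON["ACL_PREFIX"] }
    /^#/ || /^$/ { next }
    {
      line = $0
      gsub(/\\134/, "\\\\", line)           # turn \134 back into a backslash
      if (prefix == "") { if (index(line, "default:") == 1) next }
      else { if (index(line, prefix) != 1) next; line = substr(line, length(prefix) + 1) }
      split(line, f, ":")                   # f[1]=tag f[2]=qualifier f[3]=perms
      if (f[1] == "user" && f[2] == user) entry = f[3]
      if (f[1] == "mask") mask = f[3]
    }
    END {
      if (entry == "") print "---"
      else if (mask == "") print entry
      else print and_perms(entry, mask)
    }'
}

# Constructed variant with a restrictive mask: the user entry is still rwx,
# but the effective rights drop to r-x.
ACL_MASKED=$(printf '%s\n' "$ACL_SAMPLE" | sed 's/^mask::rwx$/mask::r-x/')
printf 'access ACL, mask rwx: %s\n' "$(effective_perms "$ACL_SAMPLE" 'MPEILOCAL\horkovsn' '')"
printf 'default ACL         : %s\n' "$(effective_perms "$ACL_SAMPLE" 'MPEILOCAL\horkovsn' 'default:')"
printf 'access ACL, mask r-x: %s\n' "$(effective_perms "$ACL_MASKED" 'MPEILOCAL\horkovsn' '')"
```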

    We managed access to the Samba server mainly by editing the /etc/samba/smb.conf file. This is one of the simplest and most effective methods. There are many graphical Samba configuration applications that ship with Linux distributions, and web-based tools such as swat or webmin can also be used. An advantage of swat, for example, is its built-in documentation: there is no need to keep switching between the settings and the reference guide. But both swat and webmin have errors in their settings.

    Conclusion


    Thus, we have successfully completed the task of setting up access to a Samba file server in an AD-based Windows domain.

    The work was carried out at the Information and Computing Center of MPEI.

    We welcome your comments and suggestions. We have the opportunity to build a test network on which to debug various system configurations and check how they interoperate.
