Friday, December 21, 2012

Extending the AD Schema on Samba4 - Part 2

Importing LDIF files into Samba4 and Active Directory

This is part 2 of the Extending AD Schema on Samba4 series.  The examples below are tested using the Samba4 LAB I created.  If you want more information on how that works then please read  http://david-latham.blogspot.co.nz/2012/12/samba4-ga-release-virtualbox-lab.html

For part one, please read http://david-latham.blogspot.co.nz/2012/12/extending-ad-schema-on-samba4.html

Unfortunately the format of an LDIF file for creating new attributes and classes in the Schema Configuration differs between Samba4 and Microsoft.

The tools are slightly different too.  So this article will attempt to make it all clear.

Find all the latest versions of code on this post at https://github.com/linuxplayground/yubikey-ldap/tree/master/microsoft-schema

Samba4 - ldbadd & ldbmodify


As far as I can tell the only way to create a new class with a custom attribute in Samba4 (on the Linux command line) is to first add the attribute with ldbadd, then add the class with a separate ldbadd, followed by an ldbmodify command to update the User schema to include the new auxiliary class.

I wrote a README.md file for when this eventually ends up on GIT.  Rather than retype it all, I shall just copy it as is:

YubiKey LDIF Implementation Into Samba4 Active Directory
=========================================================

This is a port of the OpenLDAP implementation by Michal Ludvig <http://logix.cz/michal/devel/yubikey-ldap/> to Samba4 Active Directory.

CAUTION
-------
This process will permanently modify your schema.  If it breaks, you will not be able to recover without a backup.  Please back up your schema files before starting.  On a default install they can be found at /usr/local/samba/private/sam.ldb and all the files in /usr/local/samba/private/sam.ldb.d/

yubikeyid.ldif
--------------
    dn: CN=yubiKeyId,CN=Schema,CN=Configuration,dc=samba4,dc=internal
    changetype: add
    objectClass: top
    objectClass: attributeSchema
    attributeID: 1.3.6.1.4.1.40789.2012.11.1.2.1.1
    cn: yubiKeyId
    name: yubiKeyId
    lDAPDisplayName: yubiKeyId
    description: Yubico YubiKey ID
    attributeSyntax: 2.5.5.5
    oMSyntax: 22
    isSingleValued: FALSE

Add the yubiKeyId attribute into the Schema Configuration first with:
    ldbadd -H /usr/local/samba/private/sam.ldb \
      yubikeyid.ldif \
      --option="dsdb:schema update allowed"=true

yubikeyuser.ldif
----------------
    dn: CN=yubiKeyUser,CN=Schema,CN=Configuration,dc=samba4,dc=internal
    changetype: add
    objectClass: top
    objectClass: classSchema
    governsID: 1.3.6.1.4.1.40789.2012.11.1.2.2.1
    cn: yubiKeyUser
    name: yubiKeyUser
    lDAPDisplayName: yubiKeyUser
    description: Yubico YubiKey User
    subClassOf: top
    objectClassCategory: 3
    mayContain: yubiKeyId

Next add the yubiKeyUser class into the Schema Configuration with:
    ldbadd -H /usr/local/samba/private/sam.ldb \
      yubikeyuser.ldif \
      --option="dsdb:schema update allowed"=true

updateUserClass.ldif
--------------------
    dn: CN=User,CN=Schema,CN=Configuration,DC=samba4,DC=internal
    changetype: modify
    add: auxiliaryClass
    auxiliaryClass: yubiKeyUser

Apply the User class update with:
    ldbmodify -H /usr/local/samba/private/sam.ldb \
      updateUserClass.ldif \
      --option="dsdb:schema update allowed"=true

Add YubiKeys to Users
---------------------
An example ldif:
    dn: CN=David Latham,CN=Users,DC=samba4,DC=internal
    changetype: modify
    add: objectClass
    objectClass: yubiKeyUser
    -
    add: yubiKeyId
    yubiKeyId: abcdefgh1234
    yubiKeyId: xyzxyz123456

Apply it with:
    ldapmodify -h samba -f addKeyToUser.ldif

Test it with:
    ldapsearch -h samba -b "CN=David Latham,CN=Users,DC=samba4,DC=internal" yubiKeyId

    SASL/GSSAPI authentication started
    SASL username: administrator@SAMBA4.INTERNAL
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: (objectclass=*)
    # requesting: yubiKeyId
    #

    # David Latham, Users, samba4.internal
    dn: CN=David Latham,CN=Users,DC=samba4,DC=internal
    yubiKeyId: abcdefgh1234
    yubiKeyId: xyzxyz123456

    # search result
    search: 5
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

Acknowledgments
===============
Michal Ludvig for defining the schema.
Microsoft Documentation for information on attributeSyntax, oMSyntax and objectClassCategory.



Active Directory & the LDIFDE tool


Use the following ldif file and the ldifde tool as described in the README.md below:
YubiKey Implementation in Microsoft Active Directory
====================================================
This is a port of the OpenLDAP implementation by Michal Ludvig <http://logix.cz/michal/devel/yubikey-ldap/> to Microsoft Active Directory.

Notes
-----
In order to manage the Schema from a Windows client, please add the following line to your smb.conf under the [global] section and restart samba4:

    dsdb:schema update allowed = true

You can use tools like ADSI Edit to manage the keys for users.
There are also tutorials on the internet explaining how to create a dialogue box / context menu tool for updating custom attributes in the Active Directory Server Admin tool (dsa.msc).

For a complete tutorial on all of this look at:
    <http://www.informit.com/articles/article.aspx?p=169630&seqNum=1>
   
Implementation
--------------

Log into a Windows Server 2003 as a domain administrator and start a
command prompt.

Then execute:
    ldifde -i -f path\to\yubikey-ads.ldif -j .

You should see something like:
    6 entries modified successfully
   
    The command has completed successfully

To test if this is all working you could add some keys using the ADSI Edit
snap-in.
* Browse to your Domain -> CN=Users
* Right mouse click the username you want to edit
* Select Properties
* Scroll down to and select YubiKeyId
* Click Edit
* Add values until you are done
* Click OK until you are finished.


The LDIF File

#
# YubiKey LDAP schema for Microsoft Active Directory Server
#
# Install with ldifde -i -f path\to\yubikey-ads.ldif -j .
# on a Windows Command prompt
#
#
# Author: Michal Ludvig
# Consider a small PayPal donation:
#         http://logix.cz/michal/devel/yubikey-ldap/
#
# Converted to Microsoft Active Directory Server format by
#         David Latham
#
dn: CN=yubiKeyId,CN=Schema,CN=Configuration,DC=samba4,DC=internal
changetype: add
objectClass: top
objectClass: attributeSchema
cn: yubiKeyId
description: Yubico YubiKey ID
attributeID: 1.3.6.1.4.1.40789.2012.11.1.2.1.1
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
oMSyntax: 22
lDAPDisplayName: yubiKeyId
name: yubiKeyId

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=yubiKeyUser,CN=Schema,CN=Configuration,DC=samba4,DC=internal
changetype: add
objectClass: top
objectClass: classSchema
cn: yubiKeyUser
description: Yubico YubiKey User
subClassOf: top
governsID: 1.3.6.1.4.1.40789.2012.11.1.2.2.1
mayContain: yubiKeyId
rDNAttID: cn
objectClassCategory: 3
lDAPDisplayName: yubiKeyUser
name: yubiKeyUser

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=samba4,DC=internal
changetype: modify
add: auxiliaryClass
auxiliaryClass: yubiKeyUser
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
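As an added example (not code from the post or from the yubikey-ldap project), here is a small Python checker for the ordering rules that both the Samba4 ldbadd/ldbmodify section above and this ldifde file depend on: the attribute must exist before the class that lists it in mayContain, the class before the User modify that names it as auxiliaryClass, and, for ldifde, a rootDSE schemaUpdateNow record must follow each change. The LDIF strings at the bottom are constructed, trimmed copies of the post's records.

```python
import re


def parse_ldif(text):
    """Split LDIF text into (dn, {attr: [values]}) records.
    Blank lines separate records; comments and the '-' of a modify are dropped."""
    records = []
    for chunk in re.split(r"\n[ \t]*\n", text.strip()):
        dn, attrs = None, {}
        for line in chunk.splitlines():
            if not line.strip() or line.startswith("#") or line.strip() == "-":
                continue
            key, _, val = line.partition(":")
            key, val = key.strip().lower(), val.strip()
            if key == "dn":
                dn = val                      # "" for the rootDSE flush record
            else:
                attrs.setdefault(key, []).append(val)
        if dn is not None:
            records.append((dn, attrs))
    return records


def check_schema_order(text, require_update_now=False):
    """Return a list of ordering problems; [] means the LDIF is safe to apply.
    With require_update_now=True (ldifde import) every schema change must be
    followed by a rootDSE schemaUpdateNow record before the next change."""
    recs = parse_ldif(text)
    # Names this file defines itself. References to anything else (cn, top,
    # ...) are assumed to be pre-existing schema objects and are not checked.
    defined_here = {v.lower() for _, a in recs if "ldapdisplayname" in a
                    for v in a["ldapdisplayname"]}
    seen, errors, pending = set(), [], None
    for dn, a in recs:
        if "schemaupdatenow" in a:
            pending = None                    # cache flushed; next change is safe
            continue
        if require_update_now and pending:
            errors.append("no schemaUpdateNow between %s and %s" % (pending, dn))
        refs = (a.get("maycontain", []) + a.get("mustcontain", [])
                + a.get("auxiliaryclass", []) + a.get("subclassof", []))
        for ref in refs:
            if ref.lower() in defined_here and ref.lower() not in seen:
                errors.append("%s references %s before it is added" % (dn, ref))
        seen.update(v.lower() for v in a.get("ldapdisplayname", []))
        pending = dn
    if require_update_now and pending:
        errors.append("no schemaUpdateNow after %s" % pending)
    return errors


# Constructed, trimmed copies of the post's records (a real import needs all fields).
ATTR = ("dn: CN=yubiKeyId,CN=Schema,CN=Configuration,DC=samba4,DC=internal\n"
        "changetype: add\nobjectClass: attributeSchema\nlDAPDisplayName: yubiKeyId\n")
CLASS = ("dn: CN=yubiKeyUser,CN=Schema,CN=Configuration,DC=samba4,DC=internal\n"
         "changetype: add\nobjectClass: classSchema\nsubClassOf: top\n"
         "lDAPDisplayName: yubiKeyUser\nmayContain: yubiKeyId\n")
USER = ("dn: CN=User,CN=Schema,CN=Configuration,DC=samba4,DC=internal\n"
        "changetype: modify\nadd: auxiliaryClass\nauxiliaryClass: yubiKeyUser\n-\n")
FLUSH = "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"

if __name__ == "__main__":
    print(check_schema_order(ATTR + "\n" + CLASS + "\n" + USER))      # []
    print(check_schema_order(CLASS + "\n" + ATTR + "\n" + USER))      # 1 error
    print(check_schema_order("\n".join([ATTR, FLUSH, CLASS, FLUSH, USER, FLUSH]), True))
```

Run it against your own files (for example `check_schema_order(open("yubikey-ads.ldif").read(), True)`) before pointing ldbadd or ldifde at a live schema.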

Extending the AD Schema on Samba4 - Part 1

My last post on Samba4 showed how easy it is to install and configure an AD Service on Linux.  If you've not read it then please have a look. (http://david-latham.blogspot.co.nz/2012/12/samba4-ga-release-virtualbox-lab.html)

This post shows how to extend the Samba4 Active Directory Schema, specifically for YubiKey integration.

YubiKeys can be purchased for a relatively low price from Yubico.  Please visit their website (www.yubico.com) for more information.

LDAP Integration is very well covered by Michal Ludvig on his website and github.  (http://www.logix.cz/michal/devel/yubikey-ldap/) In fact we are planning to leverage his implementation at our work and are considering donating towards what's obviously a very good cause.

Now, seeing as LDAP and AD are so similar and expose many of the same APIs, I began to wonder how this might fit in with Samba4.  Eventually we might end up using Samba4 for our domain, so I needed to figure out if I could somehow "port" the LDAP schemas for YubiKey to AD.  I think I have managed it, with extensive help from another blog.  Thanks to Kurt Hudson and his wonderful article on www.informit.com titled "Making AD Work Harder | Extending the Active Directory Schema to Track Custom Info".

I should also acknowledge, once again, the Samba Wiki for a crucial piece of the puzzle in which we allow extensions to the Schema. (https://wiki.samba.org/index.php/Samba4/Schema_extenstions)

Step 1: Backup Your Master Server

In my case this was fairly simple.  I just took a snapshot of my Virtualbox image.  You need to do this though.  Messing with an AD schema can be fairly dangerous, especially if it's a Samba4 AD.  Samba's Wiki makes this quite clear.

Step 2: Enable Schema Extensions

This is fairly straightforward and well explained on the Samba Wiki.  First edit your smb.conf and add the following line into the [global] section.
dsdb:schema update allowed = true
Then restart the samba service.  (By the way: if you are interested in an init script for Samba4 on CentOS 6 then find it at the end of this article.)

Step 3: Set up Active Directory Schema Console (on Windows)

From here on, we will be working in Windows space.  The Active Directory Schema console is not registered by default.  So register it and create yourself a console.

In a windows command prompt type:
regsvr32 schmmgmt.dll

Then use MMC -> Add/Remove Snap-ins -> Active Directory Schema snap-in (follow the instructions on Kurt Hudson's page).

Step 4: Add Yubikey Class and Attribute

You need an attribute before you can create an object class.
The details for the Yubikey schema are available on Michal Ludvig's github site: https://raw.github.com/mludvig/yubikey-ldap/master/ldap-schema/yubikey-SunDS.ldif
The SunDS version most closely matches the AD version used in this article.
Here it is:

dn: cn=schema
objectclass: top
#
# YubiKey LDAP schema for Sun Directory Server and OpenDJ
#
# Copy this file to /config/schema/05-yubikey.ldif
#
# Author: Michal Ludvig 
# Consider a small PayPal donation:
#         http://logix.cz/michal/devel/yubikey-ldap/
#
# Converted for OpenDJ and Sun Directory Server by
#         Ludovic Poitou 
#
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1.1
  NAME 'yubiKeyId'
  DESC 'Yubico YubiKey ID'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2.1
  NAME 'yubiKeyUser'
  DESC 'Yubico YubiKey User'
  SUP top
  AUXILIARY
  MAY ( yubiKeyId ) )

Step 4a: Attribute

In the Active Directory Schema Snap-in Console do the following:
  • Right click the Attributes Node and select Create Attribute on the context menu.  A message about the permanence of your operation will show up.  Well, jump right in.  You backed up in step 1.
  • Fill in the details as follows:
    • Common Name = yubiKeyId
    • LDAP Display Name = yubiKeyId
    • Unique X500 Object ID = 1.3.6.1.4.1.40789.2012.11.1.2.1.1
    • Description = Yubico YubiKey User
    • Syntax = Case Insensitive String
    • Minimum = 0
    • Maximum = 128
    • Multi Valued = Ticked
  • Click OK to add the attribute to the Attributes list.  If you expand the list, and scroll to the bottom, you will find yubiKeyId and you can right click, select properties and see something like this:
Note: I ticked "multi valued", but in the part where I create a dialogue box to enter the key IDs I do not allow for multiple values.  That's on my to-do list.

Step 4b: Add Yubikey Schema Object Class

  • Begin by right mouse clicking Classes and select Create Class in the context menu.
  • Fill in the details as follows:
    • Common Name: yubiKeyUser
    • LDAP Display Name: yubiKeyUser
    • Unique X500 Object ID:  1.3.6.1.4.1.40789.2012.11.1.2.2.1
    • Description: Yubico YubiKey User
    • Parent Class: top
    • Class Type: Select Auxiliary
  • Click Next
    • Click Add next to Optional:
    • Scroll all the way to the bottom and select yubiKeyId
    • Click OK
    • Click Finish
  • Expand the Classes node, scroll to the bottom and right click yubiKeyUser, select Properties to see the following:



So that's the GUI method.
My next post will show how to import ldif files to make this process easier.

Monday, December 17, 2012

Samba4 GA Release - Virtualbox LAB

Introduction

Configuring Samba has always been a pain in the you-know-what.  There is always some kind of permission here or there missing or misconfiguration resulting in endless hours of log trawling and frustrated users.
My profile photo on this blog was taken during just such a time...

So I decided to build a LAB for Samba 4.  My LAB is for a fresh install.  I have not yet tried an upgrade.  Maybe that will come in a later post.

The Samba4 how-to on their WIKI is very good and formed the basis of most of the work.  (http://wiki.samba.org/index.php/Samba4/HOWTO)

Lab Environment

  • LAB Built on Virtual Box using Ubuntu 12.04 LTS
  • Samba Server
  • Client
    • Windows2003 R2 Standard Edition

Samba OS Build

Hard Disk Configuration

The Samba HOW-TO wiki requires that some specific mount options be applied to your disks.  Here is my fstab.
[root@samba ~]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Thu Dec 13 13:55:41 2012
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/VolGroup-lv_root /            ext4 user_xattr,acl,barrier=1 1 1
<other "system" lines not shown here>
# SAMBA
/dev/mapper/vgsamba-lvwinhome /samba/home ext4 user_xattr,acl,barrier=1 1 1
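The acl and user_xattr options above are easy to lose on a rebuilt or re-mounted volume, so here is an added preflight check (my own example, not from the post or the Samba wiki) that reads a /proc/mounts-style listing and reports which of those options each Samba path still lacks. The sample listing is constructed; on the real host the script reads /proc/mounts.

```python
import re

# Constructed sample in /proc/mounts format (not a capture from the post's
# server): / has the options the wiki asks for, /samba/home does not, and a
# mount point containing a space shows the kernel's \040 escaping.
SAMPLE_MOUNTS = r"""
/dev/mapper/VolGroup-lv_root / ext4 rw,relatime,user_xattr,acl,barrier=1 0 0
/dev/mapper/vgsamba-lvwinhome /samba/home ext4 rw,relatime,barrier=1 0 0
/dev/sdb1 /samba/office\040share ext4 rw,user_xattr,acl 0 0
tmpfs /dev/shm tmpfs rw 0 0
"""

REQUIRED = ("user_xattr", "acl")   # what the Samba4 HOWTO asks for on share paths


def mount_options(mounts_text, mountpoint):
    """Option set of the last (i.e. effective) entry for mountpoint, or None.
    Octal escapes such as \\040 in the mount point field are decoded."""
    found = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mp = re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), fields[1])
        if mp == mountpoint:
            found = set(fields[3].split(","))
    return found


def missing_options(mounts_text, mountpoint, required=REQUIRED):
    """Required options the mount point lacks; [] means it is ready for Samba.
    A path that is not a mount point reports everything as missing, because it
    would silently inherit whatever its parent filesystem was mounted with."""
    opts = mount_options(mounts_text, mountpoint)
    if opts is None:
        return list(required)
    return [o for o in required if o not in opts]


def check_samba_paths(mounts_text, paths=("/", "/samba/home")):
    """Map each Samba-relevant path to the options it still lacks."""
    return {p: missing_options(mounts_text, p) for p in paths}


if __name__ == "__main__":
    try:
        with open("/proc/mounts") as f:      # live check on the Samba host
            text = f.read()
    except OSError:
        text = SAMPLE_MOUNTS
    for path, missing in check_samba_paths(text).items():
        print(path, "OK" if not missing else "missing " + ",".join(missing))
```

On newer kernels ext4 enables acl and user_xattr by default and may omit them from /proc/mounts, so a "missing" report there should be confirmed with the filesystem's default mount options (tune2fs -l) before changing fstab.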

Network Interface Configuration

  • /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=samba.example.com
  • /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO="dhcp"
DHCP_HOSTNAME=samba.vbox.local
  • /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE="eth1"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO="none"
IPADDR="10.1.1.1"
NETMASK="255.255.255.0"

Iptables

For Iptables, I went with an open configuration.  You should have a good and proper IPTABLES configuration in your production environment.  This LAB is about SAMBA4 not IPTABLES.
  • /etc/sysconfig/iptables
    • The IPTABLES script below implements a SNAT on all traffic to the IP address of eth0.  Your IP address might be different.  This all depends on how you configured your host-only network in Virtualbox.
# Generated by iptables-save v1.4.7 on Thu Dec 13 14:26:37 2012
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.56.76

COMMIT
# Completed on Thu Dec 13 14:26:37 2012
# Generated by iptables-save v1.4.7 on Thu Dec 13 14:26:37 2012
*filter
:INPUT ACCEPT [12:1634]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Dec 13 14:26:37 2012

Enable IPv4 Packet Forwarding

Once you do this, routing will take care of itself.
  • Set net.ipv4.ip_forward = 1 in /etc/sysctl.conf
  • execute
    • sysctl -p to read the new value.

Software pre-requisites and services

Software packages

First install the following dependencies.  (Note I used the groupinstall "Development tools" for convenience.)

Read: http://wiki.samba.org/index.php/Samba_4/OS_Requirements
  • yum -y install libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel openssh-clients bind-utils dhcpd tcpdump man manpages wget
  • yum -y groupinstall 'Development tools'

NTP

  • Download and install the latest NTP.
# Start NTP Daemon
/sbin/ntpd -c /etc/ntp.conf

DHCP Server

  •  Configure dhcpd to provide ip addresses on the internal network.
    • dhcpd should also provide the netbios and wins ip addresses.
 subnet 10.1.1.0 netmask 255.255.255.0 {
        option routers          10.1.1.1;
        option subnet-mask      255.255.255.0;
        option domain-name      "internal.local";
        option domain-name-servers 10.1.1.1;
        option netbios-name-servers 10.1.1.1;
        range 10.1.1.10 10.1.1.100;
}
    • Edit /etc/sysconfig/dhcpd and set DHCPDARGS=eth1
    • service dhcpd start
    • chkconfig dhcpd on

DNS Server

I did not configure BIND or dnsmasq for the domain.  Samba4 ships with an internal DNS server which is adequate for the purposes of demonstrating Samba4 awesomeness.  The excellent BIND nameserver is supported by Samba4 along with DNS replication and all that jazz.  I have not tried it.  If you have, let us know in the comments below how it went.

Once Samba is installed and operational there is a step required to make Samba forward DNS queries to your host's network as well as make the OS resolv.conf use the correct DNS.  This is because dhclient likes to automagically rewrite your resolv.conf every time you boot.  My work-around is just to overwrite it in /etc/rc.local.

# fix resolv.conf
mv /etc/resolv.conf /etc/resolv.conf.old
cat >> /etc/resolv.conf << EOF
# Updated by rc.local script
domain samba4.internal
nameserver 10.1.1.1
EOF


Install Samba4

Installing Samba4 is fairly straightforward once you have all the pre-requisites in place.  It's well documented on the samba4 wiki so I won't get into it in any great detail here.

I highly recommend completing the file system and kerberos tests outlined in the wiki how-to. (http://wiki.samba.org/index.php/Samba4/HOWTO#Step_6:_Testing_Samba4)

smb.conf

This is my lab smb.conf.

  • workgroup, realm, netbios name and server role all define the function of this samba instance.
  • dns forwarder tells samba where to send DNS requests for hosts it knows nothing about.
  • The netlogon share is for the logon script.  I have a logon script located in its path and I set the default logon script in Windows for each user to point to this script.
  • sysvol is unused at this stage.
  • home is where all the users' Windows home directories live
    • There are no unix home directories that map to the windows home directories
  • share is where all standard shares will live.


[root@samba ~]# cd /usr/local/samba/etc
[root@samba etc]# cat smb.conf
# Global parameters
[global]
        workgroup = SAMBA4
        realm = SAMBA4.INTERNAL
        netbios name = SAMBA
        server role = active directory domain controller
        dns forwarder = 192.168.56.1

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/samba4.internal/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
[home]
        comment = Home Directories
        path = /samba/home
        read only = No
[share]
        comment = Office Shares
        path = /samba/home/shares
        read only = No
[root@samba etc]#


Configuring File Permissions and Shares

Once these shares were configured in this basic way using smb.conf I was able to browse to the folders from my Windows client as follows:
\\samba\home
\\samba\share
\\samba\netlogon\logon.bat
\\samba\sysvol

This was easily the most difficult part of the process for me to work out.  Once worked out though, it's a piece of cake.  Critically your file system must be mounted with the acl mount option.

I have figured out that the most straight forward way of managing file shares is via Windows.  ie: Let samba take care of the acl entries in Linux.

User accounts and home directories

Home directory ACLs

Before creating user accounts it's critical to make sure that the Windows ACLs are configured correctly for \\samba\home.  Mine are as follows:

First remove inheritance, i.e. the permissions for \\samba\home must not inherit from \\samba.  When removing inheritance hit the remove button and remove any other permission groups / users listed.

Then add new ones as follows:
  • Administrators = Full Control
  • Everyone = No Control (all boxes unticked)
  • Domain Users = Special Permissions as follows
    • Traverse Folder and Execute File = TICKED
    • All other special permissions = UNTICKED

Creating new users

Run the dsa.msc snap-in.  Installation instructions for dsa.msc are covered in the samba4 wiki howto.

Create a new user using the "New -> User" task in the DSA snap-in.  The following screenshots show what to do:

Dialogue box showing how to add a user with the Windows DSA.  First, Last and user name
Add user Test User with username test.user

Dialogue box showing how to add a user with the Windows DSA.  Password
Set a password

Dialogue box showing how to add a user with the Windows DSA.  Confirmation
Confirm details
Dialogue box showing how to configure the user profile in the Windows DSA.  Set the logon path and the home folder
Bring up the Profile tab under properties for this new user.


Here, on the profile tab you should set the logon script for your user and map the home drive on the connect  button.  When you apply this, the test.user folder will be created on the share for you.  The permissions will also be configured appropriately as per the next screenshot.

Windows Security permissions dialogue box for new user home folder.
Confirm folder security permissions are correct.


Use a similar approach to managing shared folders for group access.

So far I have not encountered any gotchas with this approach.