Samba4 Development

From SME Server
Revision as of 22:55, 30 July 2016 by Gzartman (talk | contribs)


Introduction

This wiki page will be used to track the integration effort of Samba 4 into SME 9+


  Note:
At this point, I'm just going to randomly ramble on this wiki page as I work on Samba 4. Once I get some workable pieces, I'll go back and format this page so that it makes more sense. - Gzartman


Lead developer: Gzartman

Overview and Objectives

The primary objective of this effort is to create Active Directory support on SME 9+ with a focus on simplicity and ease of integration, as is done for many of the other sub-systems on SME Server. Other distributions with Samba 4 support take the approach of providing a fairly complex front end to Samba 4 with many configuration parameters and options. Our approach for Samba 4 is to streamline the implementation and provide a straightforward, simple set of UI parameters that let the administrator deploy Active Directory in a configuration that will work in most deployments. Support for the full array of Samba 4 options is provided under the hood in SME Server, but will be available primarily from the console. The SME Server community may decide to create an Advanced Samba server-manager panel to control and configure some of the more advanced features available in Samba 4, but the core SME Server deployment of Active Directory will remain focused on simplicity.


Deployment of Samba 4 on SME Server means that many of the authentication mechanisms on SME Server need to change to integrate with Active Directory; this development effort is therefore quite far reaching.


Samba 4 on SME Server is targeted for Koozali SME Server 10, but is currently being developed simultaneously on both version 9.2 and 10.

Current Status

Current Release: Alpha 5

Samba 4 on SME Server will be provided by way of the package smeserver-samba, which will upgrade and obsolete e-smith-samba. The current release of Samba 4 on SME Server is available here: SME Server Samba 4 Packages

These packages are currently not provided by the Koozali buildsys because there is still a fair bit of work to do to integrate this code with existing SME services. Since Samba 4 on SME Server touches many other sub-systems, the Samba 4 code is not being included in the current development streams until it is closer to release, so as not to hold up other development activities. However, this code is available in CVS.

Samba 4 Packages

Upstream CentOS 6 does not provide Samba 4 packages with full Active Directory support, but they are provided in current CentOS 7. The reason Samba + AD packages are not available on CentOS 6 is detailed here. Judging by the Samba status in the Fedora project, a solution that provides Samba 4 Active Directory on CentOS 6 does not look to be forthcoming.

To further development of Samba 4 support on the Koozali SME Server, Samba 4 packages from Sernet were selected. These packages will not immediately install cleanly on SME 9 due to the customization of CentOS associated with SME 9, so the Sernet packages were rebuilt for SME 9. Details of this rebuild, along with a link to the rebuilt packages, are located in bugzilla:8075. After rebuilding, these packages do install cleanly, but the services will not start using the init.d scripts provided with the packages due to changes made during the rebuild of the packages for SME 9.

It should be noted that as of Samba 4.3, Sernet stopped providing packages for free; Samba 4.3+ Sernet packages are commercial only. Therefore, we will only be able to provide support on SME 9+ through Samba 4.2 unless someone comes up with a solution to port Samba 4 + AD to CentOS 6. The Sernet Samba packages up through Samba 4.2 work fine for providing Active Directory support on SME 9+. Given that SME 10 is in Alpha, the lack of upstream support for Samba + AD on SME 9 likely won't be a big issue.

Installation

Change Log / Release Notes

Alpha 5

- Extend Active Directory schema to include quota and smeCustom attributes via the koozaliUser objectClass
- Remove adjust-samba event and use services2adjust
- Add Group-create-AD action
- Design changes to provision-domain-controller and bootstrap-provision-dc events to provision samba entirely cold using ldif
- Add pseudonym support to esmith::AD
- Further enhancement to esmith::AD to provide user & group management functionality similar to that provided by AccountsDB
- Re-write createlinks to flow a more logical sequence
- Fix dnsforwarder in smb.conf
- Fix several esmith::AD::User and esmith::AD::Group methods broken in 0.1-0-3 when we added runtime binding

Alpha 4

- Add dnscache and tinydns config per bug [SME: 9711]
- Add iptables preroute rule for DNS per bug [SME: 9711]
- Fix issues with domain admins assignment during provisioning
- Nearly full re-write of user-create-AD action to utilize esmith::AD class
- Add Legacy Mode to user-create-AD action to allow this action to work with AccountsDB
- Add user-create-AD to user-create event
- Add user-AD-disable action to disable AD user
- Continued development and enhancement to esmith::AD including POD documentation
- Continued development and enhancement to esmith::AD::User including POD documentation
- Add esmith::AD::OU to manage Organizational Units in the Active Directory
- Fix realm definition in provision action

Alpha 3

- Reconfigure provision event to account for default Samba complex password policy
- Abstract core LDAP queries in esmith::AD using runtime binding

Alpha 2

  • Sat Jun 18 2016 Greg Zartman <gzartman@koozali.org> 0.1.0-2

- Set requires to e-smith-base-5.6.0-30+ [SME:8668]
- Set requires for e-smith-LPRng-2.5.0+ [SME:8632]

Alpha 1

  • Thu Feb 12 2015 Greg Zartman <gzartman@koozali.org> 0.1.0-1

- Roll new smeserver alpha package for Samba4 [SME:8075]


General Development Notes

Template Fragments

/etc/smb.conf

Complete rewrite of all template fragments

smb.conf Considerations

The smb.conf configuration file can be simplified significantly for Samba 4. Of specific interest are the following new parameters:


Server Services: This parameter is not very well documented, but from what I could find the following services can be provided by the Samba daemon: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, ntp_signd, kcc, dnsupdate, dns, smb, nmb, winbind. The default for this parameter is: server services = s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns. Services can be added to or removed from the default by prefixing the service name with + or -, for example server services = -s3fs (remove) +smb (add). Note that the smb, nmb, and winbind services are equivalent to the older, Samba 3 style services (stand-alone daemons). Of specific interest to SME 9 may be the use of the nmb service for WINS support. As we begin testing we may need to enable this service and possibly smb for simple share access.
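As an added illustration (not code from this page or from the smeserver-samba package), the POSIX shell function below applies the +/- semantics described above to the default list, so you can see which sub-services, and therefore which network listeners (ldap, kdc, dns, ...), a given server services line actually leaves running. The DEFAULT list is the one quoted above; treating a line with no +/- prefix as a full replacement follows the smb.conf man page.

```shell
#!/bin/sh
# Default "server services" list as quoted in the smb.conf notes above.
SAMBA_DEFAULT_SERVICES="s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns"

# effective_services DEFAULT SPEC
#   Prints the service list Samba would run for the "server services" value
#   SPEC.  Entries prefixed with + are appended (once), entries prefixed with -
#   are dropped; a SPEC containing any unprefixed entry replaces the whole
#   default list, as documented in smb.conf(5).
effective_services() {
    default="$1"
    spec="$2"
    for tok in $spec; do
        case "$tok" in
            [+-]*) ;;
            *) printf '%s\n' "$spec"; return 0 ;;   # plain list: full override
        esac
    done
    result="$default"
    for tok in $spec; do
        name="${tok#[+-]}"
        case "$tok" in
            +*) case " $result " in
                    *" $name "*) ;;                 # already present, keep once
                    *) result="$result $name" ;;
                esac ;;
            -*) new=""
                for s in $result; do
                    [ "$s" = "$name" ] || new="$new $s"
                done
                result="${new# }" ;;
        esac
    done
    printf '%s\n' "$result"
}

# has_service LIST NAME -> exit status 0 when NAME is in LIST
has_service() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# The example from the notes: drop the s3fs file server, add the classic smb daemon.
effective_services "$SAMBA_DEFAULT_SERVICES" "-s3fs +smb"
```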

Server Role: Samba 4 currently only supports the active directory domain controller server role. For now, we'll force the Samba config into the DC server role, but provide a fragment for expansion later. There is a long explanation behind this, but for now the restriction doesn't hurt us. SME as a DC will provide auth for both domain membership and simple shares, by either joining the domain or logging into the server every time.

/etc/raddb/radius.conf

Need to check and/or modify the following existing fragments:

etc/raddb/radiusd.conf/25modules30smbpasswd:    #  An example configuration for using /etc/samba/smbpasswd.
etc/raddb/radiusd.conf/25modules30smbpasswd:}   passwd smbpasswd \{
etc/raddb/radiusd.conf/25modules30smbpasswd:            filename = /etc/samba/smbpasswd
etc/raddb/radiusd.conf/25modules25mschap:               #  reading from /etc/smbpasswd.
etc/raddb/radiusd.conf/25modules25mschap:               #  If you are using /etc/smbpasswd, see the 'passwd'
etc/raddb/radiusd.conf/25modules25mschap:               #  module for an example of how to use /etc/smbpasswd
etc/raddb/radiusd.conf/65authorization40default:        #  If you are using /etc/smbpasswd, and are also doing
etc/raddb/radiusd.conf/65authorization40default:        #  configure the 'smbpasswd' module, above.
etc/raddb/radiusd.conf/65authorization40default:        ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd';

/etc/krb5.conf

Create new template fragments for this configuration file

Configuration Database Parameters

Default key and property values:

Database name | Unique key | Property name | Default value | Possible values | Description
configuration | SMBD | | DELETE | | Delete this key. Replaced by other keys
configuration | NMBD | | DELETE | | Delete this key. Replaced by other keys
configuration | SMB (type: service) | | | | Existing SMB key; its property changes follow
configuration | SMB | UnixCharSet | DELETE | | Delete this property
configuration | SMB | workgroup | sme-server | User defined |
configuration | SMB | ServerString | SME Server | User defined |
configuration | SMB | ServerRole | DC | SA / BD / DC | Stand Alone, Backup Domain or Domain Controller
configuration | SMB | OpLocks | enabled | enabled / disabled |
configuration | SMB | KernelOplocks | enabled | enabled / disabled |
configuration | SMB | Level2Oplocks | enabled | enabled / disabled |
configuration | SMB | AllowDNSUpdates | nonsecure | |
configuration | SMB | DNSForwarder | TBA | |


The DNSForwarder property is a new property that could be defined to forward DNS requests from the Samba DNS to another DNS.


  • Others (optional): These parameters are meant to take smb.conf inputs as defined in the man pages. Defaults for these parameters are the same as the corresponding defaults in the smb.conf man page. Template fragments feed these parameters into the smb.conf file with minimal syntax checking, as it is assumed those who manually input them know what they are doing.


Database name | Unique key | Property name | Default value | Possible values | Description
configuration | SMB | NameResolver | TBA | | The order in which name resolution will take place by the Samba daemon
configuration | SMB | ServerServices | TBA | | See the server services discussion under the smb.conf section
configuration | SMB | SMBPorts | TBA | |
configuration | SMB | SocketOptions | TBA | |
configuration | SMB | WideLinks | TBA | |
configuration | SMB | GuestAccount | TBA | |
configuration | SMB | GuestOK | no | yes / no |
configuration | SMB | LogonDrive | TBA | | Drive letter to be used for the login drive when users log in to a domain
configuration | SMB | RoamingProfiles | no | yes / no |
configuration | SMB | LogonPath | TBA | |
configuration | SMB | BindInterfacesOnly | no | yes / no |
configuration | SMB | CaseSensitive | yes | yes / no |
configuration | SMB | MaxLogSize | 50 | User defined | Samba log size in kilobytes. Default set to 50


KRB5: Create a new configuration dbase entry for the Kerberos service in Samba

Database name | Unique key | Property name | Default value | Possible values | Description
configuration | Kerberos | DefaultRealm | uninitialized | | This parameter is built into a template fragment, but we will not define it by default. The template fragment will build the default realm by concatenating the SystemName and DomainName recorded elsewhere in the configuration dbase
configuration | Kerberos | DNSLookup | false | true / false |
configuration | Kerberos | DNSLookupRealm | false | true / false |
configuration | Kerberos | DNSLookupKDC | false | true / false |

Services to Modify

Service name | Type | Action | File | Description
smbd | Existing | Remove | /var/service/smbd |
smbd | Existing | Remove | /services/smbd |
smbd | Existing | Remove | /etc/rc.d/init.d/supervise/smb |
smbd | Existing | Remove | /etc/rc.d/rc7.d/S91smb |
smbd | Existing | Remove | /etc/rc.d/init.d/smbd |
nmbd | Existing | Remove | /var/service/smbd |
nmbd | Existing | Remove | /services/smbd |
nmbd | Existing | Remove | /etc/rc.d/init.d/smbd |
smb | New | Create | /var/service/smb | Create using smbd as a template. Samba 4 should be started with /usr/sbin/samba -D. I would have liked to have called this "Samba," but that would have meant changing a lot of existing code that looks for "smb"
smb | New | Create symlink | /service/smb -> /var/service/smb |
smb | New | Create symlink | /etc/rc.d/init.d/smb -> /etc/rc.d/init.d/daemontools |
smb | New | Create symlink | /etc/rc.d/rc7.d/S91smb -> /etc/rc.d/init.d/e-smith-service |
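The new smb service layout from the table above, written out as an added shell example (not the smeserver-samba package's own createlinks code). It assumes an optional ROOT prefix argument so the layout can be built in a scratch directory for inspection, and it starts samba with -i --no-process-group rather than the -D noted in the table, because a process under daemontools' supervise must stay in the foreground to be tracked, restarted and logged.

```shell
#!/bin/sh
# create_smb_service [ROOT]
#   Lays out the daemontools service for Samba 4 as listed in the table:
#   /var/service/smb (run script), /service/smb, /etc/rc.d/init.d/smb and
#   /etc/rc.d/rc7.d/S91smb.  ROOT (assumed, default empty) prefixes every
#   created path; symlink targets stay as the final system paths.
create_smb_service() {
    root="${1:-}"
    svc="$root/var/service/smb"
    mkdir -p "$svc" "$root/service" "$root/etc/rc.d/init.d" "$root/etc/rc.d/rc7.d"

    # The run script keeps samba in the foreground: -i does not daemonize and
    # logs to stdout (so stderr redirection feeds the supervise log), while
    # --no-process-group leaves it in supervise's process group.  With -D the
    # parent would fork away and supervise would see an immediate exit.
    cat > "$svc/run" <<'EOF'
#!/bin/sh
exec 2>&1
exec /usr/sbin/samba -i --no-process-group
EOF
    chmod 755 "$svc/run"

    ln -sfn /var/service/smb "$root/service/smb"
    ln -sfn /etc/rc.d/init.d/daemontools "$root/etc/rc.d/init.d/smb"
    ln -sfn /etc/rc.d/init.d/e-smith-service "$root/etc/rc.d/rc7.d/S91smb"
}

# smb_service_ok [ROOT] -> exit status 0 when every piece of the layout is in place
smb_service_ok() {
    root="${1:-}"
    [ -x "$root/var/service/smb/run" ] &&
    [ "$(readlink "$root/service/smb")" = /var/service/smb ] &&
    [ "$(readlink "$root/etc/rc.d/init.d/smb")" = /etc/rc.d/init.d/daemontools ] &&
    [ "$(readlink "$root/etc/rc.d/rc7.d/S91smb")" = /etc/rc.d/init.d/e-smith-service ] &&
    grep -q 'samba -i' "$root/var/service/smb/run"
}
```

Run create_smb_service with no argument on the target system to create the real layout, then start it the SME way (service smb start) so daemontools, not an init.d script from the Sernet package, owns the process.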

DNS

Samba 4 includes a built-in DNS server that is required for proper operation of Active Directory. This internal DNS server is for AD functions only and does not provide caching DNS functions.

SME Server 9.0 includes a caching DNS (djb dnscache) that listens for DNS requests on the LAN IP address and the localhost. This caching DNS then routes DNS requests for domains defined in the server-manager to tinyDNS and other requests to a resolving dns cache (djb dnscache.forwarder).

One approach for the DNS architecture with Samba 4 would have Samba 4 serve as the primary DNS for LAN clients, forwarding other requests to the dnscache.forwarder service. The primary dnscache instance and tinydns would then be obsoleted.

LDAP

Need to look at the LDAP authentication backend and mechanism on SME. On the surface, it looks like all of the Samba related LDAP code will be dropped and much of the standard authentication code will need to be converted to Active Directory auth. This task should include looking at openldap-proxy.

Local and Samba Authentication

  1. Local Authentication: Samba 4 provides support for local authentication through PAM. This will need to be looked at and sorted out, especially as it relates to the previous LDAP authentication work. Consider replacing it with SSSD.
  2. Updates to esmith::util perl module: This perl module contains functions for setting and modifying user passwords. We will need to redesign these functions to integrate with AD. Specific changes:
    • setSambaPassword function: This function needs to be completely re-written to set the Active directory password instead of the old samba password in smbpasswd
    • cancelSambaPassword function: Needs to be re-written for active directory instead of old smbpasswd file
    • local password functions: We need to look at these once we decide how we are going to handle local authentication on SME with Active directory.
    • ldapPassword function: Need to look at this and likely deprecate it, as we will likely set active directory passwords differently.

Home directories and Homes Share

Samba 4 changes the way Samba used to handle home directories.

  1. Samba 4 does not use the [homes] share with the [home] share.
  2. With respect to the [home] share, Samba 4 currently does not expand the %S variable in the smb.conf file due to a bug in Samba 4. Therefore, this will not work for sharing home directories: /home/e-smith/files/users/%S/home. Instead, we may be able to use /home/%WORKGROUP%/%ACCOUNTNAME% and then link (symlink/hardlink) this to our current home directory structure so that we can share the home dirs via Samba.
  3. We need to look at the "template homedir" configuration parameter in smb.conf and/or SSSD, as this may make it easier to create home directories on a new user create event.
  4. The Samba Active Directory includes two attributes for home directories: homeDirectory (used by Windows) and unixHomeDirectory (used by *nix). The current unixHomeDirectory attribute doesn't seem to be fully utilized by Samba.
     Good thread on the topic: https://lists.samba.org/archive/samba/2014-January/178151.html

Other Development Tasks to Research and Complete

  1. Domain Server-Manager Panel: A new Domain server-manager panel should be developed and the workgroup panel removed. Further discussion will need to take place to determine what needs to go into this new panel. This panel will likely be fairly simple, as many of the configuration parameters associated with Samba Active Directory will be incorporated into template fragments and database entries.
  2. User/Group Server-Manager Panels: These panels will need to be looked at as they relate to template fragments, adjusting services, and updating database entries associated with Samba.
  3. Ibay Server-Manager Panel: This panel will need to be looked at as it relates to template fragments, adjusting services, and updating database entries associated with Samba.
  4. Events/Actions: Existing events and actions related to Samba will need to be reviewed and updated accordingly. A new event/action may need to be developed to provision a new Active Directory Domain using the samba-tool utility.
  5. e-smith-samba: This package needs to be updated with the development pieces detailed in this wiki page, for wider testing and development assistance.

Status

# Task Status
1. Sernet Samba 4 package rebuild DONE
2. Create daemontools service for Samba 4 DONE
3. Re-Write smb.conf template fragments DONE
4. Create Kerberos template fragments DONE
5. Add/Modify SMB database entries DONE
6. Create krb5 configuration dbase key DONE
7. Re-configure init.d start-up/shutdown scripts DONE
8. Configure Samba DNS Service DONE
9. Configure DNS Cache Resolver DONE
10. Create Active Directory Provision/Re-Provision SME Event DONE
11. Add Active Directory Provisioning to Bootstrap-Console DONE
12. Reconfigure SME User Authentication for Active Directory UNDERWAY

References

  1. http://dev.nethserver.org/projects/nethserver/wiki/Samba4 (Thanks Filippo!)
  2. https://lists.samba.org/archive/samba/2014-April/180336.html
  3. https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
  4. http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller


Bugzilla references

bugzilla:8075 Adding Samba 4
bugzilla:8638 Modify e-smith-dnscache for Samba 4 support
bugzilla:8660 User account authentication with Active Directory and AccountsDB
bugzilla:8663 Proftpd and active directory authentication (Samba 4)
bugzilla:8665 esmith::AD perl module for interacting with Active Directory
bugzilla:8667 Get rid of PPTP when we upgrade to Samba 4
bugzilla:8670 Qmail updates for Samba 4
bugzilla:8674 Remove smbpasswd and WINS pieces for Samba 4
bugzilla:8675 e-smith-LDAP + Samba 4
bugzilla:8687 Add SSSD daemon for Samba 4 local authentication
bugzilla:8703 Samba 4: Home directory

Active Directory Schema

Following is a direct dump of the Active Directory from a freshly provisioned SME Server domain. The DNS/Kerberos domain is domain.com, the hostname is virgin, and the Windows domain is sme-server. The IP address of this test machine is 192.168.0.67. This data is quite long, but I found it very useful, as it is extremely difficult to find these attributes in any documentation about Samba 4 and AD DC:

Samba 4 Active Directory Schema