
Controlling access to Samba file servers in an AD-based Windows domain

We continue a series of articles about the interaction of Linux and Windows. This article focuses on controlling access to Samba servers from the AD domain.

Unlike the previous articles, which used a test network as an example, this one is based on a real production network, that of the Moscow Power Engineering Institute (MEI). About 25000 users are registered in the MEI network, which unites all educational buildings of the institute and more than 4500 workstations. We will look at setting up access to a Samba server that provides users with the following services:
• access to the user's personal directory;
• access to shared directories;
• access control using both Samba and Windows tools.

About the MEI network

The Information and Computing Network of the Moscow Power Engineering Institute (IVS MEI) uses a Windows domain structure based on AD. Our network supports multiple domains. The top-level domain is the mpei.local domain. Domain public.mpei.local is intended for users of the MEI, domain init.mpei.local is intended for employees of the Information and Computing Center MEI.
The server we are setting up is a cluster file store intended to host user directories (for ITC MEI employees and MEI users, i.e. users of the INIT and PUBLIC domains) and shared directories. The server operating system is Ubuntu Linux 12.04 LTS. The directories are:
• Backups - for storing backups; only domain administrators have access.
• ISOs and Software - for storing disk images of operating system distributions and other software used in IVS MEI; readable by all users, writable only by domain administrators.
• VMImages - for storing images of the virtual machines used in IVS MEI; readable by all users, writable only by domain administrators.
• User directories - for users' own files.
The cluster file store is based on distributed object storage and the Ceph file system. More information about Ceph can be found on the project website, www.ceph.com. The store consists of three servers that both hold the data and manage its placement. The storage file system is accessed through a gateway, which is a Ceph client on one side and, on the other, exports the store through Samba. The gateway is a KVM-based virtual machine running on the Ceph servers, and it is this gateway that we are setting up for access. Its operating system is also Ubuntu Linux 12.04 LTS. Our server is called filer.mpei.local.

The way the cluster file store is organized is not essential to the access control problem. Such a store can be built with a variety of technologies and implementations.

It should be noted that a large number of users, about 25,000, are registered in our network, so creating directories for them by hand is very laborious. Not all users will have their own directory on the file store, however. It follows that directories should be created automatically when a user first connects to the server. Automatic creation of user directories for Linux shell logins was discussed earlier in the article on setting up CentOS. In our case that method is inapplicable, since the institute network unites users with very different experience and knowledge of operating systems. Creating the directory on first connection should be transparent to the user and independent of the server's operating system.

Joining an Ubuntu Linux Samba server to a domain has already been covered before. We join our server to the top-level domain mpei.local. For user authorization we will use winbind.

Since we use several domains, it is advisable to indicate in the samba global configuration section of the smb.conf file:
winbind use default domain = no 


By disabling this option we tell Samba that a user name given without a domain refers to a local server account, and that in all other cases the domain name must be specified. This is necessary because the same user name may exist in different domains.

If the filer server has been joined to the domain correctly, getent passwd should list the users of all domains and getent group the groups of all domains. If this is not the case, check the contents of /etc/nsswitch.conf, which should look like this:
  root@filer:~# cat /etc/nsswitch.conf
  # /etc/nsswitch.conf
  #
  # Example configuration of GNU Name Service Switch functionality.
  # If you have the `glibc-doc-reference' and `info' packages installed, try:
  # `info libc "Name Service Switch"' for information about this file.

  passwd:         compat winbind
  group:          compat winbind
  shadow:         compat

  hosts:          files dns
  networks:       files

  protocols:      db files
  services:       db files
  ethers:         db files
  rpc:            db files

  netgroup:       nis
  root@filer:~#


Next, check how Samba users are authenticated. To do this, look at the contents of /etc/pam.d/samba:
  root@filer:~# cat /etc/pam.d/samba
  @include common-auth
  @include common-account
  @include common-session-noninteractive
  root@filer:~#


As you can see, the file is very simple and consists of includes of /etc/pam.d/common-auth, /etc/pam.d/common-account and /etc/pam.d/common-session-noninteractive.
Accordingly, these files should also be checked to make sure they use the pam_winbind.so module. In most cases there is no need to edit the PAM system files in /etc/pam.d. But we have a requirement to create user directories automatically on first login. For our configuration, add the following line to /etc/pam.d/common-session-noninteractive:
 session required pam_mkhomedir.so skel=/etc/skel umask=0077 


You can include this line in /etc/pam.d/common-session instead. It invokes the pam_mkhomedir.so module (see http://manpages.ubuntu.com/manpages/maverick/man8/pam_mkhomedir.8.html or http://www.ibm.com/developerworks/ru/library/l-pam/index.html) to create the user's home directory automatically at login.
As a result, the output of the getent passwd command should look something like this:
  PUBLIC\khorkov:*:28972:10007::/ceph/home/PUBLIC/khorkov:/bin/bash


The fields correspond to those of /etc/passwd, the standard location of user data on Linux and Unix systems. The fields are:
• login name
• optional encrypted password
• numerical user ID
• numerical group ID
• user name or comment field
• user home directory
• optional user command interpreter
When the server is joined to an AD-based Windows domain, the login name field is a combination of the domain name and the user name, separated either by a backslash (\) or by the character set in the winbind separator option.
The password field contains *, which means the password comes from an external source.
The UID and GID values are generated from the idmap uid and idmap gid (or idmap config) options of the Samba configuration file.
The home directory field is generated from the template homedir option of the Samba configuration file, and the command interpreter field from the template shell option.

From this output we can see that the home directory of user khorkov in the PUBLIC domain is /ceph/home/PUBLIC/khorkov. This is the directory that should be created automatically. Accordingly, the global and homes sections of our /etc/samba/smb.conf look like this:
  [global]
  log file = /var/log/samba/log.%m
  obey pam restrictions = yes
  map to guest = bad user
  encrypt passwords = true
  dns proxy = no
  netbios name = Filer
  server string = %h server (Samba, Ubuntu)
  unix password sync = yes
  workgroup = MPEILOCAL
  os level = 20
  security = ads
  syslog = 4
  panic action = /usr/share/samba/panic-action %d
  usershare allow guests = yes
  max log size = 1000
  pam password change = yes
  realm = MPEI.LOCAL
  idmap uid = 10000-50000
  idmap gid = 10000-50000
  template shell = /bin/bash
  template homedir = /ceph/home/%D/%U
  winbind enum groups = yes
  winbind enum users = yes
  winbind refresh tickets = yes
  acl compatibility = auto
  map acl inherit = yes
  usershare path = /var/lib/samba/usershares

  [homes]
  comment = Home Directories
  browseable = no
  path = /ceph/home/%D/%U
  read only = no
  create mask = 0700
  directory mask = 0700
  valid users = PUBLIC\%S INIT\%S


Most of the parameters have already been considered in previous articles (for example, http://habrahabr.ru/post/171057/ or http://habrahabr.ru/post/143190/). Let us dwell on the options that matter for security and access control.

The obey pam restrictions = yes option directs the Samba server to follow the PAM account and session directives. In our case that means honouring the pam_mkhomedir directive that creates the home directory.
The acl compatibility = auto and map acl inherit = yes options let the Samba server set the compatibility mode for access lists and access list inheritance. These settings are important for managing Samba access control from Windows clients. For this to work, the file system hosting the Samba share must support POSIX ACLs, which requires the corresponding packages to be installed in Linux (on Ubuntu, acl and attr).

Next, the [homes] section defines the user directories. The directory path is set by the path option. Samba's configuration file supports substitutions: in particular, %D is replaced with the short domain name, %U with the user name and %S with the session (service) name, which for [homes] is the same as the user name. Access to the directory is read/write, as given by read only = no. The valid users option lists the users who are allowed to access (log in to) this directory. The create mask (permission mask for new files) and directory mask (permissions for new directories) options are important. In any case, the owner of the home directory and of the files and directories created in it will be the user connected to the share. The user's uid and gid are those shown by the getent passwd command.

Note that in 99% of cases the group will be Domain users. The value 0700 gives the user full access to files and directories and denies access to everyone else, including the group. To let the group read, the third digit (the group digit) must be 4 (read) or 5 (read and execute). Linux permission bits are described in any book on the operating system.
The valid users option restricts access to the directory to users of the INIT and PUBLIC domains.

We now turn to the settings of the common directories using the example of setting up the Software catalog:
  [Software]
  browseable = yes
  comment = Various soft
  read only = yes
  valid users = MPEILOCAL\%U PUBLIC\%U INIT\%U
  path = /ceph/data/Software
  inherit acls = yes
  inherit owner = yes
  inherit permissions = yes
  map acl inherit = yes
  nt acl support = yes
  write list = @"MPEILOCAL\enterprise admins" @"PUBLIC\Domain admins" @"INIT\Domain admins" PUBLIC\khorkov
  admin users = PUBLIC\khorkov
  hide unreadable = yes


The path to the shared directory and the user restrictions have already been considered. The nt acl support = yes option tells Samba to map Linux permissions to Windows access control lists. The options inherit acls = yes, inherit owner = yes, inherit permissions = yes and map acl inherit = yes enable Samba's support for inheritance of permissions and access lists. The hide unreadable = yes option hides directories and files the user cannot read.
The admin users option specifies a list of users with administrative (superuser) rights on the share. The write list option specifies the users who have write access to the directory. When creating a shared directory, its ownership should be set; in most cases it is enough for the owner to be root and the group to be Domain users (in our case MPEILOCAL\Domain users). Users can be listed either as DOMAIN\user (domain users) or as user (local users of the server itself). Groups can also be listed by prefixing the group name with the @ symbol. List entries are separated by spaces, and Windows group names consisting of more than one word must be enclosed in quotes. In our example we gave read permission on the Software directory to all users of the MPEILOCAL, INIT and PUBLIC domains, and write permission to domain administrators. The remaining directories (Backups, ISOs and VMImages) are configured in the same way.

Connect to the filer server (Fig. 1).


Fig. 1. Access to the Samba server.

Check access to the home directory (Fig. 2).


Fig. 2. Access to the home directory.

You can check permissions to create and delete files and directories. The Linux home directory looks like this:
  root@filer:~# ls -l /ceph/home/PUBLIC/khorkov
  total 0
  drwx------ 1 PUBLIC\khorkov PUBLIC\domain users 45360157 Oct 11 19:36 For Cisco
  root@filer:~#


As you can see, only the owner has rights to any action on the files. If we now try to change the access settings using Windows tools, we get a write-denied error (Fig. 3).


Fig. 3. Error setting rights.

This error, when setting rights on a directory to which the user has full rights, arises because the file system hosting the directory does not support access lists. On a file system with access list support the error does not occur. Support can be checked with the command:
  root@filer:~# tune2fs -l /dev/sda1
  tune2fs 1.42 (29-Nov-2011)
  Filesystem volume name:   <none>
  Last mounted on:          /
  Filesystem UUID:          e4136579-9486-4e54-a8cf-6b28d4015e92
  Filesystem magic number:  0xEF53
  Filesystem revision #:    1 (dynamic)
  Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
  Filesystem flags:         signed_directory_hash
  Default mount options:    user_xattr acl
  Filesystem state:         clean
  Errors behavior:          Continue
  Filesystem OS type:       Linux


Here we see that the file system on /dev/sda1 has acl enabled (Default mount options: user_xattr acl). ACL support can be enabled with a mount option when mounting a Linux file system, or set as a default mount option with the tune2fs utility. For the list of file systems that support acl, see the mount man page, section FILESYSTEM SPECIFIC MOUNT OPTIONS.
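As an added example (not part of the original article), the following POSIX shell script checks offline the two facts the text reads off command output: that a winbind passwd entry agrees with template homedir and the idmap range, and that the file system reports acl among its default mount options. The function names and the sample getent entry and tune2fs excerpt are constructed here to match the filer described above.

```shell
#!/bin/sh
# Added example, not from the original article: offline checks of the identity
# data the [homes] share relies on and of the ACL support Windows clients need.
# All sample input is constructed here; nothing is read from the live server.

# Samba substitution as described in the text: %D = short domain, %U = user name.
# $1: login in DOMAIN\user form (winbind separator assumed to be '\'), $2: template.
expected_home() {
    domain=$(printf '%s\n' "$1" | cut -d '\' -f1)
    user=$(printf '%s\n' "$1" | cut -d '\' -f2)
    printf '%s\n' "$2" | sed -e "s|%D|$domain|g" -e "s|%U|$user|g"
}

# $1: one line of "getent passwd" output, $2: template homedir, $3/$4: idmap range.
# Succeeds only if the home field matches the template and uid and gid are in range.
check_passwd_entry() {
    login=$(printf '%s\n' "$1" | cut -d: -f1)
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    gid=$(printf '%s\n' "$1" | cut -d: -f4)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    [ "$home" = "$(expected_home "$login" "$2")" ] &&
        [ "$uid" -ge "$3" ] && [ "$uid" -le "$4" ] &&
        [ "$gid" -ge "$3" ] && [ "$gid" -le "$4" ]
}

# $1: text of "tune2fs -l <device>". Succeeds if acl is a default mount option, as
# on the article's /dev/sda1 (an explicit acl mount option also works; see mount(8)).
acl_in_default_mount_options() {
    printf '%s\n' "$1" | grep '^Default mount options:' | grep -qw acl
}

# Constructed samples modelled on the article's output.
SAMPLE_ENTRY='PUBLIC\khorkov:*:28972:10007::/ceph/home/PUBLIC/khorkov:/bin/bash'
TEMPLATE='/ceph/home/%D/%U'
SAMPLE_TUNE2FS='Filesystem features:      has_journal ext_attr extent
Default mount options:    user_xattr acl
Filesystem state:         clean'

check_passwd_entry "$SAMPLE_ENTRY" "$TEMPLATE" 10000 50000 &&
    echo "passwd entry consistent with smb.conf: $(expected_home 'PUBLIC\khorkov' "$TEMPLATE")"
acl_in_default_mount_options "$SAMPLE_TUNE2FS" &&
    echo "acl enabled: Windows clients can set permissions on this file system"
```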
The access lists themselves can be viewed with getfacl:
  root@filer:~# getfacl /srv
  getfacl: Removing leading '/' from absolute path names
  # file: srv
  # owner: root
  # group: root
  user::rwx
  user:MPEILOCAL\134horkovsn:rwx
  group::r-x
  mask::rwx
  other::r-x
  default:user::rwx
  default:user:MPEILOCAL\134horkovsn:rwx
  default:group::---
  default:mask::rwx
  default:other::---
  root@filer:~#


Access lists can also be set from the Linux command line with the setfacl or smbcacls command. However, the interface of these commands is fairly complex, and it is more convenient to use the Windows security settings dialog.

We configured access control on the Samba server mainly by editing /etc/samba/smb.conf. This is one of the simplest and most effective ways. There are plenty of graphical Samba configuration applications shipped with Linux distributions, and web-based management tools such as swat or webmin can also be used. The advantage of swat, for example, is its built-in documentation: you do not need to switch constantly between the settings and the reference manual. But both swat and webmin are prone to errors in the settings they write.

Conclusion


Thus, we have successfully completed the task of setting up access to the Samba file server in an AD-based Windows domain.

The work was performed on the basis of the Information Computing Center of the Moscow Power Engineering Institute.

We welcome your comments and suggestions. We have the opportunity to build a test network on which to debug various options and system configurations to ensure their interaction.

Source: https://habr.com/ru/post/172115/

