VPN Single SignOn with Samba AD: Difference between revisions
(Neither revision has an edit summary.)

This edit removed the Samba4-from-source installation walkthrough that follows, completed the heading "== Install & Configure" to "== Install & Configure a Radius Server ==", and added step 5 of the RADIUS section; the unchanged context lines of the diff duplicate the current revision, which is reproduced at the end of the page. The removed text:
1. Ensure the Ubuntu core is up to date:

 sudo apt-get update
 sudo apt-get dist-upgrade
 sudo reboot

2. Install all required dependencies:

 sudo apt-get install build-essential git-core bind9 ntp libattr1-dev libblkid-dev libgnutls-dev libreadline5-dev \
     python-dev autoconf libdb-dev libtool unixodbc-dev libwrap0-dev libmysqlclient15-dev libsasl2-dev libcurl4-gnutls-dev \
     libslp-dev libperl-dev attr

3. For now we need to kill AppArmor (I'm trying to figure out what we need to do better, as this is probably a stupid fix):

 sudo apt-get purge apparmor

Note: purging AppArmor drops mandatory access control for every service on the host, not only for slapd and samba.

4. Network setup: change /etc/network/interfaces so that the interface you plan to use on your network (in my case eth0) has a static IP:

 # The primary network interface
 auto eth0
 iface eth0 inet static
     address 172.16.0.1
     netmask 255.255.255.0
     broadcast 172.16.0.255
     gateway 172.16.0.1

5. Modify /etc/hosts so that the following line (adjusted for your chosen hostname) is present. Later we will use BIND for DNS resolution.

 127.0.1.1 hydrogen.example.com ldap.example.com Hydrogen
== Install Samba4 from source ==

1. Use git to clone the samba repository, check out v4-0-stable, apply a specific patch, configure, build, and install:

 cd ~
 mkdir -p src
 cd src
 git clone git://git.samba.org/samba.git samba
 cd samba
 git checkout -b v4-0-stable origin/v4-0-stable
 git clean -fdx
 cd source4
 cd auth/ntlmssp
 git checkout 7a54cd041e04f901af5e73b9e57b9cff4e182955 ntlmssp_sign.c
 cd ../..
 ./autogen.sh
 ./configure
 make
 sudo make install

Note: If there are newer versions of v4-0-stable, checking out that specific revision of ntlmssp_sign.c might actually cause problems. However, at least on the version of v4-0-stable that I checked out on 2-Aug-2009, it fixes an issue where searching the Active Directory never returned any results. It has something to do with the client always signing when it shouldn't; I don't know exactly what, but with the new version of the file it works.
== Install OpenLDAP from source ==

1. Download the current release of OpenLDAP (or, to be safe, use 2.4.17), configure, build, and install:

 cd ~/src
 wget -c 'ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-2.4.17.tgz'
 tar xfz openldap-2.4.17.tgz
 cd openldap-2.4.17
 ./configure --enable-overlays --enable-accesslog --enable-auditlog --enable-collect --enable-constraint \
     --enable-dds --enable-deref --enable-dyngroup --enable-dynlist --enable-memberof --enable-ppolicy --enable-proxycache \
     --enable-refint --enable-retcode --enable-rwm --enable-seqmod --enable-syncprov --enable-translucent --enable-unique \
     --enable-valsort
 make depend
 make
 sudo make install

Note: Why do we enable all of those overlays? Because otherwise you'll get down to the provisioning section and things will break with errors about refint, overlays not found, and all sorts of annoying problems. Overkill when enabling things is good sometimes.
== Linking for easier access ==

 cd /sbin
 sudo ln -s /usr/local/samba/sbin/samba ./
 sudo ln -s /usr/local/libexec/slapd ./
 cd /bin
 sudo ln -s /usr/local/samba/bin/* ./

Note: Alternatively, you can modify your PATH instead of creating the links.
== Provisioning ==

1. Generate the OpenLDAP and BIND config files we will need to have a functional domain controller:

 cd ~/src/samba/source4
 sudo ./setup/provision-backend --realm=EXAMPLE.COM --domain=EXAMPLE --ldap-admin-pass=SuperSecretPassword \
     --ldap-backend-type=openldap --server-role='domain controller'

2. Verify that the OpenLDAP config is working (the ldapi socket path below is the one under /usr/local/samba/private, matching the init script later in this guide):

 sudo slapd -f /usr/local/samba/private/ldap/slapd.conf -h ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi
 ldapsearch -x -b '' -s base '(objectClass=*)' namingContexts -H ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi

Note: You don't want slapd listening on port 389: Samba4 will later listen on that port and handle all the LDAP queries itself, which is why slapd is bound only to the ldapi socket here.

3. If you didn't get errors you should now be able to finish the provisioning:

 sudo ./setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE --server-role='domain controller' \
     --ldap-backend=ldapi --ldap-backend-type=openldap --username=samba-admin --password=SuperSecretPassword

4. If all went well you should see the following, as well as instructions on other steps you are required to complete. Take note of the password: this is the domain administrator password!

 Server Role:    domain controller
 Hostname:       hydrogen
 NetBIOS Domain: EXAMPLE
 DNS Domain:     EXAMPLE.COM
 DOMAIN SID:     S-1-5-21-3012927460-1946624778-3082554826
 Admin password: GoyBLa,bPhUq
== Test progress so far ==

1. Set up the /data/test directory (mode 777 makes it world-writable, which is fine for this throwaway test share only):

 sudo mkdir -p /data/test
 sudo chmod -R 777 /data/test
 touch /data/test/If_you_see_this-things-are-going-well

2. Modify /usr/local/samba/etc/smb.conf to have at least one file share, as follows:

 [test]
     path = /data/test
     read only = no

3. Start samba:

 sudo samba -i -M single

4. Connect to Samba using the client:

 smbclient //localhost/test -Uadministrator%GoyBLa,bPhUq
 ls
 quit

Note: If you see the file we created earlier when you ran "ls", things are working well so far. Awesome.

5. Use Ctrl-C to kill samba, or run "sudo pkill samba".
== DNS using BIND9 ==

1. Set up BIND9:

 sudo sh -c 'cat /usr/local/samba/private/named.conf >> /etc/bind/named.conf.local'
 sudo cp /usr/local/samba/private/example.com.zone /etc/bind/example.com.zone
 sudo cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
 sudo chown -R bind:bind /etc/bind

Note: A plain "sudo cat ... >> /etc/bind/named.conf.local" fails, because the redirection is performed by your unprivileged shell rather than by sudo; hence the "sudo sh -c" wrapper.

2. Modify /etc/bind/named.conf.local so that the "file" attribute of the zone "example.com" points to example.com.zone and not /usr/local/samba/private/example.com.zone.

3. Follow the instructions in /usr/local/samba/private/named.txt.

Note: The options file is /etc/bind/named.conf.options.

4. After the configuration changes, restart bind:

 sudo /etc/init.d/bind9 restart
== Create scripts in /etc/init.d for both slapd and samba4 ==

/etc/init.d/samba:

 #! /bin/sh -e
 ### BEGIN INIT INFO
 # Provides:          samba
 # Required-Start:
 # Required-Stop:
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Samba
 # Description:       Samba Domain controller
 ### END INIT INFO
 
 set -e
 
 PATH=/bin:/usr/bin:/sbin:/usr/sbin
 DAEMON=/usr/local/samba/sbin/samba
 test -x $DAEMON || exit 0
 
 . /lib/lsb/init-functions
 
 case "$1" in
   start)
     log_daemon_msg "Starting Samba" "samba"
     start_daemon $DAEMON -D
     log_end_msg $?
     ;;
   stop)
     log_daemon_msg "Stopping Samba" "samba"
     # Match the running daemon by executable path. A "ps -ef | grep $DAEMON"
     # pipeline also returns the PID of the grep itself, so kill fails and,
     # with set -e, the script aborts before the daemon is stopped.
     start-stop-daemon --stop --oknodo --retry 10 --exec $DAEMON
     log_end_msg $?
     ;;
   force-reload|restart)
     $0 stop
     $0 start
     ;;
   *)
     echo "Usage: /etc/init.d/samba {start|stop|restart}"
     exit 1
     ;;
 esac
 
 exit 0

/etc/init.d/openldap:

 #! /bin/sh -e
 ### BEGIN INIT INFO
 # Provides:          openldap
 # Required-Start:
 # Required-Stop:
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: OpenLdap
 # Description:       OpenLdap
 ### END INIT INFO
 
 set -e
 
 PATH=/bin:/usr/bin:/sbin:/usr/sbin
 DAEMON=/usr/local/libexec/slapd
 test -x $DAEMON || exit 0
 
 . /lib/lsb/init-functions
 
 case "$1" in
   start)
     log_daemon_msg "Starting OpenLdap" "slapd"
     # Bind slapd only to the ldapi socket; Samba4 owns port 389.
     start_daemon $DAEMON -f /usr/local/samba/private/ldap/slapd.conf -h ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi
     log_end_msg $?
     ;;
   stop)
     log_daemon_msg "Stopping OpenLdap" "slapd"
     # Same reasoning as in the samba script: match by executable, not by grep.
     start-stop-daemon --stop --oknodo --retry 10 --exec $DAEMON
     log_end_msg $?
     ;;
   force-reload|restart)
     $0 stop
     $0 start
     ;;
   *)
     echo "Usage: /etc/init.d/openldap {start|stop|restart}"
     exit 1
     ;;
 esac
 
 exit 0

Note: The stop actions use start-stop-daemon (standard on Debian/Ubuntu) instead of a ps/grep pipeline; --retry 10 sends SIGTERM, waits up to ten seconds, and only then escalates to SIGKILL, and --oknodo makes "stop" succeed when the daemon is not running.
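The reason the ps/grep pipeline is unreliable, shown in working code. This is an added example and not part of the wiki page or the Samba project; it assumes a Linux host (it reads /proc/PID/cmdline) and a daemon that writes no pidfile, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the wiki page or the Samba project.
# A "ps -ef | grep $DAEMON" pipeline also lists the grep process itself
# (its argument contains the daemon path), so a stop action may kill a
# PID that has already exited and, under "set -e", abort before the real
# daemon is signalled. This routine instead compares the exact command
# line from /proc (assumes Linux), skips the calling shell, and waits for
# the process to disappear before reporting success.

# Print the PIDs whose command line is exactly "$1" or begins with "$1 ",
# e.g. daemon_pids /usr/local/samba/sbin/samba matches "... samba -D".
daemon_pids() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ "$pid" = "$$" ] && continue
        # cmdline is NUL-separated; rewrite as space-separated, drop the tail.
        cmd=$(tr '\000' ' ' 2>/dev/null < "$d/cmdline") || continue
        cmd=${cmd% }
        case "$cmd" in
            "$1"|"$1 "*) echo "$pid" ;;
        esac
    done
    return 0
}

# stop_daemon CMDLINE [TIMEOUT_SECONDS]: SIGTERM, wait, escalate to SIGKILL.
# Returns 0 when no matching process remains, 1 if none was running.
stop_daemon() {
    secs=${2:-10}
    pids=$(daemon_pids "$1")
    [ -n "$pids" ] || return 1
    kill $pids 2>/dev/null || true
    while [ -n "$(daemon_pids "$1")" ] && [ "$secs" -gt 0 ]; do
        sleep 1
        secs=$((secs - 1))
    done
    left=$(daemon_pids "$1")
    if [ -n "$left" ]; then
        kill -9 $left 2>/dev/null || true
        sleep 1
    fi
    [ -z "$(daemon_pids "$1")" ]
}

# From an init script: stop_daemon /usr/local/samba/sbin/samba
```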
== Create the symlinks in the right /etc/rc*.d ==

 sudo update-rc.d samba defaults 60 40
 sudo update-rc.d openldap defaults 50 50

== Test proper xattr support ==

 cd /data/test
 touch test.txt
 setfattr -n user.test -v test test.txt
 sudo setfattr -n security.test -v test2 test.txt
 getfattr -d test.txt
 sudo getfattr -n security.test test.txt

Note: the security.* namespace can only be written by root, and "getfattr -d" lists only user.* attributes, so the security.test attribute is read back by name.
== How to manage your domain with the Microsoft Active Directory tools ==

Click [http://wiki.samba.org/index.php/Samba4/HOWTO#Configure_Windows_XP_Pro_client_to_join_Samba_4_Active_Directory here] to read more about managing your domain with the Microsoft Active Directory tools.
Revision as of 22:40, 14 April 2010
Creating a Single Sign-on VPN with Samba4 on Ubuntu/Debian Server
These instructions are pretty rough, but they "worked for me" and I hope they give others some guidance. I've tried to go into as much detail as possible (painfully so) but I'm sure there are things that I'm missing. Please expand upon this HOWTO if you do find errors.
== Overview ==

1. The purpose of this guide is to provide an overview and step-by-step guidelines on how to create an L2TP VPN server which is fully integrated with the Samba4 server.
== Network Topology ==

2. Before we go over how to actually build and configure the VPN server, we first need to understand a little about our network topology. Basically our network is built from a Layer 2 switch, a firewall server which is also our network gateway, at least one Samba4 Domain Controller, and one or more Linux/Windows user machines.

 NetID 172.16.0.0/24
                                                    /---------- Windows XP   - 172.16.0.10/24
                        ------                 --------  /
                        |    |                 |      | /
 Internet----Public-IP--| FW |--172.16.0.1/24--| Switch |----------- Samba4 DC   - 172.16.0.2/24
                        |    |                 |      | \
                        ------                 --------  \
                                                    \---------- Fedora Linux - 172.16.0.50/24

Please note that the Domain Controller (Samba4) can also be configured on the firewall itself, but this is strongly not recommended for security reasons.
== Install & Configure Your Samba4 Domain Controller ==

3. This guide assumes you have one or more Samba4 Domain Controllers running in your network. For the purpose of this guide, I will refer to our Domain Controller host name as "DC.Domain.Local" and our domain name as "Domain.Local". If you are unfamiliar with how to install Samba4 on a Debian/Ubuntu server, please see [http://wiki.samba.org/index.php/Samba4/HOWTO/Ubuntu_Server_9.04 here].
== Install & Configure a Radius Server ==

4. Once you have a Samba4 server up and running, our next step is to install and configure a RADIUS server as an alternative to the Microsoft [http://en.wikipedia.org/wiki/Internet_Authentication_Service IAS or NPS].

There are plenty of RADIUS implementations in the open source community, but I truly recommend going with the [http://freeradius.org/ FreeRadius] solution.

5. Install the FreeRadius software

 sudo apt-get install