VPN Single SignOn with Samba AD: Difference between revisions

From SambaWiki
3. Ensure Ubuntu core is up to date
sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot

3. Install all required dependencies
sudo apt-get install build-essential git-core bind9 ntp libattr1-dev libblkid-dev libgnutls-dev libreadline5-dev \
python-dev autoconf libdb-dev libtool unixodbc-dev libwrap0-dev libmysqlclient15-dev libsasl2-dev libcurl4-gnutls-dev \
libslp-dev libperl-dev attr

4. For now, remove AppArmor (this is a blunt fix; a better one has not been worked out yet). Be aware that purging it takes a mandatory access control layer off the domain controller host. The narrower alternative is to switch only the profile that gets in your way into complain mode with aa-complain (package apparmor-utils) and read the denial messages in the system log to see what it objected to.
sudo apt-get purge apparmor

5. Network setup: edit /etc/network/interfaces so that the interface you plan to use on your network (eth0 here) has a static IP. Adjust the address and gateway to your own network; the gateway is the address of your router, not of this host.

# The primary network interface
auto eth0
iface eth0 inet static
address 172.16.0.1
netmask 255.255.255.0
broadcast 172.16.0.255
gateway 172.16.0.1

6. Modify /etc/hosts so that the following line (adjusted for your chosen hostname and the static IP from the previous step) is present. Map the fully qualified name to the interface address rather than to 127.0.1.1: this name is what Kerberos and LDAP referrals hand out to clients, so it must resolve to an address those clients can reach. Later we will use BIND for DNS resolution.
172.16.0.1 hydrogen.example.com ldap.example.com Hydrogen

== Install Samba4 from source ==
1. Use git to clone the Samba repository, check out v4-0-stable, pin one file (ntlmssp_sign.c) to a specific revision, then configure, build and install.
cd ~
mkdir -p src
cd src
git clone git://git.samba.org/samba.git samba
cd samba
git checkout -b v4-0-stable origin/v4-0-stable
git clean -fdx
cd source4
cd auth/ntlmssp
git checkout 7a54cd041e04f901af5e73b9e57b9cff4e182955 ntlmssp_sign.c
cd ../..
./autogen.sh
./configure
make
sudo make install

Note: If there are newer versions of v4-0-stable, checking out that specific revision of ntlmssp_sign.c might actually cause problems. However, on the version of v4-0-stable I checked out on 2-Aug-2009, that revision fixes an issue where searching Active Directory never returned any results. It has something to do with the client always signing when it should not always do so; I do not know exactly what, but with the new version of the file it works.

== Install OpenLDAP from source ==
1. Download the current release of OpenLDAP (or just in case use 2.4.17), configure, build, and install.
cd ~/src
wget -c 'ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-2.4.17.tgz'
tar xfz openldap-2.4.17.tgz
cd openldap-2.4.17
./configure --enable-overlays --enable-accesslog --enable-auditlog --enable-collect --enable-constraint \
--enable-dds --enable-deref --enable-dyngroup --enable-dynlist --enable-memberof --enable-ppolicy --enable-proxycache \
--enable-refint --enable-retcode --enable-rwm --enable-seqmod --enable-syncprov --enable-translucent --enable-unique \
--enable-valsort
make depend
make
sudo make install

Note: Why enable all of those overlays? Because otherwise you will get down to the provisioning section and things will break with errors about refint, overlays not found, and all sorts of other annoying problems. Enabling more than you strictly need is sometimes the cheaper option.

== Linking for easier access ==
cd /sbin
sudo ln -s /usr/local/samba/sbin/samba ./
sudo ln -s /usr/local/libexec/slapd ./
cd /bin
sudo ln -s /usr/local/samba/bin/* ./

Note: Alternatively, add /usr/local/samba/bin, /usr/local/samba/sbin and /usr/local/libexec to PATH instead of linking.

== Provisioning ==
1. Generate the OpenLDAP and BIND config files we need for a functional domain controller. Passwords passed on the command line, as below, end up in your shell history and are visible to other local users in ps output while the command runs, so treat them as exposed: clear the history afterwards and do not reuse these values anywhere else.

cd ~/src/samba/source4
sudo ./setup/provision-backend --realm=EXAMPLE.COM --domain=EXAMPLE --ldap-admin-pass=SuperSecretPassword \
--ldap-backend-type=openldap --server-role='domain controller'

2. Verify that the openLDAP config is working.
sudo slapd -f /usr/local/samba/private/ldap/slapd.conf -h ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi
ldapsearch -x -b '' -s base '(objectClass=*)' namingContexts -H ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi

Note: Do not run slapd on port 389. Samba4 will listen on that port later and handle all LDAP queries itself, talking to slapd only over the ldapi socket above (the same socket path the init script further down uses).

3. If you didn't get errors you should now be able to finish the provisioning.
sudo ./setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE --server-role='domain controller' \
--ldap-backend=ldapi --ldap-backend-type=openldap --username=samba-admin --password=SuperSecretPassword

4. If all went well you should see the following as well as instructions on other steps you are required to complete.
Take note of the password! This is the domain administrator password!
Server Role: domain controller
Hostname: hydrogen
NetBIOS Domain: EXAMPLE
DNS Domain: EXAMPLE.COM
DOMAIN SID: S-1-5-21-3012927460-1946624778-3082554826
Admin password: GoyBLa,bPhUq

== Test progress so far ==
1. Set up the /data/test directory. Mode 777 makes it world-writable, which is acceptable for this smoke test but not for a directory you intend to keep.
sudo mkdir -p /data/test
sudo chmod -R 777 /data/test
touch /data/test/If_you_see_this-things-are-going-well

2. Modify /usr/local/samba/etc/smb.conf to have at least one file share as follows.
[test]
path = /data/test
read only = no

3. Start samba
sudo samba -i -M single

4. Connect to Samba using the client
smbclient //localhost/test -Uadministrator%GoyBLa,bPhUq
ls
quit

Note: If you see the file we created earlier when you run "ls", things are working well so far.

5. Use Ctrl-C to kill samba or run "sudo pkill samba"

== DNS using BIND9 ==
1. Setup BIND9
sudo cat /usr/local/samba/private/named.conf >> /etc/bind/named.conf.local
sudo cp /usr/local/samba/private/example.com.zone /etc/bind/example.com.zone
sudo cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

sudo chown -R bind:bind /etc/bind

2. Modify /etc/bind/named.conf.local so that the zone "example.com" file attribute points to /etc/bind/example.com.zone and not /usr/local/samba/private/example.com.zone

3. Follow the instructions in /usr/local/samba/private/named.txt
Note: The options file is /etc/bind/named.conf.options

4. After the configuration changes restart bind
sudo /etc/init.d/bind9 restart
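Once BIND is back up, the thing to verify is that the service records clients use to locate the DC actually resolve: domain joins and Kerberos depend on them. The following is an added example, not part of the original HOWTO: a POSIX shell check that asks the name server for the SRV records a Samba4 provision publishes in its zone. The record list follows the standard Active Directory names and the default site name Default-First-Site-Name; both are assumptions to adjust if your provision differs, and dig (package dnsutils) is needed for the live query.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): verify the AD service records
# that clients use to find the DC. Assumes the standard AD SRV names; the site
# name defaults to Default-First-Site-Name, which is what provision creates.

# Print the SRV owner names a Samba4 provision publishes for a realm.
ad_srv_names() {
    realm=$1
    site=${2:-Default-First-Site-Name}
    printf '%s\n' \
        "_ldap._tcp.$realm" \
        "_ldap._tcp.dc._msdcs.$realm" \
        "_ldap._tcp.$site._sites.$realm" \
        "_kerberos._tcp.$realm" \
        "_kerberos._udp.$realm" \
        "_kpasswd._tcp.$realm"
}

# Query each SRV name on the given server. Returns 0 when all resolve,
# 1 when any is missing, 2 when dig is not installed.
check_ad_dns() {
    realm=$1
    server=${2:-127.0.0.1}
    missing=0
    command -v dig >/dev/null 2>&1 || { echo "dig not found (install dnsutils)"; return 2; }
    for name in $(ad_srv_names "$realm"); do
        answer=$(dig +short +time=2 +tries=1 @"$server" SRV "$name")
        if [ -n "$answer" ]; then
            echo "ok    $name -> $answer"
        else
            echo "MISS  $name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage on the DC from this HOWTO:  check_ad_dns example.com 172.16.0.1
```

A MISS on the _msdcs or _sites names usually means the zone file BIND loaded is not the one provision generated; a MISS on everything means named is answering for a different zone or not at all.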

== Create scripts in /etc/init.d for both slapd and samba4 ==

/etc/init.d/samba
#! /bin/sh -e
### BEGIN INIT INFO
# Provides: samba
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Samba
# Description: Samba Domain controller
# scheduler
### END INIT INFO
#
#
#
set -e
PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/local/samba/sbin/samba
test -x $DAEMON || exit 0
. /lib/lsb/init-functions
case "$1" in
start)
log_daemon_msg "Starting Samba" "samba"
start_daemon $DAEMON -D
log_end_msg $?
;;
stop)
log_daemon_msg "Stopping Samba" "samba"
# pgrep does not report itself, unlike "ps -ef | grep $DAEMON", which also
# matched grep's own command line and made kill fail under "set -e".
PIDSMB=$(pgrep -f "$DAEMON" || true)
[ -n "$PIDSMB" ] && kill $PIDSMB
log_end_msg $?
;;
force-reload|restart)
$0 stop
$0 start
;;
*)
echo "Usage: /etc/init.d/samba {start|stop|restart}"
exit 1
;;
esac
exit 0

/etc/init.d/openldap
#! /bin/sh -e
### BEGIN INIT INFO
# Provides: openldap
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: OpenLdap
# Description: OpenLdap
# scheduler
### END INIT INFO
#
#
#
set -e
PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/local/libexec/slapd
test -x $DAEMON || exit 0
. /lib/lsb/init-functions
case "$1" in
start)
log_daemon_msg "Starting OpenLdap" "slapd"
start_daemon $DAEMON -f /usr/local/samba/private/ldap/slapd.conf -h ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi
log_end_msg $?
;;
stop)
log_daemon_msg "Stopping OpenLdap" "slapd"
# pgrep does not report itself, unlike "ps -ef | grep $DAEMON", which also
# matched grep's own command line and made kill fail under "set -e".
PIDLDAP=$(pgrep -f "$DAEMON" || true)
[ -n "$PIDLDAP" ] && kill $PIDLDAP
log_end_msg $?
;;
force-reload|restart)
$0 stop
$0 start
;;
*)
echo "Usage: /etc/init.d/openldap {start|stop|restart}"
exit 1
;;
esac
exit 0
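The stop branch of both scripts is where an init script most often goes wrong: a pid list built from "ps -ef | grep" can contain a process that has already exited, kill then fails, and with "set -e" the script aborts while the daemon is still up. As an added example (not part of the original HOWTO), here is the weak lookup beside a corrected one and a stop routine that waits for the daemon before escalating to SIGKILL. It assumes pgrep from procps is installed.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): a stop routine that does not
# rely on "ps -ef | grep $DAEMON". Assumes pgrep (procps) is installed.

# WEAK, as in the init scripts above: grep's own command line also contains
# $DAEMON, so the list can include grep's pid. That process is usually gone by
# the time kill runs, kill fails, and with "set -e" the script aborts while
# the real daemon keeps running.
weak_daemon_pids() {
    ps -ef | grep "$1" | awk '{ print $2 }'
}

# CORRECTED: pgrep never reports itself; we also drop the calling shell.
# Prints matching pids, one per line, and nothing when none match.
daemon_pids() {
    pgrep -f "$1" | grep -vx "$$" || true
}

# Terminate all processes matching $1, waiting up to $2 seconds (default 10)
# before escalating from TERM to KILL. Returns 0 when none are left.
stop_daemon() {
    pattern=$1
    grace=${2:-10}
    pids=$(daemon_pids "$pattern")
    [ -n "$pids" ] || return 0             # already stopped is not an error
    kill -TERM $pids 2>/dev/null
    waited=0
    while [ "$waited" -lt "$grace" ]; do
        [ -z "$(daemon_pids "$pattern")" ] && return 0
        sleep 1
        waited=$((waited + 1))
    done
    pids=$(daemon_pids "$pattern")
    [ -n "$pids" ] && kill -KILL $pids 2>/dev/null
    sleep 1
    [ -z "$(daemon_pids "$pattern")" ]
}

# In the stop) branch of the init scripts above this replaces the
# ps|grep|awk|kill lines:
#   stop_daemon "$DAEMON" 15
```

Giving slapd a longer grace period than samba is worthwhile: killing it with SIGKILL while a write is in flight is how you end up recovering the LDAP backend by hand.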

== Create the symlinks in the right /etc/rc*.d ==

sudo update-rc.d samba defaults 60 40
sudo update-rc.d openldap defaults 50 50

== Test that extended attributes work ==
cd /data/test
touch test.txt
setfattr -n user.test -v test test.txt
sudo setfattr -n security.test -v test2 test.txt
getfattr -d test.txt
getfattr -n security.test test.txt

Note: Writing to the security.* namespace needs CAP_SYS_ADMIN, hence the sudo on that line; getfattr takes either -d (dump all) or -n (one named attribute), not both.
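Samba stores DOS attributes in user.DOSATTRIB and the NT ACL in security.NTACL, which is why both namespaces are exercised above. As an added example (not part of the original HOWTO), the function below turns that manual check into something you can run against any directory before provisioning on it; it needs the attr package and distinguishes "unsupported" from "not testable as this user".

```shell
#!/bin/sh
# Added example (not from the original HOWTO): probe a directory for the
# extended attribute namespaces Samba uses. Returns 0 if user.* works (and
# security.* where testable), 1 if a namespace is unsupported, 2 if the
# check could not run (attr tools missing or directory unusable).

xattr_check() {
    dir=$1
    command -v setfattr >/dev/null 2>&1 || { echo "setfattr/getfattr not installed (package attr)"; return 2; }
    probe=$(mktemp "$dir/xattr-probe.XXXXXX" 2>/dev/null) || { echo "cannot create a file in $dir"; return 2; }
    rc=0

    # user.* holds user.DOSATTRIB; older ext3/ext4 mounts need the user_xattr
    # mount option for it to work at all.
    if setfattr -n user.samba_probe -v ok "$probe" 2>/dev/null &&
       [ "$(getfattr --only-values -n user.samba_probe "$probe" 2>/dev/null)" = "ok" ]; then
        echo "user.*     ok"
    else
        echo "user.*     NOT supported (mount with user_xattr?)"
        rc=1
    fi

    # security.* holds security.NTACL; writes need CAP_SYS_ADMIN, so as a
    # regular user the result is "cannot test", not "unsupported".
    if setfattr -n security.samba_probe -v ok "$probe" 2>/dev/null; then
        echo "security.* ok"
    elif [ "$(id -u)" -ne 0 ]; then
        echo "security.* not testable without root"
    else
        echo "security.* NOT supported"
        rc=1
    fi

    rm -f "$probe"
    return $rc
}

# Usage:  sudo sh -c '. ./xattr_check.sh; xattr_check /data/test'
```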

== How to manage your domain with the Microsoft Active Directory tools ==


Click [http://wiki.samba.org/index.php/Samba4/HOWTO#Configure_Windows_XP_Pro_client_to_join_Samba_4_Active_Directory here] to read more about managing your domain with the Microsoft Active Directory tools.

Revision as of 22:40, 14 April 2010

Creating a Single Sign-on VPN with Samba4 on Ubuntu/Debian Server

These instructions are pretty rough, but they "worked for me" and I hope they give others some guidance. I have tried to go into as much detail as possible (painfully so), but I am sure there are things I am missing. Please expand upon this HOWTO if you find errors.

== Overview ==

1. The purpose of this guide is to give an overview and step-by-step guidelines for building an L2TP VPN server that is fully integrated with the Samba4 domain controller, so that users authenticate to the VPN with their domain credentials.

== Network Topology ==

2. Before going over how to build and configure the VPN server, we first need to understand a little about the network topology. The network consists of a Layer 2 switch, a firewall server which is also the network gateway, at least one Samba4 domain controller, and one or more Linux/Windows user machines.


                         NetID                                  --------- Windows XP - 172.16.0.10/24
                     172.16.0.0/24                             /
                         ------                   --------    /
                        |      |                 |        |  /
                        |      |                 |        | /
 Internet----Public-IP--|  FW  |--172.16.0.1/24--| Switch | ------------- Samba4 DC - 172.16.0.2/24
                        |      |                 |        | \
                        |      |                 |        |  \
                         ------                   --------    \
                                                               \
                                                                ---------- Fedora Linux - 172.16.0.50/24
      

Please note that the domain controller (Samba4) can also be configured on the firewall itself, but this is strongly discouraged for security reasons: the DC holds every domain user's password hashes and runs the Kerberos KDC, while the firewall is the host directly exposed to the Internet, so a compromise of the gateway would become a compromise of the whole domain.

== Install & Configure Your Samba4 Domain Controller ==

3. This guide assumes you have one or more Samba4 domain controllers running in your network. For the purpose of this guide, I will refer to our domain controller host name as "DC.Domain.Local" and our domain name as "Domain.Local". For a real deployment, avoid a .local domain name: that suffix is reserved for multicast DNS, and clients running Avahi or Bonjour will not resolve it through your DNS server. If you are unfamiliar with how to install Samba4 on a Debian/Ubuntu server, please see [http://wiki.samba.org/index.php/Samba4/HOWTO/Ubuntu_Server_9.04 here].


== Install & Configure a Radius Server ==

4. Once you have a Samba4 server up and running, the next step is to install and configure a RADIUS server as an alternative to Microsoft's [http://en.wikipedia.org/wiki/Internet_Authentication_Service IAS or NPS]. The VPN server hands each login to RADIUS, and RADIUS validates it against the domain controller, which is what makes the VPN single sign-on.
There are plenty of RADIUS implementations in the open source community, but I recommend going with [http://freeradius.org/ FreeRadius].

5. Install FreeRadius software

sudo apt-get install
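The two FreeRADIUS pieces that tie the VPN gateway to the domain are the client entry that authorises the gateway to talk to RADIUS, and the mschap module handing the client's MS-CHAPv2 challenge/response to the DC through winbind's ntlm_auth. The following is an added example, not configuration from the original page: shell functions that generate both stanzas for the topology above (gateway 172.16.0.1). The client name l2tp-gw, the FreeRADIUS file locations, and the assumption that the RADIUS host is joined to the domain with winbind running and the freerad user allowed to use the winbind privileged socket are all mine, not the page's.

```shell
#!/bin/sh
# Added example (not from the original page): the FreeRADIUS stanzas that
# connect an L2TP gateway to a Samba domain. Assumes winbind runs on the
# RADIUS host and that the freerad user may read the winbind privileged pipe.

# A RADIUS shared secret only hides the password attribute with MD5-based
# obfuscation, so make it long and random rather than a word.
radius_secret() {
    len=${1:-48}
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 64 | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$len"
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
    fi
    echo
}

# clients.conf entry for the VPN gateway: only this address may use the
# secret, and every request must carry a Message-Authenticator.
radius_client_stanza() {
    name=$1; ip=$2; secret=$3
    cat <<EOF
client $name {
    ipaddr = $ip
    secret = $secret
    require_message_authenticator = yes
}
EOF
}

# mods-available/mschap (modules/mschap on FreeRADIUS 2.x): MS-CHAPv2 from the
# PPP client is verified by the DC via ntlm_auth, and MPPE keys are derived
# from the NT key the DC returns. Recent Samba releases also want
# --allow-mschapv2 on this command line; check ntlm_auth --help.
mschap_ntlm_stanza() {
    domain=$1
    cat <<EOF
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=$domain --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}
EOF
}

# Usage: write the two stanzas, then keep the same secret on the gateway.
#   secret=$(radius_secret)
#   radius_client_stanza l2tp-gw 172.16.0.1 "$secret" >> /etc/freeradius/clients.conf
#   mschap_ntlm_stanza DOMAIN > /etc/freeradius/mods-available/mschap
```

Before pointing the VPN at it, run the server in debug mode (radiusd -X, or freeradius -X on Debian) and test with radtest using a domain account: a working setup shows the mschap module calling ntlm_auth and the DC answering with the NT key.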