VPN Single SignOn with Samba AD

From SambaWiki
Revision as of 22:21, 14 April 2010 by Sassyn (talk | contribs)

Creating a Single Sign-on VPN with Samba4 on an Ubuntu/Debian Server

These instructions are pretty rough, but they "worked for me", and I hope they give others some guidance. I've tried to go into as much detail as possible (painfully so), but I'm sure there are things I'm missing. Please expand upon this HOWTO if you find errors.

Overview

1. The purpose of this guide is to provide an overview and step-by-step guidelines on how to create an L2TP VPN server that is fully integrated with the Samba4 server.

Network Topology

2. Before we go over how to actually build and configure the VPN server, we first need to understand a little about our network topology. Basically, our network consists of a Layer 2 switch, a firewall server which is also our network gateway, at least one Samba4 Domain Controller, and one or more Linux/Windows user machines.


                         NetID                                  --------- Windows XP - 172.16.0.10/24
                     172.16.0.0/24                             /
                         ------                   --------    /
                        |      |                 |        |  /
                        |      |                 |        | /
 Internet----Public-IP--|  FW  |--172.16.0.1/24--| Switch | ------------- Samba4 DC - 172.16.0.2/24
                        |      |                 |        | \
                        |      |                 |        |  \
                         ------                   --------    \
                                                               \
                                                                ---------- Fedora Linux - 172.16.0.50/24
      

Install & Configure Your Samba4 Domain Controller

2. This guide assumes you have one or more Samba4 Domain Controllers running in your network. For the purpose of this guide, I will refer to our Domain Controller host name as "DC.Domain.Local" and our domain name as "Domain.Local". If you are unfamiliar with how to install Samba4 on a Debian/Ubuntu server, please see here.

3. Ensure the Ubuntu core is up to date

sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot

3. Install all required dependencies

sudo apt-get install build-essential git-core bind9 ntp libattr1-dev libblkid-dev libgnutls-dev libreadline5-dev \
python-dev autoconf libdb-dev libtool unixodbc-dev libwrap0-dev libmysqlclient15-dev libsasl2-dev libcurl4-gnutls-dev \
libslp-dev libperl-dev attr

4. For now we need to kill AppArmor... (I'm trying to figure out what we need to do better, as this is probably a stupid fix)

sudo apt-get purge apparmor

5. Network setup: change /etc/network/interfaces so that the interface you plan to use on your network (in my case eth0) has a static IP.

# The primary network interface
auto eth0
iface eth0 inet static
    address 172.16.0.1
    netmask 255.255.255.0
    broadcast 172.16.0.255
    gateway 172.16.0.1

6. Modify /etc/hosts so that the following line (adjusted for your chosen hostname) is present. Later we will use BIND for DNS resolution.

127.0.1.1       hydrogen.example.com   ldap.example.com   Hydrogen

Install Samba4 from source

1. Use git to clone the samba repository, check out v4-0-stable, apply a specific patch, configure, build, and install.

cd ~
mkdir -p src
cd src
git clone git://git.samba.org/samba.git samba
cd samba
git checkout -b v4-0-stable origin/v4-0-stable
git clean -fdx
cd source4
cd auth/ntlmssp
git checkout 7a54cd041e04f901af5e73b9e57b9cff4e182955 ntlmssp_sign.c
cd ../..
./autogen.sh
./configure
make
sudo make install

Note: If there are newer versions of v4-0-stable, then checking out the specific revision of ntlmssp_sign.c might actually cause problems. However, at least on the version of v4-0-stable that I checked out on 2-Aug-2009, this is a fix for an issue where, when I tried to search the Active Directory, no results would ever be returned. Something to do with how the client always signs when it shouldn't always be signing... I don't know exactly what, but with the new version of the file it works.

Install OpenLDAP from source

1. Download the current release of OpenLDAP (or just in case use 2.4.17), configure, build, and install.

cd ~/src
wget -c 'ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-2.4.17.tgz'
tar xfz openldap-2.4.17.tgz
cd openldap-2.4.17
./configure --enable-overlays --enable-accesslog --enable-auditlog --enable-collect --enable-constraint \
--enable-dds --enable-deref --enable-dyngroup --enable-dynlist --enable-memberof --enable-ppolicy --enable-proxycache \
--enable-refint --enable-retcode --enable-rwm --enable-seqmod --enable-syncprov --enable-translucent --enable-unique \
--enable-valsort
make depend
make
sudo make install

Note: Why do we enable all of those things? Because otherwise you'll get down to the provision section and things will break with errors about refint, overlays not found, and all sorts of annoying problems. Overkill when enabling things is good sometimes.

Linking for easier access

cd /sbin
sudo ln -s /usr/local/samba/sbin/samba ./
sudo ln -s /usr/local/libexec/slapd ./
cd /bin
sudo ln -s /usr/local/samba/bin/* ./

Note: That or you can modify paths and such.

Provisioning

1. Generate the openLDAP and BIND config files we will need to have a functional domain controller.

cd ~/src/samba/source4
sudo ./setup/provision-backend --realm=EXAMPLE.COM --domain=EXAMPLE --ldap-admin-pass=SuperSecretPassword \
  --ldap-backend-type=openldap --server-role='domain controller'

2. Verify that the openLDAP config is working.

sudo slapd -f /usr/local/samba/private/ldap/slapd.conf -h ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi
ldapsearch -x -b '' -s base '(objectClass=*)' namingContexts -H ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi

Note: You don't want to have slapd running on port 389 as Samba4 will later listen on that port as it will handle all the LDAP queries.
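The ldapi:// URL handed to slapd -h and to ldapsearch -H is the socket path with every "/" percent-encoded as %2F, and both must decode to the same socket or the search silently talks to nothing. The helpers below are an added example (not from the wiki or from Samba/OpenLDAP) that build and decode such URLs; they assume the socket lives beside slapd.conf, as in the layout above.

```shell
#!/bin/sh
# Added example: helpers for the percent-encoded ldapi:// URLs used by
# slapd -h and ldapsearch -H. Assumption: the ldapi socket sits in the
# same directory as slapd.conf (/usr/local/samba/private/ldap/).

# ldapi_url SOCKET_PATH -> ldapi://%2Fusr%2F...  (each "/" becomes %2F)
ldapi_url() {
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed 's#/#%2F#g')"
}

# ldapi_path URL -> filesystem path of the socket (accepts %2F or %2f)
ldapi_path() {
    printf '%s\n' "${1#ldapi://}" | sed 's#%2[Ff]#/#g'
}

# ldapi_socket_for_conf /path/to/slapd.conf -> URL of the socket next to it
ldapi_socket_for_conf() {
    ldapi_url "$(dirname "$1")/ldapi"
}

# same_socket URL1 URL2 -> exit 0 when both URLs name the same socket file,
# i.e. the slapd -h and ldapsearch -H arguments are consistent
same_socket() {
    [ "$(ldapi_path "$1")" = "$(ldapi_path "$2")" ]
}

# verify_ldapi URL -> runs the page's namingContexts query against URL.
# Returns 2 (skipped) when ldapsearch is not installed, so the helpers
# above stay usable on a machine without the OpenLDAP client tools.
verify_ldapi() {
    command -v ldapsearch >/dev/null 2>&1 || return 2
    ldapsearch -x -b '' -s base '(objectClass=*)' namingContexts -H "$1" >/dev/null
}

# Usage with the paths from this page (constructed, nothing is started here)
SLAPD_CONF=/usr/local/samba/private/ldap/slapd.conf
LDAPI_URL=$(ldapi_socket_for_conf "$SLAPD_CONF")
echo "slapd -f $SLAPD_CONF -h $LDAPI_URL"
echo "ldapsearch -x -b '' -s base '(objectClass=*)' namingContexts -H $LDAPI_URL"
```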

3. If you didn't get errors you should now be able to finish the provisioning.

sudo ./setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE --server-role='domain controller' \
  --ldap-backend=ldapi --ldap-backend-type=openldap --username=samba-admin --password=SuperSecretPassword

4. If all went well you should see the following as well as instructions on other steps you are required to complete.

Take note of the password! This is the domain administrator password!
Server Role:    domain controller
Hostname:       hydrogen
NetBIOS Domain: EXAMPLE
DNS Domain:     EXAMPLE.COM
DOMAIN SID:     S-1-5-21-3012927460-1946624778-3082554826
Admin password: GoyBLa,bPhUq

Test progress so far

1. Setup the /data/test directory...

sudo mkdir -p /data/test
sudo chmod -R 777 /data/test
touch /data/test/If_you_see_this-things-are-going-well

2. Modify /usr/local/samba/etc/smb.conf to have at least one file share as follows.

[test]
    path = /data/test
    read only = no

3. Start samba

sudo samba -i -M single

4. Connect to Samba using the client

smbclient //localhost/test -Uadministrator%GoyBLa,bPhUq
ls
quit

Note: If you saw the file we created earlier when you ran "ls", then things are working well so far, awesome.

5. Use Ctrl-C to kill samba or run "sudo pkill samba"

DNS using BIND9

1. Setup BIND9

sudo cat /usr/local/samba/private/named.conf >> /etc/bind/named.conf.local
sudo cp /usr/local/samba/private/example.com.zone /etc/bind/example.com.zone
sudo cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

sudo chown -R bind:bind /etc/bind

2. Modify /etc/bind/named.conf.local so that the "file" attribute of the zone "example.com" points to example.com.zone and not /usr/local/samba/private/example.com.zone

3. Follow the instructions in /usr/local/samba/private/named.txt. Note: the options file is /etc/bind/named.conf.options

4. After the configuration changes restart bind

sudo /etc/init.d/bind9 restart

Create scripts in /etc/init.d for both slapd and samba4

/etc/init.d/samba

#! /bin/sh
### BEGIN INIT INFO
# Provides:          samba
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Samba
# Description:       Samba4 Domain Controller
### END INIT INFO

set -e

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/local/samba/sbin/samba

# Nothing to do if Samba is not installed at this location
test -x $DAEMON || exit 0

. /lib/lsb/init-functions

case "$1" in
  start)
    log_daemon_msg "Starting Samba" "samba"
    start_daemon $DAEMON -D
    log_end_msg $?
    ;;
  stop)
    log_daemon_msg "Stopping Samba" "samba"
    # Match only the daemon itself, not the grep that is looking for it
    PIDSMB=`ps -ef | grep "$DAEMON" | grep -v grep | awk '{ print $2 }'`
    if [ -n "$PIDSMB" ]; then
      kill $PIDSMB
    fi
    log_end_msg $?
    ;;
  force-reload|restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/samba {start|stop|restart}"
    exit 1
    ;;
esac

exit 0

/etc/init.d/openldap

#! /bin/sh
### BEGIN INIT INFO
# Provides:          openldap
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: OpenLDAP
# Description:       OpenLDAP backend (slapd) for the Samba4 Domain Controller
### END INIT INFO

set -e

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/local/libexec/slapd

# Nothing to do if slapd is not installed at this location
test -x $DAEMON || exit 0

. /lib/lsb/init-functions

case "$1" in
  start)
    log_daemon_msg "Starting OpenLDAP" "slapd"
    # Listen on the ldapi socket only; Samba4 owns port 389
    start_daemon $DAEMON -f /usr/local/samba/private/ldap/slapd.conf -h ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi
    log_end_msg $?
    ;;
  stop)
    log_daemon_msg "Stopping OpenLDAP" "slapd"
    # Match only the daemon itself, not the grep that is looking for it
    PIDLDAP=`ps -ef | grep "$DAEMON" | grep -v grep | awk '{ print $2 }'`
    if [ -n "$PIDLDAP" ]; then
      kill $PIDLDAP
    fi
    log_end_msg $?
    ;;
  force-reload|restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/openldap {start|stop|restart}"
    exit 1
    ;;
esac

exit 0

Create the symlinks in the right /etc/rc*.d (slapd must start before Samba and stop after it, which the sequence numbers below arrange)

sudo update-rc.d samba defaults 60 40
sudo update-rc.d openldap defaults 50 50

Test proper extended attribute (xattr) support. Samba4 stores NT ACLs in the security.* xattr namespace, so the filesystem holding your shares must support it; writing to security.* requires root, reading does not.

cd /data/test
touch test.txt
setfattr -n user.test -v test test.txt
sudo setfattr -n security.test -v test2 test.txt
getfattr -d test.txt
getfattr -n security.test test.txt

How to manage your domain with the Microsoft Active Directory tools

Click here to read more about managing your domain with the Microsoft Active Directory tools.