Configurare Samba

There are multiple ways to configure Samba. For details on some common configurations see Capitolo 18, Reti Windows [277]. To configure Samba to use LDAP, edit it's configuration file ^/

etc/samba/smb.conf commenting out the default passdb backend parameter and adding some ldap-related ones:

# passdb backend = tdbsam

# LDAP Settings

passdb backend = ldapsam:ldap://hostname ldap suffix = dc=example,dc=com

ldap user suffix = ou=People ldap group suffix = ou=Groups ldap machine suffix = ou=Computers ldap idmap suffix = ou=Idmap

ldap admin dn = cn=admin,dc=example,dc=com ldap ssl = start tls

ldap passwd sync = yes ...

add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"

Change the values to match your environment.

Riavviare samba per abilitare le nuove impostazioni:

sudo restart smbd sudo restart nmbd

Now inform Samba about the rootDN user's password (the one set during the installation of the slapd package):

sudo smbpasswd -w password

If you have existing LDAP users that you want to include in your new LDAP-backed Samba they will, of course, also need to be given some of the extra attributes. The smbpasswd utility can do this as well (your host will need to be able to see (enumerate) those users via NSS; install and configure either libnss-ldapd or libnss-ldap):

sudo smbpasswd -a NOME_UTENTE

You will prompted to enter a password. It will be considered as the new password for that user.

Making it the same as before is reasonable.

To manage user, group, and machine accounts use the utilities provided by the smbldap-tools package. Here are some examples:

• To add a new user:

sudo smbldap-useradd -a -P NOME_UTENTE

The -a option adds the Samba attributes, and the -P option calls the smbldap-passwd utility after the user is created allowing you to enter a password for the user.

• To remove a user:

sudo smbldap-userdel NOME_UTENTE

In the above command, use the -r option to remove the user's home directory.

• To add a group:

sudo smbldap-groupadd -a NOME_GRUPPO

As for smbldap-useradd, the -a adds the Samba attributes.

• To make an existing user a member of a group:

sudo smbldap-groupmod -m NOME_UTENTE NOME_GRUPPO

The -m option can add more than one user at a time by listing them in comma-separated format.

• To remove a user from a group:

sudo smbldap-groupmod -x NOME_UTENTE NOME_GRPPO

• To add a Samba machine account:

sudo smbldap-useradd -t 0 -w NOME_UTENTE

Replace username with the name of the workstation. The -t 0 option creates the machine account without a delay, while the -w option specifies the user as a machine account. Also, note the add machine script parameter in /etc/samba/smb.conf was changed to use smbldap-useradd.

There are utilities in the smbldap-tools package that were not covered here. Here is a complete list:

smbldap-groupadd³⁷

• For more information on installing and configuring Samba see Capitolo 18, Reti Windows [277]

of this Ubuntu Server Guide.

• There are multiple places where LDAP and Samba is documented in the upstream Samba HOWTO Collection⁴⁹.

• Regarding the above, see specifically the passdb section⁵⁰.

• Although dated (2007), the Linux Samba-OpenLDAP HOWTO⁵¹ contains valuable notes.

37 http://manpages.ubuntu.com/manpages/en/man8/smbldap-groupadd.8.html

• The main page of the Samba Ubuntu community documentation⁵² has a plethora of links to articles that may prove useful.

52 https://help.ubuntu.com/community/Samba#samba-ldap

3. Kerberos

Kerberos è un sistema di autenticazione di rete basato sul principio di un "agente" terzo fidato. Le altre due parti sono l'utente e il servizio a cui l'utente vuole autenticarsi. Non tutti i serivizi e le applicazioni possono usare Kerberos, ma quelle che ne sono in grado, consentono di portare la rete a essere un SSO (Single Sign On).

Questa sezione spiega come installare e configurare un server Kerberos, fornendo alcuni esempi di configurazione.

3.1. Panoramica

Se si è nuovi di Kerberos, ci sono alcuni termini che è bene comprendere prima di procedere. Molti di questi termini potrebbero essere simili ad altri concetti di altri ambienti più familiari.

• Principal: qualsiasi utente, computer e servizio fornito da server deve essere difinito come

"Kerberos Principal".

• Istanze: usate dai principal di servizio e da quelli amministrativi.

• Realms: the unique realm of control provided by the Kerberos installation. Think of it as the domain or group your hosts and users belong to. Convention dictates the realm should be in

uppercase. By default, ubuntu will use the DNS domain converted to uppercase (EXAMPLE.COM) as the realm.

• Key Distribution Center (KDC): consiste di tre parti, un database di tutti i principal, il server di autenticazione e il server che garantisce i ticket. Per ogni reame deve esserci almeno un KDC.

• Ticket Granting Ticket (TGT): emesso dallo "Authentication Server" (AS), il "Ticket Granting Ticket" è cifrato con la password dell'utente ed è quindi noto solo all'utente e al KDC.

• Ticket Granting Server (TGS): emette i ticket su richiesta dei client.

• Ticket:: conferma l'identità dei due principal. Uno è l'utente e l'altro il servizio richiesto. Il ticket stabilisce una chiave di cifratura usata per garantire la sicurezza della comunicazione durante la fase di autenticazione.

• File keytab: sono file estratti dal KDC e contengono le chiavi di cifratura per un servizio o un host.

To put the pieces together, a Realm has at least one KDC, preferably more for redundancy, which contains a database of Principals. When a user principal logs into a workstation that is configured for Kerberos authentication, the KDC issues a Ticket Granting Ticket (TGT). If the user supplied credentials match, the user is authenticated and can then request tickets for Kerberized services from the Ticket Granting Server (TGS). The service tickets allow the user to authenticate to the service without entering another username and password.