In this article I will demonstrate how to configure Centrify-enhanced Samba using adbindproxy.pl. This is a new method for Centrify Server Suite 2016 as Centrify is no longer publishing a Centrify-enhanced Samba package with the agent installer.
Why use Centrify-enhanced samba?
- So that AD users don't have to type their passwords when connecting to Samba shares (SSO via Kerberos).
- To restrict access to Samba shares based on an Active Directory security group.
- To maintain file ownership/permissions (Centrify-enhanced samba features an ID mapper to maintain UNIX attribute values such as UID and GID for AD users).
Background and context:
Since badlock, Centrify has shifted the Samba integration strategy to provide an identity mapper (adbindproxy) for Samba that integrates with the Centrify DirectControl agent. Samba’s usual ID mapper (winbind) is designed to provide user and name resolution for the configuration in the Samba directory -- but this can have undesirable effects to a domain-joined system or systems (e.g. file ownership issues). To resolve this, Centrify's adbindproxy mapper uses the UNIX identity data that resides in AD (as contained within Centrify Zones).
If this sounds complicated, fear not -- it's easy to configure! Read on, and check out the video at the end of the article.
- Review Centrify 2016 Samba Integration Guide
- Read the Centrify 2016 adbindproxy release notes (there's a great summary contained within!)
- Obtain adbindproxy from the Centrify Customer Support Portal (version specific for your OS and platform)
- Ensure your Linux/UNIX system is joined to the domain, like this:
[dwirth@cent7 ~]$ adinfo Local host name: cent7 Joined to domain: centrify.vms Joined as: cent7.centrify.vms Pre-win2K name: cent7 Current DC: dc.centrify.vms Preferred site: Demo-Network Zone: centrify.vms/centrifyse/Zones/Global/Engineering CentrifyDC mode: connected Licensed Features: Enabled
- Lastly, should you wish to test a restricted share with authorization based on an Active Directory security group, you will also need to create a group in Active Directory.
At a high level, the configuration consists of three steps:
- Install native Samba packages
- Run adbindproxy.pl to reconfigure Samba to interoperate with the Centrify agent
- Configure Samba to your liking (e.g. configure a samba share restricted by an Active Directory security group for authorization)
Step 1 - Install Samba:
My test system is a CentOS 7.2 machine, so I will install samba using yum:
yum install samba samba-client samba-common samba-winbind -y
Take a minute to review and familiarize yourself with the stock samba configuration:
(Note: No changes need to be made to the config at this time).
Step 2 - Install and configure adbindproxy:
Explode the tarball and install:
tar xvf centrify-adbindproxy-5.3.0-rhel4-x86_64-2.tar rpm -Uvh centrifydc-adbindproxy-5.3.0-rhel4-x86_64.rpm
Next, let's run through the configuration. adbindproxy is a perl script that will interactively ask you some questions in order to set up Centrify-enhanced samba for you.
Executing the perl script:
Creates the following interactive output:
adbindproxy.pl is used to configure the Samba to interoperate with Centrify's DirectControl product. It checks if the machine is joined to an AD domain. If not, it will prompt for the join operation. It also updates smb.conf and tdb files. For security reason, you will be prompted for password several times in order to perform different AD operations when running this script. Please specify Samba's path if it is not in [/usr/] : <ENTER> Using (/usr/) The Samba base path is : /usr/
Joined to Domain: centrify.vms Zone: centrify.vms/centrifyse/Zones/Global/Engineering Do you want to leave and join to another domain? [N] : <ENTER> Using (N)
Remove Winbind settings (if any) from /etc/nsswitch.conf. No Winbind settings found. Removing old state files...
Please specify the stock samba winbindd listen path(dir) if it is not in [/run/samba/winbindd] : <ENTER> Using (/run/samba/winbindd)
Existing file '/etc/centrifydc/centrifydc.conf' is backed up as '/etc/centrifydc/centrifydc.conf.pre_adbindproxy' Do you want to keep the original Samba settings? [Y] : <ENTER> Using (Y)
Backup existing /etc/samba/smb.conf and add Centrify recommended settings? [Y] : <ENTER> Using (Y) Updating smb.conf with Centrify recommended settings... Existing file '/etc/samba/smb.conf' is backed up as '/etc/samba/smb.conf.2016-07-07-22-35-30'
Reset the Samba User/Group ID Cache (Centrify Samba may create conflicting mappings) [Y] : <ENTER>
Init Samba start script ... Restarting Samba daemons ... Reloading systemd: [ OK ] Restarting centrifydc-samba (via systemctl): [ OK ] Current DirectControl Configuration:
Local host name: cent7 Joined to domain: centrify.vms Joined as: cent7.centrify.vms Pre-win2K name: cent7 Current DC: dc.centrify.vms Preferred site: Demo-Network Zone: centrify.vms/centrifyse/Zones/Global/Engineering Last password set: 2016-07-07 22:36:26 EDT CentrifyDC mode: connected Licensed Features: Enabled Current Samba Configuration: LDAP server: 192.168.81.10 LDAP server name: dc.centrify.vms Realm: CENTRIFY.VMS Bind Path: dc=CENTRIFY,dc=VMS LDAP port: 389 Server time: Thu, 07 Jul 2016 22:36:26 EDT KDC server: 192.168.81.10 Server time offset: 45 Press ENTER to continue ... <ENTER> Notes: If you need to join other domain, please re-run this script and enter a different domain name ! Done.
As you can see, it installs nicely with the defaults selected. At this point I would suggest reviewing the samba configuration to see what changes adbindproxy has made:
Note that adbindproxy has created a test share:
[samba-test] path = /samba/samba-test public = yes # if set public = No, we should set parameter valid users . # and when the user or group is in AD , the setting syntaxes is: # valid users = CENTRIFY\username +CENTRIFY\group writable = yes
You can try navigating to it from a Windows machine on the domain and you'll be able to read and write to it.
Step 3 (Optional) - Configure a samba share restricted by an Active Directory security group for authorization
Create the secured share in samba conf (as root or using dzdo):
Paste the following:
[secured] path = /samba/secured comment = Samba secured share IT Members only public = no valid users = +CENTRIFY\IT_Members # if set public = No, we should set parameter valid users . # and when the user or group is in AD , the setting syntaxes is: # valid users = CENTRIFY\username +CENTRIFY\group writable = yes
Note: Replace "CENTRIFY\IT_MEMBERS" with your own domain and AD group name.
Create a directory for the new secured share:
Put something in the directory for testing purposes, e.g.:
cp /tmp/samba/centrify-adbindproxy-guide.pdf /samba/secured/
Restart Centrify-enhanced samba by running the following command as root or via dzdo:
Finally, validate that only members of the specified AD group can access the share:
Here is a YouTube video demonstrating the configuration on a Ubuntu 16.04 machine:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.