SAMBA
Esta instalación de samba se realizará con la siguientes versiones:
- Titulo:
- SAMBA 3.5.11.0 (64-bit) sobre AIX 6.1
- Software:
- samba
- Tipo:
- howto
- SistemaOp:
- AIX
Software
El software que viene en el CD de Expasion Pack del AIX 6.1 no está compilado para el soporte de Activde Directory (para ver como se compiló ejecuta: smbd -b o smbd -b | grep WITH)
El software que se utilizó se descargó del sitio pWare — AIX Open Source Software for IBM AIX 5.3, 6.1 and 7.1 * http://pware.hvcc.edu/download/aix61-64/
Este es un listado de samba y todas las dependencias necesarias para su instalación.
-rw-r--r-- 1 root system 15K Jan 12 22:01 pware61-64.base.6.1.0.0.bff -rw-r--r-- 1 root system 2.6M Jan 12 22:01 pware61-64.bdb.4.8.30.0.bff -rw-r--r-- 1 root system 6.9M Jan 12 22:01 pware61-64.cyrus-sasl.2.1.23.0.bff -rw-r--r-- 1 root system 23M Jan 12 22:02 pware61-64.gettext.0.18.1.1.bff -rw-r--r-- 1 root system 22M Jan 12 22:02 pware61-64.krb5.1.9.1.0.bff -rw-r--r-- 1 root system 1.9M Jan 12 22:01 pware61-64.libiconv.1.13.1.0.bff -rw-r--r-- 1 root system 1.9M Jan 12 22:01 pware61-64.libtool.2.4.0.0.bff -rw-r--r-- 1 root system 6.0M Jan 12 22:01 pware61-64.ncurses.5.9.0.0.bff -rw-r--r-- 1 root system 5.3M Jan 12 22:01 pware61-64.openldap.2.4.23.0.bff -rw-r--r-- 1 root system 9.5M Jan 12 22:01 pware61-64.openssl.0.9.8.18.bff -rw-r--r-- 1 root system 459K Jan 12 22:01 pware61-64.popt.1.16.0.0.bff -rw-r--r-- 1 root system 1.2M Jan 12 22:01 pware61-64.readline.6.2.0.0.bff -rw-r--r-- 1 root system 159M Jan 12 22:02 pware61-64.samba.3.5.11.0.bff -rw-r--r-- 1 root system 448K Jan 12 22:01 pware61-64.zlib.1.2.5.0.bff
Una vez descompresos los archivos, ejecutamos smitty install → Install and Update Software → Install Software.
Ponemos un punto en el directorio para leer el directorio actual.
Install Software
Type or select a value for the entry field.
Press Enter AFTER making all desired changes.
[Entry Fields]
* INPUT device / directory for software [.] +
Install Software +--------------------------------------------------------------------------+ | SOFTWARE to install | | | | Move cursor to desired item and press F7. Use arrow keys to scroll. | | ONE OR MORE items can be selected. | | Press Enter AFTER making all selections. | | | | [TOP] | | #--------------------------------------------------------------------- | | # | | # KEY: | | # @ = Already installed | | # | | #--------------------------------------------------------------------- | | | | pware61-64.base ALL | | + 6.1.0.0 64-bit pWare base for 6.1 | | | | pware61-64.bdb ALL | | + 4.8.30.0 Berkeley DB 4.8.30 (64-bit) | | | | pware61-64.cyrus-sasl ALL | | + 2.1.23.0 cyrus-sasl 2.1.23 (64-bit) | | | | pware61-64.gettext ALL | | + 0.18.1.1 GNU gettext 0.18.1.1 (64-bit) | | | | pware61-64.krb5 ALL | | + 1.9.1.0 MIT Kerberos 1.9.1 (64-bit) | | | | pware61-64.libiconv ALL | | + 1.13.1.0 GNU libiconv 1.13.1 (64-bit) | | | | pware61-64.libtool ALL | | + 2.4.0.0 GNU libtool 2.4 (64-bit) | | | | pware61-64.ncurses ALL | | + 5.9.0.0 ncurses 5.9 (64-bit) | | | | pware61-64.openldap ALL | | + 2.4.23.0 OpenLDAP 2.4.23 (64-bit) | | | | pware61-64.openssl ALL | | + 0.9.8.18 OpenSSL 0.9.8r (64-bit) | | | | pware61-64.popt ALL | | + 1.16.0.0 popt 1.16 (64-bit) | | | | pware61-64.readline ALL | | + 6.2.0.0 GNU readline 6.2 (64-bit) | | [MORE...6] | | | | F1=Help F2=Refresh F3=Cancel | | F7=Select F8=Image F10=Exit | | Enter=Do /=Find n=Find Next | +--------------------------------------------------------------------------+
Configuración
El archivo smb.conf está en la ruta /opt/pware64/lib/smb.conf (se puede hacer una liga simbólica en /etc/ para encontrarlo mas facilmente. [/etc/smb.conf → /opt/pware64/lib/smb.conf] )
smb.conf
# Global parameters
[global]
workgroup = PRIVADO
realm = PRIVADO.COM.MX
netbios name = AFODES01
server string = AFODES01 Samba Server
security = ADS
password server = afiserv25
auth methods = winbind
allow trusted domains = No
passdb backend = tdbsam
#log level = 5
log level = 2
log file = /var/samba/logs/log.%m
max log size = 2048
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
client use spnego = yes
client signing = yes
encrypt passwords = yes
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
#winbind use default domain = true
template shell = /bin/false
disable netbios = yes
name resolve order = hosts
nmbd bind explicit broadcast = no
ntlm auth = no
map untrusted to domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
[prueba]
comment = Prueba
path = /samba/prueba
valid users = "PRIVADO\fleal", @"PRIVADO\Sist-SopTec Especializado"
write list = "PRIVADO\fleal", @"PRIVADO\Sist-SopTec Especializado"
read list = "PRIVADO\fleal", @"PRIVADO\Sist-SopTec Especializado"
read only = No
browseable = yes
writable = yes
create mask = 0770
force user = samba
Una vez convertido el smb.conf a UTF-8, copiarlo de smb.conf.utf8 a smb.conf
# iconv -f iso-8859-1 -t utf-8 < smb.conf > smb.conf.utf8
Errores:
[2012/01/17 18:59:51.925886, 1] ../librpc/ndr/ndr.c:440(ndr_push_error) ndr_push_error(5): Bad character conversion [2012/01/17 18:59:51.925961, 0] rpc_server/srv_pipe.c:1650(api_rpcTNP) api_rpcTNP: \srvsvc: SRVSVC_NETSHAREENUMALL failed.
testparm
Para validar
[root@AFODES01 var]# testparm Load smb config files from /opt/pware64/lib/smb.conf rlimit_max: increasing rlimit_max (2000) to minimum Windows limit (16384) Processing section "[prueba]" Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions
[root@AFODES01 var]# ulimit -a core file size (blocks, -c) 1048575 data seg size (kbytes, -d) soft file size (blocks, -f) 1048575 max memory size (kbytes, -m) 32768 open files (-n) 2000 pipe size (512 bytes, -p) 64 stack size (kbytes, -s) 32768 cpu time (seconds, -t) unlimited max user processes (-u) 262144 virtual memory (kbytes, -v) unlimited
ulimit -n 16384
[root@AFODES01 var]# ulimit -n 16384 [root@AFODES01 var]# [root@AFODES01 var]# testparm Load smb config files from /opt/pware64/lib/smb.conf Processing section "[prueba]" Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions
Servicio AIX
Para usar el SRC (System Resource Controller) para que samba sea controlado por los servicios de AIX se debe ejecutar lo siguiente.
/usr/bin/mkssys -s nmbd -p /opt/pware64/sbin/nmbd -a '-F -s /opt/pware64/lib/smb.conf' -u 0 -S -n 15 -f 9 -R -G samba /usr/bin/mkssys -s smbd -p /opt/pware64/sbin/smbd -a '-F -s /opt/pware64/lib/smb.conf' -u 0 -S -n 15 -f 9 -R -G samba /usr/bin/mkssys -s winbindd -p /opt/pware64/sbin/winbindd -a '-F -s /opt/pware64/lib/smb.conf' -u 0 -S -n 15 -f 9 -R -G samba
Take notice that by using the “-F” switch with samba you tell it to not daemonize, and let startsrc/stopsrc control it fully. When this is done you should be able to start/stop Samba with:
startsrc -g samba stopsrc -g samba
Fuente: AIX Open
Kerberos
krb5.conf
Este se muestra ya configurado y se puede crear a mano en: /etc/krb5/krb5.conf (/etc/krb5.conf → /etc/krb5/krb5.conf)
- krb5.conf
[logging] default = FILE:/var/log/krb5/libs.log kdc = FILE:/var/log/krb5/kdc.log admin_server = FILE:/var/log/krb5/admin.log [libdefaults] default_realm = PRIVADO.COM.MX dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC allow_weak_crypto = true [realms] PRIVADO.COM.MX = { kdc = afiserv25.privado.com.mx admin_server = afiserv25.privado.com.mx default_domain = privado.com.mx } [domain_realm] .kerberos.server = PRIVADO.COM.MX privado.com.mx = PRIVADO.COM.MX .privado.com.mx = PRIVADO.COM.MX
methods.cfg
3.- Agregar la directiva WINBIND al método de autenticación del AIX.
/usr/lib/security/methods.cfg
NIS:
program = /usr/lib/security/NIS
program_64 = /usr/lib/security/NIS_64
DCE:
program = /usr/lib/security/DCE
WINBIND:
program_64 = /usr/lib/security/WINBIND_64
options = authonly
Fuente: Configuring the AIX Kerberos Version 5 clients with a Windows 2000 active directory server
Sincronización de tiempo
La sincronización de tiempo es un prerrequisito para Kerberos.
Time synchronization is a prerequisite for Kerberos authentication. Therefore, Microsoft chooses to make all AD domain controllers act as time servers. Non-Microsoft clients can synchronize their system clocks with an AD DCs by using version 4 of the Simple Network Time Protocol (SNTP). The ntpdate tool, included in the NTP distribution from http://www.ntp.org, can synchronize the server's local clock with an AD DC. Most systems already have some form of the NTP tools included
[root@AFODES01 ~]# kinit Administrador Password for Administrador@PRIVADO.COM.MX: kinit: Clock skew too great while getting initial credentials
Si hay problema con la hora es necesario sincronizar el reloj. Para este server se sincronizó con le mismo 192.168.0.10 (Active Directory)
[root@AFODES01 ~]# ntpdate 192.168.0.10 18 Jan 10:37:21 ntpdate[13238480]: step time server 192.168.0.10 offset 319.733396 sec
Antes de unir el samba al dominio de AD, es necesario validar que la configuración del cliente de Kerberos funciona correctamente. Una manera de validar esto es usando el comando kinit para obtener un TGT para un usuario existente en el dominio . Aquí usamos la cuenta de emansep.adm.com, en lugar de la de Administrator:
[root@AFODES01 ~]# kinit Administrador Password for Administrador@PRIVADO.COM.MX: [root@AFODES01 ~]#
Si esto es correcto, podemos listar los tickets guardados en caché con el comando klist.
[root@AFODES01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrador@PRIVADO.COM.MX
Valid starting Expires Service principal
01/18/12 10:37:42 01/18/12 20:37:45 krbtgt/PRIVADO.COM.MX@PRIVADO.COM.MX
renew until 01/19/12 10:37:42
Unir al dominio y validación
Se ejecuta net ads join -S afiserv25.privado.com.mx -U cuenta_de_dominio.
[root@AFODES01 krb5]# net ads join -S afiserv25.privado.com.mx -U Administrador Enter Administrador's password: Using short domain name -- PRIVADO Joined 'AFODES01' to realm 'privado.com.mx' [root@AFODES01 krb5]#
Podemos verificar la cuenta del servidor en ActiveDirectory en cualquier momento, ejecutando:
[root@AFODES01 logs]# net ads testjoin Join is OK
Para validar que WINBIND puede hacer conexión
[root@AFODES01 etc]# wbinfo -t checking the trust secret for domain PRIVADO via RPC calls succeeded
Si se recibe el mensaje “could not ping winbindd!”, hay que asegurarse de que winbindd esté ejecutándose.
Para eso podemos enviarle una petición de ping.
[root@AFODES01 etc]# wbinfo -p Ping to winbindd failed could not ping winbindd!
Una vez que winbindd responda las peticiones, validar que pueda comunicarse adecuadamente con el controlador de dominio.
Al ejecutar wbinfo -t samba valida la cuenta en con la que se firmó la máquina.
[root@AFODES01 etc]# wbinfo -t checking the trust secret for domain PRIVADO via RPC calls succeeded
Para listar los usuarios de dominio use wbinfo -u
[root@AFODES01 ~]# wbinfo -u 0cedelrod mcsilrom 0bafercru ... ... ... vayaala sgoncar [root@AFODES01 ~]#
Consultar la descripción de un usuario.
[root@AFODES01 ~]# wbinfo -i fleal fleal:*:100001:100005::/home/PRIVADO/fleal:/bin/false
Listar los recursos compartidos.
[root@AFODES01 ~]# smbclient -L 192.168.0.20 -U fleal
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Enter fleal's password:
Domain=[PRIVADO] OS=[Unix] Server=[Samba 3.6.0]
Sharename Type Comment
--------- ---- -------
prueba Disk Prueba
IPC$ IPC IPC Service (AFODES01 Samba Server)
Domain=[PRIVADO] OS=[Unix] Server=[Samba 3.6.0]
Server Comment
--------- -------
AFODES01 AFODES01 Samba Server
Workgroup Master
--------- -------
PRIVADO COLDWEB-DESA
[root@AFODES01 var]#
Troubleshooting
Error: WBC_ERR_DOMAIN_NOT_FOUND - Al consultar la información de un usuario
[root@AFODES01 var]# wbinfo -i fleal failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user fleal
Este error se corrigió en las líneas del idmap. Se tuvo que colocar la manera anterior ( idmap uid y idmap uid).
idmap config privado.com.mx: default = yes
idmap config privado.com.mx: backend = ad
#idmap config privado.com.mx: range = 100001-200000
idmap uid = 100001-200000
idmap gid = 100001-200000
Cuenta samba y el árbol de directorios
Logs
- Logs: Crear la carpeta /var/samba/logs.
En la directiva del smb.conf se establece la ruta de los logs. (log file = /var/samba/logs/log.%m) - Los archivos logs del servicio de samba se guardan en
/opt/pware64/var.
Se debe crear la cuenta samba en el servidor AIX como el usuario dueño de los archivos escritos por samba.
Usuario
mkgroup id=704 samba mkdir -p /home/products/samba/ useradd -c "Usuario SAMBA para AFORE" -u 761 -g samba -m -d /home/products/samba/ -s /usr/bin/false samba
Carpetas
[root@AFODES01 /]# ll /samba/* /samba/DESA: total 0 drwxr-xr-x 2 samba samba 256 Jan 13 15:54 archivos drwxr-xr-x 2 samba samba 256 Jan 13 15:54 lost+found drwxr-xr-x 3 samba samba 256 Jan 13 17:26 p2000 /samba/QA: total 0 drwxr-xr-x 2 samba samba 256 Jan 13 01:21 archivos drwxr-xr-x 2 samba samba 256 Jan 11 22:29 lost+found drwxr-xr-x 5 samba samba 256 Jan 13 17:26 p2000
Firewall
Como este servidor está en una DMZ de desarrollo, se deben de solicitar los puertos de acceso al firewall
| Puerto | Tipo | Descripción |
|---|---|---|
| 445 | TCP | microsoft-ds . TCP port 445 is reserved for the Microsoft Server Message Block protocol underlying current file sharing and messaging applications. The name of the service is “Microsoft-DS”, reflecting an earlier use for Windows Directory service. UDP port 445 is reserved for the same thing. |
| TCP | LDAP | |
| 389 | UDP | |
| 88 | UDP | |
| UDP | kerberos | |
| 137 | UDP TCP | netbios-ns (NetBIOS name service) Port 137 NetBIOS name service. TCP port 137 and UDP port 137 are reserved for the service which translates between IP addresses and Windows NetBIOS names in a LAN. |
| 138 | UDP TCP | netbios-dgm (NetBIOS datagram service) |
| 139 | UDP TCP | netbios-ssn (NETBIOS Session Service). Port 139 NetBIOS session service. TCP port 139 and UDP port 139 are reserved for the connection-based transport underlying most Windows LAN applications such as those using SMB. |
| 1026 | TCP | Ports 1025 and 1026 Active Directory logon and directory replication. One of ports 1025 and 1026, both TCP and UDP, will normally be chosen for Active Directory support within the LAN. Port 1026, both TCP and UDP, is registered for Calendar Access, and the UDP port is often available to Windows Messenger. Actual intrusions through these ports seem not to be common in JANET, but they are the focus for considerable scanning activity. |
| 135 | no activado | Port 135 RPC endpoint mapper. TCP port 135 and UDP port 135 are reserved for the service which enables the low-level Remote Procedure Call facility to register each available procedure and invoke it when appropriate. Windows LAN applications make heavy use of RPC; on other platforms it is not generally enabled by default. |