[SoftNAS KB]: Integrate SoftNAS with Active Directory prior to Version 3

Symptoms


Integration of SoftNAS into Active Directory enables domain users to share files and data more securely in a corporate environment.  Authentication is managed by Active Directory (AD) via Kerberos.  Kerberos tickets are issued to users authenticated to AD.  When a user accesses a CIFS share managed by SoftNAS, the ticket is verified with AD to ensure it is authentic and valid before access to the share is allowed.  Windows user IDs and groups (e.g., Domain Users) are transparently and dynamically mapped from AD into SoftNAS and Linux, making access seamless for Windows users.
 
When integrated into a domain environment, SoftNAS becomes another member server of the domain - like any other Windows server joined to the domain.
 
Authorization and granular access controls are available to manage the level of access available to various users and user groups.
 

Purpose

The following sections detail how to configure SoftNAS for integration with Active Directory and how to troubleshoot and resolve common issues that can arise during AD integration.
 

Resolution

On Linux, Samba is used to provide access to CIFS for access from Windows-based systems.  Samba uses a program called "winbind", which binds Windows authentication and identities (e.g., AD users and groups) with Linux, and automatically maps Windows users and groups to Linux users and groups.
 
Please use the following process to integrate Active Directory with SoftNAS and Linux with Samba:
 

Adding Domain Controllers as DNS Server for SoftNAS

In order to integrate AD with the SoftNAS Linux operating system, the first step is enabling the SoftNAS Linux system to resolve host names into IP addresses for the Active Directory controller, DNS server(s) and the SoftNAS Linux system itself (so you can use host names instead of IP addresses in the following steps).
 
You need to verify that your hostname and DNS are set up correctly:
 
1.  In the Left Navigation Pane, navigate to General System Settings > Networking > Network Configuration > Hostname and DNS client, and then Host Addresses.
 
2.  The DNS for SoftNAS, when integrated within an Active Directory environment, should be the domain controllers (like any other member server in the domain).
 
 
Begin by configuring your hostname and DNS client lookup for the SoftNAS server.  Note that the Hosts file is configured to be used first for name resolution.  In our examples, we use a domain name "SOFTNAS.local" and our domain controller and DNS is 172.16.150.1 on the local data center network.  Our example host name is "SOFTNASTEST".
 

3. Press the "Save" button to save the changes.
4. Choose the "Host Addresses" menu item and add the host table entries.
 
In the following example, the IP address of the Active Directory controller is 172.16.150.1, so its FQDN, WIN-00B96QSOC44.SOFTNAS.local, is entered along with the realm name in upper case (SOFTNAS.LOCAL) and lower case (softnas.local) and the short domain name (SOFTNAS).  The next entry maps the SoftNAS Linux host's IP address, 172.16.150.50, to the FQDN "softnastest.softnasdev.local", "softnastest" and "SOFTNASTEST".
 

 
To create each host table entry, click on the "Add a new host address" link, then fill in the form that appears, then press "Create":
 

 
5. Repeat for both the Active Directory and SoftNAS host entries until your host table contains all of the mappings listed above.

 
6. Restart the network system to ensure the new DNS resolution rules are in effect.
 
NOTE: Any time you change the DNS or network settings, be sure to either issue a "service network restart" command as the root user, or reboot SoftNAS with a "sync; sync; reboot" sequence, to restart the network subsystem so the new settings take effect.
 
7. Verify the host mappings work correctly from a command line (on the SoftNAS host via SSH or a console).
 
Verify that your host entries are correct by pinging each name with "ping" and confirming that it resolves to the expected address.  This matters because if these host name lookups are wrong, the steps that follow will fail, so take a minute to confirm the mappings are working as expected.
 
If you prefer to do this verification via the StorageCenter UI, you can use the following screen to do so.  To reach the Command Shell screen, choose Settings > General System Settings, which will open a new window with access to the full Webmin console, then choose Others > Command Shell.
 
Be sure to specify the count of pings with the "-c 4" switch, or the command will run indefinitely and not return.
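The host table verification above can be scripted so it is repeatable before every join attempt. The following shell script is an added example and is not part of the SoftNAS article or product; the host table it reads is a constructed sample built from the article's example names and addresses, and a real run would point HOSTS_FILE at /etc/hosts instead. It checks that each name the join depends on maps to the address you expect and, separately, pings each name with a bounded count so the command returns.

```shell
#!/bin/sh
# Added example (not from the SoftNAS article): confirm the host table maps
# every name the AD join depends on to the expected address, then ping with
# a bounded count so the check terminates.

# Constructed host table using the article's example values (hypothetical).
SAMPLE_HOSTS='127.0.0.1     localhost
172.16.150.1  WIN-00B96QSOC44.SOFTNAS.local SOFTNAS.LOCAL softnas.local SOFTNAS
172.16.150.50 softnastest.softnasdev.local softnastest SOFTNASTEST'

# lookup_host FILE NAME: print the address the host table assigns to NAME.
# Names compare case-insensitively, as the resolver does; prints nothing if absent.
lookup_host() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == want) { print $1; exit } }
    ' "$1"
}

# check_mapping FILE NAME EXPECTED_IP: succeed only when NAME maps to EXPECTED_IP.
check_mapping() {
    [ "$(lookup_host "$1" "$2")" = "$3" ]
}

# report_name FILE NAME EXPECTED_IP: print one result line; 0 = ok, 1 = bad.
report_name() {
    if check_mapping "$1" "$2" "$3"; then echo "ok   $2 -> $3"; return 0; fi
    echo "BAD  $2 (got '$(lookup_host "$1" "$2")', want $3)"; return 1
}

# verify_hosts FILE DC_IP NAS_IP: walk the names from the article's host table;
# the return value is the number of bad mappings (0 = all good).
verify_hosts() {
    file=$1 dc_ip=$2 nas_ip=$3 bad=0
    for name in WIN-00B96QSOC44.SOFTNAS.local SOFTNAS.LOCAL softnas.local SOFTNAS; do
        report_name "$file" "$name" "$dc_ip" || bad=$((bad + 1))
    done
    for name in softnastest.softnasdev.local softnastest SOFTNASTEST; do
        report_name "$file" "$name" "$nas_ip" || bad=$((bad + 1))
    done
    return "$bad"
}

# ping_hosts NAME...: bounded ping (-c 4) as the article advises, so it returns.
ping_hosts() {
    for name in "$@"; do
        if ping -c 4 "$name" >/dev/null 2>&1; then echo "reachable:   $name"
        else echo "UNREACHABLE: $name"; fi
    done
}

# Demonstration on the constructed table; needs no network access.
HOSTS_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_HOSTS" > "$HOSTS_FILE"
verify_hosts "$HOSTS_FILE" 172.16.150.1 172.16.150.50
rm -f "$HOSTS_FILE"
```

On a SoftNAS host, run verify_hosts /etc/hosts DC_IP NAS_IP first, and only when it reports no bad mappings run ping_hosts with the same names; a name that resolves to the wrong address will otherwise make the Kerberos and join steps fail in ways that are harder to diagnose.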


Configuring Kerberos to Connect to Active Directory


1.  Log on to SoftNAS StorageCenter.
 
2.  In the Left Navigation Pane, select the Settings > Identity and Access Control > Kerberos option (under the Settings section).
 


 
The Kerberos Configuration panel will be displayed.
 
3.  Enter the full AD domain name in upper case in the Realm text entry box; e.g., YOURDOMAIN.COM, MYDOMAIN.LOCAL.
 
4.  Click the Update Configuration button.
 
 

Verifying Kerberos is working


In the above example, SOFTNAS.LOCAL is the full domain name.  Log in to a command shell using SSH, SoftNAS Console (VMware/Hyper-V) or use the Command Shell (see above example).
 
Issue the following commands:
 
"kinit" is used to log in as the AD administrator.  Note that for best results use the actual domain administrator, not a user with domain admin rights.
 
   
    [root@softnas]# kinit -p administrator
    Password for administrator@SOFTNAS.LOCAL:
 
 
Next, list the Kerberos ticket, which proves you successfully logged into AD.
 
    [root@softnas]# klist
 
You should see something like:
 
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@SOFTNAS.LOCAL
 
    Valid starting     Expires            Service principal
    01/21/13 17:26:12  01/22/13 03:26:20  krbtgt/SOFTNAS.LOCAL@SOFTNAS.LOCAL
            renew until 01/22/13 17:26:12    
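The klist check above can be turned into a pass/fail test: the principal must belong to the realm you configured, and the cache must hold a ticket-granting ticket (krbtgt/REALM@REALM) for it. The script below is an added example, not from the SoftNAS article; the klist output it reads is a constructed copy of the article's sample, and on a real host you would pipe the output of klist itself into check_klist.

```shell
#!/bin/sh
# Added example (not from the SoftNAS article): parse klist output and confirm
# the two things the verification step looks for: a principal in the expected
# realm and a TGT for that realm in the ticket cache.

# Constructed klist output mirroring the article's sample (hypothetical).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SOFTNAS.LOCAL

Valid starting     Expires            Service principal
01/21/13 17:26:12  01/22/13 03:26:20  krbtgt/SOFTNAS.LOCAL@SOFTNAS.LOCAL
        renew until 01/22/13 17:26:12'

# klist_principal: print the default principal from klist output on stdin.
klist_principal() { sed -n 's/^Default principal: *//p'; }

# klist_has_tgt REALM: succeed when a krbtgt ticket for REALM is listed on stdin.
klist_has_tgt() { grep -qF "krbtgt/$1@$1"; }

# check_klist REALM: read klist output from stdin; 0 when the principal is in
# REALM and a TGT for REALM is present, 1 otherwise. The realm comparison is
# exact and case-sensitive because Kerberos realms are (hence the article's
# instruction to enter the realm in upper case).
check_klist() {
    realm=$1
    out=$(cat)   # read stdin once so both checks see the same text
    principal=$(printf '%s\n' "$out" | klist_principal)
    case $principal in
        *@"$realm") ;;
        *) echo "principal '$principal' is not in realm $realm"; return 1 ;;
    esac
    if ! printf '%s\n' "$out" | klist_has_tgt "$realm"; then
        echo "no krbtgt/$realm@$realm ticket found; kinit did not succeed"
        return 1
    fi
    echo "ok: $principal holds a TGT for $realm"
}

# Demonstration on the constructed sample; on a host use: klist | check_klist SOFTNAS.LOCAL
printf '%s\n' "$SAMPLE_KLIST" | check_klist SOFTNAS.LOCAL
```

A non-zero result right after kinit usually means the realm in the Kerberos panel does not match what the KDC issued, or that kinit failed (commonly because of the host name lookups or clock skew discussed later in this article).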
 
 

Editing Samba Windows Networking Options settings with SoftNAS GUI


1.  Log on to SoftNAS StorageCenter.
 
2.  In the Left Navigation Pane, select the CIFS option under the Storage section.
 
The CIFS Shares panel will be displayed. From here, you can configure and manage CIFS sharing.
 


3.  Click the Windows Networking icon in the Global Configuration section.
 

4.  Enter your short domain name (e.g., SOFTNAS) in the Workgroup field.
 
5.  Enter the NetBIOS name of your SoftNAS Server (how it will show up under Windows Networking) in the Server Name text entry box.
 
6.  Select the Active Directory option from the Security drop down list.
 
7.  Enter the FQDN of your domain controller; e.g., dc01.softnas.local in the Password Server text entry box.
 
8.  Click the Save button.
 
 

Configuring Winbind with SoftNAS GUI


1.  Log on to SoftNAS StorageCenter.
 
2.  In the Left Navigation Pane, select the CIFS option under the Storage section.
 
The CIFS Shares panel will be displayed. From here, you can configure and manage CIFS sharing.
 


3. Click the Winbind Options icon in the Global Configuration section.
 

4.  Enter the full domain name of your Windows domain (e.g., SOFTNAS.LOCAL, MYDOMAIN.COM, etc.) in the Kerberos Realm on Domain Server text entry box.
 
5.  Enter the range 10000-30000 in the Range of UIDs for Windows Users text entry box. Using this numeric range, the mapping of Windows user IDs to Linux UIDs occurs dynamically.
 
6.  Similarly, enter the range 10000-30000 in the Range of UIDs for Windows Groups text entry box for the mapping of groups.
 
7.  Click the Save button.
 
  

Editing the /etc/samba/smb.conf File


1.  Log in as the root user and start the nano or vi editor.
 
2.  Open the /etc/samba/smb.conf file.
 
3. Delete these 2 lines:
 
winbind trusted domains only = yes
winbind use default domain = yes
 
4.  Add these 2 lines:
 
winbind enum users = yes
winbind enum groups = yes
 
 

Restarting Services and Joining the Active Directory domain


Restart winbind and Samba, then join SoftNAS to the domain, and then restart the services again.
 
[root@softnas] # service winbind restart
 
[root@softnas] # service smb restart
 
[root@softnas] # service nmb restart
 
 
Then join the AD domain:
 
[root@softnas] # net ads join -U administrator
 
When you run the net ads join -U administrator command, make certain the administrator's user name is exactly the same (it is case-sensitive) and that the password matches exactly as entered in step 3 under Active Directory Integration above.
 
 
Then restart the services again.
 
[root@softnas] # service winbind restart
 
[root@softnas] # service smb restart
 
[root@softnas] # service nmb restart
 

Verifying "winbind" Displays All Users and Groups


 
Use the "wbinfo" command to confirm that you are able to list the AD users and groups:
 
[root@softnas] # wbinfo -u
SOFTNAS\administrator
SOFTNAS\guest
SOFTNAS\krbtgt
 
[root@softnas] # wbinfo -g
SOFTNAS\winrmremotewmiusers__
SOFTNAS\domain computers
SOFTNAS\domain controllers
SOFTNAS\schema admins
SOFTNAS\enterprise admins
SOFTNAS\cert publishers
SOFTNAS\domain admins
SOFTNAS\domain users
SOFTNAS\domain guests
SOFTNAS\group policy creator owners
SOFTNAS\ras and ias servers
SOFTNAS\allowed rodc password replication group
SOFTNAS\denied rodc password replication group
SOFTNAS\read-only domain controllers
SOFTNAS\enterprise read-only domain controllers
SOFTNAS\dnsadmins
SOFTNAS\dnsupdateproxy
 
 


Additional Information for Troubleshooting

For information on creating a CIFS Share and integrating it with AD, see:
Creating CIFS Share
 

Useful Commands


The following commands are useful when troubleshooting Active Directory integration issues.
 
# kinit -p administrator
 
Verify that Kerberos (winbind) is able to authenticate to the configured Active Directory domain (enter a domain admin account and password).
 
# net ads leave -U administrator   (or an account with domain admin privileges)
 
Remove SoftNAS as a member of the domain.
 
# net ads join -U administrator
 
Join SoftNAS as a member of the domain.
 
# wbinfo -u
 
Display a list of Windows users that will be mapped as valid Linux users.
 
# wbinfo -g
 
Display a list of Windows groups that will be mapped as valid Linux groups.
 
# wbinfo -t
 
Verify that the workstation trust account created when the Samba server is added to the Windows domain is working.
 
 

Log Files

Should you run into issues with AD integration, there are a number of log files in the /var/log/samba folder.  You can increase the logging level with "log level = 3" (up to 9) in /etc/samba/smb.conf, which is the standard Samba logging level control.
 
Also, remember to check your AD / domain controller's event logs if you find yourself troubleshooting AD integration issues, so you can see what is taking place from the AD perspective on your domain controller.
 
 

Domain Name Services

As with any network service, be sure DNS on your domain controller is configured with the SoftNAS node's IP address and name.  Also, ensure the SoftNAS network interface is configured to use the domain controller(s) as its authoritative DNS server.
 
 

Kerberos and Server Times

Kerberos tickets are issued with a timestamp and an expiration.  Therefore, it is important that SoftNAS is properly time synchronized with the AD / domain controller.  If your domain controller is your authoritative NTP server, configure the SoftNAS time server setting to point to the domain controller.  If you use an external NTP server, make sure SoftNAS is synchronized to the same source as your domain controller, so you do not experience significant time drift between SoftNAS and your DC's time source.
 
 

Example Configuration Files

The following configuration files are properly formatted and valid, should you need to verify and/or troubleshoot configurations as you customize integration with your particular Active Directory environment (it's helpful to have a known working example as a reference point).

/etc/samba/smb.conf

 
[global]
log file = /var/log/samba/log.%m
load printers = no
idmap gid = 10000-30000
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
encrypt passwords = yes
# realm is your long domain name; e.g., MYDOMAIN.COM, ADOMAIN.LOCAL, etc.
realm = SOFTNASDEV.LOCAL
# password server is the DNS name of your AD / domain controller
password server = WIN-00B96QS0C44.SOFTNASDEV.local
template shell = /bin/bash
# netbios name is the name of your SoftNAS node in NetBIOS
netbios name = SOFTNAS2
server string = Samba Server Version %v
idmap uid = 10000-30000
# workgroup is the short domain name
workgroup = SOFTNASDEV
os level = 1
# security must be set to ads; the default smb.conf shipped with 3.4.4 has this option set to AUTO
security = ads
max log size = 50
winbind separator = \
log level = 3
 
domain master = no
local master = no
preferred master = no
client use spnego = yes
client ntlmv2 auth = yes
 
 
[vol01]
comment = Shared volume
writeable = yes
browseable = yes
read only = no
path = /naspool1/vol01
# use only the user name(s) here (not fully-qualified DOMAIN\username) or AD groups; e.g., "Domain Users", "Domain Admins"
valid users = "rbraddy"
 
 
Here are the other config files, in case you need working examples.
 
/etc/krb5.conf
 
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
default_realm = SOFTNASDEV.LOCAL
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
 
[realms]
SOFTNASDEV.LOCAL = {
kdc = WIN-00B96QS0C44.SOFTNASDEV.local
admin_server = WIN-00B96QS0C44.SOFTNASDEV.local
default_domain = SOFTNASDEV.LOCAL
}
 
[domain_realm]
.softnasdev.local = SOFTNASDEV.LOCAL
softnasdev.local = SOFTNASDEV.LOCAL
 
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
 
 
/etc/nsswitch.conf
 
passwd: files winbind
shadow: files
group: files winbind
 
#hosts: db files nisplus nis dns
hosts: files dns
 
bootparams: nisplus [NOTFOUND=return] files
 
ethers: files
netmasks: files
networks: files dns
protocols: files
rpc: files
services: files
 
netgroup: files
 
publickey: nisplus
 
automount: files
aliases: files nisplus
 

Common errors

 
Host is not configured as a member server
 
root@rlazsn01:/etc/samba# net ads join -U administrator@SOFTNAS.LOCAL
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.
 


This error results from the configuration parameter security being set to AUTO in /etc/samba/smb.conf; set it to ads (as in the example smb.conf above) before joining.
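Both the example smb.conf above and the "Host is not configured as a member server" error come down to a handful of [global] settings. The script below is an added example, not part of the SoftNAS article or of Samba; it reads those settings out of a constructed smb.conf (two hypothetical fragments modelled on the article's example, one correct and one with security = AUTO and a lower-case realm) and flags the mistakes before you run net ads join. Samba's own testparm remains the authoritative parser; this is a pre-check of the values the article calls out.

```shell
#!/bin/sh
# Added example (not from the SoftNAS article): extract the [global] settings
# the AD join depends on from smb.conf and flag the ones the article warns
# about, including the security = AUTO cause of the "member server" error.

# Constructed smb.conf fragments based on the article's example (hypothetical).
GOOD_CONF='[global]
workgroup = SOFTNASDEV
realm = SOFTNASDEV.LOCAL
security = ads
password server = WIN-00B96QS0C44.SOFTNASDEV.local
idmap uid = 10000-30000
idmap gid = 10000-30000
winbind enum users = yes
winbind enum groups = yes

[vol01]
path = /naspool1/vol01'

BAD_CONF='[global]
workgroup = SOFTNASDEV
realm = softnasdev.local
security = AUTO
idmap uid = 10000-30000

[vol01]
path = /naspool1/vol01'

# smb_global FILE KEY: print the value of KEY from the [global] section only.
# Key lookup is case-insensitive and whitespace-tolerant, as Samba's parser is;
# lines starting with # or ; are comments.
smb_global() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); insec = 0 }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }
    ' "$1"
}

# check_ads_config FILE: print each problem; the return value is the number
# of problems found (0 = the settings the join needs are all in place).
check_ads_config() {
    file=$1 problems=0
    sec=$(smb_global "$file" security)
    if [ "$(printf '%s' "$sec" | tr 'A-Z' 'a-z')" != "ads" ]; then
        echo "security = '$sec' (must be ads; AUTO yields 'Host is not configured as a member server')"
        problems=$((problems + 1))
    fi
    realm=$(smb_global "$file" realm)
    if [ -z "$realm" ] || [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "realm = '$realm' (set the full domain name in upper case, e.g. MYDOMAIN.COM)"
        problems=$((problems + 1))
    fi
    for key in workgroup "password server" "idmap uid" "idmap gid"; do
        [ -n "$(smb_global "$file" "$key")" ] || { echo "$key is not set"; problems=$((problems + 1)); }
    done
    [ "$problems" -eq 0 ] && echo "ok: $file looks ready for net ads join"
    return "$problems"
}

# Demonstration on the two constructed fragments.
G=$(mktemp); printf '%s\n' "$GOOD_CONF" > "$G"
B=$(mktemp); printf '%s\n' "$BAD_CONF" > "$B"
echo "--- good config"; check_ads_config "$G"
echo "--- bad config";  check_ads_config "$B" || echo "problems found: $?"
rm -f "$G" "$B"
```

On a SoftNAS host, run check_ads_config /etc/samba/smb.conf after editing the file and again after the GUI saves it, then confirm the full syntax with testparm -s /etc/samba/smb.conf before restarting winbind, smb and nmb and attempting the join.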