Thursday, 30 June 2011

One-way trust Samba DC and AD Windows Server 2003


Idea: there are many branches, each with a Samba server acting as domain controller and local resource server, and a central site with a Windows 2003 AD domain that holds the file resources.
Users from the branch domains have to be authorized on the Windows 2003 domain's resources with the credentials they already have, instead of getting new accounts there, so the Windows domain trusts each branch (Samba) domain through a one-way trust.

Test installation:
Linux - OS CentOS 5.5
Windows AD domain controller - Windows 2003 Enterprise evaluation
Windows 2003 and AD installed with default settings
I have installed WINS on AD but it's not necessary
There are two networks:
172.19.1.0/24 - Windows
172.19.2.0/24 - Linux SAMBA
Internetwork router - Linux PC set up only for routing - firewall disabled
Broadcasts through the router are not allowed, so NetBIOS name resolution between the two networks has to come from lmhosts or WINS rather than from broadcast.

Windows Server settings:
Domain name: WIN
C:\Documents and Settings\Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : winsrv
Primary Dns Suffix . . . . . . . : win.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : win.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
Physical Address. . . . . . . . . : 08-00-27-ED-27-37
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.19.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.19.1.200
DNS Servers . . . . . . . . . . . : 127.0.0.1
Primary WINS Server . . . . . . . : 172.19.1.10
type c:\windows\system32\drivers\etc\lmhosts
172.19.2.10 AISRV #PRE #DOM:AI
172.19.2.10 "AISRV          \0x03"
172.19.2.10 "AISRV          \0x20"
172.19.2.10 "AI             \0x1b"
172.19.2.10 "AI             \0x1e"
Important: a quoted NetBIOS name in lmhosts must be padded with spaces to exactly 15 characters so that the service suffix (\0x1b, \0x1e, \0x03, \0x20, written as two hex digits as in lmhosts.sam) lands in the 16th position. #PRE preloads the entry into the NetBIOS cache and #DOM:AI ties it to the <1C> domain-controllers group name of domain AI, which is how the trust wizard finds a DC for that domain.
Example (- stands for a space):
172.19.2.10 "AI-------------\0x1e"
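The padding rule is easy to get wrong by hand, and the spaces are invisible once the file is on disk, so here is an added example (my script, not part of the original post) that generates the entries for a Samba DC and checks an existing lmhosts file for the 15-character rule. It uses the page's addresses and names (172.19.2.10, AISRV, AI) only as sample arguments; the function names lmhosts_entry, samba_dc_lmhosts and lmhosts_check are my own. Generate the file on the Samba host and copy it to c:\windows\system32\drivers\etc\lmhosts on WINSRV.

```shell
#!/bin/sh
# Generate and check Windows lmhosts entries for a Samba NT4-style DC.
# Added example, not from the page. A quoted name must be exactly 15
# characters (space-padded) with the \0xNN NetBIOS suffix in the 16th
# position, which is what the Windows lmhosts parser expects.

# lmhosts_entry IP NAME SUFFIX -> one quoted, padded entry on stdout
lmhosts_entry() {
    ip=$1; name=$2; suffix=$3
    # NetBIOS names are at most 15 characters; refuse longer ones instead
    # of emitting an entry Windows would mis-parse.
    if [ "${#name}" -gt 15 ]; then
        printf 'error: NetBIOS name %s is longer than 15 characters\n' "$name" >&2
        return 1
    fi
    name=$(printf '%s' "$name" | tr 'a-z' 'A-Z')
    # %-15s pads with spaces to width 15; the doubled backslash leaves a
    # literal backslash, so the line reads ...\0xNN" on disk.
    printf '%s "%-15s\\0x%s"\n' "$ip" "$name" "$suffix"
}

# samba_dc_lmhosts IP SERVER DOMAIN -> the set of entries the page uses
samba_dc_lmhosts() {
    ip=$1; server=$2; domain=$3
    # #PRE preloads the name into the NetBIOS cache (nbtstat -c shows it
    # with life -1); #DOM:DOMAIN ties it to the <1C> domain-controllers
    # group name so the trust wizard can locate a DC for the domain.
    printf '%s %s #PRE #DOM:%s\n' "$ip" "$server" "$domain"
    # <03> messenger and <20> file-server names of the DC itself,
    # <1B> domain master browser and <1E> browser-election names of the domain.
    lmhosts_entry "$ip" "$server" 03 &&
    lmhosts_entry "$ip" "$server" 20 &&
    lmhosts_entry "$ip" "$domain" 1b &&
    lmhosts_entry "$ip" "$domain" 1e
}

# lmhosts_check FILE -> 0 if every quoted entry is 15 chars + \0xNN,
# otherwise prints the offending lines and returns 1.
lmhosts_check() {
    awk '
        /"/ {
            s = $0
            sub(/^[^"]*"/, "", s)   # strip up to and including the opening quote
            sub(/"[^"]*$/, "", s)   # strip the closing quote and anything after it
            i = index(s, "\\0x")    # the \0x escape must start at column 16
            if (i != 16 || length(substr(s, i)) != 5) { print "bad: " $0; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Usage: ./lmhosts-gen.sh 172.19.2.10 AISRV AI > lmhosts
#        ./lmhosts-gen.sh check lmhosts
if [ "${1:-}" = check ]; then
    lmhosts_check "$2"
elif [ $# -eq 3 ]; then
    samba_dc_lmhosts "$1" "$2" "$3"
fi
```

Running the checker against the entries as they appear on this web page (with the padding collapsed to a single space) reports every quoted line as bad, which is exactly the symptom to look for when the trust wizard cannot find the domain.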

SAMBA server setup:
[root@dc2 samba]# cat smb.conf
[global]
workgroup = AI
server string = Samba Server Version %v
netbios name = AISRV
# interfaces = lo eth0 172.19.1.0/24 172.19.2.0/24
log level = 2
log file = /var/log/samba/%m.log
max log size = 50
# NT4-style PDC with a local account database; the trust with WIN is NTLM-based, no Kerberos
security = user
passdb backend = tdbsam
domain master = yes
domain logons = yes
# Unix accounts are created on demand for Samba users, groups and machine accounts
add user script = /usr/sbin/useradd "%u" -n -g users
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
delete user script = /usr/sbin/userdel "%u"
# userdel takes no group argument; gpasswd -d removes a user from a group
delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
delete group script = /usr/sbin/groupdel "%g"
local master = yes
os level = 33
preferred master = yes
# UID/GID range winbind uses for users and groups of trusted domains
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = \
# This DC is the WINS server for the Samba side; broadcast is tried before lmhosts
wins support = yes
name resolve order = wins bcast host lmhosts
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
# read-only and guest-readable: logon scripts only, nothing sensitive belongs here
guest ok = yes
writable = no
share modes = no
[Profiles]
path = /var/lib/samba/profiles
browseable = no
# guest ok here lets unauthenticated clients read roaming profiles; drop it outside a test lab
guest ok = yes
[public]
comment = Public Stuff
path = /home/samba
# public = yes and writable = yes give everyone write access, so write list = +staff adds nothing here
public = yes
writable = yes
printable = no
write list = +staff

[root@dc2 samba]#cat /etc/hosts
127.0.0.1 dc2 localhost
172.19.2.10 aisrv
172.19.1.10 winsrv
[root@dc2 samba]# cat lmhosts
127.0.0.1 localhost
172.19.1.10 win#1c
172.19.1.10 win#1b
172.19.1.10 winsrv
The win#1c and win#1b entries map the Windows domain's <1C> (domain controllers) and <1B> (domain master browser) group names to WINSRV; Samba's lmhosts writes the suffix as name#hh. They are needed because broadcasts do not cross the router.

Prepare SAMBA to work
Set up the domain admin (root is the Samba domain administrator here; this sets its Samba password):
#smbpasswd root
Set up the one-way trust (WIN trusts AI). This creates the interdomain trust account WIN$ on the Samba DC; the password entered here is the trust password that the Windows side has to supply later:
#smbpasswd -a -i win
Enter trust password.
The trust password is the only secret binding the two domains, so use a long random one. Once the trust exists, the WIN domain accepts whatever accounts the Samba DC vouches for, so the security of the Samba DC now bounds the security of the Windows domain's resources.

What we have to do on the Windows domain controller WINSRV:
Check that WINSRV knows about the SAMBA domain and its controller (the lmhosts file described above).
Purge the NetBIOS cache and reload the #PRE entries from lmhosts with nbtstat -R; nbtstat -RR additionally releases and re-registers WINSRV's own names with WINS:
nbtstat -RR

Try to establish the trust using the Active Directory Domains and Trusts MMC snap-in and after that check the NetBIOS names in the cache:
nbtstat -c
NetBIOS Remote Cache Name Table

    Name           Type    Host Address    Life [sec]
    ----------------------------------------------------
    AISRV  <03>    UNIQUE  172.19.2.10     -1
    AISRV  <00>    UNIQUE  172.19.2.10     -1
    AISRV  <20>    UNIQUE  172.19.2.10     -1
    AI     <1C>    GROUP   172.19.2.10     -1
Life -1 marks entries preloaded from lmhosts (#PRE); AI <1C> is the group name the trust wizard uses to locate the controllers of domain AI.
Set up trust
Start-->Settings-->Control Panel-->Administrative Tools-->Active Directory Domains and Trusts
Right-click the Windows domain name
Properties->Trusts->New Trust
Enter the domain name AI, select One-way: outgoing (WIN trusts AI) and enter the trust password (created before on the SAMBA server with the smbpasswd command).
Afterwards add an unprivileged user to the SAMBA domain: Windows asks for credentials of the trusted domain when it enumerates AI users while setting file or folder permissions in the Windows domain, and that account only needs to read the user list.
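To make the Samba side of the procedure above repeatable, here is an added example script (mine, not the post's) that creates the WIN$ interdomain trust account with a generated password, adds the unprivileged lookup account, and verifies the result with pdbedit and net rpc trustdom list. It assumes Samba 3 with passdb backend = tdbsam as on the page, that it runs as root on AISRV, and that the trusting domain's NetBIOS name (WIN) is passed as the first argument; the function names are my own.

```shell
#!/bin/sh
# Samba-side provisioning for the one-way trust. Added example, not from
# the page. Assumes Samba 3 with tdbsam, run as root on the Samba DC.
set -u

# trust_account_name DOMAIN -> the account "smbpasswd -a -i DOMAIN" creates:
# the trusting domain's NetBIOS name, upper-cased, with a trailing $.
trust_account_name() {
    printf '%s$' "$(printf '%s' "$1" | tr 'a-z' 'A-Z')"
}

# gen_trust_password [LEN] -> random alphanumeric secret (default 24 chars).
# The trust password is the only secret binding the two domains, so it is
# generated here rather than typed at the smbpasswd prompt.
gen_trust_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-24}"
}

# password_ok PASSWORD -> 0 if at least 16 alphanumeric characters
# (sanity check before an operator-supplied password is accepted).
password_ok() {
    [ "${#1}" -ge 16 ] || return 1
    case $1 in *[!A-Za-z0-9]*) return 1 ;; esac
    return 0
}

# create_trust_account DOMAIN PASSWORD
# Same as the page's "smbpasswd -a -i win" but non-interactive: -s reads the
# new password (twice) from stdin, -i marks it an interdomain trust account.
create_trust_account() {
    printf '%s\n%s\n' "$2" "$2" | smbpasswd -s -a -i "$1"
}

# add_lookup_user NAME PASSWORD
# The unprivileged account Windows uses to enumerate AI users in the ACL
# editor. tdbsam needs a Unix account first, so create one with no home
# directory and no shell, then add it to the Samba database.
add_lookup_user() {
    useradd -M -d /nohome -s /bin/false "$1"
    printf '%s\n%s\n' "$2" "$2" | smbpasswd -s -a "$1"
}

# verify_trust_account DOMAIN -> 0 if pdbedit lists the trust account
verify_trust_account() {
    pdbedit -L | awk -F: -v n="$(trust_account_name "$1")" \
        '$1 == n { found = 1 } END { exit !found }'
}

# list_trusts ADMIN%PASSWORD -> trusts as Samba sees them; after the Windows
# side is done, WIN should show up as a trusting domain.
list_trusts() {
    net rpc trustdom list -U "$1"
}

# Only act when a domain is given on the command line: ./trust.sh WIN
if [ $# -ge 1 ]; then
    pw=$(gen_trust_password)
    create_trust_account "$1" "$pw"
    verify_trust_account "$1" && printf 'trust account %s created\n' "$(trust_account_name "$1")"
    # Shown once so it can be typed into AD Domains and Trusts; do not log it.
    printf 'trust password for %s: %s\n' "$1" "$pw"
fi
```

After the trust has been created on WINSRV, run list_trusts 'root%<password>' on the Samba DC; the WIN domain listed there confirms the trust from the Samba side, and add_lookup_user creates the account the Windows ACL editor will prompt for.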

Note: If the Windows DC is installed on a virtual machine under VMware Server 1.0 (as in my case), I had to remove the Shared Folders component of VMware Tools; otherwise I usually got the error "RPC server unavailable" during trust creation.
