s4bind


s4bind: single sign-on Active Directory for Linux and Windows

What is it?

s4bind converts Windows-only domain users into users that work on both Linux and Windows domain members.

It allows single sign on (SSO) for both Linux and Windows client computers on a local area network. It is served by a Samba4 domain controller (DC). Computers join the domain and receive network services from the DC.

How does it work?
Linux and Windows client computers join the domain created by the Samba4 DC. Users can authenticate (log in) to any computer in the domain and work on the same data on any client. Files are served via automounted Kerberized NFS for Linux and ntvfs/cifs for Windows. Unlike winbind, s4bind stores the necessary POSIX attributes in LDAP along with the objects they refer to. For example, a group needs the class posixGroup, so we simply add objectClass posixGroup to the DN of the group itself. Similarly, a user needs a uidNumber, so once again we simply add that attribute to his entry in LDAP. By using the excellent new nss-pam-ldapd there can be no idmap problems: all the necessary data is already available in the directory. The added advantage is the flexibility s4bind brings when allocating user home directories.

Prerequisites
1. An installation of Samba4
2. Linux clients
3. Windows clients
4. nss-pam-ldapd installed on both DC and Linux clients
5. NFS server installed alongside Samba4 (optional)
6. autofs installed on the Linux clients (optional)

Download
Get s4bind here. If you know what you are doing, don't bother reading the rest of this. Learn it by looking at the script.

Quickstart
Full details for steps 4, 5 and 6 are given here. Here is an overview for more experienced users.

We'll assume you provisioned with
 --domain=MARINA
and store your home folders under
 /home2/MARINA

Copy the three s4bind files s4bind, check and setup to somewhere in your path, e.g. /usr/local/bin. s4bind and check must be executable: chmod +x

There are only two settings that need to be edited. These are both in the file called setup:

1. The base directory where users' home folders are stored (the default is /home2).
2. The folder where you installed Samba4 (the default is /usr/local/samba).
These are highlighted in a copy of the file:

/usr/local/bin/setup
### s4bind setup environment
# This file is sourced by the s4bind script.
# It sets up the environment variables that s4bind uses.
# Please edit this file with your settings for
# BASEDIR and SAMBAHOME
#
# Make sure the user has a ticket
#
ccache=$(klist -e | grep Ticket | cut -d ":" -f3)
if [ -z "$ccache" ]
then
    echo "Please get a ticket. Try: kinit"
    exit 1
fi
# The rest of the stuff that ldbmodify requires
#
host=$(hostname -f)
db="ldap://$host"
export db
# Get the base DN: the bits with dc= at the end
#
basedn=$(ldbsearch --url="$db" -s base -b "" defaultNamingContext | grep defaultNamingContext | cut -d ":" -f2 | sed 's/^ *//g')
export basedn
# And the Kerberos command line stuff
#
auth="--kerberos=yes --krb5-ccache=$ccache"
export auth
# Base directory where our users are stored (decide yourself!)
### Please change this to whatever you have. We use /home2
#
BASEDIR="home2"
export BASEDIR
# WG is the DOMAIN part of DOMAIN\username
# Only used for readability. On Linux, you don't specify this when you log in.
struid=$(wbinfo -i "Administrator")
WG=$(printf '%s\n' "$struid" | cut -d "\\" -f1)
export WG
### Please change this to whatever you have. The default is /usr/local/samba
#
SAMBAHOME=/usr/local/samba
export SAMBAHOME

Please make sure that the folder /home2/MARINA exists.

On the Samba4 DC
- install the nfs server
/etc/exports
/home2/MARINA *(rw,sec=krb5)

- install nss-pam-ldapd, nslcd and k5start
create /etc/nslcd.conf
uid nslcd
gid nslcd
uri ldap://your.f.q.d.n
base dc=foo,dc=bar
filter passwd (objectclass=user)
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
filter group (objectclass=group)

# map group uniqueMember member
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/nslcd.tkt

Notes:
1. On versions of nss-pam-ldapd above 0.8.0, the 'map group' line is not needed. From that version on, nslcd works directly on the member attribute to obtain secondary group memberships.

2. The filter lines are needed if your user entries do not include:
objectClass: posixAccount
and your group entries:
objectClass: posixGroup
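As an added example (not part of s4bind or of this page's files), the script below checks an nslcd.conf for the settings the two notes above rely on: the GSSAPI bind, the krb5_ccname that k5start keeps filled, a uri naming the DC by FQDN, and the two filter lines. It also reports a bindpw line, since the keytab-based ticket is meant to replace a static password. The host name dc1.hh3.site and both sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of s4bind: a pre-flight check for nslcd.conf.
# It reports the settings the GSSAPI setup above depends on (uri naming
# the DC by FQDN, base, sasl_mech GSSAPI, krb5_ccname), flags a bindpw
# line (the k5start ticket is meant to replace any static password), and
# reports missing filter lines, which are needed unless the users and
# groups already carry posixAccount / posixGroup.
# The two configurations at the bottom are constructed for the demo; the
# host name dc1.hh3.site is made up.

# has_setting BODY REGEX: true if some non-comment line matches REGEX
has_setting() { printf '%s\n' "$1" | grep -q "$2"; }

# check_nslcd_conf FILE: print one line per problem, return 1 if any
check_nslcd_conf() {
    problems=0
    # Drop comments and blank lines before looking at the settings
    body=$(sed 's/#.*//' "$1" | grep -v '^[[:space:]]*$' || true)

    for key in uri base; do
        has_setting "$body" "^$key[[:space:]]" \
            || { echo "missing: $key"; problems=$((problems + 1)); }
    done
    has_setting "$body" '^sasl_mech[[:space:]]*GSSAPI' \
        || { echo "sasl_mech is not GSSAPI: nslcd would not bind with its Kerberos ticket"; problems=$((problems + 1)); }
    has_setting "$body" '^krb5_ccname[[:space:]]' \
        || { echo "missing: krb5_ccname (the cache k5start keeps filled, e.g. /tmp/nslcd.tkt)"; problems=$((problems + 1)); }
    has_setting "$body" '^bindpw[[:space:]]' \
        && { echo "bindpw present: a static password instead of the nslcd keytab"; problems=$((problems + 1)); }
    has_setting "$body" '^filter[[:space:]]*passwd[[:space:]]' \
        || { echo "missing: filter passwd (needed unless users have objectClass posixAccount)"; problems=$((problems + 1)); }
    has_setting "$body" '^filter[[:space:]]*group[[:space:]]' \
        || { echo "missing: filter group (needed unless groups have objectClass posixGroup)"; problems=$((problems + 1)); }

    # GSSAPI requests a ticket for ldap/<host>, so the uri must carry the DC's FQDN
    uri=$(printf '%s\n' "$body" | awk '$1 == "uri" { print $2; exit }')
    if [ -n "$uri" ]; then
        host=${uri#ldap://}; host=${host#ldaps://}; host=${host%%/*}; host=${host%%:*}
        case "$host" in
            *[a-zA-Z]*.*[a-zA-Z]*) ;;
            *) echo "uri host '$host' is not an FQDN: no ldap/<fqdn> principal to match"
               problems=$((problems + 1)) ;;
        esac
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample: the DC configuration from this page, with a made-up FQDN
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
uid nslcd
gid nslcd
uri ldap://dc1.hh3.site
base dc=hh3,dc=site
filter passwd (objectclass=user)
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
filter group (objectclass=group)
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/nslcd.tkt
EOF

# Constructed counter-example: IP in the uri, password bind, no filters
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
uid nslcd
gid nslcd
uri ldap://192.0.2.10
base dc=hh3,dc=site
binddn cn=nslcd,cn=Users,dc=hh3,dc=site
bindpw Secret123
EOF

echo "== good"; check_nslcd_conf "$GOOD_CONF" && echo "ok"
echo "== bad";  check_nslcd_conf "$BAD_CONF"  || echo "fix these before starting nslcd"
```

Run it against /etc/nslcd.conf on the DC and on each client before starting nslcd; the counter-example yields six findings, the page's own configuration none.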

Linux Clients
- Install the Kerberos client
Copy /etc/krb5.conf from DC to client

- Install nss-pam-ldapd, nslcd and k5start as on the server

- Set up the automounter
/etc/auto.master
/home2/MARINA /etc/auto.home

/etc/auto.home
* -rw,sec=krb5,vers=3 server-f.q.d.n:/home2/MARINA/&

- Join the domain
create /etc/samba/smb.conf
workgroup = MARINA
realm = your.realm
security = ADS

net ads join -UAdministrator
net ads keytab create
Create domain users for nfs and nslcd and extract their keytabs, then keep a ticket for nslcd:
k5start -f /etc/nslcd.keytab -U -o nslcd-user -K 360 -k /tmp/nslcd.tkt &

- Log in
You may want to read the more detailed version.
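The client steps above, as an added example script that is not part of s4bind: it writes the minimal smb.conf, joins, creates the keytab, sets up the two automounter files and starts k5start for nslcd, stopping at the first failure. It assumes the realm and workgroup from this page, a made-up DC name dc1.hh3.site, and that the nslcd keytab extracted on the DC has already been copied to /etc/nslcd.keytab (the nfs keytab is not handled here). A dry-run mode prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of s4bind: the Linux client steps above as one
# fail-fast script.  WORKGROUP and REALM come from the page; the DC name
# dc1.hh3.site is made up and /etc/nslcd.keytab is assumed to hold the
# keytab extracted for the nslcd-user account on the DC.
#   sh join_client.sh dry-run   # print the commands, touch nothing
#   sh join_client.sh join      # as root, on the client

WORKGROUP=${WORKGROUP:-MARINA}
REALM=${REALM:-HH3.SITE}
DC=${DC:-dc1.hh3.site}
BASEDIR=${BASEDIR:-/home2}
NSLCD_KEYTAB=${NSLCD_KEYTAB:-/etc/nslcd.keytab}

# run CMD...: execute the command, or only print it when DRY_RUN is set
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# install_file PATH: write stdin to PATH (only announced in dry-run mode)
install_file() {
    if [ -n "$DRY_RUN" ]; then echo "write $1"; cat >/dev/null; else cat > "$1"; fi
}

# append_line PATH LINE: add LINE to PATH unless it is already there
append_line() {
    if [ -n "$DRY_RUN" ]; then echo "append to $1: $2"; return 0; fi
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# smb_conf WORKGROUP REALM: the minimal smb.conf the join needs
smb_conf() { printf '[global]\n\tworkgroup = %s\n\trealm = %s\n\tsecurity = ADS\n' "$1" "$2"; }

# auto_master_line BASEDIR WORKGROUP: points /home2/MARINA at the auto.home map
auto_master_line() { printf '%s/%s /etc/auto.home\n' "$1" "$2"; }

# auto_home_line BASEDIR WORKGROUP DC: wildcard map entry; sec=krb5 makes the
# NFS home mounts Kerberized, so a client cannot mount with a forged uid alone
auto_home_line() { printf '* -rw,sec=krb5,vers=3 %s:%s/%s/&\n' "$3" "$1" "$2"; }

# preflight: the pieces that must be copied from the DC before joining
preflight() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -r /etc/krb5.conf ] || { echo "copy /etc/krb5.conf from the DC first" >&2; return 1; }
    [ -r "$NSLCD_KEYTAB" ] || { echo "extract the nslcd keytab on the DC and copy it to $NSLCD_KEYTAB" >&2; return 1; }
    command -v net >/dev/null 2>&1 || { echo "samba's net tool is not installed" >&2; return 1; }
}

# join_client: the steps from the page, in order, each one stopping the script on failure
join_client() {
    smb_conf "$WORKGROUP" "$REALM" | install_file /etc/samba/smb.conf || return 1
    run net ads join -UAdministrator || return 1
    run net ads keytab create || return 1
    append_line /etc/auto.master "$(auto_master_line "$BASEDIR" "$WORKGROUP")" || return 1
    auto_home_line "$BASEDIR" "$WORKGROUP" "$DC" | install_file /etc/auto.home || return 1
    # keep a ticket for nslcd, renewed every 360 minutes, as a background daemon (-b)
    run k5start -f "$NSLCD_KEYTAB" -U -o nslcd-user -K 360 -k /tmp/nslcd.tkt -b || return 1
    # smoke test: nslcd must now resolve a domain account
    run getent passwd Administrator
}

case "${1:-}" in
    dry-run) DRY_RUN=1 join_client ;;
    join)    preflight && join_client ;;
    *)       echo "usage: $0 dry-run|join" >&2 ;;
esac
```

The dry run lists seven steps in the order the page gives them; the real run refuses to start unless krb5.conf, the nslcd keytab and the net tool are in place, and the final getent call is the quickest way to see whether nslcd's ticket and the LDAP mapping work.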


s4bind in action

synopsis
s4bind <command> <arg1> [arg2 [arg3]]

command          arguments
---------------  ----------------------------
edit             <object>
useradd          <user>
groupadd         <group>
groupdel         <group>
userdel          <user>
setgid           <group> <gidNumber>
setprimarygroup  <group> <user>
changehome       <directory> <user> [group]
upgradegroup     <group> <gidNumber>

examples
s4bind edit "Domain Users"
Opens the "Domain Users" group for editing. Be sure to quote "objects with spaces".
The editor is currently set to gedit.

s4bind useradd steve
Adds a user steve to the Domain Users group and creates his home directory in /home2/MARINA/steve. His Windows share is set to [home] and his Windows home drive is set to Z:
In smb.conf we have:
[home]
path = /home2/MARINA
read only = No

s4bind groupadd staff
Creates the group called staff with the gidNumber set to whatever Samba4 decided. It would be a good idea to change the gidNumber to something more meaningful using setgid (see below).

s4bind groupdel staff
Removes the group staff. First checks to see if the group has members.

s4bind setgid staff 21018
Sets the group staff to gidNumber 21018. We chose 21018 as 1018 is the primaryGroupID for staff. You can of course change this to whatever you want. Try not to make it collide with local groups.

s4bind userdel steve
Deletes the user steve. Asks if you want to delete his home folder and profile.

s4bind setprimarygroup anothergroup steve
Sets the primaryGroupID and gidNumber for steve to that of anothergroup. steve remains a member of any other groups he has membership of. Finally, updates ownerships of his home folder to that of anothergroup.

s4bind changehome staff steve
Changes steve's home folder from wherever it was to staff. Note, we arrange our home folders:
/home2/MARINA (new users)
/home2/MARINA/staff (users who are staff members)
It may be convenient to change the staff folder to staff ownership and chmod 0750 it. In this case, steve needs to be a member of the staff group. Make sure he is:
samba-tool group addmembers staff steve
or
s4bind setprimarygroup staff steve

s4bind upgradegroup "Domain Users" 20513
Adds objectClass posixGroup and gidNumber 20513 to Domain Users.
Used to make Windows groups usable on Linux.
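An added example, not s4bind's own code, showing what upgradegroup and useradd have to put into the directory (this is the mechanism "How does it work?" describes): the gidNumber follows the page's pattern of 20000 + RID (20513 for Domain Users, 21018 for staff), is checked against the local group file so that it cannot collide with a local group, and the LDIF is emitted for ldbmodify against the group's own DN. The SIDs, DNs, uidNumber and local group file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of s4bind: how the POSIX attributes described
# above get into the directory.  It follows the page's numbering
# (gidNumber = 20000 + RID, so Domain Users/513 -> 20513 and staff/1018
# -> 21018), refuses a gidNumber already used in the local group file,
# and emits the LDIF that ldbmodify applies to the group's own DN.
# The SIDs, DNs and the local group file below are constructed for the demo.

# rid_from_sid SID: the last component of an objectSid, e.g. ...-1018 -> 1018
rid_from_sid() { printf '%s\n' "${1##*-}"; }

# gid_from_rid RID: the page's convention, 20000 + RID
gid_from_rid() { echo $((20000 + $1)); }

# gid_in_use GID GROUPFILE: true when a local group already has that gid
gid_in_use() {
    awk -F: -v g="$1" '$3 == g { found = 1 } END { exit !found }' "$2"
}

# allocate_gid SID GROUPFILE: print the gidNumber, fail on a collision
allocate_gid() {
    gid=$(gid_from_rid "$(rid_from_sid "$1")")
    if gid_in_use "$gid" "$2"; then
        echo "gidNumber $gid collides with a group in $2" >&2
        return 1
    fi
    printf '%s\n' "$gid"
}

# posix_group_ldif GROUPDN GID: what "s4bind upgradegroup" has to add
posix_group_ldif() {
    cat <<EOF
dn: $1
changetype: modify
add: objectClass
objectClass: posixGroup
-
add: gidNumber
gidNumber: $2
-
EOF
}

# posix_user_ldif USERDN UID GID HOME: the attributes nslcd maps to passwd
# (the login name and home come from sAMAccountName / unixHomeDirectory,
# as mapped in nslcd.conf)
posix_user_ldif() {
    cat <<EOF
dn: $1
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: $2
-
add: gidNumber
gidNumber: $3
-
add: unixHomeDirectory
unixHomeDirectory: $4
-
add: loginShell
loginShell: /bin/bash
-
EOF
}

# Constructed local group file: a Debian-style staff/users plus one clash at 20513
LOCAL_GROUPS=$(mktemp)
cat > "$LOCAL_GROUPS" <<'EOF'
root:x:0:
staff:x:50:
users:x:100:
legacy:x:20513:
EOF
SID_STAFF=S-1-5-21-1111111111-2222222222-3333333333-1018
SID_DOMAIN_USERS=S-1-5-21-1111111111-2222222222-3333333333-513

echo "== staff: gidNumber derived from the RID"
if gid=$(allocate_gid "$SID_STAFF" "$LOCAL_GROUPS"); then
    posix_group_ldif "CN=staff,CN=Users,DC=hh3,DC=site" "$gid"
    posix_user_ldif "CN=steve,CN=Users,DC=hh3,DC=site" 10001 "$gid" /home2/MARINA/staff/steve
fi
echo "== Domain Users: the constructed local group file already uses 20513"
allocate_gid "$SID_DOMAIN_USERS" "$LOCAL_GROUPS" || echo "choose another value with: s4bind setgid"
```

To apply the LDIF, pipe it into ldbmodify with the db and auth variables the setup file exports (ldbmodify reads LDIF from standard input when given no file), and read the group's objectSid with ldbsearch to get the RID; both steps need the ticket that setup checks for.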

Example use case
s4bind is very flexible. In this example we create a minimal SSO setup.

[profiles] is a share where we store the Windows roaming profiles. Make sure that it is writable by everyone; mode 1777 is a good idea. s4bind automatically sets the profile path for each user you create.

[dropbox] is a general share under /data/dropbox which has a rw acl set for the group staff.

[stuff] is a general free-for-all, insecure space for our staff to put stuff (very useful).

[staff] is a share which is 0750 root:staff where the staff home directories are held. Create the group staff and add members of staff to it (s4bind groupadd staff). There is no need to set the primary group of staff members to staff.

Don't forget to export /data via nfs too for the Linux clients.
/usr/local/samba/etc/smb.conf
# Global parameters
[global]
server role = domain controller
workgroup = MARINA
realm = hh3.site
netbios name = HH1
passdb backend = samba4
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[home]
path = /home2/MARINA
read only = No
[profiles]
path = /home2/MARINA/profiles
read only = No
[dropbox]
path = /data/dropbox
read only = No
create mask = 0770
[stuff]
path = /data/stuff
read only = No
create mask = 0777
[staff]
path = /home2/MARINA/staff
read only = No