Difference between revisions of "SAMBA Cross-Domain Trust File Server"

From Michael's Information Zone
Jump to navigation Jump to search
 
(32 intermediate revisions by the same user not shown)
Line 16: Line 16:
 
prepend domain-search "domain1.tld", "domain2.tld";
 
prepend domain-search "domain1.tld", "domain2.tld";
 
prepend domain-name-servers 192.168.1.100, 192.168.1.101;
 
prepend domain-name-servers 192.168.1.100, 192.168.1.101;
sudo reboot -h now
 
 
</pre>
 
</pre>
 
<pre>
 
<pre>
sudo yum install epel-release yum-cron firewalld
+
sudo hostnamectl set-hostname smbshare
 +
sudo timedatectl set-timezone America/New_York
 +
sudo yum -y install yum-cron firewalld
 
sudo systemctl enable --now firewalld
 
sudo systemctl enable --now firewalld
 
sudo systemctl enable --now yum-cron
 
sudo systemctl enable --now yum-cron
sudo hostnamectl set-hostname myfileserver
 
 
sudo reboot -h now
 
sudo reboot -h now
</pre>
 
*Install kerberose and related packages, start sssd service, join realm.
 
<pre>
 
sudo yum install -y realmd krb5-workstation oddjob oddjob-mkhomedir sssd samba-common samba-common-tools samba
 
sudo systemctl enable --now sssd
 
sudo realm join -U <username> domain1.tld
 
 
</pre>
 
</pre>
  
Line 39: Line 33:
 
sudo mount /dev/disk/by-uuid/556cfbd6-18cf-4721-934c-f35835ee89c8 /mnt/data/
 
sudo mount /dev/disk/by-uuid/556cfbd6-18cf-4721-934c-f35835ee89c8 /mnt/data/
 
</pre>
 
</pre>
 +
Apply selinux context.
 +
<pre>
 +
sudo semanage fcontext -a -t samba_share_t "/mnt/data(/.*)?"
 +
sudo
 +
</pre>
 +
 
===Samba Config===
 
===Samba Config===
 
<ref>https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member</ref>
 
<ref>https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member</ref>
 
<ref>https://wiki.samba.org/index.php/Idmap_config_ad</ref>
 
<ref>https://wiki.samba.org/index.php/Idmap_config_ad</ref>
*This smb.conf global entry was created using the referenced wiki.samba.org links, as well as referencing a smb.conf file from a FreeNAS server.
+
*Install samba
 +
<pre>
 +
sudo yum -y install samba
 +
</pre>
 +
*This smb.conf global entry was created using the referenced wiki.samba.org links, as well as referencing a smb.conf file from a FreeNAS server.<br>
 +
In this case we also disable printing, as this is not used and one less service to be attacked.
 
<pre>
 
<pre>
 
[global]
 
[global]
Line 48: Line 53:
 
         security = ADS
 
         security = ADS
 
         realm = DOMAIN1.TLD
 
         realm = DOMAIN1.TLD
        idmap config * : backend = tdb
 
        idmap config * : range = 1
 
 
         idmap config *: backend = tdb
 
         idmap config *: backend = tdb
         idmap config *: range = 1500-19999
+
         idmap config *: range = 3000-7999
 
         idmap config DOMAIN1: backend = rid
 
         idmap config DOMAIN1: backend = rid
         idmap config DOMAIN1: range = 20000-79999
+
         idmap config DOMAIN1: range = 10000-999999
 
         idmap config DOMAIN2: backend = rid
 
         idmap config DOMAIN2: backend = rid
         idmap config DOMAIN2: range = 80000-100000
+
         idmap config DOMAIN2: range = 1000000-9999999
 
         allow trusted domains = yes
 
         allow trusted domains = yes
 
         winbind refresh tickets = Yes
 
         winbind refresh tickets = Yes
Line 61: Line 64:
 
         map acl inherit = Yes
 
         map acl inherit = Yes
 
         store dos attributes = Yes
 
         store dos attributes = Yes
 +
        username map = /etc/samba/user.map
 +
        dedicated keytab file = /etc/krb5.keytab
 +
        kerberos method = secrets and keytab
 +
        load printers = no
 +
        printing = bsd
 +
        printcap name = /dev/null
 +
        disable spoolss = yes
 +
 +
[DATA]
 +
        path = /mnt/data
 +
        read only = no
 
</pre>
 
</pre>
*Reload the config
+
*<ref>https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting</ref>Create file /etc/samba/user.map with the following
 +
<pre>
 +
!root = DOMAIN1\michael.mast
 +
</pre>
 +
*Start services
 +
<pre>
 +
sudo systemctl enable --now smb
 +
sudo systemctl enable --now nmb
 +
</pre>
 +
 
 
<pre>
 
<pre>
 
sudo smbcontrol all reload-config
 
sudo smbcontrol all reload-config
 +
</pre>
 +
 +
===AD Authentication===
 +
====Using winbind====
 +
 +
<ref>https://wiki.centos.org/TipsAndTricks/WinbindADS</ref>
 +
<ref>https://www.server-world.info/en/note?os=CentOS_7&p=samba&f=3</ref>
 +
<pre>
 +
sudo yum -y install samba-winbind samba-winbind-clients
 +
sudo net ads join -U michael.mast
 +
</pre>
 +
*Edit /etc/nsswitch.conf and add winbind for passwd and group, in example:
 +
<pre>
 +
...
 +
passwd:    files winbind sss
 +
...
 +
group:      files winbind sss
 +
...
 +
</pre>
 +
*Start services
 +
<pre>
 +
sudo systemctl enable --now smb
 +
sudo systemctl enable --now nmb
 +
sudo systemctl enable --now winbind
 +
</pre>
 +
*Grant SeDiskOperatorPrivilege
 +
<pre>
 +
net rpc rights grant 'DOMAIN1\linuxadmins' SeDiskOperatorPrivilege -U'DOMAIN1\michael.mast'
 +
Enter DOMAIN1\michael.mast's password:
 +
Successfully granted rights.
 +
</pre>
 +
 +
====FAILED : Using SSSD====
 +
This process was not working when I got to the Windows Management side of things.<br>
 +
*Install kerberose and related packages, will join later. <ref>https://github.com/sous-chefs/samba/issues/88</ref> Don't forget sssd-libwbclient.
 +
<pre>
 +
sudo yum install -y realmd krb5-workstation oddjob oddjob-mkhomedir sssd sssd-libwbclient
 +
sudo systemctl enable --now sssd
 +
sudo realm join -U <username> domain1.tld
 +
</pre>
 +
*At this point we want to make sure a domain security group can manage the share from a Windows server. In my case I created a linuxadmins group.
 +
<pre>
 +
net rpc rights grant 'DOMAIN1\lunixadmins' SeDiskOperatorPrivilege -U'DOMAIN1\michael.mast'
 +
</pre>
 +
However, at the time of this writing I am unable to get this to work. Getting the following error
 +
<pre>
 +
Enter DOMAIN1\michael.mast's password:
 +
Could not connect to server 127.0.0.1
 +
The username or password was not correct.
 +
Connection failed: NT_STATUS_LOGON_FAILURE
 +
</pre>
 +
==SELinux Config==
 +
<pre>
 +
sudo setsebool -P nis_enabled 1
 +
sudo setsebool -P samba_export_all_rw 1
 
</pre>
 
</pre>

Latest revision as of 10:47, 18 November 2020

Purpose

Existing file server is not configured properly. Will be moving this non-critical data to a new server running in AWS. Since I can live with some downtime if needed, it is much cheaper to use a small AWS instance than to use the expensive Windows based file service AWS offers.

Host

Host is t3a.small CentOS7 instance running on EC2. At the time of this writing CentOS8 is not available on the AWS store.
Though not a critical system, it will be holding sensitive data and I want native SELinux.

Config

Work in progress

Packages and Domain

  • Prep base OS with automatic updates and a firewall. Make sure to edit the yum-cron config to install security only, and to install updates after downloading.
sudo yum upgrade -y
  • Edit /etc/dhcp/dhclient.conf to include domain specific settings, then reboot.
prepend domain-search "domain1.tld", "domain2.tld";
prepend domain-name-servers 192.168.1.100, 192.168.1.101;

sudo hostnamectl set-hostname smbshare
sudo timedatectl set-timezone America/New_York
sudo yum -y install yum-cron firewalld
sudo systemctl enable --now firewalld
sudo systemctl enable --now yum-cron
sudo reboot -h now

Disk

  • Create partition, mount data disk, create fstab entry. The below is for general reference only and omits finding the UUID and what options to use.
sudo fdisk /dev/nvme1n1
sudo mkfs.xfs /dev/nvme1n1p1
sudo mount /dev/disk/by-uuid/556cfbd6-18cf-4721-934c-f35835ee89c8 /mnt/data/

Apply selinux context. 

sudo semanage fcontext -a -t samba_share_t "/mnt/data(/.*)?"
sudo

Samba Config

[1] [2]

  • Install samba
sudo yum -y install samba
  • This smb.conf global entry was created using the referenced wiki.samba.org links, as well as referencing a smb.conf file from a FreeNAS server.

In this case we also disable printing, as this is not used and one less service to be attacked. 

[global]
        workgroup = DOMAIN1
        security = ADS
        realm = DOMAIN1.TLD
        idmap config *: backend = tdb
        idmap config *: range = 3000-7999
        idmap config DOMAIN1: backend = rid
        idmap config DOMAIN1: range = 10000-999999
        idmap config DOMAIN2: backend = rid
        idmap config DOMAIN2: range = 1000000-9999999
        allow trusted domains = yes
        winbind refresh tickets = Yes
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
        username map = /etc/samba/user.map
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[DATA]
        path = /mnt/data
        read only = no
  • [3]Create file /etc/samba/user.map with the following
!root = DOMAIN1\michael.mast
  • Start services
sudo systemctl enable --now smb
sudo systemctl enable --now nmb

sudo smbcontrol all reload-config

AD Authentication

Using winbind

[4] [5] 

sudo yum -y install samba-winbind samba-winbind-clients
sudo net ads join -U michael.mast
  • Edit /etc/nsswitch.conf and add winbind for passwd and group, in example:
...
passwd:     files winbind sss
...
group:      files winbind sss
...
  • Start services
sudo systemctl enable --now smb
sudo systemctl enable --now nmb
sudo systemctl enable --now winbind
  • Grant SeDiskOperatorPrivilege
net rpc rights grant 'DOMAIN1\linuxadmins' SeDiskOperatorPrivilege -U'DOMAIN1\michael.mast'
Enter DOMAIN1\michael.mast's password:
Successfully granted rights.

FAILED : Using SSSD

This process was not working when I got to the Windows Management side of things.

  • Install kerberose and related packages, will join later. [6] Don't forget sssd-libwbclient.
sudo yum install -y realmd krb5-workstation oddjob oddjob-mkhomedir sssd sssd-libwbclient
sudo systemctl enable --now sssd
sudo realm join -U <username> domain1.tld
  • At this point we want to make sure a domain security group can manage the share from a Windows server. In my case I created a linuxadmins group.
net rpc rights grant 'DOMAIN1\lunixadmins' SeDiskOperatorPrivilege -U'DOMAIN1\michael.mast'

However, at the time of this writing I am unable to get this to work. Getting the following error 

Enter DOMAIN1\michael.mast's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

SELinux Config

sudo setsebool -P nis_enabled 1
sudo setsebool -P samba_export_all_rw 1
  1. https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
  2. https://wiki.samba.org/index.php/Idmap_config_ad
  3. https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
  4. https://wiki.centos.org/TipsAndTricks/WinbindADS
  5. https://www.server-world.info/en/note?os=CentOS_7&p=samba&f=3
  6. https://github.com/sous-chefs/samba/issues/88
Retrieved from "https://wiki.1701technology.com/index.php?title=SAMBA_Cross-Domain_Trust_File_Server&oldid=1569"