
Thread: Options for authenticating Windows users and computers via Linux

  1. #11
    Join Date
    Jun 2017
    Beans
    21

    Re: Options for authenticating Windows users and computers via Linux

    TheFu,
    Yeah, it's not a modest little system, but I got it for $325 (along with a 325Gb and a 1Tb drive), so couldn't say no. I plan on running a number of servers, production (so to speak) and testing/playing, some of them Windows, some Linux. I also know what you mean about patching; in my working days I handled security (such as it was) for my employer and current patch testing and deployment is something I'm big on. One of the plans I have is weekly inventorying of all of our home systems and ensuring that all are current on patches and anti-malware definitions.

    One of the server systems I'm going to be deploying is Sophos UTM. I want to set up some detailed logging of our network traffic, looking for rogue services or malware. We have a number of IoT devices and I want to see just what's flowing via them. I may annoy my family, but I will learn a lot and keep us safer than most at the same time.

    After reading through all the comments, last night I cleaned up my Ubuntu system and took a swing at deploying SAMBA4 as an AD DC. So far it's looking like a success. I have started doing some testing of it prior to adding users and systems, but I got stuck running the SMBclient tests. Seems my system didn't have the SMB client installed and when I installed it, it of course wasn't configured for the new domain. I will get it configured yet this week, I hope, and finish the testing. The family and I will be gone for a long weekend, so it may well run over into next week. I will post back how it goes, as so far I'm pretty hopeful.

    If this works, I will be demoing this at my local Linux users group later in the year. When I spoke of my needs and efforts at last month's meeting, while no one had much background for assisting me, there was a fair bit of interest in the capabilities of what I was looking to do. So this might be a chance for me to give back to the community, in a small way. I appreciate what you guys have done for me (TheFu, Gordintoronto, and volkswagner) in ideas, suggestions, and comments. Much appreciated!!

  2. #12
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Options for authenticating Windows users and computers via Linux

    Quote Originally Posted by vbowers
    I'm certain everyone here is happy to hear something useful came from it. I know I've learned by reading all the responses too!

    Be careful running multiple services on the same system (inside the same VM or on the same subnet) when they really belong elsewhere. I'm concerned about UTM stuff. Had a few clients burned by them over the years. Security has to be layered and conveying a clear "no silver bullet" to the end-users is mandatory.

    IoT ... ouch. I've avoided them for the most part, though I've had a Roku and SIP ATA for a long time. Those devices are on a special subnet, alone.

    CIFS security will always be an issue. For your environment, there isn't much that can be done.

  3. #13
    Join Date
    Jun 2017
    Beans
    21

    Re: Options for authenticating Windows users and computers via Linux

    Yeah, I subnet wireless from wired, servers from clients, etc. For home I don't go *too* crazy, but that's a matter of opinion. I host no external facing systems, firewalled off everything inbound, but still try to be careful.

    Have run into a snag on the SAMBA AD DC. Seems that when I ran the SAMBA install (samba-tool domain provision --use-rfc2307 --interactive), it did not create a krb5.conf file. Or if it did, it didn't do so at the location specified in the documentation at https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller. Supposedly this was done in a /usr/local/samba/private/ folder, but there's no "samba" folder in the /usr/local/ area. Consequently, no working Kerberos. My other tests of the setup work, but not Kerberos.

    Pretty sure the file got created, but gotta believe it landed somewhere else. Now I get to learn how to look through all the file folders on a Linux install to see where this puppy landed. Can't have it all go perfectly!

  4. #14
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Options for authenticating Windows users and computers via Linux

    Distros move things around.

    Projects tend to assume everyone is installing using their source code packages.

    Distros put system-level settings into /etc/

    Projects put system-level settings into /usr/local/etc/

    Of course, all these locations can be overridden at run-time either by environment variables, config files or command line options. Usually, it is just easier to go with the distro installs and let them put things into /etc/.

    How and why different directories are used is VERY WELL THOUGHT OUT over the decades by Unix people. For Linux, there is a file system hierarchy document (the wikipedia article is a nice summary). If you plan to be an admin, reviewing that document is mandatory.

    Disk storage can be local, local-access-only, remote, read-write or read-only. Files can be system specific, specific to a family of OSes, specific to a specific type of CPU, etc. It was common for /usr/local/ to be an NFS mount and shared by all the similar systems on a network, for example. Upgrade the programs in 1 place and 200 workstations all got the update. /var and /etc must be local storage (or at least unique to a specific OS running instance). Anyway, there are specific reasons for where and why each directory is on a specific storage and in a specific location.

    Make sense?

    Oh ... and the 'tree' command will be your friend, but definitely take a look at this: https://en.wikipedia.org/wiki/Filesy...archy_Standard for an overview.

  5. #15
    Join Date
    Feb 2008
    Beans
    5,078
    Distro
    Xubuntu 16.04 Xenial Xerus

    Re: Options for authenticating Windows users and computers via Linux

    Pragmatic answer:
    locate krb5.conf

  6. #16
    Join Date
    Jun 2017
    Beans
    21

    Re: Options for authenticating Windows users and computers via Linux

    Yup, that was the issue. In order to be sure I got it right, I removed the old SAMBA setup, following the instructions at https://wiki.samba.org/index.php/Set...ain_Controller. Besides being a good set of instructions on setting up the AD DC, it also explains how to clean up SAMBA before starting the install. THIS time I had a notepad where I wrote down where the install put the d*mn krb5.conf file. Instead of /usr/local/samba/private/ as shown in the example, the Ubuntu install put it at /var/lib/samba/private/.

    Armed with that knowledge, I revised the later link instruction so that it could link to the proper file location and things went much better. Unfortunately not perfectly, just much better. At this point, my server now passes all of the recommended AD DC tests except those for Kerberos, which is frustrating. However, the failures are a bit better. The issue now seems to be in configuring Kerberos to specify the local default domain. Hopefully I will be able to find someone out there with a little bit of experience with Kerberos on SAMBA who can help me with that issue. I won't go into boring details, but I think it shouldn't be too hard to fix. I am going to do more Googling on my own, but if I can't come up with something after an hour of that, I'll post a question on the board here and at AskUbuntu. Hopefully between the two I can find someone who can direct me to the edit I need.

    At this point though, I'm hopeful that I can slay this dragon. Server host resolution for what server is the Kerberos server is working (that's new), both for TCP and UDP, so it SEEMS that I'm pretty much down to one issue, figuring out how to specify to the Kerberos setup what the local default realm is and I should be golden.

    It's really odd to me that I have not been able to find a decent set of instructions that give a complete list of services needed and configuration instructions for doing this. Once I'm done and have a working, tested solution, I think I'm going to try to write up a solid process for this. IMHO, this would really help someone with a small office/home network situation have a fairly simple, secure method for authenticating computers and users. But the current state of instructions out there really leaves a bit to be desired. None note that you need to set up time synch for your domain systems, but elsewhere I found information on this creating authentication issues, just like it does in a Windows domain environment. Some instructions show how to link UNIX and Windows groups for authentication, some don't, but it's something you really should do. None note that you should put file and print shares on a separate server, but you should, for a variety of reasons. The info is just too scattered and needs to be brought together somehow. If I get this all working, maybe putting together a blog or site dedicated to this might be worthwhile.
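    Added example (not from any post in this thread): a small POSIX shell script that does what posts #13 to #16 work through by hand. It probes the krb5.conf locations named in the thread (the distro's /etc, the Ubuntu package path /var/lib/samba/private/, and the Samba wiki's source-install path /usr/local/samba/private/), falls back to a filesystem search in the spirit of the `locate krb5.conf` answer, and then checks that `[libdefaults]` actually names a `default_realm`, which is the remaining failure described in post #16. The sample krb5.conf files it writes are constructed for the demo, and the realm SAMDOM.EXAMPLE.COM is the placeholder the Samba wiki uses, not a real domain.

```shell
#!/bin/sh
# Added example (not from the thread): find krb5.conf where the Ubuntu and
# source installs put it, then check that [libdefaults] names a realm.

# Candidate directories, in the order worth checking on a Samba AD DC host:
# the distro copy in /etc, the Ubuntu package path quoted in post #16, and
# the source-install path from the Samba wiki.
KRB5_DEFAULT_DIRS="/etc /var/lib/samba/private /usr/local/samba/private"

# find_krb5_conf [DIR...]: print the first readable krb5.conf in the given
# directories (default: KRB5_DEFAULT_DIRS). If none is found, fall back to a
# filesystem search below KRB5_SEARCH_ROOT (default /), i.e. the
# "locate krb5.conf" answer without needing the locate database.
find_krb5_conf() {
    [ $# -gt 0 ] || set -- $KRB5_DEFAULT_DIRS
    for d in "$@"; do
        if [ -r "$d/krb5.conf" ]; then
            printf '%s\n' "$d/krb5.conf"
            return 0
        fi
    done
    found=$(find "${KRB5_SEARCH_ROOT:-/}" -xdev -name krb5.conf 2>/dev/null | head -n 1)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    return 1
}

# krb5_default_realm FILE: print default_realm from [libdefaults] in FILE.
# Exit status 1 (and no output) when the key is absent, which is the
# "no default realm" symptom described in post #16.
krb5_default_realm() {
    awk '
        /^[[:space:]]*\[/ {                   # section header, e.g. [libdefaults]
            section = $0
            sub(/^[[:space:]]*\[/, "", section)
            sub(/\].*$/, "", section)
            section = tolower(section)
            next
        }
        section == "libdefaults" && /^[[:space:]]*default_realm[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")    # strip "default_realm ="
            sub(/[[:space:]]+$/, "")          # and trailing whitespace
            print
            found = 1
            exit
        }
        END { exit !found }
    ' "$1"
}

# make_sample_tree DIR: write two constructed krb5.conf files under DIR so
# the checks can be exercised without touching a real DC. The realm
# SAMDOM.EXAMPLE.COM is the Samba wiki placeholder, not a real domain.
make_sample_tree() {
    mkdir -p "$1/ubuntu" "$1/norealm"
    # shape of the file samba-tool domain provision writes, realm filled in
    printf '[libdefaults]\n\tdefault_realm = SAMDOM.EXAMPLE.COM\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n' > "$1/ubuntu/krb5.conf"
    # same section, but the realm line is missing
    printf '[libdefaults]\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n' > "$1/norealm/krb5.conf"
}

# check_krb5 [DIR...]: combine both checks; prints a one-line verdict and
# returns 0 only when a krb5.conf with a default_realm was found.
check_krb5() {
    conf=$(find_krb5_conf "$@") || { echo "krb5.conf: not found"; return 1; }
    realm=$(krb5_default_realm "$conf") || { echo "$conf: no default_realm in [libdefaults]"; return 1; }
    echo "$conf: default_realm = $realm"
}

# Demo on the constructed tree. On the DC itself run check_krb5 with no
# arguments so it probes the real directories.
demo=$(mktemp -d)
make_sample_tree "$demo"
mkdir -p "$demo/empty"
KRB5_SEARCH_ROOT="$demo/empty" check_krb5 "$demo/ubuntu" || true    # realm found
KRB5_SEARCH_ROOT="$demo/empty" check_krb5 "$demo/norealm" || true   # file found, realm missing
KRB5_SEARCH_ROOT="$demo/empty" check_krb5 "$demo/nodir" || true     # nothing found
rm -rf "$demo"
```

Once the script reports a realm, `kinit administrator@REALM` (as the Samba wiki's Kerberos test does) is the natural next check; if that fails with a clock skew error, the time synchronisation point raised in the post above is the first thing to look at.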
