Tag Archives: samba

Authenticate your Linux with Active Directory


Imagine that you are managing a network with 20 or more workstations running various operating systems like Windows, Mac and Linux, and that you have to manage or troubleshoot them one by one whenever there are authentication problems or you just want to change passwords on those machines. That would be a lot of work, right? What you need is centralized user and group management like OpenLDAP or Active Directory. Most businesses already use Microsoft's Active Directory because the majority of their workstations run Microsoft Windows. Because of that, I would like to talk about Active Directory authentication for non-Windows workstations and introduce you to several solutions that will help you do that.

The first solution is the full hands-on approach, which involves a lot of script modifications and the installation of additional libraries. The entire procedure is written down in the December 2008 issue of TechNet and is available for download from Microsoft, so I am not going into detail on that one. Instead I would like to introduce you to three third-party applications that do all of that after just installing them and performing a few small configuration steps. Those three applications are Likewise, Quest Authentication Services and Centrify.

Likewise Solution:

Likewise offers basically two solutions. The first one is Likewise Open, which is free and just allows you to join workstations to your Active Directory, authenticate your users against Active Directory and manage group memberships on the Active Directory side. The second solution is Likewise Enterprise. Likewise Enterprise offers Single Sign-On for enterprise applications like Microsoft SharePoint and for other applications or services that can authenticate via directory services, like Apache, JBoss, MySQL, WebSphere and other systems reached via SSH, which without a directory service would each require separate user and password credentials. With Likewise Enterprise Single Sign-On, LDAP, Kerberos and the applications or services tied to directory authentication, only one username and password is managed centrally in the datacenter. Likewise Enterprise also provides group policy tools to create granular access policies that ensure users have all the permissions they need to do their job, and more. With Likewise Enterprise you can also produce reports of user activity, and with the Operations Dashboard an administrator can see what is going on with users in real time, which makes security and policy monitoring simple and effective. All the features described above make Likewise Enterprise compliant with SOX, PCI DSS, Basel II, HITECH and HIPAA. Likewise Enterprise also lets you add extra security with its optional smart card feature. If your organization still uses Sun's Network Information Service (NIS), you should migrate to the more secure Active Directory from Microsoft, since NIS is not secure and no longer supported by Sun. Likewise Enterprise provides NIS migration tools which move user accounts and password files to Active Directory. Likewise Enterprise also provides hypervisor management tools so that users managing VMware vSphere and Citrix XenServer are authenticated against Microsoft Active Directory.
Likewise has binary packages available for Red Hat, SUSE, Fedora, CentOS, Debian, Ubuntu, Mac OS X, Solaris, HP-UX, AIX and FreeBSD in 32-bit and 64-bit architectures.

You can join your workstation to Active Directory with one command. For example, on Linux type /opt/likewise/bin/domainjoin-cli join domainName ADjoinAccount and press Enter. To authenticate against Active Directory in the GUI use DOMAIN\username, and on the CLI use DOMAIN\\username (the second backslash escapes the first one for the shell), and that is all you have to do.

Overall I think the Likewise solution is well built and should offer you solutions for most of your IT challenges.

Quest Authentication Services

Quest Authentication Services is a patented technology. Looking over the information about this solution, it appears that you need to install a portion on the server itself and then the agent on the non-Windows clients. Quest claims to have 1000 customers with over 5 million installed seats. It supports Linux, Unix and Mac OS X clients. It also appears that this solution does not offer a free option to at least authenticate your non-Windows clients.

Quest extends the authentication, authorization and administration infrastructure of Active Directory to the rest of the enterprise, enabling Unix, Linux and Mac OS X systems to act as full citizens within Active Directory. It also enables audits and alerts and shows a detailed change history. This solution also provides a Group Policy framework which allows you to manage Linux and Mac clients through Microsoft's Group Policy management. Access control capabilities are also extended to non-Windows clients. Single Sign-On is available to non-Windows clients by enabling Kerberos and LDAP just like on Windows clients, and you can authenticate to applications like SAP, Siebel and DB2. Quest provides migration tools to migrate from NIS to Active Directory.

Quest appears to provide all the necessary features to run your heterogeneous network and manage all user accounts through Active Directory. The only thing I would wish for is that Quest would offer a free agent; other than that I think it is good.

Centrify

Centrify offers its product in basically four versions: Express, Standard, Enterprise and Platinum. Let's go over each edition and see what its features are.

Express Edition: Includes Centrify DirectControl Express and Centrify DirectManage Express plus Centrify-enabled open source tools.

Standard Edition: Includes Centrify DirectControl, Centrify DirectManage and DirectAuthorize plus Centrify-enabled open source tools.

Enterprise Edition: Includes everything in the Standard Edition plus Centrify DirectAudit.

Platinum Edition: Includes everything in the Enterprise Edition plus Centrify DirectSecure.

In addition, add-on modules are available for Single Sign-On to SAP, to web applications on Apache and J2EE, and to DB2.

So let's have a look at all these editions and their features.

Centrify DirectControl (Express): Enables Active Directory-based single sign-on to Unix, Linux and Mac.

Centrify DirectManage (Express): Discovers non-Windows systems and joins them to Active Directory.

Centrify-Enabled Open Source Tools: Enhances productivity with painless remote access and Samba integration.

Centrify DirectAuthorize: Enables you to lock down sensitive systems and eliminate uncontrolled use of root permissions.

Centrify DirectAudit: Helps you run detailed logging and spot suspicious activity by showing which user accessed what system, and allows you to monitor current user sessions.

Centrify DirectSecure: Can block untrusted systems from communicating with trusted systems and encrypts data in motion.

Centrify also offers Centrify-enabled components like Kerberos utilities, NIS services, OpenSSH, PuTTY and Samba. Centrify supports the following operating systems: Apple Mac OS X, CentOS, Citrix XenServer, Debian, HP-UX, IBM AIX, Mandriva, SUSE, Solaris, Red Hat, Fedora, IRIX, Ubuntu and VMware ESX Server, all in 32-bit and 64-bit. Centrify is also the only one that is Microsoft certified, which means a lot for businesses that already use Microsoft and would like to integrate non-Windows clients. The only difference I found between Centrify Express and the other suites is that the Express Edition only offers community support while the other editions offer 24/7 professional support.

My conclusion is that I like the Centrify Suite the best, because you get the most features in the free edition compared to the other solutions and it supports the most operating systems. Coming in second place is Likewise: it offers basic features for free to get you started and integrate your non-Windows clients, and if you want more you can upgrade and purchase one of the more advanced editions. Last but not least is Quest Authentication Services, because I was not able to find a free client that at least enables you to authenticate your non-Windows clients against Active Directory; I think their package offers you the most important features, but not all the features that the other two offer. Overall I think any one of those solutions will get you where you want to be.

Please let me know if you know any other solutions that might be better or at least worth mentioning here, and also let me know if I stated something wrong and I will be happy to correct it. I hope this article helped you to decide which product to go with, or at least got you started with Active Directory authentication for non-Windows clients.

UbuntuVideoCast: Windows File-Sharing with SAMBA


Samba is the SMB (Server Message Block) and CIFS (Common Internet File System) implementation which makes it possible to share files with Windows platforms and even makes it possible to create a PDC (Primary Domain Controller). The PDC maintains users, groups, permissions, printers and file shares. Here is an explanation of what SMB and CIFS are, which I borrowed from Microsoft's website:
The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is known as Microsoft SMB Protocol. The set of message packets that defines a particular version of the protocol is called a dialect. The Common Internet File System (CIFS) Protocol is a dialect of SMB. Both SMB and CIFS are also available on VMS, several versions of Unix, and other operating systems. The technical reference to CIFS is available from Microsoft Corporation at Common Internet File System (CIFS) File Access Protocol. Although its main purpose is file sharing, additional Microsoft SMB Protocol functionality includes the following:

  • Dialect negotiation
  • Determining other Microsoft SMB Protocol servers on the network, or network browsing
  • Printing over a network
  • File, directory, and share access authentication
  • File and record locking
  • File and directory change notification
  • Extended file attribute handling
  • Unicode support
  • Opportunistic locks

In the OSI networking model, Microsoft SMB Protocol is most often used as an Application layer or a Presentation layer protocol, and it relies on lower-level protocols for transport. The transport layer protocol that Microsoft SMB Protocol is most often used with is NetBIOS over TCP/IP (NBT). However, Microsoft SMB Protocol can also be used without a separate transport protocol—the Microsoft SMB Protocol/NBT combination is generally used for backward compatibility. The Microsoft SMB Protocol is a client-server implementation and consists of a set of data packets, each containing a request sent by the client or a response sent by the server. These packets can be broadly classified as follows:

  • Session control packets—Establishes and discontinues a connection to shared server resources.
  • File access packets—Accesses and manipulates files and directories on the remote server.
  • General message packets—Sends data to print queues, mailslots, and named pipes, and provides data about the status of print queues.

Some message packets may be grouped and sent in one transmission to reduce response latency and increase network bandwidth. This is called “batching.” The Microsoft SMB Protocol Packet Exchange Scenario section describes an example of a Microsoft SMB Protocol session that uses packet batching.

To install Samba you can use apt-get, aptitude or tasksel. After the installation the smbd and nmbd services are started and will start automatically every time the system boots. On Ubuntu the following directories and files are good to know.

This directory contains all of the main configuration files used by Samba, including local password files.

The smb.conf file is the core configuration file for Samba and is used to define file-shares and global settings for Samba itself.

This is Samba's init script to start, stop, restart and reload the services.

This tool is used to add users to the Samba user database, but the Linux user needs to exist prior to this task, otherwise you receive an error. Here are some switches that can be used:
-a  = add a user account
-x  = delete a user account
-d  = disable a user account
-e  = enable a user account
-m  = add a machine account (needed for PDC configuration)

Contains documentation and configuration examples.

Contains all databases, like users and passwords.

Contains Samba's own log files.

The first clip demonstrates how to set up an easy file share open to everybody, and the second clip demonstrates how to set up an easy file share to which only specific users have access. Later on I will write another article about how to set up a simple PDC with Samba. Enjoy those two YouTube clips.

Here are the two parts for an easy share and how to add some security to it:

Part 1:

Part 2:
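As an added example (not code from the clips or from the Samba project), here is a small Python audit that parses an smb.conf in the style of the two parts and reports which shares are open to everybody (Part 1) and which are limited to named users (Part 2). The configuration it reads is constructed for this example; share names, paths and user names are assumptions.

```python
# Added example: audit an smb.conf for shares open to everybody vs. named-user shares.
import configparser
# Constructed sample: [public] is a Part 1 style share open to everybody,
# [team] is a Part 2 style share that only specific Samba users may access.
SAMPLE_SMB_CONF = """
[global]
   security = user
   map to guest = Bad User
[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes
[team]
   path = /srv/samba/team
   valid users = alice, bob
   read only = no
"""
# Samba accepts synonyms and ignores case and spacing in parameter names.
SYNONYMS = {"public": "guest ok", "writeable": "writable", "write ok": "writable"}
YES = ("yes", "true", "1")

def _norm_key(key):
    key = " ".join(key.strip().lower().split())
    return SYNONYMS.get(key, key)

def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}} for an smb.conf string."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = _norm_key  # normalise parameter names the way Samba does
    # smb.conf indents parameters under each share; strip that so configparser
    # does not treat an indented line as the continuation of a multi-line value.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {name: dict(cp[name]) for name in cp.sections()}

def audit_shares(text):
    """Classify each share as open-writable, open-readonly, restricted or authenticated."""
    findings = {}
    for name, opts in parse_smb_conf(text).items():
        if name.lower() in ("global", "printers", "print$"):
            continue  # not file shares
        guest = opts.get("guest ok", "no").lower() in YES
        writable = (opts.get("writable", "no").lower() in YES
                    or opts.get("read only", "yes").lower() in ("no", "false", "0"))
        if guest:
            findings[name] = "open-writable" if writable else "open-readonly"
        elif opts.get("valid users"):
            findings[name] = "restricted"  # only the listed Samba users get in
        else:
            findings[name] = "authenticated"  # any user in the Samba passdb
    return findings
```

Run it against your own /etc/samba/smb.conf to spot a share that quietly became guest-writable; a world-writable guest share is exactly the Part 1 setup that Part 2 locks down.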

Integration of CUPS into Samba to Share Printers with the Windows World


In this little clip I demonstrate how to integrate CUPS into Samba and share printers with the Windows world. A Windows user will not notice a difference other than that this server doesn't provide a print driver. Follow the video and it will work for you as well.

This is not complete: I am missing the piece that integrates Windows printer drivers. If any of you know how to integrate this piece, please let me know and I will post an addition to it in the form of a clip.

Thank you
