Support has helped multiple customers who are working to address the Badlock vulnerability in Samba while also learning how to move to Centrify's new adbindproxy component. This article is based on our recent experience helping customers migrate, in the hope that it will help other customers seeking similar guidance.
The following information applies to Red Hat Linux. If you are using a different operating system, some of the commands may differ.
Let’s log into a Linux machine that is joined to a Centrify zone and has Centrify-enabled samba on it. Once logged in, let’s check the shares on the machine by running smbclient at the command prompt.
After verifying the correct shares are listed, let’s back up the samba configuration file:
dzdo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
We’re now ready to uninstall the Centrify-enabled samba installation from the machine using the rpm command:
dzdo rpm -e CentrifyDC-samba (This is case sensitive)
And then verify it was removed:
dzdo rpm -qa | grep -i Centrify
Ensure nothing for Centrify samba is listed. We’ll then want to remove any stock samba 3 installations. We will first search for them:
dzdo rpm -qa | grep samba
If any show up, we’ll then want to remove the packages with the yum command:
dzdo yum remove 'samba*'
Enter a y to remove when prompted.
We’re now ready to install samba 4, again utilizing the yum command:
dzdo yum install 'samba4*'
When prompted, enter a y to install.
We should then verify installation:
dzdo rpm -qa | grep samba
As long as the installation is listed, we are ready to move the backed up samba config file into place in order to utilize all of our previous samba settings:
dzdo cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
You can check the date stamp to ensure the smb.conf file is the one we just copied into place.
If you’d like to verify the share files are still showing correctly, please run testparm at the command prompt. The shares should show.
We’re now ready to download and install Centrify’s adbindproxy. Please open a browser and navigate to www.centrify.com and then go to Support and then Download Center and use your Support Portal login to log into the site. Once logged in, please go to “Tools and Troubleshooting” and find “Integration with Samba”. It will then show a list of the different operating systems. Please select the TGZ button next to the line that matches your operating system and download the file.
Once the download completes, please copy or move the file to the *nix machine. You can make a directory on the Linux machine where you’d like to untar the tgz file:
You can then navigate to the directory where the tgz file is located and untar it:
mv centrify-adbindproxy……..tgz /tmp/adbindproxy/
tar -xvf centrify-adbindproxy…….tgz
We’ll then install adbindproxy with the rpm command:
dzdo rpm -Uvh centrify-adbindproxy…….rpm
After the installation is complete, we’ll want to run the configuration script for adbindproxy and we’ll mostly be taking the defaults in the script with a few exceptions:
One of the prompts will ask if you want to join the machine to a zone. If it’s already joined, you can just press Enter. If you need to join it to a zone, you can enter the zone name here and press Enter.
The next prompt you want to watch for is the one that says:
Please specify the stock samba winbind listen path(dir)if it is not in [/run/samba/winbindd]:
RHEL 6 often uses /var/run/samba/winbindd for its winbindd listen path so you’ll want to verify the winbindd path and change it here if necessary. If it uses the default path, you can just press enter.
You should just be able to take the defaults through the rest of the script but you may want to read them to verify they are correct before pressing enter.
After the script completes, the samba services (smbd, nmbd, winbindd and adbindd) will need to be restarted. Centrify has a built-in command for restarting all four services so that they don’t have to be restarted one at a time. At the command prompt, please run:
dzdo service centrifydc-samba restart
You’ll be able to verify the services are starting OK at this point.
We’ll want to add this setting to chkconfig to ensure this command runs if the server is ever rebooted. We can do that by running the following command:
dzdo chkconfig --add centrifydc-samba
We then need to turn the service on in chkconfig:
dzdo chkconfig centrifydc-samba on
And then verify it started correctly for the run levels that are necessary:
dzdo chkconfig --list centrifydc-samba
We’re ready to verify the samba version installed:
We can also verify we see the Linux shares:
smbclient -L //localhost
And then connectivity to the shares:
It will go to a prompt that looks like smb:\> where you can type in ls and the shares should be listed.
You may also want to go to a Windows machine and verify you can get to the shares from there. If you go to Windows Explorer and, in the address window, type in \\servername\sharename, you should see the contents of the share.
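The package, listen-path and configuration checks from the steps above can be collected into shell functions. This is an added example, not Centrify's code; the function names, the optional ROOT argument and the sample package lists are made up for the illustration.

```shell
#!/bin/sh
# Added example: checks for the migration steps above. Function names, the
# ROOT argument and the sample package lists are assumptions of this example.

# check_packages: reads `rpm -qa` output on stdin; fails if CentrifyDC-samba
# is still installed or if stock samba or adbindproxy is missing.
check_packages() {
    pkgs=$(cat); rc=0
    if printf '%s\n' "$pkgs" | grep -q '^CentrifyDC-samba'; then
        echo "FAIL: Centrify-enabled samba is still installed"; rc=1
    fi
    if ! printf '%s\n' "$pkgs" | grep -q '^samba'; then
        echo "FAIL: no stock samba package found"; rc=1
    fi
    if ! printf '%s\n' "$pkgs" | grep -qi 'adbindproxy'; then
        echo "FAIL: adbindproxy is not installed"; rc=1
    fi
    return "$rc"
}

# winbindd_listen_path [ROOT]: print the directory to give the adbindproxy
# script, trying the script's default first and then the RHEL 6 location.
winbindd_listen_path() {
    root=${1:-}
    for d in /run/samba/winbindd /var/run/samba/winbindd; do
        if [ -d "$root$d" ]; then echo "$d"; return 0; fi
    done
    echo "winbindd listen directory not found" >&2
    return 1
}

# config_restored [ROOT]: succeed only if smb.conf is byte-identical to the
# backup, which is a stronger check than comparing date stamps.
config_restored() {
    root=${1:-}
    cmp -s "$root/etc/samba/smb.conf" "$root/etc/samba/smb.conf.bak"
}

# Constructed `rpm -qa` samples (versions are placeholders, not real builds).
SAMPLE_OK='samba4-0.0.0-0.x86_64
samba4-common-0.0.0-0.x86_64
CentrifyDC-0.0.0-0.x86_64
CentrifyDC-adbindproxy-0.0.0-0.x86_64'
SAMPLE_LEFTOVER='CentrifyDC-samba-0.0.0-0.x86_64
CentrifyDC-0.0.0-0.x86_64'

printf '%s\n' "$SAMPLE_OK" | check_packages && echo "sample 1: OK"
printf '%s\n' "$SAMPLE_LEFTOVER" | check_packages || echo "sample 2: needs attention"
```

On the migrated host, pipe `dzdo rpm -qa` into `check_packages` and call the other two functions with no argument so they inspect the real filesystem. Run `config_restored` before making any further edits to smb.conf.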
You’re all set. You are now running on stock samba with Centrify’s adbindproxy in place to help integrate samba with Centrify.
Centrify has some additional resources on this subject if you’re interested.
There’s a Samba Integration Guide that came with the adbindproxy download and can be found in the directory where we untarred the tgz file. You can also get this documentation from the Centrify website by going to:
There is also a video that goes over the process step by step that you can view below.
There are also some knowledge-base articles that are helpful with this process. You can find them in the community section of the website. Links to these KBs are listed below.