In this article I will demonstrate how to configure Centrify-enhanced Samba using adbindproxy.pl.  This is a new method for Centrify Server Suite 2016 as Centrify is no longer publishing a Centrify-enhanced Samba package with the agent installer. 

 

Why use Centrify-enhanced samba?

• So that AD users don't have to type their passwords when connecting to Samba shares (SSO via Kerberos).
• To restrict access to Samba shares based on an Active Directory security group.
• To maintain file ownership/permissions (Centrify-enhanced samba features an ID mapper to maintain UNIX attribute values such as UID and GID for AD users).

 

Background and context:

Since badlock, Centrify has shifted the Samba integration strategy to provide an identity mapper (adbindproxy) for Samba that integrates with the Centrify DirectControl agent.  Samba’s usual ID mapper (winbind) is designed to provide user and name resolution for the configuration in the Samba directory -- but this can have undesirable effects to a domain-joined system or systems (e.g. file ownership issues).  To resolve this, Centrify's adbindproxy mapper uses the UNIX identity data that resides in AD (as contained within Centrify Zones).

 

If this sounds complicated, fear not -- it's easy to configure!  Read on, and check out the video at the end of the article.

 

Preparation

• Review Centrify 2016 Samba Integration Guide
• Read the Centrify 2016 adbindproxy release notes (there's a great summary contained within!) 
• Obtain adbindproxy from the Centrify Customer Support Portal (version specific for your OS and platform)
• Ensure your Linux/UNIX system is joined to the domain, like this: 

[dwirth@cent7 ~]$ adinfo
Local host name:   cent7
Joined to domain:  centrify.vms
Joined as:         cent7.centrify.vms
Pre-win2K name:    cent7
Current DC:        dc.centrify.vms
Preferred site:    Demo-Network
Zone:              centrify.vms/centrifyse/Zones/Global/Engineering
CentrifyDC mode:   connected
Licensed Features: Enabled

• Lastly, should you wish to test a restricted share with authorization based on an Active Directory security group, you will also need to create a group in Active Directory.

 

Configuration 

At a high level, the configuration consists of three steps:

1. Install native Samba packages
2. Run adbindproxy.pl to reconfigure Samba to interoperate with the Centrify agent
3. Configure Samba to your liking (e.g. configure a samba share restricted by an Active Directory security group for authorization)

 

Step 1 - Install Samba:

 

My test system is a CentOS 7.2 machine, so I will install samba using yum:

 

yum install samba samba-client samba-common samba-winbind -y

 

Take a minute to review and familiarize yourself with the stock samba configuration:

 

more /etc/samba/smb.conf

(Note: No changes need to be made to the config at this time).

 

 

 Step 2 - Install and configure adbindproxy: 

 

Explode the tarball and install:

 

tar xvf centrify-adbindproxy-5.3.0-rhel4-x86_64-2.tar
rpm -Uvh centrifydc-adbindproxy-5.3.0-rhel4-x86_64.rpm

 

Next, let's run through the configuration.  adbindproxy is a perl script that will interactively ask you some questions in order to set up Centrify-enhanced samba for you.  

 

Executing the perl script: 

 

/usr/share/centrifydc/bin/adbindproxy.pl

 

 Creates the following interactive output:  

 

  adbindproxy.pl is used to configure the Samba to interoperate with
  Centrify's DirectControl product. It checks if the machine is joined to an AD domain.
  If not, it will prompt for the join operation. It also updates smb.conf and tdb files.

  For security reason, you will be prompted for password several times in
  order to perform different AD operations when running this script.


Please specify Samba's path if it is not in [/usr/] : 
Using (/usr/)
The Samba base path is : /usr/

Joined to Domain: centrify.vms
          Zone: centrify.vms/centrifyse/Zones/Global/Engineering
Do you want to leave and join to another domain? [N] : 
Using (N)

Remove Winbind settings (if any) from /etc/nsswitch.conf.
No Winbind settings found.
Removing old state files...

Please specify the stock samba winbindd listen path(dir) if it is not in [/run/samba/winbindd] : 
Using (/run/samba/winbindd)

Existing file '/etc/centrifydc/centrifydc.conf' is backed up as '/etc/centrifydc/centrifydc.conf.pre_adbindproxy'
Do you want to keep the original Samba settings?  [Y] : 
Using (Y)

Backup existing /etc/samba/smb.conf and add Centrify recommended settings? [Y] : 
Using (Y)
Updating smb.conf with Centrify recommended settings...
Existing file '/etc/samba/smb.conf' is backed up as '/etc/samba/smb.conf.2016-07-07-22-35-30'

Reset the Samba User/Group ID Cache (Centrify Samba may create conflicting mappings) [Y] : 

Init Samba start script ...
Restarting Samba daemons ...

Reloading systemd:                                         [  OK  ]
Restarting centrifydc-samba (via systemctl):               [  OK  ]

Current DirectControl Configuration:
Local host name:   cent7
Joined to domain:  centrify.vms
Joined as:         cent7.centrify.vms
Pre-win2K name:    cent7
Current DC:        dc.centrify.vms
Preferred site:    Demo-Network
Zone:              centrify.vms/centrifyse/Zones/Global/Engineering
Last password set: 2016-07-07 22:36:26 EDT
CentrifyDC mode:   connected
Licensed Features: Enabled

Current Samba Configuration:

LDAP server: 192.168.81.10
LDAP server name: dc.centrify.vms
Realm: CENTRIFY.VMS
Bind Path: dc=CENTRIFY,dc=VMS
LDAP port: 389
Server time: Thu, 07 Jul 2016 22:36:26 EDT
KDC server: 192.168.81.10
Server time offset: 45

Press ENTER to continue ...



Notes: If you need to join other domain, please re-run this script and enter a different domain name !

Done.

 

As you can see, it installs nicely with the defaults selected.  At this point I would suggest reviewing the samba configuration to see what changes adbindproxy has made: 

 

more /etc/samba/smb.conf

 

 Note that adbindproxy has created a test share: 

[samba-test]
    path = /samba/samba-test
    public = yes

    #  if set  public = No, we should  set parameter valid users .
    #  and when the user or group is in AD , the setting syntaxes is:
    #  valid users = CENTRIFY\username +CENTRIFY\group

    writable = yes

 

You can try navigating to it from a Windows machine on the domain and you'll be able to read and write to it. 

 

Step 3 (Optional) - Configure a samba share restricted by an Active Directory security group for authorization

 

Create the secured share in samba conf (as root or using dzdo): 

 

vi /etc/samba/smb.conf

 

Paste the following: 

 

[secured]
    path = /samba/secured
    comment = Samba secured share IT Members only
    public = no
    valid users = +CENTRIFY\IT_Members

    #  if set  public = No, we should  set parameter valid users .
    #  and when the user or group is in AD , the setting syntaxes is:
    #  valid users = CENTRIFY\username +CENTRIFY\group

    writable = yes

 Note: Replace "CENTRIFY\IT_MEMBERS" with your own domain and AD group name.

 

Create a directory for the new secured share:

 

mkdir /samba/secured

 

Put something in the directory for testing purposes, e.g.:

 

cp /tmp/samba/centrify-adbindproxy-guide.pdf /samba/secured/

 

 Restart Centrify-enhanced samba by running the following command as root or via dzdo:

 

/etc/init.d/centrifydc-samba restart

 

 

Finally, validate that only members of the specified AD group can access the share: 

 

 

Bonus! 

Here is a YouTube video demonstrating the configuration on a Ubuntu 16.04 machine: