- Users, Computers and File Sharing
- Configuring a Domain Server with Zentyal
- LDAP configuration options
- Managing Users, Groups and Computers
- User Template
- Configuring Zentyal as a Standalone Domain server
- Joining a Windows client to the domain
- Kerberos Authentication System
- Changing the user password
- Group Policy Objects (GPO)
- Joining Zentyal Server to an existing domain
- Total Migration
- Known Limitations
- Configuring a file server with Zentyal
Users, Computers and File Sharing
Zentyal integrates Samba4 [1] as a Directory Service, implementing Windows domain controller functionality and file sharing.
A Domain, in this context, consists of several services distributed across all the controllers, of which the LDAP directory, the DNS server and distributed authentication through Kerberos [2] are the most important.
The Domain concept in Zentyal is strongly related to the Microsoft Active Directory® implementation: there are servers replicating directory information and clients joined to the domain, which apply the policies assigned to their Organizational Unit (OU).
File sharing makes files available to users on the network, allowing them to work with, download or modify those files. Zentyal uses the SMB/CIFS protocol [3] to maintain compatibility with Microsoft clients. SMB/CIFS is also supported by most operating systems, including mobile platforms and many network devices.
Configuring a Domain Server with Zentyal
LDAP configuration options
This first section describes the functionality and information available in Zentyal’s LDAP directory using any of the domain operation modes. The next sections will describe how to configure and make use of the features of those modes.
By going to the Domain menu you can check the operation mode of your LDAP server before enabling the module. If you have already enabled Users, Computers and File Sharing, your server will operate as a Stand-alone server by default.
Once you have enabled the module, you can access Users and Computers ‣ LDAP settings, where the upper block shows some general LDAP information.
LDAP configuration in Zentyal
In the lower part, you can configure some PAM Settings.
By enabling PAM (Pluggable Authentication Modules) you allow the users configured in the directory to be valid users in the local server as well. This way, you can, for example, create a user in your directory and access the Zentyal server through SSH using those credentials.
Managing Users, Groups and Computers
By going to Users and Computers ‣ Manage you will see the LDAP tree. From this interface you can also create and delete nodes, manage the LDAP attributes and adjust the permissions for other LDAP-connected services.
On the left side, you can see the tree, with your “local” domain as the root. There are several Organizational Units already created.
- Computers: Hosts joined to the domain, both servers and desktops. This section is useful for inventory purposes and also to apply host-based rules.
- Groups: Generic OU container node for the groups in your organization.
- Users: Generic OU container node for the users in your organization.
- Domain Controllers: Servers that replicate this directory information; they can also hold the different FSMO roles of a Samba4/Active Directory domain.
An Organizational Unit is a container for other objects, like groups, users or even other nested OUs. It’s a concept closely related to the tree data structure and the different policies associated with each node. If you are not using Samba4/Active Directory capabilities, you probably don’t need to create new Organizational Units in your domain.
You can delete any node using the trash can icon or you can create a new one by clicking on a container and then on the green plus icon.
Adding a new user
It’s important to note that each time you create a user in the LDAP tree, a home directory for that user is created under /home/ in the file system of the server. If the directory already exists, you may have problems creating the user; move or remove the directory before creating the user if this is the case.
Contacts are personal information objects not related to the authorization mechanism. In other words, contacts will not be able to log in to the domain services.
On the right side you can see and modify the LDAP attributes of the currently selected node, for example, the last name of a user. If you are using a Commercial Edition of Zentyal, you can also upload a profile photo for the user from here.
Clicking on a user, you can also modify the user’s membership of the different groups and make use of the user plugins. At the bottom right of the interface you will see a section named Modules Configuration; it has a variable number of subsections, depending on the Zentyal modules installed and enabled. From here, you can modify the parameters of each module that apply to this user. The default configuration of the user plugins depends on the User Template explained below.
Mail user plugin interface
Clicking on a group, you can also modify the users belonging to the group, create mail distribution lists and change the type of group. A Security Group (the default) contains users that will be able to log in to the domain services; a Distribution Group contains users that are used for other purposes, such as mail lists.
Editing a group
User Template
By going to Users and Computers ‣ User Template you can modify the default service settings for new users, for example, the default domain for their mail account. It’s important to note that any modification will only be applied to users created after changing the template. The number of sections is variable, depending on the user-related Zentyal modules present on your system.
Configuring Zentyal as a Standalone Domain server
Before enabling the Users, Computers and File Sharing module you need to check certain server settings. The reason is that the Domain is provisioned during module activation: the LDAP, DNS and Kerberos data is initialized, creating all the LDAP objects, Kerberos security principals, DNS zones and so on. The operation can be reverted, but doing so is considerably harder than disabling and re-enabling other modules.
Before enabling the Users, Computers and File Sharing module for the first time, make sure that:
- You have configured the operation mode (by default Domain Controller), but you can also configure your server to be an additional controller joined to another node. In the latter case, configure the server role and credentials to join the domain before enabling the module and look at the other instructions below. If this server is the first (or the only) Domain Controller, you don’t have to modify anything.
Configuring Zentyal as the Standalone Domain Controller
- Your local domain and host name parameters are correct. You can check this from System ‣ General, Hostname and Domain section. If you want to change this data, save changes and reboot the machine before enabling the module.
Checking Host Name and Domain
- In the DNS module configuration, you have a “local” domain that matches the one configured in System ‣ General. This domain has to contain the server Hostname as an A record (inside the Hostnames section), and that hostname has to have at least one local IP address. You have to associate all the internal IP addresses on which you want to provide Domain services with the server’s DNS hostname.
zentyal hostname inside the zentyal-domain.lan DNS domain, pointing to all the internal IP addresses
- NTP module is installed and enabled, and your clients are receiving NTP information from the server, preferably via DHCP.
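The checklist above, plus the hostname/NETBIOS rule from the Known Limitations section, can be turned into a small pre-provisioning script. This is an added example, not part of the Zentyal documentation or the Zentyal code base; it assumes a standard Ubuntu host where `hostname -s`, `hostname -d`, `hostname -I` and `getent` are available, and that the resolver configured on the machine is Zentyal's own DNS module. The pure checks take their input as arguments, so they can be exercised without a domain.

```shell
#!/bin/sh
# Added example (not Zentyal's own code): sanity checks to run before enabling
# the Users, Computers and File Sharing module for the first time.

# Returns 0 when HOST and DOMAIN are usable together, 1 otherwise.
# Encodes the known limitation that the NETBIOS name (the leftmost label of
# the domain) must not equal the hostname: "zentyal" + "zentyal.lan" is
# rejected, "zentyal" + "zentyal-domain.lan" is accepted.
check_domain_names() {
    host=$1
    domain=$2
    case "$host" in
        ''|*.*) echo "hostname must be a single non-empty label" >&2; return 1 ;;
    esac
    case "$domain" in
        *.*) ;;
        *) echo "domain '$domain' must contain at least one dot" >&2; return 1 ;;
    esac
    netbios=${domain%%.*}
    if [ "$host" = "$netbios" ]; then
        echo "hostname '$host' clashes with NETBIOS name '$netbios'" >&2
        return 1
    fi
    return 0
}

# Returns 0 when every address in RESOLVED (space separated) is also present
# in LOCAL (space separated), i.e. the FQDN points only at addresses this
# server actually holds. An address that is not local (for example a public
# IP published for the same name) is exactly what causes replication trouble
# later, so it is reported and the check fails.
addresses_are_local() {
    resolved=$1
    local_addrs=$2
    for a in $resolved; do
        found=0
        for l in $local_addrs; do
            [ "$a" = "$l" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "FQDN resolves to $a, which is not a local address" >&2
            return 1
        fi
    done
    return 0
}

# Live checks against this host. Only run when invoked as: sh precheck.sh --run
main() {
    host=$(hostname -s)
    domain=$(hostname -d)
    check_domain_names "$host" "$domain" || exit 1
    fqdn="$host.$domain"
    # getent ahostsv4 prints one line per address; keep the unique addresses.
    resolved=$(getent ahostsv4 "$fqdn" | awk '{print $1}' | sort -u | tr '\n' ' ')
    [ -n "$resolved" ] || { echo "$fqdn does not resolve" >&2; exit 1; }
    addresses_are_local "$resolved" "$(hostname -I)" || exit 1
    echo "OK: $fqdn -> $resolved"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it with `--run` on the Zentyal host before enabling the module; a non-zero exit means the names or the DNS data need fixing first. The script deliberately does not check time synchronization, which is better verified on the clients (they should obtain NTP from the server, ideally via DHCP).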
Once you have enabled Users, Computers and File Sharing you can provide File Sharing functionality, join Windows clients to your Zentyal server, configure and link Group Policy Objects, and accept connections from additional controllers, either Windows Server® or Zentyal.
Probably one of the first operations you need to perform in your domain is to create a user in the directory and add it to the *Domain Admins* group, which gives that user full effective permissions over the domain.
Joining a user to the Domain Admins group
Joining a Windows client to the domain
The process of joining a Windows client to your domain is identical to joining a domain run by Windows Server®.
First of all, you need to use the Domain Admin user that you previously created.
Now, accessing the Windows client:
- Make sure the Zentyal server and the Windows client can reach each other through a local network
- Make sure the Windows client has Zentyal as its DNS server
- Make sure both server and client are accurately time-synchronized using NTP
After checking the preconditions, you can join the domain the usual way.
Joining a domain with Windows
You will then enter the Domain Admin user to join.
Domain Admin credentials
After the process is complete, the Windows host will appear under the Computers OU and will apply the configured GPOs and obtain Kerberos tickets automatically (see the Kerberos section below).
Windows host in the LDAP tree
Now you can log in to your Windows client using the users created in Zentyal’s LDAP.
Kerberos Authentication System
Kerberos is an automatic authentication service that integrates with Samba4/Active Directory and all the compatible services across your domain.
The client only needs to provide credentials once to obtain the “main” ticket, the Ticket Granting Ticket (TGT).
This is done automatically with a Windows client joined to the domain: the login credentials are sent to a Domain Controller (any of them) and, if the LDAP user is correct, the controller automatically provides the TGT to the client, along with the other tickets needed for file sharing.
You can list the tickets currently active in your client using the command ‘klist’.
Kerberos tickets after domain login
On Debian/Ubuntu systems it is also possible to obtain the Kerberos TGT by installing the heimdal-clients package.
Obtaining Kerberos TGT in Ubuntu
Once the client has obtained the Kerberos TGT, all the other Kerberos-compatible services in your domain will accept Kerberos tickets, which are issued automatically on demand to authenticate the user.
This mechanism has two main advantages:
- Security: Passwords are protected while they travel across the local network; the system is robust against sniffing and replay.
- Convenience: The user only needs to provide credentials once; the other authentication tickets are obtained transparently.
Zentyal services currently compatible with Kerberos authentication:
- File Sharing (SMB/CIFS)
- Electronic mail
Changing the user password
Zentyal’s administrator can change the password of any user from the web interface. In most cases, however, it is more convenient for the user to have the means to change their own password without having to notify the administrator.
If you are using a Windows client joined to the Samba domain, you can directly change the password after logging in as a domain user, and this change will be reflected on the server.
From a Linux client, you need to install the package heimdal-clients and then run:
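The command that follows the sentence above is missing from this copy of the page. As an added example that is not part of the Zentyal documentation, the script below shows the Kerberos client workflow on a Linux host with the heimdal-clients package installed, covering both obtaining and listing the TGT (the Kerberos section above) and changing one's own password. It uses the Heimdal tools `kinit`, `klist` and `kpasswd`, and assumes the Samba4 convention that the Kerberos realm is the DNS domain in upper case (for example zentyal-domain.lan gives the realm ZENTYAL-DOMAIN.LAN); the user and domain names are arguments you supply.

```shell
#!/bin/sh
# Added example (not from the Zentyal documentation): Kerberos client
# workflow with heimdal-clients. Assumed convention: realm = domain in
# upper case, e.g. zentyal-domain.lan -> ZENTYAL-DOMAIN.LAN.

# Prints the Kerberos principal for USER in DOMAIN, e.g.
# principal_for alice zentyal-domain.lan -> alice@ZENTYAL-DOMAIN.LAN
principal_for() {
    user=$1
    domain=$2
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    printf '%s@%s\n' "$user" "$realm"
}

# Obtains the TGT (kinit prompts for the password once) and then lists the
# ticket cache, which is what the "klist" screenshot above shows.
kerberos_login() {
    princ=$(principal_for "$1" "$2")
    kinit "$princ" || return 1
    klist
}

# Returns 0 if the cache holds an active, valid TGT (Heimdal klist -t/--test).
# Useful in scripts before touching SMB shares or mail, which will otherwise
# fall back to prompting for a password.
has_valid_tgt() {
    klist -t >/dev/null 2>&1
}

# Changes the user's own password through the KDC: kpasswd asks for the
# current password and then for the new one twice. The change is written to
# the directory and replicates to all domain controllers.
kerberos_change_password() {
    princ=$(principal_for "$1" "$2")
    kpasswd "$princ"
}

# Usage: sh krb.sh login alice zentyal-domain.lan
#        sh krb.sh passwd alice zentyal-domain.lan
case "${1:-}" in
    login)  kerberos_login "$2" "$3" ;;
    passwd) kerberos_change_password "$2" "$3" ;;
esac
```

Note that `kpasswd` changes the password through the Kerberos password service, so it works from any Linux client that can reach a Domain Controller, with no need for the Zentyal web interface; the domain's complexity and expiry policies still apply.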
Group Policy Objects (GPO)
Group Policy Objects are policies associated with containers of the Domain.
Using GPOs you can automatically configure and enforce policies, either global policies for the whole domain or specific policies for Organizational Units or Sites.
Typical uses of the GPOs include:
- Installing and upgrading software packages without user intervention
- Configuring a HTTP Proxy in the browsers or the Certification Authority of the domain
- Deploying scripts to be executed in the client at login or logoff time
- Restricting part of the configuration of the Windows client to the user
It’s possible to create and enforce any GPO using a Windows client joined to the domain. To do so, install the Microsoft RSAT tools and log in to the client using the Domain Admin LDAP account; you then use the RSAT interface to design the desired GPO.
Managing GPO from RSAT tools in a Windows client
By using this tool, the GPOs will be automatically added to the domain SYSVOL and enforced by the Zentyal server.
Joining Zentyal Server to an existing domain
Thanks to its Samba4 integration, Zentyal is able to become an Additional Controller of an existing domain, joining a Windows Server® or any Samba4-based controller, such as another Zentyal server.
After domain join, LDAP, the DNS domain associated with Samba (local domain) and Kerberos information will be transparently replicated.
There are some points to verify before joining another controller:
- Zentyal’s local LDAP data will be destroyed, since it will be overwritten with the domain LDAP information
- All the controllers have to be accurately time-synchronized, preferably using NTP
- When the users are synchronized from the other controller, Zentyal will create their home directories under /home/; check that these will not collide with pre-existing home directories
- All the controllers have to belong to the same domain
- DNS configuration is critical: other domain controllers will try to push information to the IP provided by your DNS system
If you have external IPs associated with your hostname (e.g. zentyal.zentyal-domain.lan), you may face synchronization problems if any of the controllers tries to use that IP to push data. Even if you only have several internal IPs, you may have the same problem, because the DNS system answers queries in round-robin order. If that is your case, you may want to uncomment sortlist = yes in the /etc/zentyal/dns.conf file and restart the DNS server. This way, the DNS system will always put the IP that matches the query's network first.
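Two of the points above (the home directory collision warning, which also applies when creating users by hand, and the sortlist setting) are easy to automate. The script below is an added example and not Zentyal's own tooling; the user list and the dns.conf contents it works on are constructed for the demonstration, and it assumes that /etc/zentyal/dns.conf is a flat key = value file in which the directive is shipped as a commented `# sortlist = yes` line (appending the line when it is absent is an assumption too).

```shell
#!/bin/sh
# Added example (not Zentyal's own code): checks before joining an existing
# domain as an additional controller.

# Prints each USER (remaining arguments) that already has a directory under
# HOMEROOT (first argument), so it can be moved aside before the join.
# Returns 1 if at least one collision was found, 0 otherwise.
find_home_collisions() {
    homeroot=$1
    shift
    rc=0
    for u in "$@"; do
        if [ -e "$homeroot/$u" ]; then
            echo "$homeroot/$u"
            rc=1
        fi
    done
    return $rc
}

# Makes "sortlist = yes" active in CONF: uncomments it when it is commented
# out, appends it when absent (assumed flat key = value format), and leaves
# the file untouched when it is already active. Returns 0 if the directive
# is active afterwards. Works with a temporary file so it does not depend on
# GNU sed's -i option.
enable_sortlist() {
    conf=$1
    active='^[[:space:]]*sortlist[[:space:]]*=[[:space:]]*yes'
    commented='^[[:space:]]*#[[:space:]]*(sortlist[[:space:]]*=[[:space:]]*yes)'
    if grep -Eq "$active" "$conf"; then
        return 0
    fi
    if grep -Eq "$commented" "$conf"; then
        sed -E "s/$commented/\\1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'sortlist = yes\n' >> "$conf"
    fi
    grep -Eq "$active" "$conf"
}

# Usage on the Zentyal host, with the user names exported from the other
# controller passed as arguments:
#   sh prejoin.sh --run alice bob carol
if [ "${1:-}" = "--run" ]; then
    shift
    if ! find_home_collisions /home "$@"; then
        echo "move or remove the directories above before joining" >&2
        exit 1
    fi
    enable_sortlist /etc/zentyal/dns.conf && echo "sortlist enabled; restart the DNS module"
fi
```

After `enable_sortlist` changes the file, the DNS server still has to be restarted for the new ordering to take effect, as the text above says.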
Once you have checked all the points, you can join the domain from the Domain menu.
Joining the domain as an additional controller of a Windows Server
Saving the changes will take longer than usual, because Samba4 will be reprovisioned and all the domain information replicated.
Zentyal LDAP tree synchronized with the Windows Server
Exploring the LDAP tree from the Windows Server will also show the new domain controller.
Windows LDAP tree showing the new controller
From now on, the Samba local DNS domain, LDAP and Kerberos information will be synchronized in both directions. You can manage the LDAP information (users, groups, OUs) on any of the controllers and the changes will be replicated to the others.
The process of joining another Zentyal server is exactly the same.
Total Migration
All the domain controllers hold the domain information mentioned above; however, some specific roles belong to a single server host. These are called FSMO roles or Operations Masters.
Operations Masters are critical to the functioning of the domain. There are five FSMO roles:
- Schema master: LDAP schema master, defines and pushes updates of the LDAP format
- Domain naming master: Creates and Deletes the domains of the forests
- Infrastructure master: Provides domain-unique GUID, SID and DN IDs
- Relative ID Master: Relative IDs assigned to the Security Principals
- PDC Emulator: Compatibility with Windows 2000/2003 hosts, root time server
Using the Total Migration script you can transfer all these roles to a Zentyal server joined to the domain.
From the /usr/share/zentyal-samba directory you execute:
From now on, Zentyal is the only critical controller in the domain, and all the features should continue working even if you turn off the other controllers, apart from scalability and network considerations.
Known Limitations
It’s important to check the list of current known limitations of Samba4 before planning your domain:
- Only one domain in the forest, Samba doesn’t support multiple domains or multiple forests
- The functional level of the forest and the domain has to be at least 2003 R2; the current maximum is 2008 R2
- Your hostname cannot match your NETBIOS name. The NETBIOS name is generated from the leftmost label of the domain, so if your hostname is ‘zentyal’ your domain cannot be ‘zentyal.lan’, but it could be ‘zentyal-domain.lan’
- Trust relationships between domains and forests are not supported
- GPOs will not be synced, but this can be worked around manually following the official Samba documentation: https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
- Users with non-ASCII names are not supported (accent marks, hyphen, special characters)
Configuring a file server with Zentyal
Once the Users, Computers and File Sharing module is enabled (either as a Domain Controller or as an Additional Domain Controller), your server can act as an SMB/CIFS file server.
By default each LDAP user has a personal home directory under /home/ on the server. If the Users, Computers and File Sharing module is active, this directory will be accessible to that user (and only to that user) through SMB/CIFS. Furthermore, if a Windows client host is joined to the domain, this directory will be automounted as drive H:.
To create a shared directory, go to File Sharing ‣ Shares and click Add new.
Adding a new share
Shared directories can be edited using Access control. By clicking on Add new, you can assign read, read/write or administration permissions to a user or group. If a user is an administrator of a shared directory, they can read, write and delete any user’s files within that directory.
Adding a new ACL (Access Control List)
If you want to store deleted files in a special directory called RecycleBin, you can check the Enable recycle bin box in File Sharing ‣ Recycle bin. If you do not want to use this for all shared resources, you can add exceptions using Resources excluded from Recycle Bin. Other default settings for this feature, such as the directory name, can be modified in the file /etc/zentyal/samba.conf.
In the Antivirus menu you can enable virus scanning for your shared files. You can also add exceptions for folders that do not require a virus check. You need to have the Antivirus module installed and enabled to use this feature. The check is done in real time when a file is accessed, resulting in an access denied error if the file is infected.
Antivirus configuration for shared files
As you can see in the image, to prevent access to infected files you need to enable Enable On-Access Prevention. By default, the /home path is included recursively, which also covers /home/samba/shares, where the Zentyal shares live. An exclusion rule for /home/admin has been added manually, as well as an inclusion rule for the FTP data path, which is outside /home and therefore has to be included explicitly.
SMB/CIFS is a very common protocol that can be used natively on any Windows client, most flavors of Linux (using the Nautilus file manager, for example), Android™ and iOS.
Furthermore, the File Sharing daemon is tightly integrated with the Kerberos subsystem (see Kerberos Authentication System above), meaning that if your client is joined to the domain or has acquired the Kerberos TGT by other means, the ACLs explained above will be honored without any user intervention.