Tuesday, 16 April 2013

Login Security Part 2 - Setting up a Solaris 11 system to authenticate to AD using Samba

Setting up a Solaris 11 system to authenticate to AD using Samba:
  1. Add to /etc/system and reboot (this is a once-off step, done on the global zone only)
  2. vi /etc/samba/smb.conf*
  3. mv /etc/pam.conf /etc/pam.conf.bak
  4. mv /etc/pam.conf-winbind /etc/pam.conf
  5. svccfg -s name-service/switch
    > setprop config/password = "files winbind"
    > setprop config/group = "files winbind"
    > exit
  6. svcadm refresh name-service/switch
  7. net join -U ADUserThatCanAddToDomain -S ADDomainControllerName
  8. svcadm enable samba winbind
  9. getent passwd (verify that the AD users are now listed)


*Truncated smb.conf:

[global]
        workgroup = <HELLO>
        #realm = <HELLO.COM>
        encrypt passwords = yes
        netbios aliases = <hostname>
        server string = <hostname>
        security = DOMAIN
        auth methods = winbind
        password server = <ADDomainControllerIP>
        unix password sync = Yes
        log level = 2 vfs:3
        syslog = 2
        log file = /var/log/samba/smb-%U-%M.log
        max xmit = 65535
        name resolve order = host bcast
        deadtime = 15
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        load printers = No
        disable spoolss = Yes
        show add printer wizard = No
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        ldap ssl = no
        socket address =
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = yes
        hide special files = Yes
        hide unreadable = Yes
        veto files = /lost+found/samba_recycle_bin/
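The following script is an added example and is not part of the original post: it pulls the nine steps above into one function that stops at the first failure, and it checks the smb.conf template for the settings the join depends on before touching PAM or the name-service switch. The list of settings it checks is my selection from the truncated smb.conf, the sample config in the usage notes is constructed, and feeding the two setprop lines to svccfg on stdin (rather than typing them interactively as in step 5) is an assumption. The Solaris commands only run when the script is invoked as "join ADUser DCName".

```shell
#!/bin/sh
# Added example, not the post's own procedure script.
# check_smb_conf FILE: confirm the settings the domain join relies on are present
# (my selection from the truncated smb.conf) and that the workgroup placeholder
# from the template has been replaced. Returns 0 when all is well, 1 otherwise.
check_smb_conf() {
    conf="$1"
    missing=""
    for want in "security=DOMAIN" "auth methods=winbind" "idmap uid=10000-20000" \
                "idmap gid=10000-20000" "winbind use default domain=yes"; do
        key="${want%%=*}"
        val="${want#*=}"
        # leading blanks, key, optional blanks, '=', optional blanks, value (case-insensitive)
        if ! grep -Eiq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${val}[[:space:]]*$" "$conf"; then
            missing="$missing $want"
        fi
    done
    if [ -n "$missing" ]; then
        echo "smb.conf missing:$missing" >&2
        return 1
    fi
    # the template ships with workgroup = <HELLO>; a real config must not keep the <...>
    if grep -Eq '^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*<' "$conf"; then
        echo "smb.conf: workgroup still holds the <...> placeholder" >&2
        return 1
    fi
    return 0
}

# join_domain ADMIN_USER DC_NAME: steps 3 to 9 of the post, in order, stopping on failure.
# Step 1 (/etc/system + reboot on the global zone) and step 2 (editing smb.conf) are
# assumed to be done already.
join_domain() {
    admin="$1"; dc="$2"
    check_smb_conf /etc/samba/smb.conf || return 1
    mv /etc/pam.conf /etc/pam.conf.bak || return 1             # step 3
    mv /etc/pam.conf-winbind /etc/pam.conf || return 1         # step 4
    # step 5: the same setprop lines as the interactive session, fed on stdin (assumption)
    svccfg -s name-service/switch <<'EOF' || return 1
setprop config/password = "files winbind"
setprop config/group = "files winbind"
EOF
    svcadm refresh name-service/switch || return 1             # step 6
    net join -U "$admin" -S "$dc" || return 1                  # step 7
    svcadm enable samba winbind || return 1                    # step 8
    # step 9: show the users winbind mapped into the idmap range set in smb.conf
    getent passwd | awk -F: '$3 >= 10000 && $3 <= 20000 { print $1 }'
}

# Only perform the join when asked for explicitly; sourcing the file just defines the functions.
if [ "${1:-}" = "join" ]; then
    join_domain "$2" "$3"
fi
```

Run it as `sh join-ad.sh join ADUserThatCanAddToDomain ADDomainControllerName`; the check function can also be called on its own against a candidate smb.conf before the change window, which is where the placeholder and missing-setting mistakes usually surface.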

Friday, 5 April 2013

Login Security Part 1

I'm busy looking at how we allow users to log into our systems and at improving it. This post explains how it's done currently.

Well, first of all, there are two ways we let users access our Solaris machines: SSH and Samba. So running "netservices limited" pretty much closes down all the unnecessary services like FTP and rlogin.

Secondly, we want users to log in using their AD accounts. LDAP methinks is the most popular way to do this, but here we have a Samba/Winbind implementation, where our UNIX server is joined to the AD domain. It's pretty simple - when it works. When it doesn't, it can be frustrating. I'll do a separate post on setting up the Samba/Winbind AD integration.

Lastly, when any user logs in (except root), a menu comes up. The user has to choose the relevant application user (e.g. oracle, ctma, uptime) and is switched to it. When the user logs out of the application user, it's back to the menu. Exit the menu and the user is logged out.

The menu logs the user into the application user using ssh with key authentication, so the only password the user has to know is the AD password. Effectively the only thing a user can do as themselves on the machine is choose which application user to change to.

Notes:

  1. Access to Samba shares is controlled using /etc/samba/smb.conf.
  2. Access to SSH login is controlled using the AllowUsers option in /etc/ssh/sshd_config and by setting up key authentication for the user.
  3. Because the change from user to application user is done using ssh, this screws with auditing.
*Most of this setup was in place when I got here, so I can't really take any credit for it.
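As an added example (not the author's actual menu script), here is a minimal version of the login menu described above: the AD user picks an application user from a fixed allowlist and is switched to it with ssh key authentication. It also records each choice in syslog before the ssh hop, which is the simplest way to keep the AD-user to application-user mapping on record given note 3 about auditing. The allowlist contents, the key path ~/.ssh/id_rsa and the syslog message format are assumptions; the menu loop only runs when the script is invoked with "run".

```shell
#!/bin/sh
# Added example, not the post's own menu. The application users are the three
# named in the post; the key path and log format are assumptions.
APP_USERS="oracle ctma uptime"

# resolve_choice CHOICE: map a menu number or a name to an application user.
# Prints the user and returns 0, or returns 1 for anything not on the allowlist,
# so the ssh target can never be supplied free-form by the person at the menu.
resolve_choice() {
    i=1
    for u in $APP_USERS; do
        if [ "$1" = "$i" ] || [ "$1" = "$u" ]; then
            echo "$u"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# run_menu: show the menu until the user quits; each selection is logged, then
# the switch is done over ssh with the key the post describes (no password prompt).
run_menu() {
    while :; do
        echo "Application users:"
        i=1
        for u in $APP_USERS; do
            echo "  $i) $u"
            i=$((i + 1))
        done
        echo "  q) logout"
        printf 'Choice: '
        read -r choice || choice=q
        [ "$choice" = "q" ] && return 0
        if target=$(resolve_choice "$choice"); then
            # Audit trail for the hop that otherwise hides who became the application user.
            # SSH_CLIENT is set by sshd for SSH sessions; "console" covers the rest.
            logger -p auth.info "login-menu: $(id -un) -> $target from ${SSH_CLIENT:-console}"
            ssh -i "$HOME/.ssh/id_rsa" "$target@localhost"
        else
            echo "invalid choice: $choice" >&2
        fi
    done
}

# Only start the interactive loop when asked for explicitly.
if [ "${1:-}" = "run" ]; then
    run_menu
fi
```

Set as a user's login shell (or called from their profile with "run"), this gives the same experience the post describes; the logger line means the /var/log auth records can be tied back to the AD account even though the application user's session itself shows up as an ssh login from localhost.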