How to set up Samba as a Primary Domain Controller ...

How to set up Samba as a Primary Domain Controller   

A domain controller is a server which groups multiple computers to centralize their authentication system. When you are using a domain controller, you don't login to your computer, but instead login to the domain controller. Every authentication request is handled by the Primary Domain Controller (PDC).

 

Usually you hear about PDC using a Windows based server. In this tutorial, I'll describe how to set up a PDC using Samba, which is based on Linux.

 

There are four main steps for setting up Samba as a PDC:

• Install Samba
• Configure /etc/samba/smb.conf
• Add domain users
• Register all Windows computers with Samba PDC.

1. Samba Installation

If you are using a Debian based Linux, run the following command on the terminal window to install Samba:

$ sudo apt-get install samba
$ sudo apt-get install samba-common
$ sudo apt-get install samba-common-bin

 

If you are using a Red Hat based Linux, you may use rpm or yum package manager to install Samba.

2. Samba Configuration

The main configuration of Samba server is found in /etc/samba/smb.conf. For a PDC server, there are three part of the file which you need to configure: global, netlogon, and homes.
Before you start modifying the configuration file, I suggest you back up the existing Samba configuration file.

$ sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.old

Configuring [global] parameters

[global]
 workgroup = sambadomain 
 netbios name = sambapdc 
 server string = Samba PDC 
 domain master = yes 
 preferred master = yes 
 domain logons = yes 
 add machine script = /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u 
 security = user 
 encrypt passwords = yes 
 wins support = yes 
 name resolve order = wins lmhosts hosts bcast 

 logon path = \\%N\%U\profile 
 logon drive = H: 
 logon home = \\%N\%U

Change the names of the workgroup and the PDC according to your environment, so that they correspond to the actual values in your network. If you have another Wins server on your network, remove "wins support = yes", because having more than one causes a problem. "wins support = yes" means Samba acting as a Netbios server.

Creating LMHOSTS file

Don't forget to register your domain IP address to the LMHOSTS file. The LMHOSTS file is a mapper between the IP address of the domain controller and Netbios name. When you add a Windows computer to the SAMBADOMAIN, Windows tries to find the PDC's IP address. If Windows fails to find the PDC's IP address, then you won't be able to register a computer with the PDC.
The LMHOSTS file should be created and placed in /etc/samba/lmhosts. The content of LMHOSTS file is similar to /etc/resolv.conf file, except that you need to register the Netbios name instead of the host name. For example, if your PDC has an IP address 10.10.101.1 with sambadomain as workgroup name, and sambapdc as the Netbios name, the content of the lmhosts file should look like the following:

10.10.101.1 sambadomain
10.10.101.1 sambapdc

After creating /etc/samba/lmhosts, re-run the nmbd daemon as follows:

$ sudo nmbd -H /etc/samba/lmhosts -D

Configuring [netlogon] parameters

[netlogon]
 path = /var/lib/samba/netlogon 
 browseable = no 
 read only = no 
 create mask = 0700 
 directory mask = 0700 
 valid users = %S 

/var/lib/samba/netlogon is a startup directory for PDC logon. When users login to the Samba PDC, a script called netlogon.bat in the directory will be executed.

$ sudo mkdir -m 0755 /var/lib/samba/netlogon

 

For example, if you want to automatically mount a network drive from the PDC, Create the following netlogon.bat script in /var/lib/samba/netlogon

1 2	## Samba Logon Script net use x: \\sambapdc\share

Configuring [homes] parameters

This is a configuration file for PDC user's home directory.

[homes]
 valid users = %S 
 guest ok = yes 
    read only = yes 

Testing the configuration file

After saving all configuration files, test your configuration with the following command:

$ sudo testparm

If there is any syntax error detected, fix it and restart Samba.

3. Adding Domain Users

Adding admin user and group for the PDC

In Linux, admin user is the root user. So you need to run the following command to add the root user as the Samba admin:

$ sudo smbpasswd root

You should not use the same password as the Linux root user.

Create a machines group

The next step is to create a group called "machines".

$ sudo groupadd -g machines

Samba will automatically add users to this group, as long as you configure "add machine script" correctly in [global] section in /etc/samba/smb.conf.

Create a Linux Account for PDC login

You need to create a user on PDC for domain login. In this example, I will create an account that disables Linux login. So every access to the PDC must be done via Samba.
For example, creating user "arsalan":

$ sudo smbpasswd -a arsalan

Enter the same password twice.
You need to activate the user with the following command:

$ sudo smbpasswd -e dan

Grant user "arsalan" to login to the PDC:

$ sudo net rpc rights grant "SAMBADC\dan" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

$ sudo net groupmap add ntgroup="Administrator" unixgroup=root rid=512 type=d

4. Register Windows Computers with the Samba PDC

Under Windows computer properties, change the domain name to sambadomain. Reboot your Windows PC, and try to login with SAMBADC/arsalan. If you successfully login, then your Samba PDC is ready.

Referred from open source article

Advanced SSH security tips and tricks

The SSH server configuration file is located in /etc/ssh/sshd_conf. You need to restart the SSH service after every change you make to that file in order for changes to take effect.

Change SSH listening port
By default, SSH listens for connections on port 22. Attackers use port scanner software to see whether hosts are running an SSH service. It's wise to change the SSH port to a number higher than 1024 because most port scanners (including nmap) by default don't scan high ports.
Open the /etc/ssh/sshd_config file and look for the line that says:
Port 22
Change the port number and restart the SSH service:
/etc/init.d/ssh restart

Allow only SSH protocol 2
There are two versions of the SSH protocol. Using SSH protocol 2 only is much more secure; SSH protocol 1 is subject to security issues including man-in-the-middle and insertion attacks. Edit /etc/ssh/sshd_config and look for the line that says:
Protocol 2,1
Change the line so it says only protocol 2.

Allow only specific users to log in via SSH
You should not permit root logins via SSH, because this is a big and unnecessary security risk. If an attacker gains root login for your system, he can do more damage than if he gains normal user login. Configure SSH server so that root user is not allowed to log in. Find the line that says:
PermitRootLogin yes

Change yes to no and restart the service. You can then log in with any other defined user and switch to user root if you want to become a superuser.

It is wise to create a dummy local user with absolutely no rights on the system and use that user to login into SSH. That way no harm can be done if the user account is compromised. When creating this user, make sure it's in the wheel group, so that you can switch to superuser.
If you would like to have a list of users who are the only ones able to log in via SSH, you can specify them in the sshd_config file. For example, let's say I want to allow users anze, dasa, and kimy to log in via SSH. At the end of sshd_config file I would add a line like this:
AllowUsers anze dasa kimy

Create a custom SSH banner
If you would like any user who connects to your SSH service to see a specific message, you can create a custom SSH banner. Simply create a text file (in my example in /etc/ssh-banner.txt) and put any kind of text message in it; for example:

*****************************************************************
*This is a private SSH service. You are not supposed to be here.*
*Please leave immediately. *
*****************************************************************
When done editing, save the file. In the sshd_conf file, find a line that says:
#Banner /etc/issue.net

Uncomment the line and change the path to your custom SSH banner text file.

Using DSA public key authentication

Instead of using login names and passwords for SSH authentication, you can use DSA public keys for authentication. Note that you can have both login names and DSA public key authentication enabled at the same time. Having a DSA public keys authentication enabled makes your system bulletproof against dictionary attacks, because you don't need a login name and password to log in into SSH service. Instead, you need a pair of DSA keys -- one public and one private. You keep the private key on your machine and copy the public key to the server. When you want to log in to an SSH session, the server checks the keys, and if they match, you are dropped into the shell. If the keys don't match, you are disconnected.

In this example the private machine (from which I will connect to the server) is station1 and the server machine is server1. On both machines I have the same home folder; this won't work if the home folders are different on client and server machine. First you need to create a pair of keys on your private machine with the command ~$ ssh-keygen -t dsa. You'll be prompted for a pass-phrase for your private key, but you can leave it blank because this is not a recommended method. A key pair is generated: your private key is located in ~/.ssh/id_dsa and your public key is located in .ssh/id_dsa.pub.

Next, copy the contents of ~/.ssh/id_dsa.pub to server1 into the ~/.ssh/authorized_keys file. The content of ~/.ssh/id_dsa.pub file should look something like this:
~$ cat .ssh/id_dsa.pub

 ssh-dss AAAAB3NzaC1kc3MAAACBAM7K7vkK5C90RsvOhiHDUROvYbNgr7YEqtrdfFCUVwMWcJYDusNG
AIC0oZkBWLnmDu+y6ZOjNPOTtPnpEX0kRoH79maX8NZbBD4aUV91lbG7z604ZTdrLZVSFhCI/Fm4yROH
Ge0FO7FV4lGCUIlqa55+QP9Vvco7qyBdIpDuNV0LAAAAFQC/9ILjqII7nM7aKxIBPDrQwKNyPQAAAIEA
q+OJC8+OYIOeXcW8qcB6LDIBXJV0UT0rrUtFVo1BN39cAWz5puFe7eplmr6t7Ljl7JdkfEA5De0k3WDs
9/rD1tJ6UfqSRc2qPzbn0p0j89LPIjdMMSISQqaKO4m2fO2VJcgCWvsghIoD0AMRC7ngIe6btaNIhBbq
ri10RGL5gh4AAACAJj1/rV7iktOYuVyqV3BAz3JHoaf+H/dUDtX+wuTuJpl+tfDf61rbWOqrARuHFRF0
Tu/Rx4oOZzadLQovafqrDnU/No0Zge+WVXdd4ol1YmUlRkqp8vc20ws5mLVP34fST1amc0YNeBp28EQi
0xPEFUD0IXzZtXtHVLziA1/NuzY= 

If the file ~/.ssh/authorized_keys already exists, append the contents of the file ~/.ssh/id_dsa.pub to the file ~/.ssh/authorized_keys on server1. The only thing left to do is to set the correct permissions of ~/.ssh/authorized_keys file on server1:

~$ chmod 600 ~/.ssh/authorized_keys

Now, configure the sshd_conf file to use the DSA keys authentication. Make sure you have the following three lines uncommented:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

Restart the service. If you configured everything correctly, you should now be able to SSH to your server and fall directly into your home folder without any interaction.
If you would like to use DSA authentication only, make sure you uncomment and change the

PasswordAuthentication line in sshd_config from yes to no:
PasswordAuthentication no

If anyone tries to connect to your SSH service and doesn't have a public key on the server, he will be rejected without even seeing the login prompt with this error:
Permission denied (publickey).

Using TCP wrappers to allow only specific hosts to connect
This approach is useful if you would like to allow only specific hosts on a network to be able to connect to your SSH service, but you don't want to use or mess up your iptables configuration. Instead, you can use TCP wrappers; in this case the sshd TCP wrapper. I will make a rule to allow only hosts on my local subnet 192.168.1.0/24 and remote host 193.180.177.13 to connect to my SSH service.

By default TCP wrappers first look in the /etc/hosts.deny file to see what hosts are denied for what service. Next, TCP wrapper looks in /etc/hosts.allow file to see if there are any rules that would allow hosts to connect to a specific service. I'll create a rule like this in /etc/hosts.deny:
sshd: ALL

This means that by default all hosts are forbidden to access the SSH service. This needs to be here, otherwise all hosts would have access to the SSH service, since TCP wrappers first looks into hosts.deny file and if there is no rule regarding blocking SSH service, any host can connect.
Next, create a rule in /etc/hosts.allow to allow only specific hosts (as defined earlier) to use the SSH service:
sshd: 192.168.1 193.180.177.13

Now only hosts from the 192.168.1.0/24 network and the 193.180.177.13 host can access the SSH service. All other hosts are disconnected before they even get to the login prompt, and receive an error like this:

ssh_exchange_identification: Connection closed by remote host

Using iptables to allow only specific hosts to connect
An alternative to TCP wrappers (although you can use both at the same time) is limiting SSH access with iptables. Here's a simple example of how you can allow only a specific host to connect to your SSH service:

~# iptables -A INPUT -p tcp -m state --state NEW --source 193.180.177.13 --dport 22 -j ACCEPT

And make sure no one else has access to SSH service:

~# iptables -A INPUT -p tcp --dport 22 -j DROP
Save your new rules and you're all done.

SSH time-lock tricks
You can also use different iptables parameters to limit connections to the SSH service for specific time periods. You can use the /second, /minute, /hour, or /day switch in any of the following examples.

In the first example, if a user enters the wrong password, access to the SSH service is blocked for one minute, and the user gets only one login try per minute from that moment on:

~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP

In a second example, iptables are set to allow only host 193.180.177.13 to connect to the SSH service. After three failed login tries, iptables allows the host only one login try per minute:

~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP

Conclusion

These features are not hard to configure, but they are very powerful techniques for securing your SSH
service. It's a small price to pay for a good night's sleep.