Implement Centralized Sudo with SAMBA AD DC

Table of Machines

Host                IP             OS / role
addc1.roomit.tech   192.168.33.13  CentOS 7, Samba AD DC server
client.roomit.tech  192.168.33.14  CentOS 7, client that will run sudo
ws.roomit.tech      192.168.33.15  Windows Server 2008 R2, used to install the sudoers schema

Configure Vagrant

Create a Directory and the Vagrantfile

mkdir myVagrant
cd myVagrant/
vim Vagrantfile

Paste the following:

VAGRANTFILE_API_VERSION = "2"
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
    config.vm.box_check_update = false

    # Samba AD DC
    config.vm.define "addc1" do |addc1|
        addc1.vm.box = "bento/centos-7.7"
        addc1.vm.hostname = "addc1.roomit.tech"
        addc1.vm.network "private_network", ip: "192.168.33.13"
        addc1.vm.provider "virtualbox" do |vb|
            vb.name = "addc1"
            vb.memory = "1024"
            vb.cpus = 1
        end
    end

    # Linux client that will run sudo against the rules published in AD
    config.vm.define "client" do |client|
        client.vm.box = "bento/centos-7.7"
        client.vm.hostname = "client.roomit.tech"
        client.vm.network "private_network", ip: "192.168.33.14"
        client.vm.provider "virtualbox" do |vb|
            vb.name = "client"
            vb.memory = "1024"
            vb.cpus = 1
        end
    end

    # Windows Server used to import the sudo schema; GUI enabled for the console
    config.vm.define "ws" do |ws|
        ws.vm.box = "mrlunar/windows-server-2008r2"
        ws.vm.hostname = "ws.roomit.tech"
        ws.vm.network "private_network", ip: "192.168.33.15"
        ws.vm.provider "virtualbox" do |vb|
            vb.name = "ws"
            vb.memory = "2048"
            vb.cpus = 2
            vb.gui = true
        end
    end
end

Run Vagrant

vagrant up addc1 client ws

TURN OFF THE FIREWALL ON ALL NODES (temporarily, for this lab)

Install And Configure SAMBA AD DC

Please install Samba first (source: Install Samba).

Note

Make sure the installation parameters are set to:

  • REALM : ROOMIT.TECH
  • NETBIOS : addc1
  • WORKGROUP: ROOMIT

so that they match this tutorial.

Configure Sudoers using Windows Server

Set the Keyboard and Time

Go to

  • Control Panel
  • Clock, Language, and Region
  • Date and Time
    • Change Time Zone

      Change it to UTC+7 Jakarta.

      (screenshot: Timezone)

  • Region and Language
    • Change Keyboards and Languages

      Default input language: US - Indonesia

      (screenshot: Keyboard and Languages)

Join Windows Server to SAMBA AD DC

Set DNS

Go to

  • Control Panel
  • Network and Internet
  • Network and Sharing Center
  • Change Adapter Settings
  • Right-click Local Area Network 2 -> Properties
  • Internet Protocol Version 4 -> Properties
  • Use the following DNS server addresses

    192.168.33.13 (the AD server's IP)

    (screenshot: Setting DNS)

Test DNS

  • Windows + R
  • ping roomit.auth

(screenshot: Testing DNS)

Output:

Reply …

Join the Windows Server

Go to

  • Control Panel
  • System and Security
  • System
  • Remote Settings
  • Computer Name (tab)
  • Change -> Domain

    roomit.auth

  • In the pop-up dialog

    Username : Administrator

    Password : YourPassword

  • Restart the server
  • Log in with the Administrator account

    Username : administrator@roomit.auth

    Password : YourPassword

Make sure your keyboard is still set to US - Indonesia.

(screenshot: Joining Windows Server)

Install RSAT (Remote Server Administration Tools)

Go to

  • Control Panel
  • Programs
  • Programs and Features
  • Turn Windows features on or off
  • Features (below Roles)
  • Install RSAT

    (screenshot: Install RSAT)

  • Restart

Import the Sudo Schema

Go to

  • Start
  • Administrative Tools
  • ADSI Edit
  • Action
  • Connect to

On your host, go to addc1.roomit.tech:

vagrant ssh addc1

Go to the sudo documentation directory and serve it over HTTP on port 8080 (the schema file ships with the sudo package):

sudo su
cd /usr/share/doc/sudo-1.8.23/
python -m SimpleHTTPServer 8080

After that, add the marked options to the [global] section of /etc/samba/smb.conf. Samba only treats a line that starts with # or ; as a comment, so the "add this" markers sit on their own lines rather than after the values:

# Global parameters
[global]
	dns forwarder = 10.0.2.3
	netbios name = ADDC1
	realm = ROOMIT.AUTH
	server role = active directory domain controller
	workgroup = ROOMIT
	idmap_ldb:use rfc2307 = yes
	# add this: permit schema changes, needed for the sudo schema import
	dsdb:schema update allowed = Yes
	# add this
	client ldap sasl wrapping = sign
	# add this: lab setting that lets ldifde bind without LDAP signing or TLS
	ldap server require strong auth = no
	# add this
	bind interfaces only = yes
	# add this
	interfaces = lo eth1

[netlogon]
	path = /var/lib/samba/sysvol/roomit.auth/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

Copy the Kerberos Config

Copy the krb5.conf generated by the Samba provision over the system-wide Kerberos configuration:

cp /etc/samba/krb5.conf /etc/krb5.conf

Content of krb5.conf:

[libdefaults]
	default_realm = ROOMIT.AUTH
	dns_lookup_realm = false
	dns_lookup_kdc = true

Restart Samba as root:

systemctl restart samba

Go back to the Windows Server

  • Open Internet Explorer
  • Open the URL http://192.168.33.13:8080
  • Download schema.ActiveDirectory
  • Create the folder C:\SUDO
  • Save schema.ActiveDirectory in C:\SUDO
  • Open CMD
  • Execute these commands:

cd \
cd SUDO
ldifde -i -f schema.ActiveDirectory -c dc=X dc=roomit,dc=auth

Output:

(screenshot: Import Schema)

On server addc1, create the OU:

samba-tool ou create "ou=sudoers"

List the OUs:

samba-tool ou list

Output:

OU=sudoers
OU=Domain Controllers

Create and Import a Sudo Profile

On server addc1, create the file crud.ldif:

dn: CN=crud,OU=sudoers,DC=roomit,DC=auth
objectClass: top
objectClass: sudoRole
cn: crud
distinguishedName: CN=crud,OU=sudoers,DC=roomit,DC=auth
name: crud
sudoHost: ALL
sudoUser: dwiyan.wijatmiko
sudoCommand: /usr/bin/less
sudoCommand: /usr/bin/vi /etc/hosts
sudoCommand: /usr/bin/vim /etc/hosts
sudoCommand: /usr/bin/nano /etc/hosts
sudoCommand: /usr/bin/tail
sudoCommand: /usr/bin/more

Import the profile LDIF:

ldbadd -H /etc/samba/sam.ldb crud.ldif
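The crud.ldif entry above is written by hand. As an added example (not part of the original tutorial, and not sudo's or Samba's code), the Python below generates such a sudoRole entry from a role name, users and commands, parses it back, and renders the rule as the equivalent /etc/sudoers line, which is what the client's `sudo -l` should later report. The attribute names and the OU=sudoers,DC=roomit,DC=auth base come from the tutorial; the function names and the absolute-path check are this example's own.

```python
"""Generate and check a sudoRole LDIF entry for OU=sudoers.

Added example, not from the tutorial, sudo or Samba. The base DN and the
attribute names come from the tutorial's crud.ldif; the function names and the
absolute-path check are this example's own.
"""
import re

SUDOERS_BASE = "OU=sudoers,DC=roomit,DC=auth"


def build_sudo_role(name, users, commands, hosts=("ALL",)):
    """Return LDIF text for one sudoRole entry under OU=sudoers."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError("role name must be a plain RDN value: %r" % name)
    for cmd in commands:
        # sudo expects a fully qualified path as the first word of sudoCommand;
        # reject a relative path so the rule cannot silently fail to match.
        if cmd != "ALL" and not cmd.split()[0].startswith("/"):
            raise ValueError("sudoCommand must be an absolute path: %r" % cmd)
    dn = "CN=%s,%s" % (name, SUDOERS_BASE)
    lines = [
        "dn: %s" % dn,
        "objectClass: top",
        "objectClass: sudoRole",
        "cn: %s" % name,
        "name: %s" % name,
    ]
    lines += ["sudoHost: %s" % h for h in hosts]
    lines += ["sudoUser: %s" % u for u in users]
    lines += ["sudoCommand: %s" % c for c in commands]
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]} (no base64, no line folding)."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def to_sudoers_line(attrs):
    """Render the policy a sudoRole expresses, in /etc/sudoers syntax.

    sudoUser is who, sudoHost is where, sudoCommand is what; this is the rule
    the client's `sudo -l` should list once sssd serves the entry.
    """
    users = ", ".join(attrs["sudoUser"])
    hosts = ", ".join(attrs.get("sudoHost", ["ALL"]))
    cmds = ", ".join(attrs["sudoCommand"])
    return "%s %s = %s" % (users, hosts, cmds)


if __name__ == "__main__":
    ldif = build_sudo_role(
        "crud", ["dwiyan.wijatmiko"],
        ["/usr/bin/less", "/usr/bin/vi /etc/hosts", "/usr/bin/tail", "/usr/bin/more"],
    )
    print(ldif)
    print(to_sudoers_line(parse_ldif_entry(ldif)))
```

Write the generated text to a file and import it with the same ldbadd command as above; the rendered sudoers line is a quick way to confirm that the entry grants exactly what was intended before it reaches every joined client.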

Remove Unused DNS Records

Remove the A record for the zone apex with IP 10.0.2.15:

samba-tool dns delete localhost roomit.auth @ A 10.0.2.15 -U administrator

Remove the A record named addc1 with IP 10.0.2.15:

samba-tool dns delete localhost roomit.auth addc1 A 10.0.2.15 -U administrator

Add User

samba-tool user create dwiyan.wijatmiko

Check the user:

samba-tool user list | grep dwiyan.wi

Permissions on the Sudo OU

Go to the Windows Server

  • Start
  • Administrative Tools
  • ADSI Edit
  • Action
  • Connect to
  • Expand DC=roomit,DC=auth
  • Right-click OU=sudoers -> Properties
  • Security tab
  • Add the groups "Domain Users" and "Domain Computers"

(screenshot: Add User and Group)

  • Advanced
  • Domain Computers -> Edit
  • Apply to: this object and all descendant objects
  • Domain Users -> Edit
  • Apply to: this object and all descendant objects

(screenshot: Add User and Group)

Configure Centralized Authentication in Client

Run the client VM

vagrant up client

Log in to the client VM

vagrant ssh client

Install Tools

Update first (Debian-based):

apt update

Deb-based:

apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit krb5-user

RPM-based:

yum install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation

Set DNS

Edit /etc/resolv.conf (or manage it through NetworkManager or netplan) so the client resolves through the AD DC:

nameserver 192.168.33.13

PAM

Configure PAM (Deb-based) so a home directory is created at first login:

echo "session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/common-session

Configure PAM (RPM-based):

authconfig --enablemkhomedir --update

Join

Discover the AD domain:

realm discover ROOMIT.AUTH

roomit.auth
  type: kerberos
  realm-name: ROOMIT.AUTH
  domain-name: roomit.auth
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

Join:

realm join ROOMIT.AUTH -U Administrator

Check that the AD user resolves:

id dwiyan.wijatmiko@roomit.auth

uid=1157201105(dwiyan.wijatmiko@roomit.auth) gid=1157200513(domain users@roomit.auth) groups=1157200513(domain users@roomit.auth)

Change the SSSD config /etc/sssd/sssd.conf:

...
use_fully_qualified_names = False
fallback_homedir = /home/%u
...

or replace the whole file with the following. SSSD only treats a line that starts with # as a comment, so the explanations sit on their own lines rather than after the values:

[sssd]
domains = roomit.auth
config_file_version = 2
services = nss, pam, sudo

[sudo]

[pam]
# 120 days offline cache
offline_credentials_expiration = 120

[domain/roomit.auth]
debug_level = 6
ad_domain = roomit.auth
krb5_realm = ROOMIT.AUTH
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
# Remove the domain suffix from user names
use_fully_qualified_names = False
# Standard home directory
fallback_homedir = /home/%u
access_provider = ad
sudo_provider = ad
ldap_sudo_search_base = ou=sudoers,dc=roomit,dc=auth
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 3600

Add this if you want to limit which users can log in to the machine:

# Filter by group membership
ad_access_filter = (memberOf=CN=Operation,CN=Users,DC=roomit,DC=auth)
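Before testing, it is worth checking the two client files that SSSD's sudo integration depends on. The Python below is an added example (not from the tutorial and not SSSD's code) that parses an sssd.conf text and an nsswitch.conf text and reports the usual mistakes: the sudo responder missing from services, sudo_provider or ldap_sudo_search_base unset, a trailing comment left inside a value, and a sudoers line in nsswitch.conf that does not consult sss (sssd-sudo(5) requires `sudoers: files sss`). The two sample texts are constructed inside the block and the function names are hypothetical; on a real client, read /etc/sssd/sssd.conf and /etc/nsswitch.conf instead.

```python
"""Check a client's centralized-sudo wiring: sssd.conf and nsswitch.conf.

Added example, not from the tutorial or SSSD. The two sample texts below are
constructed for this example; on a real client read /etc/sssd/sssd.conf and
/etc/nsswitch.conf. Function names are hypothetical.
"""
import configparser

# Constructed sample: the keys the tutorial sets, plus one trailing comment of
# the kind that sssd's parser does not strip from the value.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = roomit.auth
config_file_version = 2
services = nss, pam, sudo

[sudo]

[pam]
offline_credentials_expiration = 120

[domain/roomit.auth]
id_provider = ad
access_provider = ad
sudo_provider = ad
use_fully_qualified_names = False #Remove Domain
ldap_sudo_search_base = ou=sudoers,dc=roomit,dc=auth
"""

# Constructed sample: the sudoers database is not yet pointed at sss.
SAMPLE_NSSWITCH = """\
passwd:     files sss
group:      files sss
sudoers:    files
"""


def check_sssd_conf(text, domain):
    """Return a list of problems found in an sssd.conf text for `domain`."""
    problems = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    dom = "domain/%s" % domain
    if "sssd" not in cp or dom not in cp:
        return ["missing [sssd] or [%s] section" % dom]
    services = [s.strip() for s in cp["sssd"].get("services", "").split(",")]
    if "sudo" not in services:
        problems.append("[sssd] services must include sudo")
    if cp[dom].get("sudo_provider") != "ad":
        problems.append("sudo_provider should be ad for an AD-backed domain")
    if not cp[dom].get("ldap_sudo_search_base"):
        problems.append("ldap_sudo_search_base unset; sssd falls back to ldap_search_base")
    # sssd.conf comments are whole lines starting with '#'; a trailing '# ...'
    # stays inside the value and makes the option invalid.
    for section in cp.sections():
        for key, value in cp[section].items():
            if "#" in value:
                problems.append("%s/%s has an inline comment in its value" % (section, key))
    return problems


def check_nsswitch(text):
    """Return a problem list: the sudoers database must consult sss."""
    for line in text.splitlines():
        key, _, sources = line.partition(":")
        if key.strip() == "sudoers":
            if "sss" in sources.split():
                return []
            return ["nsswitch.conf: sudoers line does not list sss"]
    return ["nsswitch.conf: no sudoers line (add 'sudoers: files sss')"]


if __name__ == "__main__":
    found = check_sssd_conf(SAMPLE_SSSD_CONF, "roomit.auth") + check_nsswitch(SAMPLE_NSSWITCH)
    for p in found:
        print("PROBLEM:", p)
```

Run it after editing sssd.conf and before restarting sssd; an empty problem list for both files is the state in which `sudo -l` on the client can actually show the rules published under OU=sudoers.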

Test Sudo

Log in on the client as the AD user and list the rules sssd fetched from OU=sudoers:

sudo -l