Running the adbindproxy.pl Script
This section describes how to configure Samba using the adbindproxy.pl script.
If your current environment has Windows users accessing data on Samba member servers that are joined to the Active Directory domain, you may want to migrate those users to Verify Privilege Server Suite. This way, you can use Verify Privilege Server Suite zones to manage conflicting identities and rationalize UIDs and GIDs. For details on how to migrate those users, see Migrating existing Samba users to Verify Privilege Server Suite. Complete the migration before integrating Samba and the Authentication Service.
The adbindproxy.pl script performs the following tasks:
- Determines the computer's operating system and adjusts accordingly.
- Confirms that the DirectControl agent is installed.
- Confirms that open-source Samba has been installed.
- Determines whether you are joined to an Active Directory domain and, if you are, displays the domain name and Verify Privilege Server Suite zone.
- Asks if you want to join Samba to the current Active Directory domain or to another one. If you choose another, the script guides you through leaving the current domain and joining the new one.
  If you want to modify or set advanced join settings (for example, update PAM or NSS config, use DES for encryption, or use a computer alias), either run adleave before you run adbindproxy.pl or select a different domain when prompted in the script. Otherwise, the script does NOT prompt you to enter advanced join settings.
- If you have a previous Samba installation, asks if you want to keep the smb.conf settings or use new ones. adbindproxy.pl automatically saves the existing copy.
  The script automatically looks for an existing smb.conf file using the smbd -b command. If your current version of smbd does not support the -b option, or you have smb.conf in a custom directory, the script will not find it. If you want to use your existing smb.conf, move it to /etc/samba before you run the script.
- Removes old state files from previous instances of Samba, including any existing winbind entries in the /etc/nsswitch.conf file.
- Restarts the necessary daemons (nmbd, winbindd, adbindd, and smbd).
- Installs scripts to automatically start the correct Samba and Verify Privilege Server Suite services each time the computer boots.
- Optionally passes additional options to adjoin and adleave.
- Can generate a response file so that you can run the adbindproxy.pl script without any user interaction.
Before you run adbindproxy.pl, read through the prompts described below to make sure you are prepared with the answers. For example, before you run the script, be sure you know the path where Samba is installed.
The adbindproxy script requires the samba (smb, nmb, and winbind) services on all platforms. On CentOS 7, you must install the samba winbind package manually, because it is not installed with the samba package.
To begin, log on and switch to the root user and proceed with the following steps:
To run the adbindproxy.pl script
1. To start the script, enter the following as root:

       perl /usr/share/centrifydc/bin/adbindproxy.pl

2. Specify the path to the Samba installation:
   - If Samba is installed in the default location (/usr), press Enter to accept the default.
   - Otherwise, enter the path to your Samba installation.

3. Specify the domain to join. How you proceed depends on whether the computer is already joined to a domain:
   - If you were already joined to a domain when you started the script, the script displays the domain name and zone and asks the following:

         Do you want to leave or join to another domain? [N]

     To continue with the currently joined Active Directory domain, press Enter and skip ahead to Step 6.
     If you want to leave the current domain and join another, OR change any advanced options (listed in Step 5) in your current domain, enter Y and continue to Step 4.
   - If you are not joined to a domain, the script displays the following message:

         Not joined to any domain. Make sure you enter the correct domain and zone information in the next steps

     This initiates a set of prompts that ask you for the Active Directory domain name, the Centrify Zone, and advanced options. Continue to Step 4.

4. Join the new Active Directory domain.
   You arrive at this step if you were not joined to an Active Directory domain when you started adbindproxy.pl, if you decided to leave that domain, OR if you decided to change advanced options in your current join. If none of these conditions apply to you, skip to Step 6.
   - At this prompt, enter the domain name:

         Enter the Active Directory domain to join:

   - At the DNS health prompt, press Enter to verify that the domain exists:

         Check DNS health for [domain]? Note: this may take several minutes [Y]:

   - At the next prompts, enter the following domain properties:
     - Verify Privilege Server Suite zone on the target Active Directory domain
     - Computer name on which the adbindproxy package is installed
     - Active Directory authorized user (default is Administrator)
     If you are running Verify Privilege Server Suite in Express Mode or need to join the domain through Auto Zone, enter NULL_AUTO for the zone name.

5. (Optional) Specify advanced join options.
   The script prompts you with the following message:

       Do you wish to specify advanced join options? [N]:

   If you do not need any advanced join options, enter N. Otherwise, enter Y and make your selections. The options are listed below; the defaults are in brackets.

       Canonical name of Active Directory Computer Container
       Preferred Domain Server to use (press Enter for none)
       Update PAM and NSS Config [Y]
       Trust computer for delegation? [N]
       Use DES encryption only? [N]
       Run adjoin in verbose mode? [N]
       Additional computer alias (press Enter for none)

   The script then displays the selections you made and asks if you want to proceed. Enter Y to proceed or N to abort adbindproxy.pl.
   - If you were not joined to an Active Directory domain when you started the script, you are prompted to enter your password once. Enter the password for the Active Directory domain, computer, and authorized user specified in the prompts.
   - If you choose to proceed AND you are leaving the current Active Directory domain to join another, the script prompts you twice to enter your password:
     - In response to the first prompt, enter the current Active Directory domain account password to leave that domain.
     - In response to the second prompt, enter the password for the Active Directory domain, computer, and authorized user specified in the prompts to join the new domain.

6. Enter the Samba winbindd path.
   At the next prompt, if the Samba winbindd listen path is not /run/samba/winbindd, enter the path; otherwise, press Enter to accept the default.

7. If there is at least one existing smb.conf file, continue to Step 8.
   Otherwise, if there is no existing smb.conf file (which is true for new installations of Samba), the adbindproxy script searches for existing smb.conf files. If it does not find one, it automatically creates a new smb.conf, stores it in /etc/samba, displays the following message, and finishes:

       Updating smb.conf with recommended settings ...

   This new smb.conf file has minimal global settings and a samba-test share.
   Regardless of whether you update an existing smb.conf or create a new one, you will need to modify the /etc/samba/smb.conf file to have the [global] section settings and the appropriate shares for your environment. See Modifying the Samba smb.conf configuration file for instructions. The file created by adbindproxy.pl should be used for verifying the Samba integration only.

8. Specify existing or new smb.conf settings.
   If you have an existing smb.conf file, you next specify whether to update the settings in the existing smb.conf file or create a new, skeletal smb.conf file. If you choose to use the existing settings, you can also choose to back up the existing smb.conf file.
   If the script finds an existing smb.conf file, it copies that file to /etc/samba and asks the following question:

       Do you want to keep the original samba settings? [Y]:

   If the script finds more than one smb.conf, it displays the list and asks you to select one. After you make the selection, it copies that one to /etc/samba and continues.
   - Don't keep the original Samba settings: Enter N to discard the original Samba settings and instead create the new, basic smb.conf. The script creates a backup copy of your smb.conf in /etc/samba; the backup filename is in this format: smb.conf.yyyy-mm-dd-hh-mm. The new smb.conf file has minimal global settings and, if no shares exist, a samba-test share. Continue to Finishing Up.
   - Keep the original Samba settings: Enter Y to modify the existing file and continue to Step 9.

9. If you've chosen to keep the original Samba settings, the script displays the following prompt about backing up the existing settings:

       Backup existing /etc/samba/smb.conf and add recommended settings? [Y]

   - Enter Y to create a backup in the form smb.conf.yyyy-mm-dd-hh-mm.
   - Enter N to use the existing smb.conf without making a backup.
   If the existing smb.conf has Security = ADS and the workgroup and realm are set, the script does NOT modify the existing file; the original is left unchanged.

10. For Ubuntu and SUSE computers where AppArmor exists, the script displays the following prompt about updating the AppArmor policy profiles:

        Update AppArmor policy profiles? [Y]

    Use the default [Y] unless you don't want to update the AppArmor profiles now. If you don't update the AppArmor profiles now, be sure to update them manually later; otherwise, winbindd might fail to start and you won't be able to access the Samba share. For Ubuntu systems, the profiles aren't updated because the winbindd policy profile doesn't exist.

11. If you're configuring a Linux system that has SELinux enabled and Samba supports your system's version of samba_selinux, the script checks the configuration and, if needed, displays the following prompt:

        Update SELinux policy to allow r/w on non samba_share_t types? [Y]

    Use the default [Y] unless you have labeled all the share folders with the type samba_share_t. If you don't update the SELinux policy, Samba cannot read or write to a shared folder that is not labeled with the samba_share_t type. For more information about samba_selinux, see the samba_selinux man page.

12. If you've chosen to keep the original Samba settings, the script displays the following prompt about resetting the Samba cache for user and group IDs:

        Reset the Samba User/Group ID Cache (Verify Privilege Server Suite Samba may create conflicting mappings) [Y]

    Unless you have created custom mappings, use the default [Y]. This flushes the cache and displays the following message:
    This prompt is only pertinent to the small set of Samba administrators who created custom user and group ID mappings. If you do have custom mappings, use the default to flush the cache and prevent potential conflicts. After adbindproxy.pl completes, re-add your mappings as necessary.
    If you entered Y, the script creates new mappings in the Samba User/Group ID cache, which may result in conflicts if there are any mappings in place already.
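The following is an added example (not code from adbindproxy.pl or from the Samba project) of a pre-flight check that mirrors what this page describes: locating smb.conf through smbd -b, the rule that an existing smb.conf with Security = ADS plus workgroup and realm set is left unchanged, and the winbind entries in /etc/nsswitch.conf that the script removes. The sample smb.conf and nsswitch.conf contents are constructed, and the fallback to /etc/samba/smb.conf is an assumption taken from the page's default location.

```shell
#!/bin/sh
# Added pre-flight check (not part of adbindproxy.pl); the sample files below are constructed.

# Locate smb.conf the way the page says the script does, from `smbd -b`;
# fall back to the page's default location when smbd is absent or lacks -b.
locate_smbconf() {
    path=$(smbd -b 2>/dev/null | awk '/CONFIGFILE:/ { print $2 }')
    [ -n "$path" ] || path=/etc/samba/smb.conf
    printf '%s\n' "$path"
}

# Print one [global] parameter from an smb.conf: name matched case-insensitively,
# whitespace around '=' ignored, comment lines skipped, other sections ignored.
global_param() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        /^[ \t]*[#;]/ { next }
        insec && index($0, "=") {
            name = tolower($0); sub(/=.*/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/[ \t]+/, " ", name)
            if (name == key) {
                val = $0; sub(/^[^=]*=/, "", val)
                gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit
            }
        }' "$1"
}

# Succeeds when security = ADS and both workgroup and realm are set: the case in
# which the page says adbindproxy.pl leaves an existing smb.conf unchanged.
smbconf_ads_complete() {
    [ "$(global_param "$1" security | tr 'A-Z' 'a-z')" = "ads" ] &&
        [ -n "$(global_param "$1" workgroup)" ] && [ -n "$(global_param "$1" realm)" ]
}
# Count nsswitch.conf database lines that still list winbind (the script removes them).
nsswitch_winbind_lines() {
    grep -Ec '^[[:space:]]*(passwd|group|shadow):.*[[:space:]:]winbind([[:space:]]|$)' "$1" || true
}
# Constructed sample smb.conf and nsswitch.conf, not copied from a real host.
SAMPLE_SMBCONF=$(mktemp)
printf '[global]\n   workgroup = EXAMPLE\n   realm = EXAMPLE.COM\n   Security = ADS\n[samba-test]\n   path = /srv/samba-test\n' > "$SAMPLE_SMBCONF"
SAMPLE_NSSWITCH=$(mktemp)
printf 'passwd:  files winbind\ngroup:   files winbind\nhosts:   files dns\n' > "$SAMPLE_NSSWITCH"
echo "smb.conf adbindproxy.pl would act on here: $(locate_smbconf)"
if smbconf_ads_complete "$SAMPLE_SMBCONF"; then
    echo "sample smb.conf: Security = ADS with workgroup and realm set; it would be left unchanged"
else
    echo "sample smb.conf: ADS settings incomplete; recommended settings would be added"
fi
echo "sample nsswitch.conf lines still using winbind: $(nsswitch_winbind_lines "$SAMPLE_NSSWITCH")"
```

Run it against the real files before Step 9 to know in advance whether the script will rewrite your smb.conf, and after the script finishes to confirm the winbind entries are gone from /etc/nsswitch.conf.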
Finishing Up
To complete the configuration, adbindproxy.pl stops any running versions of smbd, adbindd, winbindd, and nmbd, starts the required Verify Privilege Server Suite processes, and displays a set of progress and configuration messages. You should see the following messages:

    Init Samba start script ...
    Restarting Samba daemons ...
    Reloading systemd: [ OK ]
    Restarting centrifydc-samba (via systemctl): [ OK ]
    Current DirectControl Configuration:
    ...
    Current Samba Configuration:
    ...

The adbindproxy script then displays the following:

    Press ENTER to continue ...
    Notes: If you need to join another domain, please re-run this script and enter the new domain name!
    Done.

If any service fails to start, run one of the following after the adbindproxy.pl script completes its execution.
On Linux or Solaris computers, run:

    /etc/init.d/centrifydc-samba restart

On HP-UX computers, run:

    /sbin/init.d/centrifydc-samba restart

On AIX computers, run:

    stopsrc -g samba && startsrc -g samba

On Linux computers that support systemd, run:

    systemctl restart centrifydc-samba
As a quick test, log off as the root user and log on with an Active Directory user account that has been granted access to the local computer's zone. If this is the first time you are logging on with this user account, check that the user's home directory has been created; the Authentication Service creates it automatically the first time you log on.