Setting up a basic Linux fileserver using Centrify DirectControl Express, Samba, and Active Directory

Windows file servers are packed full of features, but there are times when a Linux server may be necessary. Budget constraints may rule out additional software licenses, or a more robust file system (such as XFS or ZFS) may be needed. Previously it was fairly time consuming to get a Samba file server completely configured and integrated with Active Directory. Centrify's DirectControl Express product, however, allows Linux servers to join and log in to an Active Directory domain, and Centrify also offers a Samba package that provides seamless support for Windows domain computers.

I recently ran into this issue when working with a software vendor's database backups. Windows Backup, BackupExec, and others will not back up the databases properly; only the vendor's proprietary software will. Because that software is slow, 2-3 database backups must run simultaneously to complete within the allotted time window. As anyone who works with storage has probably experienced, multiple concurrent writes pose a challenge: fragmentation. With databases 20+ GB in size, there are millions upon millions of fragments, so writing to tape and performing restores can be very time consuming because the files are not contiguous. XFS was chosen to virtually eliminate fragmentation thanks to the way it allocates contiguous blocks, whereas NTFS only allows clusters of up to 64K. More on this later…

After testing and selecting a file system, Samba was installed to present Windows file shares to the database server and the backup software. Centrify's software comes with installers for most major distributions, but here we'll focus on Ubuntu.

The following prerequisites will make this tutorial easier:

  1. A working Active Directory with a Windows workstation joined to the domain.
  2. Download Centrify DirectManage Express.
  3. Download Centrify Samba.
  4. Download a copy of Ubuntu Server either 32-bit or 64-bit (we will be using 11.10, but other versions will also work).
  5. Download WinSCP to easily transfer the Samba install files to the Ubuntu Server.
  6. Download Putty if you want to connect via SSH (Centrify’s version works with Kerberos).
  7. Basic understanding of Linux file permissions, file editing and Samba shares. I’ll include a basic scenario at the end, but you can make it much more robust.

Ok, let’s get started…

  1. Insert the Ubuntu media to begin the server installation. Choose English and then choose Install Ubuntu Server to launch the install wizard.
  2. Proceed through the installation wizard. When prompted for the software selection, choose only OpenSSH server. There is an option for Samba, but it is not the Active Directory integrated version, and installing it alongside Centrify can cause conflicts.
  3. Once the installation has completed, install the latest security updates by running the following:
    sudo apt-get update
    sudo apt-get upgrade
  4. Log into the new server using Putty to verify SSH connectivity, as the Centrify software will use SSH and SCP for installation.
  5. If you have not done so already, install Centrify DirectManage Express on the Windows domain workstation (or server).
  6. After installation, launch the Centrify Deployment Manager.
  7. Under Step 1: Build Computer List, click the Add Computers button.
  8. When the wizard appears, choose Add a single computer, enter the IP Address under Computer name / IP address and click Next.
  9. Choose Specify a new set of account information and click Next. If you happen to already be using Centrify for other systems, you can also copy credentials from another server's profile.
  10. Next, enter the username that you chose when setting up Ubuntu. Also, since Ubuntu uses sudo, specify that as well. Click Next.
  11. Setting the sudo password does not actually set the account’s password used for initial login. Re-enter the password for your Ubuntu admin account that was created during setup.
  12. Click Finish to save the password. The Deployment Manager will now connect to the server and gather basic operating system information.
  13. Under Step 2: Download Software, click the Download Software button. You will need to enter your Centrify website username and password to get the install packages. The software will download the corresponding packages for each OS that was added during Step 1.
  14. Next, we’ll analyze the current environment under Step 3: Analyze Your Environment. This process will determine what servers need new or updated software packages. Make sure the servers that you want to analyze are also checked. Click the Analyze button.
  15. Once Step 3 has completed, we are ready to deploy the software under Step 4: Deploy Centrify Software. Check the boxes next to the servers that you wish to deploy or upgrade, then click the Deploy button. When the deployment wizard appears, choose the Centrify Suite Express Edition option unless you have a license for the full version.
  16. Make sure to select Centrify DirectControl and Centrify-Enabled OpenSSH for deployment. This will install the DirectControl agent and update OpenSSH to allow Kerberos SSO. The recommended version of Putty comes with Kerberos support, so you can access the Linux server without typing in a password. Because of sudo, you will still need to enter a password when dropping to a root prompt; think of this as similar to Windows User Account Control (UAC). Towards the end of this post, I'll include the final step to activate SSO and Kerberos.
  17. Before completing the wizard, uncheck the option Add the computer into Active Directory after install. We will do this after the deployment has completed. There really isn’t a reason to do this other than personal preference. I have found in some situations it is a bit cleaner.
  18. Click Next through the remaining wizard pages to complete the installation process.
  19. Once the installation has completed, use the server’s console or SSH. We will now join the system to the domain by using the following command (replace test.local with your actual domain):
    adjoin -w test.local
  20. Before rebooting, we'll give members of the Domain Admins group sudo access so that you can control the server using Active Directory credentials. From a prompt, type the sudo visudo command. If you have not run it before, Ubuntu will prompt you for the editor to use. I generally stick with vi, but that is a personal preference. Add the following line to the file and save your changes:
    %domain\ admins ALL=(ALL) ALL
  21. Reboot the server. When it restarts, we are now ready for the Samba configuration.
  22. Using WinSCP (or another application), copy the Samba package (at the time of writing it is samba-4.5.1-deb5-x86_64.tgz) to the /tmp directory of the Ubuntu server.
  23. Log into the server via the console or SSH (you should be able to use Active Directory credentials now) and navigate to the /tmp directory. Go ahead and type sudo su which will leave you at a root prompt for this session.
  24. Extract the Samba files using the tar command:
    tar -xvzf samba-4.5.1-deb5-x86_64.tgz
  25. Install the two *.deb packages (they work similarly to RPM files):
    dpkg -i centrifydc-adbindproxy-4.5.1-deb5-i386.deb
    dpkg -i centrifydc-samba-3.5.9-4.5.1-deb5-i386.deb
  26. Finally, before you can access the server you must run the adbindproxy.pl Perl script. This configures Samba and creates the needed symbolic links back to the binary files. The script works like a wizard; keep pressing Enter to accept the defaults.
    cd /usr/share/centrifydc/bin/
    ./adbindproxy.pl
  27. Navigate to \\SAMBATEST from your Windows workstation and you should now have access to the default file shares that are created upon installation.

Creating a new Samba share

  1. Drop to a root prompt using sudo su which will prevent you from having to type sudo with every command.
  2. Create a directory under the root named fileshare using mkdir /fileshare.
  3. Set the permissions on this directory so that, to start with, the owner is root and the group is Domain Admins, with no access for all other users. The commands below set the permissions for directories and files separately. The leading 2 in the 2770 directory mode sets the setgid bit (shown as an s in the group execute position), so new files inherit the directory's group; that way, when several people create and edit files, nobody is locked out of a file they do not own.
    cd /fileshare
    # owner root, group Domain Admins (the AD group as Centrify exposes it)
    chown -R root:"TEST\\Domain Admins" .
    # 2770 on directories: setgid so new files inherit the group, nothing for others
    find . -type d -exec chmod 2770 {} \;
    find . -type f -exec chmod 660 {} \;
  4. Modify the Samba configuration under /etc/samba/smb.conf and add the following to the end of the file:
    [AdminShare]
      ; the directory created above; without path = the share would not point at it
      path = /fileshare
      comment = This is where you put the share description
      browseable = yes
      read only = no
      ; + marks a group; guest access is off so valid users is the only way in
      valid users = +"TEST\Domain Admins"
      guest ok = no
      create mode = 0660
      directory mask = 2770
      store dos attributes = yes
      unix extensions = no
  5. To be safe, restart smbd so the new configuration is loaded. If all goes well you should have a new share that only Domain Admins can access.

I hope this tutorial is helpful to you; please drop me a line if I left anything out. Unless you are familiar with this process, never start with a live/production server, especially when changing file permissions, as one mistake can render the server useless, just as on a Windows system.

5 thoughts on “Setting up a basic Linux fileserver using Centrify DirectControl Express, Samba, and Active Directory”

    • From what I remember with Webmin you need to configure the option under Webmin > Webmin Users > Configure Unix User Authentication. The last time I messed with Webmin (a few years ago with Likewise Open), I needed to enable all users. There may be a few things you can do with PAM, but I'm not 100% sure there.

  1. There are several steps to enabling Webmin login via Centrify/AD. There’s an FAQ for Webmin that discusses the general process of enabling Unix User Authentication.

    http://www.webmin.com/faq.html

    There are a couple of fine points that I had to do in addition to the recommended steps in the FAQ for making it work with Centrify.

    The additional steps involved adding a step for authentication and verification in the System > PAM Authentication module > Webmin Service, enabling Centrify. Select pam_centrifydc.so from the pulldown next to the “Add Step” button. Then click the “Add Step” button. Then promote the Centrify step to be first.

    Click on the Centrify step and change the Failure level to Sufficient.

    Do this for both Authentication and Account Verification steps.
