En/5.0/Users, Computers and File Sharing - Revision history (https://wiki.zentyal.org/index.php?title=En/5.0/Users,_Computers_and_File_Sharing&feed=atom&action=history). Revision by Admin, 2017-04-18T18:16:06Z: Uploaded from built doc.<br />
<div><br />
<br />
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">[[En/5.0/HTTP Proxy Service|Previous]] | [[En/5.0/Zentyal 5.0 Official Documentation|Index]] | [[En/5.0/Configuring a file server with Zentyal|Next]]</div><br />
<br />
<br />
<div id="users-computers-and-file-sharing"></div><br />
<br />
<div id="directory-ref"></div><br />
<br />
<br />
Zentyal integrates '''Samba4''' ([[#footnote_6|6]]) as a Directory Service, implementing ''Windows'' domain controller functionality and<br />
file sharing.<br />
<br />
<div id="footnote_6">[''6''] [http://en.wikipedia.org/wiki/Samba_software http://en.wikipedia.org/wiki/Samba_software]<br />
<br />
</div><br />
<br />
A '''Domain''', in this context, consists of several distributed services along all controllers, where LDAP directory, DNS server and distributed authentication through Kerberos ([[#footnote_7|7]]) are the most important.<br />
<br />
<div id="footnote_7">[''7''] [http://en.wikipedia.org/wiki/Kerberos_(protocol) http://en.wikipedia.org/wiki/Kerberos_(protocol)]<br />
<br />
</div><br />
<br />
The '''Domain''' concept in Zentyal is strongly related to the Microsoft Active Directory® implementation, in other words, there are servers replicating directory information and clients ''joined'' to the domain, applying the policies assigned to their ''Organizational Unit (OU)''.<br />
<br />
'''File sharing''' makes files available to users on the network, who can open, download or modify them. Zentyal uses the SMB/CIFS protocol ([[#footnote_8|8]]) to maintain compatibility with Microsoft clients. SMB/CIFS is also supported by most operating systems, including mobile ones, and by many network devices.<br />
<br />
<div id="footnote_8">[''8''] [http://en.wikipedia.org/wiki/Server_Message_Block http://en.wikipedia.org/wiki/Server_Message_Block]<br />
<br />
</div><br />
<br />
<br />
<div id="configuring-a-domain-server-with-zentyal"></div><br />
<br />
<div id="zentyal-samba-ref"></div><br />
=Configuring a Domain Server with Zentyal=<br />
<br />
<br />
<div id="ldap-configuration-options"></div><br />
==LDAP configuration options==<br />
<br />
This first section describes the functionality and information available in Zentyal's LDAP directory using any of<br />
the domain operation modes. The next sections will describe how to configure and make use of the features of those<br />
modes.<br />
<br />
Going to Users and Computers ‣ Configure mode you can check the operation mode of your LDAP server<br />
before enabling the module. If you have already enabled Users, Computers and File Sharing, your server<br />
will operate as a ''Stand-alone server'' by default.<br />
<br />
Once you have enabled the module, you can access Users and Computers ‣ LDAP settings, where the upper block shows some general LDAP<br />
information:<br />
<br />
[[File:en-5.0-images-directory-Zentyal_ldap_settings.png|center|450px|frame|LDAP configuration in Zentyal]]<br />
<br />
; Base DN : Base name of the domain names in this server; it matches the ''local domain''. Your local domain is configured from System ‣ General, Domain. It will appear as blocked (you cannot delete it) in your DNS module.<br />
<br />
; Default User DN : Name of the default user container.<br />
<br />
; Default Groups DN : Name of the default groups container.<br />
<br />
From the bottom block, you can configure some '''PAM Settings''':<br />
<br />
[[File:en-5.0-images-directory-Zentyal_pam_settings.png|center|frame|PAM configuration]]<br />
<br />
By enabling ''PAM'' (Pluggable Authentication Modules) you allow the users defined in the directory to be<br />
valid users on the local server as well. This way you can, for example, create a user in your directory<br />
and access the Zentyal server through ''SSH'' using those credentials.<br />
<br />
<br />
<div id="managing-users-groups-and-computers"></div><br />
==Managing Users, Groups and Computers==<br />
<br />
Going to Users and Computers ‣ manage you will see the LDAP<br />
tree. From this interface you can also create and delete nodes, manage the LDAP attributes and<br />
adjust the permissions for other LDAP-connected services.<br />
<br />
[[File:en-5.0-images-directory-main_tree.png|center|frame|LDAP tree]]<br />
<br />
On the left side, you can see the tree, with your "local" domain as the root. There are several<br />
''Organizational Units'' already created.<br />
<br />
* Computers: Hosts joined to the domain, both servers and desktops. This section is useful for inventory purposes and<br />
also for applying host-based rules.<br />
<br />
* Groups: Generic OU container node for the groups in your organization.<br />
<br />
* Users: Generic OU container node for the users in your organization.<br />
<br />
* Domain Controllers: Servers that replicate this directory information; they can also take on the different FSMO roles<br />
of a Samba4/Active Directory domain.<br />
<br />
<br />
An ''Organizational Unit'' is a container for other objects, like groups, users or even other nested ''OUs''. It's a concept closely related<br />
to the tree data structure and the different policies associated with each node. If you are not using Samba4/Active Directory<br />
capabilities, you probably don't need to create new ''Organizational Units'' in your domain.<br />
<br />
You can delete any node using the trash can icon or you can create a new one clicking on a container and then on the green plus icon.<br />
<br />
[[File:en-5.0-images-directory-add_user.png|center|frame|Adding a new user]]<br />
<br />
It's important to note that each time you create a user in the LDAP tree, a directory ''/home/<username>'' is created in the<br />
file system of the server. If the directory already exists, creating the user may fail; in that case, move or remove the directory before creating<br />
the user.<br />
<br />
''Contacts'' are personal information objects not related to the authorization mechanism. In other words, contacts<br />
will not be able to log in to the domain services.<br />
<br />
On the right side you can see and modify the LDAP attributes of the currently selected node, for example the last name of<br />
a user.<br />
<br />
Clicking on a user, you can also modify the user's membership of the different groups and make use of the '''user plugins'''.<br />
At the bottom right of the interface you will see a section named Modules Configuration. This<br />
section has a variable number of subsections, depending on the Zentyal modules installed and enabled. From here, you can modify<br />
the parameters of each module that apply to this user. The default configuration of the '''user plugins''' depends on the<br />
''User Template'' explained below.<br />
<br />
[[File:en-5.0-images-directory-user_plugin.png|center|frame|Mail user plugin interface]]<br />
<br />
Clicking on a group, you can also modify the users belonging to the group, create mail distribution lists and<br />
change the type of group. A Security Group (the default) contains users that will be able to log in<br />
to the domain services; a Distribution Group contains users that will be used for other purposes, such as<br />
mail lists.<br />
<br />
[[File:en-5.0-images-directory-edit_group.png|center|frame|Editing a group]]<br />
<br />
<br />
<div id="user-template"></div><br />
==User Template==<br />
<br />
Going to Users and Computers ‣ User Template you can modify the default service settings for<br />
new users, for example the default domain for their mail account. It's important to note that any modifications<br />
will only be applied to the users created '''after''' changing the template. The number of sections is variable, depending<br />
on the user-related Zentyal modules present on your system.<br />
<br />
[[File:en-5.0-images-directory-user_template.png|center|frame|User Template]]<br />
<br />
<br />
<div id="configuring-zentyal-as-a-standalone-domain-server"></div><br />
=Configuring Zentyal as a Standalone Domain server=<br />
<br />
Enabling the ''Users, Computers and File Sharing'' module has to be done carefully. The reason is that<br />
during module activation the Domain is ''provisioned''. This means that the LDAP,<br />
DNS and Kerberos data is initialized, creating all the LDAP objects, Kerberos security<br />
principals, DNS zones and so on. The operation can be reverted but it's certainly more difficult<br />
than disabling and re-enabling other modules.<br />
<br />
Before enabling the ''Users, Computers and File Sharing'' module for the first time make sure that:<br />
<br />
* You have configured the operation mode (by default ''Domain Controller''). You can also configure your server<br />
to be an additional controller joined to another node; in that case, configure the server role and the credentials<br />
to join the domain before enabling the module, and follow the other instructions below. If this server is the first<br />
(or the only) ''Domain Controller'', you don't have to modify anything. Check the operation mode from Domain ‣ Settings.<br />
<br />
<br />
[[File:en-5.0-images-filesharing-main_controller.png|center|frame|Configuring Zentyal as the Standalone Domain Controller]]<br />
<br />
* Your local domain and host name parameters are correct. You can check this from System ‣ General,<br />
Hostname and Domain section. If you want to change these, save changes and reboot the machine before<br />
enabling the module.<br />
<br />
<br />
[[File:en-5.0-images-filesharing-hostanddomain.png|center|frame|Checking Host Name and Domain]]<br />
<br />
* In the DNS module configuration, you will have a DNS "local" domain that matches the one you have configured in<br />
System ‣ General. This domain has to contain the server hostname as an A record (inside the Hostnames section),<br />
and this hostname has to have at least one local IP address. You have to associate with the server's DNS hostname all the internal IP addresses on which you<br />
want to provide Domain services.<br />
<br />
<br />
[[File:en-5.0-images-filesharing-dns.png|center|frame|zentyal hostname inside the zentyal-domain.lan DNS domain, pointing to all the internal IP addresses]]<br />
<br />
* The NTP module is installed and enabled, and your clients are receiving NTP information from the server, generally through DHCP.<br />
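<br />
The host name and DNS conditions above can be checked from a shell on the server before enabling the module. The script below is an added example and not Zentyal's own tooling; it assumes that ''hostname -s'' and ''hostname -d'' return the configured host name and domain, that getent(1) and ip(8) are available, and it also applies the NetBIOS naming rule from the Known Limitations section at the end of this page.<br />
<br />
```sh
#!/bin/sh
# Pre-flight checks before enabling "Users, Computers and File Sharing" in
# Domain Controller mode. Added example for this guide; not part of Zentyal.
# The check functions take their inputs as arguments so they can be exercised
# with constructed data; "--live" feeds them from hostname(1), getent(1), ip(8).

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Samba4 derives the NetBIOS name from the leftmost label of the DNS domain,
# so the host name must differ from that label: "zentyal" + "zentyal.lan"
# collides, "zentyal" + "zentyal-domain.lan" does not. Returns 0 when OK.
netbios_ok() {
    host=$(lower "$1")
    left=$(lower "${2%%.*}")
    [ -n "$host" ] && [ -n "$left" ] && [ "$host" != "$left" ]
}

# Every address the local DNS returns for the server's FQDN must be one of the
# server's own addresses, and there must be at least one (the guide requires
# the hostname to have at least one local IP). Both lists are space-separated.
# Returns 0 when OK, 1 when the hostname is unresolvable or points elsewhere.
resolved_ips_local() {
    resolved=$1
    local_ips=$2
    [ -n "$resolved" ] || return 1
    for ip in $resolved; do
        case " $local_ips " in
            *" $ip "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Live run on the Zentyal host: ./precheck.sh --live
if [ "${1:-}" = "--live" ]; then
    host=$(hostname -s)
    domain=$(hostname -d)
    # Resolve through the system resolver, which must be Zentyal's own DNS.
    resolved=$(getent ahostsv4 "$host.$domain" | awk '{print $1}' | sort -u | tr '\n' ' ')
    local_ips=$(ip -4 -o addr show scope global | awk '{sub(/\/.*/, "", $4); print $4}' | tr '\n' ' ')
    rc=0
    netbios_ok "$host" "$domain" \
        || { echo "FAIL: host name '$host' equals the NetBIOS name derived from '$domain'"; rc=1; }
    resolved_ips_local "$resolved" "$local_ips" \
        || { echo "FAIL: $host.$domain resolves to [$resolved]; local addresses are [$local_ips]"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $host.$domain -> $resolved"
    exit "$rc"
fi
```
<br />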
<br />
<br />
Once you have enabled Users, Computers and File Sharing you can provide file sharing functionality, join Windows clients to your Zentyal server,<br />
configure and link Group Policy Objects, and accept connections from additional controllers, either Windows Server® or Zentyal.<br />
<br />
Probably one of the first operations you need to perform in your domain is to '''create a user in the directory and add it to the ''Domain Admins'' group''';<br />
this gives the user full effective permissions over the domain.<br />
<br />
[[File:en-5.0-images-directory-adminuser.png|center|frame|Adding a user to the Domain Admins group]]<br />
<br />
<br />
<div id="joining-a-windows-client-to-the-domain"></div><br />
=Joining a Windows client to the domain=<br />
<br />
The process of joining a Windows Client to your domain is identical to joining with a Windows Server®.<br />
<br />
First of all, you need to use the ''Domain Admin'' user that you created.<br />
<br />
Now, accessing the Windows client:<br />
<br />
* Make sure the Zentyal server and the Windows client can reach each other through a local network<br />
<br />
* Make sure the Windows client has Zentyal as its DNS server<br />
<br />
* Make sure both server and client are accurately time-synchronized using NTP<br />
<br />
<br />
After checking the preconditions, you can join the domain the usual way:<br />
<br />
[[File:en-5.0-images-filesharing-join_win1.png|center|frame|Joining a domain with Windows]]<br />
<br />
You will then enter the ''Domain Admin'' credentials to join:<br />
<br />
[[File:en-5.0-images-filesharing-join_win2.png|center|frame|Domain Admin credentials]]<br />
<br />
After the process is complete, the Windows host will appear under the ''Computers OU''<br />
and will apply the configured GPOs and obtain Kerberos tickets automatically (See sections below).<br />
<br />
[[File:en-5.0-images-filesharing-join_win3.png|center|frame|Windows host in the LDAP tree]]<br />
<br />
Now you can log in to your Windows client using the users created in Zentyal's LDAP.<br />
<br />
<br />
<div id="kerberos-authentication-system"></div><br />
=Kerberos Authentication System=<br />
<br />
Kerberos is an automatic authentication service that integrates with Samba4/Active Directory<br />
and all the compatible services across your domain.<br />
<br />
The client only needs to provide credentials once to obtain the "main" ticket, the ''Ticket Granting Ticket'' (''TGT'').<br />
<br />
This happens automatically on a Windows client joined to the domain: the login credentials are sent to a<br />
''Domain Controller'' (any of them) and, if the LDAP user is valid, the controller automatically provides<br />
the ''TGT'' to the client, along with the other tickets needed for file sharing.<br />
<br />
You can list the tickets currently active in your client using the command ''klist'':<br />
<br />
[[File:en-5.0-images-filesharing-winkrb.png|center|frame|Kerberos tickets after domain login]]<br />
<br />
On Debian/Ubuntu systems it is also possible to obtain the Kerberos ''TGT'' by installing the package ''heimdal-clients'':<br />
<br />
[[File:en-5.0-images-filesharing-ubuntukrb.png|center|frame|Obtaining Kerberos TGT in Ubuntu]]<br />
<br />
Once the client has obtained the Kerberos ''TGT'', all the other Kerberos-compatible services in your domain will<br />
accept Kerberos tickets, which are automatically issued on demand to authenticate the users.<br />
<br />
This mechanism has two main advantages:<br />
<br />
* Security: passwords are never sent across the local network; the ticket exchange is designed to resist sniffing and replay.<br />
<br />
* Convenience: the user only needs to provide credentials once; the other authentication tickets are obtained transparently.<br />
<br />
<br />
Zentyal services currently compatible with Kerberos authentication:<br />
<br />
* Samba File Sharing (SMB/CIFS)<br />
<br />
* Electronic mail<br />
<br />
<br />
<br />
<div id="changing-the-user-password"></div><br />
=Changing the user password=<br />
<br />
Zentyal's administrator can change the password of any user from the web interface. In most cases, however, it is more convenient for<br />
users to be able to change their own password without having to notify the administrator.<br />
<br />
If you are using a Windows client joined to the Samba domain, you can change the password directly after logging in as a domain user, and the<br />
change will be reflected on the server.<br />
<br />
From a Linux client, you need to install the package ''heimdal-clients'' and then run:<br />
<br />
<pre><br />
$ kinit <user>@DOMAIN<br />
$ kpasswd<br />
</pre><br />
<br />
For example:<br />
<br />
<pre><br />
$ kinit user1@ZENTYAL-DOMAIN.LAN<br />
user1@ZENTYAL-DOMAIN.LAN's Password:<br />
$ kpasswd<br />
user1@ZENTYAL-DOMAIN.LAN's Password:<br />
New password:<br />
Verify password - New password:<br />
Success : Password changed<br />
</pre><br />
<br />
<div id="group-policy-objects"></div><br />
=Group Policy Objects=<br />
<br />
Group Policy Objects are policies associated with containers of the Domain.<br />
<br />
Using GPOs, you can automatically configure and enforce policies, either global policies for the whole<br />
domain or specific policies for ''Organizational Units'' or ''Sites''.<br />
<br />
Typical uses of the GPOs include:<br />
<br />
* Installing and upgrading software packages without user intervention<br />
<br />
* Configuring an HTTP proxy in the browsers, or the domain's ''Certification Authority''<br />
<br />
* Deploying scripts to be executed in the client at login or logoff time<br />
<br />
* Restricting which parts of the Windows client configuration the user is allowed to change<br />
<br />
<br />
It's possible to create and enforce any GPO using a Windows client joined to the domain. After installing the Microsoft RSAT tools and logging into the client with the<br />
''Domain Admin'' LDAP account, you use the RSAT interface to design the desired GPO.<br />
<br />
[[File:en-5.0-images-filesharing-rsat.png|center|frame|Managing GPO from RSAT tools in a Windows client]]<br />
<br />
The GPOs will be automatically added to the domain SYSVOL and enforced by the Zentyal server.<br />
<br />
<br />
<div id="joining-zentyal-server-to-an-existing-domain"></div><br />
=Joining Zentyal server to an existing domain=<br />
<br />
Integrating Samba4 technologies, Zentyal is able to become an ''Additional Controller'' of an existing domain,<br />
joining a Windows Server® or any Samba4-based controller, like another Zentyal server.<br />
<br />
After the domain join, the LDAP, the DNS domain associated with Samba (the local domain), Kerberos and SYSVOL information will be transparently replicated.<br />
<br />
There are some points to verify before joining an existing domain as an additional controller:<br />
<br />
* Zentyal's local LDAP data will be destroyed, since it will be overwritten with the domain's LDAP information<br />
<br />
* All the controllers have to be accurately time-synchronized, preferably using NTP<br />
<br />
* When the users are synchronized from the other controller, Zentyal will create their associated ''/home/<username>''<br />
directories; check that these will not collide with pre-existing home directories<br />
<br />
* All the controllers have to belong to the same domain<br />
<br />
* DNS configuration is critical: the other domain controllers will push their information to the IP address provided<br />
by your DNS system<br />
<br />
<br />
If you have external IPs associated with your hostname (e.g. zentyal.zentyal-domain.lan), you may have synchronization<br />
problems if any of the controllers tries to use that IP to push data. Even if you only have several internal IPs, you<br />
may have the same problem, because the DNS server rotates its answers round-robin. In that case,<br />
you may want to uncomment ''sortlist = yes'' in the ''/etc/zentyal/dns.conf'' file and restart the DNS server. This way,<br />
the DNS server will always put first the IP address that is on the same network as the client making the query.<br />
<br />
Once you have checked all the points, you can join the domain from Domain ‣ Settings:<br />
<br />
[[File:en-5.0-images-filesharing-join_windows.png|center|frame|Joining the domain as an additional controller of a Windows Server]]<br />
<br />
Saving the changes will take longer than usual, because Samba4 will be reprovisioned and all the domain information replicated.<br />
<br />
[[File:en-5.0-images-filesharing-zentyal_synced.png|center|frame|Zentyal LDAP tree synchronized with the Windows Server]]<br />
<br />
Exploring the LDAP tree from the Windows Server will also show the new domain controller:<br />
<br />
[[File:en-5.0-images-filesharing-windows_synced.png|center|frame|Windows LDAP tree showing the new controller]]<br />
<br />
From now on, DNS, LDAP and Kerberos information will be synchronized both ways. You can manipulate<br />
the LDAP information (users, groups, OUs) in any of the controllers and the information will be<br />
replicated to the others.<br />
<br />
The process of joining to another Zentyal server is exactly the same.<br />
<br />
<br />
<div id="total-migration"></div><br />
=Total Migration=<br />
<br />
All the domain controllers hold the domain information mentioned above; however, there are some specific roles<br />
that belong to a specific server host. These are called ''FSMO roles'' or ''Operations Masters''.<br />
<br />
Operations Masters are critical to the functioning of the domain; there are five FSMO roles:<br />
<br />
* Schema master: LDAP schema master, defines and pushes updates of the LDAP format<br />
<br />
* Domain naming master: Creates and Deletes the domains of the forests<br />
<br />
* Infrastructure master: Provides domain-unique GUID, SID and DN IDs<br />
<br />
* Relative ID Master: relative IDs assigned to the ''Security Principals''<br />
<br />
* PDC Emulator: Compatibility with Windows 2000/2003 hosts, root time server<br />
<br />
<br />
Using the ''Total Migration'' script you can transfer all these roles to a Zentyal server joined to the domain.<br />
<br />
From the ''/usr/share/zentyal-samba'' directory:<br />
<br />
<pre><br />
administrator@zentyal:/usr/share/zentyal-samba$ sudo ./ad-migrate<br />
WARNING: This script will transfer all FSMO roles from the current owners to<br />
the local server.<br />
After all roles has been successfully transferred, you can shutdown<br />
the other domain controllers.<br />
Do you want to continue [Y/n]? Y<br />
<br />
Checking server mode...<br />
<br />
Checking if server is provisioned...<br />
<br />
Synchronizing sysvol share...<br />
syncing [SYSVOL] files and directories including ACLs, without DOS Attributes<br />
<br />
Transferring FSMO roles...<br />
Transferring Schema Master role from owner: CN=NTDS Settings,...<br />
Transferring Domain Naming Master role from owner: CN=NTDS Settings,...<br />
Transferring PDC Emulation Master role from owner: CN=NTDS Settings,...<br />
Transferring RID Allocation Master role from owner: CN=NTDS Settings,...<br />
Transferring Infrastructure Master role from owner: CN=NTDS Settings,...<br />
<br />
Migrated successfully!<br />
</pre><br />
<br />
From now on, Zentyal is the only critical controller in the domain, and all the features should continue working even if you turn off the other<br />
controllers, apart from scalability and network considerations.<br />
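<br />
The outcome of the migration can be verified by comparing the role owners printed by the standard Samba command ''samba-tool fsmo show'' against the local server name. The script below is an added example and not part of Zentyal or Samba; the ''samba-tool'' output it embeds is constructed, and it assumes that ''hostname -s'' matches the server's CN inside the NTDS Settings DN.<br />
<br />
```sh
#!/bin/sh
# Post-migration check: confirm that the five FSMO roles transferred by
# ad-migrate are now owned by this Zentyal server, based on the output of
# `samba-tool fsmo show`. Added example for this guide; not part of Zentyal.

# The five roles listed in the guide, using the identifiers samba-tool prints.
FSMO_ROLES="SchemaMasterRole DomainNamingMasterRole InfrastructureMasterRole RidAllocationMasterRole PdcEmulationMasterRole"

# Constructed sample of `samba-tool fsmo show` output after a successful
# migration to a server named ZENTYAL (real output may list extra DNS roles).
SAMPLE_ALL_LOCAL='SchemaMasterRole owner: CN=NTDS Settings,CN=ZENTYAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zentyal-domain,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=ZENTYAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zentyal-domain,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=ZENTYAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zentyal-domain,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=ZENTYAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zentyal-domain,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=ZENTYAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=zentyal-domain,DC=lan'

# Constructed sample of an incomplete migration: the PDC Emulator is still
# held by the old Windows controller WINSRV.
SAMPLE_PDC_REMOTE=$(printf '%s\n' "$SAMPLE_ALL_LOCAL" \
    | sed 's/^\(PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\)ZENTYAL,/\1WINSRV,/')

# Print the server name (second CN of the NTDS Settings DN) that owns role $2
# in the samba-tool output $1; prints nothing if the role is not listed.
fsmo_owner() {
    printf '%s\n' "$1" | sed -n "s/^$2 owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p" | head -n 1
}

# Print every role from FSMO_ROLES that is NOT owned by server $2 (compared
# case-insensitively) together with its current owner. Prints nothing and
# returns 0 when all five roles are local; returns 1 otherwise.
fsmo_not_local() {
    want=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    rc=0
    for role in $FSMO_ROLES; do
        have=$(fsmo_owner "$1" "$role" | tr 'a-z' 'A-Z')
        if [ "$have" != "$want" ]; then
            printf '%s owned by %s\n' "$role" "${have:-<unknown>}"
            rc=1
        fi
    done
    return $rc
}

# Live run on the migrated Zentyal server: sudo ./fsmo-check.sh --live
if [ "${1:-}" = "--live" ]; then
    if fsmo_not_local "$(samba-tool fsmo show)" "$(hostname -s)"; then
        echo "All FSMO roles are held by $(hostname -s)"
    else
        exit 1
    fi
fi
```
<br />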
<br />
<br />
<div id="know-limitations"></div><br />
=Known Limitations=<br />
<br />
It's important to check the list of current known limitations of Samba4 before planning your domain:<br />
<br />
* Only one domain per forest; Samba doesn't support multiple domains<br />
<br />
* Your hostname cannot match your NetBIOS name. The NetBIOS name is generated from the<br />
leftmost label of the domain, so, for example, if your hostname is 'zentyal' your domain cannot be<br />
'zentyal.lan', but it could be 'zentyal-domain.lan'<br />
<br />
* The functional level of the forest and the domain has to be at least 2003 R2; the current maximum is 2008 R2<br />
<br />
* Trust relationships between domains and forests are not supported<br />
<br />
* GPOs will not be synced; this can be worked around manually by following the official Samba documentation: [https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround]<br />
<br />
<br />
<br />
<br />
<br />
[[Category:Documentation]]</div>