Samba 4 has become the tool of choice for companies with diverse clients that seek a Linux-based central identity management. However, a growing number of organizations are offering work from home options and manage distributed operations like construction companies with a computer at every construction site or an insurance provider with several offices. The securing of all authentication processes when employees log in your network also from outside, is critical to protect your data.
But how to do that?
You need to add a VPN solution which starts before the login if you want to enjoy the advantages of single sign-on and policies that Samba provides. The following how-to will describe how to add OpenVPN to an existing Samba 4 installation to automatically secure client authentications over an untrusted network.
Most Linux distributions will come with the needed software preinstalled.
For this tutorial, we assume that you already have Samba 4 and a certificate authority installed on your server. If you are looking for a distribution with Samba 4 and a certificate authority integrated, you can quickly spin up a Univention Corporate Server, that also makes user management easy. On Debian or Ubuntu you can use the easy-rsa tools to manually create the certificate authority.
The article Build a Real VPN with OpenVPN provides an introduction to how to set up OpenVPN’s Public Key Infrastructure (PKI).
In addition, the OpenVPN documentation in Debian at “/usr/share/doc/openvpn/examples/easy-rsa/2.0/” provides many useful tools for setting up a certification authority for OpenVPN.
The server or virtual machine needs a fixed IP or uses a service, For example, DynDNS, to be localizable from the Internet without the end user having to take additional steps.
OpenVPN is an open source virtual network daemon, whose client allows a computer to access a remote server securely. Most distributions have OpenVPN included in their repository. Thus it can be installed using the package management system. On Debian-based systems such as Debian, Ubuntu, or UCS:
$ sudo apt-get install openvpn
Configuring an OpenVPN Server
Upon startup of OpenVPN the software scans the directory /etc/openvpn for files ending in “.conf” and starts a separate server process for each of them. Thus, the following configuration files, copied into “/etc/openvpn/clientconnect .conf”, should automatically be run upon restarting the OpenVPN.
Please note, that lines starting with “#” denote a comment and that you will need to change values depending on your environment.
## The following entries should point to your certificate information. ## Encryption parameters dh /etc/openvpn/dh2048.pem ## Certificate Authority Certificate ca /etc/univention/ssl/ucsCA/CAcert.pem ## Server Certificate cert /etc/univention/ssl/master/cert.pem ## Private key for the Server Certificate key /etc/univention/ssl/master/private.key ## Certficate Revocation List crl-verify/etc/openvpn/crl.pem ## Encryption Cypher to use for the VPN cipher AES-256-CBC ## Compression algorithm to use comp-lzo ## Persistent endpoint addresses ## Always give the same IP to a device ifconfig-pool-persist ipp.txt ## Push route for the server network push "route 10.210.0.0 255.255.0.0" push "redirect-gateway def1" ## Set the current server as the DNS server for domain server ## Change the IP to the internal IP of the server push "dhcp-option DNS 10.210.140.219" ## Push the server's domain as DNS domain push "dhcp-option DOMAIN outsidevpn.univention.com" ## Additional server configuration keepalive 10 120 persist-key persist-tun ## Configure the logfile and the verbosity verb 1 mute 5 status /var/log/openvpn-status.log ## The port on which the VPN Server should listen on port 1194 ## The network to use for communication within the VPN server 172.24.1.0 255.255.255.0 ## Additional network settings management /var/run/management-udp unix dev tun topology subnet proto udp
In most cases the diffie hellman parameters file has to be created. The matching command is
$ sudo openssl dhparam -out "/etc/openvpn/dh2048.pem" 2048
for Debian / Ubuntu:
$ sudo ./easyrsa gen-dh
On UCS, the revoked certificates have to be converted between formats
$ sudo -- sh -c "/usr/bin/wget -qO /etc/openvpn/ca.crl http://$(/usr/sbin/ucr get ldap/master)/ucsCA.crl && /usr/bin/Openssl crl -inform der -outform pem -in /etc/openvpn/ca.crl -out /etc/openvpn/crl.pem"
As certificates might be retracted when exposed, it would be advisable to set up a cron job to periodically convert the list.
You might also need to open the firewall. Please note, the article assumes, that the port in the configuration above remains unchanged. If not, please change it in the following commands as well.
On UCS that can be achieved using the configuration registry
$ sudo ucr set security/packetfilter/udp/1194/all=ACCEPT $ sudo service univention-firewall restart
On Debian and Ubuntu you can manually add the port to your IP tables configuration
$ sudo iptables -A INPUT -p "udp" --dport 1194 -j ACCEPT
Creating the Client Configuration
The client configuration consists of two parts – one for the client certificates and one for the configuration file.
The client certificates are easy to set up:
On Debian/Ubuntu servers the following commands create the certificates for a single client.
$ sudo /usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool clientname
On the UCS Master, the following command creates the certificates for all current and future clients. They are saved in “/etc/univention/ssl/”
$ sudo ucr set ssl/host/objectclass= 'univentionDomainController, univentionMemberServer, univentionClient, univentionMobileClient, univentionCorporateClient, univentionWindows' $ sudo univention-directory-listener-ctrl resync gencertificate
The client configuration file itself is the same for every system. Adapt the following settings according to your need and save it as clientconfig.opnv
## client protocol and devices client dev tun proto udp ## Server address and port ## Change to match your external address remote 220.127.116.11 1194 ## Hostname of the Server verify-x509- name master name-prefix ## Client configuration resolv-retry infinite nobind persist-key persist-tun ## Certificate names and locations ca CAcert.pem cert cert.pem key private.key ## Encryption configuration cipher AES-256-CBC comp-lzo ## Logging verbosity verb 3
Copy this configuration file, the root CA, on UCS /etc/univention/ssl/ucsCA/CAcert.pem, and the client certificates to C:\Program Files\OpenVPN\config\clientconfig
Autostart the VPN Client
To automatically start OpenVPN on the client, go to control panel, select small icons, go to administrative tools and then services.
Here choose the OpenVPN service, right-click on properties, and change the startup type to automatic. At the next reboot, the configuration from above for OpenVPN will automatically start.
Due to the fact that NetBIOS is not transferred without any additional manual changes, the domain join has to be completed using the full domain name.
After a reboot, you should be able to log in to the client as a domain user.
While the setup provides the most convenience of connecting a computer to an offsite Samba-based domain controller, it also presents a risk.
A stolen PC will always have access to the domain, allowing a thief to test numerous user name and password combinations. Strong password policies can help to minimize the risk as can organizational policies regarding stolen computers. Extending the setup with smart card encrypted certificates, however, would present the most secure option.
The automation of the VPN connection in conjunction with Samba-based DCs provides a convenient, yet secure access to central authentication and policy services. This technique allows offsite users and computers to authenticate using centralized credentials and load domain wide settings. It thus contributes to enforcing compliance policies. At the same time, it enhances the user experience by reducing the number of credentials and steps needed to start productive work. In conjunction with UCS, the combination of OpenVPN and Samba provides on top an easy to manage Linux-based identity management solution.
Find further information on OpenVPN with UCS in the Univention App Catalog.