Secure your Samba Authentications Automatically via OpenVPN
Samba 4 has become the tool of choice to provide Linux-based identity management to diverse clients.
However, a growing number of organizations are offering work from home options and manage distributed operations, like construction companies with a computer at every construction site or a medical service provider with one person doctors offices.
If these companies want to enjoy the advantages of single sign-on and policies that Samba provides, a VPN solution, which starts before the login, needs to be added to the domain. This how-to will describe how to add OpenVPN to an existing Samba 4 installation to automatically secure client authentications over an untrusted network.
Most Linux distributions will come with the needed software preinstalled. For this tutorial, we assume that you already have Samba 4 and a certificate authority installed on your server. If you are looking for a distribution with Samba 4 and a certificate authority integrated, you can quickly spin up a Univention Corporate Server, that also makes user management easy. On Debian or Ubuntu, you can use the easy-rsa tools to manually create the certificate authority
The article https://www.linux.com/learn/intro-to-linux/2017/3/build-real-vpn-openvpn provides an intro no how to set up OpenVPNs PKI.
Further, the OpenVPN Documentation, in Debian at /usr/share/doc/openvpn/examples/easy-rsa/2.0/, provides many usefull tools to setting up a certificate authority for OpenVPN.
The server or virtual machine needs a fixed IP or utilize a service, such as DynDNS, to be locatable from the Internet without additional steps to be undertaken by the end user.
OpenVPN is an open source virtual network daemon, whose client allows a computer to access a remote server securely. Most distributions have OpenVPN included in their repository. Thus it can be installed using the package management system. On Debian-based systems such as Debian, Ubuntu, or UCS:
$ sudo apt-get install openvpn
Configuring OpenVPN Server
Upon startup of OpenVPN the software scans the directory /etc/openvpn for files ending in ".conf" and starts a separate server process for each of them. Thus, the following configuration files, copied into "/etc/openvpn/clientconnect .conf", should automatically be run upon restarting the OpenVPN.
Please note, that lines starting with "#" denote a comment and that you will need to change values depending on your environment.
## The following entries should point to your certificate information. ## Encryption parameters dh /etc/openvpn/dh2048.pem ## Certificate Authority Certificate ca /etc/univention/ssl/ucsCA/CAcert.pem ## Server Certificate cert /etc/univention/ssl/master/cert.pem ## Private key for the Server Certificate key /etc/univention/ssl/master/private.key ## Certificate Revocation List crl-verify /etc/openvpn/crl.pem ## Encryption Cypher to use for the VPN cipher AES-256-CBC ##Compression algorithm to use comp-lzo ## Persistent endpoint addresses ## Always give the same IP to a device ifconfig-pool-persist ipp.txt ## Push route for the server network push "route 10.210.0.0 255.255.0.0" push "redirect-gateway def1" ## Set the current server as the DNS server for domain server ## Change the IP to the internal IP of the server push "dhcp-option DNS 10.210.140.219" ## Push the server's domain as DNS domain push "dhcp-option DOMAIN outsidevpn.univention.com" ## Additional server configuration keepalive 10 120 persist-key persist-tun ## Configure the logfile and the verbosity verb 1 mute 5 status /var/log/openvpn-status.log ## The port on which the VPN Server should listen on port 1194 ## The network to use for communication within the VPN server 172.24.1.0 255.255.255.0 ## Additional network settings management /var/run/management-udp unix dev tun topology subnet proto udp
In most cases the diffie hellman parameters file has to be created. The matching command is
$ sudo openssl dhparam -out "/etc/openvpn/dh2048.pem" 2048
$ sudo ./easyrsa gen-dh
On UCS, the revoked certificates have to be converted between formats
sudo -- sh -c "/usr/bin/wget -qO /etc/openvpn/ca.crl http://$(/usr/sbin/ucr get ldap/master)/ucsCA.crl && /usr/bin/openssl crl -inform der -outform pem -in /etc/openvpn/ca.crl -out /etc/openvpn/crl.pem"
As certificates might be retracted when exposed, it would be advisable to set up a cron job to periodically convert the list.
You might also need to open the firewall. Please note, the article assumes, that the port in the configuration above remains unchanged. If not, please change it in the following commands as well.
On UCS that can be achieved using the configuration registry
$ sudo ucr set security/packetfilter/udp/1194/all=ACCEPT $ sudo service univention-firewall restart
On Debian and Ubuntu you can manually add the port to your IP tables configuration
$ sudo iptables -A INPUT -p "udp" --dport 1194 -j ACCEPT
Creating the Client Configuration
The client configuration consists of two parts - one for the client certificates and one for the configuration file.
The client certificates are easy to set up:
On Debian/Ubuntu servers the following commands create the certificates for a single client.
$ sudo /usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool clientname
On the UCS Master, the following command creates the certificates for all current and future clients. They are saved in "/etc/univention/ssl/"
$ sudo ucr set ssl/host/objectclass='univentionDomainController,univentionMemberServer,univentionClient,univentionMobileClient,univentionCorporateClient,univentionWindows' $ sudo univention-directory-listener-ctrl resync gencertificate
The client configuration file itself is the same for every system. Adapt the following settings according to your need and save it as clientconfig.opnv
## client protocol and devices client dev tun proto udp ## Server address and port ## Change to match your external address remote 126.96.36.199 1194 ## Hostname of the server verify-x509-name master name-prefix ## Clint configuration resolv-retry infinite nobind persist-key persist-tun ## Certificate names and locations ca CAcert.pem cert cert.pem key private.key ## Encryption configuration cipher AES-256-CBC comp-lzo ## Logging verbosity verb 3
Copy this configuration file, the root CA, on UCS /etc/univention/ssl/ucsCA/CAcert.pem, and the client certificates to C:\Program Files\OpenVPN\config\clientconfig
Autostart the VPN Client
To automatically start OpenVPN on the client, go to control panel, select small icons, go to administrative tools and then services.
Here choose the OpenVPN service, right-click on properties, and change the startup type to automatic. At the next reboot, the configuration from above for OpenVPN will automatically start.
Due to the fact that NetBIOS is not transferred without any additional manual changes, the domain join has to be completed using the full domain name.
After a reboot, you should be able to log in to the client as a domain user.
While the setup provides the most convenience of connecting a computer to an offsite Samba-based domain controller, it also presents a risk.
A stolen PC will always have access to the domain, allowing a thief to test numerous user name and password combinations. Strong password policies can help to minimize the risk as can organizational policies regarding stolen computers. Extending the setup with smart card encrypted certificates, however, would present the most secure option.
The automation of the VPN connection in conjunction with Samba-based DCs provides a convenient, yet secure access to central authentication and policy services. This technique allows offsite users and computers to authenticate using centralized credentials and load domain wide settings. It thus contributes to enforcing compliance policies. At the same time, it enhances the user experience by reducing the number of credentials and steps needed to start productive work. In conjunction with UCS, the combination of OpenVPN and Samba provides on top an easy to manage Linux-based identity management solution.