Let's have a look at some tools to help you with your RBAC/ABAC journey when securing your environment, without breaking the bank on Enterprise-grade tooling but still providing the functionality. Although you can find Cloud Providers that will help you set up a level of IAM against your hypervisor, there may be a requirement to have something validating machine authentication inside the environment that security will want your project to use. But what tools can we use, without breaking the bank on a Microsoft product, that will work with all our various Operating Systems when we have to cater for more than one type of machine?
No matter what your system, from Windows to pure DOS or OS/2 computers, you can leverage Samba to communicate to and from those systems. This is because Samba (ab)uses the Server Message Block (SMB) protocol, which was originally used by Windows alone to communicate with other nodes of its kind. Using Samba, you can have your Linux systems map drives into the Windows systems, and you can even (more appropriately) have Windows systems map drives to Linux systems.
A Bit of History
The Samba project originally wanted to create interoperability for each OS, enabling more systems to take advantage of the RBAC/ABAC systems Microsoft were developing for their Enterprise users, such as Active Directory. At the time, this technology was closed-source and Microsoft (M$) wouldn't let the Samba engineers near their code or schematics. This led the team to reverse engineer the entire protocol. As they found out more, or had to evolve to meet changes from Microsoft, who would frequently try to shake them off, they persevered to create the system we all know and love today!
Because of that hard work, Microsoft has relented, and Samba will now easily let you mimic file, print and even domain services on a Linux system, which will save you money and allow for easier RBAC/ABAC administration within your organisation to help fulfil Security requirements!
Installation
Don't be fooled - Domains not really needed!
When I first started playing with Samba I was baffled by a lot of the configuration options. These, as well as the guides found on the internet at the time, all pointed to needing to set up a domain. Well, dear reader, this is FALSE! You can survive happily without the domain and make use of the other services the Application Suite provides!
However, if you are finding yourself joining a domain, make sure you remember to SYNC THOSE PASSWORDS!
Syncing your passwords
The below is a rundown of the smbpasswd command, which we will use to sync our password across the Domain we have joined. We should all be familiar with the general syntax of the passwd command within Linux, and smbpasswd is very similar!
Once we have established our connection and the daemon is running happily, we will need to add ourselves as a user with the following:
$ sudo smbpasswd -a phardy
Once this has been done we will THEN need to enable this user, else we will be scratching our heads wondering why we cannot use our network services:
$ sudo smbpasswd -e phardy
Once we are enabled, let's change our password and get everything set up for us to explore the Domain:
$ sudo smbpasswd phardy
In more advanced configurations we can play with the configuration file located at /etc/samba/smb.conf and tweak options to enable automatic syncing, but this is beyond the scope of this document. I intend to write another post on the different automation techniques at a later date.
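To confirm the enable step above actually took effect, the following added example (not part of the original post) audits smbpasswd-format records, such as those printed by `sudo pdbedit -L -w`, and reports accounts that are disabled or need no password. The sample records, the user names other than phardy, and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag Samba accounts that cannot log in (or need no password)
# from smbpasswd-format records, e.g. the output of `sudo pdbedit -L -w`.
# Record layout: user:uid:LM-hash:NT-hash:[flags]:LCT-<hex time>:
# Flags used here: U = user account, D = disabled, N = no password required.

# Constructed sample input; the hash fields are dummy values, not real credentials.
sample_records() {
cat <<'EOF'
phardy:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-5F000000:
backup:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[DU         ]:LCT-5F000001:
guest1:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-5F000002:
EOF
}

# Reads records on stdin and prints "user status" for every user account.
audit_accounts() {
    awk -F: '
        NF < 5 { next }                    # skip malformed lines
        {
            flags = $5
            gsub(/[^A-Z]/, "", flags)      # "[DU         ]" -> "DU"
            if (flags !~ /U/) next         # ignore machine/trust accounts
            status = "ok"
            if (flags ~ /N/) status = "no-password"
            if (flags ~ /D/) status = "disabled"
            print $1, status
        }'
}

# usage: account_status USER < records   -> ok | disabled | no-password | missing
account_status() {
    audit_accounts | awk -v u="$1" '
        $1 == u { print $2; found = 1 }
        END     { if (!found) print "missing" }'
}

# Stand-alone run over the constructed sample.
sample_records | audit_accounts
```

A "disabled" or "missing" result for your own user is the head-scratching case described above: the account exists in Linux but Samba will refuse it.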
Make sure the domain and workgroup match!
This is another common setup flaw I have seen around. When Samba is installed for the first time, it will default to the workgroup name SAMBA. If you are integrating your Server into a Windows environment, this will not help!
Update your configuration file to match the domain name and restart the Samba daemons to correct any issues between these. By doing this you will be able to match a lot of the functionality that an AD system has. However, you will not be able to control these instances with Group Policy from the Windows side. This is a time when a 3rd party provisioner like Ansible, Chef or Puppet will be handy to provide regulation across the estate!
Once properly configured, a Samba-enabled Linux system will look exactly like a Windows system; to the casual observer it would be extremely difficult to tell the difference. For fun you can mimic the Windows version of your choice and make the system report itself as such.
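A way to catch the workgroup mismatch before restarting the daemons, as an added example that is not from the original post: it reads an smb.conf on stdin and compares the workgroup in [global] with the domain you expect. The sample configuration, the expected name CORP, and the function names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare the workgroup set in smb.conf with the expected domain.
# On a live host `testparm -s` prints the parsed configuration; this version
# parses the file text directly so it also runs offline.

sample_conf() {   # constructed smb.conf fragment
cat <<'EOF'
# global settings
[global]
    ; workgroup = OLDNAME
    workgroup = SAMBA
    security = user

[share]
    path = /srv/share
EOF
}

# Print the workgroup assigned in [global] (last assignment kept), empty if unset.
conf_workgroup() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/   { s = tolower($0); gsub(/[ \t\r]/, "", s)
                        in_global = (s == "[global]"); next }
        in_global {
            eq = index($0, "=")
            if (!eq) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            if (key != "workgroup") next
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            wg = val
        }
        END { print wg }'
}

# usage: workgroup_matches EXPECTED < smb.conf   (case-insensitive compare)
workgroup_matches() {
    wg_have=$(conf_workgroup | tr '[:lower:]' '[:upper:]')
    wg_want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    [ -n "$wg_have" ] && [ "$wg_have" = "$wg_want" ]
}

# Stand-alone run: CORP is a hypothetical domain name.
sample_conf | workgroup_matches CORP || echo "workgroup mismatch: $(sample_conf | conf_workgroup)"
```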
Wrap up!
Even if you are not using Samba in the wild, it can be a fun experiment to set up and play with. It's a cool project and can be used in a hobbyist context as well as enterprise. I have previously set this up to enable better network services site to site for my parents, which allowed me to perform backups for them as well as remote administration as they needed.
Considering the times, I was amazed at how out of the box it was and how easy the more complex Network configurations and topologies were to configure for my use cases. Plus you learn a lot about LDAPs and AD while you play. For something first released in 1992, Samba has stood the test of time and proved its place in modern networks, providing no-cost interoperability to your heterogeneous environment!