Users and groups¶
Account providers¶
NethServer Enterprise supports authentication and authorization against either a local or remote account provider.
Supported provider types are:
Local OpenLDAP running on NethServer Enterprise itself
Remote LDAP server with RFC2307 schema
Local Samba 4 Active Directory Domain Controller
Remote Active Directory (both Microsoft and Samba)
Only the root user can configure an account provider from the Users & Groups page. Configuration of the account provider cannot be delegated.
Be aware of the following rule about account providers:
Once NethServer Enterprise has been bound to an account provider the FQDN cannot be changed any more
- Remote providers
After NethServer Enterprise has been bound to a remote account provider the User & groups page shows a read-only list of domain accounts.
- Local providers
After installing a local provider (either Samba 4 or OpenLDAP), the administrator can create, modify and delete the users and groups.
Warning
Choose your account provider carefully, because the choice may not be reversible. Also, the system forbids any change to the FQDN once the account provider has been configured.
Choosing the right account provider¶
Besides choosing to bind a remote provider or install a local one, the administrator has to decide which backend type suits their needs.
The File server application of NethServer Enterprise, which enables the File server > Shared folders page, can authenticate SMB/CIFS clients only if NethServer Enterprise is bound to an Active Directory domain. The LDAP providers allow access to shared folders only in guest mode. See Shared folders.
On the other hand, the local OpenLDAP provider is easier to install and configure.
In the end, if the SMB file sharing protocol support is not required, an LDAP provider is the best choice.
OpenLDAP local provider installation¶
To install and configure an OpenLDAP local accounts provider, go to page Users & Groups > [Configure the account provider] > LDAP > Install local LDAP. The system needs a working internet connection to download additional packages.
At the end of the installation the package is automatically configured and the administrator will be able to manage users and groups from the User and groups page.
See Admin account section for more details about default administrative user and group.
Warning
The NethServer Enterprise OpenLDAP account provider does not fully support user password expiration. Refer to Effects of expired passwords for more information.
Samba Active Directory local provider installation¶
When installing Samba Active Directory as local account provider, the system needs an additional IP address and a working internet connection.
The additional IP is assigned to a Linux Container that runs the Active Directory Domain Controller roles and must be accessible from the LAN (green network).
Therefore the additional IP address must satisfy three conditions:
the IP address has to be free; it must not be used by any other machine
the IP address has to be in the same subnet range of a green network
the green network has to be bound to a bridge interface where the Linux Container can attach its virtual interface; the installation procedure can create the bridge interface automatically, if it is missing
To install a local Active Directory accounts provider, go to page Users & Groups > [Configure the account provider] > Active Directory > Create domain and become DC.
The Domain name defines the DNS suffix of the new domain. NethServer Enterprise acts as an authoritative DNS server for that domain. See also DNS and AD domain.
The NetBIOS domain name (also known as "domain short name", "NT domain name") is the alternative Active Directory domain identifier, compatible with older clients. See also Network access.
The DC IP address field must be filled with the additional IP address explained above.
When all fields are filled, press the Create domain button.
Warning
The Active Directory Domain name and NetBIOS domain name values cannot be changed once the domain has been created.
The Active Directory configuration procedure might require some time to run. It creates the Linux Container chroot by downloading additional packages.
The Linux Container root directory is /var/lib/machines/nsdc/ and requires filesystem support for POSIX ACLs. The default XFS filesystem has built-in support for POSIX ACLs and no special configuration is required. For other filesystems (e.g. EXT4) enable the ACLs as explained in Shared folders requirements.
At the end of the procedure, the NethServer Enterprise host machine automatically joins the new Active Directory domain.
The previously assigned IP address can be changed from Users & Groups > Account provider > [Details] > Active Directory IP.
Warning
Changing the Domain Controller IP address can cause problems to Active Directory clients. If they use an external DNS server, update it to use the new IP address.
After installing Samba Active Directory, the Users & groups page has two default entries; both are disabled: administrator and admin. "Administrator" is the default Active Directory privileged account and is not required by NethServer Enterprise; it is safe to keep it disabled. "admin" is defined by NethServer Enterprise as the default system administrative account. It is a member of the AD "domain admins" group. See Admin account section for more details.
DNS and AD domain¶
An Active Directory domain requires a reserved DNS domain to work. It is a good choice to allocate a subdomain of the public DNS domain for it. The AD subdomain can be accessible only from LAN (green) networks.
Example:
- public (external) domain: nethserver.org
- server FQDN: mail.nethserver.org
- Active Directory (internal LAN only) domain: ad.nethserver.org
- domain controller FQDN (assigned by default): nsdc-mail.ad.nethserver.org
Tip
When choosing a domain for Active Directory use an internal domain which is a subdomain of the external domain 1
Installing on a virtual machine¶
Samba Active Directory runs inside a Linux Container which uses a virtual network interface bridged to the network interface of the system. The virtual network interface has to be visible inside the physical network, but often virtualization solutions block ARP traffic. As a result, the Samba Active Directory container is not visible from LAN hosts.
When installing on a virtual environment, make sure the virtualization solution allows traffic in promiscuous mode.
VirtualBox¶
To set up the promiscuous mode policy, select "Allow all" from the drop-down list located in the network settings section.
VMWare¶
Enter the networking configuration section of the virtualization mode and set the virtual switch in promiscuous mode.
KVM¶
Make sure the virtual machine is bridged to a real bridge (like br0) and the bridge is put in promiscuous mode.
It is possible to force a bridge (e.g. br0) into promiscuous mode using this command:
ifconfig br0 promisc
Hyper-V¶
Configure MAC Address Spoofing for Virtual Network Adapters 2
Join an existing Active Directory domain¶
Here NethServer Enterprise is bound to a remote Active Directory account provider. It can be provided by either Samba or Microsoft implementations. In this scenario NethServer Enterprise becomes a trusted server of an existing Active Directory domain. When accessing a NethServer Enterprise resource from a domain workstation, user credentials are checked against one of the domain controllers, and the access to the resource is granted.
Joining an Active Directory domain has the following pre-requisite:
The Kerberos protocol requires that the difference between system clocks in the network be less than 5 minutes. Configure the network clients to align their clocks to a common time source. For NethServer Enterprise go to the Date and time page.
After the prerequisite is fulfilled, proceed to the page Users & Groups > [Configure the account provider] > Active Directory > Join existing Domain Controller.
Enter the Domain name of the AD domain. Press the Check button.
If required, fill the AD DNS server field. Usually it is the IP address of an AD domain controller. Press Check again.
Provide the Username and Password of an AD account with the privilege of joining a computer to the domain. Remember that the default administrator account could be disabled! Press Check again.
If the credentials are valid complete the procedure by pressing Next.
Some applications require an additional configuration step. See also LDAP account for additional applications.
Bind to a remote LDAP server¶
To configure a remote LDAP accounts provider, go to page Users & Groups > Configure the account provider > LDAP > Bind remote LDAP.
Type the LDAP server IP address in the field Hostname or IP. If the LDAP service runs on a non-standard TCP port, specify it in TCP port. Press the Check button to proceed.
Then an LDAP rootDSE query is sent to the specified host and a form is filled with returned data. Check the values are correct then press the Check button again.
If the LDAP server requires authentication, set Bind Type to Authenticated.
Set either ldaps:// in Service URI or enable StartTLS to encrypt the connection.
Tip
If the remote LDAP server is also a NethServer Enterprise installation and it is in the LAN (green) network, select Anonymous bind.
Some applications require an additional configuration step. See also LDAP account for additional applications.
LDAP account for additional applications¶
Some additional applications, like Nextcloud, WebTop, Roundcube, Ejabberd, require a read-only and dedicated user account to perform simple LDAP binds.
For this purpose, the builtin ldapservice account is automatically created in local account providers with limited privileges. Its Bind password and full Bind DN are shown under Users & Groups > Account provider > [Details].
It is recommended to use those credentials to connect external systems to the account provider.
On the other hand, if NethServer Enterprise is bound to a remote account provider follow these steps:
Create a dedicated user account in the remote AD or LDAP provider, then set a complex and non-expiring password for it. As said above, if the remote provider is a NethServer Enterprise too, it already provides ldapservice for this purpose.
Once NethServer Enterprise is successfully bound to a remote AD or LDAP account provider, specify the dedicated user account credentials in Users & Groups > Account provider > Edit provider > Authentication credentials for LDAP applications.
If the remote account provider supports TLS, it is recommended to enable the StartTLS option or use the ldaps:// URI scheme in the Service URI input field to avoid sending clear-text passwords over the network.
Warning
The NethServer Enterprise AD accounts provider supports TLS. MS-Windows AD might require additional setup to enable TLS.
Changing account provider¶
The configured account provider can be removed by root from Users & Groups > Account provider > Change provider.
When the account provider has been removed, existing files owned by users and groups must be removed manually. This is the list of system directories containing users and groups data:
/var/lib/nethserver/home
/var/lib/nethserver/vmail
/var/lib/nethserver/ibay
/var/lib/nethserver/nextcloud
Furthermore, if the account provider is local, any user, group and computer account is erased. A list of users and groups in TSV (Tab Separated Values) format is dumped to /var/lib/nethserver/backup/users.tsv and /var/lib/nethserver/backup/groups.tsv.
See also Import and delete accounts from plain-text files.
Users¶
If a remote AD or LDAP account provider was configured, the Users & Groups page shows read-only lists. It is not possible to modify or delete users and groups from the Server Manager.
On the other hand, if a local AD or LDAP account provider was installed, the Users & Groups page allows creating, modifying and deleting users and groups.
A newly created user remains locked until a password has been set for it. Disabled users are denied access to system services.
When creating a user, the following fields are mandatory:
User name
Full name (name and surname)
A user can be added to one or more groups.
Sometimes you need to block user access to services without deleting the account. The safest approach is:
(optionally) change the user's password to a random one
lock the user using the Lock action
Note
When a user is deleted with a local account provider, the home directory and personal mail box are deleted too.
Changing the password¶
Users can change their password from the /user-settings web page. To enable it see the User settings page.
If the system is bound to an Active Directory account provider, users can also change their password using the Windows tools. In this case you cannot set passwords shorter than 6 characters regardless of the server policies: Windows performs preliminary checks and then sends the password to the server, where it is evaluated according to the configured policies.
Credentials for services¶
The user's credentials are the user name and their password. Credentials are required to access the services installed on the system.
The user name can be issued in two forms: long (default) and short. The long form is always accepted by services. Whether the short form is also accepted depends on the service.
For instance if the domain is example.com and the user is goofy:
- User long name form
goofy@example.com
- User short name form
goofy
To access a shared folder, see also Network access.
User home directories¶
User home directories are stored inside the /var/lib/nethserver/home directory, in order to simplify the deployment of a single-growing partition system.
The administrator can still restore the well-known /home path using a bind mount:
echo "/var/lib/nethserver/home /home none defaults,bind 0 0" >> /etc/fstab
mount -a
Groups¶
A group of users can be granted some permission, such as authorize access to SSH or over a shared folder. The granted permission is propagated to all group members.
The root user can delegate some Server Manager pages to a group, with the Delegations action of Users & Groups > List > [Groups].
See also Admin account, for permissions of the domain admins group.
Admin account¶
If a local AD or LDAP provider is installed, an admin user, member of the domain admins group is created automatically. This account allows access to all configuration pages within the Server Manager. It is initially disabled and has no access from the console.
Tip
To enable the admin account, just set its password.
Where applicable, the admin account is granted special privileges on some specific services, such as joining a workstation to an Active Directory domain.
If NethServer Enterprise is bound to a remote account provider, the admin user and domain admins group can be created manually, if they do not already exist.
If a user or group with a similar purpose is already present in the remote account provider database, but it is named differently, NethServer Enterprise can be configured to rely on it with the following commands:
config setprop admins user customadmin group customadmins
/etc/e-smith/events/actions/system-adjust custom
Password management¶
The system provides the ability to set constraints on password complexity and expiration for local account providers.
Password policies can be changed from the Users & Groups page of the Server Manager.
Complexity¶
The password complexity is a set of minimum conditions for a password to be accepted by the system. You can choose between two different management policies for password complexity:
none: there is no specific control over the password entered, but the minimum length is 7 characters
strong: the password must comply with the following rules:
Minimum length of 7 characters
Contain at least 1 number
Contain at least 1 uppercase character
Contain at least 1 lowercase character
Contain at least 1 special character
At least 5 different characters
Must not be present in the dictionaries of common words
Must be different from the username
Cannot have repetitions of patterns formed by 3 or more characters (for example the password As1.$ AS1. $ is invalid)
If Samba Active Directory is installed, the system will also enable password history
The default policy is strong.
Warning
Changing the default policies is highly discouraged. The use of weak passwords often leads to servers being compromised by external attackers.
Expiration¶
The password expiration is NOT enabled by default.
Each time a user changes his password, the date of the password change is recorded and, if the Force periodic password change option is enabled, the password is considered expired when the Maximum password age has elapsed.
For example, given that the last password was set in January, and in October the Maximum password age is set to 180 days and Force periodic password change is enabled, the password is immediately considered expired (January + 180 days = June!).
Effects of expired passwords¶
Warning
No email notification related to password expiration is sent by the server!
The effects of an expired password depend on the configured accounts provider.
When a password is expired with Active Directory (both local and remote) a user cannot authenticate with any service; with a NethServer Enterprise LDAP accounts provider (both local and remote) some services ignore the password expiration and grant access in any case.
Examples of services that do not fully support the password expiration with NethServer Enterprise LDAP accounts provider:
NextCloud
WebTop (contacts and calendars are available)
...and other services that authenticate directly with LDAP
Import and delete accounts from plain-text files¶
Import users¶
It is possible to create user accounts from a TSV (Tab Separated Values) file with the following format:
username <TAB> fullName <TAB> password <NEWLINE>
Example:
mario <TAB> Mario Rossi <TAB> 112233 <NEWLINE>
then execute:
/usr/share/doc/nethserver-sssd-<ver>/scripts/import_users <yourfilename>
For example, if the users file is /root/users.tsv, execute the following command:
/usr/share/doc/nethserver-sssd-`rpm --query --qf "%{VERSION}" nethserver-sssd`/scripts/import_users /root/users.tsv
Alternative separator character:
import_users users.tsv ','
Import emails¶
It is possible to create mail aliases from a TSV (Tab Separated Values) file with the following format:
username <TAB> emailaddress <NEWLINE>
Then you can use the import_emails script. See Import and delete accounts from plain-text files for a sample script invocation.
Import groups¶
It is possible to create groups from a TSV (Tab Separated Values) file with the following format:
group1 <TAB> user1 <TAB> user2 <NEWLINE>
group2 <TAB> user1 <TAB> user2 <TAB> user3 <NEWLINE>
Example:
faxmaster <TAB> matteo <TAB> luca <NEWLINE>
managers <TAB> marco <TAB> francesco <TAB> luca <NEWLINE>
then execute:
/usr/share/doc/nethserver-sssd-<ver>/scripts/import_groups <yourfilename>
For example, if the groups file is /root/groups.tsv, execute the following command:
/usr/share/doc/nethserver-sssd-`rpm --query --qf "%{VERSION}" nethserver-sssd`/scripts/import_groups /root/groups.tsv
Group management is also available from the command line through the group-create and group-modify events:
signal-event group-create group1 user1 user2 user3
signal-event group-modify group1 user1 user3 user4
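A pre-flight check for the users and groups files described in the two sections above, as an added example (not one of the nethserver-sssd scripts): it parses both formats with a configurable separator, rejects malformed or duplicate rows, reports group members that are missing from the users file, and shows the equivalent signal-event group-create lines. The sample file contents are constructed.

```python
import shlex

# Constructed sample files in the formats shown above (tab-separated).
USERS_TSV = "mario\tMario Rossi\t112233\nluca\tLuca Bianchi\tS3cret!x\n"
GROUPS_TSV = "faxmaster\tmatteo\tluca\nmanagers\tmarco\tfrancesco\tluca\n"


def parse_users(text, sep="\t"):
    """Parse 'username sep fullName sep password' rows into {username: (fullName, password)}."""
    users = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # tolerate blank lines
        fields = line.split(sep)
        if len(fields) != 3 or not all(fields):
            raise ValueError("users line %d: expected 3 non-empty fields" % lineno)
        username, full_name, password = fields
        if any(c.isspace() for c in username):
            raise ValueError("users line %d: whitespace in username %r" % (lineno, username))
        if username in users:
            raise ValueError("users line %d: duplicate username %r" % (lineno, username))
        users[username] = (full_name, password)
    return users


def parse_groups(text, sep="\t"):
    """Parse 'group sep member sep member ...' rows into {group: [members]}."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(sep)
        if len(fields) < 2 or not all(fields):
            raise ValueError("groups line %d: expected a group and at least one member" % lineno)
        if fields[0] in groups:
            raise ValueError("groups line %d: duplicate group %r" % (lineno, fields[0]))
        groups[fields[0]] = fields[1:]
    return groups


def unknown_members(groups, users):
    """Members referenced by any group that the users file does not define."""
    return sorted({m for members in groups.values() for m in members if m not in users})


def group_create_commands(groups):
    """The signal-event group-create lines for each group, shell-quoted."""
    return ["signal-event group-create " + " ".join(shlex.quote(x) for x in [g] + m)
            for g, m in groups.items()]


if __name__ == "__main__":
    users = parse_users(USERS_TSV)
    groups = parse_groups(GROUPS_TSV)
    print("members not in users file:", unknown_members(groups, users))
    print("\n".join(group_create_commands(groups)))
```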
Delete users¶
It is possible to delete user accounts from a file with the following format:
user1
user2
...
userN
Example:
mario <NEWLINE>
then execute:
/usr/share/doc/nethserver-sssd-<ver>/scripts/delete_users <yourfilename>
Tip
You can also use the same import users file to delete the users.
For example, if the users file is /root/users.tsv, execute the following command:
/usr/share/doc/nethserver-sssd-`rpm --query --qf "%{VERSION}" nethserver-sssd`/scripts/delete_users /root/users.tsv
Alternative separator character:
delete_users users.tsv ','