This post shows one way to set up an Active Directory server using Samba. This example creates a virtual server in a Linux Container on a server farm.

Container Setup

First, create a new container:

lxc-create -n samba -t ubuntu -B lvm --vgname farm --fssize 10G

This uses the farm’s Ubuntu version (12.04 Precise Pangolin), which does not have a suitable Samba 4 package, so one needs to be built from source.

Configure the container to auto-start when the host boots:

ln -s /var/lib/lxc/samba/config /etc/lxc/auto/samba

Build Samba

Boot the container, log in and become root.

Ubuntu 12.04 (or even 13.10) does not provide a working Samba 4 package. The solution is to build it from source. First, install the build dependencies:

apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl

(This setup obtained from the Samba Wiki)

When asked for the default Kerberos realm, enter mydomain.co.uk and samba as the Kerberos host.

(optional) The checkinstall tool makes a .deb package from a build tree. Having a package makes for easy re-installation. Install checkinstall:

apt-get install checkinstall

Decide on the version, for example, 4.1.4, and get the source:

apt-get install wget    
cd /usr/src
wget http://samba.org/samba/ftp/stable/samba-4.1.4.tar.gz
tar xf samba-4.1.4.tar.gz
cd samba-4.1.4

An alternative method is to get the source from Samba’s Git repository (this may take some time, however):

apt-get install git
git clone git://git.samba.org/samba.git /usr/src/samba4
cd /usr/src/samba4
git checkout tags/samba-4.1.4

With the source downloaded, build it:

./configure --enable-fhs \
             --prefix=/usr \
             --sysconfdir=/etc \
             --localstatedir=/var \
             --with-configdir=/etc/samba \
             --enable-gnutls \
             --with-pammodulesdir=/lib/x86_64-linux-gnu/security
make

(./configure --help explains the available options)

Then install it, either without using checkinstall:

make install

or, with checkinstall to also make a .deb:

checkinstall make install

Answer the question “The package documentation directory ./doc-pak does not exist. Should I create a default set of package docs? [y]:” with y and then accept the defaults presented afterwards (or change them if you wish). This creates the samba_4.1.4-1.deb package in the source directory and installs it. The package can be copied to other machines and installed with:

dpkg -i samba-4.1.4.amd64.deb

Note: the process using checkinstall was unverified at the time of writing. It’s included here as a note for reference. If in doubt, install without using checkinstall.

Set a Fully-qualified domain name

Edit /etc/hostname and add your unqualified hostname:

samba

Edit /etc/hosts and add the fully qualified domain name to the entry for 127.0.1.1:

127.0.1.1 samba.amajohn.co.uk samba

Test the configuration by opening a terminal and entering the following commands:

  • hostname should output samba
  • hostname -f should output samba.amajohn.co.uk

Resolv.conf

The /etc/resolv.conf file is managed by the resolvconf service, which updates the file automatically whenever network configuration changes.

As the man page describes, it appends the original configuration because its tail file is a symlink to that original. This is undesirable because it affects Samba’s own DNS configuration, so remove the tail file:

rm /etc/resolvconf/resolv.conf.d/tail

Set static network address

Edit /etc/network/interfaces

auto eth0
iface eth0 inet static
address 10.0.100.99
netmask 255.0.0.0
gateway 10.0.0.138
dns-nameservers 127.0.0.1
dns-search mydomain.co.uk

Reboot to effect these changes, or restart networking:

service networking restart

Then cat /etc/resolv.conf should show the line nameserver 127.0.0.1.

Storage

Give the container a filesystem for Samba’s data. Create the mount point for it and then shut down the container:

mkdir /srv/samba
halt

On the host, create a logical volume for the Samba data filesystem:

$ lvcreate --name samba_files --size 10G farm
$ mkfs.ext4 /dev/farm/samba_files

Add the mount point to the container’s fstab configuration /var/lib/lxc/samba/fstab:

/dev/farm/samba_files /var/lib/lxc/samba/rootfs/srv/samba ext4 defaults,user_xattr,acl 0 0

The user_xattr and acl options allow most of the share configuration to be done from Windows; in particular, permission management with real Windows ACLs and multiple entries is much easier when done on Windows.

! The user_xattr and acl options are no longer required on ext4 filesystems because those features are enabled by default; instead, they must be explicitly disabled when they are not wanted. This can be confirmed with tune2fs -l /dev/sdX | grep 'Default mount options'.

Write barriers improve data integrity and are enabled by default on ext4 filesystems. The nobarrier mount option disables them, but doing so is a bad idea! Barriers incur only a small performance overhead.

Re-start the container (lxc-start -n samba) and verify that the filesystem is mounted:

df -h /srv/samba

ntp server

Samba needs a reliable NTP server, so install it:

apt-get install ntp

Review the time servers in /etc/ntp.conf and change them if desired. Some UK servers are:

 server 0.uk.pool.ntp.org
 server 1.uk.pool.ntp.org
 server 2.uk.pool.ntp.org
 server 3.uk.pool.ntp.org

Restart the ntp server and check it’s ok:

service ntp restart
ntpq -p

Verify time has synchronised:

ntpdate -q localhost

Note: it may take a few minutes for time synchronisation to take effect, so repeat the above command if it fails on the first attempt.

Install Samba

Run the provisioning tool:

samba-tool domain provision

Select the “Domain Controller” option when prompted and enter an administrator password when requested. The validity rules are quite fussy; an unacceptable password will be accepted at the prompt but will break the install.

This results in output like:

A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              samba
NetBIOS Domain:        MYDOMAIN
DNS Domain:            mydomain.co.uk
DOMAIN SID:            S-1-5-21-3652504537-2253945729-3606843742

Then copy the generated Kerberos configuration into place:

cp /var/lib/samba/private/krb5.conf /etc

Get the Upstart script for the Samba service:

wget -O /etc/init/samba.conf 'http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=blob_plain;f=debian/samba-ad-dc.upstart;hb=HEAD'

Then manually start samba (Upstart will automatically start/stop it on startup/shutdown):

$ start samba

Now modify the configuration /etc/samba/smb.conf as needed. For example to disable printing:

[global]
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

and to increase logging (only for debugging, please!)

[global]
    log level = 2

Server Tests

The following tests will verify Samba is up and running correctly.

$ host -t SRV _ldap._tcp.mydomain.co.uk
$ host -t SRV _LDAP._TCP.dc._msdcs.mydomain.co.uk
$ host -t SRV _kerberos._udp.mydomain.co.uk
$ host -t A samba.mydomain.co.uk
$ kinit administrator@MYDOMAIN.CO.UK
$ klist
$ smbclient -L localhost -U%

Some background: a Windows client performs a DNS query to locate a domain controller. The query is for a record of the form _LDAP._TCP.dc._msdcs.domainname, where domainname is the local network’s domain.
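The same locator checks as a script, added here as an example (not part of the original post). It assumes the page’s names, DNS domain mydomain.co.uk and DC host samba.mydomain.co.uk, and that the BIND host utility is installed; srv_target parses host’s output so the functions can be exercised without DNS access.

```shell
#!/bin/sh
# Added example (not from the original post): automate the "Server Tests"
# queries and check that every DC locator record points at the domain
# controller. Assumes the names used on the page: DNS domain mydomain.co.uk
# and DC host samba.mydomain.co.uk; override with DOMAIN= and DC_FQDN=.
DOMAIN="${DOMAIN:-mydomain.co.uk}"
DC_FQDN="${DC_FQDN:-samba.$DOMAIN}"

# Reduce the output of `host -t SRV name` to "target port". host prints
# "name has SRV record PRIO WEIGHT PORT target." with a trailing dot; an
# NXDOMAIN or empty answer yields an empty string.
srv_target() {
    printf '%s\n' "$1" |
        awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF, $(NF-1); exit }'
}

# The records a Windows client uses to find a DC (LDAP, the _msdcs LDAP
# record from the "Some background" note, and Kerberos) with their ports.
# Returns 0 only when all of them resolve to the DC.
check_dc_records() {
    rc=0
    for spec in "_ldap._tcp.$DOMAIN:389" \
                "_LDAP._TCP.dc._msdcs.$DOMAIN:389" \
                "_kerberos._udp.$DOMAIN:88"; do
        name="${spec%:*}"
        port="${spec##*:}"
        got="$(srv_target "$(host -t SRV "$name" 2>&1)")"
        if [ "$got" = "$DC_FQDN $port" ]; then
            echo "ok   $name -> $got"
        else
            echo "FAIL $name -> ${got:-no SRV record}"
            rc=1
        fi
    done
    return "$rc"
}

# Run the live checks only when invoked as `sh check_dc.sh run`, so the
# functions can also be sourced and tested without DNS access.
if [ "${1:-}" = "run" ]; then
    check_dc_records
fi
```

A FAIL for the _msdcs record while the plain _ldap record passes usually means the DNS-search or nameserver setting on the client is not pointing at the Samba server.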

Winbind

Add winbind to the passwd and group stanzas in /etc/nsswitch.conf:

passwd:         compat winbind
group:          compat winbind

Test with:

$ wbinfo -p
$ wbinfo -u
$ getent passwd

Printing

For the purpose of this exercise, explicitly disable printing by adding to the /etc/samba/smb.conf file:

[global]
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

Client Test

These tests require a suitable Windows client machine, for example Windows 7 Professional or Ultimate. First, update it to Service Pack 1 and, if the client is to be used for domain administration, also install the Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1):

http://www.microsoft.com/en-gb/download/details.aspx?id=5842
http://www.microsoft.com/en-gb/download/details.aspx?id=7887

Reboot and log in as the local administrator. To make the Active Directory Users and Computers tool available, go to “control panel>programs and features>Turn Windows features on or off”.

Now, set its DNS to the Samba server’s IP address and then join the domain.

Configuration Tasks

Sanity-check configuration changes with:

$ testparm /etc/samba/smb.conf

Samba reloads its configuration automatically but, to force this immediately:

$ smbcontrol all reload-config

Add Shares

To add a share (a directory or filesystem to be shared on the network by Samba), add a stanza to /etc/samba/smb.conf:

[public]
    path = /srv/samba/public
    read only = No

Make the directory on the server:

mkdir /srv/samba/public
chmod 777 /srv/samba/public

To connect to the share from a Windows command prompt:

C:> NET USE P: \\samba\public

Or browse to \\samba\public in Windows Explorer.

See also

* https://wiki.samba.org/index.php/Setup_and_configure_file_shares#setup_share_permissions

Add the [homes] share to give each user a home directory.

! Current practice is not to use [homes] with Active Directory Samba; this is described at the above link. This article needs updating accordingly.

Add Users

User administration can be performed either from the Samba server command prompt or from a Windows client. First, add sharing configurations:

[homes]
    comment = Home directories
    path = /srv/samba/home/%S
    valid users = %S
    read only = No
    browsable = No
    create mask = 0700
    directory mask = 0700


[profiles]
    comment = Roaming profiles
    path = /srv/samba/profiles
    read only = No
    browsable = No

[homes] defines home directories under /srv/samba/home and [profiles] defines roaming profiles.

For roaming profiles to work, create the directory root on the server:

mkdir -p /srv/samba/profiles
chmod 1770 /srv/samba/profiles
chgrp "Domain Users" /srv/samba/profiles

Also create the home directory root:

mkdir -p /srv/samba/home

To give a user a roaming profile, set their profile directory. Either use ADUC or do:

$ pdbedit -p='\\MYDOMAIN\profiles\joe' joe

Conversely, to remove a roaming profile:

$ pdbedit -p= joe

To put roaming profiles in a subdirectory of the user’s home directory, use a pre-exec to create the directory and a veto to prevent external access to it:

[homes]
    ...
    veto files = /.samba_roaming_profile/
[profiles]
    comment = Roaming Profiles
    path = /home/%U/.samba_roaming_profile
    writable = yes
    browsable = no
    root preexec = bash -c '[[ -d /home/%U/.samba_roaming_profile ]] || mkdir -m 0700 /home/%U/.samba_roaming_profile && chown %U:"Domain Users" /home/%U/.samba_roaming_profile'

This example uses a .samba_roaming_profile subdirectory of the user’s home directory. Windows creates a subdirectory within this one and writes the profile there.

From the server

To add a user:

$ samba-tool user add joe

A password will be requested and it must meet certain complexity criteria. It should:

  • be 7 characters or longer
  • meet the complexity criteria: a mix of upper case, lower case and numerals.
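Because an unacceptable password is taken at the prompt but breaks the provisioning step (and user creation), a pre-check is worth having. This is an added example, not from the original post, and it implements the rules as the post states them (minimum 7 characters; upper case, lower case and numerals); the live policy on a server is printed by samba-tool domain passwordsettings show.

```shell
#!/bin/sh
# Added example (not from the original post): check a candidate password
# against the rules the post lists before handing it to samba-tool, so that
# a rejected password does not break `samba-tool domain provision` or
# `samba-tool user add`. Assumes the post's rules: at least 7 characters and
# a mix of upper case, lower case and numerals.
password_meets_policy() {
    pw="$1"
    if [ "${#pw}" -lt 7 ]; then
        echo "too short (minimum 7)"
        return 1
    fi
    # Each class is tested separately so the reason for rejection is reported.
    printf '%s' "$pw" | grep -q '[[:upper:]]' || { echo "needs an upper-case letter"; return 1; }
    printf '%s' "$pw" | grep -q '[[:lower:]]' || { echo "needs a lower-case letter"; return 1; }
    printf '%s' "$pw" | grep -q '[[:digit:]]' || { echo "needs a numeral"; return 1; }
    echo "ok"
    return 0
}

# Example use on the server (prompt without echo, then create the user only
# when the check passes). Uncomment where samba-tool is installed; the user
# name joe is the one used on the page.
# printf 'Password for joe: '; stty -echo; read -r pw; stty echo; echo
# password_meets_policy "$pw" && samba-tool user add joe
```

Passing the password as an argument to samba-tool would expose it in the process list, so the commented usage lets samba-tool prompt for it itself.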

Arguments can be given on the command line (e.g. when calling it from a script):

# See `samba-tool user add --help`
# The UNC paths are single-quoted so the shell does not strip the backslashes.
samba-tool user add joe \
    --random-password --use-username-as-cn \
    --given-name="Joe" --surname="Schmoe" \
    --mail-address=joeschmoe@example.com \
    --profile-path='\\MYDOMAIN\profiles\joe' \
    --home-drive=H --home-directory='\\MYDOMAIN\joe'

To list users’ details:

$ pdbedit -L -v
$ getent passwd

Add the user’s home directory:

$ mkdir -p /srv/samba/home/joe
$ chown joe:users /srv/samba/home/joe

From the client

This is the preferred way to create users because it offers more scope for configuration. When logged on to the domain as MYDOMAIN/Administrator, create users using “Active Directory Users and Computers” (Start->Administrative Tools->Active Directory Users and Computers).

When creating a user (or amending an existing one), change to the Profile tab to configure the roaming profile and home directory. The roaming profile path is

\\samba\profiles\%USERNAME%

which refers to a subdirectory of /srv/samba/profiles on the server that will be automatically created when the user logs on. Select a drive letter for the home directory path, which is

\\samba\home\%USERNAME%

and this refers to a subdirectory of /srv/samba/home on the server that must be created manually:

$ mkdir /srv/samba/home/joe
$ chown joe:users /srv/samba/home/joe

Troubleshooting

If a user is unable to log in because the group policy client service failed the logon, and especially if the user was deleted and re-added to Samba, it’s probably due to a profile mismatch. The quickest way to fix this is to log in as an administrator and delete the user’s profile directory (e.g. C:\Users\myuser). Also delete the user’s profile data from the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList: look for the key named with the user’s SID (you can get this on the server with pdbedit -L -v username).

Logon script

A logon script can be run when a user logs on and can do things such as mapping network drives to shares.

Create the script in the [sysvol] share defined in smb.conf, for example /var/lib/samba/sysvol; put it in the domain’s subdirectory, e.g. mydomain.co.uk/scripts.

! Windows mounts the sysvol at %LOGONSERVER%\SYSVOL, which is the same as \\mydomain\SYSVOL.

There are two ways to configure logon scripts: assign them to run when a user logs on via Group Policy, or as user logon scripts, although the latter is considered a legacy option for NT4 backwards compatibility.

The sysvol contains two policies within the Policies directory, each in a subdirectory named {GUID} where GUID is the policy’s unique identifier.

  • the Default Domain Policy applies to all the objects in the domain.
  • the Default Domain Controllers Policy only applies to domain controllers.

These can be identified with ldbsearch:

$ ldbsearch -H /var/lib/samba/private/sam.ldb objectCategory=groupPolicyContainer

Or, to list just one:

$ ldbsearch -H /var/lib/samba/private/sam.ldb cn={6AC1786C-016F-11D2-945F-00C04FB984F9}

or, more specifically,

$ ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectCategory=groupPolicyContainer)(name={6AC1786C-016F-11D2-945F-00C04FB984F9}))'

! Use ADUC to search on Windows: right-click the domain and select Find. Then select Custom Search from the Find dropdown. Select the Advanced tab and enter the query into the Enter LDAP Query box.

The displayName field contains one of the above descriptions to identify the policy. The Windows search shows an icon against the Default Domain Controllers Policy (it also displays a description, which is a separate field and is blank).

! Use ldbedit -H /var/lib/samba/private/sam.ldb objectCategory=groupPolicyContainer to modify the descriptions.

The logon script should go in the domain policy, in the subdirectory USER/Scripts/Logon. It can have any name with a .bat extension (logon.bat is a generic example):

REM Logon script: map the shares to drive letters on the logon server
net use /PERSISTENT:NO P: %LOGONSERVER%\public
net use /PERSISTENT:NO T: %LOGONSERVER%\transfer

The /PERSISTENT:NO option means the mapping won’t persist across logins, so the drive won’t appear unless the logon script is run. Adding it is optional.

Make the script executable:

$ chmod 755 logon.bat

To check the policy applied to the current user (view the file with Notepad):

C:> gpresult /v > gp.txt

or for a specific user:

C:> gpresult /v /USER myuser > gp.txt

To force a policy refresh:

C:> gpupdate

To install the Group Policy editor, use Control Panel -> Programs -> Add or Remove Windows Features to add Remote Server Administration Tools -> Feature Administration Tools -> Group Policy Management Tools.

The Group Policy Editor can then be opened with Start -> Administrative Tools -> Group Policy Management.

To open the Local group Policy Editor,

See

Windows Configuration

This section presents useful suggestions worth considering when establishing a Windows desktop to use for Samba Active Directory administration.

Firstly, install Windows 7, Service Pack 1 and the Remote Server Administration Tools.

Launch Control Panel -> Programs -> Turn Windows Features on or off

Enable the following:

  • Remote Server Administration Tools >> Role Administration Tools >> AD DS and AD LDS Tools >> AD DS Tools >> Server for NIS Tools*

The Server for NIS Tools option is what enables the Unix Attributes tab in ADUC.

PAM Authentication

PAM can authenticate users via winbind, thus allowing Linux to authenticate active directory users.

This can be used to allow AD users to log in to the server as Linux users.

Winbind must return a valid shell. This currently must be configured in smb.conf (all configuration items in this section go in the [global] section):

template shell = /bin/bash

It applies to all users, which means that either all or no users will be able to log in, depending on the value of this setting. Its default value, /bin/false, prevents login.

Usernames must include the domain, e.g. MYDOMAIN\myuser. The separator character, \, can be changed in smb.conf:

winbind separator = +

Winbind will assume the default domain when none is given if the following setting is defined:

winbind use default domain = yes

The typical PAM configuration checks for a local user first and tries winbind only if one doesn’t exist. This means that a password in /etc/passwd takes precedence over the one defined in Active Directory if an AD user is also defined locally.

This override is a way of supporting local logins for certain users without setting a valid template shell.