Container Setup
First, create a new container:
lxc-create -n samba -t ubuntu -B lvm --vgname farm --fssize 10G
This uses the farm’s Ubuntu version (12.04 Precise Pangolin), but that release does not have a suitable Samba 4 package, so one needs to be built from source.
Configure the container to auto-start when the host boots:
ln -s /var/lib/lxc/samba/config /etc/lxc/auto/samba
Build Samba
Boot the container, log in and become root.
Ubuntu 12.04 (or even 13.10) does not provide a working Samba 4 package. The solution is to build it from source. First, prepare:
apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
(This package list is taken from the Samba Wiki.)
When asked for the default Kerberos realm, enter mydomain.co.uk, and enter samba as the Kerberos host.
(optional) The checkinstall tool makes a .deb package from a build tree. Having a package makes for easy re-installation. Install checkinstall:
apt-get install checkinstall
Decide on the version, for example, 4.1.4, and get the source:
apt-get install wget
cd /usr/src
wget http://samba.org/samba/ftp/stable/samba-4.1.4.tar.gz
tar xf samba-4.1.4.tar.gz
cd samba-4.1.4
An alternative method is to get the source from Samba’s Git repository (this may take some time, however):
apt-get install git
git clone git://git.samba.org/samba.git /usr/src/samba4
cd /usr/src/samba4
git checkout tags/samba-4.1.4
With the source downloaded, build it:
./configure --enable-fhs \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--with-configdir=/etc/samba \
--enable-gnutls \
--with-pammodulesdir=/lib/x86_64-linux-gnu/security
make
(./configure --help explains the available options.)
Then install it: either without checkinstall:
make install
or with checkinstall, which also makes a .deb:
checkinstall make install
Answer the question “The package documentation directory ./doc-pak does not exist. Should I create a default set of package docs? [y]:” with y and then accept the defaults presented afterwards (or change them if you wish). This creates a samba_4.1.4-1.deb package in the source directory and installs it. The package can be copied to other machines and installed with:
dpkg -i samba-4.1.4.amd64.deb
Note: the checkinstall process was unverified at the time of writing and is included here for reference. If in doubt, install without checkinstall.
Set a Fully-qualified domain name
Edit /etc/hostname and add your unqualified hostname:
samba
Edit /etc/hosts and add the fully qualified domain name to the entry for 127.0.1.1:
127.0.1.1 samba.amajohn.co.uk samba
Test your configuration by opening a terminal and running the commands below:
hostname
should output samba, and
hostname -f
should output samba.amajohn.co.uk
Resolv.conf
The /etc/resolv.conf file is managed by the resolvconf service, which regenerates the file automatically whenever the network configuration changes.
As the man page describes, it appends the original configuration because the tail file in its configuration directory is a symlink to it. This is undesirable because it interferes with Samba’s own DNS configuration, so remove the symlink:
rm /etc/resolvconf/resolv.conf.d/tail
Set static network address
Edit /etc/network/interfaces:
auto eth0
iface eth0 inet static
address 10.0.100.99
netmask 255.0.0.0
gateway 10.0.0.138
dns-nameservers 127.0.0.1
dns-search mydomain.co.uk
Reboot to effect these changes, or restart networking:
service networking restart
Then cat /etc/resolv.conf should show nameserver 127.0.0.1.
Storage
Give the container a filesystem for Samba data. Create the mount point for it and then shut down the container:
mkdir /srv/samba
halt
On the host, create a logical volume for the Samba data filesystem:
$ lvcreate --name samba_files --size 10G farm
$ mkfs.ext4 /dev/farm/samba_files
Add the mount point to the container’s fstab configuration, /var/lib/lxc/samba/fstab:
/dev/farm/samba_files /var/lib/lxc/samba/rootfs/srv/samba ext4 defaults,user_xattr,acl 0 0
The user_xattr and acl options allow most of the share configuration to be done from Windows; in particular, permission management with real Windows ACLs and multiple entries is much easier when done from Windows.
! user_xattr and acl are no longer required on ext4 filesystems because those features are enabled by default; instead, they must be explicitly disabled when they are not required. More here and here. This can be confirmed with tune2fs -l /dev/sdX | grep 'Default mount options'.
Write barriers improve data integrity and are enabled by default on ext4 filesystems. The nobarrier mount option disables them, but doing so is a bad idea: barriers incur only a small performance overhead.
Restart the container (lxc-start -n samba) and verify that the filesystem is mounted:
df -h /srv/samba
NTP server
Samba needs a reliable NTP server, so install it:
apt-get install ntp
Review the time servers in /etc/ntp.conf and change them if desired. Some UK servers are:
server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
server 2.uk.pool.ntp.org
server 3.uk.pool.ntp.org
Restart the NTP server and check it’s OK:
service ntp restart
ntpq -p
Verify time has synchronised:
ntpdate -q localhost
Note: it may take a few minutes for time synchronisation to take effect, so repeat the above command if it fails on the first attempt.
Install Samba
Do the following:
samba-tool domain provision
Select the “Domain Controller” option when prompted and enter an administrator password when requested. The validity rules are quite fussy; an unacceptable password will be accepted at this point but will break the install.
Resulting in:
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: samba
NetBIOS Domain: MYDOMAIN
DNS Domain: mydomain.co.uk
DOMAIN SID: S-1-5-21-3652504537-2253945729-3606843742
Then do:
cp /var/lib/samba/private/krb5.conf /etc
Get the Upstart script for the Samba service
wget -O /etc/init/samba.conf 'http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=blob_plain;f=debian/samba-ad-dc.upstart;hb=HEAD'
Then manually start samba (Upstart will automatically start/stop it on startup/shutdown):
$ start samba
Now modify the configuration in /etc/samba/smb.conf as needed. For example, to disable printing:
[global]
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
and to increase logging (only for debugging, please!):
[global]
log level = 2
Server Tests
The following tests will verify Samba is up and running correctly.
$ host -t SRV _ldap._tcp.mydomain.co.uk
$ host -t SRV _LDAP._TCP.dc._msdcs.mydomain.co.uk
$ host -t SRV _kerberos._udp.mydomain.co.uk
$ host -t A samba.mydomain.co.uk
$ kinit administrator@MYDOMAIN.CO.UK
$ klist
$ smbclient -L localhost -U%
Some background: a Windows client performs a DNS query to locate a domain controller. The query is for a record of the form _LDAP._TCP.dc._msdcs.domainname, where domainname is the local network’s domain.
Winbind
Add winbind to the passwd and group stanzas in /etc/nsswitch.conf:
passwd: compat winbind
group: compat winbind
Test with:
$ wbinfo -p
$ wbinfo -u
$ getent passwd
Printing
For the purpose of this exercise, explicitly disable printing by adding to the /etc/samba/smb.conf file:
[global]
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
Client Test
These tests require a suitable Windows client machine, for example Windows 7 Professional or Ultimate. First, update it to Service Pack 1 and, if the client is to be used for domain administration, also install the Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1):
http://www.microsoft.com/en-gb/download/details.aspx?id=5842
http://www.microsoft.com/en-gb/download/details.aspx?id=7887
Reboot and log in as the local administrator. To make the Active Directory Users and Computers tool available, go to “control panel>programs and features>Turn Windows features on or off”.
Now set the client’s DNS server to the Samba server’s IP address and then join the domain.
Configuration Tasks
Sanity-check configuration changes with
$ testparm /etc/samba/smb.conf
Samba reloads its configuration automatically but, to do so immediately:
$ smbcontrol all reload-config
Add Shares
To add a share (a directory or filesystem to be shared on the network by Samba), add a stanza to /etc/samba/smb.conf:
[public]
path = /srv/samba/public
read only = No
Make the directory on the server:
mkdir /srv/samba/public
chmod 777 /srv/samba/public
To connect to the share from a Windows command prompt:
C:> NET USE P: \\samba\public
Or browse to \\samba\public in Windows Explorer.
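As an added example (not from the article or Samba itself), the following script parses smb.conf stanzas like the ones above and flags the settings a reviewer would question: a writable share whose directory is world-writable on the server (the chmod 777 above), anonymous write access, a browsable per-user share, and a debugging log level left on. The sample config and mode table are constructed from this article’s own stanzas.

```python
# Added example, not from the article or Samba: parse smb.conf stanzas and
# flag settings a reviewer would question (Samba keys are case-insensitive,
# may contain spaces, and booleans have several spellings).

def parse_smb_conf(text):
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def as_bool(value, default):
    # Samba accepts yes/true/1 and no/false/0; a missing key means the default.
    v = (value or "").strip().lower()
    return default if not v else v in ("yes", "true", "1")

def is_writable(share):
    # "read only = No" and "writable = yes" spell the same thing; the default is read only.
    if "read only" in share:
        return not as_bool(share["read only"], True)
    return any(as_bool(share.get(k), False) for k in ("writable", "writeable", "write ok"))

def review(text, dir_modes):
    """Return [(section, finding)]; dir_modes maps share paths to their mode bits."""
    conf, findings = parse_smb_conf(text), []
    if int(conf.get("global", {}).get("log level", "0").split()[0]) > 1:
        findings.append(("global", "log level > 1 left on (debugging only)"))
    for name, share in conf.items():
        if name == "global":
            continue
        writable = is_writable(share)
        if writable and as_bool(share.get("guest ok"), False):
            findings.append((name, "anonymous write access via guest ok"))
        if writable and dir_modes.get(share.get("path"), 0) & 0o002:
            findings.append((name, "share path is world-writable on the server"))
        if name in ("homes", "profiles") and as_bool(share.get("browsable"), True):
            findings.append((name, "per-user share is browsable"))
    return findings

# Constructed sample: the article's [public] and [homes] stanzas plus its chmod 777.
SAMPLE = ("[global]\nlog level = 2\n[public]\npath = /srv/samba/public\n"
          "read only = No\n[homes]\npath = /srv/samba/home/%S\nread only = No\nbrowsable = No\n")
SAMPLE_MODES = {"/srv/samba/public": 0o777}
```

Run review(SAMPLE, SAMPLE_MODES) to see the two findings for the sample; on a live server, build the mode table from os.stat on each share path.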
See also
* https://wiki.samba.org/index.php/Setup_and_configure_file_shares#setup_share_permissions
Add the [homes] share to give each user a home directory.
! Current practice is not to use [homes] with Active Directory Samba; this is described at the above link. This article needs updating accordingly.
Add Users
User administration can be performed either from the Samba server command prompt or from a Windows client. First, add sharing configurations:
[homes]
comment = Home directories
path = /srv/samba/home/%S
valid users = %S
read only = No
browsable = No
create mask = 0700
directory mask = 0700
[profiles]
comment = Roaming profiles
path = /srv/samba/profiles
read only = No
browsable = No
[homes] defines home directories under /srv/samba/home and [profiles] defines roaming profiles.
For roaming profiles to work, create the directory root on the server:
mkdir -p /srv/samba/profiles
chmod 1770 /srv/samba/profiles
chgrp "Domain Users" /srv/samba/profiles
Also create the homes directory:
mkdir -p /srv/samba/home
To give a user a roaming profile, set their profile directory. Either use ADUC or do:
$ pdbedit -p='\\MYDOMAIN\profiles\joe' joe
Conversely, to remove a roaming profile:
$ pdbedit -p= joe
To put roaming profiles in a subdirectory of the user’s home directory, use a pre-exec to create the directory and a veto to prevent external access to it:
[homes]
...
veto files = /.samba_roaming_profile/
[profiles]
comment = Roaming Profiles
path = /home/%U/.samba_roaming_profile
writable = yes
browsable = no
root preexec = bash -c '[[ -d /home/%U/.samba_roaming_profile ]] || mkdir -m 0700 /home/%U/.samba_roaming_profile && chown %U:"Domain Users" /home/%U/.samba_roaming_profile'
This example uses a .samba_roaming_profile subdirectory. Windows creates a subdirectory within this one and writes the profile there.
From the server
To add a user:
$ samba-tool user add joe
A password will be requested and it must meet certain complexity criteria. It must:
- be 7 characters or longer
- meet the complexity criteria: a mix of upper case, lower case and numerals.
Arguments can be specified (e.g. when calling from a script):
# See `samba-tool user add --help`
samba-tool user add joe \
--random-password --use-username-as-cn \
--given-name="Joe" --surname="Schmoe" \
--mail-address=joeschmoe@example.com \
--profile-path=\\MYDOMAIN\profiles\joe \
--home-drive=H --home-directory=\\MYDOMAIN\joe
To list users’ details:
$ pdbedit -L -v
$ getent passwd
Add the user’s home directory:
$ mkdir -p /srv/samba/home/joe
$ chown joe:users /srv/samba/home/joe
From the client
This is the preferred way to create users because it offers more scope for configuration. When logged on to the domain as MYDOMAIN\Administrator, create users using “Active Directory Users and Computers” (Start -> Administrative Tools -> Active Directory Users and Computers).
When creating a user (or amending an existing one), change to the Profile tab to configure the roaming profile and home directory. The roaming profile path is \\samba\profiles\%USERNAME%, which refers to a subdirectory of /srv/samba/profiles on the server that will be created automatically when the user logs on. Select a drive letter for the home directory path, which is \\samba\home\%USERNAME% and refers to a subdirectory of /srv/samba/home on the server that must be created manually:
$ mkdir /srv/samba/home/joe
$ chown joe:users /srv/samba/home/joe
Troubleshooting
If a user is unable to log in because the Group Policy Client service failed the logon, and especially if the user was deleted and re-added to Samba, it’s probably due to a profile mismatch. The quickest way to fix this is to log in as an administrator and delete the user’s profile directory (e.g. C:\Users\myuser). Also delete the user’s profile data from the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList: look for the user’s SID (you can get this on the server with pdbedit -L -v username). See also this post.
Logon script
A logon script can be run when a user logs on and can do things such as mapping network drives to shares.
Create the script in the [sysvol] share defined in smb.conf, for example /var/lib/samba/sysvol; put it in a subdirectory, e.g. mydomain.co.uk/scripts.
! Windows mounts the sysvol at %LOGONSERVER%\SYSVOL, which is the same as \\mydomain\SYSVOL.
There are two ways to configure logon scripts. You can assign scripts to run when a user logs on via Group Policy or as user logon scripts, although the latter is considered to be a legacy option for NT4 backwards compatibility.
The sysvol contains two policies within the Policies directory, each in a subdirectory named {GUID}, where GUID is the policy’s unique identifier.
- the Default Domain Policy applies to all the objects in the domain.
- the Default Domain Controllers Policy only applies to domain controllers.
These can be identified with ldbsearch:
$ ldbsearch -H /var/lib/samba/private/sam.ldb objectCategory=groupPolicyContainer
Or, to list just one:
$ ldbsearch -H /var/lib/samba/private/sam.ldb cn={6AC1786C-016F-11D2-945F-00C04FB984F9}
or, more specifically,
$ ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectCategory=groupPolicyContainer)(name={6AC1786C-016F-11D2-945F-00C04FB984F9}))'
! Use ADUC to search on Windows: right-click the domain and select Find. Then select Custom Search from the Find dropdown. Select the Advanced tab and enter the query into the Enter LDAP Query box.
The displayName field contains one of the above descriptions to identify the policy. The Windows search shows an icon against the Default Domain Controllers Policy (it also displays a description, which is a separate field and is blank).
! Use ldbedit -H /var/lib/samba/private/sam.ldb objectCategory=groupPolicyContainer to modify the descriptions.
The logon script should go in the domain policy, in the subdirectory USER/Scripts/Logon. It can have any name with a .bat extension (logon.bat is a generic example):
REM Logon script
net use /PERSISTENT:NO P: %LOGONSERVER%\public
net use /PERSISTENT:NO T: %LOGONSERVER%\transfer
The /PERSISTENT:NO means the mapping won’t persist across logins, so it won’t appear unless the logon script is run. Adding this is optional.
Make the script executable:
$ chmod 755 logon.bat
To check the policy of the current user (view the file with Notepad):
C:> gpresult /v > gp.txt
or for a specific user:
C:> gpresult /v /USER myuser > gp.txt
To force a Group Policy refresh, run gpupdate.
To install the group policy editor, use Control Panel -> programs -> Add or Remove Windows Features to add Remote Server Administration Tools -> Feature Administration Tools -> Group Policy Management Tools.
The Group Policy Editor can then be opened with Start -> Administrative Tools -> Group Policy Management.
To open the Local group Policy Editor,
See
Windows Configuration
This section presents useful suggestions worth considering when establishing a Windows desktop to use for Samba Active Directory administration.
Firstly, install Windows 7, Service Pack 1 and the remote server administration tools.
Launch Control Panel -> Programs -> Turn Windows Features on or off
Enable the following:
- Remote Server Administration Tools >> Role Administration Tools >> AD DS and AD LDS Tools >> AD DS Tools >> Server for NIS Tools
The Server for NIS Tools option is what enables the Unix Attributes tab in ADUC.
PAM Authentication
PAM can authenticate users via winbind, thus allowing Linux to authenticate Active Directory users.
This can be used to allow AD users to log in to the server as Linux users.
Winbind must return a valid shell. This currently must be configured in smb.conf (all config items in this section go in the [global] section):
template shell = /bin/bash
It applies to all users, which means that either all or no users will be able to log in, depending on the value of this setting. Its default value, /bin/false, prevents login.
Usernames must include the domain, e.g. MYDOMAIN\myuser. The separator character, \, can be changed in smb.conf:
winbind separator = +
Winbind will assume the default domain when none is given if the following setting is defined:
winbind use default domain = yes
The typical PAM configuration checks for a local user first and tries winbind only if one doesn’t exist. This means that a password in /etc/passwd takes precedence over one defined in Active Directory if the same user is defined in both places.
This override is a way of supporting local logins for certain users without setting a valid template shell.