Samba4 as AD Domain Member
Introduction
This HOWTO describes a basic setup of a Samba 4.x member server that is part of an Active Directory domain (regardless of whether Samba or Windows provides the AD).
Samba4 can run in one of four roles:
- Active Directory Domain Controller
- Read Only Domain Controller (RODC)
- Member Server (File Server)
- Standalone Server
Required Packages
See Samba4 Requirements for dependencies and recommendations.
Compiling and installation
After you have downloaded and unpacked the sources, run the following inside the extracted directory:
# ./configure --with-ads --with-shared-modules=idmap_ad,idmap_rid --enable-debug --enable-selftest
# make
# make install
Note: you can list the available './configure' options with:
# ./configure --help | less
To install Samba4 from the SerNet repositories instead (first check http://ftp.uo.edu.cu for how to configure the repositories):
# apt-get install sernet-samba-ad attr acl krb5-user
Setting up Kerberos
First back up the original '/etc/krb5.conf':
# mv /etc/krb5.conf{,.orig}
Create the new file:
# nano /etc/krb5.conf
Then give it the following content, adjusting the realm to your own:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REDTIC.UCLV.CU
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
Configure NTP
Active Directory requires accurate time synchronization between the clients and the DC(s). It is highly recommended to run NTP or another form of synchronization. You can follow the instructions on the Samba4 Requirements page, or simply install 'ntpdate':
# apt-get install ntpdate
To configure ntpdate:
# nano /etc/default/ntpdate
Then adjust the parameters to your configuration.
Note: Remember that you need to sync your 'ntpd' with your Active Directory Server.
Setting up a basic smb.conf
The following is a very basic example of an 'smb.conf'. Normally this file is located in '/usr/local/samba/etc/'; depending on your 'configure' parameters it could be in a different place.
If you use Samba from the repositories, the location is /etc/samba/.
[global]
 # SHORTDOMAINNAME
 workgroup = REDTIC
 security = ADS
 # YOUR.SAMBA.DOMAIN.NAME
 realm = REDTIC.UCLV.CU
 idmap config *:backend = tdb
 idmap config *:range = 70001-80000
 idmap config REDTIC:backend = ad
 idmap config REDTIC:schema_mode = rfc2307
 idmap config REDTIC:range = 500-40000
 winbind nss info = rfc2307
 printing = bsd

[public]
 path = /srv/samba/public
 read only = no
This is just a very basic example that will make your member server part of your Active Directory. The ID mapping for domain users/groups is done via schema mode rfc2307: users/groups having a uidNumber/gidNumber set in AD are available on your member server with the same IDs as in your AD. If you use different UID/GID ranges in your AD, you have to adapt them. For all non-domain accounts (like BUILTIN, etc.) the mappings are stored in a local TDB file and the IDs are taken from the given '*' range.
For further explanation on the 'smb.conf' parameters, see the manpage:
# man smb.conf
Notes:
- The choice of domain back-end depends on who provides the domain. If you have a Microsoft AD without "Services for Unix (SFU)", use the 'rid' back-end; for a Samba4 AD use the 'ad' back-end, as shown in the previous example.
- The range given in "idmap config *:range" must not overlap the range given in "idmap config SHORTDOMAINNAME:range".
- If you have a large directory, the upper bound of "idmap config SHORTDOMAINNAME:range" should be large enough, because users whose uidNumber/gidNumber falls outside the range are not detected by Samba.
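The two range rules above can be checked mechanically before you join the domain. The script below is an added example, not part of this HOWTO or of Samba itself: it extracts the 'idmap config ...:range' lines from an smb.conf (the embedded sample is constructed from the values of the example above), verifies that the default '*' range and the domain range are disjoint, and reports whether a given uidNumber/gidNumber taken from AD falls inside the domain range, which is the condition for Samba to map that account. The function names are my own.

```shell
#!/bin/sh
# Added example: sanity-check idmap ranges in an smb.conf.
# Not part of the HOWTO; function names are invented for this script.

# Constructed sample smb.conf, using the same values as the HOWTO example.
SAMPLE_SMB_CONF='[global]
  workgroup = REDTIC
  security = ADS
  realm = REDTIC.UCLV.CU
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config REDTIC:backend = ad
  idmap config REDTIC:schema_mode = rfc2307
  idmap config REDTIC:range = 500-40000
'

# idmap_range CONF DOMAIN -> prints "LOW HIGH" of "idmap config DOMAIN:range"
# (DOMAIN may be '*' for the default mapping).
idmap_range() {
    # escape regex metacharacters so '*' is matched literally by sed
    pat=$(printf '%s' "$2" | sed 's/[*.]/\\&/g')
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*idmap config ${pat}:range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p" |
        head -n1
}

# ranges_overlap LOW1 HIGH1 LOW2 HIGH2 -> succeeds when the ranges share an ID
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_idmap_config CONF DOMAIN -> 0 if the '*' and DOMAIN ranges are disjoint,
# 1 if they overlap, 2 if one of them is missing
check_idmap_config() {
    default_range=$(idmap_range "$1" '*')
    domain_range=$(idmap_range "$1" "$2")
    if [ -z "$default_range" ] || [ -z "$domain_range" ]; then
        echo "missing idmap range for '*' or '$2'" >&2
        return 2
    fi
    # word splitting turns "LOW HIGH" pairs into four arguments on purpose
    if ranges_overlap $default_range $domain_range; then
        echo "idmap ranges overlap: *=$default_range $2=$domain_range" >&2
        return 1
    fi
    echo "idmap ranges OK: *=$default_range $2=$domain_range"
    return 0
}

# id_in_domain_range CONF DOMAIN ID -> succeeds when ID (a uidNumber or
# gidNumber from AD) lies inside the DOMAIN range and will be mapped
id_in_domain_range() {
    range=$(idmap_range "$1" "$2")
    [ -n "$range" ] || return 2
    low=${range% *}
    high=${range#* }
    [ "$3" -ge "$low" ] && [ "$3" -le "$high" ]
}

# Stand-alone run against the constructed sample; on a real server use
#   check_idmap_config "$(cat /usr/local/samba/etc/smb.conf)" REDTIC
check_idmap_config "$SAMPLE_SMB_CONF" REDTIC
```

A uidNumber of 10000 is inside the REDTIC range and is mapped; 75000 is not, and an account carrying it would be silently unavailable on the member server.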
Joining the member server to the domain
# net ads join -Uadministrator
Make domain users/groups available locally through winbind
To have your domain users and groups available on your member server, you have to create two symlinks in your /lib (/lib64 on amd64) directory:
For i386:
# ln -s /usr/local/samba/lib/libnss_winbind.so /lib
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
# ldconfig
For amd64:
# ln -s /usr/local/samba/lib/libnss_winbind.so /lib64
# ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
# ldconfig
For Samba4 from the SerNet packages:
For i386:
# ln -s /lib/i386-linux-gnu/libnss_winbind.so /lib
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
# ldconfig
For amd64:
# ln -s /lib/x86_64-linux-gnu/libnss_winbind.so /lib64
# ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
# ldconfig
To check that the library is registered correctly:
# ldconfig -v | grep libnss_winbind | grep -v grep
The next step is to add 'winbind' to the 'passwd' and 'group' entry of your '/etc/nsswitch.conf':
passwd: compat winbind
group: compat winbind
Starting the daemons
Once you have finished the above steps, you must start the following services:
- winbindd
- smbd
- nmbd
You should write or obtain a start script so that you do not have to start the services by hand every time. Make sure that winbindd is started before smbd. You can find some examples on the Samba4 Requirements page.
If you installed Samba from the SerNet repositories you must enable Samba4 as a service:
# nano /etc/default/sernet-samba
Then locate the line 'SAMBA_START_MODE="none"' and change "none" to "classic".
# service sernet-samba-ad start
Finally start the Samba4 daemons:
# /etc/init.d/sernet-samba-smbd start
# /etc/init.d/sernet-samba-nmbd start
# /etc/init.d/sernet-samba-winbindd start
To reload the Samba configuration:
# smbcontrol all reload-config
Enable Samba4 at startup
If you use Samba4 from the SerNet repositories, the file '/etc/default/sernet-samba' controls how the Samba daemons start. You must edit this file and adjust it to your requirements. Keep in mind that a member server is part of the Samba AD, therefore you should enable the "classic" option in '/etc/default/sernet-samba':
# nano /etc/default/sernet-samba
Then select 'SAMBA_START_MODE="classic"', because when you use Samba as a member server the daemons smbd, nmbd and winbindd are used.
Testing the winbind user/group mapping
To check if winbind receives user and groups from the domain, run the following commands:
# wbinfo -u
# wbinfo -g
This should list all users and groups provided by the domain via winbind.
If you have set up your nsswitch.conf correctly, you should also be able to resolve users and groups from the domain through the system's name service:
# id [domain_user]
# wbinfo -i [domain_user]
# getent passwd [domain_user]
Or
# getent passwd DOMAIN\\user
# getent group DOMAIN\\group
The enumeration of users and groups ("getent passwd/group" without a further argument) is disabled by default, because the domain can be very big and enumerating it is a bad idea in that case.
If you are not able to look up users using “getent”, even though you see them with “wbinfo”, look at AD and verify that all groups have GIDs. It may not be strictly necessary to have GIDs on *all* groups, but unless someone with a better understanding can clarify the requirement, it's the safe thing to do.
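The check described in the last paragraph can be done from captured command output rather than by hand. The following script is an added example, not part of this HOWTO or of Samba: it takes the passwd-style lines that 'wbinfo -i' prints for domain users and the output of 'getent group', and lists every user whose primary GID has no group entry, which is exactly the account that 'wbinfo' shows but 'getent passwd' cannot resolve. The sample output embedded in it is constructed, with made-up IDs, and the function name is my own.

```shell
#!/bin/sh
# Added example: find domain users whose primary GID is not resolvable.
# Not part of the HOWTO; the sample data below is constructed.

# Constructed sample output of 'wbinfo -i <user>' for three domain users,
# in passwd format (name:passwd:uid:gid:gecos:home:shell). IDs are made up.
WBINFO_SAMPLE='REDTIC\alice:*:10001:10513:Alice:/home/REDTIC/alice:/bin/bash
REDTIC\bob:*:10002:20000:Bob:/home/REDTIC/bob:/bin/bash
REDTIC\carol:*:10003:10513:Carol:/home/REDTIC/carol:/bin/bash'

# Constructed sample output of 'getent group' (name:passwd:gid:members).
# No group carries GID 20000, so bob has no resolvable primary group.
GETENT_GROUP_SAMPLE='root:x:0:
REDTIC\domain users:x:10513:
REDTIC\sysadmins:x:10514:'

# users_with_unmapped_gid WBINFO_OUT GROUP_OUT
# Prints "USER GID" for every passwd line whose GID has no group entry.
users_with_unmapped_gid() {
    # the group text is handed to awk through the environment, so that awk
    # does not reinterpret the backslashes in "DOMAIN\group" names
    printf '%s\n' "$1" | GROUP_OUT="$2" awk -F: '
        BEGIN {
            # index every GID that getent group reports
            n = split(ENVIRON["GROUP_OUT"], lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":")
                if (f[3] != "") known[f[3]] = 1
            }
        }
        # field 4 of a passwd line is the primary GID
        NF >= 4 && !($4 in known) { print $1, $4 }
    '
}

# Stand-alone run against the constructed data. On a live member server:
#   users_with_unmapped_gid "$(wbinfo -i "REDTIC\\someuser")" "$(getent group)"
users_with_unmapped_gid "$WBINFO_SAMPLE" "$GETENT_GROUP_SAMPLE"
```

Any user the script prints needs a gidNumber on its primary group in AD (or a primary group whose gidNumber lies inside the configured idmap range) before 'getent passwd' can return it.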