The configuration of samba in standard mode is pretty self-explanatory, but unless you are running a pretty basic setup you are likely to want Active Directory to manage logons for MS Windows workstations.
NOTE: In this example we are going to use the following:
Server Name: pine
Domain Name: uk
Sub Domain Name: sherwood.uk
And we will be adding a further sub domain called lan, giving lan.sherwood.uk
A few notes about this domain:
This is not a public domain, although it is good practice to form it by adding a prefix such as lan to a public domain suffix that you control.
This domain is not, and does not have to be, the initial FQDN of your server. If you have followed the instructions in this booklet your server may be known by many different names and/or domains. You are advised to create a new domain or sub domain as part of this process. It will NOT work if you use a domain name that your bind DNS server can already resolve.
Before you start, make sure you have an ACL-enabled file system (this seems to be enabled by default in Debian, but it does not hurt to check).
Check that ACL is enabled
First of all run df to get the names of your mounted file systems (or you could look in /etc/fstab if you like).
Now you need to run tune2fs on one of your filesystems eg.
#tune2fs -l /dev/mapper/pine--vg-root
NOTE: Your filesystem path may look quite a bit different from the one above.
You may append the above command with
| grep "Default mount options:"
if you are not interested in any of the other information. If you have ACL enabled on the filesystem then it should return:
Default mount options: user_xattr acl
Set a reasonable hostname
If you want to change the hostname then now is the time to do it (and then never, ever do it again). Run
#hostnamectl set-hostname yourhostnamehere
If you have changed your hostname then reboot now, otherwise continue.
Set a proper hostname in /etc/hosts that points to your server's LAN IP address rather than 127.0.0.1, e.g.
192.168.1.1 pine.lan.sherwood.uk
Make sure you can ping the short hostname
Install Packages
Install the following packages in the usual way:
samba
krb5-user
krb5-config
winbind
libpam-winbind
libnss-winbind
# apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
During the installation you will be asked a series of questions about the Kerberos setup. The first will ask you for a “realm”. This should be the name of your sub domain in capital letters.
LAN.SHERWOOD.UK
The next two questions will be about the hostname of the Kerberos and administrative servers; in our example, as we are only using one server, the answer will be the fully qualified domain name of our server
lan.sherwood.uk
Note this does not have to be in upper case.
Provisioning
Before we start to provision our server we need to shut down and disable the samba daemons.
# systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
# systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
Next we need to get rid of the samba configuration file as this is recreated during the provisioning process. It is good practice to move it rather than delete it (especially if you have a previous configuration that you might need information from).
#mv /etc/samba/smb.conf /etc/samba/smb.conf.old
Now we can start the domain provisioning process by invoking samba-tool
#samba-tool domain provision --use-rfc2307 --interactive
This will ask a series of questions
NOTE: depending on your configuration the defaults may not be correct.
The first will be the name of your Kerberos realm; this is the name that you provided in capitals at installation of Kerberos, so in our case it will be:
LAN.SHERWOOD.UK
The second question will be about the Domain. This is the short name that you want your domain to be known by; as a default it should automatically pick SHERWOOD for our example, which is fine.
Next comes the server role; as we are provisioning a domain controller we type
dc
The DNS backend that we are using will be bind, and as samba is intent on deprecating BIND9_FLATFILE we are going to use BIND9_DLZ.
BIND9_DLZ
Now it will ask us for, and to confirm, an Administrator password. This needs to be a strong password (long, with letters, at least one capital letter and numbers) or the provisioning will fail.
The provisioning tool will now set up your domain and if all is well will return something like
Server Role:    active directory domain controller
Hostname:       pine
NetBIOS Domain: SHERWOOD
DNS Domain:     lan.sherwood.uk
DOMAIN SID:     S-1-5-21-XXXXXXX-XXXXXXX-XXXXXXXXX
Next we need to rename or remove the main Kerberos configuration file in /etc and replace it with a symlink to the Kerberos file that Samba has just generated in /var/lib/samba/private
# mv /etc/krb5.conf /etc/krb5.conf.initial
# ln -s /var/lib/samba/private/krb5.conf /etc/
Now you can start samba. The service will probably be masked, so if it will not start, unmask it first:
# systemctl unmask samba-ad-dc.service
# systemctl start samba-ad-dc
# systemctl status samba-ad-dc
# systemctl enable samba-ad-dc.service
When you check the status of the service you are likely to get some error messages; this is because you have not configured bind yet, so do not worry. The service should however be running.
Use the samba tool to check that it appears to be running:
#samba-tool domain level show
should return
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
or something similar.
To verify the service use the netstat command
# netstat -tulpn | egrep 'smbd|samba'
This should show a lot of ports open. If it does not then don’t worry too much for now, carry on with the configuration and check it again at the end if necessary.
DNS
Now we need to move on to our DNS configuration. First of all we edit our network interfaces file to add dns-search to our LAN interface
#vi /etc/network/interfaces
allow-hotplug eth1
iface eth1 inet static
    address 192.168.1.254
    netmask 255.255.255.0
    dns-search lan.sherwood.uk
Next our /etc/resolv.conf. Here we need to make sure that our nameserver is set to our local bind nameserver (depending on your configuration you may have to set it up to handle forwarding) and also add a search directive
search lan.sherwood.uk
Save the file and now make sure that you can ping the hostnames/domain in all its forms:
# ping -c3 pine
# ping -c3 pine.lan.sherwood.uk
# ping -c3 lan.sherwood.uk
If you do not get a response then you need to resolve this before going any further.
Configure bind
The next thing to do is configure bind to allow samba to update the domain records.
First we need to add a line to /etc/bind/named.conf
include "/var/lib/samba/bind-dns/named.conf";
save the file and then get the version of bind by issuing the command
#named -v
which will return something like:
BIND 9.9.5-9+deb8u16-Debian (Extended Support Version)
now edit the /var/lib/samba/bind-dns/named.conf file and uncomment the line that matches the version of bind that you are using. Note: This was already done as part of the installation for me, but it is still worth checking.
Next we move on to named.conf.options, where we add the following line to the “options” stanza
options {
    .....
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    ......
};
Before restarting bind, run named-checkconf, which should not return anything if the configuration is ok.
Now restart bind. Before doing so it is a good idea to open another window and monitor the syslog, as when bind is restarted it should start to provision the active directory zone. You can do this by running
tail -f /var/log/syslog
If bind fails to start then syslog may provide information about the reason. Note: it will not start if you have a zone of the same name as the AD zone configured in /etc/bind/named.conf.default-zones, as this will conflict with the zone that samba is trying to create.
If all is well then you should be able to lookup the AD zones using the “host“ command.
# host -t A lan.sherwood.uk
# host -t A pine.lan.sherwood.uk
# host -t SRV _kerberos._udp.lan.sherwood.uk
# host -t SRV _ldap._tcp.lan.sherwood.uk
If all is well then you can try and get a Kerberos ticket
#kinit administrator@LAN.SHERWOOD.UK
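The host lookups above are easy to eyeball once, but the two things that break kinit (an SRV record that is missing or points at the wrong host, and a DC hostname that resolves to 127.0.0.1 as warned about in the /etc/hosts step) are worth checking mechanically. This is an added example, not part of the original guide: a shell function that reads saved output of the host commands and reports those problems; the DC name pine.lan.sherwood.uk is taken from the example and both host outputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide. DC_FQDN is the example DC; the two
# 'host' outputs are constructed, not real captures. BAD_OUT has the DC's A record
# pointing at 127.0.0.1, the mistake the /etc/hosts step warns about.
DC_FQDN="pine.lan.sherwood.uk"
BAD_OUT='pine.lan.sherwood.uk has address 127.0.0.1
_kerberos._udp.lan.sherwood.uk has SRV record 0 100 88 pine.lan.sherwood.uk.
_ldap._tcp.lan.sherwood.uk has SRV record 0 100 389 pine.lan.sherwood.uk.'
GOOD_OUT='pine.lan.sherwood.uk has address 192.168.1.254
_kerberos._udp.lan.sherwood.uk has SRV record 0 100 88 pine.lan.sherwood.uk.
_ldap._tcp.lan.sherwood.uk has SRV record 0 100 389 pine.lan.sherwood.uk.'

# Read 'host' output on stdin and print one problem per line. Prints nothing when
# both SRV records exist and target the DC, and the DC's A record is not loopback.
check_ad_dns() {
  awk -v dc="$1" '
    BEGIN { domain = dc; sub(/^[^.]*\./, "", domain) }   # lan.sherwood.uk
    $2 == "has" && $3 == "SRV" && $4 == "record" {
      target = $NF; sub(/\.$/, "", target)              # strip trailing dot
      if (target != dc) printf "%s targets %s, expected %s\n", $1, target, dc
      seen[$1] = 1
    }
    $1 == dc && $2 == "has" && $3 == "address" {
      if ($4 ~ /^127\./) printf "%s resolves to loopback %s\n", $1, $4
      have_a = 1
    }
    END {
      if (!have_a) printf "no A record for %s\n", dc
      n = split("_kerberos._udp _ldap._tcp", need, " ")
      for (i = 1; i <= n; i++)
        if (!((need[i] "." domain) in seen))
          printf "missing SRV record %s.%s\n", need[i], domain
    }'
}

# Live use: { host -t A "$DC_FQDN"; host -t SRV _kerberos._udp.lan.sherwood.uk;
#             host -t SRV _ldap._tcp.lan.sherwood.uk; } | check_ad_dns "$DC_FQDN"
printf '%s\n' "$BAD_OUT" | check_ad_dns "$DC_FQDN"
```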
Troubleshooting
If all is not well then first test dns by running
#samba_dnsupdate --verbose --all-names
If this command errors you can try to reconfigure the DNS settings by running samba_upgradedns
#samba_upgradedns --dns-backend=BIND9_DLZ
Once complete you will need to restart both bind and samba. You can verify that samba is running by calling
#netstat -tulpn| egrep 'smbd|samba'
Then try kinit again. If the SRV records are not findable then there is no way that kinit will work; if it is a clean configuration then there should not be any problems, but after a few failed or reconfigured installs there may be issues.
If the previous command returns nothing then check that samba is actually running.
NOTE: For those of you used to administering regular samba, the service is samba-ad-dc and NOT smbd.
#systemctl status samba-ad-dc
Needless to say, if it is dead then try starting it and then run the netstat command above again.
That should be it: your domain controller should now be up and running and ready to allow Windows PCs to join the domain. Netstat should return something that looks a bit like:
tcp   0 0 127.0.0.1:445         0.0.0.0:* LISTEN 10208/smbd
tcp   0 0 192.168.1.254:445     0.0.0.0:* LISTEN 10208/smbd
tcp   0 0 192.168.1.254:1024    0.0.0.0:* LISTEN 10207/samba
tcp   0 0 127.0.0.1:1024        0.0.0.0:* LISTEN 10207/samba
tcp   0 0 192.168.1.254:3268    0.0.0.0:* LISTEN 10211/samba
tcp   0 0 127.0.0.1:3268        0.0.0.0:* LISTEN 10211/samba
tcp   0 0 192.168.1.254:3269    0.0.0.0:* LISTEN 10211/samba
tcp   0 0 192.168.1.254:389     0.0.0.0:* LISTEN 10211/samba
tcp   0 0 127.0.0.1:3269        0.0.0.0:* LISTEN 10211/samba
tcp   0 0 127.0.0.1:389         0.0.0.0:* LISTEN 10211/samba
tcp   0 0 192.168.1.254:135     0.0.0.0:* LISTEN 10207/samba
tcp   0 0 127.0.0.1:135         0.0.0.0:* LISTEN 10207/samba
tcp   0 0 127.0.0.1:139         0.0.0.0:* LISTEN 10208/smbd
tcp   0 0 192.168.1.254:139     0.0.0.0:* LISTEN 10208/smbd
tcp   0 0 192.168.1.254:464     0.0.0.0:* LISTEN 10213/samba
tcp   0 0 127.0.0.1:464         0.0.0.0:* LISTEN 10213/samba
tcp   0 0 192.168.1.254:88      0.0.0.0:* LISTEN 10213/samba
tcp   0 0 127.0.0.1:88          0.0.0.0:* LISTEN 10213/samba
tcp   0 0 192.168.1.254:636     0.0.0.0:* LISTEN 10211/samba
tcp   0 0 127.0.0.1:636         0.0.0.0:* LISTEN 10211/samba
tcp6  0 0 ::1:445               :::*      LISTEN 10208/smbd
tcp6  0 0 ::1:1024              :::*      LISTEN 10207/samba
tcp6  0 0 ::1:3268              :::*      LISTEN 10211/samba
tcp6  0 0 ::1:3269              :::*      LISTEN 10211/samba
tcp6  0 0 ::1:389               :::*      LISTEN 10211/samba
tcp6  0 0 ::1:135               :::*      LISTEN 10207/samba
tcp6  0 0 ::1:139               :::*      LISTEN 10208/smbd
tcp6  0 0 ::1:464               :::*      LISTEN 10213/samba
tcp6  0 0 ::1:88                :::*      LISTEN 10213/samba
tcp6  0 0 ::1:636               :::*      LISTEN 10211/samba
udp   0 0 192.168.1.254:88      0.0.0.0:*        10213/samba
udp   0 0 127.0.0.1:88          0.0.0.0:*        10213/samba
udp   0 0 192.168.1.254:137     0.0.0.0:*        10209/samba
udp   0 0 192.168.1.255:137     0.0.0.0:*        10209/samba
udp   0 0 127.0.0.1:137         0.0.0.0:*        10209/samba
udp   0 0 127.255.255.255:137   0.0.0.0:*        10209/samba
udp   0 0 192.168.1.254:138     0.0.0.0:*        10209/samba
udp   0 0 192.168.1.255:138     0.0.0.0:*        10209/samba
udp   0 0 127.0.0.1:138         0.0.0.0:*        10209/samba
udp   0 0 127.255.255.255:138   0.0.0.0:*        10209/samba
udp   0 0 192.168.1.254:389     0.0.0.0:*        10212/samba
udp   0 0 127.0.0.1:389         0.0.0.0:*        10212/samba
udp   0 0 192.168.1.254:464     0.0.0.0:*        10213/samba
udp   0 0 127.0.0.1:464         0.0.0.0:*        10213/samba
udp6  0 0 ::1:88                :::*             10213/samba
udp6  0 0 ::1:389               :::*             10212/samba
udp6  0 0 ::1:464               :::*             10213/samba
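A listing like the one above is long enough that a missing port is easy to overlook, and the netstat checks earlier in the Troubleshooting section only confirm that something is listening. This added example (not part of the original guide) compares netstat -tulpn output against the listeners a domain client needs to reach on the DC's LAN address; the netstat excerpt is constructed, with LDAPS bound to loopback only and 3269 absent so the check has something to find.

```shell
#!/bin/sh
# Added example, not part of the original guide. SAMPLE is a constructed netstat
# -tulpn excerpt (not a real capture): 636 listens on loopback only and 3269 is
# absent, the two failure modes the check below reports.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.254:445       0.0.0.0:*               LISTEN      10208/smbd
tcp        0      0 192.168.1.254:389       0.0.0.0:*               LISTEN      10211/samba
tcp        0      0 192.168.1.254:3268      0.0.0.0:*               LISTEN      10211/samba
tcp        0      0 192.168.1.254:135       0.0.0.0:*               LISTEN      10207/samba
tcp        0      0 192.168.1.254:464       0.0.0.0:*               LISTEN      10213/samba
tcp        0      0 192.168.1.254:88        0.0.0.0:*               LISTEN      10213/samba
tcp        0      0 127.0.0.1:636           0.0.0.0:*               LISTEN      10211/samba
udp        0      0 192.168.1.254:88        0.0.0.0:*                           10213/samba
udp        0      0 192.168.1.254:389       0.0.0.0:*                           10212/samba
udp        0      0 192.168.1.254:464       0.0.0.0:*                           10213/samba'

# Listeners a client needs on the DC's LAN address: Kerberos, kpasswd, LDAP, LDAPS,
# global catalog, SMB and the RPC endpoint mapper. DNS (53) is not listed because
# with BIND9_DLZ it belongs to bind, not samba.
AD_DC_PORTS="tcp/88 udp/88 tcp/464 udp/464 tcp/389 udp/389 tcp/636 tcp/3268 tcp/3269 tcp/445 tcp/135"

# Read netstat -tulpn output on stdin and print each expected proto/port that has
# no listener bound to the given address (or to the wildcard 0.0.0.0).
missing_dc_ports() {
  addr="$1"
  listing=$(cat)
  for p in $AD_DC_PORTS; do
    proto=${p%/*}; port=${p#*/}
    # $1 is the protocol, $4 the local address for both tcp and udp rows
    printf '%s\n' "$listing" | awk -v proto="$proto" -v a="$addr:$port" -v w="0.0.0.0:$port" '
      $1 == proto && ($4 == a || $4 == w) { found = 1 }
      END { exit !found }' || printf '%s\n' "$p"
  done
}

# Live use would be: netstat -tulpn | missing_dc_ports 192.168.1.254
printf '%s\n' "$SAMPLE" | missing_dc_ports 192.168.1.254
```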
Administration, the samba-tool
This next section is going to deal with administration of the active directory using the samba tool.
USERS
Adding a user – just like windows active directory, this can be as complex or as simple as you like. In our example we are just going to add a username but if you wish to supply additional particulars then a good place to start will be by calling
#samba-tool user add -h
which will display all the options available. The absolute simplest way to add a user is to
#samba-tool user add johndoe
From here it will just ask you to supply a user password and that is it, job done.
Other user administrative functions
Listing users – # samba-tool user list
Deleting users – # samba-tool user delete johndoe
Reset a user password – # samba-tool user setpassword johndoe
Enable a user – # samba-tool user enable johndoe
Disable/lockout a user – # samba-tool user disable johndoe
GROUPS
Groups are almost identical to users, use samba-tool group -h for a list of commands.
Appending the -h flag to the end of any command will give you a list of options.
PASSWORD SETTINGS
It is recommended that you keep the password settings as they are, in order to prevent users from using extremely simple passwords. However, if for some reason you do want to change them, they are in samba-tool domain passwordsettings; again, use the -h flag to view the options available.