The configuration of samba in standard mode is pretty self explanatory, but unless you are running a pretty basic configuration you are likely to want Active Directory to manage longons for MS Windows workstations.<\/p>\n
NOTE<\/strong>: In this example we are going to use the following<\/p>\n Server Name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pine<\/strong><\/p>\n Domain Name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 uk<\/strong><\/p>\n And we will be adding a sub domain called lan<\/strong><\/p>\n Sub Domain Name sherwood.uk<\/strong><\/p>\n A few notes about this domain:<\/p>\n This is not a public domain albeit that it is good practice to use a prefix such as lan<\/strong> to a public domain suffix.<\/p>\n This domain is not and does not have to be the initial fqdn of your server. If you have followed the instructions in this booklet your server may be known by many different names and\/or domains. You are advised to create a new domain or sub domain as part of this process. It will NOT<\/strong> work if you use a domain name that can currently be reached by your bind dns server.<\/p>\n Before you start make sure you have an acl enabled file system (this seems to be enabled by default in Debian, but it does not hurt to check)<\/p>\n <\/p>\n Check that ACL is enabled<\/strong><\/p>\n First of all run df to get the names of your mounted file systems (or you could look in \/etc\/fstab<\/strong> if you like).<\/p>\n Now you need to run tune2fs on one of your filesystems eg.<\/p>\n NOTE:<\/strong> Your filesystem path may look quite a bit different from the one above.<\/p>\n You may append the above command with<\/p>\n if you are not interested in any of the other information. If you have acl enabled on the filesystem then it should return.<\/p>\n <\/p>\n Set a reasonable hostname<\/strong><\/p>\n If you want to change the hostname then now is the time to do it (and then never ever do it again J) run<\/p>\n If you have changed your hostname then reboot now, otherwise continue.<\/p>\n Set a proper hostname in \/etc\/hosts that points to your servers lan ip address rather than 127.0.0.1 eg<\/p>\n Make sure you can ping the short hostname<\/p>\n Install Packages<\/strong><\/p>\n Install the following packages in the usual way:<\/p>\n samba<\/p>\n krb5-user<\/p>\n krb5-config<\/p>\n winbind<\/p>\n libpam-winbind<\/p>\n libnss-winbind<\/p>\n During the installation you will be asked a series of questions about the Kerberos setup. The first will ask you for a \u201crealm<\/strong>\u201d. This should be the name of your sub domain in capital letters.<\/p>\n The next two questions will be about hostname of the Kerberos and administrative servers; In our example as we are only using one server the answer will be the fully qualified domain name of our server<\/p>\n Note<\/strong> this does not have to be in upper case.<\/p>\n <\/p>\n Provisioning<\/strong><\/p>\n Before we start to provision our server we need to shut down and disable the samba daemons.<\/p>\n Next we need to get rid of the samba configuration file as this is recreated during the provisioning process. It is good practice to move it rather than delete it (especially if you have a previous configuration that you might need information from).<\/p>\n Now we can start the domain provisioning process by invoking samba-tool<\/p>\n This will ask a series of questions<\/p>\n NOTE<\/strong>: depending on your configuration the defaults may not be correct.<\/p>\n The first will be the name of your Kerberos realm; this is the name that you provided in capitals at installation of Kerberos, so in our case it will be:<\/p>\n Thie second question will be about the Domain. This is the short name that you want your domain to be know by, as a default it should automatically pick SHERWOOD for our example, which is fine.<\/p>\n Next comes the server role which, as we are provisioning a domain controller we type<\/p>\n The DNS backend that we are using will be bind, and as samba is intent on depreciating BIND9_FLATFILE we are going to us BIND9_DLZ.<\/p>\n Now it will ask us for, and to confirm, an Administrtor password; This needs to be a strong password (long with letters, at least one capital letter an numbers) or the provisioning will fail.<\/p>\n The provisioning tool will now set up your domain and if all is well will return something like<\/p>\n Next we need to rename or remove Kerberos main configuration file from \/etc<\/strong> directory and replace it using a symlink with Samba newly generated Kerberos file located in \/var\/lib\/samba\/private<\/strong><\/p>\n Now you can start samba, but before you do, the service will probably be masked so if it will not start:<\/p>\n When you check the status of the service you are likely to get some error messages, this is because you have not configured bind yet so do not worry, the service should however be running.<\/p>\n Use the samba tool to check that it appears to be running:<\/p>\n should return<\/p>\n or something similar.<\/p>\n To verify the service use the netstat command<\/p>\n This should show a lot of ports open. If it does not then don\u2019t worry too much for now, carry on with the configuration and check it again at the end if necessary.<\/p>\n <\/p>\n DNS<\/strong><\/p>\n Now we need to move on to our dns configuration. First of all we edit our network interfaces file so that we add dns-search to our lan port<\/p>\n Next our \/etc\/resolv.conf<\/strong> Here we need to make sure that we have our nameserver set to our local bind nameserver (depending on your configuration you may have to set it up to handle forwarding) and also add a search directive<\/p>\n Save the file and now make sure that you can ping the hostnames\/domain in all its forms:<\/p>\n If you do not get a response then you need to resolve this before going any further.<\/p>\n <\/p>\n configure bind<\/strong><\/p>\n The next thing to do is configure bind to allow sama to update the domain records<\/p>\n First we need to add a line to \/etc\/bind\/named.conf<\/p>\n save the file and then get the version of bind by issuing the command<\/p>\n which will return something like:<\/p>\n now edit the \/var\/lib\/samba\/bind-dns\/named.conf <\/strong>file and uncomment the line that matches the version of bind that you are using. Note: This was already done as part of the installation for me, but it is still worth checking.<\/p>\n Next we move on to named.conf.options where we and the following line to the \u201coptions\u201d stanza<\/p>\n before restarting bind run named-checkconf <\/strong>which should not return anything if the configuration is ok.<\/p>\n now restart bind. Before doing so it is a good idea to open another window and monitor the syslog as when bind is restarted it should start to provision the active directory zone. You can do this by running<\/p>\n If bind fails to start then syslog may provide information about the reason why; Note: it will not start if you have a zone of the same name as the AD zone configured in \/etc\/bind\/named.conf.default-zones <\/strong>as this will conflict with the zone that samba is trying to create.<\/p>\n If all is well then you should be able to lookup the AD zones using the \u201chost<\/strong>\u201c command.<\/p>\n If all is well then you can try and get a Kerberos ticket<\/p>\n <\/p>\n Troubleshooting<\/strong><\/p>\n If all is not well then first test dns by running<\/p>\n If this command eroros you can try to reconfigure the DNS settings by running samba_upgradedns<\/p>\n Once complete you will need to restart both bind and samba. You can verify that samba is running by calling<\/p>\n Then try kinit again. If the SRV records are not findable then there is no way that kinit will work; if it is a clean configuration then there should not be any problems, but after a few failed or reconfigured installs there may be issues.<\/p>\n If the previous command returns nothing then check that samba is actually running.<\/p>\n NOTE:\u00a0 For those of you used to administering regular samba, the service is samba-ad-dc<\/strong> and NOT<\/strong> smbd.<\/p>\n Needless to say, if it is dead then try starting it and then running the netstat command above again<\/p>\n That should be it, your domain controller should now be up and running and ready to allow windows pc\u2019s to join the domain.\u00a0 Netstat should return something that looks a bit like:<\/p>\n <\/p>\n <\/p>\n Administration, the samba-tool<\/strong><\/p>\n This next section is going to deal with administration of the active directory using the samba tool.<\/p>\n <\/p>\n USERS<\/strong><\/p>\n Adding a user<\/strong> – just like windows active directory, this can be as complex or as simple as you like. In our example we are just going to add a username but if you wish to supply additional particulars then a good place to start will be by calling<\/p>\n which will display all the options available. The absolute simplest way to add a user is to<\/p>\n From here it will just ask you to supply a user password and that is it, job done.<\/p>\n Other user administrative functions<\/p>\n Listing users<\/strong> – # samba-tool user list<\/p>\n Deleting users<\/strong> – # samba-tool user delete johndoe<\/p>\n Reset a user password<\/strong> – # samba-tool user setpassword johndoe<\/p>\n Enable a user<\/strong> – # samba-tool user enable johndoe<\/p>\n Disable\/lockout a user<\/strong> – # samba-tool user disable johndoe<\/p>\n GROUPS<\/strong><\/p>\n Groups are almost identical to users, use samba-tool group -h<\/strong> for a list of commands.<\/p>\n Prepending the -h flag at the end of any command will give you a list of options<\/p>\n <\/p>\n PASSWORD SETTINGS<\/strong><\/p>\n It is recommended that you keep the password settings in as they are in order to prevent users from using extremely simple passwords however if for some reason you do what to change them they are in samba-tool domain passowrdsettings<\/strong>, again use the -h flag to view the options available.<\/p>\n","protected":false},"excerpt":{"rendered":" The configuration of samba in standard mode is pretty self explanatory, but unless you are running a pretty basic configuration you are likely to want Active Directory to manage longons for MS Windows workstations. NOTE: In this example we are going to use the following Server Name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pine Domain Name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 uk And we will be […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-149","post","type-post","status-publish","format-standard","hentry","category-debian-server"],"_links":{"self":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=149"}],"version-history":[{"count":8,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/149\/revisions"}],"predecessor-version":[{"id":451,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/149\/revisions\/451"}],"wp:attachment":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}#tune2fs -l \/dev\/mapper\/pine--vg-root<\/pre>\n
| grep \"Default mount options:\"<\/pre>\n
Default mount options:\u00a0\u00a0 user_xattr acl<\/pre>\n
#hostnamectl set-hostname yourhostnamehere<\/pre>\n
192.168.1.1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pine.lan.sherwood.uk<\/pre>\n
# apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind<\/pre>\n
SHERWOOD.UK<\/pre>\n
lan.sherwood.uk<\/pre>\n
#systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service\r\n#systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service<\/pre>\n
#mv \/etc\/samba\/smb.conf \/etc\/samba\/smb.conf.old<\/pre>\n
#samba-tool domain provision --use-rfc2307 --interactive<\/pre>\n
LAN.SERWOOD.UK<\/pre>\n
dc<\/pre>\n
BIND9_DLZ<\/pre>\n
Server Role:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 active directory domain controller\r\nHostname:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pine\r\nNetBIOS Domain:\u00a0\u00a0 SHERWOOD\r\nDNS Domain:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 lan.sherwood.uk\r\nDOMAIN SID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 S-1-5-21-XXXXXXX-XXXXXXX-XXXXXXXXX<\/pre>\n
#mv \/etc\/krb5.conf \/etc\/krb5.conf.initial\r\n#ln \u2013s \/var\/lib\/samba\/private\/krb5.conf \/etc\/<\/pre>\n
#systemctl unmask samba-ad-dc.service\r\n#systemctl start samba-ad-dc\r\n#systemctl status samba-ad-dc\r\n#systemctl enable samba-ad-dc.service<\/pre>\n
#samba-tool domain level show<\/pre>\n
Forest function level: (Windows) 2008 R2\r\nDomain function level: (Windows) 2008 R2\r\nLowest function level of a DC: (Windows) 2008 R2<\/pre>\n
#netstat \u2013tulpn| egrep 'smbd|samba'<\/pre>\n
#vi \/etc\/network\/interfaces<\/pre>\n
allow-hotplug eth1\r\niface eth1 inet static\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 address 192.168.1.254\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 netmask 255.255.255.0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 dns-search lan.sherwood.uk<\/pre>\n
search lan.sherwood.uk<\/pre>\n
#ping -c3 pine\r\n#ping -c3 pine.lan.sherwood.uk\r\n#ping -c3 lan.sherwood.uk<\/pre>\n
include \"\/var\/lib\/samba\/bind-dns\/named.conf\";<\/pre>\n
#named -v<\/pre>\n
BIND 9.9.5-9+deb8u16-Debian (Extended Support Version)<\/pre>\n
options {\r\n \u2026..\r\n tkey-gssapi-keytab \"\/var\/lib\/samba\/private\/dns.keytab\";\r\n \u2026\u2026\r\n}<\/pre>\ntail -f \/var\/log\/syslog<\/pre>\n
#host -t A lan.serwood.uk\r\n#host -t A pine.lan.sherwood.uk\r\n#host -t SRV _kerberos._udp.lan.sherwood.uk\r\n#host -t SRV _ldap._tcp.lan.sherwood.uk<\/pre>\n
#kinit administrator@LAN.SHERWOOD.UK<\/pre>\n
#samba_dnsupdate --verbose --all-names<\/pre>\n
#samba_upgradedns --dns-backend=BIND9_DLZ<\/pre>\n
#netstat -tulpn| egrep 'smbd|samba'<\/pre>\n
#systemctl status samba-ad-dc<\/pre>\n
tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 10208\/smbd\r\ntcp 0 0 192.168.1.254:445 0.0.0.0:* LISTEN 10208\/smbd\r\ntcp 0 0 192.168.1.254:1024 0.0.0.0:* LISTEN 10207\/samba\r\ntcp 0 0 127.0.0.1:1024 0.0.0.0:* LISTEN 10207\/samba\r\ntcp 0 0 192.168.1.254:3268 0.0.0.0:* LISTEN 10211\/samba\r\ntcp 0 0 127.0.0.1:3268 0.0.0.0:* LISTEN 10211\/samba\r\ntcp 0 0 192.168.1.254:3269 0.0.0.0:* LISTEN 10211\/samba\r\ntcp 0 0 192.168.1.254:389 0.0.0.0:* LISTEN 10211\/samba\r\ntcp 0 0 127.0.0.1:3269 0.0.0.0:* LISTEN 10211\/samba\r\ntcp 0 0 127.0.0.1:389 0.0.0.0:* LISTEN 10211\/samba\r\ntcp 0 0 192.168.1.254:135 0.0.0.0:* LISTEN 10207\/samba\r\ntcp 0 0 127.0.0.1:135 0.0.0.0:* LISTEN 10207\/samba\r\ntcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 10208\/smbd\r\ntcp 0 0 192.168.1.254:139 0.0.0.0:* LISTEN 10208\/smbd\r\ntcp 0 0 192.168.1.254:464 0.0.0.0:* LISTEN 10213\/samba\r\ntcp 0 0 127.0.0.1:464 0.0.0.0:* LISTEN 10213\/samba\r\ntcp 0 0 192.168.1.254:88 0.0.0.0:* LISTEN 10213\/samba\r\ntcp 0 0 127.0.0.1:88 0.0.0.0:* LISTEN 10213\/samba\r\ntcp 0 0 192.168.1.254:636 0.0.0.0:* LISTEN 10211\/samba\r\ntcp 0 0 127.0.0.1:636 0.0.0.0:* LISTEN 10211\/samba\r\ntcp6 0 0 ::1:445 :::* LISTEN 10208\/smbd\r\ntcp6 0 0 ::1:1024 :::* LISTEN 10207\/samba\r\ntcp6 0 0 ::1:3268 :::* LISTEN 10211\/samba\r\ntcp6 0 0 ::1:3269 :::* LISTEN 10211\/samba\r\ntcp6 0 0 ::1:389 :::* LISTEN 10211\/samba\r\ntcp6 0 0 ::1:135 :::* LISTEN 10207\/samba\r\ntcp6 0 0 ::1:139 :::* LISTEN 10208\/smbd\r\ntcp6 0 0 ::1:464 :::* LISTEN 10213\/samba\r\ntcp6 0 0 ::1:88 :::* LISTEN 10213\/samba\r\ntcp6 0 0 ::1:636 :::* LISTEN 10211\/samba\r\nudp 0 0 192.168.1.254:88 0.0.0.0:* 10213\/samba\r\nudp 0 0 127.0.0.1:88 0.0.0.0:* 10213\/samba\r\nudp 0 0 192.168.1.254:137 0.0.0.0:* 10209\/samba\r\nudp 0 0 192.168.1.255:137 0.0.0.0:* 10209\/samba\r\nudp 0 0 127.0.0.1:137 0.0.0.0:* 10209\/samba\r\nudp 0 0 127.255.255.255:137 0.0.0.0:* 10209\/samba\r\nudp 0 0 192.168.1.254:138 0.0.0.0:* 10209\/samba\r\nudp 0 0 192.168.1.255:138 0.0.0.0:* 10209\/samba\r\nudp 0 0 127.0.0.1:138 0.0.0.0:* 10209\/samba\r\nudp 0 0 127.255.255.255:138 0.0.0.0:* 10209\/samba\r\nudp 0 0 192.168.1.254:389 0.0.0.0:* 10212\/samba\r\nudp 0 0 127.0.0.1:389 0.0.0.0:* 10212\/samba\r\nudp 0 0 192.168.1.254:464 0.0.0.0:* 10213\/samba\r\nudp 0 0 127.0.0.1:464 0.0.0.0:* 10213\/samba\r\nudp6 0 0 ::1:88 :::* 10213\/samba\r\nudp6 0 0 ::1:389 :::* 10212\/samba\r\nudp6 0 0 ::1:464 :::* 10213\/samba<\/pre>\n
#samba-tool user add -h<\/pre>\n
#samba-tool user add johndoe<\/pre>\n