Samba4 as AD + file server
In this article, I will step by step prepare for using Samba4 as a domain controller, along with an additional file server, also based on Samba4. What do we get in the end? Two configured servers with samba4, the first as a domain controller, the second as a member server with user files. I have been working on this bundle for about a month, for a sim, I don’t share the final recipe, I just don’t have the right ...
A little background: the company uses a file server based on samba3.6 with LDAP Backend, which contains a list of all users and groups with access rights. Access rights to directories are set using xattr_acl (Extended file attributes), LDAP stores a list of users with matching access groups. Actually it is required to move from this infrastructure to samba4 ...
1) We are preparing two servers for samba4, I use the SUSE Linux Enterprise 11 Service Pack 3 distribution (SLES11 SP3) as an enterprise standard, so I will deploy everything on its basis. Then you can build a samba from source, this is optional, but I use a ready-made assembly from sernet, which you can get for free just by registering on the portal - Portal Enterprise Samba
')
Sernet builds samba for several distributions - Debian, Ubuntu, RHEL, CentOS, SLES, openSUSE.
I used Samba4 version 4.1.6
2) On the first server, which in our country will play the role of DC, install sernet-samba-ad. If you have any problems, you can look at the official instructions - Samba AD DC HOWTO . We are not forgetting to register the name of our future domain in our DNS server indicating our new server.
Next, we perform the creation of a domain using samba-tools.
The system will ask for several parameters that you need to specify, for example, such as a domain name, etc., and also ask you to set a password. Actually only the domain name and you need to specify, all other questions can be left with the answers by default. The administrator password must comply with standard Windows password policies, i.e. have at least one small and one big letter, as well as numbers, plus at least 8 characters.
We copy the newly configured samba Kerberos config to the default location.
To verify the correct operation of Kerberos, you can install krb5-client and check the operation of authentication.
klist should show information on tickets, if everything is ok, go ahead.
It is necessary to correct the file / etc / default / sernet-samba
Rule SAMBA_START_MODE = to the next.
After that, you can run the samba
If the launch was successful, we can assume that our domain controller has already been deployed.
We edit the /etc/nsswitch.conf file so that the system sees the users of the domain and the group, and also can properly set permissions on the files. We bring these two lines to the following form:
Restart the system and check if it works ... with the help of the getent passwd and getent group. We need to see groups and users from our domain. For more information about this step, you can read the official instructions - Samba4 / Winbind
It remains to enter into the domain of any machine with Windows for administration, I think this will not cause problems.
3) On the machine with Windows, which we entered into the domain, install the admin pack. We use equipment on management of users in AD.
Each group and user must be assigned to unix uid \ gid for the future normal operation of xattr_acl on our second server.
4) It's time to start preparing our second server, which will act as a member server and will be a file server in the domain.
Install sssd, the standard SLES11 repository has version 1.9.4, which is fine for us. Also install sssd-tools. sssd is needed to get users with unix attributes from our domain. For more information about the setting, you can read in the official instructions - Local user management and authentication / sssd
We will configure AD communications through Kerberos.
On the first server (DC), you need to export the keytab from Kerberos.
For safety, we chop off excess rights. Copy the keytab file to our second server along the same path.
Editing sssd.conf
Do not forget to correct the name of your DC and your domain on your own. Put sssd into autorun, reboot the server.
Then you can reset the cache and check our groups with users.
The list should include our groups and users with uid \ gid, which we asked in AD for the hardware in Windows.
5) Go to setting up samba4 on the second server, install sernet-samba-nmbd, sernet-samba-smbd, sernet-samba-winbind and all dependencies for them. More details about the setting can be found in the official instructions - Samba / Domain Member
Create smb.conf, my file looks like this:
We do not forget to correct the config for yourself, you need to change the domain name to yours.
We correct our hosts file in it we need to directly specify the name of our member server, otherwise the DNS zones will not be automatically updated in AD.
Run the login procedure to our domain.
You will need to enter an administrator password.
Actually after this, our member server is already in the domain.
You can try the Windows machine connects to it under your login password and create some folder to check the rights ...
Created a folder 123, check the rights.
As you can see, all rights are correctly set.
Then you can start transferring users to our new domain, as well as set permissions on folders according to your wishes.
You can also use glusterfs along with samba4 to create a fault-tolerant file server, but that's another story ...
If anyone has questions, I will be happy to assist.
A little background: the company uses a file server based on samba3.6 with LDAP Backend, which contains a list of all users and groups with access rights. Access rights to directories are set using xattr_acl (Extended file attributes), LDAP stores a list of users with matching access groups. Actually it is required to move from this infrastructure to samba4 ...
1) We are preparing two servers for samba4, I use the SUSE Linux Enterprise 11 Service Pack 3 distribution (SLES11 SP3) as an enterprise standard, so I will deploy everything on its basis. Then you can build a samba from source, this is optional, but I use a ready-made assembly from sernet, which you can get for free just by registering on the portal - Portal Enterprise Samba
')
Sernet builds samba for several distributions - Debian, Ubuntu, RHEL, CentOS, SLES, openSUSE.
I used Samba4 version 4.1.6
2) On the first server, which in our country will play the role of DC, install sernet-samba-ad. If you have any problems, you can look at the official instructions - Samba AD DC HOWTO . We are not forgetting to register the name of our future domain in our DNS server indicating our new server.
Next, we perform the creation of a domain using samba-tools.
samba-tool domain provision --use-rfc2307 --interactive The system will ask for several parameters that you need to specify, for example, such as a domain name, etc., and also ask you to set a password. Actually only the domain name and you need to specify, all other questions can be left with the answers by default. The administrator password must comply with standard Windows password policies, i.e. have at least one small and one big letter, as well as numbers, plus at least 8 characters.
We copy the newly configured samba Kerberos config to the default location.
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf To verify the correct operation of Kerberos, you can install krb5-client and check the operation of authentication.
kinit administrator@EXAMPLE.COM klist klist should show information on tickets, if everything is ok, go ahead.
It is necessary to correct the file / etc / default / sernet-samba
Rule SAMBA_START_MODE = to the next.
SAMBA_START_MODE="ad" After that, you can run the samba
/etc/init.d/sernet-samba-ad start If the launch was successful, we can assume that our domain controller has already been deployed.
We edit the /etc/nsswitch.conf file so that the system sees the users of the domain and the group, and also can properly set permissions on the files. We bring these two lines to the following form:
passwd: compat winbind group: compat winbind Restart the system and check if it works ... with the help of the getent passwd and getent group. We need to see groups and users from our domain. For more information about this step, you can read the official instructions - Samba4 / Winbind
It remains to enter into the domain of any machine with Windows for administration, I think this will not cause problems.
3) On the machine with Windows, which we entered into the domain, install the admin pack. We use equipment on management of users in AD.
Each group and user must be assigned to unix uid \ gid for the future normal operation of xattr_acl on our second server.
4) It's time to start preparing our second server, which will act as a member server and will be a file server in the domain.
Install sssd, the standard SLES11 repository has version 1.9.4, which is fine for us. Also install sssd-tools. sssd is needed to get users with unix attributes from our domain. For more information about the setting, you can read in the official instructions - Local user management and authentication / sssd
We will configure AD communications through Kerberos.
On the first server (DC), you need to export the keytab from Kerberos.
samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=__DC$ chown root:root /etc/krb5.sssd.keytab chmod 600 /etc/krb5.sssd.keytab For safety, we chop off excess rights. Copy the keytab file to our second server along the same path.
Editing sssd.conf
[sssd] services = nss, pam config_file_version = 2 domains = default [nss] [pam] [domain/default] ad_hostname = smbad.samba4.servdesk.ru ad_server = smbad.samba4.servdesk.ru ad_domain = samba4.servdesk.ru ldap_schema = rfc2307bis id_provider = ldap access_provider = simple # on large directories, you may want to disable enumeration for performance reasons enumerate = true auth_provider = krb5 chpass_provider = krb5 ldap_sasl_mech = gssapi ldap_sasl_authid = smbad$@SAMBA4.SERVDESK.RU krb5_realm = SAMBA4.SERVDESK.RU krb5_server = smbad.samba4.servdesk.ru krb5_kpasswd = smbad.samba4.servdesk.ru ldap_krb5_keytab = /etc/krb5.sssd.keytab ldap_krb5_init_creds = true ldap_referrals = false ldap_uri = ldap://smbad.samba4.servdesk.ru ldap_search_base = dc=samba4,dc=servdesk,dc=ru dyndns_update=false ldap_id_mapping=false ldap_user_object_class = user ldap_user_name = samAccountName ldap_user_uid_number = uidNumber ldap_user_gid_number = gidNumber ldap_user_home_directory = unixHomeDirectory ldap_user_shell = loginShell ldap_group_object_class = group ldap_group_name = cn ldap_group_member = member Do not forget to correct the name of your DC and your domain on your own. Put sssd into autorun, reboot the server.
Then you can reset the cache and check our groups with users.
sss_cache -UG getent group ... Schema Admins:*:10110:Administrator Domain Users:*:10103: DnsAdmins:*:10117: servdesk:*:10102:test The list should include our groups and users with uid \ gid, which we asked in AD for the hardware in Windows.
5) Go to setting up samba4 on the second server, install sernet-samba-nmbd, sernet-samba-smbd, sernet-samba-winbind and all dependencies for them. More details about the setting can be found in the official instructions - Samba / Domain Member
Create smb.conf, my file looks like this:
[global] workgroup = SAMBA4 security = ADS realm = SAMBA4.SERVDESK.RU # map untrusted to domain = Yes idmap config *:backend = tdb idmap config *:range = 70001-80000 # idmap config SAMBA4:default = yes idmap config SAMBA4:backend = ad idmap config SAMBA4:schema_mode = rfc2307 idmap config SAMBA4:range = 500-40000 # idmap_ldb:use rfc2307 = yes winbind nss info = rfc2307 winbind trusted domains only = no winbind use default domain = yes # winbind enum users = yes # winbind enum groups = yes #create mask = 0777 #directory mask = 0777 vfs objects = acl_xattr btrfs map acl inherit = Yes store dos attributes = Yes [data1] path = /data1/ read only = no We do not forget to correct the config for yourself, you need to change the domain name to yours.
We correct our hosts file in it we need to directly specify the name of our member server, otherwise the DNS zones will not be automatically updated in AD.
127.0.0.1 localhost 127.0.0.1 samba3.samba4.servdesk.ru samba3 Run the login procedure to our domain.
net ads join -U administrator You will need to enter an administrator password.
Actually after this, our member server is already in the domain.
You can try the Windows machine connects to it under your login password and create some folder to check the rights ...
Created a folder 123, check the rights.
getfacl /data1/123 # file: data1/123 # owner: test # group: Domain\040Users user::rwx user:test:rwx group::rx group:servdesk:rwx group:Domain\040Users:rx mask::rwx other::rx default:user::rwx default:user:test:rwx default:group::rx default:group:servdesk:rwx default:group:Domain\040Users:rx default:mask::rwx default:other::rx As you can see, all rights are correctly set.
Then you can start transferring users to our new domain, as well as set permissions on folders according to your wishes.
You can also use glusterfs along with samba4 to create a fault-tolerant file server, but that's another story ...
If anyone has questions, I will be happy to assist.
Source: https://habr.com/ru/post/216173/
All Articles