Step 4 : Install the Samba 4 Packages

    apt-get install samba4

The installation will throw out an error and apt will set the package to half installed. As the error isn't relevant to us, we have to fix the package by manually setting the package to installed.

1. Edit /var/lib/dpkg/status and search for Package: samba4
2. Replace half-configured with installed

Now we are going to build the Active Directory Domain:

    rm /etc/samba/smb.conf
    /usr/share/samba/setup/provision --realm=demo.local --domain=DEMO --adminpass='Test123' --server-role=dc

This will set up everything needed for running a Domain (LDAP, Kerberos, and so on).

Next step is to start Samba:

    initctl start samba4

Step 5 : Testing out our installation

    apt-get install samba4-clients
    smbclient -L localhost -U%

The last command should display the currently defined and served shares on the server. It should look something like:

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service
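The manual fix of /var/lib/dpkg/status in Step 4 is easy to get wrong with a global search-and-replace: every other package that happens to be half-configured would be marked installed as well. The helper below is an added example, not part of the original article; it rewrites only the Status line of the samba4 stanza, keeps a backup next to the file, and reports whether the stanza now reads installed. The path and the package name are parameters with the article's values as defaults; the status file contents in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: stanza-aware edit of the dpkg
# status file so that only the samba4 package is marked as installed.
# A plain "sed s/half-configured/installed/" over the whole file would also
# change any other package that happens to be half-configured.
#
# Usage: mark_samba4_installed /var/lib/dpkg/status
#        (run "dpkg --audit" afterwards; it should no longer list samba4)

mark_samba4_installed() {
    status_file=${1:-/var/lib/dpkg/status}
    pkg=${2:-samba4}

    # keep a backup; dpkg's own copies live in /var/backups, but this one is
    # next to the file and easy to diff against
    cp -p -- "$status_file" "$status_file.bak" || return 1

    # stanzas in the status file are separated by blank lines and start with a
    # "Package:" field; in_target is set on that field and stays set until the
    # next "Package:" line, so the Status substitution cannot leak into another
    # package's stanza
    awk -v pkg="$pkg" '
        /^Package: /             { in_target = ($2 == pkg) }
        in_target && /^Status: / { sub(/half-configured$/, "installed") }
                                 { print }
    ' "$status_file.bak" > "$status_file" || return 1

    # exit 0 only if the target stanza now carries an "installed" state
    awk -v pkg="$pkg" '
        /^Package: /                           { in_target = ($2 == pkg) }
        in_target && /^Status: .* installed$/  { ok = 1 }
        END                                    { exit ok ? 0 : 1 }
    ' "$status_file"
}
```

After the edit, `dpkg --audit` lists any packages still in a broken state and is the quickest way to confirm that samba4 has dropped off that list.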
We also need a naming service in our network to resolve hosts and services. Active Directory uses DNS to discover a huge number of services, so here we go:

Step 1 : Install Bind

    apt-get install bind9

Step 2 : Configure Bind

Now you need to edit the Bind configuration file to include the necessary configuration for Samba: Active Directory relies heavily on special DNS entries to find various services on the network. Edit /etc/bind/named.conf and append the following line at the end:

    include "/var/lib/samba/private/named.conf";

Step 3 : Adapt the AppArmor configuration

As Ubuntu is securing its services using AppArmor, we need to make sure that Bind has the rights to access the files provided by Samba. Edit /etc/apparmor.d/usr.sbin.named and append the following entries:

    /var/lib/samba/private/** rkw,
    /var/lib/samba/private/dns/** rkw,
    /usr/lib/x86_64-linux-gnu/samba/bind9/** rm,
    /usr/lib/x86_64-linux-gnu/samba/gensec/** rm,
    /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
    /usr/lib/x86_64-linux-gnu/samba/ldb/** rm,

Now reload the configuration for the change to take effect:

    /etc/init.d/apparmor reload

Step 4 : Start and test Bind

Run the following command to start Bind:

    /etc/init.d/bind9 start

To make sure that everything worked as expected, run the following commands and watch their output. Each command should return a result:

    host -t SRV _ldap._tcp.demo.local.
    host -t SRV _kerberos._tcp.demo.local.
    host -t A vupapsam401.demo.local.

The output should look something like:

    _ldap._tcp.biomerx.local has SRV record 0 100 389 vupapsam401.demo.local.
    _kerberos._tcp.biomerx.local has SRV record 0 100 88 vupapsam401.demo.local.
    vupapsam401.biomerx.local has address 192.168.99.200

Step 5 : Allow dynamic DNS updates

We want our clients to be able to update their DNS entries automatically. Edit /etc/bind/named.conf and append the following line:

    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

Step 6 : Configure Bind as a Forwarder

If you have another DNS server (like a SOHO router) on your network which provides DNS service to resolve external names (like www.google.com), you'll need to configure Bind to use this DNS server to resolve those entries. First we need to disable IPv6 in Bind by editing /etc/default/bind9 and appending:

    OPTIONS="-4 -u bind"

Now modify /etc/bind/named.conf to include the following directives in the options section:

    allow-query { any; };
    allow-recursion { any; };
    forwarders { 192.168.99.254; };
    dnssec-validation no;
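Two practical points about the named.conf edits in Steps 2, 5 and 6, shown as an added shell example that is not part of the original article. First, the "append the following line" steps are not idempotent: running them a second time leaves the include in named.conf twice, and Bind then refuses to start because the Samba zones are defined twice. Second, `allow-recursion { any; };` together with `allow-query { any; };` turns Bind into an open recursive resolver for every address that can reach it, which is acceptable only while the DC is reachable solely from the LAN. The helpers append a line only if absent, flag open recursion, and rewrite just the allow-recursion statement; the 192.168.99.0/24 network is an assumption derived from the addresses used in the guide, and the named.conf in the usage is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Helpers for the named.conf
# edits in Steps 2, 5 and 6 of the Bind setup.

# Append a line only when it is not already present verbatim, so that the
# include and tkey-gssapi-keytab statements are never duplicated on re-runs.
append_once() {
    file=$1
    line=$2
    # -F: fixed string, -x: whole line, so a commented-out copy or a line
    # that merely contains the text does not count as present
    if grep -qFx -- "$line" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Returns 1 (and prints the finding) when recursion is open to "any".
# allow-query { any; } is left as it is: authoritative answers for the AD
# zone must stay reachable, it is recursion for arbitrary names that should
# be limited to the local networks.
audit_recursion() {
    file=$1
    if grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*\{[[:space:]]*any;' "$file"; then
        echo "$file: allow-recursion { any; } -> open resolver; restrict to local networks" >&2
        return 1
    fi
    return 0
}

# Rewrite only the allow-recursion statement to the given ACL list. The
# default network is an assumption based on the 192.168.99.x addresses in
# the guide; adjust it to the LAN the DC actually serves.
restrict_recursion() {
    file=$1
    networks=${2:-"192.168.99.0/24; localhost;"}
    sed "s#^\([[:space:]]*\)allow-recursion[[:space:]]*{[[:space:]]*any;[[:space:]]*};#\1allow-recursion { $networks };#" \
        "$file" > "$file.tmp" && mv -- "$file.tmp" "$file"
}

# Usage on the real files:
#   append_once /etc/bind/named.conf 'include "/var/lib/samba/private/named.conf";'
#   append_once /etc/bind/named.conf 'tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";'
#   audit_recursion /etc/bind/named.conf || restrict_recursion /etc/bind/named.conf
#   named-checkconf /etc/bind/named.conf
```

`named-checkconf` is Bind's own syntax checker and is worth running before every restart of the service, since a duplicated include or a stray semicolon otherwise only shows up as a failed start.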
Kerberos
Step 1 : Install the Kerberos Utilities
    apt-get install krb5-user

When asked for the default realm, enter demo.local and vupapsam401 as the host. Test whether Kerberos works by executing:

    kinit administrator@DEMO.LOCAL

The domain name needs to be written in UPPERCASE letters. If the command succeeds, run the following command to check that we have obtained a Kerberos ticket:

    klist -e
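`klist -e` prints, besides the ticket itself, the encryption types of the session key and of the ticket. The filter below is an added example, not part of the original article: it reads klist output on standard input and reports DES, 3DES and RC4 (arcfour-hmac) types, which RFC 6649 and RFC 8429 deprecate for Kerberos; a DC that still issues those is worth a second look. The klist output used to exercise it is constructed in the MIT klist -e format.

```shell
#!/bin/sh
# Added example, not from the original article: flag deprecated encryption
# types in "klist -e" output. Reads the output on stdin, prints every weak
# type it finds ("weak: <etype>") and returns 1 if there was at least one,
# 0 otherwise.
weak_etypes_in_klist() {
    found=0
    while IFS= read -r line; do
        # only the per-ticket "Etype (skey, tkt): a, b" lines carry types
        case $line in
            *"Etype (skey, tkt):"*) ;;
            *) continue ;;
        esac
        etypes=${line#*"Etype (skey, tkt):"}
        # the two types are comma separated; split them into words
        for etype in $(printf '%s' "$etypes" | tr ',' ' '); do
            case $etype in
                # single DES (RFC 6649), 3DES and RC4 (RFC 8429)
                des-cbc-*|des3-cbc-*|arcfour-hmac*|rc4-hmac*)
                    echo "weak: $etype"
                    found=1 ;;
            esac
        done
    done
    return $found
}

# Usage after a successful kinit:
#   klist -e | weak_etypes_in_klist && echo "no deprecated enctypes in the cache"
```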
    comment = Global share for all users
    path = /data/global
    read only = No

Restart Samba:

    initctl restart samba4

Adding users

When adding new users, set their home directory to:

    \\vupapsam401\users\

The directory will be created automatically.

Adding new DNS entries

Use the DNS Snap-In in the Management Console.

Error while copying

If you copy files from a Windows system to Samba and get something like "Not enough memory", this could be because of NTFS streams within the files (hidden metadata). You can remove them with the tool streams, available at http://technet.microsoft.com/de-de/sysinternals/bb897440, by executing the following command:

    streams -s -d C:\data

Permission problems

If you have problems with access to files created by different users (even if the permissions look correct), append the following to /etc/samba/smb.conf (in the share section):

    directory mask = 0777
    create mask = 0777

and restart Samba:

    service samba4 restart
Article printed from Egon Rath's Notes: http://www.matrix44.net/cms URL to article: http://www.matrix44.net/cms/notes/gnulinux/samba-4-ad-domain-with-ubuntu-12-04