Samba4/Domain Member
From SambaWiki
This HOWTO describes a basic setup of a Samba 4.x member server that is part of an Active Directory domain (regardless of whether Samba or Windows provides the AD).
Required packages
To compile Samba, the following packages have to be installed on your system (on top of a basic RHEL6 installation):
- autoconf
- automake
- gcc
- gdb
- krb5-devel
- krb5-workstation
- make
- openldap-devel
- pam-devel
- python-devel
Compiling and installation
After you have downloaded and unpacked the sources, you have to run
# ./configure --with-ads --with-shared-modules=idmap_ad --{add other options if required for your environment}
# make
# make install
You have to run these commands inside the root of the extracted source directory.
If you have problems with the new waf build system, you can try using the old one by running the commands from the 'source3' directory. But in this case, report your problems to the developers on the samba-technical mailing list so they can be fixed soon!
For additional information on the waf build system, see BUILD_SYSTEMS.txt and Buildsystem Use And Why.
Setting up Kerberos
Edit your /etc/krb5.conf and adapt the following example to your environment:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = YOUR.SAMBA.DOMAIN.NAME
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
Setting up a basic smb.conf
The following is a very basic example of a smb.conf. Normally this file is located in /usr/local/samba/etc/ (depending on your 'configure' parameters, it could be located somewhere else):
[global]
 workgroup = SHORTDOMAINNAME
 security = ADS
 realm = YOUR.SAMBA.DOMAIN.NAME
 encrypt passwords = yes

 idmap config *:backend = tdb
 idmap config *:range = 70001-80000
 idmap config SHORTDOMAINNAME:backend = ad
 idmap config SHORTDOMAINNAME:schema_mode = rfc2307
 idmap config SHORTDOMAINNAME:range = 500-40000

 winbind nss info = rfc2307
 winbind trusted domains only = no
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes

[test]
 path = /srv/samba/test
 read only = no
This is just a very basic example that will make your member server part of your Active Directory. The ID mapping for domain users/groups is done via schema mode rfc2307: users/groups that have a uidNumber/gidNumber set in AD are available on your member server with the same IDs as in your AD. If you use different UID/GID ranges in your AD, you have to adapt the ranges accordingly. For all non-domain accounts (like BUILTIN, etc.) the mappings are stored in a local TDB file and the IDs are allocated from the given range.
For further explanation on the smb.conf parameters, see the manpage.
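As an added example (not code from this page or from the Samba project), the following Python script checks the idmap layout described above: it parses the 'idmap config' lines of a smb.conf and reports a missing default backend, a missing or malformed range, or two ranges that overlap, which would let two SIDs map onto the same Unix ID. The configuration it reads is a constructed sample taken from the example above.

```python
import re
# Constructed sample: the idmap settings from this page's example smb.conf.
SAMPLE_SMB_CONF = """
[global]
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SHORTDOMAINNAME:backend = ad
idmap config SHORTDOMAINNAME:schema_mode = rfc2307
idmap config SHORTDOMAINNAME:range = 500-40000
"""

# Matches "idmap config <domain>:<option> = <value>"; the domain may be "*".
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every idmap config line in [global]."""
    domains, section = {}, None
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()  # new section header
            continue
        m = IDMAP_RE.match(line)
        if m and section == "global":
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains


def check_idmap(conf_text):
    """Return a list of problems; an empty list means the idmap layout looks sane."""
    problems, ranges = [], {}
    domains = parse_idmap(conf_text)
    if "*" not in domains:
        problems.append("no 'idmap config *' default: BUILTIN and unknown SIDs cannot be mapped")
    for domain, opts in domains.items():
        rng = opts.get("range", "")
        try:
            low, high = (int(x) for x in rng.split("-"))
            if low >= high:
                raise ValueError
            ranges[domain] = (low, high)
        except ValueError:
            problems.append(f"{domain}: missing or malformed range '{rng}'")
    # Two overlapping ranges would let two SIDs map onto the same Unix ID.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} {ranges[a]} and {b} {ranges[b]} overlap")
    return problems
```

Run check_idmap() on the text of your own smb.conf after adapting the ranges; Samba's testparm performs similar sanity checks, but this shows which lines are involved.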
Joining the member server to the domain
# net ads join -U administrator
Make domain users/groups available locally through winbind
To make your domain users and groups available on your member server, you have to copy a library from the sources folder (of course after you have run 'make') and set a symlink:
# cp nsswitch/libnss_winbind.so /lib
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
# ldconfig
The next step is to add 'winbind' to the 'passwd' and 'group' entry of your /etc/nsswitch.conf:
passwd: compat winbind
group:  compat winbind
Starting the daemons
If you have finished the above steps, you can start the following services:
- smbd
- nmbd
- winbindd
You should write or obtain a start script to avoid starting the services by hand every time.
Testing the winbind user/group mapping
To check whether winbind receives users and groups from the domain, run the following commands:
# wbinfo -u
# wbinfo -g
This should show a list of all users and groups the domain provides via winbind.
If you have set up your nsswitch.conf correctly, you should also be able to use chown/chgrp and id with domain accounts:
# chown DomainUser:DomainGroup file
# chgrp DomainGroup file
# id DomainUser
Check your logfiles
To be sure that your member server works fine, you should check the samba logfiles for errors.
Other
NTP
Because Kerberos requires the clocks of all servers in your domain to agree, you should set up NTP on your machine to keep the time in sync.