http:///https:///api.php?action=feedcontributions&user=BBaumbach&feedformat=atomSambaWiki - User contributions [en]2024-03-28T15:14:57ZUser contributionsMediaWiki 1.39.5https://wiki.samba.org/index.php?title=TDB_Locations&diff=18572TDB Locations2023-01-18T10:16:14Z<p>BBaumbach: </p>
<hr />
<div>List of Samba3 TDB files and their locations.<br />
<br />
{| class="sortable wikitable" border="1" cellpadding="5" cellspacing="0"<br />
|-style="background-color:#DCDCDC;"<br />
!TDB File || API || Location|| Info || Description<br />
|-<br />
|account_policy.tdb || dbwrap || state || || Samba/NT account policy settings, includes password expiration settings.<br />
|-<br />
|autorid.tdb || dbwrap || state || || Mappings of which domain is mapped to which range. <br />
|-<br />
|brlock.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || Byte-range locking information.<br />
|-<br />
|connections.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || A temporary cache for current connection information used to enforce max connections.<br />
|-<br />
|eventlog/*.tdb || tdb || state || || Records of eventlog entries. In most circumstances this is just a cache of system logs.<br />
|-<br />
|g_lock.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || Global locking information.<br />
|-<br />
|gencache.tdb || tdb || lock || TDB_CLEAR_IF_FIRST* || Generic caching database for dead WINS servers and trusted domain data.<br />
|-<br />
|gencache_notrans.tdb || tdb || lock || TDB_CLEAR_IF_FIRST || <br />
|-<br />
|group_mapping.tdb || dbwrap || state || || Mapping table from Windows groups/SID to UNIX groups.<br />
|-<br />
|idmap2.tdb || dbwrap || private || ||<br />
|-<br />
|locking.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|login_cache.tdb || tdb || cache || || A temporary cache for login information, in particular bad password attempts.<br />
|-<br />
|messages.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST || Temporary storage of messages being processed by smbd.<br />
|-<br />
|mutex.tdb || tdb_wrap || lock || ||<br />
|-<br />
|netsamlogon_cache.tdb|| tdb || cache || TDB_CLEAR_IF_FIRST* || Caches user net_info_3 structure data from net_samlogon requests (as a domain member).<br />
|-<br />
|notify.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|notify_onelevel.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|ntdrivers.tdb || tdb || state || || Removed in 3.6. Stores per-printer installed driver information.<br />
|-<br />
|ntforms.tdb || tdb || state || || Removed in 3.6. Stores per-printer installed forms information.<br />
|-<br />
|ntprinters.tdb || tdb || state || || Removed in 3.6. Stores the per-printer devmode configuration settings.<br />
|-<br />
|passdb.tdb || dbwrap || private || || Exists only when the tdbsam passwd backend is used. This file stores the SambaSAMAccount information. Note: This file requires that user POSIX account information is available from either the /etc/passwd file, or from an alternative system source. <br />
|-<br />
|perfmon/data.tdb || tdb || state || || Performance counter information.<br />
|-<br />
|perfmon/names.tdb || tdb || state || || Performance counter information.<br />
|-<br />
|printer_list.tdb || dbwrap || lock || (TDB_CLEAR_IF_FIRST in Samba < 4.16.4) ||<br />
|-<br />
|printing/*.tdb || tdb || cache || || Cached output from lpq command created on a per-print-service basis.<br />
|-<br />
|registry.tdb || dbwrap || state || || Read-only Samba database of a Windows registry skeleton that provides support for exporting various database tables via the winreg RPCs. <br />
|-<br />
|schannel_store.tdb || tdb_wrap || private || TDB_CLEAR_IF_FIRST || A confidential file, stored in the PRIVATE_DIR, containing cryptographic connection information so that clients that have temporarily disconnected can reconnect without needing to renegotiate the connection setup process. <br />
|-<br />
|secrets.tdb || dbwrap || private || || This file stores the Workgroup/Domain/Machine SID, the LDAP directory update password, and a further collection of critical environmental data that is necessary for Samba to operate correctly. This file contains very sensitive information that must be protected. It is stored in the PRIVATE_DIR directory. <br />
|-<br />
|serverid.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|sessionid.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || Temporary cache for miscellaneous session information and for utmp handling.<br />
|-<br />
|share_info.tdb || dbwrap || state || || Stores per-share ACL information.<br />
|-<br />
|unexpected.tdb || tdb || lock || TDB_CLEAR_IF_FIRST || Removed in 3.6. Stores packets received for which no process is actively listening.<br />
|-<br />
|winbindd_cache.tdb || tdb || cache || TDB_CLEAR_IF_FIRST* || Cache of Identity information received from an NT4 domain or from ADS. Includes user lists, etc.<br />
|-<br />
|winbindd_idmap.tdb || tdb || state || || Winbindd's local IDMAP database.<br />
|-<br />
|wins.tdb || tdb || state || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|xattr.tdb || dbwrap || state || ||<br />
|-<br />
| || || || ||<br />
|-<br />
|torture.tdb || tdb || torture || Test TDB ||<br />
|-<br />
|test.tdb || tdb_wrap || torture || Test TDB ||<br />
|-<br />
|transtest.tdb || dbwrap || torture || Test TDB ||<br />
|}<br />
<br />
<br />
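The table places secrets.tdb, passdb.tdb, schannel_store.tdb and idmap2.tdb in the private location and describes secrets.tdb as very sensitive. A permission audit for that directory follows as an added example that is not part of the Samba wiki; the function names, the owner-only policy and the default owner uid 0 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): audit the TDB files that the table
# lists under the "private" location. Assumed policy: owner-only access,
# owned by uid 0 unless another uid is passed.

# File names taken from the table rows whose Location column is "private".
PRIVATE_TDBS="secrets.tdb passdb.tdb schannel_store.tdb idmap2.tdb"

# check_one PATH WANT_UID
# Prints one FINDING line per problem; returns 0 only if PATH is clean.
check_one() {
    co_rc=0
    if [ -L "$1" ]; then
        echo "FINDING: $1 is a symbolic link"
        return 1
    fi
    # ls -ld prints e.g. "-rw-------"; columns 5-10 are the group and other bits.
    co_bits=$(ls -ld -- "$1" | cut -c5-10)
    if [ "$co_bits" != "------" ]; then
        echo "FINDING: $1 is accessible to group or others ($co_bits)"
        co_rc=1
    fi
    # With -n, ls prints the numeric owner uid in the third field.
    co_uid=$(ls -ldn -- "$1" | awk '{print $3}')
    if [ "$co_uid" != "$2" ]; then
        echo "FINDING: $1 is owned by uid $co_uid, expected $2"
        co_rc=1
    fi
    return "$co_rc"
}

# audit_private_tdbs DIR [WANT_UID]
# Returns 0 if DIR and every private TDB found in it are clean,
# 1 if there is at least one finding, 2 if DIR is not a directory.
audit_private_tdbs() {
    ap_dir=$1
    ap_uid=${2:-0}
    ap_findings=0
    if [ ! -d "$ap_dir" ]; then
        echo "ERROR: $ap_dir is not a directory" >&2
        return 2
    fi
    check_one "$ap_dir" "$ap_uid" || ap_findings=$((ap_findings + 1))
    for ap_name in $PRIVATE_TDBS; do
        ap_path="$ap_dir/$ap_name"
        # Files may be absent: passdb.tdb exists only with the tdbsam backend.
        if [ -e "$ap_path" ] || [ -L "$ap_path" ]; then
            check_one "$ap_path" "$ap_uid" || ap_findings=$((ap_findings + 1))
        fi
    done
    [ "$ap_findings" -eq 0 ]
}

# Run the audit when the script is called with arguments: DIR [WANT_UID].
if [ "$#" -gt 0 ]; then
    audit_private_tdbs "$@"
fi
```

On a Samba host, <code>smbd -b | grep PRIVATE_DIR</code> shows the directory to pass as the first argument.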
TDB_CLEAR_IF_FIRST means that Samba clears the TDB on each first open (for example after a reboot).<br />
 * The TDB is only cleared (truncated) if the file is corrupt.</div>BBaumbachhttps://wiki.samba.org/index.php?title=Setting_up_Samba_as_a_Print_Server&diff=16325Setting up Samba as a Print Server2019-11-18T15:15:50Z<p>BBaumbach: /* Enabling the spoolssd Service */</p>
<hr />
<div>= Introduction =<br />
<br />
If you set up Samba as a print server, clients in your network are able to send print jobs to the Samba host using the server message block (SMB) protocol. The examples shown in this documentation use a raw printer in the back end. This configuration requires that the print job is formatted by a driver on the client and thus can be processed by the printer without further processing or filtering.<br />
<br />
<br />
<br />
<br />
= Supported Print Server Back Ends =<br />
<br />
Samba supports multiple print server back ends, such as [https://www.cups.org/ CUPS] and [http://www.lprng.com/ LPRng]. For a complete list, see the <code>printing</code> parameter in the <code>smb.conf(5)</code> man page.<br />
<br />
{{Imbox<br />
| type = note<br />
| text = You must set up the printer server back end locally on the Samba host. Samba cannot forward print jobs to a remote host. However, you can configure the local printer server back end to forward the job to a remote print server.<br />
}}<br />
<br />
For details on how to set up the back end, see the print server's documentation.<br />
<br />
<br />
<br />
== Samba <code>CUPS</code> or <code>IPRINT</code> Back End Support ==<br />
<br />
When using the <code>CUPS</code> or <code>IPRINT</code> print server back end, Samba must have been built with CUPS support enabled. To verify, enter:<br />
<br />
# smbd -b | grep "HAVE_CUPS"<br />
HAVE_CUPS<br />
<br />
If no output is displayed:<br />
* Samba was built using the <code>--disable-cups</code> parameter.<br />
* The Samba <code>configure</code> script was unable to locate the required libraries for CUPS support. For details, see [[Package Dependencies Required to Build Samba]].<br />
<br />
<br />
<br />
<br />
<br />
= Adding a printer to the Print Server Back End =<br />
<br />
== CUPS ==<br />
<br />
To add a raw printer to a CUPS print server:<br />
<br />
* Open the CUPS admin web interface in your browser. For example, <nowiki>https://servername:631/admin</nowiki><br />
<br />
* Select the <code>Administration</code> tab and click <code>Add Printer</code>.<br />
<br />
* Select the connection type and enter the corresponding URL to the printer's queue or to the remote print server queue. For example:<br />
:* LPD-based printers: <code>lpd://''printer_name''/''queue''</code><br />
:* IPP (Internet Printing Protocol)-based printers: <code>ipp://''printer_name''/ipp/port</code><br />
:* SMB (Server Message Block)-based printers: <code>smb://''username'':''password''@''domain''/''windows_print_server_host_name''/''printer_name''</code><br />
:: Note that forwarding a job to a print server running Windows Vista or newer, or Windows Server 2008 or newer requires authentication.<br />
<br />
* Enter a name for the printer. This name is used in the <code>smb.conf</code> when sharing the printer using Samba.<br />
<br />
* Select the <code>Raw</code> printer vendor and model.<br />
<br />
* Save the settings.<br />
<br />
<br />
<br />
== LPRng ==<br />
<br />
To add a raw printer to a LPRng print server:<br />
<br />
* Add the following line to the <code>/etc/printcap</code> file:<br />
<br />
''printer_name'':sd=/var/spool/lpd/''printer_name''/:sh:mx=0:mc=0:rm=''Printer_DNS_name_or_IP_address''<br />
: The printer name is used in the smb.conf when sharing the printer using Samba.<br />
: For further details about the options used, see the <code>printcap(5)</code> man page.<br />
<br />
* To create the spool directory, enter:<br />
<br />
# checkpc -f<br />
<br />
* Restart the LPRng service.<br />
<br />
<br />
<br />
<br />
<br />
= Enabling the <code>spoolssd</code> Service =<br />
<br />
The Samba <code>spoolssd</code> is a service that is integrated into the smbd service. If you configured Samba as a print server, you can additionally enable <code>spoolssd</code> to increase performance on print servers with a high number of jobs or printers.<br />
: Without <code>spoolssd</code>, Samba forks the <code>smbd</code> process for each print job and initializes the <code>printcap</code> cache. In case of a large number of printers, the <code>smbd</code> service can become unresponsive for multiple seconds when initializing the cache. The <code>spoolssd</code> service enables you to start pre-forked <code>smbd</code> processes that are processing print jobs without any delay. The main <code>spoolssd</code> <code>smbd</code> process uses a low amount of memory, and forks and terminates child processes<br />
<br />
To enable the <code>spoolssd</code> service:<br />
<br />
* Edit the <code>[global]</code> section in your <code>smb.conf</code> file: <br />
<br />
:* Add the following parameters:<br />
<br />
rpc_server:spoolss = external<br />
rpc_daemon:spoolssd = fork<br />
<br />
:* Optionally, you can set the following parameters:<br />
::{| class="wikitable"<br />
!Parameter<br />
!Default<br />
!Description<br />
|-<br />
|spoolssd:prefork_min_children<br />
|5<br />
|Minimum number of child processes<br />
|-<br />
|spoolssd:prefork_max_children<br />
|25<br />
|Maximum number of child processes<br />
|-<br />
|spoolssd:prefork_spawn_rate<br />
|5<br />
|Samba forks this number of new child processes, up to the value set in <code>spoolssd:prefork_max_children</code>, if a new connection is established<br />
|-<br />
|spoolssd:prefork_max_allowed_clients<br />
|100<br />
|Number of clients a child process serves<br />
|-<br />
|spoolssd:prefork_child_min_life<br />
|60<br />
|Minimum lifetime of a child process in seconds. 60 seconds is the minimum.<br />
|}<br />
<br />
* Restart Samba.<br />
<br />
After the restart, Samba automatically starts <code>smbd</code> sub-processes: <br />
# ps axf<br />
...<br />
30903 smbd<br />
30912 \_ smbd<br />
30913 \_ smbd<br />
30914 \_ smbd<br />
30915 \_ smbd<br />
...<br />
<br />
= Enabling the Print Server Support in Samba =<br />
<br />
To enable the print server support:<br />
<br />
* Set the printing back end in the <code>printing</code> parameter of the <code>[global]</code> section in your <code>smb.conf</code> file. For example:<br />
printing = CUPS<br />
<br />
* Add the following section to your <code>smb.conf</code>:<br />
<br />
[printers]<br />
path = /var/spool/samba/<br />
printable = yes<br />
<br />
* Create the spool directory set in the <code>path</code> parameter:<br />
<br />
# mkdir -p /var/spool/samba/<br />
# chmod 1777 /var/spool/samba/<br />
<br />
* Reload Samba:<br />
<br />
# smbcontrol all reload-config<br />
<br />
<br />
<br />
<br />
<br />
= Sharing a Printer =<br />
<br />
== Automatic Sharing of All Printers Configured in the Print Server Back End == <br />
<br />
Using the default setting, all printers configured in the print server back end are automatically shared.<br />
<br />
<br />
<br />
=== Disabling the Automatic Printer Sharing ===<br />
<br />
To disable the automatic printer sharing:<br />
<br />
* Add the following parameter to the <code>[global]</code> section of your <code>smb.conf</code> file:<br />
<br />
load printers = no<br />
<br />
* Reload Samba:<br />
<br />
# smbcontrol all reload-config<br />
<br />
<br />
<br />
== Manual Sharing of Printers ==<br />
<br />
To manually share a printer:<br />
<br />
* Verify that the automatic printer sharing is disabled. See [[#Disabling_the_Automatic_Printer_Sharing|Disabling the Automatic Printer Sharing]].<br />
<br />
* Add the share for the printer to your <code>smb.conf</code> file:<br />
<br />
[''Samba_printer_name'']<br />
path = /var/spool/samba/<br />
printable = yes<br />
printer name = ''printer_name_in_the_back_end''<br />
<br />
: Set the <code>printer name</code> parameter to the name of the printer used in the local print server back end.<br />
<br />
* Reload Samba:<br />
<br />
# smbcontrol all reload-config<br />
<br />
<br />
<br />
<br />
<br />
= Setting up Automatic Printer Driver Download for Windows Clients =<br />
<br />
See [[Setting_up_Automatic_Printer_Driver_Downloads_for_Windows_Clients|Setting up Automatic Printer Driver Downloads for Windows Clients]].<br />
<br />
<br />
<br />
<br />
<br />
----<br />
[[Category:Active Directory]]<br />
[[Category:Domain Members]]<br />
[[Category:NT4 Domains]]<br />
[[Category:Printing]]<br />
[[Category:Standalone Server]]</div>BBaumbachhttps://wiki.samba.org/index.php?title=DNS_Administration&diff=16117DNS Administration2019-08-06T11:52:40Z<p>BBaumbach: </p>
<hr />
<div>= Introduction =<br />
<br />
If you're running Samba as an Active Directory Domain Controller, you also have to administer a DNS server.<br />
<br />
You will already find general [[The_Samba_AD_DNS_Back_Ends|information on the internal DNS and the BIND DLZ module]] and documentation about [[BIND9_DLZ_DNS_Back_End|Bind as DNS Backend]] in the Wiki.<br />
<br />
<br />
<br />
<br />
<br />
= General =<br />
<br />
By default, Samba creates the following two forward zones during provisioning/upgrading (of course with your own domain name):<br />
<br />
* '''samdom.example.com''': Zone for your domain.<br />
* '''_msdcs.samdom.example.com''': This is the ForestDNSZone, which contains several service records for the entire directory.<br />
<br />
<br />
<br />
<br />
<br />
= Features =<br />
<br />
The Samba internal DNS is a new implementation. Although BIND is a mature DNS server that has long been in production on millions of servers, the Samba BIND DLZ module is still new. That's why both backends don't yet cover all the features that you can set up with the Microsoft DNS tools. If you discover problems or missing features, please open a bug report/feature request at [https://bugzilla.samba.org/ https://bugzilla.samba.org/].<br />
<br />
Even though the internal DNS and the BIND DLZ modules are new, they both support all basic requirements for Active Directory and more.<br />
<br />
<br />
<br />
== Known issues/missing features ==<br />
<br />
* Managing zone transfers is not implemented yet. [https://bugzilla.samba.org/show_bug.cgi?id=9951 Bug report #9951:DNS MMC: Enabling DNS zone transfers in MMC fails]<br />
<br />
* Different zone transfer settings on internal DNS (denied) and BIND DLZ (allowed). [https://bugzilla.samba.org/show_bug.cgi?id=9634 Bug report #9634: Samba Bind DLZ module allows zone transfers for everyone]<br />
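A check for the two zone-transfer items above, to be run against your own domain controller, follows as an added example that is not part of the wiki page. The helper names <code>classify_axfr</code> and <code>check_zone_transfer</code> are hypothetical, and the two sample <code>dig</code> outputs are constructed from the example names used on this page.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): classify the answer to a zone
# transfer request, so that you can see which of the two behaviours listed
# above (denied or allowed) your own DNS back end shows.

# classify_axfr: read `dig ... AXFR` output on stdin and print one word:
#   denied  - dig reported a failed transfer
#   allowed - a complete transfer arrived (the record list of an AXFR
#             starts and ends with the zone's SOA record)
#   unknown - neither pattern matched (timeout, wrong zone name, ...)
classify_axfr() {
    awk '
        /^;.*Transfer failed/    { failed = 1 }
        /^[^;]/ && $4 == "SOA"   { soa++ }
        END {
            if (failed)        print "denied"
            else if (soa >= 2) print "allowed"
            else               print "unknown"
        }'
}

# check_zone_transfer SERVER ZONE
# Sends one AXFR request with a 5 second timeout and classifies the reply.
check_zone_transfer() {
    dig +time=5 +tries=1 "@$1" "$2" AXFR 2>&1 | classify_axfr
}

# Constructed sample: output of a transfer that was answered in full.
SAMPLE_ALLOWED='; <<>> DiG <<>> @dc1.samdom.example.com samdom.example.com AXFR
;; global options: +cmd
samdom.example.com. 3600 IN SOA dc1.samdom.example.com. hostmaster.example.com. 63 900 600 86400 3600
samdom.example.com. 900 IN NS dc1.samdom.example.com.
demo.samdom.example.com. 900 IN A 10.99.0.55
samdom.example.com. 3600 IN SOA dc1.samdom.example.com. hostmaster.example.com. 63 900 600 86400 3600
;; XFR size: 4 records (messages 1, bytes 200)'

# Constructed sample: output of a transfer that the server refused.
SAMPLE_DENIED='; <<>> DiG <<>> @dc1.samdom.example.com samdom.example.com AXFR
;; global options: +cmd
; Transfer failed.'

# Run against a live server when called with arguments: SERVER ZONE.
if [ "$#" -eq 2 ]; then
    check_zone_transfer "$1" "$2"
fi
```

If the result is <code>allowed</code> from a host that should not receive the zone, restrict transfers in the BIND configuration or filter port 53/TCP for that source.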
<br />
<br />
<br />
<br />
<br />
= Importance of DNS for Active Directory =<br />
<br />
A working Active Directory is heavily based on a working DNS. It's not just for resolving IP addresses into names and vice versa. Clients find their Domain Controller/s and other important AD services by DNS queries. This means that your clients must use your Domain Controller/s as their nameservers. Do not use anything else between your clients and Domain Controller/s.<br />
<br />
<br />
<br />
<br />
<br />
= Administering DNS on Windows =<br />
<br />
To administer DNS from a Windows client, you have to install the DNS MMC Snap-In. See [[Installing RSAT|Installing RSAT on Windows for AD Management]] for more details.<br />
<br />
If you use the internal DNS server, there are the following known problems:<br />
<br />
* Scavenging is not implemented yet. The error message "This function is not supported on this system" is returned.<br />
* Conditional forwarders are not implemented yet. The same error message as above is returned.<br />
* The DNS forwarder can only be changed in the smb.conf, not via the MMC Snap-In.<br />
* Creating static records. When a static record is created it has a timestamp and the option "Delete this record when it becomes stale". In Windows Active Directory, static records have a "static" timestamp and cannot be accidentally deleted.<br />
<br />
<br />
<br />
<br />
== Adding new records ==<br />
<br />
* Navigate to the zone where you want to add a new record.<br />
<br />
* Right-click it and choose the kind of record to add.<br />
<br />
: [[Image:DNS_Manager_Add_records.png]]<br />
<br />
* Fill the fields and save the new entry.<br />
<br />
<br />
<br />
== Updating existing records ==<br />
<br />
* Navigate to the zone that contains the record you want to edit.<br />
<br />
* Right-click the record and choose „Properties“.<br />
<br />
: [[Image:DNS_Manager_Change_record.png]]<br />
<br />
* Edit the entry and save the changes.<br />
<br />
<br />
<br />
== Delete a record ==<br />
<br />
* Navigate to the zone that contains the record you want to remove.<br />
<br />
* Right-click the record and choose „Delete“.<br />
<br />
<br />
<br />
== Changing zone properties ==<br />
<br />
* Right-click the zone whose properties you want to change.<br />
<br />
* Choose „Properties“.<br />
<br />
'''Note''': Currently both DNS backends don't support all features that can be set up in the dialogues. If you discover problems or missing features, please open a bug report/feature request at [https://bugzilla.samba.org/ https://bugzilla.samba.org/].<br />
<br />
<br />
<br />
== Creating a new zone ==<br />
<br />
As an example, we'll add a reverse lookup zone.<br />
<br />
* Right-click „Reverse Lookup Zones“ and choose „New Zone“.<br />
<br />
* The „New Zone Wizard“ appears.<br />
<br />
* Zone Type: Select „Primary zone“ and „Store the zone in Active Directory“.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_1.png]]<br />
<br />
* Zone Replication Scope: Depends on your needs.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_2.png]]<br />
<br />
* Reverse Lookup Zone Name: Depends on your needs.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_3.png]]<br />
<br />
* Dynamic Update: Depends on your needs.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_4.png]]<br />
<br />
* Finish the wizard.<br />
<br />
Your new zone is directly live without restarting Samba or BIND.<br />
<br />
<br />
<br />
<br />
== Deleting a zone ==<br />
<br />
* Right-click a zone and choose „Delete“.<br />
<br />
: [[Image:DNS_Delete_Zone.png]]<br />
<br />
= Administering DNS on Linux/Unix with samba-tool =<br />
<br />
== Adding new records ==<br />
<br />
* Example: Adding an A record<br />
<br />
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
* Example: Adding a PTR record to a reverse zone<br />
<br />
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa 55 PTR demo.samdom.example.com<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
* Example: Adding a SRV record to _tcp.samdom.example.com<br />
<br />
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com _demo._tcp SRV 'demo.samdom.example.com 8080 0 100'<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
:A note on SRV records: The four parameters in the last field („data“) must be given in the order 'hostname port priority weight' and enclosed in single quotes (' ').<br />
<br />
* Example: Adding a NS record to samdom.example.com zone<br />
<br />
 # samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ NS newdc.samdom.example.com<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
== Updating existing records ==<br />
<br />
* Example: Changing an A record<br />
<br />
# samba-tool dns update <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55 10.99.0.66<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record updated succefully<br />
<br />
* Example: Changing a SOA Resource Record<br />
: The data part of the SOA record consists of 7 space ('&#32;') separated elements in the following order:<br />
: ''nameserver, email, serial, refresh, retry, expire, minimum-ttl''<br />
: &nbsp;<br />
: The following example changes the hostmaster's mail address:<br />
# samba-tool dns update <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ SOA \<br />
"dc1.samdom.example.com hostmaster.example.com 63 900 600 86400 3600" \<br />
"dc1.samdom.example.com admin.example.com 64 900 600 86400 3600"<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record updated successfully<br />
<br />
== Delete a record ==<br />
<br />
* Example: Deleting an A record<br />
# samba-tool dns delete <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record deleted succefully<br />
<br />
* Example: Deleting a NS record from samdom.example.com zone<br />
<br />
 # samba-tool dns delete <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ NS olddc.samdom.example.com<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record deleted successfully<br />
<br />
== Creating a new zone ==<br />
<br />
As an example, we'll add a reverse lookup zone.<br />
<br />
# samba-tool dns zonecreate <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Zone 0.99.10.in-addr.arpa created successfully<br />
<br />
Your new zone is directly live without restarting Samba or BIND.<br />
<br />
<br />
<br />
<br />
== Deleting a zone ==<br />
<br />
* Example: Deleting a reverse zone:<br />
<br />
# samba-tool dns zonedelete <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Zone 0.99.10.in-addr.arpa delete successfully<br />
<br />
<br />
<br />
== Listing existing zones ==<br />
<br />
* Example: listing secondary zones<br />
# samba-tool dns zonelist <Your-AD-DNS-Server-IP-or-hostname> --secondary -U administrator<br />
<br />
<br />
<br />
== Listing zone information ==<br />
<br />
* Example: showing information about a zone<br />
# samba-tool dns zoneinfo <Your-AD-DNS-Server-IP-or-hostname> <zone-name> -U administrator<br />
<br />
<br />
<br />
== Listing zone records ==<br />
<br />
* Example: listing records from a zone<br />
# samba-tool dns query <Your-AD-DNS-Server-IP-or-hostname> <zone-name> @ ALL -U administrator<br />
<br />
= Configuring clients to use your AD DNS server =<br />
<br />
* [[Windows_DNS_Configuration|Windows]]<br />
* [[Linux_and_Unix_DNS_Configuration|Linux/Unix]]<br />
* [[MacOSX_DNS_Configuration|MacOSX]]<br />
<br />
<br />
<br />
<br />
<br />
= Testing your DNS Server =<br />
<br />
See [[Testing_the_DNS_Name_Resolution|Testing the DNS Name Resolution]].<br />
<br />
<br />
<br />
<br />
<br />
----<br />
[[Category:Active Directory]]<br />
[[Category:DNS]]</div>BBaumbachhttps://wiki.samba.org/index.php?title=DNS_Administration&diff=16116DNS Administration2019-08-06T11:42:09Z<p>BBaumbach: </p>
<hr />
<div>= Introduction =<br />
<br />
If you're running Samba as an Active Directory Domain Controller, you also have to administer a DNS server.<br />
<br />
You will already find general [[The_Samba_AD_DNS_Back_Ends|information on the internal DNS and the BIND DLZ module]] and documentation about [[BIND9_DLZ_DNS_Back_End|Bind as DNS Backend]] in the Wiki.<br />
<br />
<br />
<br />
<br />
<br />
= General =<br />
<br />
By default, Samba creates the following two forward zones during provisioning/upgrading (of course with your own domain name):<br />
<br />
* '''samdom.example.com''': Zone for your domain.<br />
* '''_msdcs.samdom.example.com''': This is the ForestDNSZone, which contains several service records for the entire directory.<br />
<br />
<br />
<br />
<br />
<br />
= Features =<br />
<br />
The Samba internal DNS is a new implementation. Although BIND is a mature DNS server that has long been in production on millions of servers, the Samba BIND DLZ module is still new. That's why both backends don't yet cover all the features that you can set up with the Microsoft DNS tools. If you discover problems or missing features, please open a bug report/feature request at [https://bugzilla.samba.org/ https://bugzilla.samba.org/].<br />
<br />
Even though the internal DNS and the BIND DLZ modules are new, they both support all basic requirements for Active Directory and more.<br />
<br />
<br />
<br />
== Known issues/missing features ==<br />
<br />
* Managing zone transfers is not implemented yet. [https://bugzilla.samba.org/show_bug.cgi?id=9951 Bug report #9951:DNS MMC: Enabling DNS zone transfers in MMC fails]<br />
<br />
* Different zone transfer settings on internal DNS (denied) and BIND DLZ (allowed). [https://bugzilla.samba.org/show_bug.cgi?id=9634 Bug report #9634: Samba Bind DLZ module allows zone transfers for everyone]<br />
<br />
<br />
<br />
<br />
<br />
= Importance of DNS for Active Directory =<br />
<br />
A working Active Directory is heavily based on a working DNS. It's not just for resolving IP addresses into names and vice versa. Clients find their Domain Controller/s and other important AD services by DNS queries. This means that your clients must use your Domain Controller/s as their nameservers. Do not use anything else between your clients and Domain Controller/s.<br />
<br />
<br />
<br />
<br />
<br />
= Administering DNS on Windows =<br />
<br />
To administer DNS from a Windows client, you have to install the DNS MMC Snap-In. See [[Installing RSAT|Installing RSAT on Windows for AD Management]] for more details.<br />
<br />
If you use the internal DNS server, there are the following known problems:<br />
<br />
* Scavenging is not implemented yet. The error message "This function is not supported on this system" is returned.<br />
* Conditional forwarders are not implemented yet. The same error message as above is returned.<br />
* The DNS forwarder can only be changed in the smb.conf, not via the MMC Snap-In.<br />
* Creating static records. When a static record is created it has a timestamp and the option "Delete this record when it becomes stale". In Windows Active Directory, static records have a "static" timestamp and cannot be accidentally deleted.<br />
<br />
<br />
<br />
<br />
== Adding new records ==<br />
<br />
* Navigate to the zone where you want to add a new record.<br />
<br />
* Right-click it and choose the kind of record to add.<br />
<br />
: [[Image:DNS_Manager_Add_records.png]]<br />
<br />
* Fill the fields and save the new entry.<br />
<br />
<br />
<br />
== Updating existing records ==<br />
<br />
* Navigate to the zone that contains the record you want to edit.<br />
<br />
* Right-click the record and choose „Properties“.<br />
<br />
: [[Image:DNS_Manager_Change_record.png]]<br />
<br />
* Edit the entry and save the changes.<br />
<br />
<br />
<br />
== Delete a record ==<br />
<br />
* Navigate to the zone that contains the record you want to remove.<br />
<br />
* Right-click the record and choose „Delete“.<br />
<br />
<br />
<br />
== Changing zone properties ==<br />
<br />
* Right-click the zone whose properties you want to change.<br />
<br />
* Choose „Properties“.<br />
<br />
'''Note''': Currently both DNS backends don't support all features that can be set up in the dialogues. If you discover problems or missing features, please open a bug report/feature request at [https://bugzilla.samba.org/ https://bugzilla.samba.org/].<br />
<br />
<br />
<br />
== Creating a new zone ==<br />
<br />
As an example, we'll add a reverse lookup zone.<br />
<br />
* Right-click „Reverse Lookup Zones“ and choose „New Zone“.<br />
<br />
* The „New Zone Wizard“ appears.<br />
<br />
* Zone Type: Select „Primary zone“ and „Store the zone in Active Directory“.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_1.png]]<br />
<br />
* Zone Replication Scope: Depends on your needs.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_2.png]]<br />
<br />
* Reverse Lookup Zone Name: Depends on your needs.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_3.png]]<br />
<br />
* Dynamic Update: Depends on your needs.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_4.png]]<br />
<br />
* Finish the wizard.<br />
<br />
Your new zone is directly live without restarting Samba or BIND.<br />
<br />
<br />
<br />
<br />
== Deleting a zone ==<br />
<br />
* Right-click a zone and choose „Delete“.<br />
<br />
: [[Image:DNS_Delete_Zone.png]]<br />
<br />
= Administering DNS on Linux/Unix =<br />
<br />
== Adding new records ==<br />
<br />
* Example: Adding an A record<br />
<br />
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
* Example: Adding a PTR record to a reverse zone<br />
<br />
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa 55 PTR demo.samdom.example.com<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
* Example: Adding a SRV record to _tcp.samdom.example.com<br />
<br />
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com _demo._tcp SRV 'demo.samdom.example.com 8080 0 100'<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
:A note on SRV records: The four parameters in the last field („data“) must be given in the order 'hostname port priority weight' and enclosed in single quotes (' ').<br />
<br />
* Example: Adding a NS record to samdom.example.com zone<br />
<br />
 # samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ NS newdc.samdom.example.com<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
== Updating existing records ==<br />
<br />
* Example: Changing an A record<br />
<br />
# samba-tool dns update <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55 10.99.0.66<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record updated succefully<br />
<br />
* Example: Changing a SOA Resource Record<br />
: The data part of the SOA record consists of 7 elements in the following order:<br />
: ''nameserver, email, serial, refresh, retry, expire, minimum-ttl''<br />
: &nbsp;<br />
: The following example changes the hostmaster's mail address:<br />
# samba-tool dns update <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ SOA \<br />
"dc1.samdom.example.com hostmaster.example.com 63 900 600 86400 3600" \<br />
"dc1.samdom.example.com admin.example.com 64 900 600 86400 3600"<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record updated successfully<br />
<br />
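The SOA update above takes the complete old data string and the complete new one, so a single changed field still means retyping all seven. The following shell helper is an added example, not part of the original wiki page or of Samba: it derives the new string from the old one, replaces the mail address and increments the serial as the wiki example does (63 to 64). The function names and the server name dc1.samdom.example.com are assumptions.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): derive the "new" SOA data
# string for samba-tool dns update from the current one.
# Field order, as listed on the page:
#   nameserver email serial refresh retry expire minimum-ttl

# soa_next_data OLD_DATA NEW_EMAIL
# Prints OLD_DATA with the email replaced and the serial incremented.
soa_next_data() {
    if [ "$#" -ne 2 ]; then
        echo "usage: soa_next_data OLD_DATA NEW_EMAIL" >&2
        return 2
    fi
    soa_old=$1 soa_mail=$2
    # Split the old data on whitespace with globbing switched off.
    set -f
    set -- $soa_old
    set +f
    if [ "$#" -ne 7 ]; then
        echo "expected 7 SOA fields, got $#" >&2
        return 1
    fi
    # serial, refresh, retry, expire and minimum-ttl are 32-bit numbers.
    for soa_n in "$3" "$4" "$5" "$6" "$7"; do
        case "$soa_n" in
            ''|*[!0-9]*) echo "not a number: $soa_n" >&2; return 1 ;;
        esac
        if [ "${#soa_n}" -gt 10 ] || [ "$soa_n" -gt 4294967295 ]; then
            echo "out of 32-bit range: $soa_n" >&2
            return 1
        fi
    done
    # The SOA mail field is written with '.' in place of '@'
    # (hostmaster.example.com). Accept user@domain and convert it, but
    # refuse a dotted local part, which would become ambiguous.
    case "$soa_mail" in
        ''|*' '*|@*|*@|*@*@*)
            echo "bad mail address: $soa_mail" >&2; return 1 ;;
        *@*)
            soa_local=${soa_mail%@*}
            case "$soa_local" in
                *.*) echo "dot in local part: $soa_local" >&2; return 1 ;;
            esac
            soa_mail="$soa_local.${soa_mail#*@}" ;;
    esac
    # Strip leading zeros so the shell does not read the serial as octal,
    # then increment modulo 2^32 (DNS serials are 32-bit unsigned).
    soa_serial=$3
    while [ "${#soa_serial}" -gt 1 ] && [ "${soa_serial#0}" != "$soa_serial" ]; do
        soa_serial=${soa_serial#0}
    done
    soa_serial=$(( (soa_serial + 1) % 4294967296 ))
    printf '%s %s %s %s %s %s %s\n' \
        "$1" "$soa_mail" "$soa_serial" "$4" "$5" "$6" "$7"
}

# soa_update_command SERVER ZONE OLD_DATA NEW_EMAIL
# Prints (does not run) the matching samba-tool command.
soa_update_command() {
    if [ "$#" -ne 4 ]; then
        echo "usage: soa_update_command SERVER ZONE OLD_DATA NEW_EMAIL" >&2
        return 2
    fi
    soa_new=$(soa_next_data "$3" "$4") || return 1
    printf 'samba-tool dns update %s %s @ SOA "%s" "%s"\n' \
        "$1" "$2" "$3" "$soa_new"
}

# Constructed sample: the old data string from the wiki example.
soa_update_command dc1.samdom.example.com samdom.example.com \
    "dc1.samdom.example.com hostmaster.example.com 63 900 600 86400 3600" \
    admin@example.com
```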
== Delete a record ==<br />
<br />
* Example: Deleting an A record<br />
# samba-tool dns delete <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record deleted successfully<br />
<br />
* Example: Deleting a NS record from samdom.example.com zone<br />
<br />
# samba-tool dns delete <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ NS olddc.samdom.example.com<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record deleted successfully<br />
<br />
== Creating a new zone ==<br />
<br />
As an example, we'll add a reverse lookup zone.<br />
<br />
# samba-tool dns zonecreate <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Zone 0.99.10.in-addr.arpa created successfully<br />
<br />
Your new zone is directly live without restarting Samba or BIND.<br />
<br />
<br />
<br />
<br />
== Deleting a zone ==<br />
<br />
* Example: Deleting a reverse zone:<br />
<br />
# samba-tool dns zonedelete <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Zone 0.99.10.in-addr.arpa delete successfully<br />
<br />
<br />
<br />
== Listing existing zones ==<br />
<br />
* Example: listing secondary zones<br />
# samba-tool dns zonelist <Your-AD-DNS-Server-IP-or-hostname> --secondary -U administrator<br />
<br />
<br />
<br />
== Listing zone information ==<br />
<br />
* Example: showing information about a zone<br />
# samba-tool dns zoneinfo <Your-AD-DNS-Server-IP-or-hostname> <zone-name> -U administrator<br />
<br />
<br />
<br />
== Listing zone records ==<br />
<br />
* Example: listing records from a zone<br />
# samba-tool dns query <Your-AD-DNS-Server-IP-or-hostname> <zone-name> @ ALL -U administrator<br />
<br />
= Configuring clients to use your AD DNS server =<br />
<br />
* [[Windows_DNS_Configuration|Windows]]<br />
* [[Linux_and_Unix_DNS_Configuration|Linux/Unix]]<br />
* [[MacOSX_DNS_Configuration|MacOSX]]<br />
<br />
<br />
<br />
<br />
<br />
= Testing your DNS Server =<br />
<br />
See [[Testing_the_DNS_Name_Resolution|Testing the DNS Name Resolution]].<br />
<br />
<br />
<br />
<br />
<br />
----<br />
[[Category:Active Directory]]<br />
[[Category:DNS]]</div>BBaumbachhttps://wiki.samba.org/index.php?title=DNS_Administration&diff=16115DNS Administration2019-08-06T11:38:56Z<p>BBaumbach: /* Adding new records */</p>
<hr />
<div>= Introduction =<br />
<br />
If you're running Samba as an Active Directory Domain Controller, you also have to administer a DNS server.<br />
<br />
You will already find general [[The_Samba_AD_DNS_Back_Ends|information on the internal DNS and the BIND DLZ module]] and documentation about [[BIND9_DLZ_DNS_Back_End|Bind as DNS Backend]] in the Wiki.<br />
<br />
<br />
<br />
<br />
<br />
= General =<br />
<br />
By default, Samba creates the following two forward zones during provisioning/upgrading (of course with your own domain name):<br />
<br />
* '''samdom.example.com''': Zone for your domain.<br />
* '''_msdcs.samdom.example.com''': This is the ForestDNSZone, which contains several service records for the entire directory.<br />
<br />
<br />
<br />
<br />
<br />
= Features =<br />
<br />
The Samba internal DNS is a new implementation. Although BIND is a mature DNS server that has long been in production on millions of servers, the Samba BIND DLZ module is still new. That's why both backends don't yet cover all the features that you can set up with the Microsoft DNS tools. If you discover problems or missing features, please open a bug report/feature request at [https://bugzilla.samba.org/ https://bugzilla.samba.org/].<br />
<br />
Even though the internal DNS and the BIND DLZ modules are new, they both support all basic requirements for Active Directory and more.<br />
<br />
<br />
<br />
== Known issues/missing features ==<br />
<br />
* Managing zone transfers is not implemented yet. [https://bugzilla.samba.org/show_bug.cgi?id=9951 Bug report #9951:DNS MMC: Enabling DNS zone transfers in MMC fails]<br />
<br />
* Different zone transfer settings on internal DNS (denied) and BIND DLZ (allowed). [https://bugzilla.samba.org/show_bug.cgi?id=9634 Bug report #9634: Samba Bind DLZ module allows zone transfers for everyone]<br />
<br />
<br />
<br />
<br />
<br />
= Importance of DNS for Active Directory =<br />
<br />
A working Active Directory is heavily based on a working DNS. It's not just for resolving IP addresses into names and vice versa. Clients find their Domain Controller/s and other important AD services by DNS queries. This means that your clients must use your Domain Controller/s as their nameservers. Do not use anything else between your clients and Domain Controller/s.<br />
<br />
<br />
<br />
<br />
<br />
= Administering DNS on Windows =<br />
<br />
To administer DNS from a Windows client, you have to install the DNS MMC Snap-In. See [[Installing RSAT|Installing RSAT on Windows for AD Management]] for more details.<br />
<br />
If you use the internal DNS server, there are the following known problems:<br />
<br />
* Scavenging is not implemented yet. The error message "This function is not supported on this system" is returned.<br />
* Conditional forwarders are not implemented yet. The same error message as above is returned.<br />
* The DNS forwarder can only be changed in the smb.conf, not via the MMC Snap-In.<br />
* Creating static records. When a static record is created it has a timestamp and the option "Delete this record when it becomes stale". In Windows Active Directory, static records have a "static" timestamp and cannot be accidentally deleted.<br />
<br />
<br />
<br />
<br />
== Adding new records ==<br />
<br />
* Navigate to the zone where you want to add a new record.<br />
<br />
* Right-click it and choose the kind of record to add.<br />
<br />
: [[Image:DNS_Manager_Add_records.png]]<br />
<br />
* Fill in the fields and save the new entry.<br />
<br />
<br />
<br />
== Updating existing records ==<br />
<br />
* Navigate to the zone that contains the record you want to edit.<br />
<br />
* Right-click the record and choose „Properties“.<br />
<br />
: [[Image:DNS_Manager_Change_record.png]]<br />
<br />
* Edit the entry and save the changes.<br />
<br />
<br />
<br />
== Delete a record ==<br />
<br />
* Navigate to the zone that contains the record you want to remove.<br />
<br />
* Right-click the record and choose „Delete“.<br />
<br />
<br />
<br />
== Changing zone properties ==<br />
<br />
* Right-click the zone you want to change.<br />
<br />
* Choose „Properties“.<br />
<br />
'''Note''': Currently both DNS backends don't support all features that can be set up in the dialogues. If you discover problems or missing features, please open a bug report/feature request at [https://bugzilla.samba.org/ https://bugzilla.samba.org/].<br />
<br />
<br />
<br />
== Creating a new zone ==<br />
<br />
As an example, we'll add a reverse lookup zone.<br />
<br />
* Right-click „Reverse Lookup Zones“ and choose „New Zone“.<br />
<br />
* The „New Zone Wizard“ appears.<br />
<br />
* Zone Type: Select „Primary zone“ and „Store the zone in Active Directory“.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_1.png]]<br />
<br />
* Zone Replication Scope: Depends on your needs.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_2.png]]<br />
<br />
* Reverse Lookup Zone Name: Depends on your needs.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_3.png]]<br />
<br />
* Dynamic Update: Depends on your needs.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_4.png]]<br />
<br />
* Finish the wizard.<br />
<br />
Your new zone is directly live without restarting Samba or BIND.<br />
<br />
<br />
<br />
<br />
== Deleting a zone ==<br />
<br />
* Right-click a zone and choose „Delete“.<br />
<br />
: [[Image:DNS_Delete_Zone.png]]<br />
<br />
= Administering DNS on Linux/Unix =<br />
<br />
== Adding new records ==<br />
<br />
* Example: Adding an A record<br />
<br />
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
* Example: Adding a PTR record to a reverse zone<br />
<br />
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa 55 PTR demo.samdom.example.com<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
* Example: Adding a SRV record to _tcp.samdom.example.com<br />
<br />
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com _demo._tcp SRV 'demo.samdom.example.com 8080 0 100'<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
:A note on SRV records: The four parameters in the last field („data“) must be given in the order 'hostname port priority weight', and the whole field has to be enclosed in single quotes (' ').<br />
<br />
* Example: Adding a NS record to samdom.example.com zone<br />
<br />
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ NS newdc.samdom.example.com<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
== Updating existing records ==<br />
<br />
* Example: Changing an A record<br />
<br />
# samba-tool dns update <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55 10.99.0.66<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record updated successfully<br />
<br />
* Example: Changing a SOA Resource Record<br />
: The data part of the SOA record consists of 7 elements in the following order:<br />
: ''nameserver, email, serial, refresh, retry, expire, minimum-ttl''<br />
: &nbsp;<br />
: The following example changes the hostmaster's mail address:<br />
# samba-tool dns update <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ SOA \<br />
"dc1.samdom.example.com hostmaster.example.com 63 900 600 86400 3600" \<br />
"dc1.samdom.example.com admin.example.com 64 900 600 86400 3600"<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record updated successfully<br />
<br />
== Delete a record ==<br />
<br />
* Example: Deleting an A record<br />
# samba-tool dns delete <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record deleted successfully<br />
<br />
<br />
<br />
== Creating a new zone ==<br />
<br />
As an example, we'll add a reverse lookup zone.<br />
<br />
# samba-tool dns zonecreate <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Zone 0.99.10.in-addr.arpa created successfully<br />
<br />
Your new zone is directly live without restarting Samba or BIND.<br />
<br />
<br />
<br />
<br />
== Deleting a zone ==<br />
<br />
* Example: Deleting a reverse zone:<br />
<br />
# samba-tool dns zonedelete <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Zone 0.99.10.in-addr.arpa delete successfully<br />
<br />
<br />
<br />
== Listing existing zones ==<br />
<br />
* Example: listing secondary zones<br />
# samba-tool dns zonelist <Your-AD-DNS-Server-IP-or-hostname> --secondary -U administrator<br />
<br />
<br />
<br />
== Listing zone information ==<br />
<br />
* Example: showing information about a zone<br />
# samba-tool dns zoneinfo <Your-AD-DNS-Server-IP-or-hostname> <zone-name> -U administrator<br />
<br />
<br />
<br />
== Listing zone records ==<br />
<br />
* Example: listing records from a zone<br />
# samba-tool dns query <Your-AD-DNS-Server-IP-or-hostname> <zone-name> @ ALL -U administrator<br />
<br />
= Configuring clients to use your AD DNS server =<br />
<br />
* [[Windows_DNS_Configuration|Windows]]<br />
* [[Linux_and_Unix_DNS_Configuration|Linux/Unix]]<br />
* [[MacOSX_DNS_Configuration|MacOSX]]<br />
<br />
<br />
<br />
<br />
<br />
= Testing your DNS Server =<br />
<br />
See [[Testing_the_DNS_Name_Resolution|Testing the DNS Name Resolution]].<br />
<br />
<br />
<br />
<br />
<br />
----<br />
[[Category:Active Directory]]<br />
[[Category:DNS]]</div>BBaumbachhttps://wiki.samba.org/index.php?title=DNS_Administration&diff=16114DNS Administration2019-08-06T11:31:09Z<p>BBaumbach: /* Updating existing records */</p>
<hr />
<div>= Introduction =<br />
<br />
If you're running Samba as an Active Directory Domain Controller, you also have to administer a DNS server.<br />
<br />
You will already find general [[The_Samba_AD_DNS_Back_Ends|information on the internal DNS and the BIND DLZ module]] and documentation about [[BIND9_DLZ_DNS_Back_End|Bind as DNS Backend]] in the Wiki.<br />
<br />
<br />
<br />
<br />
<br />
= General =<br />
<br />
By default, Samba creates the following two forward zones during provisioning/upgrading (of course with your own domain name):<br />
<br />
* '''samdom.example.com''': Zone for your domain.<br />
* '''_msdcs.samdom.example.com''': This is the ForestDNSZone, which contains several service records for the entire directory.<br />
<br />
<br />
<br />
<br />
<br />
= Features =<br />
<br />
The Samba internal DNS is a new implementation. Although BIND is a mature DNS server that has long been in production on millions of servers, the Samba BIND DLZ module is still new. That's why both backends don't yet cover all the features that you can set up with the Microsoft DNS tools. If you discover problems or missing features, please open a bug report/feature request at [https://bugzilla.samba.org/ https://bugzilla.samba.org/].<br />
<br />
Even though the internal DNS and the BIND DLZ modules are new, they both support all basic requirements for Active Directory and more.<br />
<br />
<br />
<br />
== Known issues/missing features ==<br />
<br />
* Managing zone transfers is not implemented yet. [https://bugzilla.samba.org/show_bug.cgi?id=9951 Bug report #9951:DNS MMC: Enabling DNS zone transfers in MMC fails]<br />
<br />
* Different zone transfer settings on internal DNS (denied) and BIND DLZ (allowed). [https://bugzilla.samba.org/show_bug.cgi?id=9634 Bug report #9634: Samba Bind DLZ module allows zone transfers for everyone]<br />
<br />
<br />
<br />
<br />
<br />
= Importance of DNS for Active Directory =<br />
<br />
A working Active Directory is heavily based on a working DNS. It's not just for resolving IP addresses into names and vice versa. Clients find their Domain Controller/s and other important AD services by DNS queries. This means that your clients must use your Domain Controller/s as their nameservers. Do not use anything else between your clients and Domain Controller/s.<br />
<br />
<br />
<br />
<br />
<br />
= Administering DNS on Windows =<br />
<br />
To administer DNS from a Windows client, you have to install the DNS MMC Snap-In. See [[Installing RSAT|Installing RSAT on Windows for AD Management]] for more details.<br />
<br />
If you use the internal DNS server, there are the following known problems:<br />
<br />
* Scavenging is not implemented yet. The error message "This function is not supported on this system" is returned.<br />
* Conditional forwarders are not implemented yet. The same error message as above is returned.<br />
* The DNS forwarder can only be changed in the smb.conf, not via the MMC Snap-In.<br />
* Creating static records. When a static record is created it has a timestamp and the option "Delete this record when it becomes stale". In Windows Active Directory, static records have a "static" timestamp and cannot be accidentally deleted.<br />
<br />
<br />
<br />
<br />
== Adding new records ==<br />
<br />
* Navigate to the zone where you want to add a new record.<br />
<br />
* Right-click it and choose the kind of record to add.<br />
<br />
: [[Image:DNS_Manager_Add_records.png]]<br />
<br />
* Fill in the fields and save the new entry.<br />
<br />
<br />
<br />
== Updating existing records ==<br />
<br />
* Navigate to the zone that contains the record you want to edit.<br />
<br />
* Right-click the record and choose „Properties“.<br />
<br />
: [[Image:DNS_Manager_Change_record.png]]<br />
<br />
* Edit the entry and save the changes.<br />
<br />
<br />
<br />
== Delete a record ==<br />
<br />
* Navigate to the zone that contains the record you want to remove.<br />
<br />
* Right-click the record and choose „Delete“.<br />
<br />
<br />
<br />
== Changing zone properties ==<br />
<br />
* Right-click the zone you want to change.<br />
<br />
* Choose „Properties“.<br />
<br />
'''Note''': Currently both DNS backends don't support all features that can be set up in the dialogues. If you discover problems or missing features, please open a bug report/feature request at [https://bugzilla.samba.org/ https://bugzilla.samba.org/].<br />
<br />
<br />
<br />
== Creating a new zone ==<br />
<br />
As an example, we'll add a reverse lookup zone.<br />
<br />
* Right-click „Reverse Lookup Zones“ and choose „New Zone“.<br />
<br />
* The „New Zone Wizard“ appears.<br />
<br />
* Zone Type: Select „Primary zone“ and „Store the zone in Active Directory“.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_1.png]]<br />
<br />
* Zone Replication Scope: Depends on your needs.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_2.png]]<br />
<br />
* Reverse Lookup Zone Name: Depends on your needs.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_3.png]]<br />
<br />
* Dynamic Update: Depends on your needs.<br />
<br />
: [[Image:DNS_Add_Zone_Wizzard_4.png]]<br />
<br />
* Finish the wizard.<br />
<br />
Your new zone is directly live without restarting Samba or BIND.<br />
<br />
<br />
<br />
<br />
== Deleting a zone ==<br />
<br />
* Right-click a zone and choose „Delete“.<br />
<br />
: [[Image:DNS_Delete_Zone.png]]<br />
<br />
= Administering DNS on Linux/Unix =<br />
<br />
== Adding new records ==<br />
<br />
* Example: Adding an A record<br />
<br />
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
* Example: Adding a PTR record to a reverse zone<br />
<br />
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa 55 PTR demo.samdom.example.com<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
* Example: Adding a SRV record to _tcp.samdom.example.com<br />
<br />
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com _demo._tcp SRV 'demo.samdom.example.com 8080 0 100'<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record added successfully<br />
<br />
:A note on SRV records: The four parameters in the last field („data“) must be given in the order 'hostname port priority weight', and the whole field has to be enclosed in single quotes (' ').<br />
<br />
<br />
<br />
== Updating existing records ==<br />
<br />
* Example: Changing an A record<br />
<br />
# samba-tool dns update <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55 10.99.0.66<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record updated successfully<br />
<br />
* Example: Changing a SOA Resource Record<br />
: The data part of the SOA record consists of 7 elements in the following order:<br />
: ''nameserver, email, serial, refresh, retry, expire, minimum-ttl''<br />
: &nbsp;<br />
: The following example changes the hostmaster's mail address:<br />
# samba-tool dns update <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ SOA \<br />
"dc1.samdom.example.com hostmaster.example.com 63 900 600 86400 3600" \<br />
"dc1.samdom.example.com admin.example.com 64 900 600 86400 3600"<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record updated successfully<br />
<br />
== Delete a record ==<br />
<br />
* Example: Deleting an A record<br />
# samba-tool dns delete <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Record deleted successfully<br />
<br />
<br />
<br />
== Creating a new zone ==<br />
<br />
As an example, we'll add a reverse lookup zone.<br />
<br />
# samba-tool dns zonecreate <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Zone 0.99.10.in-addr.arpa created successfully<br />
<br />
Your new zone is directly live without restarting Samba or BIND.<br />
<br />
<br />
<br />
<br />
== Deleting a zone ==<br />
<br />
* Example: Deleting a reverse zone:<br />
<br />
# samba-tool dns zonedelete <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa<br />
Password for [administrator@SAMDOM.EXAMPLE.COM]:<br />
Zone 0.99.10.in-addr.arpa delete successfully<br />
<br />
<br />
<br />
== Listing existing zones ==<br />
<br />
* Example: listing secondary zones<br />
# samba-tool dns zonelist <Your-AD-DNS-Server-IP-or-hostname> --secondary -U administrator<br />
<br />
<br />
<br />
== Listing zone information ==<br />
<br />
* Example: showing information about a zone<br />
# samba-tool dns zoneinfo <Your-AD-DNS-Server-IP-or-hostname> <zone-name> -U administrator<br />
<br />
<br />
<br />
== Listing zone records ==<br />
<br />
* Example: listing records from a zone<br />
# samba-tool dns query <Your-AD-DNS-Server-IP-or-hostname> <zone-name> @ ALL -U administrator<br />
<br />
= Configuring clients to use your AD DNS server =<br />
<br />
* [[Windows_DNS_Configuration|Windows]]<br />
* [[Linux_and_Unix_DNS_Configuration|Linux/Unix]]<br />
* [[MacOSX_DNS_Configuration|MacOSX]]<br />
<br />
<br />
<br />
<br />
<br />
= Testing your DNS Server =<br />
<br />
See [[Testing_the_DNS_Name_Resolution|Testing the DNS Name Resolution]].<br />
<br />
<br />
<br />
<br />
<br />
----<br />
[[Category:Active Directory]]<br />
[[Category:DNS]]</div>BBaumbachhttps://wiki.samba.org/index.php?title=Setting_the_Samba_Log_Level&diff=14199Setting the Samba Log Level2018-03-09T10:17:38Z<p>BBaumbach: </p>
<hr />
<div>__TOC__<br />
<br />
= Introduction =<br />
<br />
Setting a higher log level enables you to debug problems with Samba daemons and commands.<br />
<br />
Additional Samba logging information:<br />
<br />
* [[Client_specific_logging|Configure logging for a specific client and debug level changes during runtime]]<br />
* [[Setting_up_Audit_Logging|Logging of authentication and authorization events]]<br />
<br />
= Setting the Log Level in the smb.conf File =<br />
<br />
You can set the log level for Samba and all commands shipped with Samba using the <code>log level</code> parameter in the <code>smb.conf</code> file.<br />
<br />
To set the log level for all debug classes to <code>3</code>:<br />
<br />
log level = 3<br />
<br />
To set the general log level to <code>3</code> and for the <code>passdb</code> and <code>auth</code> classes to <code>5</code>:<br />
<br />
log level = 3 passdb:5 auth:5<br />
<br />
For further information and a list of the debug classes, see the <code>smb.conf (5)</code> man page.<br />
<br />
<br />
<br />
= Setting the Debug Level for a Command =<br />
<br />
Samba commands use the log level set in the <code>log level</code> parameter in the <code>smb.conf</code> file. For details, see [[#Setting_the_Log_Level_in_the_smb.conf_File|Setting the Log Level in the smb.conf File]].<br />
<br />
However, you can override this value using the <code>-d</code> parameter for all Samba commands. For example:<br />
<br />
# net ads join -U administrator -d 1<br />
<br />
For details, see the manual page of the Samba command.</div>BBaumbachhttps://wiki.samba.org/index.php?title=Release_Planning_for_Samba_4.2&diff=10935Release Planning for Samba 4.22015-09-07T15:07:34Z<p>BBaumbach: </p>
<hr />
<div>Samba 4.2 is the [[Samba_Release_Planning#Current_Stable_Release|'''Current Stable Release Series''']].<br />
<br />
== Samba 4.2.4 ==<br />
<small>('''Updated 14-July-2015''')</small><br />
<br />
* Tuesday, September 8 - Planned release date for Samba 4.2.4<br />
<br />
== Samba 4.2.3 ==<br />
<small>('''Updated 14-July-2015''')</small><br />
<br />
* Tuesday, July 14 - Samba 4.2.3 has been released<br />
[https://www.samba.org/samba/history/samba-4.2.3.html Release Notes Samba 4.2.3]<br />
<br />
== Samba 4.2.2 ==<br />
<small>('''Updated 27-May-2015''')</small><br />
<br />
* Wednesday, May 27 - Samba 4.2.2 has been released<br />
[https://www.samba.org/samba/history/samba-4.2.2.html Release Notes Samba 4.2.2]<br />
<br />
== Samba 4.2.1 ==<br />
<small>('''Updated 15-April-2015''')</small><br />
<br />
* Wednesday, April 15 - Samba 4.2.1 has been released<br />
[https://www.samba.org/samba/history/samba-4.2.1.html Release Notes Samba 4.2.1]<br />
<br />
== Samba 4.2.0 ==<br />
<small>('''Updated 04-March-2015''')</small><br />
<br />
* Wednesday, March 04 - Samba 4.2.0 has been released<br />
[https://www.samba.org/samba/history/samba-4.2.0.html Release Notes Samba 4.2.0]<br />
<br />
== Samba 4.2.0rc5 ==<br />
<small>('''Updated 24-February-2015''')</small><br />
<br />
* Tuesday, February 24 - Samba 4.2.0rc5 has been released<br />
[https://download.samba.org/pub/samba/rc/WHATSNEW-4.2.0rc5.txt Release Notes Samba 4.2.0rc5]<br />
<br />
== Samba 4.2.0rc4 ==<br />
<small>('''Updated 16-January-2015''')</small><br />
<br />
* Friday, January 17 - Samba 4.2.0rc4 has been released<br />
[https://download.samba.org/pub/samba/rc/WHATSNEW-4.2.0rc4.txt Release Notes Samba 4.2.0rc4]<br />
<br />
== Samba 4.2.0rc3 ==<br />
<small>('''Updated 20-December-2014''')</small><br />
<br />
* Saturday, December 20 - Samba 4.2.0rc3 has been released<br />
[https://download.samba.org/pub/samba/rc/WHATSNEW-4.2.0rc3.txt Release Notes Samba 4.2.0rc3]<br />
<br />
== Samba 4.2.0rc2 ==<br />
<small>('''Updated 15-October-2014''')</small><br />
<br />
* Wednesday, October 15 - Samba 4.2.0rc2 has been released<br />
[https://download.samba.org/pub/samba/rc/WHATSNEW-4.2.0rc2.txt Release Notes Samba 4.2.0rc2]<br />
<br />
== Samba 4.2.0rc1 ==<br />
<small>('''Updated 01-October-2014''')</small><br />
<br />
* Wednesday, October 1 - Samba 4.2.0rc1 has been released<br />
[https://download.samba.org/pub/samba/rc/WHATSNEW-4.2.0rc1.txt Release Notes Samba 4.2.0rc1]</div>BBaumbachhttps://wiki.samba.org/index.php?title=Release_Planning_for_Samba_4.1&diff=10934Release Planning for Samba 4.12015-09-07T15:06:32Z<p>BBaumbach: </p>
<hr />
<div>Samba 4.1 is in the [[Samba_Release_Planning#Maintenance_Mode|'''Maintenance Mode''']].<br />
<br />
== Samba 4.1.21 ==<br />
<small>('''Updated 01-September-2015''')</small><br />
<br />
* Tuesday, October 13 - Planned release date for Samba 4.1.21<br />
<br />
== Samba 4.1.20 ==<br />
<small>('''Updated 01-September-2015''')</small><br />
<br />
* Tuesday, September 1 - Samba 4.1.20 has been released<br />
[http://www.samba.org/samba/history/samba-4.1.20.html Release Notes Samba 4.1.20]<br />
<br />
== Samba 4.1.19 ==<br />
<small>('''Updated 23-June-2015''')</small><br />
<br />
* Tuesday, June 23 - Samba 4.1.19 has been released<br />
[http://www.samba.org/samba/history/samba-4.1.19.html Release Notes Samba 4.1.19]<br />
<br />
== Samba 4.1.18 ==<br />
<small>('''Updated 12-May-2015''')</small><br />
<br />
* Tuesday, May 12 - Samba 4.1.18 has been released<br />
[http://www.samba.org/samba/history/samba-4.1.18.html Release Notes Samba 4.1.18]<br />
<br />
== Samba 4.1.17 ==<br />
<small>('''Updated 23-February-2015''')</small><br />
<br />
* Monday, February 23 - Samba 4.1.17 has been released as a '''Security Release''' in order to address [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240 CVE-2015-0240] (Unexpected code execution in smbd).<br />
[http://www.samba.org/samba/history/samba-4.1.17.html Release Notes Samba 4.1.17]<br />
<br />
== Samba 4.1.16 ==<br />
<small>('''Updated 15-January-2015''')</small><br />
<br />
* Thursday, January 15 - Samba 4.1.16 has been released as a '''Security Release''' in order to address [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8143 CVE-2014-8143] (Elevation of privilege to Active Directory).<br />
[http://www.samba.org/samba/history/samba-4.1.16.html Release Notes Samba 4.1.16]<br />
<br />
== Samba 4.1.15 ==<br />
<small>('''Updated 12-January-2015''')</small><br />
<br />
* Monday, January 12 - Samba 4.1.15 has been released<br />
[http://www.samba.org/samba/history/samba-4.1.15.html Release Notes Samba 4.1.15]<br />
<br />
== Samba 4.1.14 ==<br />
<small>('''Updated 01-December-2014''')</small><br />
<br />
* Monday, December 01 - Samba 4.1.14 has been released<br />
[http://www.samba.org/samba/history/samba-4.1.14.html Release Notes Samba 4.1.14]<br />
<br />
== Samba 4.1.13 ==<br />
<small>('''Updated 20-October-2014''')</small><br />
<br />
* Monday, October 20 - Samba 4.1.13 has been released<br />
[http://www.samba.org/samba/history/samba-4.1.13.html Release Notes Samba 4.1.13]<br />
<br />
== Samba 4.1.12 ==<br />
<small>('''Updated 08-September-2014''')</small><br />
<br />
* Monday, September 8 - Samba 4.1.12 has been released<br />
[http://www.samba.org/samba/history/samba-4.1.12.html Release Notes Samba 4.1.12]<br />
<br />
== Samba 4.1.11 ==<br />
<small>('''Updated 01-August-2014''')</small><br />
<br />
* Friday, August 01 - Samba 4.1.11 has been released as a '''Security Release''' in order to address [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3560 CVE-2014-3560] (Remote code execution in nmbd).<br />
[http://www.samba.org/samba/history/samba-4.1.11.html Release Notes Samba 4.1.11]<br />
<br />
== Samba 4.1.10 ==<br />
<small>('''Updated 28-July-2014''')</small><br />
<br />
* Monday, July 28 - Samba 4.1.10 has been released<br />
[http://www.samba.org/samba/history/samba-4.1.10.html Release Notes Samba 4.1.10]<br />
<br />
== Samba 4.1.9 ==<br />
('''Updated 23-June-2014''')<br />
<br />
* Monday, June 23 - Samba 4.1.9 has been released as a '''Security Release''' in order to address [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0244 CVE-2014-0244] (Denial of service - CPU loop) and [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3493 CVE-2014-3493] (Denial of service - Server crash/memory corruption).<br />
[http://www.samba.org/samba/history/samba-4.1.9.html Release Notes Samba 4.1.9]<br />
<br />
== Samba 4.1.8 ==<br />
<small>('''Updated 03-June-2014''')</small><br />
<br />
* Tuesday, June 3 - Samba 4.1.8 has been released<br />
[http://www.samba.org/samba/history/samba-4.1.8.html Release Notes Samba 4.1.8]<br />
<br />
== Samba 4.1.7 ==<br />
<small>('''Updated 17-April-2014''')</small><br />
<br />
* Thursday, April 17 - Samba 4.1.7 has been released<br />
[http://www.samba.org/samba/history/samba-4.1.7.html Release Notes Samba 4.1.7]<br />
<br />
== Samba 4.1.6 ==<br />
<small>('''Updated 11-March-2014''')</small><br />
<br />
* Tuesday, March 11 - Samba 4.1.6 has been released as a '''Security Release''' in order to address [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4496 CVE-2013-4496] (Password lockout not enforced for SAMR password changes) and [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6442 CVE-2013-6442] (smbcacls will remove the ACL on a file or directory when changing owner or group owner).<br />
[http://www.samba.org/samba/history/samba-4.1.6.html Release Notes Samba 4.1.6]<br />
<br />
== Samba 4.1.5 ==<br />
<small>('''Updated 21-February-2014''')</small><br />
<br />
* Friday, February 21 - Samba 4.1.5 has been released<br />
[http://www.samba.org/samba/history/samba-4.1.5.html Release Notes Samba 4.1.5]<br />
<br />
== Samba 4.1.4 ==<br />
<small>('''Updated 10-January-2014''')</small><br />
<br />
* Friday, January 10 - Samba 4.1.4 has been released<br />
[http://www.samba.org/samba/history/samba-4.1.4.html Release Notes Samba 4.1.4]<br />
<br />
== Samba 4.1.3 ==<br />
<small>('''Updated 09-December-2013''')</small><br />
<br />
* Monday, December 09 - Samba 4.1.3 has been released as a '''Security Release''' in order to address [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4408 CVE-2013-4408] (ACLs are not checked on opening an alternate data stream on a file or directory) and [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6150 CVE-2012-6150] (pam_winbind login without require_membership_of restrictions).<br />
[http://www.samba.org/samba/history/samba-4.1.3.html Release Notes Samba 4.1.3]<br />
<br />
== Samba 4.1.2 ==<br />
<small>('''Updated 22-November-2013''')</small><br />
<br />
* Friday, November 22 - Planned release date for Samba 4.1.2<br />
[http://www.samba.org/samba/history/samba-4.1.2.html Release Notes Samba 4.1.2]<br />
<br />
== Samba 4.1.1 ==<br />
<small>('''Updated 11-November-2013''')</small><br />
<br />
* Monday, November 11 - Samba 4.1.1 has been released as a '''Security Release''' in order to address [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4475 CVE-2013-4475] (ACLs are not checked on opening an alternate data stream on a file or directory) and [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4476 CVE-2013-4476] (Private key in key.pem world readable).<br />
[http://www.samba.org/samba/history/samba-4.1.1.html Release Notes Samba 4.1.1]<br />
<br />
== Samba 4.1.0 ==<br />
<small>('''Updated 11-October-2013''')</small><br />
<br />
* Friday, October 11 - Samba 4.1.0 has been released<br />
[http://www.samba.org/samba/history/samba-4.1.0.html Release Notes Samba 4.1.0]<br />
<br />
== Samba 4.1.0rc4 ==<br />
<small>('''Updated 27-September-2013''')</small><br />
<br />
* Friday, September 27 - Samba 4.1.0rc4 has been released<br />
[https://download.samba.org/pub/samba/rc/WHATSNEW-4.1.0rc4.txt Release Notes Samba 4.1.0rc4]<br />
<br />
== Samba 4.1.0rc3 ==<br />
<small>('''Updated 11-September-2013''')</small><br />
<br />
* Wednesday, September 11 - Samba 4.1.0rc3 has been released<br />
[https://download.samba.org/pub/samba/rc/WHATSNEW-4.1.0rc3.txt Release Notes Samba 4.1.0rc3]<br />
<br />
== Samba 4.1.0rc2 ==<br />
<small>('''Updated 09-August-2013''')</small><br />
<br />
* Friday, August 9 - Samba 4.1.0rc2 has been released<br />
[https://download.samba.org/pub/samba/rc/WHATSNEW-4.1.0rc2.txt Release Notes Samba 4.1.0rc2]<br />
<br />
== Samba 4.1.0rc1 ==<br />
<small>('''Updated 11-July-2013''')</small><br />
<br />
* Thursday, July 11 - Samba 4.1.0rc1 has been released<br />
[https://download.samba.org/pub/samba/rc/WHATSNEW-4.1.0rc1.txt Release Notes Samba 4.1.0rc1]</div>BBaumbachhttps://wiki.samba.org/index.php?title=Samba_CTDB_GPFS_Cluster_HowTo&diff=8203Samba CTDB GPFS Cluster HowTo2013-10-21T15:34:20Z<p>BBaumbach: fix a typo ;-)</p>
<hr />
<div>=Creating a Samba Cluster with CTDB and GPFS on CENTOS=<br />
<br />
Want to build a scalable networked storage system that is always available? A system that integrates with your Active Directory and supports the SMB2 protocol and ACLs? Then read on...<br />
<br />
===Assumed knowledge===<br />
<br />
This guide is written to assist relatively inexperienced users through the setup of a fairly complex system in a step-by-step fashion. However, for the sake of brevity I'm going to assume you are reasonably comfortable with GNU/Linux, can use Vim, Emacs or Nano, have a grasp of basic networking, and are not afraid of compiling some code :) . Elements of this setup are somewhat interchangeable. You could probably replace CENTOS with another distro, but you would then need to be familiar enough with that distro to modify the commands and paths accordingly. Others may wish to replace GPFS with an alternate clustered file system or use a variation of my Samba configuration below. This setup has been tested in a non-production environment. Deploying it in a production environment is at your own risk, and the author assumes no responsibility.<br />
<br />
==Preparing the Servers==<br />
<br />
This is a simple test setup. I’m going to use a couple of KVM VM’s but the same principles should apply on bare metal. This approach should scale to many physical/virtual servers. The diagram below illustrates our setup.<br />
<br />
<br />
<br />
[[File:sambagpfs.png]]<br />
<br />
<br />
===Install CENTOS 6.===<br />
<br />
First we want to install a couple of servers. I have chosen CENTOS 6 as it is binary compatible with RHEL 6 which is well supported by both GPFS and Samba.<br />
Create a couple of CENTOS 6 VM’s (I use virt-manager on CENTOS 6 but you can use any tools you like) . I use an ISO image CentOS-6.4-x86_64-minimal.iso. The VM will have 1 CPU and 1G RAM and an 8Gig disk . Initially I allocate 1 NIC but we will add a further NIC for a private LAN later.<br />
<br />
Select all the usual defaults. Select the option to manually configure networking as we are going to configure this after install. Also make sure you install the SSH server. Once the servers are installed we need to set the IP address. You can do this by editing the ''/etc/sysconfig/network-scripts/ifcfg-eth0'' file and setting static IP addresses. These are the publicly accessible IP addresses of the servers. For reference here is the ifcfg-eth0 file on the sambagpfs1 server :<br />
<br />
DEVICE=eth0<br />
HWADDR=52:54:00:D1:C5:25<br />
TYPE=Ethernet<br />
UUID=0b83419e-f28a-4a6d-84e5-64c813bf4f51<br />
ONBOOT=yes<br />
NM_CONTROLLED=yes<br />
IPADDR="10.10.23.46"<br />
NETMASK="255.255.255.0"<br />
GATEWAY="10.10.23.253"<br />
<br />
Don’t forget to set a valid DNS server in /etc/resolv.conf also. Once you're sure you have a working network connection, install the latest updates with the ''yum update'' command.<br />
<br />
===Configure shared disks===<br />
<br />
In virt-manager create a couple of 1GB IDE disks for our GPFS Cluster. When you try to add the disk to the 2nd server (sambagpfs2) virt-manager will give you a warning that “the disk is already in use by another guest” but this is OK. We are building a clustered file system where shared access to the underlying disks is necessary.<br />
<br />
In a production scenario these disks would usually be shared LUN’s on a SAN. When you reboot your servers you should see the additional disks as reported by the ''dmesg'' command. <br />
You should see something like :<br />
<br />
sd 0:0:0:0: [sda] 2048000 512-byte logical blocks: (1.04 GB/1000 MiB)<br />
sd 0:0:1:0: [sdb] 2048000 512-byte logical blocks: (1.04 GB/1000 MiB)<br />
<br />
Make sure you can see both disks from both servers (sambagpfs1 and sambagpfs2).<br />
<br />
===Disable SELINUX and iptables===<br />
<br />
There appears to be a communication problem between the GPFS Daemons when SELINUX is enabled. Edit the ''/etc/selinux/config'' file and set SELINUX=disabled. <br />
Also stop the iptables server and disable it on restart.<br />
<br />
service iptables stop<br />
chkconfig iptables off<br />
<br />
It goes without saying that you need to consider these steps more carefully in a production environment.<br />
<br />
<br />
===Create an additional network card and set up passwordless login===<br />
<br />
Create an additional network card in virt-manager for each of our guests. These NIC’s are for communication (GPFS and CTDB Stuff) between the guests so we place them on the Virtual network ‘default’ NAT. Give the NIC’s sensible addresses, something like 192.168.1.x.<br />
Create a file ''/etc/sysconfig/network-scripts/ifcfg-eth1'' for the new network interface. Sample config below :<br />
<br />
DEVICE=eth1<br />
TYPE=Ethernet<br />
ONBOOT=yes<br />
NM_CONTROLLED=yes<br />
IPADDR="192.168.1.11"<br />
NETMASK="255.255.255.0"<br />
<br />
Generate the ssh key with the ''ssh-keygen -t rsa'' command on sambagpfs1 and copy to the other server using the command ''ssh-copy-id -i /root/.ssh/id_rsa.pub 192.168.1.12'' .<br />
<br />
Also in the ~/.ssh folder run ''cat id_rsa.pub >> authorized_keys'' . This is necessary as our GPFS setup uses the ssh shell to execute commands locally as well as remotely. Otherwise we will be prompted for a login on the local machine when executing GPFS commands .<br />
<br />
Now, perform the inverse of the above on the second server gpfstest2. You should now be able to zip between the two servers with the ''ssh <IP address>'' command. If not use the -v switch in the ssh command to debug.<br />
<br />
<br />
===Hostnames in hosts file===<br />
<br />
Add your hostnames and internal IP addresses to the /etc/hosts file . My settings displayed below for reference.<br />
<br />
192.168.1.11 sambagpfs1<br />
192.168.1.12 sambagpfs2<br />
10.10.23.48 smbgpfscluster<br />
10.10.23.49 smbgpfscluster<br />
<br />
<br />
===Keep time synchronised===<br />
<br />
Install the ntp service :<br />
<br />
''yum install ntp''<br />
<br />
Set your local ntp server in /etc/ntp.conf . Set service to start on boot :<br />
<br />
''chkconfig ntpd on''<br />
<br />
and start the service :<br />
<br />
''service ntpd start''<br />
<br />
Check the time is synchronised using the date command.<br />
<br />
Now we are just about ready to begin installing GPFS :) .<br />
<br />
== Install and configure GPFS ==<br />
<br />
<br />
Important! Ensure you have the appropriate licensing before installing GPFS. For more information see http://publib.boulder.ibm.com/infocenter/clresctr/vxrx/index.jsp?topic=%2Fcom.ibm.cluster.gpfs.doc%2Fgpfs_faqs%2Fgpfsclustersfaq.html<br />
<br />
Copy the appropriate GPFS related rpm’s onto your servers. You must install the base GPFS rpm’s and then install the patch rpm’s<br />
<br />
===Machine 1 - sambagpfs1===<br />
First of all we need to install some dependencies necessary to install GPFS and build the portability layer rpm :<br />
<br />
''yum install perl rsh ksh compat-libstdc++-33 make kernel-devel gcc gcc-c++ rpm-build''<br />
<br />
Now, install the GPFS base rpms :<br />
<br />
''rpm -ivh gpfs.*0-0*''<br />
<br />
then the patch rpm’s :<br />
<br />
''rpm -Uvh gpfs.*0-14*.rpm''<br />
<br />
Build the Portability layer :<br />
<br />
''yum install''<br />
<br />
''make LINUX_DISTRIBUTION=REDHAT_AS_LINUX Autoconfig''<br />
<br />
''make World''<br />
<br />
''make rpm'' (Note it’s not best practice to build rpm as root)<br />
<br />
This will build an rpm for the portability layer . The benefit of building this rpm is that we will not need as many prerequisites in our other cluster members.<br />
<br />
Install the portability rpm. <br />
<br />
''rpm -Uvh /root/rpmbuild/RPMS/x86_64/gpfs.gplbin-2.6.32-358.18.1.el6.x86_64-3.4.0-14.x86_64.rpm''<br />
<br />
In general it is bad practice to build as root. See http://serverfault.com/questions/10027/why-is-it-bad-to-build-rpms-as-root . As this is a non-production test system I’m going to give myself a pass (for the moment).<br />
<br />
Finally, copy the portability rpm to the other cluster servers, in this case sambagpfs2 . <br />
<br />
===Machine 2 - sambagpfs2===<br />
<br />
Install some dependencies :<br />
<br />
''yum install perl rsh ksh compat-libstdc++-33''<br />
<br />
the base rpm’s :<br />
<br />
''rpm -ivh gpfs.*0-0*''<br />
<br />
the patch rpm’s :<br />
<br />
''rpm -Uvh gpfs.*0-14*.rpm''<br />
<br />
Install the portability RPM. <br />
<br />
''rpm -Uvh gpfs.gplbin-2.6.32-358.18.1.el6.x86_64-3.4.0-14.x86_64.rpm''<br />
<br />
===Update your path to include the GPFS administration commands===<br />
<br />
Add the GPFS commands to the path (you don’t strictly need to do this but it makes administration of GPFS more convenient !).<br />
Edit your .bash_profile and set the path to something like :<br />
<br />
PATH="/usr/lpp/mmfs/bin:${PATH}:$HOME/bin"<br />
<br />
and run source .bash_profile to update your path<br />
<br />
===Creating the GPFS Cluster===<br />
<br />
Create a file gpfsnodes.txt containing information about our GPFS cluster nodes<br />
<br />
sambagpfs1:manager-quorum:<br />
sambagpfs2:manager-quorum:<br />
<br />
Create the test cluster using the mmcrcluster command.<br />
<br />
''mmcrcluster -N gpfsnodes.txt -p sambagpfs1 -s sambagpfs2 -r /usr/bin/ssh -R /usr/bin/scp -C SAMBAGPFS -A''<br />
<br />
This sets sambagpfs1 as the primary server and sambagpfs2 as the secondary server. -A specifies that the GPFS daemons start on boot.<br />
<br />
Accept the license for your servers :<br />
<br />
''mmchlicense server --accept -N sambagpfs1''<br />
<br />
''mmchlicense server --accept -N sambagpfs2''<br />
<br />
Use the mmlscluster command to verify that the cluster has been created correctly.<br />
<br />
Now create our NSD’s for our two shared disks /dev/sda and /dev/sdb. <br />
<br />
Firstly create two files, nsd.txt :<br />
<br />
sda:sambagpfs1,sambagpfs2::dataAndMetadata:1:test01:system<br />
<br />
and nsd2.txt<br />
<br />
sdb:sambagpfs2,sambagpfs1::dataAndMetadata:1:test02:system<br />
<br />
Now issue the command :<br />
<br />
''mmcrnsd -F nsd.txt''<br />
<br />
and <br />
<br />
''mmcrnsd -F nsd2.txt''<br />
<br />
Use the mmlsnsd command to verify creation.<br />
<br />
Start up the cluster :<br />
<br />
''mmstartup -a''<br />
<br />
<br />
Check the cluster is up with ''mmgetstate -a''<br />
<br />
Create the GPFS file system :<br />
<br />
''mmcrfs /dev/sambagpfs -F nsd.txt -A yes -B 256K -n 2 -M 2 -r1 -R2 -T /sambagpfs''<br />
<br />
Add the second disk to the filesystem :<br />
<br />
''mmadddisk sambagpfs -F nsd2.txt''<br />
<br />
<br />
Use the mmlsnsd command to verify that the two disks have been added to the cluster file system. You should see something similar to the following :<br />
<br />
<br />
File system Disk name NSD servers<br />
---------------------------------------------------------------------------<br />
sambagpfs test01 sambagpfs1,sambagpfs2<br />
sambagpfs test02 sambagpfs2,sambagpfs1<br />
<br />
<br />
<br />
We only have 2 nodes in our GPFS Cluster so we need to set a tie breaker disk. Shut down GPFS to add the tie breaker disk.<br />
<br />
''mmshutdown -a''<br />
<br />
''mmchconfig tiebreakerdisks=test01''<br />
<br />
<br />
To ensure recent versions of Microsoft Excel work correctly over SMB2 we also need to set the following configuration in GPFS (Many thanks to Dan Cohen at IBM - XIV for this tip).<br />
<br />
''mmchconfig cifsBypassShareLocksOnRename=yes -i''<br />
<br />
Start up our GPFS Cluster again :<br />
<br />
''mmstartup -a''<br />
<br />
Mount the GPFS filesystem :<br />
<br />
''mmmount sambagpfs -a''<br />
<br />
<br />
At this point you should see the GPFS file system mounted at /sambagpfs on both of our servers. Congratulations! Take a break, stand up and walk around for a bit.<br />
<br />
== Install and Configure Samba and CTDB ==<br />
<br />
<br />
I use the SerNet Samba 4 RPM’s from http://enterprisesamba.com/ . You have to register at the site (free) to download the RPM’s. There appears to be a problem with Windows 7 (which uses SMB2 if available on the server) on the latest release 4.0.10 so I am currently using the 4.0.9 release . I have yet to test with 4.1. Once you register you can find the 4.0.9 rpm’s at https://download.sernet.de/packages/samba/old/4.0/rpm/4.0.9-5/centos/6/x86_64/<br />
<br />
You need to download the following rpm’s :<br />
<br />
sernet-samba-libwbclient0-4.0.9-5.el6.x86_64<br />
sernet-samba-libsmbclient0-4.0.9-5.el6.x86_64<br />
sernet-samba-4.0.9-5.el6.x86_64<br />
sernet-samba-common-4.0.9-5.el6.x86_64<br />
sernet-samba-libs-4.0.9-5.el6.x86_64<br />
sernet-samba-client-4.0.9-5.el6.x86_64<br />
sernet-samba-winbind-4.0.9-5.el6.x86_64<br />
<br />
First we need to install a couple of dependencies :<br />
<br />
''yum install redhat-lsb-core cups-libs''<br />
<br />
Then install the samba packages :<br />
<br />
''rpm -Uvh sernet-samba-*''<br />
<br />
<br />
We want to control samba from CTDB so stop the samba daemons from starting on boot on our servers :<br />
<br />
''chkconfig sernet-samba-nmbd off''<br />
''chkconfig sernet-samba-smbd off''<br />
''chkconfig sernet-samba-winbindd off''<br />
<br />
===Install and configure CTDB===<br />
<br />
Download the latest CTDB sources (2.4 at time of writing) onto the sambagpfs1 server from ftp://ftp.samba.org/pub/ctdb/ctdb-2.4.tar.gz .<br />
Extract the tar.gz to the gpfs file system /sambagpfs and on the sambagpfs1 server run<br />
<br />
''yum install autoconf''<br />
<br />
''./autogen.sh''<br />
<br />
''./configure''<br />
<br />
''make''<br />
<br />
''make install''<br />
<br />
Now run make install on the sambagpfs2 also.<br />
<br />
Create ''/etc/sysconfig/ctdb'' with the following contents<br />
<br />
CTDB_RECOVERY_LOCK=/sambagpfs/recovery.lck<br />
CTDB_PUBLIC_INTERFACE=eth0<br />
CTDB_PUBLIC_ADDRESSES=/usr/local/etc/ctdb/public_addresses<br />
CTDB_MANAGES_SAMBA=yes<br />
CTDB_MANAGES_WINBIND=yes<br />
CTDB_NODES=/usr/local/etc/ctdb/nodes<br />
CTDB_SERVICE_WINBIND=sernet-samba-winbindd<br />
CTDB_SERVICE_SMB=sernet-samba-smbd<br />
CTDB_SERVICE_NMB=sernet-samba-nmbd<br />
<br />
<br />
Next create the directory /usr/local/var<br />
<br />
''mkdir /usr/local/var''<br />
<br />
Then change directory to /usr/local/etc/ctdb/ and create the following files containing the following data<br />
<br />
''nodes''<br />
<br />
192.168.1.11<br />
192.168.1.12<br />
<br />
<br />
''public_addresses''<br />
<br />
10.10.23.48/24 eth0<br />
10.10.23.49/24 eth0<br />
<br />
Also create a shared recovery file :<br />
<br />
''touch /sambagpfs/recovery.lck''<br />
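<br />
Rather than leaving iptables switched off as in the test setup above, the ''nodes'' and ''public_addresses'' files just created carry enough information to generate a host firewall and to check that cluster traffic stays off the client network. This is an added example, not part of the original guide: it assumes eth1 carries all GPFS and CTDB traffic and that SSH administration arrives on eth0 port 22, and the function names are illustrative.<br />

```python
"""Generate an iptables-restore ruleset for one node of the cluster in this guide.

Added example: the function names, the decision to trust eth1 peers and the
SSH rule are assumptions, not part of the original guide.
"""
import ipaddress

# File contents exactly as shown in the guide.
NODES = "192.168.1.11\n192.168.1.12\n"
PUBLIC_ADDRESSES = "10.10.23.48/24 eth0\n10.10.23.49/24 eth0\n"


def _data_lines(text):
    """Yield stripped lines, skipping blanks and '#' comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_nodes(text):
    """Private (cluster interconnect) addresses from the CTDB nodes file."""
    return [ipaddress.ip_address(line) for line in _data_lines(text)]


def parse_public_addresses(text):
    """(ip_interface, interface name) pairs from the public_addresses file."""
    entries = []
    for line in _data_lines(text):
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("expected 'ADDRESS/PREFIX INTERFACE', got %r" % line)
        entries.append((ipaddress.ip_interface(fields[0]), fields[1]))
    return entries


def separation_problems(nodes, public):
    """CTDB's node-to-node protocol is unauthenticated and unencrypted, so no
    node address may sit inside a network that clients can reach."""
    client_nets = sorted({(iface.network, name) for iface, name in public}, key=str)
    return ["node %s is inside client network %s on %s" % (node, net, name)
            for node in nodes for net, name in client_nets if node in net]


def build_ruleset(nodes_text, public_text, private_if="eth1", ssh_port=22):
    """Return iptables-restore input; raise ValueError on an unsafe layout."""
    nodes = parse_nodes(nodes_text)
    public = parse_public_addresses(public_text)
    problems = separation_problems(nodes, public)
    public_ifs = sorted({name for _, name in public})
    if private_if in public_ifs:
        problems.append("%s is both the private and a public interface" % private_if)
    if any(node.version != 4 for node in nodes):
        problems.append("IPv6 node addresses need a separate ip6tables ruleset")
    if problems:
        raise ValueError("; ".join(problems))

    rules = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -p icmp -j ACCEPT",
    ]
    # Cluster peers: any protocol, but only on the interconnect and only from
    # addresses listed in the nodes file.
    for node in nodes:
        rules.append("-A INPUT -i %s -s %s -j ACCEPT" % (private_if, node))
    for name in public_ifs:
        # smbd listens on 139/tcp and 445/tcp, nmbd on 137/udp and 138/udp.
        rules.append("-A INPUT -i %s -p tcp -m multiport --dports 139,445 -j ACCEPT" % name)
        rules.append("-A INPUT -i %s -p udp -m multiport --dports 137,138 -j ACCEPT" % name)
        rules.append("-A INPUT -i %s -p tcp --dport %d -j ACCEPT" % (name, ssh_port))
    rules.append("COMMIT")
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    print(build_ruleset(NODES, PUBLIC_ADDRESSES), end="")
```

The output is in the format read by ''iptables-restore''; on CentOS 6 the iptables service loads the same format from ''/etc/sysconfig/iptables''.<br />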
<br />
===Configuring Samba===<br />
<br />
Edit the /etc/default/sernet-samba file and set the following parameter :<br />
<br />
SAMBA_START_MODE="classic"<br />
<br />
<br />
Now we need to create our smb.conf in /etc/samba. I have copied the contents of my smb.conf file below for reference :<br />
<br />
#===== Global Settings ============<br />
[global]<br />
netbios name = smbgpfscluster<br />
 server string = Samba Version %v on %h<br />
workgroup = HOHO<br />
security = ADS<br />
realm = HOHO.BALE.COM<br />
<br />
# These were useful for debugging my initial setup but are probably too verbose for general use<br />
log level = 3 passdb:3 auth:3 winbind:10 idmap:10<br />
idmap config *:backend = tdb2<br />
idmap config *:range = 1000-90000<br />
winbind use default domain = yes<br />
<br />
# Set these to no as it doesn't work well when you have thousands of users in your domain<br />
winbind enum users = no<br />
winbind enum groups = no<br />
winbind cache time = 900<br />
winbind normalize names = no<br />
<br />
clustering = yes<br />
unix extensions = no<br />
mangled names = no<br />
ea support = yes<br />
store dos attributes = yes<br />
map readonly = no<br />
map archive = no<br />
map system = no<br />
force unknown acl user = yes<br />
<br />
# Stuff necessary for guest logins to work where required<br />
guest account = nobody<br />
map to guest = bad user<br />
<br />
#============ Share Definitions ============<br />
[gpfstest]<br />
comment = GPFS Cluster on %h using %R protocol<br />
path = /sambagpfs<br />
writeable = yes<br />
create mask = 0770<br />
force create mode = 0770<br />
locking = yes<br />
vfs objects = gpfs fileid<br />
<br />
# vfs_gpfs settings<br />
gpfs:sharemodes = yes<br />
gpfs:winattr = yes<br />
nfs4:mode = special<br />
nfs4:chown = yes<br />
nfs4:acedup = merge <br />
<br />
#some vfs related to clustering<br />
fileid:algorithm = fsname<br />
<br />
<br />
===Notes on Samba config===<br />
<br />
This is a configuration for an AD domain member server. I did not have the necessary privileges on our AD to install RFC2307/SFU schema extensions. If you have such access then this would be a better way to proceed as you would have consistent UID/GID allocation between clusters. <br />
<br />
<br />
Edit ''/etc/nsswitch.conf''<br />
<br />
passwd: files winbind<br />
shadow: files<br />
group: files winbind<br />
<br />
<br />
In /etc/krb5.conf file set your default realm <br />
<br />
default_realm = HOHO.BALE.COM<br />
<br />
<br />
Now start the CTDB daemon on both servers.<br />
<br />
''ctdbd --syslog --debug=3''<br />
<br />
Then run ''ctdb status''<br />
<br />
At this stage the nodes will report as unhealthy because winbind cannot start until we have joined the domain. So let's join the domain.<br />
<br />
<br />
''net ads join -U <some account with the necessary privileges> -d5''<br />
<br />
<br />
All going well, you have successfully joined the domain. If not, the debug information will assist you in finding the issue.<br />
<br />
winbind will not have started successfully when we first started CTDB so we can start it manually now.<br />
<br />
''service sernet-samba-winbindd start''<br />
<br />
Check the winbind daemon has started :<br />
<br />
''wbinfo -p''<br />
<br />
and verify you have successfully joined the domain :<br />
<br />
''wbinfo -t''<br />
<br />
and can authenticate a user against the domain :<br />
<br />
''wbinfo -a <avaliddomainusername>''<br />
<br />
In addition the following command should return valid user information.<br />
<br />
''id <validdomainusername>''<br />
<br />
<br />
The ''wbinfo -u'' command should list the users on your domain. Our domain has 10’s of thousands of users so this may take some time. You may even have to run wbinfo a couple of times to get valid results.<br />
<br />
The ''ctdb ip'' command should report the current assignment of our cluster ip’s .<br />
<br />
Now try to access the shares from Windows. For some reason that I could not fathom I was getting an access denied when I tried to access the shares at this point. I rebooted both servers and this appeared to resolve the issue :).<br />
<br />
== Setting Some ACL’s ==<br />
<br />
You may or may not need ACLs depending on your environment.<br />
<br />
You can use the ''mmputacl'' command to set ACLs on the share. Create a text file perms.txt<br />
<br />
#owner:root<br />
#group:root<br />
user::rwxc<br />
group::rwx-<br />
other::rwx-<br />
mask::rwxc<br />
user:root:rwx-<br />
user:joebloggs:rwx-<br />
group:root:rwx-<br />
group:infosystems:rwx-<br />
<br />
To apply these permissions :<br />
<br />
''mmputacl -i ~/perms.txt /sambagpfs''<br />
<br />
or set the default permissions on a folder :<br />
<br />
''mmputacl -d -i ~/perms.txt /sambagpfs/folder''<br />
<br />
To test your permissions, create a file on the share from a Windows machine. Now check the permissions of the file using the ''mmgetacl newfile.txt'' command on the server.<br />
<br />
===Configure your DNS Server===<br />
<br />
You need to create a DNS alias that redirects requests to your samba cluster in a round robin fashion. So in our setup we need to create an alias that resolves to both 10.10.23.48 and 10.10.23.49.<br />
<br />
<br />
== Closing notes ==<br />
<br />
<br />
So there you have it. I hope this guide has been useful. Any constructive feedback is welcome to improve the guide, particularly from anybody who is running such a system in a production environment.<br />
<br />
For a complete open source solution you could replace GPFS with GlusterFS (which appears to be maturing nicely) or possibly OCFS2. Perhaps I will have time to test this some day but that's another day's work.</div>BBaumbachhttps://wiki.samba.org/index.php?title=TDB&diff=8178TDB2013-10-21T11:39:45Z<p>BBaumbach: fix dead link to samba howto collection</p>
<hr />
<div>Samba stores its data in TDB files. TDB stands for "Trivial database" and was first introduced in Samba as a way to store information quickly and effectively. Its interface is very similar to that of GDBM, but in contrast to GDBM it supports multiple writers and readers simultaneously.<br />
<br />
Refer to the [[TDB_Locations|TDB Locations]] page for detailed information about the purpose of the various TDB files.<br />
<br />
There is also section [http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/install.html#tdbdocs TDB Database Information] in the Samba HOWTO Collection with details on what the purpose of the various TDB files employed by Samba 3 is.</div>BBaumbachhttps://wiki.samba.org/index.php?title=TDB&diff=8176TDB2013-10-21T11:38:44Z<p>BBaumbach: Add referral to TDB Locations article</p>
<hr />
<div>Samba stores its data in TDB files. TDB stands for "Trivial database" and was first introduced in Samba as a way to store information quickly and effectively. Its interface is very similar to that of GDBM, but in contrast to GDBM it supports multiple writers and readers simultaneously.<br />
<br />
Refer to the [[TDB_Locations|TDB Locations]] page for detailed information about the purpose of the various TDB files.<br />
<br />
There is also section [http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/install.html#tdbdocs TDB Database Information] in the Samba HOWTO Collection with details on what the purpose of the various TDB files employed by Samba 3 is.</div>BBaumbachhttps://wiki.samba.org/index.php?title=TDB_Locations&diff=7519TDB Locations2013-03-28T09:42:28Z<p>BBaumbach: fix</p>
<hr />
<div>List of Samba3 TDB files and their locations.<br />
<br />
{| class="sortable wikitable" border="1" cellpadding="5" cellspacing="0"<br />
|-style="background-color:#DCDCDC;"<br />
!TDB File || API || Location|| Info || Description<br />
|-<br />
|account_policy.tdb || dbwrap || state || || Samba/NT account policy settings, includes password expiration settings.<br />
|-<br />
|autorid.tdb || dbwrap || state || || Mappings of which domain is mapped to which range. <br />
|-<br />
|brlock.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || Byte-range locking information.<br />
|-<br />
|connections.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || A temporary cache for current connection information used to enforce max connections.<br />
|-<br />
|eventlog/*.tdb || tdb || state || || Records of eventlog entries. In most circumstances this is just a cache of system logs.<br />
|-<br />
|g_lock.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || Global locking information.<br />
|-<br />
|gencache.tdb || tdb || lock || TDB_CLEAR_IF_FIRST* || Generic caching database for dead WINS servers and trusted domain data.<br />
|-<br />
|gencache_notrans.tdb || tdb || lock || TDB_CLEAR_IF_FIRST || <br />
|-<br />
|group_mapping.tdb || dbwrap || state || || Mapping table from Windows groups/SID to UNIX groups.<br />
|-<br />
|idmap2.tdb || dbwrap || private || ||<br />
|-<br />
|locking.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|login_cache.tdb || tdb || cache || || A temporary cache for login information, in particular bad password attempts.<br />
|-<br />
|messages.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST || Temporary storage of messages being processed by smbd.<br />
|-<br />
|mutex.tdb || tdb_wrap || lock || ||<br />
|-<br />
|netsamlogon_cache.tdb|| tdb || cache || TDB_CLEAR_IF_FIRST* || Caches user net_info_3 structure data from net_samlogon requests (as a domain member).<br />
|-<br />
|notify.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|notify_onelevel.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|ntdrivers.tdb || tdb || state || || Removed in 3.6. Stores per-printer installed driver information.<br />
|-<br />
|ntforms.tdb || tdb || state || || Removed in 3.6. Stores per-printer installed forms information.<br />
|-<br />
|ntprinters.tdb || tdb || state || || Removed in 3.6. Stores the per-printer devmode configuration settings.<br />
|-<br />
|passdb.tdb || dbwrap || private || || Exists only when the tdbsam passwd backend is used. This file stores the SambaSAMAccount information. Note: This file requires that user POSIX account information is available from either the /etc/passwd file, or from an alternative system source. <br />
|-<br />
|perfmon/data.tdb || tdb || state || || Performance counter information.<br />
|-<br />
|perfmon/names.tdb || tdb || state || || Performance counter information.<br />
|-<br />
|printer_list.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|printing/*.tdb || tdb || cache || || Cached output from lpq command created on a per-print-service basis.<br />
|-<br />
|registry.tdb || dbwrap || state || || Read-only Samba database of a Windows registry skeleton that provides support for exporting various database tables via the winreg RPCs. <br />
|-<br />
|schannel_store.tdb || tdb_wrap || private || TDB_CLEAR_IF_FIRST || A confidential file, stored in the PRIVATE_DIR, containing cryptographic connection information so that clients that have temporarily disconnected can reconnect without needing to renegotiate the connection setup process. <br />
|-<br />
|secrets.tdb || dbwrap || private || || This file stores the Workgroup/Domain/Machine SID, the LDAP directory update password, and a further collection of critical environmental data that is necessary for Samba to operate correctly. This file contains very sensitive information that must be protected. It is stored in the PRIVATE_DIR directory. <br />
|-<br />
|serverid.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|sessionid.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || Temporary cache for miscellaneous session information and for utmp handling.<br />
|-<br />
|share_info.tdb || dbwrap || state || || Stores per-share ACL information.<br />
|-<br />
|unexpected.tdb || tdb || lock || TDB_CLEAR_IF_FIRST || Removed in 3.6. Stores packets received for which no process is actively listening.<br />
|-<br />
|winbindd_cache.tdb || tdb || cache || TDB_CLEAR_IF_FIRST* || Cache of Identity information received from an NT4 domain or from ADS. Includes user lists, etc.<br />
|-<br />
|winbindd_idmap.tdb || tdb || state || || Winbindd's local IDMAP database.<br />
|-<br />
|wins.tdb || tdb || state || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|xattr.tdb || dbwrap || state || ||<br />
|-<br />
| || || || ||<br />
|-<br />
|torture.tdb || tdb || torture || Test TDB ||<br />
|-<br />
|test.tdb || tdb_wrap || torture || Test TDB ||<br />
|-<br />
|transtest.tdb || dbwrap || torture || Test TDB ||<br />
|}<br />
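<br />
The rows above whose Location is "private" hold credentials and key material (secrets.tdb "must be protected"), so their file modes are worth checking after any restore, copy or package upgrade. The following audit is an added example, not Samba code: the policy it enforces (files with no group/other access, directory not group-writable and closed to others, owner root) and the function name are assumptions.<br />

```python
"""Audit the TDB files that the table above places in Samba's private directory.

Added example: the permission policy and names here are assumptions, not
behaviour taken from Samba itself.
"""
import os
import stat
import sys

# Rows of the table above whose Location column is "private".
PRIVATE_TDBS = ("idmap2.tdb", "passdb.tdb", "schannel_store.tdb", "secrets.tdb")

FILE_FORBIDDEN = 0o077  # no access at all for group or other
DIR_FORBIDDEN = 0o027   # no group write, nothing for other


def _mode_findings(path, st, expected_uid, forbidden):
    """Compare one stat result against the allowed mode bits and owner."""
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & forbidden:
        findings.append("%s: mode %04o grants %04o to group/other"
                        % (path, mode, mode & forbidden))
    if st.st_uid != expected_uid:
        findings.append("%s: owned by uid %d, expected %d"
                        % (path, st.st_uid, expected_uid))
    return findings


def audit_private_dir(private_dir, expected_uid=0):
    """Return a list of human-readable findings; an empty list means clean."""
    try:
        # lstat: a symlinked private directory is itself a finding.
        dir_st = os.lstat(private_dir)
    except OSError as exc:
        return ["%s: cannot stat (%s)" % (private_dir, exc.strerror)]
    if not stat.S_ISDIR(dir_st.st_mode):
        return ["%s: not a real directory" % private_dir]

    findings = _mode_findings(private_dir, dir_st, expected_uid, DIR_FORBIDDEN)
    for name in PRIVATE_TDBS:
        path = os.path.join(private_dir, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            # Not every file exists everywhere, e.g. passdb.tdb only with tdbsam.
            continue
        except OSError as exc:
            findings.append("%s: cannot stat (%s)" % (path, exc.strerror))
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append("%s: is a symlink, real location is not audited" % path)
        elif not stat.S_ISREG(st.st_mode):
            findings.append("%s: not a regular file" % path)
        else:
            findings.extend(_mode_findings(path, st, expected_uid, FILE_FORBIDDEN))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s PRIVATE_DIR" % sys.argv[0])
    results = audit_private_dir(sys.argv[1])
    for finding in results:
        print(finding)
    sys.exit(1 if results else 0)
```

Pass the directory your build uses as PRIVATE_DIR; ''smbd -b'' prints the compiled-in value.<br />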
<br />
<br />
TDB_CLEAR_IF_FIRST means that Samba clears the TDB on each first open (for example after a reboot).<br />
* will be only cleaned (truncated) if file is corrupt</div>BBaumbachhttps://wiki.samba.org/index.php?title=Capture_Packets&diff=7491Capture Packets2013-03-05T10:23:44Z<p>BBaumbach: add snoop to list of capture tools and add examples</p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a packet capture (or trace).<br />
<br />
== Which tool to use ? ==<br />
The best way to do this depends on the tools available on your system. It is often easiest to run the capture tool from the command-line, unless debugging a problem that requires complex capture filters to be set (to reduce the network trace).<br />
<br />
For more complex tasks the GUI based network tools, such as wireshark, may be easier for beginners to use. <br />
<br />
== Where should the tracing be done? ==<br />
If your problem concerns file exchange then tracing can be done on the client or on the server. On the other hand if it concerns things related to authentication or Active Directory protocols it's often better to do the tracing from the server as most of the time we will need packets exchanged during the boot of the computer or during user's logon.<br />
<br />
If tracing on the server puts too much load on the server system to reproduce the problem or results in a network trace that is too large, tracing from the client can be attempted instead. <br />
<br />
== Tracing ==<br />
From the command line of the operating system type: (note: in the table below, replace ''FILENAME'' with a more descriptive file name): <br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME </pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -n -w FILENAME</pre><br />
|-<br />
|| snoop || <pre>snoop -q -o FILENAME</pre><br />
|}<br />
<br />
If you're sure the problem is only related to SMB, you can filter the traffic based on the ports:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME port 445 or port 139</pre><br />
|-<br />
|| snoop || <pre>snoop -q -o FILENAME port 445 or port 139</pre><br />
|}<br />
<br />
If you know the IP address of the client you can use the following to reduce the volume of the trace:<br />
<br />
{|<br />
! Tool !! Commandline<br />
|-<br />
||wireshark || <pre>tshark -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| ethereal || <pre>tethereal -p -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| tcpdump || <pre>tcpdump -p -s 0 -w FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|-<br />
|| snoop || <pre>snoop -q -o FILENAME host IP_ADDRESS_OF_THE_CLIENT</pre><br />
|}<br />
<br />
Where ''IP_ADDRESS_OF_THE_CLIENT'' is the IP of the client, something like 192.168.1.2 or 2001:db8:0:85a3::ac1f:8001.<br />
<br />
== How to use graphical user interface ==<br />
In many cases the process is as simple as the following, from your client (e.g. Windows workstation):<br />
<br />
* Download and install [http://www.wireshark.org/download.html Wireshark].<br />
* Launch Wireshark from the Windows "All Programs" menu list<br />
* Start the capture<br />
* Do the operation that causes trouble<br />
* Stop the capture<br />
* Save the trace and send the trace to the developer working on your problem (or attach it or a URL to the saved trace file location to the bugzilla bug). <br />
<br />
== Additional remarks ==<br />
=== For SMB/SMB2 related problems ===<br />
For some types of problems it is also important that we see the beginning of the SMB connection.<br />
You can cause the Windows client to reconnect if you first kill the Samba server's smbd process which is servicing your client before starting the trace. You do not have to restart all of Samba.<br />
<br />
You can find out the smbd responsible for your client by running the tool smbstatus on the server.<br />
<br />
=== For authentication, LDAP, GPO related problems ===<br />
If the problem does not occur at login, or is reproducible while the user is logged in, start the trace just before the operation that fails. Nevertheless, most of the time part of the traffic will be encrypted, and for the trace to be usable you will need the initial key exchange.<br />
<br />
The best way to do this is to force Windows to discard all your Kerberos tickets, so that when you repeat the failing operation Windows requests new Kerberos tickets and the trace contains all the information the developer needs.<br />
<br />
To force Windows to discard your Kerberos tickets:<br />
* On Windows XP or Windows Server 2003<br />
You will need the program called ''kerbtray.exe'' in ''C:\Program Files\Windows Resource Kits\Tools''; you can get it from the [http://www.microsoft.com/download/en/details.aspx?id=17657 resource kit]. Once it is started you will see a green ticket in the systray. To purge, right-click the icon and select purge ticket, as shown in the capture below.<br />
<br />
[[File:Kerbtray.png]]<br />
<br />
* On Windows Vista and newer or Windows Server 2008 and newer<br />
The tool ''ktutil.exe'' is shipped with this version of Windows. To purge tickets, run the following:<br />
<code>ktutil purge</code></div>BBaumbachhttps://wiki.samba.org/index.php?title=Samba&diff=7466Samba2013-02-19T12:15:04Z<p>BBaumbach: remove duplicate link</p>
<hr />
<div>==Current Status== <br />
'''Current Version: 4.0.3''' <br />
'''[http://www.samba.org/samba/ftp/stable/samba-4.0.3.tar.gz Download]'''<br />
'''[http://www.samba.org/samba/history/samba-4.0.3.html Release Notes]'''<br />
<br />
<br />
'''The official press release of Samba 4 can be found on the [https://www.samba.org/samba/news/releases/4.0.0.html Samba website].'''<br />
<br />
Full Active Directory support has been incorporated into the Samba suite with Samba 4.x.x. With Samba 4, you can join a Windows (all recent releases should be supported) machine to a Samba Active Directory domain, and it will behave much as it does in AD, including Kerberos domain logins where applicable. Samba 4 is now at a point where it can begin replacing existing production deployments, and users are encouraged to try out Samba 4 in a test environment before implementing it in a work environment!<br />
<br />
Except for a small number of deprecated features, Samba continues to provide all the features and functionality found in Samba 3.6, and as such is an excellent file server and domain member as well.<br />
<br />
= General Documentation on Samba =<br />
<br />
* [[Release_Planning_for_Samba_4.0|Release planning for Samba 4.0]]<br />
<br />
* [[BuildsystemUseAndWhy|Building Samba 4.0]]<br />
<br />
* [[CTDB_Project|CTDB Project]]<br />
<br />
* [https://bugzilla.samba.org/buglist.cgi?query_format=specific&order=relevance+desc&bug_status=__open__&product=Samba+4.0 Open Bug Reports on Samba 4.0]<br />
<br />
* [[Samba4/FAQ|Samba 4 FAQ]]<br />
<br />
<br />
<br />
<br />
<br />
= Samba as an Active Directory Domain Controller =<br />
<br />
'''Here you can find everything to set up a Samba Active Directory Domain Controller and all that is related to this topic.'''<br />
<br />
* [[Samba_AD_DC_HOWTO|Samba Active Directory HOWTO]]: Contains everything for setting up a basic Samba Active Directory Controller<br />
<br />
* [[Samba4/samba-tool/domain/classicupgrade/HOWTO|Migrating a Samba 3 PDC to a Samba Active Directory Domain Controller]]: If you are running a Samba 3 NT4-style environment and want to move to Active Directory, this is the documentation that contains all the necessary information<br />
<br />
* [[Samba_AD_DC_HOWTO#Step_11:_Permissions.2C_SELinux_Labeling_and_Policy|Permissions, SELinux Labeling and Policy]]<br />
<br />
* [[Samba_AD_DC_HOWTO#Viewing_Samba_4_Active_Directory_object_from_Windows|Samba Remote Administration Using the Typical Windows Tools]]<br />
<br />
* [[Samba_AD_DC_HOWTO#Managing_Samba_4_Active_Directory_From_a_Windows_Client|Samba User Management/Administration]]<br />
<br />
* [[Samba_AD_DC_HOWTO#Setting_Up_Roaming_Profiles|Roaming Profiles with Samba]]<br />
<br />
* [[Samba_AD_DC_HOWTO/AD_Delegation|Delegating administrative jobs to non-admin-accounts]]<br />
<br />
* [[Samba_AD_DC_HOWTO#Adding_Organization_Units_.28OU.29_Into_a_Samba__Domain|Working with Organization Units]]<br />
<br />
* [[Samba_AD_DC_HOWTO#Implementing_Group_Policies_.28GPO.29_in_A_Samba_Domain|Using Group Policies with a Samba AD DC]]<br />
<br />
* [[Samba4/HOWTO/Join_a_domain_as_a_DC|Joining Samba as additional DC to the AD]]<br />
<br />
* [[Samba_AD_DC_HOWTO#Joining_a_Windows_Domain_Controller_as_an_Additional_DC_in_a_Domain|Joining a Windows Domain Controller as an Additional DC in a Domain]]<br />
<br />
* [[Samba_AD_DC_HOWTO#Configure_a_Windows_Client_to_join_a_Samba_4_Active_Directory|Joining Windows Clients to the Samba Active Directory Domain]]<br />
<br />
* [[DNS|Internal DNS and Bind DLZ module]]<br />
<br />
* [[Samba4/beyond|Beyond Samba]]: Connecting other Services/Daemons to your Samba Active Directory (e. g. authentication, etc.)<br />
<br />
* [[Samba4/Schema_extenstions|Samba Active Directory Schema Extensions]]<br />
<br />
* [[Samba4/Smart_Card_Login|Samba Smart Card Login HowTo]]<br />
<br />
* [[Samba4/HOWTO/Virtual_Private_Network|Creating a Single Sign On VPN with Samba AD]]<br />
<br />
* [[Samba4/videos|Samba 4 Demonstration Videos]]<br />
<br />
= Samba as a Domain Member Server =<br />
<br />
* [[Samba4/Domain_Member|Samba Member Server setup in an Active Directory environment]]: This HOWTO is based on Samba 4 (Recommended)<br />
<br />
* [[Samba_%26_Active_Directory|Samba and Active Directory]]: Samba 3 and AD<br />
<br />
<br />
<br />
<br />
<br />
= Miscellaneous Configuration Topics =<br />
<br />
'''Here you'll find all configuration/setup topics that can't be associated directly to an ADC or member server'''<br />
<br />
* [[Samba_AD_DC_HOWTO#Step_12:_Setup_a_File_Share|Setting up a File Share]]<br />
<br />
* [[Samba_AD_DC_HOWTO#Step_13:_Setup_a_Printer_share|Samba Print Server]]<br />
<br />
* [[Backup_and_Recovery|Backup and Recovery]]<br />
<br />
<br />
<br />
<br />
<br />
= Developing Samba =<br />
<br />
* GitWeb<br />
<br />
:* [http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test v4-0-test] (branch for next 4.0.x release)<br />
<br />
:* [http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-stable v4-0-stable] (branch for current 4.0.x release)<br />
<br />
:* [http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master master] (current Samba development for future releases)<br />
<br />
: For more info on available branches, as well how to obtain the sources via a Git client, see the [http://www.samba.org/samba/devel samba.org devel page].<br />
<br />
* [[Writing_Torture_Tests|Writing Torture Tests]]<br />
<br />
* [[Waf|Using waf to Build Samba]]<br />
<br />
* [[Samba4/Debian|Building Debian Packages of Samba 4]]<br />
<br />
<br />
<br />
<br />
<br />
= Historical Documentation on the Development of Samba4 =<br />
<br />
* [[Samba4/DRS_TODO_List|Samba4 DRS ToDo List]]<br />
<br />
* [[Samba4/Status|Samba 4 Status]]<br />
<br />
* [[Franky|Franky]]: A Hybrid Samba Active Directory Controller (outdated!)<br />
<br />
* [[Samba4/s3fs|An Explanation of the s3fs Architecture for Using smbd in the AD Server]]<br />
<br />
* [[Development Resources]]<br />
<br />
* [[Samba4/Tests|Test Status]]<br />
<br />
* [[SambaGtk|Gtk+ Frontends]]<br />
<br />
* [[Samba4/ActiveDirectory|Active Directory Plans]]<br />
<br />
* [[Samba4/Domain_Member|Domain Member plans]]<br />
<br />
* [[Samba4/LDAP_Backend|LDAP Directory Server Backend History Notes]]<br />
<br />
* [[Samba4 AD Plugfest 2010 TODO list|Samba 4 AD Plugfest 2010 TODO List]]<br />
<br />
* [ftp://ftp.samba.org/pub/samba/samba4/ Development Releases of Samba4 (technology previews, alphas, betas, release candidates)]</div>BBaumbachhttps://wiki.samba.org/index.php?title=Setting_up_Samba_as_an_Active_Directory_Domain_Controller&diff=7465Setting up Samba as an Active Directory Domain Controller2013-02-19T12:11:23Z<p>BBaumbach: fix build instructions: use the toplevel build</p>
<hr />
<div>= HOWTO to set up Samba as an Active Directory compatible Domain Controller =<br />
<br />
This document explains how to set up a simple Samba<br />
server as a Domain Controller compatible with Microsoft's Active Directory, for use particularly by Microsoft Windows clients that are joined to the Active Directory Domain, for services such as Domain Logon. We refer to this capability as being an AD DC for short. <br />
<br />
== Video Demonstrations of This HOWTO ==<br />
<br />
A set of [[samba4/videos|demonstration videos]] is available that<br />
may provide a useful overview of the contents of this HOWTO.<br />
<br />
== A Note on Versions ==<br />
<br />
Samba is developing rapidly. This HOWTO is frequently updated to reflect the latest changes in the Samba git repository. Please see the [[Release_Planning_for_Samba_4.0|Samba 4.0 Release Planning]] for more specifics on the release planning.<br />
<br />
== Server Information ==<br />
For the rest of this tutorial, we will be using the following configuration for our example AD DC configuration. <br />
<br />
Installation Directory: /usr/local/samba<br />
Server Hostname: samba<br />
DNS Domain Name: samdom.example.com<br />
NT4 Domain Name: samdom<br />
IP Address: 192.168.1.2<br />
Server Role: DC <br />
<br />
== Samba OS Requirements ==<br />
<br />
Because of the constantly changing and ever expanding nature of Linux, the '''OS Requirements for Samba 4 have been moved''' from Step 2, to [[Samba_4/OS_Requirements]].<br />
This not only includes the required packages for a successful Samba AD DC deployment, but also the required file system features. Please consider that page as a prerequisite to a successful Samba AD DC setup.<br />
<br />
== Step 1: Download Samba ==<br />
<br />
Currently, there are three methods to download the current Samba sources, either as a tarball of the latest stable release, or a development version via git or rsync. If you hope to work with the team on a development version to resolve issues you may hit via code changes, we recommend using the git method for downloading Samba, as it makes getting updates easier, and also allows you to integrate test patches from Samba developers more easily in case of problems. <br />
<br />
In the following examples we will assume that your top-level source is named <tt>samba4</tt>. If you downloaded a tarball this will instead be based on the name of the tarball downloaded (e.g. <tt>samba-4.0.0</tt> for the tarball samba-4.0.0.tar.gz). Also note that in the <tt>master</tt> branch the<br />
Samba 4 code in our current git tree is now located in the top level directory.<br />
<br />
=== Downloading a tarball ===<br />
<br />
If you wish to use a released version of Samba 4.0, you can download the latest Samba 4.0 tarball from [http://ftp.samba.org/pub/samba/ the Samba website]<br />
<br />
=== Downloading via git ===<br />
<br />
Git allows you to download the source tree via either the <tt>git</tt> or <tt>http</tt> protocols. In general, the <tt>git</tt> protocol is the preferred choice since it compresses the data being transferred. To download the source tree via <tt>git</tt>, run the following command:<br />
<br />
$ git clone git://git.samba.org/samba.git samba4<br />
<br />
Alternatively, if you prefer to use the <tt>http</tt> protocol, run the following command:<br />
<br />
$ git clone http://gitweb.samba.org/samba.git samba4<br />
<br />
Either command will create a directory called <tt>samba4</tt> in the current<br />
directory. This directory will hold a checkout of the branch you choose to download (master, test, or stable).<br />
<br />
'''If you are using the checkout for a production installation you should use the following git branches:'''<br />
* 'v4-0-stable' (which contains the latest stable 4.0.x release)<br />
$ git clone -b v4-0-stable git://git.samba.org/samba.git samba4<br />
'''or'''<br />
* 'v4-0-test' (which contains the patches scheduled for the next stable 4.0.x release)<br />
$ git clone -b v4-0-test git://git.samba.org/samba.git samba4<br />
<br />
==== Updating via git ====<br />
<br />
If you already have downloaded the source tree via <tt>git</tt> and want to update the tree to the latest version, run the following command in your <tt>samba4</tt> directory:<br />
<br />
$ git pull<br />
<br />
If you get an error like this:<br />
fatal: Unable to create '[...]/samba_master/.git/index.lock': File exists.<br />
Run the command below to reset your tree.<br />
<br />
If you are having trouble compiling the source, it may be due to stale files. You can reset your <tt>git</tt> tree to correct these errors. To reset your <tt>git</tt> tree, run the following command in your <tt>samba4</tt> directory:<br />
<br />
$ git clean -x -f -d<br />
<br />
== Step 2: Compile Samba ==<br />
<br />
To build Samba, run the following commands in your Samba source directory:<br />
<br />
$ ./configure --enable-debug --enable-selftest<br />
$ make<br />
<br />
The above command will set up Samba to install in <tt>/usr/local/samba</tt>. If you want Samba to install in a different directory, then you should use the <tt>--prefix</tt> option to <tt>configure</tt>.<br />
<br />
The reason we recommend using <tt>--enable-debug --enable-selftest</tt> for Samba is that it will include extra debug information that will help us diagnose problems in case of failures, and will also allow you to run our selftest <tt>make test</tt> to validate that Samba can behave correctly on your platform. Both of these are however, entirely '''optional'''.<br />
<br />
'''Profiling with google-perftools'''<br />
<br />
If you want to enable profiling support, change the configure command above to the following:<br />
$ LDFLAGS="-ltcmalloc -lprofiler" ./configure.developer<br />
:''(This also works for CFLAGS)''<br />
<br />
== Step 3: Install Samba ==<br />
<br />
To install Samba, run the following command in your Samba source directory:<br />
<br />
$ make install<br />
<br />
Note that this must be run as a user who has permission to write to the install directory, which defaults to <tt>/usr/local/samba</tt>. See [[#Step 2: Compile Samba4|Step 2: Compile Samba ]] for instructions on how to change the install directory.<br />
<br />
For the rest of this HOWTO we will assume that you have installed<br />
Samba in the default location. All future Samba commands will stem from the <tt>/usr/local/samba/sbin</tt> and <tt>/usr/local/samba/bin</tt> directories.<br />
<br />
Please review the [[Samba4#Previous_Releases|Release Notes]] for the version you have installed, it may contain important information not yet reflected in this HOWTO.<br />
<br />
=== Upgrading ===<br />
<br />
If you are upgrading from a previous release of Samba 4.x, be sure to review all the [[Samba4#Previous_Releases|Release Notes]] for the new version, as well as the notes for all the interim versions.<br />
<br />
To upgrade to the latest Samba 4.x version from a previous Samba 4.x release, you must first download the latest tarball or git tree. If using git, you may either do a full download of the latest git tree as described in the [http://wiki.samba.org/index.php/Samba4/HOWTO#Downloading_via_git Downloading via git] section, or you may upgrade your current git tree as described in the [http://wiki.samba.org/index.php/Samba4/HOWTO#Updating_via_git Updating via git] section. Once you have obtained the latest version, simply run the following commands.<br />
<br />
$ ./configure --enable-debug --enable-selftest<br />
$ make<br />
$ make install<br />
<br />
For more information on the commands above and their associated options, please refer to [http://wiki.samba.org/index.php/Samba4/HOWTO#Step_2:_Compile_Samba Step 2]<br />
<br />
== Step 4: Provision Samba ==<br />
<br />
The provision step sets up a basic user database, and is used when you are setting up your Samba<br />
server in its own domain. If you instead want to setup your Samba server as an additional domain controller<br />
in an existing domain, then please see the [[#Joining a Windows Domain Controller as an Additional DC in a Domain|Joining a Windows Domain Controller as an Additional DC in a Domain]] section on this page. If you want to migrate an existing Samba 3.x domain to Samba 4.0 as an AD DC, see the [[#Migrating an Existing Samba3 Domain to Samba4|Migrating an Existing Samba 3 Domain to Samba 4]] section on this page.<br />
<br />
The provision step must be run as a user with permission to write to the install directory.<br />
<br />
# /usr/local/samba/bin/samba-tool domain provision<br />
<br />
This will run the provision tool interactively. For realm use something like <tt>samdom.example.com</tt>, for domain (it should suggest this) use <tt>samdom</tt>.<br />
<br />
If you run the previous command with a user who does not have write permission to the install directory, you will get an error similar to this:<br />
tdb_open_ex: could not open file /usr/local/samba/private/sam.ldb.d/DC=SAMDOM,DC=EXAMPLE,DC=COM. ldb: Permission denied<br />
<br />
You can pass options to <tt>samba-tool domain provision</tt> command. You can run it with the <tt>--help</tt> option to see a list of them.<br />
<br />
* Note: As of September 11, 2012 (Samba 4.0.0 RC1) the provision command now uses Samba's internal DNS server, if you would like the older behavior, add <tt>--dns-backend=BIND9_DLZ</tt> to the above provision command.<br />
* Note: You may need to remove the <tt>/usr/local/samba/etc/smb.conf</tt> file if you are re-running the provision command.<br />
* Note: If you use the --adminpass='password' switch, be aware that there are password complexity requirements, so if you are getting some odd error with provision, try a more complex password ie. 'Pa$$w0rd'<br />
* Note: If you have a "password complexity" failure during domain provisioning - read the following! <br>[I think the requirement is: at least one uppercase letter, and one number, and at least eight characters long.]<br>If you don't use a complex enough password, the provision script will bomb and re-running it will also bomb - because it doesn't know how to handle a partially provisioned setup.<br>A solution is: delete the ../samba directory. [Deleting only the smb.conf wasn't doing it, in my case.]<br>Thus, if you installed samba to the "default" location, do the following: rm /usr/local/samba/ -rf <br> Then run [make install] again to re-install the files. <br> Finally, run the domain provision again - with a better password.<br />
<br />
== Step 5: Starting Samba as an AD DC ==<br />
<br />
If you are planning to run Samba as a production server, then just run the <tt>samba</tt> binary as root<br />
<br />
# /usr/local/samba/sbin/samba<br />
<br />
That will run Samba in 'standard' mode, which is suitable for<br />
production use. Samba doesn't yet have init scripts included<br />
for each platform, but making one for your platform should not be<br />
difficult. There are some example scripts (for RedHat/Fedora, Debian and Ubuntu) on the [[Samba4/InitScript]] page.<br />
<br />
If you are running Samba as a developer you may find<br />
the following more useful:<br />
<br />
# /usr/local/samba/sbin/samba -i -M single<br />
<br />
This will start <tt>samba</tt> with all log messages printed to stdout, and restricting it to a<br />
single process. That mode of operation makes debugging <tt>samba</tt> with <tt>gdb</tt><br />
easier. If you want to launch it under <tt>gdb</tt>, run <tt>samba</tt> as follows:<br />
<br />
# gdb --args /usr/local/samba/sbin/samba -i -M single<br />
<br />
Note that if you are running any Samba 3 <tt>smbd</tt> or <tt>nmbd</tt> processes<br />
they need to be stopped before starting <tt>samba</tt> from Samba 4.<br />
<br />
Take care when running Samba commands if you also have a previous version of Samba installed. To avoid inadvertently running the wrong version, you should consider putting the <tt>/usr/local/samba/bin</tt> and <tt>/usr/local/samba/sbin</tt> directories in the beginning of your <tt>PATH</tt> variable.<br />
<br />
You can see what version of Samba, if any, is in your <tt>PATH</tt> variable by running the following:<br />
# samba -V<br />
<br />
== Step 6: Testing Samba as an AD DC ==<br />
<br />
First check you have the right version of <tt>smbclient</tt> by running the following command:<br />
<br />
$ /usr/local/samba/bin/smbclient --version<br />
<br />
This should show you a version starting with "Version 4.0.XXXXX". <br />
<br />
Now run this command to list the shares on your Samba server:<br />
<br />
$ /usr/local/samba/bin/smbclient -L localhost -U%<br />
<br />
The output of the command should be similar to what is shown below:<br />
<br />
Sharename Type Comment<br />
--------- ---- -------<br />
netlogon Disk<br />
sysvol Disk<br />
IPC$ IPC IPC Service (Samba 4.0.0)<br />
<br />
The <tt>netlogon</tt> and <tt>sysvol</tt> shares are basic shares needed for Active Directory server<br />
operation. <br />
<br />
If the command failed, restart samba by running the following:<br />
<br />
# killall samba<br />
# rm -v -- /usr/local/samba/var/run/smbd-fileserver.conf.pid<br />
# /usr/local/samba/sbin/samba<br />
<br />
To test that authentication is working, you should try to connect to the <tt>netlogon</tt> share<br />
using the Administrator password you set earlier:<br />
<br />
$ smbclient //localhost/netlogon -UAdministrator%'p4$$word' -c 'ls'<br />
<br />
The output of the command should be similar to what is shown below:<br />
<br />
Domain=[SAMDOM] OS=[Unix] Server=[Samba 4.0.0beta9-GIT-e4677e3]<br />
. D 0 Wed Sep 12 21:00:36 2012<br />
.. D 0 Wed Sep 12 21:02:28 2012<br />
<br />
== Step 7: Configure DNS ==<br />
<br />
A working DNS setup is essential to the correct operation of<br />
Samba. Without the right DNS entries, Kerberos won't work, which in<br />
turn means that many of the basic features of Samba won't work.<br />
<br />
It is worth spending some extra time to ensure your DNS setup is correct, as debugging problems caused by mis-configured DNS can take a<br />
lot of time later on.<br />
<br />
=== DNS Server ===<br />
==== Samba's Internal DNS Server ====<br />
<br />
If you specified <tt>--dns-backend=SAMBA_INTERNAL</tt> or did not specify any backend at all when you provisioned, there is no further setup required for the DNS server. However, you still need to configure your <tt>/etc/resolv.conf</tt> as shown in [[#Configure /etc/resolv.conf|Configure /etc/resolv.conf]]<br />
<br />
If you want the internal DNS server to forward requests it isn't responsible for, then add the following to your smb.conf:<br />
dns forwarder = {IP-Address of the DNS you want to forward to}<br />
<br />
'''Warning:''' If you are running X Windows on your machine, NetworkManager could be spawning dnsmasq. Check the logs for lines like:<br />
<br />
Failed to bind to 0.0.0.0:53 TCP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED<br />
<br />
If you need to disable this you can open <tt>/etc/NetworkManager/NetworkManager.conf</tt> in your favorite editor as root, and comment out the line <tt>dns=dnsmasq</tt>, then <tt>restart network-manager</tt><br />
<br />
==== Bind 9.8.0 or newer ====<br />
<br />
If using BIND, the next step to get a working DNS setup for Samba is to start<br />
with the DNS configuration file that is created by the<br />
[[#Step 4: Provision Samba4|provision step]] or if you are using any of the other samba-tool options (classicupgrade for example) you can specify --dns-backend=BIND9_DLZ or --dns-backend=BIND9_FLATFILE.<br />
<br />
You can<br />
activate the configuration that the provision has created by including this configuration file in bind's named configuration file. This file is typically located in the <tt>/etc/bind</tt> directory, please refer to your distribution documentation for the location of this file on your system. Once located, add the following line to the configuration file:<br />
<br />
include "/usr/local/samba/private/named.conf";<br />
<br />
Edit that file to uncomment the correct dlz plugin line, based on your version of bind. Open the <tt>/usr/local/samba/private/named.conf</tt> file in a text editor and follow the instructions inside.<br />
<br />
After adding that line you should restart your Bind server and check<br />
in the system logs for any problems. If available, you can run <tt>named-checkconf</tt> to help you fix any problems with your named configuration.<br />
<br />
==== Bind 9.7.x ====<br />
<br />
Users of bind-9.7.x are strongly encouraged to upgrade to bind-9.8 or bind-9.9. If this is not possible, refer to the section [[#Step 9: Configure Kerberos DNS Dynamic Updates|Configure Kerberos DNS Dynamic Updates]] for instructions on configuring bind-9.7.<br />
<br />
==== Bind (All Versions) ====<br />
<br />
A common problem you may encounter is that many modern Linux distributions activate<br />
'Apparmor' or 'SELinux' by default, and these may be configured to<br />
deny Bind access to the <tt>named.conf</tt> and zone files created in<br />
the provision. If your Bind logs show that Bind is getting an access<br />
denied error accessing these files, please see your local system<br />
documentation for how to enable access to these files in Bind (hint:<br />
for Apparmor systems such as Ubuntu, the command <tt>aa-logprof</tt> may be<br />
useful).<br />
<br />
*Note: On Debian systems, the zone auto-generation might detect and use <tt>127.0.1.1</tt> as the domain controller's IP address. This will cause problems when trying to connect to the server from client machines. To fix this, you will need to adjust <tt>/usr/local/samba/private/named.conf</tt> by changing <tt>127.0.1.1</tt> to reflect the actual IP address of the server you're setting up.<br />
*Note: On Debian SID (bind9 package), <tt>/etc/bind/named.conf.options</tt> is missing and this will cause the <tt>named</tt> daemon to fail to start. To fix this either create an empty file, or comment out corresponding line in <tt>/etc/bind/named.conf</tt>. See your syslog messages for more information.<br />
<br />
=== Configure /etc/resolv.conf ===<br />
<br />
For all the local DNS lookups to resolve correctly, we need to modify the server's <tt>/etc/resolv.conf</tt> file. The following example should be sufficient to have DNS resolve properly:<br />
<br />
domain samdom.example.com<br />
nameserver 192.168.1.2<br />
<br />
*Note: Remember to change the IP Address to your Samba server's IP Address<br />
*Note: If your server is set up to receive its IP configuration via DHCP, the <tt>/etc/resolv.conf</tt> file might be automatically updated. Refer to your distribution's documentation on how to stop this behavior.<br />
<br />
=== Testing DNS ===<br />
<br />
To test that DNS is working properly, run the following commands and compare the output to what is shown:<br />
<br />
$ host -t SRV _ldap._tcp.samdom.example.com.<br />
_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com.<br />
<br />
$ host -t SRV _kerberos._udp.samdom.example.com.<br />
_kerberos._udp.samdom.example.com has SRV record 0 100 88 samba.samdom.example.com.<br />
<br />
$ host -t A samba.samdom.example.com.<br />
samba.samdom.example.com has address 10.0.0.1<br />
<br />
The answers you get should be similar to the ones above (adjusted for your DNS domain name and hostname). If you get any errors, <br />
carefully check your system logs to locate the problem.<br />
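The three lookups above can be checked mechanically. The following is an added example, not part of the original HOWTO or the Samba project: the function names and the sample answers are constructed, and the checks parse the text format that <tt>host</tt> prints above. It also flags a loopback address for the DC, the 127.0.1.1 problem noted for Debian systems.

```shell
#!/bin/sh
# Added example (not Samba project code). Function names and the sample
# answers at the bottom are constructed for illustration.

# check_srv NAME PORT TARGET OUTPUT
# Succeeds if OUTPUT (text printed by `host -t SRV NAME`) has a line
#   NAME has SRV record <priority> <weight> PORT TARGET.
check_srv() {
    name=$1; want_port=$2; want_target=$3; output=$4
    printf '%s\n' "$output" |
    awk -v n="$name" -v p="$want_port" -v t="$want_target" '
        $1 == n && $2 == "has" && $3 == "SRV" && $4 == "record" {
            target = $8
            sub(/\.$/, "", target)            # drop the trailing root dot
            if ($7 == p && tolower(target) == tolower(t)) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# check_a NAME IP OUTPUT
# Parses `host -t A NAME` output. Returns 0 on a match, 1 if there is no
# A record, 2 if the DC resolves to loopback, 3 if the address differs.
check_a() {
    name=$1; want_ip=$2; output=$3
    got=$(printf '%s\n' "$output" |
          awk -v n="$name" '$1 == n && $2 == "has" && $3 == "address" { print $4; exit }')
    case $got in
        "")    echo "no A record for $name" >&2; return 1 ;;
        127.*) echo "$name resolves to loopback address $got" >&2; return 2 ;;
    esac
    [ "$got" = "$want_ip" ] || { echo "$name is $got, expected $want_ip" >&2; return 3; }
}

# dc_dns_failures DOMAIN DC_FQDN DC_IP LDAP_OUT KRB_OUT A_OUT
# Prints how many of the three checks failed (0 means DNS looks right).
dc_dns_failures() {
    domain=$1; dc=$2; ip=$3; fails=0
    check_srv "_ldap._tcp.$domain" 389 "$dc" "$4"    || fails=$((fails + 1))
    check_srv "_kerberos._udp.$domain" 88 "$dc" "$5" || fails=$((fails + 1))
    check_a "$dc" "$ip" "$6"                         || fails=$((fails + 1))
    echo "$fails"
}

# Constructed sample answers for the HOWTO's example DC (samba, 192.168.1.2).
# For a live check, pass "$(host -t SRV _ldap._tcp.samdom.example.com.)" etc.
SAMPLE_LDAP='_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com.'
SAMPLE_KRB='_kerberos._udp.samdom.example.com has SRV record 0 100 88 samba.samdom.example.com.'
SAMPLE_A='samba.samdom.example.com has address 192.168.1.2'

echo "failed checks: $(dc_dns_failures samdom.example.com samba.samdom.example.com \
    192.168.1.2 "$SAMPLE_LDAP" "$SAMPLE_KRB" "$SAMPLE_A")"
```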
<br />
== Step 8: Configure Kerberos ==<br />
<br />
Kerberos configuration is handled by the <tt>krb5.conf</tt> file. This file is typically located in the <tt>/etc</tt> directory; please refer to your distribution documentation for the location of this file on your system. Replace the existing file, if any, with the sample from <tt>/usr/local/samba/share/setup/krb5.conf</tt>. Edit the file and replace <tt>${REALM}</tt> with the value you chose for the <tt>--realm</tt> parameter of the provision command above, making sure to enter the realm in '''uppercase letters''':<br />
*Note: If you've already forgotten <gasp!> what Realm you supplied, you can find it in the smb.conf file. [for default installs that's /usr/local/samba/etc/smb.conf]<br />
[libdefaults]<br />
default_realm = SAMDOM.EXAMPLE.COM<br />
dns_lookup_realm = false<br />
dns_lookup_kdc = true<br />
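A quick way to catch the usual mistakes in this step (a leftover <tt>${REALM}</tt> placeholder, a lowercase realm, or a realm that differs from the one in smb.conf) is sketched below. This is an added example, not part of the original HOWTO or the Samba project; the function names and the demo files are constructed, and it assumes the realm is stored as the <tt>realm</tt> parameter in the <tt>[global]</tt> section of smb.conf.

```shell
#!/bin/sh
# Added example (not Samba project code). Function names and the demo
# files created at the bottom are constructed for illustration.

# krb5_default_realm FILE: print default_realm from the [libdefaults] section.
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# smb_conf_realm FILE: print the "realm" parameter from the [global] section.
smb_conf_realm() {
    awk '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && tolower($0) ~ /^[ \t]*realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# check_realm KRB5_CONF SMB_CONF
# Returns 0 if the realm is usable, 1 if default_realm is missing, 4 if the
# template placeholder was never replaced, 2 if the realm is not uppercase,
# 3 if it does not match smb.conf (compared case-insensitively).
check_realm() {
    krb=$(krb5_default_realm "$1")
    smb=$(smb_conf_realm "$2")
    [ -n "$krb" ] || { echo "no default_realm in $1" >&2; return 1; }
    case $krb in
        *'${'*) echo "placeholder $krb was not replaced in $1" >&2; return 4 ;;
    esac
    upper=$(printf '%s' "$krb" | tr '[:lower:]' '[:upper:]')
    [ "$krb" = "$upper" ] || { echo "default_realm $krb is not uppercase" >&2; return 2; }
    smb_upper=$(printf '%s' "$smb" | tr '[:lower:]' '[:upper:]')
    [ "$krb" = "$smb_upper" ] || {
        echo "default_realm $krb does not match smb.conf realm '$smb'" >&2
        return 3
    }
}

# Demo on constructed files; on a default install the real paths would be
# /etc/krb5.conf and /usr/local/samba/etc/smb.conf.
demo_dir=$(mktemp -d)
cat > "$demo_dir/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
EOF
cat > "$demo_dir/smb.conf" <<'EOF'
[global]
    workgroup = SAMDOM
    realm = samdom.example.com
EOF
if check_realm "$demo_dir/krb5.conf" "$demo_dir/smb.conf"; then
    echo "realm OK: $(krb5_default_realm "$demo_dir/krb5.conf")"
fi
rm -rf "$demo_dir"
```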
<br />
=== Testing Kerberos ===<br />
<br />
The simplest test is to use the <tt>kinit</tt> command as follows:<br />
<br />
$ kinit administrator@SAMDOM.EXAMPLE.COM<br />
Password:<br />
<br />
*Note: You must specify your domain realm <tt>SAMDOM.EXAMPLE.COM</tt> in '''uppercase letters'''<br />
<br />
<tt>kinit</tt> will not give you any output. [It may give you a password expiration notice.] To verify that Kerberos is working, and that you received a ticket, run the following:<br />
<br />
<br />
$ klist<br />
Ticket cache: FILE:/tmp/krb5cc_1000<br />
Default principal: administrator@SAMDOM.EXAMPLE.COM<br />
<br />
Valid starting Expires Service principal<br />
02/10/10 19:39:48 02/11/10 19:39:46 krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM<br />
<br />
If either <tt>kinit</tt> or <tt>klist</tt> do not exist on your system, refer to [[Samba_4_OS_Requirements]] on how to install the necessary packages.<br />
<br />
You can also test Kerberos from a remote client, but you must first configure the client's <tt>krb5.conf</tt> and <tt>resolv.conf</tt> as shown previously.<br />
<br />
*Note: If you are using a client behind NAT then you have to add the following to the <tt>krb5.conf</tt> on the domain controller server:<br />
<br />
[kdc]<br />
check-ticket-addresses = false<br />
*Note: If provision generated you a password and you forgot it or didn't get it saved in some way, you can use "samba-tool user setpassword administrator" as root to reset it.<br />
<br />
== Step 9: Configure DNS Dynamic Updates via Kerberos ==<br />
<br />
Samba has the capability to automatically update the bind zone files via Kerberos. While this step is optional, it is highly recommended. If you are using Samba's internal DNS server, no configuration is needed, and you can skip this step.<br />
<br />
To set up dynamic DNS updates you need to have a recent version of bind installed. It is highly recommended that you install at least version 9.8.0 as that version includes a set of patches from the Samba Team to make dynamic DNS updates much more robust and easier to configure. In the instructions below we give instructions for both bind 9.7.2 and 9.8.0, but please use 9.8.0 or later if at all possible.<br />
<br />
You can tell what version of bind you have using the command <tt>/usr/sbin/named -V</tt>. If your OS does not have bind-9.8.0 or later, then please consider getting it from a package provided by a 3rd party (for example, on Ubuntu there is a ppa available with the newer versions of bind).<br />
<br />
=== Bind 9.8.0 or Later ===<br />
<br />
When using bind-9.8.0 or later you need to add the following to the options section of your bind config:<br />
options {<br />
[...]<br />
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";<br />
[...]<br />
};<br />
<br />
This file is typically located in the <tt>/etc/bind</tt> directory, please refer to your distribution documentation for the location of this file on your system.<br />
<br />
=== Bind 9.7.x ===<br />
<br />
If you have bind-9.7.x (specifically 9.7.2 or later), then first determine whether you can<br />
possibly run bind-9.8 instead. You will have far fewer problems. Otherwise, follow these instructions.<br />
<br />
The Samba provision will have created a custom <tt>/usr/local/samba/private/named.conf.update</tt> configuration file. You need to include this file in your master <tt>named.conf</tt> to allow Samba/Kerberos DNS updates to automatically take place. Be advised that if you include this file in Bind versions that don't support it, Bind will fail to start.<br />
<br />
You additionally need to set two environment variables when using bind-9.7.x:<br />
<br />
KEYTAB_FILE="/usr/local/samba/private/dns.keytab"<br />
KRB5_KTNAME="/usr/local/samba/private/dns.keytab"<br />
export KEYTAB_FILE<br />
export KRB5_KTNAME<br />
<br />
These should be put in your settings file for bind. On Debian based<br />
systems (including Ubuntu) this is in <tt>/etc/default/bind9</tt>. On RedHat and SUSE derived systems it is<br />
in <tt>/etc/sysconfig/named</tt>, please refer to your distribution documentation for the correct location to set these environment variables. Strictly speaking you only either need<br />
<tt>KEYTAB_FILE</tt> or <tt>KRB5_KTNAME</tt>, but which you need depends on your distribution,<br />
so it's easier to just set both.<br />
<br />
The <tt>dns.keytab</tt> must be readable by the bind server process. Generally, this is accomplished by executing:<br />
$ chown named:named /usr/local/samba/private/dns.keytab<br />
<br />
(the provision should have set up these permissions for you automatically).<br />
<br />
Finally, you need to add the following to the options section of your bind config:<br />
options {<br />
[...]<br />
tkey-gssapi-credential "DNS/server.samdom.example.com";<br />
tkey-domain "SAMDOM.EXAMPLE.COM";<br />
[...]<br />
};<br />
<br />
The last part of the credential in the first line must match the dns name of the server you have set up. This file is typically located in the <tt>/etc/bind</tt> directory, please refer to your distribution documentation for the location of this file on your system.<br />
<br />
=== Testing/Debugging Dynamic DNS Updates ===<br />
<br />
The way the automatic DNS update in Samba works is that the provision<br />
will create a file <tt>/usr/local/samba/private/dns_update_list</tt>, which<br />
contains a list of DNS entries that Samba will try to dynamically<br />
update at startup and every 10 minutes thereafter using the <tt>samba_dnsupdate</tt> utility.<br />
Updates will only happen if the DNS entries do not already exist.<br />
Remember that you need the <tt>nsupdate</tt> utility from the bind distribution<br />
for all of this to work.<br />
<br />
If you want to test or debug this process, then please run this as root:<br />
<br />
/usr/local/samba/sbin/samba_dnsupdate --verbose --all-names<br />
<br />
The command line options specified will force an update of all records in the <tt>dns_update_list</tt>, as well as output detailed information on what is being done.<br />
<br />
=== Interaction With Apparmor or SELinux ===<br />
<br />
If you are using Apparmor or SELinux, you have to ensure that the bind process has read access to the <tt>/usr/local/samba/private/dns.keytab</tt> file, the<br />
<tt>/usr/local/samba/private/named.conf</tt> file as well as read-write access to the <tt>/usr/local/samba/private/dns</tt> directory and its own zone file. The Samba provision tries to set up the permissions<br />
correctly for these files, but you may find you need to make changes<br />
in your Apparmor or SELinux configuration if you are running either of<br />
those. If you are using Apparmor then the <tt>aa-logprof</tt> command may help<br />
you add any missing permissions you need to add after you start Samba<br />
and bind for the first time after configuring them.<br />
<br />
Please refer to [[#Step 11: Permissions, SELinux Labeling and Policy|Step 11: Permissions, SELinux Labeling and Policy]] for more information.<br />
<br />
== Step 10: Configure NTP (Optional) ==<br />
<br />
You require a recent ntpd version (>=4.2.6) that supports signed ntp. For example, the versions shipped with RHEL6 and Ubuntu < 11.04 are too old. The ntpd of Debian Squeeze supports signed ntp.<br />
<br />
1. Download ntpd from ntp.org (verify md5 sum) and compile it (add additional ./configure parameters, if needed):<br />
<br />
$ tar -zxvf ntp-4.x.x.tar.gz<br />
$ cd ntp-4.x.x<br />
$ ./configure --enable-ntp-signd<br />
$ make<br />
$ make install<br />
<br />
2a. If you already have a supported ntpd version and ntp.conf, you only have to add/adjust the following lines as a minimum:<br />
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/<br />
restrict default mssntp<br />
<br />
2b. If a minimal/simple ntp.conf is fine for you, then fill the file with the following:<br />
server 127.127.1.0<br />
fudge 127.127.1.0 stratum 12<br />
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/<br />
restrict default mssntp<br />
<br />
2c. A more complex ntp.conf is the following:<br />
server 127.127.1.0<br />
fudge 127.127.1.0 stratum 10<br />
server 0.pool.ntp.org iburst prefer<br />
server 1.pool.ntp.org iburst prefer<br />
driftfile /var/lib/ntp/ntp.drift<br />
logfile /var/log/ntp<br />
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/<br />
restrict default kod nomodify notrap nopeer mssntp<br />
restrict 127.0.0.1<br />
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery<br />
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery<br />
For explanation: This config allows clients to receive time from this NTP host, localhost<br />
doesn't have any restrictions, and the servers we receive the time from are not allowed<br />
to do anything other than provide the time to us. For more information about ntpd<br />
access control, see<br />
http://support.ntp.org/bin/view/Support/AccessRestrictions<br />
<br />
3. On members of the domain you don't have to configure anything. Per default they will receive<br />
the time from the DC that has the FSMO role PDC.<br />
<br />
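The lint below is an added example, not part of the original how-to or of ntpd: it checks an <tt>ntp.conf</tt> for the two lines this step requires (<tt>ntpsigndsocket</tt> and <tt>mssntp</tt> on <tt>restrict default</tt>) and reports which of the extra flags from the more complex configuration in 2c (<tt>kod nomodify notrap nopeer</tt>) are absent. The function names are hypothetical helpers; the file path is passed as an argument.<br />

```shell
#!/bin/sh
# Added example: lint ntp.conf against the settings shown in this step.

# restrict_default_flags FILE
# Print the flags of the first IPv4 "restrict default" line ("-4" form allowed).
restrict_default_flags() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        $1 == "restrict" {
            first = 2
            if ($2 == "-4") first = 3
            if ($first != "default") next
            out = ""
            for (i = first + 1; i <= NF; i++)
                out = out (out == "" ? "" : " ") $i
            print out
            exit
        }
    ' "$1"
}

# signd_socket FILE
# Print the directory given to the ntpsigndsocket directive, if any.
signd_socket() {
    awk '
        { sub(/#.*/, "") }
        $1 == "ntpsigndsocket" { print $2; exit }
    ' "$1"
}

# missing_flags FILE
# Print the flags used by configuration 2c that "restrict default" lacks.
missing_flags() {
    flags=$(restrict_default_flags "$1")
    missing=""
    for f in kod nomodify notrap nopeer; do
        case " $flags " in
            *" $f "*) ;;
            *) missing="${missing:+$missing }$f" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# lint_ntp_conf FILE
# Returns 1 when a line required for signed NTP is missing; absent
# restriction flags are reported as warnings only.
lint_ntp_conf() {
    conf=$1
    rc=0

    sock=$(signd_socket "$conf")
    if [ -z "$sock" ]; then
        echo "FAIL: no ntpsigndsocket directive in $conf"
        rc=1
    else
        echo "OK: ntpsigndsocket $sock"
    fi

    flags=$(restrict_default_flags "$conf")
    case " $flags " in
        *" mssntp "*) echo "OK: restrict default has mssntp" ;;
        *) echo "FAIL: restrict default lacks mssntp"; rc=1 ;;
    esac

    missing=$(missing_flags "$conf")
    if [ -n "$missing" ]; then
        echo "WARN: restrict default is missing: $missing"
    fi
    return $rc
}

# Run only when a path is given, e.g.:  sh lint_ntp.sh /etc/ntp.conf
if [ "$#" -eq 1 ]; then
    lint_ntp_conf "$1"
fi
```
<br />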
== Step 11: Permissions, SELinux Labeling and Policy ==<br />
<br />
These instructions are intended for RedHat 6.X, but may serve as a guide for other distributions/versions.<br />
<br />
There is still more work to be done with regard to creating a Samba 4 specific SELinux policy, but for now you should be<br />
able to have everything working '''without''' disabling SELinux.<br />
<br />
For all the commands below, make sure you have set the following environment variable:<br />
MYREALM="samdom.example.com"<br />
<br />
=== Bind ===<br />
<br />
Set Permissions:<br />
chown named:named /usr/local/samba/private/dns<br />
chgrp named /usr/local/samba/private/dns.keytab<br />
chmod g+r /usr/local/samba/private/dns.keytab<br />
chmod 775 /usr/local/samba/private/dns<br />
<br />
Label files:<br />
chcon -t named_conf_t /usr/local/samba/private/dns.keytab<br />
chcon -t named_conf_t /usr/local/samba/private/named.conf.update<br />
chcon -t named_var_run_t /usr/local/samba/private/dns<br />
chcon -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone<br />
<br />
Set Label Persistence:<br />
semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab<br />
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf<br />
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf.update<br />
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns<br />
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone<br />
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl<br />
semanage fcontext -a -t ntpd_t /usr/local/samba/var/run/ntp_signd<br />
<br />
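The audit below is an added example, not part of the original how-to or of Samba: it checks that the keytab from the "Set Permissions" step is readable by the bind account (as owner or through its group), that no other user has any access to it, and that the bind group cannot write it. It assumes GNU <tt>stat</tt>; <tt>audit_keytab</tt> is a hypothetical helper, and the account name defaults to <tt>named</tt> as used on this page.<br />

```shell
#!/bin/sh
# Added example: audit ownership and mode of the DNS keytab.
# Assumes GNU stat (coreutils).

# audit_keytab PATH ACCOUNT
# Prints one finding per line. Returns 0 when there are no findings,
# 1 when a check fails, 2 when the file does not exist.
audit_keytab() {
    kt=$1
    acct=$2
    rc=0

    if [ ! -f "$kt" ]; then
        echo "MISSING: $kt"
        return 2
    fi

    mode=$(stat -c '%a' "$kt")      # octal mode, e.g. 640
    owner=$(stat -c '%U' "$kt")
    group=$(stat -c '%G' "$kt")

    # The leading 0 makes the shell read the mode as an octal constant.
    other_bits=$(( 0$mode & 07 ))
    group_read=$(( 0$mode & 040 ))
    group_write=$(( 0$mode & 020 ))
    owner_read=$(( 0$mode & 0400 ))

    # A keytab holds long-term Kerberos keys, so users outside the owner
    # and group must have no access at all.
    if [ "$other_bits" -ne 0 ]; then
        echo "FAIL: $kt is accessible to other users (mode $mode)"
        rc=1
    fi

    # The bind process must be able to read the file, either because it
    # owns it (chown named:named) or through its group (chgrp + g+r).
    readable=no
    if [ "$owner" = "$acct" ] && [ "$owner_read" -ne 0 ]; then
        readable=yes
    fi
    if [ "$group" = "$acct" ] && [ "$group_read" -ne 0 ]; then
        readable=yes
    fi
    if [ "$readable" = no ]; then
        echo "FAIL: $acct cannot read $kt (owner $owner, group $group, mode $mode)"
        rc=1
    fi

    # Read access is all bind needs; group write is more than the
    # "chmod g+r" shown above grants.
    if [ "$group" = "$acct" ] && [ "$group_write" -ne 0 ]; then
        echo "WARN: group $acct can write $kt (mode $mode)"
        rc=1
    fi

    return $rc
}

# Run only when a path is given, e.g.:
#   sh audit_keytab.sh /usr/local/samba/private/dns.keytab named
if [ "$#" -ge 1 ]; then
    audit_keytab "$1" "${2:-named}"
fi
```
<br />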
=== NTP ===<br />
Set Permissions:<br />
$ chgrp ntp /usr/local/samba/var/lib/ntp_signd<br />
<br />
Multiple attempts to set the context for ntp failed so the below policy was needed for windows clients time sync after joining the DOMAIN.<br />
$ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/ntp_signd<br />
$ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/<br />
$ chcon -t ntpd_t /usr/local/samba/var/run/ntp_signd/socket<br />
<br />
<tt>samba4.te</tt> policy:<br />
module samba4 1.0;<br />
<br />
<br />
require {<br />
type ntpd_t;<br />
type usr_t;<br />
type initrc_t;<br />
class sock_file write;<br />
class unix_stream_socket connectto;<br />
}<br />
<br />
#============= ntpd_t ==============<br />
allow ntpd_t usr_t:sock_file write;<br />
<br />
#============= ntpd_t ==============<br />
allow ntpd_t initrc_t:unix_stream_socket connectto;<br />
<br />
Check and load policy:<br />
$ checkmodule -M -m -o samba4.mod samba4.te <br />
$ semodule_package -o samba4.pp -m samba4.mod<br />
$ semodule -i samba4.pp<br />
<br />
== Step 12: Setup a File Share ==<br />
<br />
The provisioning will create a very simple <tt>/usr/local/samba/etc/smb.conf</tt> file with no non-system shares by<br />
default. For the server to be useful, you will need to update it to<br />
have at least one share. For example:<br />
<br />
[test]<br />
path = /data/test<br />
comment = Test Share<br />
read only = no<br />
<br />
*Note: In older alpha versions of Samba 4, you need to restart Samba to make new shares visible.<br />
<br />
== Step 13: Setup a Printer share ==<br />
<br />
You can share any printers already configured with CUPS. Keep in mind that Samba communicates with CUPS via sockets, so you don't need to configure any special permissions beyond a listen directive for the CUPS socket.<br />
<br />
=== Basic Print Sharing ===<br />
<br />
# Create a print spool directory, and set the permissions properly. This is where Samba will store temporary files related to print documents:<br />
mkdir /usr/local/samba/var/spool<br />
chmod 1777 /usr/local/samba/var/spool<br />
<br />
# Configure samba to use it, by adding the following to <tt>/usr/local/samba/etc/smb.conf</tt>:<br />
<br />
[printers]<br />
comment = All Printers<br />
path = /usr/local/samba/var/spool<br />
browseable = Yes<br />
read only = No<br />
printable = Yes<br />
<br />
=== Point and Print Drivers ===<br />
<br />
For the sake of convenience, Windows clients can query the server that is sharing a printer for a print driver. To enable this functionality in Samba, we have to create a special <tt>print$</tt> file share.<br />
<br />
# Create the print file share directory, and architecture sub-directories:<br />
<br />
mkdir -p /usr/local/samba/var/print/{COLOR,IA64,W32ALPHA,W32MIPS,W32PPC,W32X86,WIN40,x64}<br />
<br />
# Configure samba to use it, by adding the following to <tt>/usr/local/samba/etc/smb.conf</tt>:<br />
<br />
[print$]<br />
comment = Point and Print Printer Drivers<br />
path = /usr/local/samba/var/print<br />
read only = No<br />
<br />
# Log in as a Domain Administrator on a client computer<br />
# Click Start -> Run '\\samba\'<br />
# In the list of shares, Double-Click 'Printers and Faxes'<br />
# Click File -> Server Properties<br />
# On the Drivers Tab, Click 'Add...', then 'Next'<br />
#:[[Image:SambaServerDrivers.jpg]]<br />
# In the following prompts, choose the driver you would like to install, and click 'Next'<br />
#:[[Image:SambaServerChooseDriver.jpg]]<br />
# Choose the architectures you are installing the drivers for. Be aware that if you choose an architecture that the client computer does not have the driver for, you will be prompted to provide a disk with the drivers.<br />
#:[[Image:SambaServerChooseArch.jpg]]<br />
# Close the Server Driver Dialog box<br />
# Right-click on the printer the driver is for and choose Properties<br />
# On the Advanced tab, change the Driver drop-down box to the driver you just installed<br />
<br />
== Note: Filesystem Support ==<br />
<br />
This information has been included in the [[Samba_4_OS_Requirements#File_System_Support]]<br />
<br />
= Configure a Windows Client to join a Samba 4 Active Directory =<br />
<br />
Active Directory is a powerful administration service which enables an Administrator to centrally manage a network of Windows 2000, Windows XP Pro, Windows 2003, Windows Vista Business Edition, and Windows 7 Professional (and up) effectively. To test the real Samba capability, we use Windows XP Pro as testing environment (Windows XP Home doesn't include Active Directory functionality and won't work).<br />
<br />
To allow Samba 4 Active Directory or Microsoft Active Directory to manage a computer, we need to join the computer into the active directory.<br />
It involves:<br />
<br />
# Configuring DNS Settings<br />
# Configuring Date & Time and Time Zone<br />
# Joining the domain<br />
<br />
== Step 1: Configure DNS Setting for Windows ==<br />
<br />
Before we configure the DNS settings, verify that you are able to ping the server's IP address. If you are not able to ping the server, double check your IP address, firewall, routing, etc.<br />
<br />
Once you have verified network connectivity between the Samba server and client,<br />
<br />
# Right Click My Network Places, Select Properties<br />
# Right Click Local Area Network, Select Properties<br />
# Double click TCP/IP<br />
# Use a static DNS server, add the Samba server's IP address inside the Primary DNS Server Column.<br />
#:[[Image:Samba4dnsclient.jpg]]<br />
# Press OK on all opened windows.<br />
# Open a command prompt, type 'ping samdom.example.com' (as per your provision).<br />
<br />
If you get replies, then it means that your Windows settings are correct for DNS, and the Samba server's DNS service is working as well.<br />
<br />
== Step 2: Configure Date & Time and Time Zone ==<br />
<br />
Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clocks on the client and server be synchronized to within a few seconds of each other. If they are not synchronized, then authentication will fail for apparently no reason.<br />
<br />
=== Configure the Date & Time ===<br />
# Right-Click on the Time display in the system notification area, Select Adjust Date/Time.<br />
# Change the Date and Time so the client matches the server to the minute, and click OK<br />
#:[[Image:Samba4time.jpg]]<br />
<br />
=== Configure the Time Zone ===<br />
# Right-Click on the Time display in the system notification area, Select Adjust Date/Time.<br />
# Click on the Time Zone Tab<br />
# Change the Time Zone to match the Time Zone on the server.<br />
#:[[Image:Samba4timezone.jpg]]<br />
<br />
== Step 3: Joining Windows Clients to the Domain ==<br />
<br />
Now your Windows computer is ready to join the Active Directory (AD) domain,<br />
<br />
As an Administrator:<br />
<br />
# Right Click My Computer -> Properties<br />
# Choose the Computer Name tab, click Change...<br />
# Click option 'Domain', insert SAMDOM.EXAMPLE.COM. If this fails, try SAMDOM.<br />
#:[[Image:Samba4joindomain.jpg]]<br />
# When it requests a username and password, type '''Administrator''' as the username, and '''p4$$word''' as the password.<br />
# You should get a message box stating "Welcome to the SAMDOM.EXAMPLE.COM domain."<br />
# Click OK on this message box and the Properties window, and you will be instructed to restart your computer.<br />
# After restarting, you should be presented with the normal logon dialog.<br />
# Change the domain to SAMDOM and type '''Administrator''' as the username, and '''p4$$word''' as the password.<br />
#:[[Image:Samba4logindomain.jpg]]<br />
<br />
= Viewing Samba 4 Active Directory object from Windows =<br />
<br />
We need to install the Windows 2003 Adminpak onto Windows XP in order to use<br />
GUI tools to manage the domain. Before you begin, make sure that the domain<br />
administrators have administrative rights to control your computer. (To<br />
give any user administrative rights in Windows XP Pro, right click My<br />
Computer, select Manage-> choose Groups-> double click Administrators<br />
and add members from domain into the member list. When you add<br />
members from Active Directory, it will prompt you to enter an<br />
Active Directory username and password).<br />
<br />
== Step 1: Installing Windows Remote Administration Tools onto Windows ==<br />
<br />
=== Windows 8/7/Vista ===<br />
<br />
#Download the Windows Remote Administration Tools from:<br />
#* http://www.microsoft.com/download/details.aspx?id=28972 (Windows 8)<br />
#* http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en (Vista)<br />
#* http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en (Windows 7)<br />
#Follow the "Install RSAT" instructions ''(Just a note: After installing, you have to enable the features in "Turn Windows features on or off" in "Programs" of the Control Panel!)''.<br />
<br />
=== Windows XP Pro ===<br />
<br />
==== Administration Tools Pack & Support Tools ====<br />
# Download adminpak and supporttools from:<br />
#* http://www.microsoft.com/downloads/en/details.aspx?FamilyID=86b71a4f-4122-44af-be79-3f101e533d95<br />
#* http://download.microsoft.com/download/3/e/4/3e438f5e-24ef-4637-abd1-981341d349c7/WindowsServer2003-KB892777-SupportTools-x86-ENU.exe<br />
#:If you installed an older version of the adminpak, you'll notice the dial-in tab is missing from property pages. Just follow the link above to get SP2 which does not have this issue.<br />
# Run through the installation.<br />
# Press Start->Run and type 'dsa.msc'. If an 'Active Directory Users and Computers' window pops up, you have installed adminpak successfully. You can also find this at Start>Programs>Administrative Tools, which should have a lot more items now.<br />
# Go to c:\Program Files\Support Tools to check whether the support tools were installed correctly; if yes, then your XP workstation is ready to manage the Samba 4 Active Directory.<br />
<br />
==== Group Policy Management Console ====<br />
# You may also find the Group Policy Management Console useful. You can download it from<br />
#* http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en<br />
#:This is primarily useful when you have larger installs and are managing many machines. You may need to download the .NET Framework first.<br />
<br />
== Step 2: Viewing Samba Active Directory Content ==<br />
<br />
# When logged on as a Domain Administrator, start the Active Directory Users and Computers Snap-In, either by clicking Start -> Programs\Administrative Tools\Active Directory Users and Computers, or by clicking Start -> Run 'dsa.msc'<br />
# Expand the samdom.example.com tree to see existing objects in the domain.<br />
#:[[Image:Samba4dsa.msc.jpg]]<br />
<br />
= Managing Samba 4 Active Directory From a Windows Client =<br />
One of Samba 4's goals is to integrate with (and replace) Active Directory as a system. At this point, if everything has worked correctly you should have an "Administrative Tools" menu under Programs. If, under Administrative Tools you have "Active Directory Users and Computers", that is a very good sign. Most times, if there is a configuration problem or bug in Samba, AD Users & Computers (among other interfaces) won't show up as an option. You can run it by hand (Start->Run->dsa.msc), but it's unlikely to work correctly.<br />
<br />
<br />
== Step 1: Adding Users into Samba 4 Active Directory ==<br />
Unlike Samba 3, Samba 4 does not require a local Unix user for each Samba user that is created.<br />
<br />
To create a Samba user, use the following command:<br />
<br />
/usr/local/samba/bin/samba-tool user add USERNAME<br />
<br />
To inspect the allocated user ID and SID, use the following command:<br />
<br />
$ /usr/local/samba/bin/wbinfo --name-to-sid USERNAME<br />
S-1-5-21-4036476082-4153129556-3089177936-1005 SID_USER (1)<br />
<br />
$ /usr/local/samba/bin/wbinfo --sid-to-uid S-1-5-21-4036476082-4153129556-3089177936-1005<br />
3000011<br />
<br />
If you want to change this mapping, then use <tt>ldbedit</tt> on the <tt>/usr/local/samba/private/idmap.ldb</tt>, as shown:<br />
<br />
$ ldbedit -e emacs -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
*Note: You can replace <tt>emacs</tt> with your editor of choice.<br />
<br />
You will find records that look like this:<br />
<br />
# record 1<br />
dn: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
cn: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
objectClass: sidMap<br />
objectSid: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
type: ID_TYPE_BOTH<br />
xidNumber: 3000011<br />
distinguishedName: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
If you change the <tt>xidNumber</tt> attribute, save the file, and exit your editor,<br />
then Samba will update the mapping between the SID and the user<br />
ID. Updating group mappings works in the same way.<br />
<br />
*Note: You can also manage users using the normal Windows AD user management tools.<br />
<br />
= Setting Up Roaming Profiles =<br />
<br />
1. You will need to create a share for the profiles, typically named <tt>profiles</tt>. Edit the <tt>/usr/local/samba/etc/smb.conf</tt> to include:<br />
<br />
[profiles]<br />
path = /usr/local/samba/var/profiles<br />
read only = no<br />
<br />
2. Create the directory above using:<br />
<br />
$ sudo mkdir /usr/local/samba/var/profiles<br />
<br />
3. In Windows, start ''Active Directory Users and Computers'', select all the users, right click, and hit properties<br />
<br />
4. Under the profile tab, in the ''Profile path'', type the path to your share along with %USERNAME% as follows:<br />
<br />
\\sambaserver.samdom.example.com\profiles\%USERNAME%<br />
<br />
5. click OK, logout and login as one of those users. When you logout again, you should see that the profile has been synced onto the samba server.<br />
<br />
*Note: An excellent walk-through on configuring Roaming Profiles and Folder Redirection is available [http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/ here.]<br />
<br />
= Adding Organization Units (OU) Into a Samba Domain = <br />
<br />
The Organizational Unit (OU) is a powerful feature in Active<br />
Directory. This is a type of container which allows you to drag & drop<br />
users and/or computers into it.<br />
<br />
We can link several types of group policies to an OU, and the settings<br />
will push out to all users/computers that sit under the OU. Within a single domain,<br />
you can have as many OUs and sub-OUs as you'd like. The result is that<br />
it can greatly reduce administrative overhead since you are able to<br />
manage everything via an OU. The implementation of Group Policy will<br />
be discussed in the next chapter.<br />
<br />
Before we create an OU, we must know what one looks like. By default<br />
we can see a sample OU called 'Domain Controllers', which uses a different<br />
icon in the Windows management tools than the 'users' and 'computers'<br />
containers. We can deploy Group Policy to the users or the computers container.<br />
<br />
# To create an OU as the Domain Administrator, click Start -> Run -> dsa.msc<br />
# Right click your domain.<br />
# Select New -> Organizational Unit<br />
# Type 'OU Demo'<br />
# You will see a new OU appear, with the name 'OU Demo'.<br />
# You can drag the user 'demo' into the new OU (Don't move other users! Unless you want to get stuck!).<br />
# Right click 'OU Demo', A sub-OU can be created with New -> Organizational Unit.<br />
<br />
Normally OUs are created according to the department setup of your<br />
organization. Be careful not to confuse Groups and OUs. Groups are<br />
used to control permissions, OUs are used for deploying settings to<br />
all users/computers within the OU.<br />
<br />
= Implementing Group Policies (GPO) in A Samba Domain =<br />
<br />
Samba Active Directory has support for Group Policies, and can create<br />
Group Policies on the fly. The basic idea of Group Policies is:<br />
<br />
# Group Policies have two kinds of settings: computers and users.<br />
# Computer settings apply to computers, while user settings apply to users.<br />
# We link the group policy to a particular OU, and the group policy will affect all computers/users under the OU.<br />
# To add a group policy, right click 'OU Demo' OU->properties.<br />
# Choose group policy.<br />
# Press new, and name it as 'GP Demo'.<br />
# Press edit to modify the policy.<br />
# Here we will demonstrate how to block users from accessing the control panel. Open the tree 'User Configuration'->'Administrative Templates'->'Control Panel'.<br />
# Double click on 'Prohibit access to the Control Panel'.<br />
# Press enabled and then press OK. Now all users under 'OU Demo' won't be able to access the control panel.<br />
# Make sure that the user 'demo' is inside the 'OU Demo' (You can drag and drop it). <br />
# Logout and login as user 'demo'.<br />
# You'll find user demo is not able to access control panel.<br />
<br />
== Notes ==<br />
:User configuration will take effect once you logout and login.<br />
:Computer configuration will take effect when you restart the computer.<br />
:GPO Password Policies are not read by Samba when assigning passwords, to change the policy that Samba uses you must use '''samba-tool domain passwordsettings'''<br />
<br />
To learn more about managing and implementing organizational units, group policies, and Active Directory, try a web search for Windows 2003 Active Directory implementation.<br />
<br />
= Joining a Windows Domain Controller as an Additional DC in a Domain =<br />
<br />
Once you have a Samba domain controller set up, you can choose to join<br />
additional domain controllers to the domain, whether they be<br />
additional Samba domain controllers, or additional Windows domain<br />
controllers.<br />
<br />
If you wish to join an additional Samba domain controller to a domain,<br />
then please see the [[Samba4/HOWTO/Join a domain as a DC|Joining a domain as a DC]] page. The instructions<br />
on that page are the same for joining Samba to a Windows domain as<br />
they are for joining Samba to an existing Samba domain.<br />
<br />
If you wish to join a new Windows domain controller to a Samba domain,<br />
then you should use the 'dcpromo' tool on the Windows machine. Please<br />
see the normal instructions for installing dcpromo on Windows, with<br />
the exception that you should not check the 'DNS server' option box<br />
when it is offered. Right now you should either use Windows for DNS,<br />
or use Samba and bind9 for DNS. Mixing the two can work, but it is an<br />
advanced topic that is beyond the scope of this howto.<br />
<br />
= Migrating an Existing Samba Domain to Samba =<br />
<br />
It is very likely that you already have a running Samba3 domain on your network. The question is, how do you migrate that domain and all of its users and machines over to a new Samba 4 based domain without having to move every user profile and machine to the new domain? The answer is the [[Samba4/samba-tool/domain/classicupgrade/HOWTO|samba-tool domain classicupgrade]] function.<br />
<br />
= Connecting other services to your new/migrated Active Directory =<br />
<br />
If you have finished setting up or migrating to Samba 4, you may want to connect other services<br />
to your new Active Directory. Have a look at the [[Samba4/beyond|Beyond Samba]] page.<br />
<br />
= Report Your Success/Failure! =<br />
<br />
Samba, as a replicating domain controller, is still developing rapidly.<br />
We'd like to hear from users about their successes and<br />
failures. We would encourage you to report both your successes and failures<br />
to the [mailto:samba-technical@lists.samba.org samba-technical] mailing list on http://lists.samba.org</div>BBaumbachhttps://wiki.samba.org/index.php?title=WinTest&diff=7087WinTest2012-11-21T11:47:51Z<p>BBaumbach: </p>
<hr />
<div>== Testing against Windows with WinTest ==<br />
<br />
WinTest is a framework for testing Samba against Windows virtual machines. It aims to provide a reliable, repeatable test system that any Samba developer can setup.<br />
<br />
The core of WinTest is based on [http://www.noah.org/wiki/pexpect pexpect], a python expect system that provides a flexible way of controlling command line tools.<br />
<br />
Some background information on WinTest is available in [http://blog.tridgell.net/?p=91 this blog post]<br />
<br />
== Setting up your environment for WinTest ==<br />
<br />
To run WinTest, you need a Linux host that can control Windows VMs. Any scriptable VM system that supports snapshots should work. There are currently four example config files for WinTest.<br />
If you build a config for a different VM system, please contribute an example config file.<br />
* [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/conf/tridge.conf tridge.conf] for using VirtualBox.<br />
* [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/conf/abartlet.conf abartlet.conf] for using virsh to control KVM.<br />
* [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/conf/zahari-esxi.conf zahari-esxi.conf] using VMware ESXi via ssh.<br />
* [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/conf/bbaumbach.conf bbaumbach.conf] using VirtualBox in headless mode, since some systems have problems running VMs with "su" in default GUI mode.<br />
<br />
The current [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/test-s4-howto.py test script] can use and test the following VMs:<br />
* Windows7<br />
* WindowsXP<br />
* Windows2003<br />
* Windows2008<br />
* Windows2008R2<br />
<br />
You don't need to setup all of these VMs to run the test. The script will look for what VMs you have defined in your config file and will only run tests against those VMs.<br />
<br />
=== Setting up a VM ===<br />
<br />
Each of the VMs needs to be setup with the following properties:<br />
<br />
* The Telnet server needs to be enabled.<br />
* netdom.exe needs to be installed for VMs that will join Samba as a workstation.<br />
* dcdiag.exe needs to be installed for VMs that are DCs.<br />
* The machine needs to have a snapshot with it fully booted.<br />
<br />
It is also a good idea to do the following:<br />
* Ensure that in the snapshot the machine is activated, and windows update is disabled.<br />
* Disable the firewall, although the script will try to do that if Telnet is working.<br />
<br />
Make sure that you test that you can Telnet into the machine. You may need to add "Authenticated Users" to the [http://support.microsoft.com/kb/250908 TelnetClients group].<br />
<br />
== Running The Tests ==<br />
<br />
You need to run the tests as root. After you have created a config file (based on one of the examples), you should run it like this:<br />
<br />
sudo wintest/test-s4-howto.py --conf wintest/conf/tridge.conf --rebase<br />
<br />
This will run the full set of tests, using the parameters from your config file. See the config file for details on where it gets the source tree from and where it builds it. On my laptop the full test suite currently takes about 30 minutes.<br />
<br />
You may find this [http://samba.org/tridge/wintest-output.txt sample output] useful to see what happens when you run WinTest.<br />
<br />
== DNS Setup ==<br />
<br />
Without setting a special DNS backend, the test will setup Bind9 with the DLZ backend for dynamic updates. In newer versions, the Samba internal DNS can be used by running Wintest with --dns-backend=SAMBA_INTERNAL.<br />
<br />
The tests aim to run Samba in a manner as close to real production use as possible. To make this possible, the test will modify your /etc/resolv.conf file to point at the DNS server it starts. The DNS server config is set up to automatically forward DNS requests for non-WinTest hosts to your original nameserver, so it should not affect normal usage of your machine. The test restores your resolv.conf to its original value when it is complete.<br />
<br />
== Network Setup ==<br />
<br />
The script will create an IP alias on whatever network interface you set up in your config file. Samba and the DNS server will be setup to listen on that IP alias. The Windows VMs will be automatically modified to set up their networking to point at the IP alias.<br />
<br />
The idea behind this arrangement is that you can run this script on your primary development workstation (eg. your laptop), and you will be able to keep using the machine for normal work while the test is running.<br />
<br />
== What is Tested? ==<br />
<br />
The main things that are tested are:<br />
* Joining Windows XP and Windows 7 to a Samba4 domain as member servers<br />
* Joining Windows 2003, Windows 2008, and Windows 2008R2 as DCs in a Samba domain<br />
* Joining Windows 2008R2 as a RODC to a Samba domain<br />
* Joining Samba as a DC in a Windows 2003, Windows 2008, and Windows 2008R2 domain<br />
* Joining Samba as a RODC in a Windows 2008R2 domain<br />
* DRS replication between Windows and Samba for all the above DC arrangements<br />
* Dynamic DNS with TSIG/GSS, using bind9 or the internal DNS<br />
* Dynamic DNS<br />
<br />
The list of tests is likely to grow rapidly as WinTest is developed further.<br />
<br />
== Samba3 Testing ==<br />
<br />
There is a skeleton of a [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/test-s3.py Samba3 test] in WinTest, but it needs to be developed further. It would be great if someone could volunteer to expand it to be a useful test of Samba3 against Windows.<br />
<br />
== Buildfarm Integration ==<br />
<br />
We hope in the future to integrate WinTest with [http://build.samba.org the build farm], providing web based access to regular testing of Samba against Windows. The main thing that needs to be done is to convert WinTest to use the subunit python testing framework that the build farm uses.</div>BBaumbachhttps://wiki.samba.org/index.php?title=WinTest&diff=7086WinTest2012-11-21T10:03:20Z<p>BBaumbach: we do have signed dns updates</p>
<hr />
<div>== Testing against Windows with WinTest ==<br />
<br />
WinTest is a framework for testing Samba against Windows virtual machines. It aims to provide a reliable, repeatable test system that any Samba developer can setup.<br />
<br />
The core of WinTest is based on [http://www.noah.org/wiki/pexpect pexpect], a python expect system that provides a flexible way of controlling command line tools.<br />
<br />
Some background information on WinTest is available in [http://blog.tridgell.net/?p=91 this blog post]<br />
<br />
== Setting up your environment for WinTest ==<br />
<br />
To run WinTest, you need a Linux host that can control Windows VMs. Any scriptable VM system that supports snapshots should work. There are currently four example config files for WinTest.<br />
If you build a config for a different VM system, please contribute an example config file.<br />
* [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/conf/tridge.conf tridge.conf] for using VirtualBox.<br />
* [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/conf/abartlet.conf abartlet.conf] for using virsh to control KVM.<br />
* [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/conf/zahari-esxi.conf zahari-esxi.conf] using VMware ESXi via ssh.<br />
* [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/conf/bbaumbach.conf bbaumbach.conf] using VirtualBox in headless mode, since some systems have problems running VMs with "su" in default GUI mode.<br />
<br />
The current [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/test-s4-howto.py test script] can use and test the following VMs:<br />
* Windows7<br />
* WindowsXP<br />
* Windows2003<br />
* Windows2008<br />
* Windows2008R2<br />
<br />
You don't need to setup all of these VMs to run the test. The script will look for what VMs you have defined in your config file and will only run tests against those VMs.<br />
<br />
=== Setting up a VM ===<br />
<br />
Each of the VMs needs to be setup with the following properties:<br />
<br />
* The Telnet server needs to be enabled.<br />
* netdom.exe needs to be installed for VMs that will join Samba as a workstation.<br />
* dcdiag.exe needs to be installed for VMs that are DCs.<br />
* The machine needs to have a snapshot with it fully booted.<br />
<br />
It is also a good idea to do the following:<br />
* Ensure that in the snapshot the machine is activated, and windows update is disabled.<br />
* Disable the firewall, although the script will try to do that if Telnet is working.<br />
<br />
Make sure that you test that you can Telnet into the machine. You may need to add "Authenticated Users" to the [http://support.microsoft.com/kb/250908 TelnetClients group].<br />
<br />
== Running The Tests ==<br />
<br />
You need to run the tests as root. After you have created a config file (based on one of the examples), you should run it like this:<br />
<br />
sudo wintest/test-s4-howto.py --conf wintest/conf/tridge.conf --rebase<br />
<br />
This will run the full set of tests, using the parameters from your config file. See the config file for details on where it gets the source tree from and where it builds it. On my laptop the full test suite currently takes about 30 minutes.<br />
<br />
You may find this [http://samba.org/tridge/wintest-output.txt sample output] useful to see what happens when you run WinTest.<br />
<br />
== DNS Setup ==<br />
<br />
Without setting a special DNS backend, the test will setup Bind9 with the DLZ backend for dynamic updates. In newer versions, the Samba internal DNS can be used by running Wintest with --dns-backend=SAMBA_INTERNAL.<br />
<br />
The tests aim to run Samba in a manner as close to real production use as possible. To make this possible, the test will modify your /etc/resolv.conf file to point at the DNS server it starts. The DNS server config is set up to automatically forward DNS requests for non-WinTest hosts to your original nameserver, so it should not affect normal usage of your machine. The test restores your resolv.conf to its original value when it is complete.<br />
<br />
== Network Setup ==<br />
<br />
The script will create an IP alias on whatever network interface you set up in your config file. Samba and the DNS server will be setup to listen on that IP alias. The Windows VMs will be automatically modified to set up their networking to point at the IP alias.<br />
<br />
The idea behind this arrangement is that you can run this script on your primary development workstation (eg. your laptop), and you will be able to keep using the machine for normal work while the test is running.<br />
<br />
== What is Tested? ==<br />
<br />
The main things that are tested are:<br />
* Joining Windows XP and Windows 7 to a Samba4 domain as member servers<br />
* Joining Windows 2003, Windows 2008, and Windows 2008R2 as DCs in a Samba domain<br />
* Joining Windows 2008R2 as a RODC to a Samba domain<br />
* Joining Samba as a DC in a Windows 2003, Windows 2008, and Windows 2008R2 domain<br />
* Joining Samba as a RODC in a Windows 2008R2 domain<br />
* DRS replication between Windows and Samba for all the above DC arrangements<br />
* Dynamic DNS with b, using bind9 or the internal DNS<br />
* Dynamic DNS<br />
<br />
The list of tests is likely to grow rapidly as WinTest is developed further.<br />
<br />
== Samba3 Testing ==<br />
<br />
There is a skeleton of a [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/test-s3.py Samba3 test] in WinTest, but it needs to be developed further. It would be great if someone could volunteer to expand it to be a useful test of Samba3 against Windows.<br />
<br />
== Buildfarm Integration ==<br />
<br />
We hope in the future to integrate WinTest with [http://build.samba.org the build farm], providing web based access to regular testing of Samba against Windows. The main thing that needs to be done is to convert WinTest to use the subunit python testing framework that the build farm uses.</div>BBaumbachhttps://wiki.samba.org/index.php?title=WinTest&diff=6721WinTest2012-07-20T13:35:14Z<p>BBaumbach: mention and describe new config files and option to use the internal dns server</p>
<hr />
<div>== Testing against Windows with wintest ==<br />
<br />
wintest is a framework for testing Samba against Windows virtual machines. It aims to provide a reliable, repeatable test system that any Samba developer can setup.<br />
<br />
The core of wintest is based on [http://www.noah.org/wiki/pexpect pexpect], a python expect system that provides a flexible way of controlling command line tools.<br />
<br />
Some background information on wintest is available in [http://blog.tridgell.net/?p=91 this blog post]<br />
<br />
== Setting up your environment for wintest ==<br />
<br />
To run wintest you need a Linux host that can control Windows VMs. Any scriptable VM system that supports snapshots should work. There are currently four example config files for wintest.<br />
If you build a config for a different VM system, please contribute an example config file.<br />
* [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/conf/tridge.conf tridge.conf] for using VirtualBox.<br />
* [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/conf/abartlet.conf abartlet.conf] for using virsh to control KVM.<br />
* [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/conf/zahari-esxi.conf zahari-esxi.conf] using VMware ESXi via ssh.<br />
* [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/conf/bbaumbach.conf bbaumbach.conf] using VirtualBox in headless mode, since some systems have problems running VMs with "su" in default gui mode.<br />
<br />
The current [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/test-s4-howto.py test script] can use and test the following VMs:<br />
* Windows7<br />
* WindowsXP<br />
* Windows2003<br />
* Windows2008<br />
* Windows2008R2<br />
<br />
You don't need to setup all of these VMs to run the test. The script will look for what VMs you have defined in your config file and will only run tests against those VMs.<br />
<br />
=== Setting up a VM ===<br />
<br />
Each of the VMs needs to be setup with the following properties:<br />
<br />
* the telnet server needs to be enabled<br />
* for VMs that will join Samba as a workstation, netdom.exe needs to be installed<br />
* for VMs that are DCs, dcdiag.exe needs to be installed<br />
* the machine needs to have a snapshot with it fully booted<br />
<br />
It is also a good idea to do the following:<br />
* ensure that in the snapshot the machine is activated, and windows update is disabled<br />
* it is a good idea to disable the firewall, although the script will try to do that if telnet is working<br />
<br />
Make sure you test that telnet into the machine works. You may need to add "Authenticated Users" to the [http://support.microsoft.com/kb/250908 TelnetClients group].<br />
<br />
== Running the tests ==<br />
<br />
You need to run the tests as root. After you have created a config file (based on one of the examples), you should run it like this:<br />
<br />
sudo wintest/test-s4-howto.py --conf wintest/conf/tridge.conf --rebase<br />
<br />
This will run the full set of tests, using the parameters from your config file. See the config file for details on where it gets the source tree from and where it builds it. On my laptop the full test suite currently takes about 30 minutes.<br />
<br />
You may find this [http://samba.org/tridge/wintest-output.txt sample output] useful to see what happens when you run wintest.<br />
<br />
== DNS setup ==<br />
<br />
Without setting a special DNS backend the test will setup a bind9 with the dlz backend for dynamic updates. In newer versions the Samba internal DNS can be used by running wintest with --dns-backend=SAMBA_INTERNAL.<br />
<br />
The tests aim to run Samba in a manner as close to real production use as possible. To make this possible, the test will modify your /etc/resolv.conf to point at the DNS server it starts. The DNS server config is set up to automatically forward DNS requests for non-wintest hosts to your original nameserver, so it should not affect normal usage of your machine. The test restores your resolv.conf to its original value when the test is complete.<br />
<br />
== Network setup ==<br />
<br />
The script will create an IP alias on whatever network interface you setup in your config file. Samba and the DNS server will be setup to listen on that IP alias, and the Windows VMs will be automatically modified to setup their networking to point at the IP alias.<br />
<br />
The idea behind this arrangement is that you can run this script on your primary development workstation (eg. your laptop), and you will be able to keep using the machine for normal work while the test is running.<br />
<br />
== What is tested? ==<br />
<br />
The main things that are tested are:<br />
* joining WinXP and Windows7 to a Samba4 domain as member servers<br />
* joining Windows2003, Windows2008 and Windows2008R2 as DCs in a Samba domain<br />
* joining Windows2008R2 as a RODC to a Samba domain<br />
* joining Samba as a DC in a Windows2003, Windows2008 and Windows2008R2 domain<br />
* joining Samba as a RODC in a Windows2008R2 domain<br />
* DRS replication between Windows and Samba for all the above DC arrangements<br />
* dynamic DNS with TSIG/GSS, using bind9<br />
* dynamic DNS (until now) without TSIG/GSS, using the internal DNS Server if selected<br />
<br />
The list of tests is likely to grow rapidly as wintest is developed further.<br />
<br />
== Samba3 testing ==<br />
<br />
There is a skeleton of a [http://samba.org/ftp/unpacked/samba_4_0_test/wintest/test-s3.py Samba3 test] in wintest, but it needs to be developed further. It would be great if someone could volunteer to expand it to be a useful test of Samba3 against Windows.<br />
<br />
== Buildfarm integration ==<br />
<br />
We hope in the future to integrate wintest with [http://build.samba.org the build farm], providing web based access to regular testing of Samba against Windows. The main thing that needs to be done is to convert wintest to use the subunit python testing framework that the build farm uses.</div>BBaumbachhttps://wiki.samba.org/index.php?title=Setting_up_Samba_as_an_Active_Directory_Domain_Controller&diff=6464Setting up Samba as an Active Directory Domain Controller2012-03-22T11:21:44Z<p>BBaumbach: </p>
<hr />
<div>= Samba4 HOWTO =<br />
<br />
This document explains how to setup a simple Samba4<br />
server. This is aimed at people who are already familiar with Samba3<br />
and wish to participate in Samba4 development or test the alpha<br />
releases of Samba4. This is not aimed at general production use of<br />
Samba4, although some brave sites are running Samba4 in production<br />
based on these instructions.<br />
<br />
== Video demonstrations of this HOWTO ==<br />
<br />
A set of [[samba4/videos|demonstration videos]] is available that<br />
may provide a useful overview of the contents of this HOWTO.<br />
<br />
== A note on alpha versions ==<br />
<br />
Samba4 is developing very rapidly. This HOWTO is frequently updated to reflect the latest changes in the Samba git repository.<br />
<br />
== Step 1: Download Samba4 ==<br />
<br />
If you have downloaded the Samba4 code via a tarball released from the<br />
samba.org website, Step 1 has already been completed for you. For testing<br />
with the version released in the tarball, you may continue on to Step 2.<br />
<br />
Note that the references below to the top-level directory named<br />
"samba-master" will instead be based on the name of the tarball<br />
downloaded (e.g. "samba-4.0.0alpha13" for the tarball<br />
samba-4.0.0alpha13.tar.gz). Also note that in the "master" branch the<br />
samba4 code in our current git tree is now located in the top level<br />
directory.<br />
<br />
Otherwise there are two methods for downloading the current samba version:<br />
<br />
* via git<br />
* via rsync<br />
<br />
If you don't have rsync or git then install one of them, or stick to the latest tarball release.<br />
If you have a choice, we strongly recommend using the git method for<br />
downloading Samba, as it makes getting updates easier, and also allows<br />
you to integrate test patches from Samba developers more easily in<br />
case of problems.<br />
<br />
=== git ===<br />
<br />
$ git clone git://git.samba.org/samba.git samba-master; cd samba-master<br />
<br />
or via http:<br />
<br />
$ git clone http://gitweb.samba.org/samba.git samba-master; cd samba-master<br />
<br />
This will create a directory called "samba-master" in the current<br />
directory.<br />
<br />
If you want to update the tree to the latest version run:<br />
<br />
$ git pull<br />
<br />
=== rsync ===<br />
<br />
$ rsync -avz samba.org::ftp/unpacked/samba_4_0_test/ samba-master<br />
<br />
Note that the above rsync command will give you a checked out git<br />
repository, but it needs some changes so that you can update it using git:<br />
<br />
$ cd samba-master/<br />
$ rm .git/refs/tags/*<br />
$ rm -r .git/refs/remotes/<br />
$ git config remote.origin.url git://git.samba.org/samba.git<br />
$ git config --add remote.origin.fetch +refs/tags/*:refs/tags/* (this line is optional)<br />
$ git fetch<br />
<br />
Note you can ignore this error from git fetch:<br />
error: refs/heads/master does not point to a valid object!<br />
<br />
You can update it to the latest version at some future date using:<br />
<br />
$ git pull<br />
<br />
If you get an error like this:<br />
fatal: Unable to create '[...]/samba_master/.git/index.lock': File exists.<br />
remove the lock file and try running "git pull" again.<br />
<br />
== Step 2: Compile Samba4 ==<br />
<br />
Required development libraries:<br />
*Python development libraries (python-dev in Debian/Ubuntu) required to compile<br />
<br />
Recommended optional development libraries:<br />
*acl and xattr development libraries (libattr1-dev package in Debian/Ubuntu)<br />
*blkid development libraries (libblkid-dev package in Debian/Ubuntu)<br />
*gnutls (libgnutls-dev package in Debian/Ubuntu)<br />
*readline (libreadline-dev package in Debian/Ubuntu)<br />
*openldap (openldap2-devel in openSUSE) is required to build the Samba3 components with LDAP support. Lacking this library the build will complete but attempts to provision (via upgrade) an Active Directory domain from an existing Samba3 LDAP backend will fail.<br />
<br />
<br />
For Debian:<br />
$ apt-get install build-essential libattr1-dev libblkid-dev \<br />
libgnutls-dev libreadline-dev python-dev autoconf \<br />
python-dnspython gdb pkg-config bind9utils libpopt-dev<br />
<br />
For Fedora:<br />
<br />
$ yum install libacl-devel libblkid-devel gnutls-devel \<br />
readline-devel python-devel gdb pkgconfig<br />
<br />
For Red Hat Enterprise Linux 6.x or CentOS 6.x:<br />
<br />
$ yum install libacl-devel libblkid-devel gnutls-devel \<br />
readline-devel python-devel gdb pkgconfig<br />
$ yum install gtkhtml setroubleshoot-server \<br />
setroubleshoot-plugins policycoreutils-python \<br />
libsemanage-python setools-libs-python setools-libs \<br />
popt-devel libpcap-devel sqlite-devel libidn-devel \<br />
libxml2-devel libacl-devel libsepol-devel libattr-devel \<br />
keyutils-libs-devel zlib-devel cyrus-sasl-devel<br />
<br />
For openSUSE 11.4 or openSUSE 12.1:<br />
<br />
$ zypper install libacl-devel python-selinux autoconf make \<br />
python-devel gdb sqlite3-devel libgnutls-devel binutils \<br />
policycoreutils-python setools-libs selinux-policy \<br />
setools-libs popt-devel libpcap-devel keyutils-devel \<br />
libidn-devel libxml2-devel libacl-devel libsepol-devel \<br />
libattr-devel zlib-devel cyrus-sasl-devel gcc \<br />
krb5-client openldap2-devel libopenssl-devel<br />
<br />
To build, run this:<br />
<br />
$ cd samba-master<br />
$ ./configure.developer<br />
$ make<br />
<br />
The above command will setup Samba4 to install in /usr/local/samba. If<br />
you want Samba to install somewhere else then you should use the<br />
--prefix option to configure.developer.<br />
<br />
The reason we recommend using configure.developer rather than<br />
configure for Samba4 alpha releases is that it will include extra<br />
debug information that will help us diagnose problems in case of<br />
failures. It will also allow you to run the various builtin automatic<br />
tests.<br />
<br />
== Step 3: Install Samba4 ==<br />
<br />
Run this as a user who has permission to write to the install<br />
directory (which defaults to /usr/local/samba). Use --prefix option to<br />
configure.developer above to change this.<br />
<br />
$ make install<br />
<br />
For the rest of this HOWTO we will assume that you have installed<br />
Samba4 in the default location, which is /usr/local/samba.<br />
<br />
== Step 4: Provision Samba4 ==<br />
<br />
The "provision" step sets up a basic user database, and is used when you are setting up your Samba4<br />
server in its own domain. If you instead want to setup your Samba4 server as an additional domain controller<br />
in an existing domain, then please see the separate page on [[Samba4 joining a domain]]. If you want to migrate an existing Samba3 domain to Samba4, see the [[#Migrating an Existing Samba3 Domain to Samba4|Migrating an Existing Samba3 Domain to Samba4]] section on this page.<br />
<br />
In the following examples we will assume your DNS domain name is<br />
'samdom.example.com' and your short (also known as NT4) domain name is<br />
'samdom'. We will assume that your Samba server's hostname is samba.<br />
<br />
It must be run as a user with permission to write to the install directory (which means you may need to run this command with sudo)<br />
<br />
# /usr/local/samba/sbin/provision \<br />
--realm=samdom.example.com --domain=SAMDOM \<br />
--adminpass=SOMEPASSWORD --server-role=dc<br />
<br />
If you get an error like this:<br />
tdb_open_ex: could not open file /usr/local/samba/private/sam.ldb.d/DC=SAMDOM,DC=EXAMPLE,DC=COM. ldb: Permission denied<br />
then you need to rerun with sudo<br />
<br />
Troubleshooting note:<br />
you may need to rm the smb.conf file if you failed to pass valid names and provision previously failed<br />
<br />
There are many other options you can pass to the 'provision' command, run it with the --help option to see a list of them.<br />
<br />
*Note: when using the Debian SID samba4 package, the provision script and the samba4 installation will abort if <tt>hostname -d</tt> returns an empty string (domain name not found). The debian4.config script derives REALM as follows: <tt>REALM=`hostname -d | tr 'a-z' 'A-Z'`</tt>. So check that /etc/resolv.conf contains:<br />
domain ''samdom.example.com''<br />
<br />
== Step 5: Starting Samba4 ==<br />
<br />
If you are planning to run Samba4 as a production server, then just run the "samba" binary as root<br />
<br />
# samba<br />
<br />
That will run Samba4 in 'standard' mode, which is suitable for<br />
production use. Samba4 alpha13 doesn't yet have init scripts included<br />
for each platform, but making one for your platform should not be<br />
difficult.<br />
<br />
If you are running Samba4 as a developer you may find<br />
the following more useful:<br />
<br />
# samba -i -M single<br />
<br />
This starts "samba" with messages on stdout, running as a<br />
single process. That mode of operation makes debugging "samba" with gdb<br />
particularly easy. If you want to launch it under gdb, then the following<br />
example could be useful:<br />
<br />
$ sudo gdb --args bin/samba -i -M single<br />
<br />
Note that if you are running any Samba3 smbd or nmbd processes<br />
they need to be stopped before starting "samba" from Samba 4.<br />
<br />
Make sure you put the bin and sbin directories from your new install<br />
in your $PATH or you may end up running the wrong version. You can see what version <br />
you have by running "samba -V".<br />
<br />
Note: in older developer versions of samba4 "samba" was still called "smbd".<br />
<br />
== Step 6: Testing Samba4 ==<br />
<br />
=== smbclient ===<br />
<br />
First check you have the right version of smbclient in your $PATH<br />
<br />
$ smbclient --version<br />
<br />
This should show you a version starting with "Version 4.0.XXXXX". <br />
<br />
Now try this command:<br />
<br />
$ smbclient -L localhost -U%<br />
<br />
That should show you a list of shares available on your server. For example:<br />
<br />
Sharename Type Comment<br />
--------- ---- -------<br />
test Disk<br />
netlogon Disk<br />
sysvol Disk<br />
IPC$ IPC IPC Service (Samba 4.0.0alpha12-GIT-5e755e9)<br />
ADMIN$ Disk DISK Service (Samba 4.0.0alpha12-GIT-5e755e9)<br />
<br />
The 'netlogon' and 'sysvol' shares are basic shares needed for Active Directory server<br />
operation. <br />
<br />
To test that authentication is working, you should try to connect to the netlogon share<br />
using the administrator password you set earlier.<br />
<br />
$ smbclient //localhost/netlogon -Uadministrator%PASSWORD<br />
<br />
You should get a "smb>" prompt, and access to your netlogon directory.<br />
<br />
== Step 7: Create a share in smb.conf ==<br />
<br />
The provisioning will create a very simple smb.conf with no shares by<br />
default. For the server to be useful you will need to update it to<br />
have at least one share. For example:<br />
<br />
[test]<br />
path = /data/test<br />
read only = no<br />
<br />
Note that in current alpha versions of Samba4 you need to restart Samba<br />
to make new shares visible. This will be fixed in a future release.<br />
<br />
== Step 8: Configure DNS ==<br />
<br />
A working DNS setup is essential to the correct operation of<br />
Samba4. Without the right DNS entries, kerberos won't work, which in<br />
turn means that many of the basic features of Samba4 won't work.<br />
<br />
It is worth spending some extra time to ensure your DNS setup is just<br />
right, as debugging problems caused by mis-configured DNS can take a<br />
lot of time later on.<br />
<br />
The simplest way to get a working DNS setup for Samba4 is to start<br />
with the DNS zone and configuration files that are created by the<br />
'provision' step above. If you look in /usr/local/samba/private<br />
directory, you'll find a file called 'named.conf' and another one<br />
called samdom.example.com.zone in the dns subdirectory (adjusted for your real DNS domain name<br />
of course!).<br />
<br />
Assuming you have a bind9 DNS server installed, you can activate the<br />
configuration that the provision has created by adding a line like<br />
this to /etc/bind/named.conf.local:<br />
<br />
include "/usr/local/samba/private/named.conf";<br />
<br />
After adding that line you should restart your bind server and check<br />
in the system logs for any problems.<br />
<br />
One common problem is that many modern Linux distributions activate<br />
'Apparmor' or 'SELinux' by default, and these may be configured to<br />
deny bind access to the named.conf and zone files created in<br />
the provision. If your bind logs show that bind is getting an access<br />
denied error accessing these files then please see your local system<br />
documentation for how to enable access to these files in bind (hint:<br />
for Apparmor systems such as Ubuntu, the command aa-logprof may be<br />
useful).<br />
<br />
Now you need to test that DNS is working correctly. Check that your<br />
/etc/resolv.conf is pointing correctly at your local DNS server, then<br />
run the following commands:<br />
<br />
$ host -t SRV _ldap._tcp.samdom.example.com.<br />
_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com.<br />
<br />
$ host -t SRV _kerberos._udp.samdom.example.com.<br />
_kerberos._udp.samdom.example.com has SRV record 0 100 88 samba.samdom.example.com.<br />
<br />
$ host -t A samba.samdom.example.com.<br />
samba.samdom.example.com has address 10.0.0.1<br />
<br />
Check that you get answers similar to the ones above (adjusted for<br />
your DNS domain name and hostname). If you get any errors then<br />
carefully check your system logs to find and fix the problem.<br />
<br />
*Note: One of the problems I've had on Debian systems is that the zone autogeneration always detects, and uses, 127.0.1.1 as the domain controller's IP address. That works fine until you 1) Don't have a 127.0.1.1 interface on the machine or 2) Go to join your first client to the domain. In /usr/local/samba/private/named.conf you might need to change 127.0.1.1 to reflect the actual IP address of the server you're setting up.<br />
*Note: On Debian SID (bind9 package), /etc/bind/named.conf.options is missing, which prevents the named daemon from starting and the installation from completing (create an empty file or comment out the corresponding line in /etc/bind/named.conf; see the syslog messages).<br />
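<br />
The three lookups from this step can be checked by script. This is an added example, not part of the original HOWTO: the function name check_dns and both sample outputs are constructed. It reads <tt>host</tt> output on stdin and reports missing SRV records, unexpected ports or targets, and a loopback A record such as the 127.0.1.1 case described in the note above.<br />

```shell
#!/bin/sh
# check_dns DOMAIN SERVER_FQDN
# Reads the combined output of the Step 8 `host` lookups on stdin.
# Prints one line per problem and returns the number of problems (0 = OK).
check_dns() {
    domain=$1
    server=$2
    output=$(cat)
    problems=0

    # Expected SRV records and ports, as shown in the HOWTO:
    # LDAP on 389/tcp, Kerberos on 88/udp.
    for spec in "_ldap._tcp:389" "_kerberos._udp:88"; do
        name="${spec%%:*}.$domain"
        port="${spec##*:}"
        line=$(printf '%s\n' "$output" | grep -F -e "$name has SRV record" | head -n 1)
        if [ -z "$line" ]; then
            echo "MISSING: no SRV record for $name"
            problems=$((problems + 1))
            continue
        fi
        # Fields: name has SRV record <prio> <weight> <port> <target>.
        got_port=$(printf '%s\n' "$line" | awk '{print $7}')
        got_target=$(printf '%s\n' "$line" | awk '{print $8}')
        [ "$got_port" = "$port" ] || {
            echo "PORT: $name points at port $got_port, expected $port"
            problems=$((problems + 1))
        }
        [ "$got_target" = "$server." ] || {
            echo "TARGET: $name points at $got_target, expected $server."
            problems=$((problems + 1))
        }
    done

    # A record of the domain controller itself.
    addr=$(printf '%s\n' "$output" | grep -F -e "$server has address" | awk '{print $4}' | head -n 1)
    if [ -z "$addr" ]; then
        echo "MISSING: no A record for $server"
        problems=$((problems + 1))
    else
        case "$addr" in
            127.*)
                # Clients cannot reach the DC on a loopback address.
                echo "LOOPBACK: $server resolves to $addr; fix the address in the generated zone"
                problems=$((problems + 1))
                ;;
        esac
    fi
    return "$problems"
}

# Constructed sample: the answers shown in the HOWTO.
SAMPLE_GOOD='_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com.
_kerberos._udp.samdom.example.com has SRV record 0 100 88 samba.samdom.example.com.
samba.samdom.example.com has address 10.0.0.1'

# Constructed sample: Kerberos SRV record missing, A record on 127.0.1.1.
SAMPLE_BAD='_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com.
Host _kerberos._udp.samdom.example.com. not found: 3(NXDOMAIN)
samba.samdom.example.com has address 127.0.1.1'

printf '%s\n' "$SAMPLE_GOOD" | check_dns samdom.example.com samba.samdom.example.com \
    && echo "good sample: DNS looks correct"
printf '%s\n' "$SAMPLE_BAD" | check_dns samdom.example.com samba.samdom.example.com \
    || echo "bad sample: $? problem(s) found"
```

On a live system, pipe the real output of the three <tt>host</tt> commands into check_dns instead of the samples.<br />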
<br />
== Step 9: Testing kerberos ==<br />
Once DNS is working, you should test that the Kerberos server built in to<br />
Samba4 is working correctly.<br />
<br />
Before testing, first configure the krb5.conf file (/etc/krb5.conf on RHEL-like systems): replace the existing one with the sample from /usr/local/samba/share/setup/krb5.conf.<br />
Edit the file and replace ${REALM} with your domain name.<br />
<br />
The easiest test is to use the kinit command like this:<br />
<br />
$ kinit administrator@SAMDOM.EXAMPLE.COM<br />
Password:<br />
<br />
''Note:''<br><br />
: You have to give your 'domain realm SAMDOM.EXAMPLE.COM' in <b>uppercase letters</b> to kinit.<br />
<br />
The kinit should complete successfully. After it completes you can<br />
examine the received ticket like this:<br />
<br />
$ klist -e<br />
Ticket cache: FILE:/tmp/krb5cc_1000<br />
Default principal: administrator@SAMDOM.EXAMPLE.COM<br />
<br />
Valid starting Expires Service principal<br />
02/10/10 19:39:48 02/11/10 19:39:46 krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM<br />
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5<br />
<br />
If you find you don't have kinit or klist, you may need to install them. On debian based<br />
systems (such as Ubuntu) the packages are called krb5-config and krb5-user.<br />
<br />
You can also test Kerberos from a remote client; just make sure you have configured the<br />
krb5.conf and the resolv.conf to point to the domain controller IP address.<br />
<br />
''Note:''<br><br />
: If you are using a client behind NAT then you have to add the following to the krb5.conf on the domain controller server:<br />
<br />
[kdc]<br />
check-ticket-addresses = false<br />
<br />
== Step 10 Configure kerberos DNS dynamic updates (optional) ==<br />
<br />
To set up dynamic DNS updates you need to have a recent version of bind9 installed. It is highly recommended that you install at least version 9.8.0 as that version includes a set of patches from the Samba Team to make dynamic DNS updates much more robust and easier to configure. In the instructions below we give instructions for both bind 9.7.2 and 9.8.0, but please use 9.8.0 or later if at all possible.<br />
<br />
For Debian Lenny:<br />
<br />
If you also want to use Dynamically Loadable Zones (DLZ) then you should add the corresponding option (dlopen) depending on your version of bind.<br />
If you are about to compile a downloaded tarball you might need these libraries: libkrb5-dev and libssl-dev<br />
<br />
$ apt-get install libkrb5-dev libssl-dev<br />
$ tar -zxvf bind9.x.x.tar.gz<br />
$ cd bind9.x.x<br />
<br />
Bind9.8.0<br />
<br />
$ ./configure --with-gssapi=/usr/include/gssapi --with-dlz-dlopen=yes<br />
<br />
Bind9.8.1<br />
<br />
$ ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes<br />
<br />
$ make<br />
$ make install<br />
<br />
You can tell what version of bind9 you have using the command "/usr/sbin/named -V". If your OS does not have bind9 9.8.0 or later, then please consider getting it from a package provided by a 3rd party (for example, on Ubuntu there is a ppa available with the newer versions of bind9).<br />
<br />
=== Instructions for bind9 9.8.0 or later ===<br />
<br />
When using bind9 9.8.0 or later you should add a line like the following to the options section of your bind9 config:<br />
options {<br />
[...]<br />
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";<br />
[...]<br />
};<br />
<br />
On some systems (such as Ubuntu) this is located in /etc/bind/named.conf.options. Otherwise look for the "options {" part of your bind9 configuration.<br />
<br />
You also need an include line pointing at the named.conf in the private directory of your Samba install (this file is created by the provision command):<br />
<br />
include "/usr/local/samba/private/named.conf";<br />
<br />
On Debian based systems (such as Ubuntu) this include line is normally put in /etc/bind/named.conf.local. On RedHat based systems it goes in /etc/named.conf.<br />
<br />
=== Instructions for bind9 9.7.x ===<br />
<br />
If you have bind9 9.7.x (specifically 9.7.2 or later), then first determine whether you can<br />
run bind 9.8 instead. You will have far fewer problems. Otherwise, follow these instructions.<br />
<br />
The Samba provision will have created a custom named.conf.update configuration file in the private directory of your Samba install. You need to include it in your master named.conf to allow Samba/Kerberos DNS updates to automatically take place. Be advised that if you include this file in Bind versions that don't support it, Bind will fail to start.<br />
<br />
You additionally need to set two environment variables for bind9 when using bind9 version 9.7.x:<br />
<br />
KEYTAB_FILE="/usr/local/samba/private/dns.keytab"<br />
KRB5_KTNAME="/usr/local/samba/private/dns.keytab"<br />
export KEYTAB_FILE<br />
export KRB5_KTNAME<br />
<br />
These should be put in your settings file for bind9. On Debian based<br />
systems (including Ubuntu) this is in /etc/default/bind9. On RedHat and SUSE derived systems it is<br />
in /etc/sysconfig/named. Strictly speaking you only need either<br />
KEYTAB_FILE or KRB5_KTNAME, but which you need depends on your distro,<br />
so it's easier to just set both.<br />
<br />
The dns.keytab must be readable by the bind server user. This can be accomplished by executing:<br />
 $ chown named:named /usr/local/samba/private/dns.keytab<br />
<br />
(the provision should have set up these permissions for you automatically).<br />
<br />
Then in your /etc/bind/named.conf.options you need this:<br />
<br />
tkey-gssapi-credential "DNS/server.samdom.example.com";<br />
tkey-domain "SAMDOM.EXAMPLE.COM";<br />
<br />
The last part of the credential in the first line must match the dns name of the server you have set up.<br />
<br />
=== Debugging dynamic DNS updates ===<br />
<br />
The way the automatic DNS update in Samba works is that the provision<br />
will create a file /usr/local/samba/private/dns_update_list, which<br />
contains a list of DNS entries that Samba will try to dynamically<br />
update at startup and every 10 minutes thereafter. Updates will only<br />
happen if the DNS entries do not already exist.<br />
<br />
If you want to debug this process, then please run this as root:<br />
<br />
/usr/local/samba/sbin/samba_dnsupdate --verbose<br />
<br />
that will give you more information on the updates that Samba is doing<br />
at runtime, and show you any errors that are generated.<br />
<br />
=== Interaction with apparmor or SELinux ===<br />
<br />
Now you have to ensure that bind can read the dns.keytab file, the<br />
named.conf file and the zone file. It also needs to be able to write<br />
the zone file. The Samba provision tries to setup the permissions<br />
correctly for these files, but you may find you need to make changes<br />
in your Apparmor or SELinux configuration if you are running either of<br />
those. If you are using Apparmor then the aa-logprof command may help<br />
you add any missing permissions you need to add after you start Samba<br />
and bind9 for the first time after configuring them.<br />
<br />
You should also carefully check the permissions on the private/dns directory to ensure it is writeable by bind.<br />
<br />
== Step 11 Configure NTP (optional) ==<br />
<br />
RedHat 6.x:<br />
RedHat does not provide an NTP version recent enough to support signed NTP, so a newer version is required.<br />
<br />
1. Download an NTP release >= 4.2.6 from ntp.org (verify the md5 sum).<br />
<br />
2. Download the Redhat 6.1 ntp source rpm file from RedHat and install.<br />
<br />
3. Edit the ntp.spec and remove all lines regarding patches and correct the version number.<br />
<br />
4. Apply the required edits (a <b>partial</b> diff is shown here), then run <i>$ rpmbuild -ba ntp.spec</i>:<br />
218c115<br />
< --enable-linuxcaps<br />
---<br />
> --enable-linuxcaps --enable-ntp-signd<br />
327a225<br />
> %{_sbindir}/sntp<br />
345,346c243,244<br />
< %{_mandir}/man8/ntptime.8*<br />
< %{_mandir}/man8/tickadj.8*<br />
---<br />
> %{_mandir}/man8/ntpdtime.8*<br />
> #%{_mandir}/man8/tickadj.8*<br />
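Review bot: in the 345,346c243,244 hunk the replacement line lists ntpdtime.8* where the removed line listed ntptime.8*, which is a name change rather than a version adjustment. Confirm that the newer tarball really installs a man page under that name, because a %files entry that matches no installed file makes rpmbuild fail; if the page is absent, comment the entry out the way tickadj.8* is commented out on the next line.<br />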
352c250<br />
< %{_mandir}/man8/ntp-wait.8*<br />
---<br />
> #%{_mandir}/man8/ntp-wait.8*<br />
<br />
For Debian/Ubuntu:<br />
<br />
Recent versions of Debian/Ubuntu already contain a version of ntp with support for signing. For older versions (Debian Squeeze, Ubuntu < 11.04), get a recent version of ntp:<br />
<br />
$ tar -zxvf ntp-4.x.x.tar.gz<br />
$ cd ntp-4.x.x<br />
$ ./configure --enable-ntp-signd<br />
$ make<br />
$ make install<br />
<br />
5. TODO ( add example ntp.conf changes )<br />
<br />
# A simple ntp.conf tested in Debian Lenny<br />
# Using the hardware clock<br />
server 127.127.1.1<br />
fudge 127.127.1.1 stratum 12<br />
ntpsigndsocket /usr/local/samba/var/run/ntp_signd/<br />
restrict default mssntp<br />
[...]<br />
<br />
== NOTES on permissions, SELinux labeling and policy ==<br />
<br />
RedHat 6.X:<br />
<br />
There is still more work to do on creating a Samba4-specific SELinux policy, but for now you should be<br />
able to have everything working *without* disabling SELinux.<br />
<br />
Change permissions:<br />
$ chgrp named /usr/local/samba/private/dns<br />
$ chgrp named /usr/local/samba/private/dns.keytab<br />
$ chmod g+r /usr/local/samba/private/dns.keytab<br />
$ chmod 775 /usr/local/samba/private/dns<br />
<br />
Label files (replace DOMAIN and REALM with proper values):<br />
$ chcon -t named_conf_t /usr/local/samba/private/dns.keytab<br />
$ chcon -t named_conf_t /usr/local/samba/private/named.conf.update<br />
$ chcon -t named_var_run_t /usr/local/samba/private/dns<br />
$ chcon -t named_var_run_t /usr/local/samba/private/dns/DOMAIN.REALM.zone<br />
<br />
<br />
Add the lines below (replace DOMAIN and REALM with proper values) to the /etc/selinux/targeted/contexts/files/file_contexts.local file (if the file does not exist, just create it):<br />
/usr/local/samba/private/dns.keytab system_u:object_r:named_conf_t:s0<br />
/usr/local/samba/private/named.conf system_u:object_r:named_conf_t:s0<br />
/usr/local/samba/private/named.conf.update system_u:object_r:named_conf_t:s0<br />
/usr/local/samba/private/dns system_u:object_r:named_var_run_t:s0<br />
/usr/local/samba/private/dns/DOMAIN.REALM.zone system_u:object_r:named_var_run_t:s0<br />
/usr/local/samba/var/run/ntp_signd system_u:object_r:ntpd_t:s0<br />
<br />
NOTE: Multiple attempts to set the context for ntp failed, so the policy below was needed for Windows clients to sync time after joining the DOMAIN.<br />
$ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/ntp_signd<br />
$ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/<br />
$ chcon -t ntpd_t /usr/local/samba/var/run/ntp_signd/socket<br />
<br />
samba4.te policy:<br />
module samba4 1.0;<br />
<br />
<br />
require {<br />
type ntpd_t;<br />
type usr_t;<br />
type initrc_t;<br />
class sock_file write;<br />
class unix_stream_socket connectto;<br />
}<br />
<br />
#============= ntpd_t ==============<br />
allow ntpd_t usr_t:sock_file write;<br />
<br />
#============= ntpd_t ==============<br />
allow ntpd_t initrc_t:unix_stream_socket connectto;<br />
<br />
Check and load policy:<br />
$ checkmodule -M -m -o samba4.mod samba4.te <br />
$ semodule_package -o samba4.pp -m samba4.mod<br />
$ semodule -i samba4.pp<br />
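<br />
The ownership and mode that this page sets on dns.keytab (chown to the bind user in Step 10, or chgrp named plus chmod g+r in the notes above) can be verified with a short script. This is an added example, not part of the original HOWTO or of Samba itself; the function name check_keytab is hypothetical, GNU stat is assumed, and the rule that "other" must have no access is an addition based on the keytab holding long-term Kerberos keys.<br />

```shell
#!/bin/sh
# Added example: verify that a keytab is readable by the bind account and
# by nobody else. Assumes GNU coreutils stat; check_keytab is a
# hypothetical helper name.
# Usage: sh this-script KEYTAB BIND_USER BIND_GROUP
#   e.g. /usr/local/samba/private/dns.keytab named named

check_keytab() {
    keytab=$1 bind_user=$2 bind_group=$3
    problems=0

    # Refuse symlinks: the name could point at a file with other permissions.
    if [ -L "$keytab" ] || [ ! -f "$keytab" ]; then
        echo "FAIL: $keytab is missing, a symlink, or not a regular file"
        return 1
    fi

    owner=$(stat -c %U "$keytab")
    group=$(stat -c %G "$keytab")
    mode=$(stat -c %a "$keytab")
    perm=$((0$mode))                 # octal mode string -> integer

    # Assumption of this example: a keytab holds long-term keys, so the
    # "other" class must have no access at all.
    if [ $((perm & 0007)) -ne 0 ]; then
        echo "FAIL: mode $mode grants access to 'other'"
        problems=$((problems + 1))
    fi

    # bind only needs to read the keytab; group write is never required.
    if [ $((perm & 0020)) -ne 0 ]; then
        echo "FAIL: mode $mode is group-writable"
        problems=$((problems + 1))
    fi

    # Either approach from the page is accepted: bind owns the file
    # (chown), or bind's group has read access (chgrp + chmod g+r).
    readable=no
    [ "$owner" = "$bind_user" ] && [ $((perm & 0400)) -ne 0 ] && readable=yes
    [ "$group" = "$bind_group" ] && [ $((perm & 0040)) -ne 0 ] && readable=yes
    if [ "$readable" = no ]; then
        echo "FAIL: neither user $bind_user nor group $bind_group can read it" \
             "(owner=$owner group=$group mode=$mode)"
        problems=$((problems + 1))
    fi

    if [ "$problems" -eq 0 ]; then
        echo "OK: $keytab owner=$owner group=$group mode=$mode"
        return 0
    fi
    return 1
}

# Run the check only when the three arguments are given on the command line.
if [ $# -eq 3 ]; then
    check_keytab "$@"
fi
```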
<br />
== NOTE about filesystem support ==<br />
<br />
To use the advanced features of Samba4 you need a filesystem that<br />
supports both the "user" and "system" xattr namespaces.<br />
<br />
If you run Linux with a 2.6 kernel and ext3 this means you need to<br />
include the option "user_xattr" in your /etc/fstab. For example:<br />
<br />
/dev/hda3 /home ext3 user_xattr 1 1<br />
<br />
You also need to compile your kernel with the XATTR and SECURITY<br />
options for your filesystem. For ext3 that means you need:<br />
<br />
CONFIG_EXT3_FS_XATTR=y<br />
CONFIG_EXT3_FS_SECURITY=y<br />
<br />
If you are running a Linux 2.6 kernel with CONFIG_IKCONFIG_PROC<br />
defined you can check this with the following command:<br />
<br />
$ zgrep CONFIG_EXT3_FS /proc/config.gz<br />
<br />
If you don't have a filesystem with xattr support, then you can<br />
simulate it by using the option:<br />
<br />
posix:eadb = /usr/local/samba/eadb.tdb<br />
<br />
that will place all extra file attributes (NT ACLs, DOS EAs, streams<br />
etc), in that tdb. It is not efficient, and doesn't scale well, but at<br />
least it gives you a choice when you don't have a modern filesystem.<br />
<br />
=== Testing your filesystem ===<br />
<br />
To test your filesystem support, install the 'attr' package and run<br />
the following 4 commands as root:<br />
<br />
# touch test.txt<br />
# setfattr -n user.test -v test test.txt<br />
# setfattr -n security.test -v test2 test.txt<br />
# getfattr -d test.txt<br />
# getfattr -n security.test -d test.txt<br />
<br />
You should see output like this:<br />
<br />
# file: test.txt<br />
user.test="test"<br />
<br />
# file: test.txt<br />
security.test="test2"<br />
<br />
If you get any "Operation not supported" errors then it means your<br />
kernel is not configured correctly, or your filesystem is not mounted<br />
with the right options.<br />
<br />
If you get any "Operation not permitted" errors then it probably means<br />
you didn't try the test as root.<br />
<br />
If you are using the posix:eadb option then you don't need to test your filesystem in this manner.<br />
<br />
== Profiling with google-perftools ==<br />
<br />
LDFLAGS="-ltcmalloc -lprofiler" ./configure --enable-developer ..... <br />
<br />
This also works for CFLAGS<br />
<br />
= Configure a Windows Client to join a Samba 4 Active Directory =<br />
<br />
Active Directory is a powerful administration service which enables an administrator to centrally manage a network of Windows 2000, Windows XP Pro, Windows 2003, and Windows Vista Business Edition effectively. To test the real Samba 4 capability, we use Windows XP Pro as testing environment (Windows XP Home doesn't include Active Directory functionality and won't work).<br />
<br />
To allow Samba 4 Active Directory or Microsoft Active Directory to manage a computer, we need to join the computer into the active directory.<br />
It involves:<br />
<br />
# Configuring DNS Setting<br />
# Configuring date/time and time zone<br />
# Joining the domain<br />
<br />
== Step 1: Configure DNS Setting for Windows ==<br />
<br />
Before we configure the DNS setting, verify that you are able to ping the Server's IP Address. If you are not able to ping the server, double check your IP address, firewall, routing, etc.<br />
<br />
Once you have verified network connectivity between the Samba server and client,<br />
<br />
# Right Click My Network Places -> Properties<br />
# Double click local area network->Properties<br />
# Double click tcp/ip<br />
# Use static dns server, add the Samba 4 server's ip address inside the primary dns server column.<br />
#:[[Image:Samba4dnsclient.jpg]]<br />
# Press ok, ok, ok again until finished.<br />
# Open a command prompt, type 'ping servername.your.realm' (change to suit your custom realm per your provision)<br />
<br />
If you get replies, then it means your Windows XP settings are correct (for DNS) and the Samba4 server's DNS service is working as well.<br />
<br />
== Step 2: Configure date/time and time zone ==<br />
<br />
Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clock on the client and server be synchronized to within a few seconds of each other. If they are not synchronized, authentication will fail for apparently no reason.<br />
<br />
# Change the timezone in Windows XP Pro so that the server and client use the same time zone. On my computer, I use Asia/Kuala_Lumpur (I come from Malaysia).<br />
#:[[Image:Samba4timezone.jpg]]<br />
# Change the date/time so the client has the same HH:MM as the server.<br />
#:[[Image:Samba4time.jpg]]<br />
<br />
== Step 3: Joining the Windows client into domain ==<br />
<br />
Now your Windows client is ready to join the Active Directory (AD) domain.<br />
<br />
As administrator:<br />
<br />
# Right Click my Computer-> Properties<br />
# Choose Computer Name, click change..<br />
# Click option 'Domain', insert YOUR.REALM (if that fails, try YOURDOM)<br />
#:[[Image:Samba4joindomain.jpg]]<br />
# When it requests a username/password, type '''administrator''' as username, '''SOMEPASSWORD''' as password (per your earlier provision).<br />
# It will tell you that the Windows XP machine has successfully joined the Active Directory domain, and that you need to restart.<br />
# After restart, you should get the normal domain logon dialog.<br />
# Choose domain YOURDOM, enter '''administrator''' as username, '''SOMEPASSWORD''' as password (again, per your earlier provision).<br />
# If you log in successfully, you can use the Samba 4 Active Directory services described in the next section.<br />
<br />
= Viewing Samba 4 Active Directory object from Windows =<br />
<br />
We need to install the Windows 2003 adminpak on Windows XP in order to use<br />
GUI tools to manage the domain. Before you begin, make sure the domain<br />
administrator has administrative rights on your computer. (To<br />
give any user administrative rights in Windows XP Pro, right click My<br />
Computer, press Manage -> choose Groups -> double click Administrators<br />
and add members from the domain to the member list. When you add<br />
a member from Active Directory, it will prompt you to enter an<br />
Active Directory username/password.)<br />
<br />
== Step 1: Installing Windows Remote Administration Tools onto Windows ==<br />
<br />
=== Windows7 ===<br />
<br />
#Download the Windows Remote Administration Tools from<br />
#: http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en<br />
#and follow the "Install RSAT" instructions<br />
<br />
=== Vista ===<br />
<br />
Download the Windows Remote Administration Tools from<br />
* http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en<br />
<br />
and follow the "Install RSAT" instruction described at<br />
* http://support.microsoft.com/kb/941314<br />
<br />
=== Windows XP Pro ===<br />
<br />
# In Windows XP, download adminpak and supporttools from <br />
#* http://www.microsoft.com/downloads/en/details.aspx?FamilyID=86b71a4f-4122-44af-be79-3f101e533d95<br />
#* http://download.microsoft.com/download/3/e/4/3e438f5e-24ef-4637-abd1-981341d349c7/WindowsServer2003-KB892777-SupportTools-x86-ENU.exe<br />
#:If you installed an older version of the adminpak, you'll notice the dial-in tab is missing from property pages. Just follow the link above to get SP2 which does not have this issue.<br />
# Run through the installation.<br />
# Press start->run, type 'dsa.msc'. If a window 'Active Directory Users and Computers' pops up, it means you have installed adminpak successfully. You can also find this at Start>Programs>Administrative Tools, which should have a lot more items now.<br />
# Go to c:\Program Files\Support Tools to check whether the support tools were installed correctly; if yes, then your XP workstation is ready to manage the Samba 4 Active Directory.<br />
<br />
== Step 2: Viewing samba 4 active directory content ==<br />
<br />
# Login as domain 'testing1.org' administrator, press start->run.<br />
# type dsa.msc<br />
#:[[Image:Samba4run.jpg ]]<br />
# Expand the testing1.org tree to see the existing objects in the domain. [[Image:Samba4dsa.msc.jpg]]<br />
<br />
= Managing Samba 4 Active Directory From Windows XP Pro =<br />
One of Samba4's goals is to integrate with (and replace) Active Directory as a system. At this point, if everything has worked correctly you should have an "Administrative Tools" menu under Programs. If, under Administrative Tools you have "Active Directory Users and Computers", that is a very good sign. Most times, if there is a configuration problem or bug in Samba4, the AD Users & Computers (among other interfaces) won't show up as an option. You can run it by hand (Start->Run->dsa.msc) but it's unlikely to work correctly.<br />
<br />
<br />
== Step 1: Adding user into Samba 4 Active Directory ==<br />
Unlike Samba3, Samba4 does not require a local unix user for each Samba user that is created.<br />
<br />
To create a Samba user, use the command <br />
<br />
samba-tool user add USERNAME<br />
<br />
To inspect the allocated user ID and SID, use wbinfo<br />
<br />
$ bin/wbinfo --name-to-sid USERNAME<br />
S-1-5-21-4036476082-4153129556-3089177936-1005 SID_USER (1)<br />
<br />
$ bin/wbinfo --sid-to-uid S-1-5-21-4036476082-4153129556-3089177936-1005<br />
3000011<br />
<br />
If you want to change this mapping, then use ldbedit on the idmap.ldb,<br />
like this:<br />
<br />
$ bin/ldbedit -e emacs -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
You will find records that look like this:<br />
<br />
# record 1<br />
dn: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
cn: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
objectClass: sidMap<br />
objectSid: S-1-5-21-4036476082-4153129556-3089177936-1005<br />
type: ID_TYPE_BOTH<br />
xidNumber: 3000011<br />
distinguishedName: CN=S-1-5-21-4036476082-4153129556-3089177936-1005<br />
<br />
If you change the xidNumber attribute, save, and exit your editor,<br />
then Samba will update the mapping between the SID and the user<br />
ID. Updating group mappings works in the same way.<br />
<br />
You can also manage users using the normal Windows AD user management<br />
tools.<br />
<br />
= Setting Up Roaming Profiles (Windows 7) =<br />
<br />
1. You will need to create a share for the profiles, typically named '''profiles'''. Edit the ''/usr/local/samba/etc/smb.conf'' to include:<br />
<br />
[profiles]<br />
path = /usr/local/samba/var/profiles<br />
read only = no<br />
<br />
2. Create the directory above using:<br />
<br />
$ sudo mkdir /usr/local/samba/var/profiles<br />
<br />
3. On windows start the ''Active Directory Users and Computers'', select all the users, right click and hit properties<br />
<br />
4. Under the profile tab, in the ''Profile path'' type the path to your share along with %USERNAME% as follows:<br />
<br />
\\sambaserver.samdom.example.com\profiles\%USERNAME%<br />
<br />
5. click OK, logout and login as one of those users. When you logout again, you should see that the profile has been synced onto the samba server.<br />
<br />
= Adding organization unit (OU) into samba 4 domain =<br />
<br />
Organizational Unit (OU), is a powerful feature in active<br />
directory. This is a type of container which allows you to drag & drop<br />
users and/or computers into it.<br />
<br />
We can link several kinds of group policy to an OU, and the settings<br />
will deploy to all users/computers under the OU. Within a single domain<br />
you can have as many OUs and sub-OUs as you like. The result is that<br />
this can greatly reduce administrative overhead because you are able to<br />
manage everything via an OU. The implementation of group policy will<br />
be discussed in the next chapter.<br />
<br />
Before we create an OU, we must know what an OU looks like. By default<br />
we can see a sample OU 'Domain Controllers', which uses a different<br />
icon in the Windows management tools to the 'users' and 'computers'<br />
container. We can deploy group policy to users or computers container.<br />
<br />
# To create an OU, as the domain administrator, use start -> run -> dsa.msc<br />
# right click on your domain.<br />
# choose new -> organizational unit<br />
# type 'OU Demo'<br />
# Then you will see an new OU appear, with the name 'OU Demo'.<br />
# You can drag your user 'demo' into the new OU (Don't move other users! Unless you want to get stuck!)<br />
# Right Click the 'OU Demo', you can create a sub OU with New->Organizational.<br />
<br />
Normally we create OUs based on the departmental setup of your<br />
organization. Be careful not to confuse groups and OUs: groups are<br />
used to control permissions, OUs are used to deploy settings to<br />
all users/computers within the OU.<br />
<br />
= Implementing Group Policies (GPO) in a Samba4 domain =<br />
<br />
Samba4 Active Directory has support for group policies, and can create<br />
the group policy on the fly. The basic idea of group policies is:-<br />
<br />
# Group Policies have 2 kinds of settings, computers and users.<br />
# Computer settings apply to computers, user settings apply to users<br />
# We link the group policy to a particular OU, and the group policy will affect all computers/users under the OU.<br />
# To add a group policy, right click 'OU Demo' OU->properties<br />
# Choose group policy<br />
# Press new, name as 'GP Demo'<br />
# Press edit to edit the policy.<br />
# Here we demonstrate how to block a user from accessing the control panel. Open the tree 'User Configuration'->'Administrative Templates'->'control panel'.<br />
# Double click on 'Prohibit access to the Control Panel'<br />
# Press enabled and then press OK. Now all users under 'OU Demo' won't be able to access the control panel.<br />
# Make sure user demo is inside the 'OU Demo' (You can drag and drop it). <br />
# Logout and login as user 'demo'<br />
# You'll find user demo is not able to access control panel<br />
<br />
;Note :User configuration will take effect once you log out and log in. Computer configuration will take effect when you restart the computer.<br />
<br />
To learn more about managing and implementing organizational units, group policy, and active directory, try searching Google for Windows 2003 Active Directory implementation.<br />
<br />
== Installing the Group Policy Management Console ==<br />
<br />
You may also find the Group Policy Management console useful. You can<br />
download it from:<br />
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en<br />
<br />
This is primarily useful for when you have larger installs and<br />
are managing many machines. You may need to download the .NET<br />
framework first.<br />
<br />
= Joining a Windows domain controller as an additional DC in a domain =<br />
<br />
Once you have a Samba domain controller setup, you can choose to join<br />
additional domain controllers to the domain, whether they be<br />
additional Samba domain controllers, or additional Windows domain<br />
controllers.<br />
<br />
If you wish to join an additional Samba domain controller to a domain,<br />
then please see the [[Samba4/HOWTO/Join a domain as a DC|Joining a domain as a DC]] page. The instructions<br />
on that page are the same for joining Samba to a Windows domain as<br />
they are for joining Samba to an existing Samba domain.<br />
<br />
If you wish to join a new Windows domain controller to a Samba domain,<br />
then you should use the 'dcpromo' tool on the Windows machine. Please<br />
see the normal instructions for installing dcpromo on Windows, with<br />
the exception that you should not tick the 'DNS server' option box<br />
when it is offered. Right now you should either use Windows for DNS,<br />
or use Samba and bind9 for DNS. Mixing the two can work, but it is an<br />
advanced topic that is beyond the scope of this howto.<br />
<br />
= Migrating an Existing Samba3 Domain to Samba4 =<br />
<br />
It is very likely that you already have a running Samba3 domain on your network. The question is, how do you migrate that domain and all of its users and machines over to a new Samba4 based domain, without needing to move every user profile and machine to the new domain? The answer is the [[Samba4/samba3upgrade/HOWTO|samba-tool samba3upgrade]] function.<br />
<br />
= Report your success/failure! =<br />
<br />
Samba4 as a replicating domain controller is still developing rapidly,<br />
and we like to hear from users about their successes and<br />
failures. While Samba4 is still in alpha release we would encourage<br />
you to report both your successes and failures to the samba-technical<br />
mailing list on http://lists.samba.org<br />
<br />
Please be aware that Samba4 is not complete, so you should deploy it<br />
carefully until it is ready for a non-alpha release.</div>BBaumbachhttps://wiki.samba.org/index.php?title=Client_specific_logging&diff=5793Client specific logging2011-03-22T11:02:13Z<p>BBaumbach: comments shifted</p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a level 10 log file.<br />
<br />
There are different reasons for creating client specific log files:<br />
* If the error appears only on specific clients and you don't want to change the config for all clients.<br />
* If you're running Samba with many clients, level 10 logs can fill your disk space very fast and slow down your system.<br />
<br />
<br />
Create a new config file /etc/samba/smb.conf.client-debug:<br />
[global]<br />
# no log file size limitation<br />
max log size = 0<br />
# specific log file name<br />
log file = /var/log/samba/log.%I<br />
# set the debug level<br />
log level = 10<br />
# add the pid to the log<br />
debug pid = yes<br />
# add microsecond resolution to timestamp<br />
debug hires timestamp = yes<br />
<br />
Add the following line to your smb.conf at the end of the global section<br />
include = /etc/samba/smb.conf.client-%I<br />
<br />
To activate level 10 logging for e.g. client 192.168.0.123 create a symbolic link:<br />
ln -s /etc/samba/smb.conf.client-debug /etc/samba/smb.conf.client-192.168.0.123<br />
<br />
You do not have to restart all of Samba. When the client 192.168.0.123 connects to your Samba server, smbd includes the /etc/samba/smb.conf.client-192.168.0.123 config file and writes the debug information to /var/log/samba/log.192.168.0.123.<br />
These changes have no effect on clients other than 192.168.0.123. For additional clients you can simply create additional symlinks.<br />
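<br />
Because every symlink keeps unlimited level 10 logging switched on for that client, it helps to manage the links with a helper that validates the address, lists which clients are currently in debug mode, and removes links when diagnosis is done. This is an added example, not part of the original page or of Samba; the function names and the CONF_DIR variable are hypothetical, and only IPv4 addresses are handled.<br />

```shell
#!/bin/sh
# Added example: manage the per-client debug includes described above.
# CONF_DIR and all function names are assumptions of this example; the
# file names follow the page (smb.conf.client-debug, smb.conf.client-%I).
CONF_DIR=${CONF_DIR:-/etc/samba}
TEMPLATE=smb.conf.client-debug

valid_ipv4() {
    # Accept exactly four decimal octets 0-255 without leading zeros, the
    # form in which an IPv4 client address is written. Anything else is
    # rejected, so "/" or ".." can never reach the link name.
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            0?*|????*) return 1 ;;   # leading zero or more than 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

enable_client() {
    valid_ipv4 "$1" || { echo "refusing: '$1' is not an IPv4 address" >&2; return 1; }
    [ -f "$CONF_DIR/$TEMPLATE" ] || { echo "missing $CONF_DIR/$TEMPLATE" >&2; return 1; }
    link="$CONF_DIR/smb.conf.client-$1"
    # Never replace a hand-written per-client config with the debug link.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "refusing: $link exists and is not a symlink" >&2
        return 1
    fi
    ln -sfn "$CONF_DIR/$TEMPLATE" "$link"
}

disable_client() {
    valid_ipv4 "$1" || { echo "refusing: '$1' is not an IPv4 address" >&2; return 1; }
    link="$CONF_DIR/smb.conf.client-$1"
    [ -L "$link" ] || return 0       # nothing to disable
    rm -f "$link"
}

list_clients() {
    # Print the address of every client that currently has a debug link.
    # The template itself is a regular file and is skipped.
    for link in "$CONF_DIR"/smb.conf.client-*; do
        [ -L "$link" ] || continue
        echo "${link##*/smb.conf.client-}"
    done
    return 0
}

# Command-line entry point: enable ADDR | disable ADDR | list
case ${1:-} in
    enable)  enable_client "${2:-}" ;;
    disable) disable_client "${2:-}" ;;
    list)    list_clients ;;
esac
```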
<br />
<br />
<br />
To change the log level temporarily at runtime, you can use smbcontrol.<br />
# set debug level for all smbd<br />
smbcontrol smbd debug 10<br />
<br />
# set debug level for process with pid 12345<br />
smbcontrol 12345 debug 10<br />
<br />
# request debug level for process with pid 12345<br />
smbcontrol 12345 debuglevel</div>BBaumbachhttps://wiki.samba.org/index.php?title=TDB_Locations&diff=5731TDB Locations2011-02-04T12:51:13Z<p>BBaumbach: descriptions added</p>
<hr />
<div>List of Samba3 TDB files and their locations.<br />
<br />
{| class="sortable wikitable" border="1" cellpadding="5" cellspacing="0"<br />
|-style="background-color:#DCDCDC;"<br />
!TDB File || API || Location|| Info || Description<br />
|-<br />
|account_policy.tdb || dbwrap || state || || Samba/NT account policy settings, includes password expiration settings.<br />
|-<br />
|autorid.tdb || dbwrap || state || || Mappings of which domain is mapped to which range. <br />
|-<br />
|brlock.tdb || dbwrap || lock || || Byte-range locking information.<br />
|-<br />
|connections.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || A temporary cache for current connection information used to enforce max connections.<br />
|-<br />
|eventlog/*.tdb || tdb || state || || Records of eventlog entries. In most circumstances this is just a cache of system logs.<br />
|-<br />
|g_lock.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || Global locking information.<br />
|-<br />
|gencache.tdb || tdb || lock || TDB_CLEAR_IF_FIRST* || Generic caching database for dead WINS servers and trusted domain data.<br />
|-<br />
|gencache_notrans.tdb || tdb || lock || TDB_CLEAR_IF_FIRST* || <br />
|-<br />
|group_mapping.tdb || dbwrap || state || || Mapping table from Windows groups/SID to UNIX groups.<br />
|-<br />
|idmap2.tdb || dbwrap || private || ||<br />
|-<br />
|locking.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|login_cache.tdb || tdb || cache || || A temporary cache for login information, in particular bad password attempts.<br />
|-<br />
|messages.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST || Temporary storage of messages being processed by smbd.<br />
|-<br />
|mutex.tdb || tdb_wrap || lock || ||<br />
|-<br />
|netsamlogon_cache.tdb|| tdb || cache || TDB_CLEAR_IF_FIRST* || Caches user net_info_3 structure data from net_samlogon requests (as a domain member).<br />
|-<br />
|notify.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|notify_onelevel.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|ntdrivers.tdb || tdb || state || || Removed in 3.6. Stores per-printer installed driver information.<br />
|-<br />
|ntforms.tdb || tdb || state || || Removed in 3.6. Stores per-printer installed forms information.<br />
|-<br />
|ntprinters.tdb || tdb || state || || Removed in 3.6. Stores the per-printer devmode configuration settings.<br />
|-<br />
|passdb.tdb || dbwrap || private || || Exists only when the tdbsam passwd backend is used. This file stores the SambaSAMAccount information. Note: This file requires that user POSIX account information is available from either the /etc/passwd file, or from an alternative system source. <br />
|-<br />
|perfmon/data.tdb || tdb || state || || Performance counter information.<br />
|-<br />
|perfmon/names.tdb || tdb || state || || Performance counter information.<br />
|-<br />
|printer_list.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|printing/*.tdb || tdb || cache || || Cached output from lpq command created on a per-print-service basis.<br />
|-<br />
|registry.tdb || dbwrap || state || || Read-only Samba database of a Windows registry skeleton that provides support for exporting various database tables via the winreg RPCs. <br />
|-<br />
|schannel_store.tdb || tdb_wrap || private || TDB_CLEAR_IF_FIRST || A confidential file, stored in the PRIVATE_DIR, containing cryptographic connection information so that clients that have temporarily disconnected can reconnect without needing to renegotiate the connection setup process. <br />
|-<br />
|secrets.tdb || dbwrap || private || || This file stores the Workgroup/Domain/Machine SID, the LDAP directory update password, and a further collection of critical environmental data that is necessary for Samba to operate correctly. This file contains very sensitive information that must be protected. It is stored in the PRIVATE_DIR directory. <br />
|-<br />
|serverid.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|sessionid.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || Temporary cache for miscellaneous session information and for utmp handling.<br />
|-<br />
|share_info.tdb || dbwrap || state || || Stores per-share ACL information.<br />
|-<br />
|unexpected.tdb || tdb || lock || TDB_CLEAR_IF_FIRST || Removed in 3.6. Stores packets received for which no process is actively listening.<br />
|-<br />
|winbindd_cache.tdb || tdb || cache || TDB_CLEAR_IF_FIRST* || Cache of Identity information received from an NT4 domain or from ADS. Includes user lists, etc.<br />
|-<br />
|winbindd_idmap.tdb || tdb || state || || Winbindd's local IDMAP database.<br />
|-<br />
|wins.tdb || tdb || state || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|xattr.tdb || dbwrap || state || ||<br />
|-<br />
| || || || ||<br />
|-<br />
|torture.tdb || tdb || torture || Test TDB ||<br />
|-<br />
|test.tdb || tdb_wrap || torture || Test TDB ||<br />
|-<br />
|transtest.tdb || dbwrap || torture || Test TDB ||<br />
|}<br />
<br />
<br />
TDB_CLEAR_IF_FIRST means that Samba clears the TDB on each first open (for example after a reboot).<br />
* will only be cleared if the file is corrupt</div>BBaumbachhttps://wiki.samba.org/index.php?title=TDB_Locations&diff=5730TDB Locations2011-02-04T11:59:35Z<p>BBaumbach: </p>
<hr />
<div>List of Samba3 TDB files and their locations.<br />
<br />
{| class="sortable wikitable" border="1" cellpadding="5" cellspacing="0"<br />
|-style="background-color:#DCDCDC;"<br />
!TDB File || API || Location|| Info || Description<br />
|-<br />
|account_policy.tdb || dbwrap || state || || Samba/NT account policy settings, includes password expiration settings.<br />
|-<br />
|autorid.tdb || dbwrap || state || || <br />
|-<br />
|brlock.tdb || dbwrap || lock || || Byte-range locking information.<br />
|-<br />
|connections.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || A temporary cache for current connection information used to enforce max connections.<br />
|-<br />
|eventlog/*.tdb || tdb || state || || Records of eventlog entries. In most circumstances this is just a cache of system logs.<br />
|-<br />
|g_lock.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|gencache.tdb || tdb || lock || TDB_CLEAR_IF_FIRST* || Generic caching database for dead WINS servers and trusted domain data.<br />
|-<br />
|gencache_notrans.tdb || tdb || lock || TDB_CLEAR_IF_FIRST* ||<br />
|-<br />
|group_mapping.tdb || dbwrap || state || || Mapping table from Windows groups/SID to UNIX groups.<br />
|-<br />
|idmap2.tdb || dbwrap || private || ||<br />
|-<br />
|locking.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|login_cache.tdb || tdb || cache || || A temporary cache for login information, in particular bad password attempts.<br />
|-<br />
|messages.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST || Temporary storage of messages being processed by smbd.<br />
|-<br />
|mutex.tdb || tdb_wrap || lock || ||<br />
|-<br />
|netsamlogon_cache.tdb|| tdb || cache || TDB_CLEAR_IF_FIRST* || Caches user net_info_3 structure data from net_samlogon requests (as a domain member).<br />
|-<br />
|notify.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|notify_onelevel.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|ntdrivers.tdb || tdb || state || || Removed in 3.6. Stores per-printer installed driver information.<br />
|-<br />
|ntforms.tdb || tdb || state || || Removed in 3.6. Stores per-printer installed forms information.<br />
|-<br />
|ntprinters.tdb || tdb || state || || Removed in 3.6. Stores the per-printer devmode configuration settings.<br />
|-<br />
|passdb.tdb || dbwrap || private || || Exists only when the tdbsam passwd backend is used. This file stores the SambaSAMAccount information. Note: This file requires that user POSIX account information is available from either the /etc/passwd file, or from an alternative system source. <br />
|-<br />
|perfmon/data.tdb || tdb || state || || Performance counter information.<br />
|-<br />
|perfmon/names.tdb || tdb || state || || Performance counter information.<br />
|-<br />
|printer_list.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|printing/*.tdb || tdb || cache || || Cached output from lpq command created on a per-print-service basis.<br />
|-<br />
|registry.tdb || dbwrap || state || || Read-only Samba database of a Windows registry skeleton that provides support for exporting various database tables via the winreg RPCs. <br />
|-<br />
|schannel_store.tdb || tdb_wrap || private || TDB_CLEAR_IF_FIRST || A confidential file, stored in the PRIVATE_DIR, containing cryptographic connection information so that clients that have temporarily disconnected can reconnect without needing to renegotiate the connection setup process. <br />
|-<br />
|secrets.tdb || dbwrap || private || || This file stores the Workgroup/Domain/Machine SID, the LDAP directory update password, and a further collection of critical environmental data that is necessary for Samba to operate correctly. This file contains very sensitive information that must be protected. It is stored in the PRIVATE_DIR directory. <br />
|-<br />
|serverid.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|sessionid.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || Temporary cache for miscellaneous session information and for utmp handling.<br />
|-<br />
|share_info.tdb || dbwrap || state || || Stores per-share ACL information.<br />
|-<br />
|unexpected.tdb || tdb || lock || TDB_CLEAR_IF_FIRST || Removed in 3.6. Stores packets received for which no process is actively listening.<br />
|-<br />
|winbindd_cache.tdb || tdb || cache || TDB_CLEAR_IF_FIRST* || Cache of Identity information received from an NT4 domain or from ADS. Includes user lists, etc.<br />
|-<br />
|winbindd_idmap.tdb || tdb || state || || Winbindd's local IDMAP database.<br />
|-<br />
|wins.tdb || tdb || state || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|xattr.tdb || dbwrap || state || ||<br />
|-<br />
| || || || ||<br />
|-<br />
|torture.tdb || tdb || torture || Test TDB ||<br />
|-<br />
|test.tdb || tdb_wrap || torture || Test TDB ||<br />
|-<br />
|transtest.tdb || dbwrap || torture || Test TDB ||<br />
|}<br />
<br />
<br />
TDB_CLEAR_IF_FIRST means that Samba clears the TDB on each first open (for example after a reboot).<br />
* will only be cleared if the file is corrupt</div>BBaumbachhttps://wiki.samba.org/index.php?title=TDB_Locations&diff=5729TDB Locations2011-02-04T11:49:51Z<p>BBaumbach: </p>
<hr />
<div>List of Samba3 TDB files and their locations.<br />
<br />
{| class="sortable wikitable" border="1" cellpadding="5" cellspacing="0"<br />
|-style="background-color:#DCDCDC;"<br />
!TDB File || API || Location|| Info || Description<br />
|-<br />
|account_policy.tdb || dbwrap || state || || Samba/NT account policy settings, includes password expiration settings.<br />
|-<br />
|autorid.tdb || dbwrap || state || || <br />
|-<br />
|brlock.tdb || dbwrap || lock || || Byte-range locking information.<br />
|-<br />
|connections.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || A temporary cache for current connection information used to enforce max connections.<br />
|-<br />
|eventlog/*.tdb || tdb || state || || Records of eventlog entries. In most circumstances this is just a cache of system logs.<br />
|-<br />
|g_lock.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|gencache.tdb || tdb || lock || TDB_CLEAR_IF_FIRST* || Generic caching database for dead WINS servers and trusted domain data.<br />
|-<br />
|gencache_notrans.tdb || tdb || lock || TDB_CLEAR_IF_FIRST* ||<br />
|-<br />
|group_mapping.tdb || dbwrap || state || || Mapping table from Windows groups/SID to UNIX groups.<br />
|-<br />
|idmap2.tdb || dbwrap || private || ||<br />
|-<br />
|locking.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|login_cache.tdb || tdb || cache || || A temporary cache for login information, in particular bad password attempts.<br />
|-<br />
|messages.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST || Temporary storage of messages being processed by smbd.<br />
|-<br />
|mutex.tdb || tdb_wrap || lock || ||<br />
|-<br />
|netsamlogon_cache.tdb|| tdb || cache || TDB_CLEAR_IF_FIRST* || Caches user net_info_3 structure data from net_samlogon requests (as a domain member).<br />
|-<br />
|notify.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|notify_onelevel.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|ntdrivers.tdb || tdb || state || removed in 3.6 || Stores per-printer installed driver information.<br />
|-<br />
|ntforms.tdb || tdb || state || removed in 3.6 || Stores per-printer installed forms information.<br />
|-<br />
|ntprinters.tdb || tdb || state || removed in 3.6 || Stores the per-printer devmode configuration settings.<br />
|-<br />
|passdb.tdb || dbwrap || private || || Exists only when the tdbsam passwd backend is used. This file stores the SambaSAMAccount information. Note: This file requires that user POSIX account information is available from either the /etc/passwd file, or from an alternative system source. <br />
|-<br />
|perfmon/data.tdb || tdb || state || || Performance counter information.<br />
|-<br />
|perfmon/names.tdb || tdb || state || || Performance counter information.<br />
|-<br />
|printer_list.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|printing/*.tdb || tdb || cache || || Cached output from lpq command created on a per-print-service basis.<br />
|-<br />
|registry.tdb || dbwrap || state || || Read-only Samba database of a Windows registry skeleton that provides support for exporting various database tables via the winreg RPCs. <br />
|-<br />
|schannel_store.tdb || tdb_wrap || private || TDB_CLEAR_IF_FIRST || A confidential file, stored in the PRIVATE_DIR, containing cryptographic connection information so that clients that have temporarily disconnected can reconnect without needing to renegotiate the connection setup process. <br />
|-<br />
|secrets.tdb || dbwrap || private || || This file stores the Workgroup/Domain/Machine SID, the LDAP directory update password, and a further collection of critical environmental data that is necessary for Samba to operate correctly. This file contains very sensitive information that must be protected. It is stored in the PRIVATE_DIR directory. <br />
|-<br />
|serverid.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|sessionid.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST || Temporary cache for miscellaneous session information and for utmp handling.<br />
|-<br />
|share_info.tdb || dbwrap || state || || Stores per-share ACL information.<br />
|-<br />
|winbindd_cache.tdb || tdb || cache || TDB_CLEAR_IF_FIRST* || Cache of Identity information received from an NT4 domain or from ADS. Includes user lists, etc.<br />
|-<br />
|winbindd_idmap.tdb || tdb || state || || Winbindd's local IDMAP database.<br />
|-<br />
|wins.tdb || tdb || state || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|xattr.tdb || dbwrap || state || ||<br />
|-<br />
| || || || ||<br />
|-<br />
|torture.tdb || tdb || torture || Test TDB ||<br />
|-<br />
|test.tdb || tdb_wrap || torture || Test TDB ||<br />
|-<br />
|transtest.tdb || dbwrap || torture || Test TDB ||<br />
|}<br />
<br />
<br />
TDB_CLEAR_IF_FIRST means that Samba clears the TDB on each first open (for example after a reboot).<br />
* will only be cleared if the file is corrupt</div>BBaumbachhttps://wiki.samba.org/index.php?title=TDB_Locations&diff=5728TDB Locations2011-02-04T09:16:53Z<p>BBaumbach: </p>
<hr />
<div>List of Samba3 TDB files and their locations.<br />
<br />
{| class="sortable wikitable" border="1" cellpadding="5" cellspacing="0"<br />
|-style="background-color:#DCDCDC;"<br />
!TDB File || API || Location|| Info || Description<br />
|-<br />
|account_policy.tdb || dbwrap || state || ||<br />
|-<br />
|autorid.tdb || dbwrap || state || ||<br />
|-<br />
|brlock.tdb || dbwrap || lock || ||<br />
|-<br />
|connections.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|eventlog/*.tdb || tdb || state || ||<br />
|-<br />
|g_lock.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|gencache.tdb || tdb || lock || TDB_CLEAR_IF_FIRST* ||<br />
|-<br />
|gencache_notrans.tdb || tdb || lock || TDB_CLEAR_IF_FIRST* ||<br />
|-<br />
|group_mapping.tdb || dbwrap || state || ||<br />
|-<br />
|idmap2.tdb || dbwrap || private || ||<br />
|-<br />
|locking.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|login_cache.tdb || tdb || cache || ||<br />
|-<br />
|messages.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|mutex.tdb || tdb_wrap || lock || ||<br />
|-<br />
|netsamlogon_cache.tdb|| tdb || cache || TDB_CLEAR_IF_FIRST* ||<br />
|-<br />
|notify.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|notify_onelevel.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|ntdrivers.tdb || tdb || state || removed in 3.6 ||<br />
|-<br />
|ntforms.tdb || tdb || state || removed in 3.6 ||<br />
|-<br />
|ntprinters.tdb || tdb || state || removed in 3.6 ||<br />
|-<br />
|passdb.tdb || dbwrap || private || ||<br />
|-<br />
|perfmon/data.tdb || tdb || state || ||<br />
|-<br />
|perfmon/names.tdb || tdb || state || ||<br />
|-<br />
|printer_list.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|printing/*.tdb || tdb || cache || ||<br />
|-<br />
|registry.tdb || dbwrap || state || ||<br />
|-<br />
|schannel_store.tdb || tdb_wrap || private || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|secrets.tdb || dbwrap || private || ||<br />
|-<br />
|serverid.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|sessionid.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|share_info.tdb || dbwrap || state || ||<br />
|-<br />
|winbindd_cache.tdb || tdb || cache || TDB_CLEAR_IF_FIRST* ||<br />
|-<br />
|winbindd_idmap.tdb || tdb || state || ||<br />
|-<br />
|wins.tdb || tdb || state || TDB_CLEAR_IF_FIRST ||<br />
|-<br />
|xattr.tdb || dbwrap || state || ||<br />
|-<br />
| || || || ||<br />
|-<br />
|torture.tdb || tdb || torture || Test TDB ||<br />
|-<br />
|test.tdb || tdb_wrap || torture || Test TDB ||<br />
|-<br />
|transtest.tdb || dbwrap || torture || Test TDB ||<br />
|}<br />
<br />
<br />
TDB_CLEAR_IF_FIRST means that Samba clears the TDB on each first open (for example after a reboot).<br />
* will only be cleared if the file is corrupt</div>BBaumbachhttps://wiki.samba.org/index.php?title=TDB_Locations&diff=5726TDB Locations2011-02-03T12:50:14Z<p>BBaumbach: </p>
<hr />
<div>List of Samba3 TDB files and their locations.<br />
<br />
{| class="sortable wikitable" border="1" cellpadding="5" cellspacing="0"<br />
|-style="background-color:#DCDCDC;"<br />
!TDB File || API || Location || Info<br />
|-<br />
|account_policy.tdb || dbwrap || state || <br />
|-<br />
|autorid.tdb || dbwrap || state ||<br />
|-<br />
|brlock.tdb || dbwrap || lock || <br />
|-<br />
|connections.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|eventlog/*.tdb || tdb || state || <br />
|-<br />
|g_lock.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|gencache.tdb || tdb || lock || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|gencache_notrans.tdb || tdb || lock || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|group_mapping.tdb || dbwrap || state || <br />
|-<br />
|idmap2.tdb || dbwrap || private || <br />
|-<br />
|locking.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|login_cache.tdb || tdb || cache || <br />
|-<br />
|messages.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|mutex.tdb || tdb_wrap || lock || <br />
|-<br />
|netsamlogon_cache.tdb|| tdb || cache || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|notify.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|notify_onelevel.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|ntdrivers.tdb || tdb || state || removed in 3.6<br />
|-<br />
|ntforms.tdb || tdb || state || removed in 3.6<br />
|-<br />
|ntprinters.tdb || tdb || state || removed in 3.6<br />
|-<br />
|passdb.tdb || dbwrap || private ||<br />
|-<br />
|perfmon/data.tdb || tdb || state || <br />
|-<br />
|perfmon/names.tdb || tdb || state || <br />
|-<br />
|printer_list.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|printing/*.tdb || tdb || cache || <br />
|-<br />
|registry.tdb || dbwrap || state || <br />
|-<br />
|schannel_store.tdb || tdb_wrap || private || TDB_CLEAR_IF_FIRST<br />
|-<br />
|secrets.tdb || dbwrap || private || <br />
|-<br />
|serverid.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|sessionid.tdb || dbwrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|share_info.tdb || dbwrap || state || <br />
|-<br />
|winbindd_cache.tdb || tdb || cache || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|winbindd_idmap.tdb || tdb || state || <br />
|-<br />
|wins.tdb || tdb || state || TDB_CLEAR_IF_FIRST<br />
|-<br />
|xattr.tdb || dbwrap || state || <br />
|-<br />
| || || ||<br />
|-<br />
|torture.tdb || tdb || torture || Test TDB<br />
|-<br />
|test.tdb || tdb_wrap || torture || Test TDB<br />
|-<br />
|transtest.tdb || dbwrap || torture || Test TDB<br />
|}<br />
<br />
<br />
TDB_CLEAR_IF_FIRST means that Samba clears the TDB on each first open (for example after a reboot).<br />
* will only be cleared if the file is corrupt</div>BBaumbachhttps://wiki.samba.org/index.php?title=TDB_Locations&diff=5725TDB Locations2011-02-03T12:28:42Z<p>BBaumbach: </p>
<hr />
<div>List of Samba3 TDB files and their locations.<br />
<br />
{| class="sortable wikitable" border="1" cellpadding="5" cellspacing="0"<br />
|-style="background-color:#DCDCDC;"<br />
!TDB File || API || Location || Info<br />
|-<br />
|account_policy.tdb || db || state || <br />
|-<br />
|autorid.tdb || db || state ||<br />
|-<br />
|brlock.tdb || db || lock || <br />
|-<br />
|connections.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|eventlog/*.tdb || tdb || state || <br />
|-<br />
|g_lock.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|gencache.tdb || tdb || lock || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|gencache_notrans.tdb || tdb || lock || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|group_mapping.tdb || db || state || <br />
|-<br />
|idmap2.tdb || db || private || <br />
|-<br />
|locking.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|login_cache.tdb || tdb || cache || <br />
|-<br />
|messages.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|mutex.tdb || tdb_wrap || lock || <br />
|-<br />
|netsamlogon_cache.tdb|| tdb || cache || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|notify.tdb || wrap_open || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|notify_onelevel.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|ntdrivers.tdb || tdb || state || removed in 3.6<br />
|-<br />
|ntforms.tdb || tdb || state || removed in 3.6<br />
|-<br />
|ntprinters.tdb || tdb || state || removed in 3.6<br />
|-<br />
|passdb.tdb || db || private ||<br />
|-<br />
|perfmon/data.tdb || tdb || state || <br />
|-<br />
|perfmon/names.tdb || tdb || state || <br />
|-<br />
|printer_list.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|printing/*.tdb || tdb || cache || <br />
|-<br />
|registry.tdb || db || state || <br />
|-<br />
|schannel_store.tdb || tdb_wrap || private || TDB_CLEAR_IF_FIRST<br />
|-<br />
|secrets.tdb || db || private || <br />
|-<br />
|serverid.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|sessionid.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|share_info.tdb || db || state || <br />
|-<br />
|winbindd_cache.tdb || tdb || cache || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|winbindd_idmap.tdb || tdb || state || <br />
|-<br />
|wins.tdb || tdb || state || TDB_CLEAR_IF_FIRST<br />
|-<br />
|xattr.tdb || db || state || <br />
|-<br />
| || || ||<br />
|-<br />
|torture.tdb || tdb || torture || Test TDB<br />
|-<br />
|test.tdb || tdb_wrap || torture || Test TDB<br />
|-<br />
|transtest.tdb || db || torture || Test TDB<br />
|}<br />
<br />
<br />
TDB_CLEAR_IF_FIRST means that Samba clears the TDB on each first open (for example after a reboot).<br />
* will only be cleared if the file is corrupt</div>BBaumbachhttps://wiki.samba.org/index.php?title=TDB_Locations&diff=5724TDB Locations2011-02-03T12:26:08Z<p>BBaumbach: </p>
<hr />
<div>List of Samba3 TDB files and their locations.<br />
<br />
{| class="sortable wikitable" border="1" cellpadding="5" cellspacing="0"<br />
|-style="background-color:#DCDCDC;"<br />
!TDB File || API || Location || Info<br />
|-<br />
|account_policy.tdb || db || state || <br />
|-<br />
|autorid.tdb || db || state ||<br />
|-<br />
|brlock.tdb || db || lock || <br />
|-<br />
|connections.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|eventlog/*.tdb || tdb || state || <br />
|-<br />
|g_lock.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|gencache.tdb || tdb || lock || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|gencache_notrans.tdb || tdb || lock || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|group_mapping.tdb || db || state || <br />
|-<br />
|idmap2.tdb || db || private || <br />
|-<br />
|locking.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|login_cache.tdb || tdb || cache || <br />
|-<br />
|messages.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|mutex.tdb || tdb_wrap || lock || <br />
|-<br />
|netsamlogon_cache.tdb|| tdb || cache || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|notify.tdb || wrap_open || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|notify_onelevel.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|ntdrivers.tdb || tdb || state || <br />
|-<br />
|ntforms.tdb || tdb || state || removed in 3.6<br />
|-<br />
|ntprinters.tdb || tdb || state || removed in 3.6<br />
|-<br />
|passdb.tdb || db || private || removed in 3.6<br />
|-<br />
|perfmon/data.tdb || tdb || state || <br />
|-<br />
|perfmon/names.tdb || tdb || state || <br />
|-<br />
|printer_list.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|printing/*.tdb || tdb || cache || <br />
|-<br />
|registry.tdb || db || state || <br />
|-<br />
|schannel_store.tdb || tdb_wrap || private || TDB_CLEAR_IF_FIRST<br />
|-<br />
|secrets.tdb || db || private || <br />
|-<br />
|serverid.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|sessionid.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|share_info.tdb || db || state || <br />
|-<br />
|winbindd_cache.tdb || tdb || cache || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|winbindd_idmap.tdb || tdb || state || <br />
|-<br />
|wins.tdb || tdb || state || TDB_CLEAR_IF_FIRST<br />
|-<br />
|xattr.tdb || db || state || <br />
|-<br />
| || || ||<br />
|-<br />
|torture.tdb || tdb || torture || Test TDB<br />
|-<br />
|test.tdb || tdb_wrap || torture || Test TDB<br />
|-<br />
|transtest.tdb || db || torture || Test TDB<br />
|}<br />
<br />
<br />
TDB_CLEAR_IF_FIRST means that Samba clears the TDB on each first open (for example after a reboot).<br />
* will only be cleared if the file is corrupt</div>BBaumbachhttps://wiki.samba.org/index.php?title=TDB_Locations&diff=5723TDB Locations2011-02-03T11:45:14Z<p>BBaumbach: </p>
<hr />
<div>List of Samba3 TDB files and their locations.<br />
<br />
{| class="sortable wikitable" border="1" cellpadding="5" cellspacing="0"<br />
|-style="background-color:#DCDCDC;"<br />
!TDB File || API || Location || Info<br />
|-<br />
|account_policy.tdb || db || state || <br />
|-<br />
|autorid.tdb || db || state ||<br />
|-<br />
|brlock.tdb || db || lock || <br />
|-<br />
|connections.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|eventlog/*.tdb || tdb || state || <br />
|-<br />
|g_lock.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|gencache.tdb || tdb || lock || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|gencache_notrans.tdb || tdb || lock || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|group_mapping.tdb || db || state || <br />
|-<br />
|idmap2.tdb || db || private || <br />
|-<br />
|locking.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|login_cache.tdb || tdb || cache || <br />
|-<br />
|messages.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|mutex.tdb || tdb_wrap || lock || <br />
|-<br />
|netsamlogon_cache.tdb|| tdb || cache || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|notify.tdb || wrap_open || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|notify_onelevel.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|ntdrivers.tdb || tdb || state || <br />
|-<br />
|ntforms.tdb || tdb || state || <br />
|-<br />
|ntprinters.tdb || tdb || state || <br />
|-<br />
|passdb.tdb || db || private || <br />
|-<br />
|perfmon/data.tdb || tdb || state || <br />
|-<br />
|perfmon/names.tdb || tdb || state || <br />
|-<br />
|printer_list.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|printing/*.tdb || tdb || cache || <br />
|-<br />
|registry.tdb || db || state || <br />
|-<br />
|schannel_store.tdb || tdb_wrap || private || TDB_CLEAR_IF_FIRST<br />
|-<br />
|secrets.tdb || db || private || <br />
|-<br />
|serverid.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|sessionid.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|share_info.tdb || db || state || <br />
|-<br />
|winbindd_cache.tdb || tdb || cache || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|winbindd_idmap.tdb || tdb || state || <br />
|-<br />
|wins.tdb || tdb || state || TDB_CLEAR_IF_FIRST<br />
|-<br />
|xattr.tdb || db || state || <br />
|-<br />
| || || ||<br />
|-<br />
|torture.tdb || tdb || torture || Test TDB<br />
|-<br />
|test.tdb || tdb_wrap || torture || Test TDB<br />
|-<br />
|transtest.tdb || db || torture || Test TDB<br />
|}<br />
<br />
<br />
TDB_CLEAR_IF_FIRST means that Samba clears the TDB on each first open (for example after a reboot).<br />
* will only be cleared if the file is corrupt</div>BBaumbachhttps://wiki.samba.org/index.php?title=TDB_Locations&diff=5722TDB Locations2011-02-03T11:32:24Z<p>BBaumbach: </p>
<hr />
<div>List of Samba3 TDB files and their locations.<br />
<br />
{| class="sortable wikitable" border="1" cellpadding="5" cellspacing="0"<br />
|-style="background-color:#DCDCDC;"<br />
!TDB File || API || Location || Info<br />
|-<br />
|account_policy.tdb || db || state || <br />
|-<br />
|autorid.tdb || db || state ||<br />
|-<br />
|brlock.tdb || db || lock || <br />
|-<br />
|connections.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|eventlog/*.tdb || tdb || state || <br />
|-<br />
|g_lock.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|gencache.tdb || tdb || lock || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|gencache_notrans.tdb || tdb || lock || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|group_mapping.tdb || db || state || <br />
|-<br />
|idmap2.tdb || db || private || <br />
|-<br />
|locking.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|login_cache.tdb || tdb || cache || <br />
|-<br />
|messages.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|mutex.tdb || tdb_wrap || lock || <br />
|-<br />
|netsamlogon_cache.tdb|| tdb || cache || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|notify.tdb || wrap_open || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|notify_onelevel.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|ntdrivers.tdb || tdb || state || <br />
|-<br />
|ntforms.tdb || tdb || state || <br />
|-<br />
|ntprinters.tdb || tdb || state || <br />
|-<br />
|passdb.tdb || db || private || <br />
|-<br />
|perfmon/data.tdb || tdb || state || <br />
|-<br />
|perfmon/names.tdb || tdb || state || <br />
|-<br />
|printer_list.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|printing/*.tdb || tdb || cache || <br />
|-<br />
|registry.tdb || db || state || <br />
|-<br />
|schannel_store.tdb || tdb_wrap || private || TDB_CLEAR_IF_FIRST<br />
|-<br />
|secrets.tdb || db || private || <br />
|-<br />
|serverid.tdb || tdb_wrap || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|sessionid.tdb || db || lock || TDB_CLEAR_IF_FIRST<br />
|-<br />
|share_info.tdb || db || state || <br />
|-<br />
|winbindd_cache.tdb || tdb || cache || TDB_CLEAR_IF_FIRST*<br />
|-<br />
|winbindd_idmap.tdb || tdb || state || <br />
|-<br />
|wins.tdb || tdb || state || TDB_CLEAR_IF_FIRST<br />
|-<br />
|xattr.tdb || db || state || <br />
|-<br />
| || || ||<br />
|-<br />
|torture.tdb || tdb || torture || Test TDB<br />
|-<br />
|test.tdb || tdb_wrap || torture || Test TDB<br />
|-<br />
|transtest.tdb || db || torture || Test TDB<br />
|}<br />
<br />
* will only be cleared if the file is corrupt</div>BBaumbachhttps://wiki.samba.org/index.php?title=Client_specific_logging&diff=5684Client specific logging2011-01-05T12:41:53Z<p>BBaumbach: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a level 10 log file.<br />
<br />
There are different reasons for creating client specific log files:<br />
* If the error appears only on specific clients and you don't want to change the config for all clients.<br />
* If you're running Samba with many clients, level 10 logs can fill your disk space very quickly and slow down your system.<br />
<br />
<br />
Create a new config file /etc/samba/smb.conf.client-debug<br />
[global]<br />
# no log file size limitation<br />
max log size = 0<br />
# specific log file name<br />
log file = /var/log/samba/log.%I<br />
# set the debug level<br />
log level = 10<br />
# add the pid to the log<br />
debug pid = yes<br />
# add microsecond resolution to timestamp<br />
debug hires timestamp = yes<br />
<br />
Add the following line to your smb.conf at the end of the global section<br />
include = /etc/samba/smb.conf.client-%I<br />
<br />
To activate level 10 logging for e.g. client 192.168.0.123 create a symbolic link:<br />
ln -s /etc/samba/smb.conf.client-debug /etc/samba/smb.conf.client-192.168.0.123<br />
<br />
You do not have to restart all of Samba. When the client 192.168.0.123 connects to your Samba server, smbd includes the /etc/samba/smb.conf.client-192.168.0.123 config file and writes the debug information to /var/log/samba/log.192.168.0.123.<br />
These changes have no effect on clients other than 192.168.0.123. For additional clients you can simply create additional symlinks.<br />
<br />
<br />
<br />
To change the log level temporarily at runtime, you can use smbcontrol.<br />
# set debug level for all smbd<br />
smbcontrol smbd debug 10<br />
<br />
# set debug level for process with pid 12345<br />
smbcontrol 12345 debug 10<br />
<br />
# request debug level for process with pid 12345<br />
smbcontrol 12345 debuglevel</div>BBaumbachhttps://wiki.samba.org/index.php?title=Client_specific_logging&diff=5683Client specific logging2011-01-05T12:40:53Z<p>BBaumbach: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a level 10 log file.<br />
<br />
There are different reasons for creating client specific log files:<br />
* If the error appears only on specific clients and you don't want to change the config for all clients.<br />
* If you're running Samba with many clients, level 10 logs can fill your disk space very fast and slow down your system.<br />
<br />
<br />
Create a new config file /etc/samba/smb.conf.client-debug<br />
[global]<br />
# no log file size limitation<br />
max log size = 0<br />
# specific log file name<br />
log file = /var/log/samba/log.%I<br />
# set the debug level<br />
log level = 10<br />
# add the pid to the log<br />
debug pid = yes<br />
# add microsecond resolution to timestamp<br />
debug hires timestamp = yes<br />
<br />
Add the following line to your smb.conf at the end of the global section<br />
include = /etc/samba/smb.conf.client-%I<br />
<br />
To activate level 10 logging for e.g. client 192.168.0.123 create a symbolic link:<br />
ln -s /etc/samba/smb.conf.client-debug /etc/samba/smb.conf.client-192.168.0.123<br />
<br />
You do not have to restart all of Samba. When the client 192.168.0.123 connects to your Samba server, smbd includes the /etc/samba/smb.conf.client-192.168.0.123 config file and writes the debug information to /var/log/samba/log.192.168.0.123.<br />
These changes have no effect on clients other than 192.168.0.123. For additional clients you can simply create additional symlinks.<br />
<br />
<br />
<br />
To change the log level temporarily at runtime, you can use smbcontrol.<br />
#Set debug level for all smbd<br />
smbcontrol smbd debug 10<br />
<br />
# Set debug level for the process with pid 12345<br />
smbcontrol 12345 debug 10<br />
<br />
#Request debug level for process with pid 12345<br />
smbcontrol 12345 debuglevel</div>BBaumbachhttps://wiki.samba.org/index.php?title=Client_specific_logging&diff=5682Client specific logging2011-01-05T12:40:17Z<p>BBaumbach: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a level 10 log file.<br />
<br />
There are different reasons for creating client specific log files:<br />
* If the error appears only on specific clients and you don't want to change the config for all clients.<br />
* If you're running Samba with many clients, level 10 logs can fill your disk space very fast and slow down your system.<br />
<br />
<br />
Create a new config file /etc/samba/smb.conf.client-debug<br />
[global]<br />
# no log file size limitation<br />
max log size = 0<br />
# specific log file name<br />
log file = /var/log/samba/log.%I<br />
# set the debug level<br />
log level = 10<br />
# add the pid to the log<br />
debug pid = yes<br />
# add microsecond resolution to timestamp<br />
debug hires timestamp = yes<br />
<br />
Add the following line to your smb.conf at the end of the global section<br />
include = /etc/samba/smb.conf.client-%I<br />
<br />
To activate level 10 logging for e.g. client 192.168.0.123 create a symbolic link:<br />
ln -s /etc/samba/smb.conf.client-debug /etc/samba/smb.conf.client-192.168.0.123<br />
<br />
You do not have to restart all of Samba. When the client 192.168.0.123 connects to your Samba server, smbd includes the /etc/samba/smb.conf.client-192.168.0.123 config file and writes the debug information to /var/log/samba/log.192.168.0.123.<br />
These changes have no effect on clients other than 192.168.0.123. For additional clients you can simply create additional symlinks.<br />
<br />
<br />
<br />
To change the log level temporarily at runtime, you can use smbcontrol.<br />
#Set debug level for all smbd<br />
smbcontrol smbd debug 10<br />
<br />
# Set debug level for the process with pid 12345<br />
smbcontrol 12345 debug 10<br />
<br />
#Request debug level for process with pid 12345<br />
smbcontrol 12345 debuglevel</div>BBaumbachhttps://wiki.samba.org/index.php?title=Client_specific_logging&diff=5631Client specific logging2010-11-16T10:47:38Z<p>BBaumbach: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a level 10 log file.<br />
<br />
There are different reasons for creating client specific log files:<br />
* If the error appears only on specific clients and you don't want to change the config for all clients.<br />
* If you're running Samba with many clients, level 10 logs can fill your disk space very fast and slow down your system.<br />
<br />
<br />
Create a new config file /etc/samba/smb.conf.client-debug<br />
[global]<br />
# no log file size limitation<br />
max log size = 0<br />
# specific log file name<br />
log file = /var/log/samba/log.%I<br />
# set the debug level<br />
log level = 10<br />
# add the pid to the log<br />
debug pid = yes<br />
# add microsecond resolution to timestamp<br />
debug hires timestamp = yes<br />
<br />
Add the following line to your smb.conf at the end of the global section<br />
include = /etc/samba/smb.conf.client-%I<br />
<br />
To activate level 10 logging for e.g. client 192.168.0.123 create a symbolic link:<br />
ln -s /etc/samba/smb.conf.client-debug /etc/samba/smb.conf.client-192.168.0.123<br />
<br />
You do not have to restart all of Samba. When the client 192.168.0.123 connects to your Samba server, smbd includes the /etc/samba/smb.conf.client-192.168.0.123 config file and writes the debug information to /var/log/samba/log.192.168.0.123.<br />
These changes have no effect on clients other than 192.168.0.123. For additional clients you can simply create additional symlinks.</div>BBaumbachhttps://wiki.samba.org/index.php?title=Client_specific_logging&diff=5630Client specific logging2010-11-16T10:37:22Z<p>BBaumbach: </p>
<hr />
<div>When diagnosing a problem, Samba developers are likely to request a level 10 log file.<br />
<br />
There are different reasons for creating client specific log files:<br />
* If the error appears only on specific clients and you don't want to change the config for all clients.<br />
* If you're running Samba with many clients, level 10 logs can fill your disk space very fast and slow down your system.<br />
<br />
<br />
Create a new config file /etc/samba/smb.conf.client-debug<br />
[global]<br />
# no log file size limitation<br />
max log size = 0<br />
# specific log file name<br />
log file = /var/log/samba/log.%I<br />
# set the debug level<br />
log level = 10<br />
# add the pid to the log<br />
debug pid = yes<br />
# add microsecond resolution to timestamp<br />
debug hires timestamp = yes<br />
<br />
Add the following line to your smb.conf<br />
include = /etc/samba/smb.conf.client-%I<br />
<br />
To activate level 10 logging for e.g. client 192.168.0.123 create a symbolic link:<br />
ln -s /etc/samba/smb.conf.client-debug /etc/samba/smb.conf.client-192.168.0.123<br />
<br />
You do not have to restart all of Samba. When the client 192.168.0.123 connects to your Samba server, smbd includes the /etc/samba/smb.conf.client-192.168.0.123 config file and writes the debug information to /var/log/samba/log.192.168.0.123.<br />
These changes have no effect on clients other than 192.168.0.123. For additional clients you can simply create additional symlinks.</div>BBaumbach