TUTORIAL SAMBA 4

SAMBA 4: IMPLEMENT ACTIVE

TUTORIAL
DIRECTORY DOMAIN SERVICES
Master your Windows domain from the comfortable
JOHN LANE
familiarity of your Linux server.

S
amba is an open source implementation of the provisioning will fail (it writes a new one and wont
WHY DO THIS? protocols for user and resource management overwrite an existing one):
Administer Windows in a Windows network. It allows Unix-like $ rm /etc/samba/smb.conf
machines on a network operating systems such as Linux and OS X to share You should also ensure that your server is
without having to files and printers, and to authenticate and manage configured with a static IP address and has itself
abandon your Linux
working environment. users and resources in a Windows network. listed as its primary name server. If you need help
Learn one of the most The venerable version 3 series had long satisfied configuring this, our Network Configuration box
important features in the file sharing needs of many Linux systems, until explains what to do.
Samba 4. Microsoft introduced its Active Directory user and Interactive provisioning prompts for you to enter
resource management infrastructure. But version 4 the required information but offers default values
of Samba resolves this, because it is fully-compatible that are usually acceptable. The first question asks
with it. In this tutorial, well install the Samba Version 4 for a Realm, which is the domain suffix that Active
server and configure it as an Active Directory Domain Directory will apply to all hosts that join the domain.
Controller. Up-to-date distros should have updated The default value is the default search domain for
their Samba version, but you can always download your network, as defined in /etc/resolv.conf and
the latest sources from the samba.org website. Well converted to upper case letters (eg EXAMPLE.COM)
PRO TIP use the Trusty Tahr Ubuntu Server, version 14.04, as and its fine to accept this suggestion.
Implementing Samba its a long term support release that includes Samba You will also be asked to choose a DNS Backend.
requires root privileges.
sudo -i gives you a root 4.1.6 in its repositories. This makes installation Samba requires a DNS server and implements one
prompt. straightforward as root: internally if you accept the default SAMBA_INTERNAL
$ apt-get install samba smbclient option. This should be suitable for most uses but you
We also installed smbclient, the command line can use an external BIND DNS server if you prefer.
Samba client. Well use it to help test our server. The provisioning tool asks two questions that
Ubuntus Samba package automatically starts the require non-default answers. You need to supply:
daemons upon installation. Were about to reconfigure The DNS Forwarder Address: the IP address of
it, so stop them now: another DNS on your network, such as another
$ stop smbd name server defined in /etc/resolv.conf;
$ stop nmbd An Administrator Password of your choosing that is
Sambas main administration tool, samba-tool, is suitably complex it needs to have least eight
A new server hasnt got used to provision (set up) a new domain controller. characters containing three of these four kinds:
much to share, but theres You need to remove the pre-installed default Samba lower-case letters, upper-case letters, digits and
no harm in looking. configuration file before you begin otherwise symbols. Well use Pa$$w0rd in this tutorial; you
should use something different.
Provisioning can be as simple as:
$ samba-tool domain provision --interactive
however, its best to add some optional arguments to
gain some additional benefits:
$ samba-tool domain provision --interactive --use-rfc2307
--use-xattrs=yes
The --use-rfc2307 argument configures Active
Directory so that it can store Unix user attributes, and
this makes it possible to authenticate Linux users
with Samba. The second argument allows Samba
to support access control lists. These are lists of
permissions that augment the basic user, group and
others entitlements. Windows makes extensive use
of them.
To support access control lists, the Linux kernel
and any filesystem that you want to use with Samba

92 www.linuxvoice.com
 SAMBA 4 TUTORIAL

need to have extended attribute (abbreviated to

xattr) support. You should be fine with the ext4 What is Active Directory?
filesystem, but options for various other filesystems Active Directory, or its more complete and is managed by a Directory System Agent (DSA)
are explained at https://wiki.samba.org/index.php/ up-to-date name, Active Directory Domain and can be accessed using the Lightweight
OS_Requirements. Youll also need the attr and acl Services, (ADDS) is a scalable, secure, and Directory Access Protocol (LDAP); there are
packages. Ubuntu 14.04 includes all of this by default. manageable infrastructure for user and also ADSI, MAPI and Security Accounts
You can start Samba when provisioning completes; resource management. Manager (SAM) interfaces. The objects are
A server that provides ADDS has the ADDS either resources or security principals,
the Ubuntu-specifc way to do this is to use Upstart: Server Role and is called a domain controller. the latter having unique Security Identifiers
$ start samba-ad-dc Its responsibilities include authentication (SIDs). Unlike the earlier Windows NT domain
but you can instead run the daemon directly, a and authorisation of users and computers controllers, its possible for there to be multiple
distro-agnostic approach that is also useful when in a Windows network, the assignment and servers with the ADDS role, all accepting read/
testing: to run it in the foreground with debug logging enforcement of security policies and installing write operations and replicating changes to
and updating software. The directory part remain in sync.
you can use: refers to a listing of objects. Its a database that ADDS uses Kerberos for authentication.
$ samba -i -d 2 -M single
These, and many other, command line options are
documented on the daemons manual page (man 8 Default principal: [email protected]
samba).
With Samba running, you can exercise the DNS to Valid starting Expires Service principal
ensure it returns the expected results: 16/09/14 12:42:07 16/09/14 22:42:07 krbtgt/EXAMPLE.COM@
$ host -t SRV _ldap._tcp.example.com EXAMPLE.COM
_ldap._tcp.example.com has SRV record 0 100 389 samba. renew until 17/09/14 12:41:56
example.com. We can use the Samba client tool to browse our
$ host -t SRV _kerberos._udp.example.com domains shares. We can list them and connect to
PRO TIP
_kerberos._udp.example.com has SRV record 0 100 88 samba. them to see their contents (youll need to enter the
If you want to use less
example.com. password that you chose during provisioning). secure passwords:
$ host -t A samba.example.com $ smbclient -L localhost -U% samba-tool domain
samba.example.com has address 10.0.100.1 $ smbclient //localhost/sysvol -UAdministrator%Pa$$w0rd -c ls passwordsettings set
--complexity=off
You may have seen the notification when the Another way to access shares is to mount them
provisioning completed that a Kerberos configuration using the cifs filesystem:
suitable for Samba 4 has been generated. Kerberos $ mount -t cifs -o username=Administrator,password=Pa$$w0
is the authentication protocol used by Active Directory rd //samba/sysvol /mnt
and the generated configuration allows you to interact
with Sambas Kerberos services. Doing so is optional Serving time
but useful for testing. If you want to use it, copy it into Participants in an Active Directory domain work best
place and install the Kerberos client utilities: when they have synchronised time clocks because PRO TIP
$ cp /var/lib/samba/private/krb5.conf /etc Active Directory uses Kerberos for authentication, and Borked install? Just
delete /etc/samba/smb.
$ apt-get install krb5-user this is extremely time-sensitive. There is an allowed conf and /var/lib/samba/
You can then run some basic Kerberos tests (the tolerance of five minutes and any more than this will private and start over.
Samba server needs to be running): result in denied access. Its also essential if you have
# kinit [email protected] multiple servers because directory replication relies on
Password for [email protected]: synchronised clocks. Implementing a time server will
# klist allow clients attempting to connect to our server to
Ticket cache: FILE:/tmp/krb5cc_0 synchronise their clocks from it.
Microsoft uses an extension to the standard
Network Time Protocol that uses signed timestamps.
It calls this the Windows Time Service. The standard
ntpd time server can provide such times by having
Samba sign its timestamps. Install the daemon from
the repository:
$ apt-get install ntp
Modify the configuration file so that ntpd asks
Samba to sign its timestamps. You need to define
the socket where the signing agent listens and add
a server restriction so that requests get signed by
default. If youre using a virtual server, such as LXC,
you can replace the whole /etc/ntp.conf with the
following example, otherwise amend your existing
configuration so that it includes the last two lines.
Installing RSAT is not enough: you must also use Turn Restart the daemon after making your changes
Windows Features On Or Off to enable it. (service ntp restart).

www.linuxvoice.com 93
 TUTORIAL SAMBA 4

server, say within a few seconds, otherwise errors

Network configuration may be reported that bear no relationship to the real
Your Samba server needs a static IP address there are various ways to do this. One way on problem and you will not be able to authenticate.
and it should be configured to use Samba as Ubuntu is to add it to /etc/resolvconf/resolv. The Windows time service will keep the clocks
its primary DNS name server. You can use a conf.d.head like this: synchronised once the client becomes a domain
static IP configuration to achieve this by nameserver 10.0.100.1
member. Well assume you know how to make these
editing /etc/network/interfaces.d/eth0.cfg You should also set a host name in /etc/
so that it reads like this: hostname and its fully-qualified domain tweaks or know a Windows tech who does.
auto eth0 name in /etc/hosts. Were using samba. Now, to add the client to the domain, go to Start
iface eth0 inet static example.com so our /etc/hostname file > Computer > Right-click > Properties > Change
address 10.0.100.1 contains just the host name, like this: Settings. This will display the System Properties
netmask 255.0.0.0 samba
dialog, where you should click on the Change
gateway 10.0.0.138 and our /etc/hosts file contains a line like
dns-nameservers 10.0.100.1 10.0.0.138 this: button and then select Domain in the Member Of
dns-search example.com 127.0.1.1 samba.example.com samba section and enter the Samba domain name before
Youll need to use values appropriate to The easiest way to ensure your network pressing OK. This should request the administrator
your own network. Our servers interface settings take effect is to reboot after making account credentials (the username is Administrator
is eth0 but yours may be different and you them so that the \etc\resolv.conf file that
and password is Pa$$w0rd if youve followed our
should use your own domain name and an IP DNS relies on is updated. You can then
address appropriate to your network. confirm your settings: example settings). It should finish by welcoming you
You can use DHCP if you prefer but you $ hostname to the domain and asking you to restart the computer.
will need to make sure that your DHCP samba Log in as your domain administrator, (EXAMPLE\
server always assigns the same IP address $ hostname -f Administrator), when Windows restarts. You can
to your network interface. You can get your samba.example.com
now test NTP. Open a command prompt window as
networks interface (MAC address) by doing: $ cat /etc/resolv.conf
$ cat /sys/class/net/eth0/address nameserver 10.0.100.1
the Administrator (click the Start button, type cmd
Youll need to prepend the settings supplied nameserver 10.0.0.138 and then right-click the cmd icon that appears in the
by DHCP with the local DNS server entry and search example.com search results to select Run As Administrator) and
then:
C:\> w32tm /resync
server 127.127.1.0 Sending resync command to local computer
fudge 127.127.1.0 stratum 12 The command completed successfully.
ntpsigndsocket /var/lib/samba/ntp_signd/ So, we now have Active Directory Domain Services
restrict default mssntp and have joined a client to the domain. What does
Our example uses 127.127.1.0 as a time server that give us? Well, we can now use Windows tools to
PRO TIP address. This is a pseudo-address that NTP administer our domain, but you need to download the
Reload Sambas config recognises as its own local clock and synchronises Remote Server Administration Tools and install them.
without restarting:
with itself. This is sufficient inside a virtual server Do this while youre still logged in to your Windows
smbcontrol all reload-
config. Sanity check it whose clock is controlled by the VPS host. desktop see http://bit.ly/ms-rsat.
with testparm. The ntpsigndsocket entry defines the path to the The Remote Server Administration Tools include
directory where Samba places the socket file on a tool called Active Directory Users And Computers
which it will listen for signing requests. The path is that you can use for your admin tasks. Run this, as an
determined by Sambas configuration and you can administrator, via the Start button: search for dsa.msc
confirm the correct path with: (this is the name of the relevant executable file that
$ samba-tool testparm --verbose --suppress-prompt | grep ntp you need to run). The Action menu lists the various
signd socket directory administrative actions that you can perform, such as
ntp signd socket directory = /var/lib/samba/ adding a new user.
ntp_signd You can also perform these tasks using the Samba
PRO TIP Samba creates the socket directory but you should command line tools if you prefer that way of doing
ntp_signd is a compile- ensure that it is writeable by the ntpd daemon, which things. The Samba administration utility is called
time option. If signed
requests do not work you usually runs as ntp:ntp. You should change the
may need to rebuild ntpd directorys group to match:
from source. This isnt the $ chgrp ntp /var/lib/samba/ntp_signd
case with Ubuntu 14.04.
Unfortunately there is no tool to test NTP
authentication from Linux but we can do so when we
connect our first Windows client to our Samba server.
The following examples assume that you have a
clean install of Windows 7, and bear in mind that you
cant join a domain from the Starter or Home editions
although youll still be able to access shares.
There are a couple of prerequisites before a client
can join the domain. The first is that it must use the Whatever your preference, you can get your admin done:
Samba servers DNS. The second requirement is for you can use the native Windows tools or the various Linux
its clock to be reasonably consistent with the Samba command line alternatives.

94 www.linuxvoice.com
 SAMBA 4 TUTORIAL

samba-tool, and you can use it to add users like this: Roaming profiles link
$ samba-tool user create myuser to the [profiles] share
This creates a user but doesnt enrich it with configured in smb.conf.
The \%U in the path will
supplementary data that can be stored in Active
be replaced with the
Directory, such as their name and phone number, but
username.
you can use the pdbedit command line tool for that:
$ pdbedit --username myuser --modify --fullname My User
You can edit common user attributes with pdbedit
but there are many more attributes in the directory
that you can access. Youll need a basic grasp of how
LDAP stores data and youll need the LDAP Database
Tools to access it. Install the tools and try some
queries:
$ apt-get install ldb-tools
$ ldbsearch -H /var/lib/samba/private/sam.ldb -b CN=myuser,CN
=Users,DC=example,DC=com
$ ldbsearch -H /var/lib/samba/private/sam.ldb -b
CN=Users,DC=example,DC=com samaccountname=myuser $ id myuser
The first argument points at Sambas database uid=3000021(EXAMPLE\myuser) gid=100(users)
your Active Directory. The second argument is the groups=100(users)
Distinguished Name (DN) to search within (a DN is Domain users have high-numbered UIDs that are
what uniquely identifies a record in LDAP and the base assigned by Active Directory. You can modify this (or
DN specifies where to start the search). What follows any other LDAP attribute) using ldbedit but theyre
the arguments is an expression that selects records kept separately from the main directory. You need a
from the database and fields from those records. If users Security Identifier, or SID, to find them. The SID
the expression is omitted then everything beneath the is another way that Active Directory uniquely identifies
base DN is returned. See man ldapsearch for more. a user. The commands you need are:
PRO TIP
Use your preferred method to try adding a user now, $ wbinfo --name-to-sid myuser
If you have Apparmor on
well make use of myuser in the following examples. If S-1-5-21-3373576103-2381685468-725138442-1109 your server, check that
you need to edit your users record then ldbedit gives SID_USER (1) its configuration allows
you direct edit access to the directory. Be careful not $ ldbedit -H /var/lib/samba/private/idmap.ldb cn=S-1-5-21- access to the Samba
socket (it does on
to alter any internal Active Directory data. You can edit 3373576103-2381685468-725138442-1109 Ubuntu 14.04). See
a user like this: The field that you need to change is xidNumber; /etc/apparmor.d/usr.sbin.
$ ldbedit -H /var/lib/samba/private/sam.ldb -b you can set this to the desired uid value. You only ntpd.
CN=Users,DC=example,DC=com samaccountname=myuser really need to do this when moving existing users
from /etc/passwd into the directory.
Linux login You can try logging in as the user you created
We recommended adding a --use-rfc2307 option earlier, for example:
when provisioning the Samba server. RFC2307 is an $ ssh myuser@my_linux_box
internet standard that Active Directory implements so
that it can store Unix attributes like usernames and When in Roam
PRO TIP
passwords in a standard way. The provisioning option File and print sharing works exactly as it does when
From a Windows
instructs Samba to do similarly and this allows us to Samba is used in the classic, non-Active Directory, command line, use
use Samba to authenticate users that log in to our way by writing stanzas in smb.conf. One thing that a ipconfig /all to check
Linux machines. Microsofts Active Directory domain controller adds to this is Roaming Profiles. network settings such
as DNS.
implementation calls this Identity Management for This feature enables your domain users to log in to
UNIX. If you want to authenticate users in this way, Windows clients and download their user profile
their computers need winbind, a daemon that looks directory. Think about your users habits before
up usernames and passwords in Active Directory. You enabling roaming profiles. Because they are
need to install it, along with libraries that link it into the downloaded and uploaded inefficiently, users storing
authentication process: large amounts of data in their profile can put undue
$ apt-get winbind libnss-winbind libpam-winbind pressure on your Samba server.
NSS is the Name Service Switch and you need to Theres much more to Active Directory than weve
configure it to use winbind as a data source by adding covered here, but you should be able to get your first
it after the options already in place. Our modified server up and running and save yourself from one
Ubuntu /etc/nsswitch.conf looks like this: more proprietary server.
passwd: compat winbind
group: compat winbind
John Lane provides technical solutions to business
You can test these using getent passwd and getent
problems. He has yet to find anything that Linux cant solve.
group, and you can look up your user with id:

www.linuxvoice.com 95