Samba: Difference between revisions

Tgurr (talk | contribs)
No edit summary
Tgurr (talk | contribs)
No edit summary
 
(31 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Description ==
This is a short howto about connecting a Linux machine via Samba to an Windows ADS Domain.
== Dependencies ==
== USE-Flags ==
== USE-Flags ==
{{Box File|/etc/portage/package.use|
{{File|/etc/portage/package.use|
<pre>
<pre>
net-fs/samba -cups acl ads ldap winbind
net-nds/openldap kerberos samba
net-nds/openldap kerberos samba
net-fs/samba -cups addns ads ldap winbind
</pre>
</pre>
}}
}}


== Packages ==
== Installation ==
{{Box Code|emerge samba -pv|
{{Root|emerge samba}}
<pre>
[ebuild  N    ] app-crypt/mit-krb5-1.6.3-r1  USE="ipv6 -doc -krb4 -tcl" 11,636 kB
[ebuild  N    ] net-nds/openldap-2.3.41  USE="berkdb crypt gdbm ipv6 kerberos perl samba ssl tcpd -debug -minimal -odbc -overlays -sasl (-selinux) -slp -smbkrb5passwd" 3,712 kB
[ebuild  N    ] sys-apps/attr-2.4.41  USE="nls" 112 kB
[ebuild  N    ] sys-apps/acl-2.2.47  USE="nls (-nfs)" 152 kB
[ebuild  N    ] net-fs/samba-3.0.28a  USE="acl ads ipv6 ldap pam python readline winbind -async -automount -caps -cups -doc -examples -fam -quotas (-selinux) -swat -syslog" LINGUAS="-ja -pl" 17,747 kB
</pre>
}}


{{Codeline|# emerge samba}}
== Configuration ==
See [[kerberos]] for the required kerberos configuration.


{{Box File|/etc/krb5.conf|
{{File|/etc/conf.d/samba|
Only needed when not using systemd (e.g. Gentoo sysvinit/baselayout)
<pre>
<pre>
[libdefaults]
daemon_list="smbd nmbd winbind"
        ticket_lifetime = 600
        default_realm = YOURDOMAIN.LOCAL
 
[realms]
        YOURDOMAIN.LOCAL = {
        kdc = domaincontroller.yourdomain.local:88
        admin_server = domaincontroller.yourdomain.local:464
        }
 
[domain_realm]
        .yourdomain.local = YOURDOMAIN.LOCAL
 
[kdc]
        profile = /etc/krb5kdc/kdc.conf
 
[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
</pre>
</pre>
}}
}}


{{Box File|/etc/conf.d/samba|
<pre>
daemon_list="smbd nmbd winbind"
</pre>
}}


{{Box File|/etc/samba/smb.conf|
{{File|/etc/samba/smb.conf|
<pre>
<pre>
[global]
[global]
Line 61: Line 35:
         security = ADS
         security = ADS
         encrypt passwords = yes
         encrypt passwords = yes
        password server = domaincontroller.yourdomain.local
         client use spnego = yes
         client use spnego = yes
         idmap uid = 15000-20000
         idmap config * : backend = tdb
         idmap gid = 15000-20000
        idmap config * : range = 1000000 - 1999999
        idmap config YOURDOMAIN : backend = rid
         idmap config YOURDOMAIN : range = 15000 - 49999
         winbind use default domain = yes
         winbind use default domain = yes
         wins server = xxx.xxx.xxx.xxx
         wins server = xxx.xxx.xxx.xxx
         dos charset = 850
         dos charset = 850
         unix charset = UTF-8
         unix charset = UTF-8
        log level = 3
        min protocol = SMB2
        client max protocol = SMB3
        rpc_server:epmapper = daemon
        domain master = no
        local master = no
        preferred master = no
        os level = 0
        # printing disabled
        load printers = no
        printcap name = /dev/null
        disable spoolss = yes
        # printing enabled
        load printers = yes
        printing = cups
        printcap name = cups
        disable spoolss = no


include = /etc/samba/shares.conf
include = /etc/samba/shares.conf
Line 74: Line 68:
}}
}}


{{Box File|/etc/samba/smb.conf|
You only need this when not using [[SSSD]].
{{File|/etc/nsswitch.conf|
<pre>
<pre>
[testshare]
passwd:      compat winbind
        comment = Testshare
shadow:      compat winbind
        path = /mnt/testshare
group:      compat winbind
        read only = yes
        browseable = yes
        valid users = YOURDOMAIN\username
</pre>
</pre>
}}
}}


{{Box File|/etc/nsswitch.conf|
== Join the ADS Domain ==
{{Root|net ads join -U Administrator}} and enter the domain-administrator password.
 
== Finalize ==
{{Root|/etc/init.d/samba start}}
 
{{Root|rc-update add samba default}}
 
== Testing ==
Show information about the domain.
{{Root|net ads info}}
Show online status of the domain.
{{Root|wbinfo --online-status}}
Show current DC.
{{Root|wbinfo --getdcname YOURDOMAIN.LOCAL}}
Verify that the workstation trust account is working.
{{Root|wbinfo -t}}
List domain users.
{{Root|wbinfo -u}}
List domain groups.
{{Root|wbinfo -g}}
 
== Creating a share ==
{{File|/etc/samba/shares.conf|
<pre>
<pre>
passwd:      files winbind
[testshare]
shadow:      files winbind
        comment = Testshare
group:      files winbind
        path = /mnt/storage/testshare
        valid users = YOURDOMAIN\username, @YOURDOMAIN\groupname
        write list = @YOURDOMAIN\groupname
        writeable = No
        guest ok = Yes
        browseable = Yes
        force create mode = 0775
        force directory mode = 0775
</pre>
</pre>
}}
}}


{{Codeline|# net ads join -U Administrator}} and enter the domain-administrator password.
{{Root|cd /mnt/storage/}}
 
{{Root|chown root:domain-users testshare}}
{{Codeline|# /etc/init.d/samba start}}
{{Root|chmod chmod 0775 testshare}}


{{Codeline|# rc-update add samba default}}
== Further Reading ==
*[[Squid]] - Authenticate Squid users against ADS
*[[kerberos]] - Kerberos configuration for authenticating users against ADS
*[[SSSD]] - Authenticate system users against ADS
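Review bot: The new [global] block in the second hunk assigns `load printers`, `printcap name` and `disable spoolss` twice, once under "# printing disabled" and again under "# printing enabled"; smb.conf keeps the last value of a repeated parameter, so printing via cups is what actually takes effect, which contradicts the `-cups` USE flag added to package.use in the first hunk. Comment out the four lines of whichever block is not wanted (with the build flags shown, the "printing enabled" block, e.g. `# load printers = yes` and `# printing = cups`). In the shares.conf hunk, `guest ok = Yes` sits on a share that is restricted by `valid users`; with the default `map to guest = Never` it probably has no effect today, but it would grant anonymous reads if guest mapping is ever enabled in [global], so `guest ok = No` matches the intent. The same hunk's `chmod chmod 0775 testshare` repeats the command name and should read `chmod 0775 testshare`.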

Latest revision as of 11:49, 29 June 2017

Description

This is a short howto about connecting a Linux machine via Samba to a Windows ADS domain.

Dependencies

USE-Flags

File: /etc/portage/package.use
# ads/ldap/winbind give samba the Active Directory member and winbind NSS support used below;
# -cups leaves printing support out, so printing must stay disabled in smb.conf
net-nds/openldap kerberos samba
net-fs/samba -cups addns ads ldap winbind

Installation

# emerge samba

Configuration

See kerberos for the required kerberos configuration.

File: /etc/conf.d/samba

Only needed when not using systemd (e.g. Gentoo sysvinit/baselayout)

# daemons started by /etc/init.d/samba (OpenRC); only needed when not using systemd
daemon_list="smbd nmbd winbind"


File: /etc/samba/smb.conf
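[global]
        workgroup = YOURDOMAIN
        netbios name = HOSTNAME
        server string = HOSTNAME
        realm = YOURDOMAIN.LOCAL
        security = ADS
        # both are the defaults in current Samba releases; kept for older versions
        encrypt passwords = yes
        client use spnego = yes
        # the two idmap ranges must not overlap: "*" catches every domain not
        # configured explicitly, YOURDOMAIN maps RIDs into its own fixed range
        idmap config * : backend = tdb
        idmap config * : range = 1000000 - 1999999
        idmap config YOURDOMAIN : backend = rid
        idmap config YOURDOMAIN : range = 15000 - 49999
        winbind use default domain = yes
        # replace with the WINS server address, or drop the line if NetBIOS name
        # resolution is not needed
        wins server = xxx.xxx.xxx.xxx
        dos charset = 850
        unix charset = UTF-8
        # 3 is verbose (user and path names end up in the log); lower it once the
        # join works
        log level = 3
        # refuse SMB1 clients
        min protocol = SMB2
        client max protocol = SMB3
        rpc_server:epmapper = daemon
        # never compete with the domain controller in browser elections
        domain master = no
        local master = no
        preferred master = no
        os level = 0

        # printing disabled (samba is built with USE=-cups)
        load printers = no
        printcap name = /dev/null
        disable spoolss = yes

        # printing enabled: smb.conf takes the LAST value of a repeated parameter,
        # so these lines must stay commented out while the block above is in use
        # load printers = yes
        # printing = cups
        # printcap name = cups
        # disable spoolss = no

include = /etc/samba/shares.conf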

You only need this when not using SSSD.

File: /etc/nsswitch.conf
# local (compat) sources are consulted first, then winbindd for domain accounts;
# the uid/gid numbers winbind returns come from the idmap ranges in smb.conf
passwd:      compat winbind
shadow:      compat winbind
group:       compat winbind

Join the ADS Domain

# net ads join -U Administrator

and enter the domain-administrator password.

Finalize

# /etc/init.d/samba start
# rc-update add samba default

Testing

Show information about the domain.

# net ads info

Show online status of the domain.

# wbinfo --online-status

Show current DC.

# wbinfo --getdcname YOURDOMAIN.LOCAL

Verify that the workstation trust account is working.

# wbinfo -t

List domain users.

# wbinfo -u

List domain groups.

# wbinfo -g

Creating a share

File: /etc/samba/shares.conf
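[testshare]
        comment = Testshare
        path = /mnt/storage/testshare
        # domain users and groups allowed to connect; a leading @ denotes a group
        valid users = YOURDOMAIN\username, @YOURDOMAIN\groupname
        # read-only for everyone in valid users except members of the write list
        write list = @YOURDOMAIN\groupname
        writeable = No
        # no anonymous access: the share is restricted by valid users, and a
        # guest-ok share would hand out unauthenticated reads if map to guest is
        # ever enabled in [global]
        guest ok = No
        browseable = Yes
        # permission bits OR-ed into every file/directory created through the share
        force create mode = 0775
        force directory mode = 0775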
# cd /mnt/storage/
# chown root:domain-users testshare
# chmod 0775 testshare

Further Reading

  • Squid - Authenticate Squid users against ADS
  • kerberos - Kerberos configuration for authenticating users against ADS
  • SSSD - Authenticate system users against ADS