Samba: Difference between revisions

Tgurr (talk | contribs)
No edit summary
Tgurr (talk | contribs)
No edit summary
 
(19 intermediate revisions by the same user not shown)
Line 9: Line 9:
net-nds/openldap kerberos samba
net-nds/openldap kerberos samba
net-fs/samba -cups addns ads ldap winbind
net-fs/samba -cups addns ads ldap winbind
</pre>
}}
== Packages ==
{{Code|emerge samba -pv|
<pre>
[ebuild  N    ] dev-libs/iniparser-3.0b-r2  USE="-examples -static-libs" 26 kB
[ebuild  N    ] sys-apps/keyutils-1.4-r1  39 kB
[ebuild  N    ] dev-libs/libgpg-error-1.10  USE="nls -common-lisp -static-libs" 429 kB
[ebuild  N    ] app-text/build-docbook-catalog-1.6  4 kB
[ebuild  N    ] dev-libs/libgcrypt-1.5.0_beta1-r2  USE="-static-libs" 1,146 kB
[ebuild  N    ] app-text/docbook-xsl-stylesheets-1.76.1  3,597 kB
[ebuild  N    ] app-crypt/mit-krb5-1.9-r4  USE="keyutils pkinit threads -doc -openldap -test -xinetd" 11,610 kB
[ebuild  N    ] dev-libs/libxslt-1.1.26-r1  USE="crypt python -debug" 3,322 kB
[ebuild  N    ] virtual/krb5-0  0 kB
[ebuild  N    ] sys-libs/tdb-1.2.7-r1  USE="python -static-libs -tdbtest -tools" 443 kB
[ebuild  N    ] sys-libs/talloc-2.0.5  USE="python -compat" 357 kB
[ebuild  N    ] net-nds/openldap-2.4.24  USE="berkdb crypt ipv6 kerberos perl samba ssl tcpd -cxx -debug -experimental -gnutls -icu -iodbc -minimal -odbc -overlays -sasl (-selinux) -slp -smbkrb5passwd -syslog" 5,118 kB
[ebuild  N    ] net-fs/samba-3.5.8-r1  USE="acl addns ads aio client ldap netapi pam readline server smbclient winbind -avahi -caps -cluster -cups -debug -doc -examples -fam -ldb -quota -smbsharemodes -smbtav2 -swat -syslog" 30,014 kB
</pre>
</pre>
}}
}}
Line 35: Line 16:


== Configuration ==
== Configuration ==
{{File|/etc/krb5.conf|
See [[kerberos]] for the required kerberos configuration.
<pre>
[libdefaults]
        ticket_lifetime = 600
        default_realm = YOURDOMAIN.LOCAL
 
[realms]
        YOURDOMAIN.LOCAL = {
        kdc = domaincontroller.yourdomain.local:88
        admin_server = domaincontroller.yourdomain.local:464
        }
 
[domain_realm]
        .yourdomain.local = YOURDOMAIN.LOCAL
 
[kdc]
        profile = /etc/krb5kdc/kdc.conf
 
[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
</pre>
}}


{{File|/etc/conf.d/samba|
{{File|/etc/conf.d/samba|
Only needed when not using systemd (e.g. Gentoo sysvinit/baselayout)
<pre>
<pre>
daemon_list="smbd nmbd winbind"
daemon_list="smbd nmbd winbind"
</pre>
</pre>
}}
}}


{{File|/etc/samba/smb.conf|
{{File|/etc/samba/smb.conf|
Line 76: Line 35:
         security = ADS
         security = ADS
         encrypt passwords = yes
         encrypt passwords = yes
        password server = domaincontroller.yourdomain.local
         client use spnego = yes
         client use spnego = yes
         idmap uid = 15000-20000
         idmap config * : backend = tdb
         idmap gid = 15000-20000
        idmap config * : range = 1000000 - 1999999
        idmap config YOURDOMAIN : backend = rid
         idmap config YOURDOMAIN : range = 15000 - 49999
         winbind use default domain = yes
         winbind use default domain = yes
         wins server = xxx.xxx.xxx.xxx
         wins server = xxx.xxx.xxx.xxx
         dos charset = 850
         dos charset = 850
         unix charset = UTF-8
         unix charset = UTF-8
        log level = 3
        min protocol = SMB2
        client max protocol = SMB3
        rpc_server:epmapper = daemon
        domain master = no
        local master = no
        preferred master = no
        os level = 0
        # printing disabled
        load printers = no
        printcap name = /dev/null
        disable spoolss = yes
        # printing enabled
        load printers = yes
        printing = cups
        printcap name = cups
        disable spoolss = no


include = /etc/samba/shares.conf
include = /etc/samba/shares.conf
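Review bot: The new [global] lines set `load printers`, `printcap name` and `disable spoolss` twice, once under "# printing disabled" and again under "# printing enabled"; smb.conf keeps the last occurrence of a repeated parameter, so the disabled block is silently overridden and the effective configuration is `load printers = yes`, `printing = cups`, `disable spoolss = no`. Only one of the two blocks should be active: prefix every line of the unwanted one with `#` (e.g. `#load printers = yes`) or move it to a comment that says "alternative". Given the `-cups` USE flag earlier on the page the disabled variant is presumably the intended one, but that is an inference. The `[global]` header that encloses these lines lies outside the hunk.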
Line 89: Line 68:
}}
}}


{{File|/etc/samba/shares.conf|
You only need this when not using [[SSSD]].
<pre>
[testshare]
        comment = Testshare
        path = /mnt/testshare
        valid users = YOURDOMAIN\username, @YOURDOMAIN\groupname
        writeable = No
        guest ok = Yes
        browseable = Yes
</pre>
}}
 
{{File|/etc/nsswitch.conf|
{{File|/etc/nsswitch.conf|
<pre>
<pre>
Line 116: Line 84:


{{Root|rc-update add samba default}}
{{Root|rc-update add samba default}}
== Testing ==
Show information about the domain.
{{Root|net ads info}}
Show online status of the domain.
{{Root|wbinfo --online-status}}
Show current DC.
{{Root|wbinfo --getdcname YOURDOMAIN.LOCAL}}
Verify that the workstation trust account is working.
{{Root|wbinfo -t}}
List domain users.
{{Root|wbinfo -u}}
List domain groups.
{{Root|wbinfo -g}}
== Creating a share ==
{{File|/etc/samba/shares.conf|
<pre>
[testshare]
        comment = Testshare
        path = /mnt/storage/testshare
        valid users = YOURDOMAIN\username, @YOURDOMAIN\groupname
        write list = @YOURDOMAIN\groupname
        writeable = No
        guest ok = Yes
        browseable = Yes
        force create mode = 0775
        force directory mode = 0775
</pre>
}}
{{Root|cd /mnt/storage/}}
{{Root|chown root:domain-users testshare}}
{{Root|chmod chmod 0775 testshare}}


== Further Reading ==
== Further Reading ==
*[[Squid]] - Authentificate Squid users against ADS
*[[Squid]] - Authenticate Squid users against ADS
*[[pam_krb5]] - Authentificate System users against ADS
*[[kerberos]] - Kerberos configuration for authenticating users against ADS
*[[not available yet]] - Manage your Samba shares in a MySQL database and administer them via a webinterface
*[[SSSD]] - Authenticate system users against ADS
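Review bot: The last step under "Creating a share", `chmod chmod 0775 testshare`, repeats the command name and fails as written; it should read `chmod 0775 testshare`. In the new [testshare] block, `guest ok = Yes` sits next to a `valid users` list of domain accounts, which signals that anonymous access is not intended; `guest ok = No` is the clearer and safer setting there, and as far as I can tell a guest connection would not satisfy the valid users restriction anyway. Consider also using the same lowercase `yes`/`no` spelling as in smb.conf so the two files read consistently.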

Latest revision as of 11:49, 29 June 2017

Description

This is a short howto about connecting a Linux machine via Samba to a Windows ADS domain.

Dependencies

USE-Flags

File: /etc/portage/package.use
# USE flags for an AD member server: ads (Active Directory), addns (AD DNS
# integration), ldap and winbind. -cups leaves printing support out, so the
# "printing disabled" variant of the smb.conf printing block is the matching one.
net-nds/openldap kerberos samba
net-fs/samba -cups addns ads ldap winbind

Installation

# emerge samba

Configuration

See kerberos for the required kerberos configuration.

File: /etc/conf.d/samba

Only needed when not using systemd (e.g. Gentoo sysvinit/baselayout)

daemon_list="smbd nmbd winbind"


File: /etc/samba/smb.conf
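# /etc/samba/smb.conf -- domain member of YOURDOMAIN.LOCAL (Active Directory).
# Comment lines start with '#'. Samba takes the LAST value of a repeated
# parameter, so never list a setting twice within [global].
[global]
        workgroup = YOURDOMAIN
        netbios name = HOSTNAME
        server string = HOSTNAME
        realm = YOURDOMAIN.LOCAL
        # Kerberos/AD member mode; requires a prior "net ads join".
        security = ADS
        # Already the default; kept for clarity.
        encrypt passwords = yes
        client use spnego = yes
        # Fallback idmap backend for SIDs not covered by a domain-specific block.
        # tdb allocates ids from this range on first use.
        idmap config * : backend = tdb
        idmap config * : range = 1000000 - 1999999
        # YOURDOMAIN accounts get deterministic ids derived from the RID.
        # The two ranges must not overlap.
        idmap config YOURDOMAIN : backend = rid
        idmap config YOURDOMAIN : range = 15000 - 49999
        # Domain users appear as "username" rather than "YOURDOMAIN\username";
        # such names can collide with local accounts in /etc/passwd.
        winbind use default domain = yes
        # Placeholder: replace with the WINS server IP, or remove if none is used.
        wins server = xxx.xxx.xxx.xxx
        dos charset = 850
        unix charset = UTF-8
        # 3 is verbose (handy while setting up the join); lower it afterwards.
        log level = 3
        # Do not negotiate SMB1.
        min protocol = SMB2
        client max protocol = SMB3
        rpc_server:epmapper = daemon
        # Never take part in or win browser elections.
        domain master = no
        local master = no
        preferred master = no
        os level = 0

        # Printing -- exactly ONE of the two blocks below may be active.
        # printing disabled (matches the -cups USE flag in package.use)
        load printers = no
        printcap name = /dev/null
        disable spoolss = yes

        # printing enabled (needs samba built with cups support); uncomment
        # these four lines and comment out the three above to use it
        #load printers = yes
        #printing = cups
        #printcap name = cups
        #disable spoolss = no

# Share definitions are kept in a separate file.
include = /etc/samba/shares.conf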

You only need this when not using SSSD.

File: /etc/nsswitch.conf
# Resolve local accounts first (compat), then domain accounts through winbind.
passwd:      compat winbind
shadow:      compat winbind
group:       compat winbind

Join the ADS Domain

# net ads join -U Administrator

and enter the domain-administrator password.

Finalize

# /etc/init.d/samba start
# rc-update add samba default

Testing

Show information about the domain.

# net ads info

Show online status of the domain.

# wbinfo --online-status

Show current DC.

# wbinfo --getdcname YOURDOMAIN.LOCAL

Verify that the workstation trust account is working.

# wbinfo -t

List domain users.

# wbinfo -u

List domain groups.

# wbinfo -g

Creating a share

File: /etc/samba/shares.conf
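# Example share restricted to the listed domain accounts.
[testshare]
        comment = Testshare
        # Must exist; ownership and mode are set in the chown/chmod steps below.
        path = /mnt/storage/testshare
        # Only these accounts may connect ("@" prefixes a group).
        valid users = YOURDOMAIN\username, @YOURDOMAIN\groupname
        # Members of this group may write although the share defaults to read-only.
        write list = @YOURDOMAIN\groupname
        writeable = no
        # No anonymous access: the share is meant for authenticated domain users.
        # Set to yes only if guest access is really wanted.
        guest ok = no
        browseable = yes
        # New files and directories get at least these permission bits.
        force create mode = 0775
        force directory mode = 0775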
# cd /mnt/storage/
# chown root:domain-users testshare
# chmod 0775 testshare

Further Reading

  • Squid - Authenticate Squid users against ADS
  • kerberos - Kerberos configuration for authenticating users against ADS
  • SSSD - Authenticate system users against ADS