Samba4 provisioning

Hi, it's in the bag!! as JPS teaches us.

After compiling Samba4 on SL, we now need to "create" a domain and then join Windows machines to it; on top of that, we also want UNIX accounts on the same AD backend.

1) As always, read the "Samba AD DC HOWTO".

My configuration is:

Server Hostname: red.example.com
DNS Domain Name: smbdom.example.com
Realm: smbdom.example.com
Host IP: 192.168.100.2
NT4 Domain Name: smbdom
Server Role: DC

The configuration file smb.conf will be:

[global]
workgroup = SMBDOM
realm = smbdom.example.com
netbios name = RED
server role = active directory domain controller
dns forwarder = 8.8.8.8
security = AUTO
template shell = /bin/bash
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/smbdom.example.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[disco1]
path = /disco1
comment = Test Share
read only = no

[disco2]
path = /disco2
comment = Test Share
read only = no

2) PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin

3) Add "MANPATH /usr/local/samba/share/man" to /etc/man.config

4) man samba-tool

5) Provision the domain SMBDOM

[root@red ~]# samba-tool domain provision --realm=smbdom.example.com --domain=smbdom --adminpass=Penguin123 --server-role="domain controller" --host-name=red --host-ip=192.168.100.2

6) Check /etc/krb5.conf

[root@red ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SMBDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
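
One thing worth checking in this file, as an added example that is not part of the original post: the [libdefaults] realm is right, but the [realms] and [domain_realm] stanzas are still the distro's EXAMPLE.COM defaults, not SMBDOM.EXAMPLE.COM. kinit works anyway because dns_lookup_kdc = true lets libkrb5 find the DC through the SRV records Samba's DNS serves. MIT krb5, however, matches [domain_realm] by stripping leading hostname components, so the `.example.com = EXAMPLE.COM` rule also catches hosts under smbdom.example.com and sends them to a realm whose KDC (kerberos.example.com) is not the DC. The script below parses a krb5.conf and reports those three points; the realm name, the two sample files and the helper names are all assumptions of this example, not code from the post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a krb5.conf
# against the realm that samba-tool provisioned (SMBDOM.EXAMPLE.COM here).
# Needs only awk, tr and mktemp; works in dash and bash.

# krb5_get SECTION KEY FILE  -> print the value of KEY inside [SECTION]
krb5_get() {
    awk -v sect="[$1]" -v key="$2" '
        /^[ \t]*\[/ { insect = ($1 == sect); next }
        insect && index($0, "=") {
            n = index($0, "=")
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$3"
}

# krb5_has_realm REALM FILE  -> true if [realms] has a "REALM = {" stanza
krb5_has_realm() {
    case "$(krb5_get realms "$1" "$2")" in
        "{"*) return 0 ;;
        *)    return 1 ;;
    esac
}

# krb5_check REALM FILE -> prints findings; the exit status is a bitmask:
#   1 default_realm differs, 2 no way to find a KDC,
#   4 [domain_realm] sends the realm's own DNS domain to another realm
krb5_check() {
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    file=$2
    rc=0
    dr=$(krb5_get libdefaults default_realm "$file")
    if [ "$dr" != "$realm" ]; then
        echo "default_realm is '$dr', expected $realm"; rc=$((rc | 1))
    fi
    if krb5_has_realm "$realm" "$file"; then
        echo "[realms] has an explicit stanza for $realm"
    elif [ "$(krb5_get libdefaults dns_lookup_kdc "$file")" = "true" ]; then
        echo "no [realms] stanza for $realm; the KDC will be found via DNS SRV records"
    else
        echo "no [realms] stanza for $realm and dns_lookup_kdc is not true"; rc=$((rc | 2))
    fi
    # MIT krb5 matches [domain_realm] by stripping leading hostname components,
    # so walk the realm's DNS domain and every parent of it.
    d=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    while [ -n "$d" ]; do
        for cand in "$d" ".$d"; do
            m=$(krb5_get domain_realm "$cand" "$file")
            if [ -n "$m" ] && [ "$m" != "$realm" ]; then
                echo "[domain_realm] maps $cand to $m, so hosts in $realm are sent to the wrong realm"
                rc=$((rc | 4)); break 2
            fi
        done
        case $d in *.*) d=${d#*.} ;; *) d= ;; esac
    done
    return $rc
}

# Constructed sample 1: the distro-default file shown above ([logging] omitted)
write_page_krb5_conf() { cat > "$1" <<'EOF'
[libdefaults]
default_realm = SMBDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
EOF
}

# Constructed sample 2: modelled on the minimal krb5.conf that provisioning
# writes into the Samba private directory
write_minimal_krb5_conf() { cat > "$1" <<'EOF'
[libdefaults]
default_realm = SMBDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_page_krb5_conf "$tmp/krb5.page.conf"
    write_minimal_krb5_conf "$tmp/krb5.minimal.conf"
    for f in "$tmp"/krb5.*.conf; do
        echo "== $f"
        krb5_check smbdom.example.com "$f" || echo "   findings bitmask: $?"
    done
    rm -rf "$tmp"
}
demo
```

Run it on the real file as `krb5_check smbdom.example.com /etc/krb5.conf`; an exit status of 0 means nothing to fix. Provisioning also writes a minimal krb5.conf into the Samba private directory (/usr/local/samba/private/krb5.conf with this prefix), which the Samba AD DC HOWTO tells you to copy to /etc/krb5.conf; that file has no stale [realms] or [domain_realm] entries at all.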

7) Try to start Samba

[root@red ~]# samba -i -M single -d3
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
samba version 4.1.0pre1-GIT-10b96e3 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
NTPTR backend 'simple_ldb'
NTVFS backend 'default' for type 1 registered
NTVFS backend 'posix' for type 1 registered
NTVFS backend 'unixuid' for type 1 registered
NTVFS backend 'unixuid' for type 3 registered
NTVFS backend 'unixuid' for type 2 registered
NTVFS backend 'cifs' for type 1 registered
NTVFS backend 'smb2' for type 1 registered
NTVFS backend 'simple' for type 1 registered
NTVFS backend 'cifsposix' for type 1 registered
NTVFS backend 'default' for type 3 registered
NTVFS backend 'default' for type 2 registered
NTVFS backend 'nbench' for type 1 registered
PROCESS_MODEL 'single' registered
PROCESS_MODEL 'onefork' registered
PROCESS_MODEL 'prefork' registered
PROCESS_MODEL 'standard' registered
AUTH backend 'sam' registered
AUTH backend 'sam_ignoredomain' registered
AUTH backend 'anonymous' registered
AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered
AUTH backend 'name_to_ntstatus' registered
AUTH backend 'unix' registered
SHARE backend [classic] registered.
SHARE backend [ldb] registered.
ldb_wrap open of privilege.ldb
samba: using 'single' process model
DCERPC endpoint server 'rpcecho' registered
DCERPC endpoint server 'epmapper' registered
DCERPC endpoint server 'remote' registered
DCERPC endpoint server 'srvsvc' registered
DCERPC endpoint server 'wkssvc' registered
DCERPC endpoint server 'unixinfo' registered
DCERPC endpoint server 'samr' registered
DCERPC endpoint server 'winreg' registered
DCERPC endpoint server 'netlogon' registered
DCERPC endpoint server 'dssetup' registered
DCERPC endpoint server 'lsarpc' registered
DCERPC endpoint server 'backupkey' registered
DCERPC endpoint server 'spoolss' registered
DCERPC endpoint server 'drsuapi' registered
DCERPC endpoint server 'browser' registered
DCERPC endpoint server 'eventlog6' registered
DCERPC endpoint server 'dnsserver' registered
dreplsrv_partition[CN=Configuration,DC=smbdom,DC=example,DC=com] loaded
dreplsrv_partition[CN=Schema,CN=Configuration,DC=smbdom,DC=example,DC=com] loaded
dreplsrv_partition[DC=smbdom,DC=example,DC=com] loaded
dreplsrv_partition[DC=DomainDnsZones,DC=smbdom,DC=example,DC=com] loaded
dreplsrv_partition[DC=ForestDnsZones,DC=smbdom,DC=example,DC=com] loaded
ldb_wrap open of secrets.ldb
ldb_wrap open of idmap.ldb
kccsrv_partition[DC=smbdom,DC=example,DC=com] loaded
kccsrv_partition[CN=Configuration,DC=smbdom,DC=example,DC=com] loaded
kccsrv_partition[CN=Schema,CN=Configuration,DC=smbdom,DC=example,DC=com] loaded
kccsrv_partition[DC=DomainDnsZones,DC=smbdom,DC=example,DC=com] loaded
kccsrv_partition[DC=ForestDnsZones,DC=smbdom,DC=example,DC=com] loaded
Calling DNS name update script
Calling SPN name update script
/usr/local/samba/sbin/smbd: smbd version 4.1.0pre1-GIT-10b96e3 started.
/usr/local/samba/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2013
Defending name RED on 255.255.255.255 against 192.168.56.101
Defending name RED on 255.255.255.255 against 192.168.56.101
Defending name RED on 255.255.255.255 against 192.168.56.101
Name registration conflict from 10.0.2.2 for RED with ip 10.0.2.15 - rcode 6
Error registering RED with 10.0.2.15 on interface 10.0.2.255 - NT_STATUS_CONFLICTING_ADDRESSES
Name registration conflict from 10.0.2.2 for RED with ip 10.0.2.15 - rcode 6
Error registering RED with 10.0.2.15 on interface 10.0.2.255 - NT_STATUS_CONFLICTING_ADDRESSES
Name registration conflict from 10.0.2.2 for RED with ip 10.0.2.15 - rcode 6
Error registering RED with 10.0.2.15 on interface 10.0.2.255 - NT_STATUS_CONFLICTING_ADDRESSES
Defending name SMBDOM on 255.255.255.255 against 192.168.56.101
Name registration conflict from 10.0.2.2 for SMBDOM with ip 10.0.2.15 - rcode 6
Error registering SMBDOM with 10.0.2.15 on interface 10.0.2.255 - NT_STATUS_CONFLICTING_ADDRESSES
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/RED
Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/RED
schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/RED
schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/RED
Could not determine hostname for target computer, cannot use kerberos
Got NTLMSSP neg_flags=0x60088235
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
Got user=[RED$] domain=[SMBDOM] workstation=[RED] len1=24 len2=162
auth_check_password_send: Checking password for unmapped user [SMBDOM]\[RED$]@[RED]
auth_check_password_send: mapped user is: [SMBDOM]\[RED$]@[RED]
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
Could not determine hostname for target computer, cannot use kerberos
Got NTLMSSP neg_flags=0x60088235
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
Got user=[RED$] domain=[SMBDOM] workstation=[RED] len1=24 len2=162
auth_check_password_send: Checking password for unmapped user [SMBDOM]\[RED$]@[RED]
auth_check_password_send: mapped user is: [SMBDOM]\[RED$]@[RED]
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
Registered RED with 192.168.100.2 on interface 192.168.100.255
Registered RED with 192.168.56.102 on interface 192.168.56.255
Registered RED with 192.168.100.2 on interface 192.168.100.255
Registered RED with 192.168.56.102 on interface 192.168.56.255
Registered RED with 192.168.100.2 on interface 192.168.100.255
Registered RED with 192.168.56.102 on interface 192.168.56.255
Registered SMBDOM with 192.168.100.2 on interface 192.168.100.255
Registered SMBDOM with 192.168.56.102 on interface 192.168.56.255
Registered SMBDOM with 10.0.2.15 on interface 10.0.2.255
Registered SMBDOM with 192.168.100.2 on interface 192.168.100.255
Registered SMBDOM with 192.168.56.102 on interface 192.168.56.255
Registered SMBDOM with 10.0.2.15 on interface 10.0.2.255
Registered SMBDOM with 192.168.100.2 on interface 192.168.100.255
Registered SMBDOM with 192.168.56.102 on interface 192.168.56.255
Child /usr/local/samba/sbin/samba_spnupdate exited with status 0 - Success
Completed SPN update check OK
Child /usr/local/samba/sbin/samba_dnsupdate exited with status 0 - Success
Completed DNS update check OK
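
The interesting part of that startup log is the NetBIOS name registration: RED and SMBDOM register fine on 192.168.100.255, but the DC also announces itself on 192.168.56.255 and 10.0.2.255, and on the latter 10.0.2.2 contests the names (10.0.2.15 and 10.0.2.2 are the default guest and gateway addresses of a VirtualBox NAT adapter). A domain controller answering on interfaces it was never meant to serve is both a reliability and an exposure problem. As an added example that is not part of the original post, the functions below pull those facts out of a `samba -i -d3` log; the sample log is constructed from the lines above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the NetBIOS name
# registration lines that 'samba -i -M single -d3' prints, so you can see on
# which broadcast interfaces the DC announces itself and where that fails.

# Constructed sample: the relevant lines copied from the startup log above.
write_sample_log() { cat > "$1" <<'EOF'
Defending name RED on 255.255.255.255 against 192.168.56.101
Defending name RED on 255.255.255.255 against 192.168.56.101
Name registration conflict from 10.0.2.2 for RED with ip 10.0.2.15 - rcode 6
Error registering RED with 10.0.2.15 on interface 10.0.2.255 - NT_STATUS_CONFLICTING_ADDRESSES
Name registration conflict from 10.0.2.2 for RED with ip 10.0.2.15 - rcode 6
Error registering RED with 10.0.2.15 on interface 10.0.2.255 - NT_STATUS_CONFLICTING_ADDRESSES
Name registration conflict from 10.0.2.2 for RED with ip 10.0.2.15 - rcode 6
Error registering RED with 10.0.2.15 on interface 10.0.2.255 - NT_STATUS_CONFLICTING_ADDRESSES
Defending name SMBDOM on 255.255.255.255 against 192.168.56.101
Name registration conflict from 10.0.2.2 for SMBDOM with ip 10.0.2.15 - rcode 6
Error registering SMBDOM with 10.0.2.15 on interface 10.0.2.255 - NT_STATUS_CONFLICTING_ADDRESSES
Registered RED with 192.168.100.2 on interface 192.168.100.255
Registered RED with 192.168.56.102 on interface 192.168.56.255
Registered SMBDOM with 192.168.100.2 on interface 192.168.100.255
Registered SMBDOM with 192.168.56.102 on interface 192.168.56.255
Registered SMBDOM with 10.0.2.15 on interface 10.0.2.255
EOF
}

# nbt_conflicts LOG -> "NAME INTERFACE COUNT" for every failed registration target
# (fields: Error registering NAME with IP on interface IFACE - STATUS)
nbt_conflicts() {
    awk '/^Error registering .* NT_STATUS_CONFLICTING_ADDRESSES$/ { c[$3 " " $8]++ }
         END { for (k in c) print k, c[k] }' "$1" | sort
}

# nbt_conflict_total LOG -> number of failed registrations
nbt_conflict_total() {
    awk '/NT_STATUS_CONFLICTING_ADDRESSES$/ { n++ } END { print n + 0 }' "$1"
}

# nbt_interfaces LOG -> every broadcast interface the DC tried to register on
nbt_interfaces() {
    awk '/^Registered / { print $7 } /^Error registering / { print $8 }' "$1" | sort -u
}

# nbt_foreign_interfaces LOG EXPECTED -> interfaces other than the one you meant to serve
nbt_foreign_interfaces() {
    nbt_interfaces "$1" | awk -v keep="$2" '$0 != keep'
}

# nbt_peers LOG -> addresses that answered our registrations, i.e. other hosts
# that claim or defend the same NetBIOS names
nbt_peers() {
    awk '/^Defending name / { print $7 } /^Name registration conflict from / { print $5 }' "$1" | sort -u
}

demo() {
    tmp=$(mktemp -d); write_sample_log "$tmp/samba.log"
    echo "failed registrations (name interface count):"; nbt_conflicts "$tmp/samba.log"
    echo "interfaces other than 192.168.100.255:"; nbt_foreign_interfaces "$tmp/samba.log" 192.168.100.255
    echo "hosts contesting our names:"; nbt_peers "$tmp/samba.log"
    rm -rf "$tmp"
}
demo
```

If the extra interfaces are unintended, restrict the DC to the LAN with `interfaces = 192.168.100.2/24` and `bind interfaces only = yes` in [global], restart, and check that the next startup log only shows registrations on 192.168.100.255.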

8) There are some example scripts (for RedHat/Fedora, Debian and Ubuntu) on the Samba4/InitScript page; mine needs just some "little changes":

[root@red ~]# cat /etc/init.d/samba4

==============

#!/bin/bash
#
# SAMBA4                This shell script takes care of starting and stopping
#
# chkconfig: - 58 74
# description: samba is the share daemon. \

### BEGIN INIT INFO
# Provides: samba
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Should-Start: $syslog $named ntpdate
# Should-Stop: $syslog $named
# Short-Description: start and stop  samba4
# Description:  share to world
### END INIT INFO

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

prog=/usr/local/samba/sbin/samba

start() {
        [ "$EUID" != "0" ] && exit 4
        [ "$NETWORKING" = "no" ] && exit 1
        [ -x /usr/local/samba/sbin/samba ] || exit 5
        [ -f /etc/sysconfig/samba4 ] || exit 6
        . /etc/sysconfig/samba4

        # Start daemons.
        echo -n $"Starting $prog: "
        daemon $prog $OPTIONS
        RETVAL=$?
        echo
        return $RETVAL
}

stop() {
        echo -n $"Shutting down $prog: "
        [ "$EUID" != "0" ] && exit 4
        killproc    $prog
        RETVAL=$?
        echo
        return $RETVAL
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status $prog -b
        ;;
  restart)
        stop
        start
        ;;
  *)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 2
esac
[root@red ~]# cat /etc/sysconfig/samba4
OPTIONS="-D -d3"

9) Is Kerberos working?

[root@red ~]# kinit administrator
Password for administrator@SMBDOM.EXAMPLE.COM:
Warning: Your password will expire in 36 days on Fri Apr  5 17:46:56 2013
[root@red ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SMBDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
02/28/13 12:02:56  02/28/13 22:02:56  krbtgt/SMBDOM.EXAMPLE.COM@SMBDOM.EXAMPLE.COM
renew until 03/07/13 12:02:49
[root@red ~]#
[root@red ~]# samba -V
Version 4.1.0pre1-GIT-10b96e3

[root@red ~]# /usr/local/samba/bin/smbclient --version
Version 4.1.0pre1-GIT-10b96e3

[root@red ~]#  /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[SMBDOM] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-10b96e3]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        disco1          Disk      Test Share
        disco2          Disk      Test Share
        IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-10b96e3)
Domain=[SMBDOM] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-10b96e3]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

10) Set up the file shares

[root@red ~]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Sat Feb 16 08:37:04 2013
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/VolGroup-lv_root /                       ext4    defaults        1 1
UUID=b46fa92f-a27d-42e4-9b5a-3672e3ae8abe /boot                   ext4    defaults        1 2
/dev/mapper/VolGroup-lv_swap swap                    swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0

UUID="0642d78f-dd5c-4615-be2e-7b50734f3fbb" /disco1  ext4    user_xattr,acl,barrier=1        1 1
UUID="684560cc-7a69-4568-926b-73b05f9a3685" /disco2  ext4    user_xattr,acl,barrier=1        1 1
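
The user_xattr,acl mount options on /disco1 and /disco2 matter: Samba stores the Windows ACLs of an AD DC share (sysvol in particular) in extended attributes, so every filesystem that holds a share path needs both. The root filesystem above is mounted with "defaults", which on an ext4 built by a RHEL-family installer usually already carries acl and user_xattr as superblock defaults, but fstab does not show it. As an added example that is not part of the original post, this script maps each smb.conf share path to the fstab entry that holds it and reports whether the options are spelled out; the two sample files are constructed from the post's smb.conf and fstab, and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: for every share in smb.conf, find
# the fstab entry that holds its path and check for the acl and user_xattr options.

# share_paths SMBCONF -> "SHARE PATH" for each non-global section with a path
share_paths() {
    awk '
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
        sec != "global" && /^[ \t]*path[ \t]*=/ {
            v = $0; sub(/^[ \t]*path[ \t]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            print sec, v
        }' "$1"
}

# mount_for PATH FSTAB -> "MOUNTPOINT OPTIONS" of the longest mountpoint that holds PATH
mount_for() {
    awk -v p="$1" '
        /^[ \t]*(#|$)/ { next }
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > length(best)) { best = mp; opts = $4 }
        }
        END { if (best != "") print best, opts }' "$2"
}

# opts_have OPTIONS NAME -> true if the comma-separated OPTIONS contain NAME
opts_have() { printf '%s\n' "$1" | tr ',' '\n' | grep -qxF -- "$2"; }

# fs_check SMBCONF FSTAB -> one line per share; exit status = shares whose
# fstab line does not spell out both acl and user_xattr
fs_check() {
    smbconf=$1; fstab=$2; missing=0
    while read -r share path; do
        [ -n "$share" ] || continue
        m=$(mount_for "$path" "$fstab")
        if [ -z "$m" ]; then
            echo "$share: $path: no fstab entry covers it"; missing=$((missing + 1)); continue
        fi
        mp=${m%% *}; opts=${m#* }; lacking=""
        for o in acl user_xattr; do
            opts_have "$opts" "$o" || lacking="$lacking $o"
        done
        if [ -z "$lacking" ]; then
            echo "$share: $path on $mp ($opts): OK"
        else
            echo "$share: $path on $mp ($opts): not explicit in fstab:$lacking"
            missing=$((missing + 1))
        fi
    done <<EOF
$(share_paths "$smbconf")
EOF
    return $missing
}

# Constructed samples: the shares and fstab lines from the post
write_sample_smbconf() { cat > "$1" <<'EOF'
[global]
workgroup = SMBDOM
server role = active directory domain controller

[netlogon]
path = /usr/local/samba/var/locks/sysvol/smbdom.example.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[disco1]
path = /disco1
comment = Test Share

[disco2]
path = /disco2
comment = Test Share
EOF
}
write_sample_fstab() { cat > "$1" <<'EOF'
# /etc/fstab (constructed sample)
/dev/mapper/VolGroup-lv_root /                       ext4    defaults        1 1
UUID=b46fa92f-a27d-42e4-9b5a-3672e3ae8abe /boot                   ext4    defaults        1 2
/dev/mapper/VolGroup-lv_swap swap                    swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
UUID="0642d78f-dd5c-4615-be2e-7b50734f3fbb" /disco1  ext4    user_xattr,acl,barrier=1        1 1
UUID="684560cc-7a69-4568-926b-73b05f9a3685" /disco2  ext4    user_xattr,acl,barrier=1        1 1
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_sample_smbconf "$tmp/smb.conf"; write_sample_fstab "$tmp/fstab"
    fs_check "$tmp/smb.conf" "$tmp/fstab" || echo "shares to verify: $?"
    rm -rf "$tmp"
}
demo
```

A share reported as "not explicit" is not necessarily broken: confirm with `tune2fs -l /dev/mapper/VolGroup-lv_root | grep 'Default mount options'`, and only if acl or user_xattr is missing there add them to the fstab line (the sysvol tree lives under /usr/local/samba on the root filesystem here). On the live box run `fs_check /usr/local/samba/etc/smb.conf /etc/fstab`.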

11) Set up UID/GID mapping via winbind

Please take care: on a 64-bit system you need to link into /lib64!!!!
So on 32-bit:

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

and on 64-bit:

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
# ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2

and likewise for PAM:

# ln -s /usr/local/samba/lib/security/pam_winbind.so /lib64/security
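
The library links are easy to get wrong: a typo in the directory name silently leaves NSS without winbind, and getent simply shows local users only. As an added example that is not part of the original post, here is a small helper that picks /lib or /lib64 from the architecture, creates the NSS and PAM links and verifies that each one resolves. It assumes the /usr/local/samba prefix used throughout the post; the arch-to-directory table follows the Red Hat layout and, like the function names, is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original post: create and verify the winbind
# NSS/PAM links for the library directory this system actually uses.

# nss_libdir ARCH -> directory glibc's NSS loader searches (Red Hat layout; assumption)
nss_libdir() {
    case $1 in
        x86_64|ppc64|ppc64le|s390x) echo /lib64 ;;
        *)                          echo /lib ;;
    esac
}

# link_winbind_nss PREFIX LIBDIR -> libnss_winbind.so.2 and libnss_winbind.so in LIBDIR
link_winbind_nss() {
    src=$1/lib/libnss_winbind.so.2
    [ -f "$src" ] || { echo "missing $src (is Samba installed under $1?)" >&2; return 1; }
    ln -sf "$src" "$2/libnss_winbind.so.2"
    # relative target, so it follows the link above; the post links the other
    # way round (.so to the prefix, .so.2 to .so), which works as well
    ln -sf libnss_winbind.so.2 "$2/libnss_winbind.so"
}

# link_winbind_pam PREFIX SECURITYDIR -> pam_winbind.so in SECURITYDIR
link_winbind_pam() {
    src=$1/lib/security/pam_winbind.so
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    ln -sf "$src" "$2/pam_winbind.so"
}

# winbind_links_ok LIBDIR SECURITYDIR -> 0 if every link exists and resolves to a file
winbind_links_ok() {
    for l in "$1/libnss_winbind.so" "$1/libnss_winbind.so.2" "$2/pam_winbind.so"; do
        [ -L "$l" ] && [ -f "$l" ] || { echo "bad link: $l" >&2; return 1; }
    done
    return 0
}

# selftest: run the helpers against a throwaway prefix in a temp dir
selftest() {
    t=$(mktemp -d)
    mkdir -p "$t/prefix/lib/security" "$t/lib64/security"
    : > "$t/prefix/lib/libnss_winbind.so.2"      # stand-ins for the real libraries
    : > "$t/prefix/lib/security/pam_winbind.so"
    link_winbind_nss "$t/prefix" "$t/lib64" &&
    link_winbind_pam "$t/prefix" "$t/lib64/security" &&
    winbind_links_ok "$t/lib64" "$t/lib64/security"
    rc=$?
    rm -rf "$t"
    return $rc
}

selftest && echo "winbind link helpers OK (arch $(uname -m) -> $(nss_libdir "$(uname -m)"))"
```

On the DC itself: `d=$(nss_libdir "$(uname -m)"); link_winbind_nss /usr/local/samba "$d" && link_winbind_pam /usr/local/samba "$d/security" && winbind_links_ok "$d" "$d/security"`, then `getent passwd` should start listing SMBDOM\ accounts once nsswitch.conf is configured in the next step.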

12) Configure /etc/nsswitch.conf

[root@red ~]# grep win /etc/nsswitch.conf
passwd:     files compat winbind
group:      files compat winbind
[root@red ~]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt

avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
SMBDOM\Administrator:*:0:100::/home/SMBDOM/Administrator:/bin/bash
SMBDOM\Guest:*:3000011:3000012::/home/SMBDOM/Guest:/bin/bash
SMBDOM\krbtgt:*:3000022:100::/home/SMBDOM/krbtgt:/bin/bash
[root@red ~]# id Administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000004(Group Policy Creator Owners),3000006(Enterprise Admins),3000008(Domain Admins),3000007(Schema Admins)
[root@red ~]#
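
Two things are worth a second look in that output: the passwd and group lines must actually contain winbind (otherwise getent shows only local accounts and nothing looks wrong), and SMBDOM\Administrator comes back with uid 0, which is Samba's default mapping of the domain Administrator to root on the DC. That is convenient for managing sysvol, but it also means the domain Administrator is root for any share exported from this box. As an added example that is not part of the original post, the functions below check the nsswitch lines and flag domain accounts with uid/gid 0 or a uid that collides with a local account; the sample files are constructed from the output above and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: verify that NSS consults winbind
# and audit the uids that getent now returns for domain accounts.

# Constructed samples: the nsswitch lines and part of the getent output shown above
write_sample_nsswitch() { cat > "$1" <<'EOF'
passwd:     files compat winbind
shadow:     files
group:      files compat winbind
hosts:      files dns
EOF
}
write_sample_passwd() { cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
SMBDOM\Administrator:*:0:100::/home/SMBDOM/Administrator:/bin/bash
SMBDOM\Guest:*:3000011:3000012::/home/SMBDOM/Guest:/bin/bash
SMBDOM\krbtgt:*:3000022:100::/home/SMBDOM/krbtgt:/bin/bash
EOF
}

# nss_uses_winbind DB NSSWITCH -> 0 if the "DB:" line lists winbind as a source
nss_uses_winbind() {
    awk -v db="$1:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
                     END { exit !found }' "$2"
}

# domain_accounts PASSWD -> "NAME:UID:GID" of entries that came from winbind
# (the name carries the winbind separator, a backslash by default)
domain_accounts() { awk -F: 'index($1, "\\") { print $1 ":" $3 ":" $4 }' "$1"; }

# privileged_domain_accounts PASSWD -> domain accounts whose uid or gid is 0
privileged_domain_accounts() {
    awk -F: 'index($1, "\\") && ($3 == 0 || $4 == 0) { print $1 }' "$1"
}

# uid_collisions PASSWD -> "UID LOCALNAME DOMAINNAME" where both kinds share a uid
uid_collisions() {
    awk -F: '{ if (index($1, "\\")) dom[$3] = $1; else loc[$3] = $1 }
             END { for (u in dom) if (u in loc) print u, loc[u], dom[u] }' "$1" | sort
}

demo() {
    tmp=$(mktemp -d)
    write_sample_nsswitch "$tmp/nsswitch.conf"; write_sample_passwd "$tmp/passwd"
    for db in passwd group shadow; do
        nss_uses_winbind "$db" "$tmp/nsswitch.conf" && echo "$db: winbind consulted" \
                                                   || echo "$db: winbind NOT consulted"
    done
    echo "domain accounts:"; domain_accounts "$tmp/passwd"
    echo "domain accounts with uid/gid 0:"; privileged_domain_accounts "$tmp/passwd"
    echo "uid collisions (uid local domain):"; uid_collisions "$tmp/passwd"
    rm -rf "$tmp"
}
demo
```

On the live DC the same functions read the real data: `nss_uses_winbind passwd /etc/nsswitch.conf` and `getent passwd | uid_collisions -` (awk reads "-" as standard input). Any domain account other than Administrator showing up with uid 0, or a domain uid that collides with a local one, is something to fix in idmap before the shares go live.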

13) Network config on the Windows client

IP=192.168.100.100
NETMASK=255.255.255.0
GATEWAY=192.168.100.1
DNS=192.168.100.2

As usual, you can now add pcwin8 to the SMBDOM domain.

14) Install RSAT on the Windows client, then log in as Administrator.

And on the Linux server:

[SMBDOM\demo2@red ~]$ id
uid=3000019(SMBDOM\demo2) gid=100(users) groups=100(users),3000020(docenti)
[SMBDOM\demo2@red ~]$

Finally, you can also set up a STARTUP.BAT logon script, and you can see:

[root@red scripts]# pwd
/usr/local/samba/var/locks/sysvol/smbdom.example.com/scripts
[root@red scripts]# ls -al
total 24
drwxrwx---+ 2 root 3000000 4096 Feb 28 17:55 .
drwxrwx---+ 4 root 3000000 4096 Feb 22 16:46 ..
-rw-rw----+ 1 root root      35 Feb 28 17:58 STARTUP.BAT

[root@red scripts]# cat STARTUP.BAT
echo on

NET TIME \\RED /SET /YES

This is also a success story.... because it is working at Bari University to share documents, to log in WIN8 users, and as the backend for a PLONE site.
