Samba: Difference between revisions
Line 68: | Line 68: | ||
And add these lines in /etc/samba/smb.conf: | And add these lines in /etc/samba/smb.conf: | ||
<pre>tls enabled = yes | <pre>tls enabled = yes | ||
tls keyfile = /var/lib/samba/private/tls/key.pem | tls keyfile = /var/lib/samba/private/tls/samba-key.pem | ||
tls certfile = /var/lib/samba/private/tls/cert.pem | tls certfile = /var/lib/samba/private/tls/samba-cert.pem | ||
tls cafile =</pre> | tls cafile =</pre> | ||
Revision as of 13:13, 13 June 2017
Notes
Samba Installation
Prerequisites
Set a static IP
# vi /etc/network/interfaces
should look something like this:
auto enp0s3 iface enp0s3 inet static address 192.168.1.121 netmask 255.255.255.0 network 192.168.1.0 broadcast 192.168.1.255 gateway 192.168.1.1 dns-nameservers 192.168.1.121 dns-search example.local
Note: Don't use real world TLDs like example.com
Installation
Installing the package:
# apt-get install samba ntp winbind
Stop samba and empty /etc/samba/smb.conf:
# service samba-ad-dc stop # > /etc/samba/smb.conf
For a DC continue as below, for a fileserver go to #Creating a samba fileserver
# samba-tool domain provision --interactive --use-rfc2307
For Realm put your desired realm e.g. example.local or a TLD you control absolutely, for DNS forwarder IP address put your main DNS server IP address (whether you have a multiple domain bind setup or just using a DNS service on your router) and for the others you can just press enter.
If you get an error about ldb, make sure packages samba-dsdb-modules and samba-vfs-modules are installed, if not install them:
apt-get install samba-dsdb-modules samba-vfs-modules
Now start the samba DC service:
# service samba-ad-dc start
If you end up with multiple domain controllers in your domain, edit your /etc/network/interfaces file and remove the nameserver reference, then add, on each DC, all of them to the resolvconf template:
# vi /etc/resolvconf/tail nameserver ip.addr.a.dc nameserver ip.addr.b.dc nameserver ip.addr.c.dc
Don't forget to update resolv.conf afterwards
# resolvconf -u
SSL Certificate
If you want to use LDAPS you can create a self-signed certificate
openssl req -newkey rsa:2048 -keyout /var/lib/samba/private/tls/samba-key.pem -nodes -x509 -days 3650 -out /var/lib/samba/private/tls/samba-cert.pem
Change permissions for the key
chmod 600 /var/lib/samba/private/tls/samba-key.pem
And add these lines in /etc/samba/smb.conf:
tls enabled = yes tls keyfile = /var/lib/samba/private/tls/samba-key.pem tls certfile = /var/lib/samba/private/tls/samba-cert.pem tls cafile =
Restart samba
service samba-ad-dc restart
Note well: when using a self-signed certificate most applications would not trust them by default, you have to add it as a trusted certificate.
Samba & LDAP
Authenticating LDAP user
Standard LDAP config in Samba (& elsewhere) is to require a connection to be authenticated before other access granted. This can often be disabled, but it's better practice (and as easy) to create an account for the service that needs access, and use that for connection. The base string for the authenticating user will be of the form:
cn=<username>,cn=<userbasegroup>,dc=<firstpartofADdomainname>,dc=<secondpartofADdomainname>
Base DN
Will vary on setup, but simple base DN is likely to be of the form:
dc=<firstpartofADdomainname>,dc=<secondpartofADdomainname>
Where AD domain name (realm) was of the form
firstpart.secondpart
. If the domain name has more parts you will need those parts expressed as separate DCs.
Secure LDAP quick workaround
Not recommended in production if LDAP authing outside a firewall.
Samba 4 LDAP is secure by default which makes it hard for some simpler LDAP auth systems. If no other solution or for initial testing purposes, secured LDAP can be disabled by adding the following line to smb.conf main section:
ldap server require strong auth = no
Setting an email for a user
When creating the user
samba-tool user add <username> --mail-address=<email>
For an existing user
Package ldap-utils is required so install it if not already:
apt-get install ldap-utils
Create a file entrymods.ldif:
dn: cn=<username>,cn=Users,dc=<firstpartofdomain>,dc=<secondpartofdomain> changetype: modify replace: mail mail: <email> -
Set the email with ldapmodify command using a samba user that belongs to "Account Operators" group:
ldapmodify -x -D "cn=<username>,cn=Users,dc=<firstpartofdomain>,dc=<secondpartofdomain>" -w <password> -H ldaps:// -f entrymods.ldif
Creating a samba fileserver
To make your samba installation into a fileserver. This assumes you already have a working DC or 2 and this server will be a member server for load balancing/egg separation purposes. In this scenario you should set your DNS forwarders to be any local or routable DCs for the domain you want the fileserver to be part of. This can be done by editing resolvconf's head file:
#vi /etc/resolvconf/resolv.conf.d/head
nameserver ip.addr.dc.1 nameserver ip.addr.dc.2
Then updating resolv.conf with
# resolvconf -u
Installation and configuration
Depending on how your base machine was created you may need to add the universe repository:
apt-get install software-properties-common add-apt-repository universe
Then install these additional packages:
# apt-get install libnss-winbind libpam-winbind acl libpam-krb5 krb5-user
And configure nsswitch to be able to use winbind:
# vi /etc/nsswitch.conf passwd: compat winbind group: compat winbind
Set up your shares
# vi /etc/samba/smb.conf
Add the following configuration to the top section
[global] workgroup = workgroupname server string = yourservername security = ads realm = WORKGROUPNAME.TLD # common to be .LOCAL socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072 use sendfile = true idmap config * : backend = tdb idmap config * : range = 100000-299999 idmap config workgroupname : backend = rid idmap config workgroupname : range = 10000-99999 winbind separator = + winbind enum users = yes winbind enum groups = yes winbind use default domain = yes winbind refresh tickets = yes restrict anonymous = 2 log file = /var/log/samba/log.%m max log size = 50 deadtime = 45 read raw = Yes write raw = Yes server signing = mandatory # Network interfaces = ens3 # change to suit, ens3 is first interface if using a [http://docswiki.newro.co/index.php/Creation_of_a_new_VM VM built as per our approach] bind interfaces only = true log file = /var/log/samba/log.%m log level = 1 max log size = 1000 logging = syslog@0 file panic action = /usr/share/samba/panic-action
Example share definition allowing read/write for all domain users:
[sharename] comment = What this share is writeable = yes write list = @"Domain Users" path = /path/to/data/ force directory mode = 755 force group = Domain Users force create mode = 665 valid users = @"Domain Users" create mode = 665 directory mode = 775
Example read-only share definition
[sharename] comment = What this share is writeable = no read list = @"Domain Users" path = /path/to/readonlydata/
NB if your shared volume is coming from a network source like iscsi it is recommended you don't make your share and the mounted volumes directly match; rather shares should reference directories within the mounted volume i.e. if you have an iscsi mount at
/mnt/myiscsi
your samba share should be at
/mnt/myiscsi/myshare
or a further sub branch. This ensures that is the network source is not available, user data isn't written to (nor fills) your fileserver's / filesystem.
Restart the samba services
# systemctl restart winbind nmbd smbd
And then join the domain using a domain user that has appropriate privileges e.g. is a member of the Domain Admins group for that domain:
# net ads join user.name
NB which domain to join is determined from the configuration files.
Testing
Assuming you got no joining errors at the last step above (DNS update ones can be ignored for now), you can verify your server is seeing domain users correctly by
# getent passwd
This should return the normal contents of /etc/passwd, pause for a moment and then continue with all the domain users.
You can then test the availability of the shares you've created
# smbclient -L your.ip.add.ress -U adomain.username
This should ask for your password and if correctly entered return information of the form
Domain=[EXAMPLE] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu] Sharename Type Comment --------- ---- ------- sharename Disk What this share is IPC$ IPC IPC Service (yourservername) Domain=[EXAMPLE] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu] Server Comment --------- ------- YOURSERVERNAME ANOTHERSERVER ADOMAINMEMBERPC Workgroup Master --------- ------- EXAMPLE ANOTHERSERVER
NB you may get different results depending whether you are testing from a machine in the domain or not - if it works from a machine in the domain but not in one from outside, check your that the relevant share configs have
browseable=yes
and the general section doesn't contain a
restrict anonymous
with a value higher than 0 (which is the default i.e. the line isn't needed unless you want to restrict unauthenticated browsing of share listings)
When working remotely without access to a GUI machine that can access the smb fileserver, a final test (e.g. checking users have correct permissions when they have the share mapper) can be performed by mounting the share from the command line. This requires the cifs-util package which can be installed with
apt-get install cifs-utils
and then running
mount -t cifs //server-ip/sharename /mountpoint -o user=user.name
where user.name is an SMB user. If the mount is successful you can check that user has the permissions you expect it to have in terms of file access/creation/deletion etc..
Adding samba users
#!/bin/bash if [ $# -eq 0 ] ; then printf "Username(format name.surname):" read username printf "Email:" read email printf "Fullname(format Name Surname):" read fullname samba-tool user add $username --mail-address=$email samba-tool user setexpiry $username --noexpiry pdbedit -u $username -f "$fullname" else while IFS='' read -r line || [[ -n "$line" ]]; do IFS=':' read -a userinfo <<< "$line" samba-tool user add ${userinfo[0]} ${userinfo[1]} --mail-address=${userinfo[2]} samba-tool user setexpiry ${userinfo[0]} --noexpiry pdbedit -u ${userinfo[0]} -f "${userinfo[3]}" done < "$1" fi
If the script is called with no argument, it asks the information for the user to be added, but it can be called with a file as an argument that contains a user list in the following format:
username1:Password1:mail1@example.com:Full Name username2:Password2:mail2@example.com:Full Name username3:Password3:mail3@example.com:Full Name