How to install samba 4 on Ubuntu as an active directory domain controller

Installing Samba4 (4.1) on Ubuntu 12.04 LTS


It has been several months now since the Samba 4.1 release became available for download, a version I've been looking forward to for a long time. But the installation documentation and the blog posts by users who actually installed it are still limited, outdated, too general or incomplete. I'm very interested to see how this new version works and how well it installs, so I'll give it a go.
For this setup we will use a basic Ubuntu 12.04.1 LTS (Precise Pangolin) install and the most recent version of Samba 4.1 (GIT source).


Throughout this document I will be using the following information, which you can replace with your own settings:
Servername: SAMBA
DNS Domain name: mydomain.local
NETBIOS Domain name: MYDOMAIN
IP number: 192.168.1.10 with subnet mask 255.255.255.0
Default gateway: 192.168.1.1

Installing Ubuntu 12.04 LTS

For this test we installed Ubuntu 12.04.1 LTS x64 in a VMware ESXi virtual machine. This is a standard install with no extra software or packages selected during the initial installation. I will not go into the installation of Ubuntu in much detail, as it is very straightforward. We used a 32GB disk which was automatically partitioned. If you know what you're doing, you can select a manual partition schema and disk size that suits your wishes.
After the install of Ubuntu is complete and the first boot of the OS has finished, we need to address some minor configuration tasks. First we need to make sure we are up to date on the latest patches and hotfixes:
sudo apt-get update

sudo apt-get upgrade

Install an SSH server.

To make copy/paste from this guide easier (the VMware console lacks good copy/paste support) we will install SSH. Besides the ease of copy/paste, this is a useful way to manage your server remotely.
sudo apt-get install openssh-server

Then reboot the server:
sudo reboot now
After the reboot, use PuTTY or another SSH client to connect.

Change the root password

Change the password for your root account and make sure you use a password with solid complexity.
sudo passwd root

Configure a fixed IP for your new server.

Edit /etc/network/interfaces and change the config to set a static IP. Please use your own IP information where applicable:
sudo nano /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.1.10 8.8.8.8
dns-search mydomain.local

Then we need to configure our /etc/hosts file so that the server's fully qualified name resolves to its static IP (not to a 127.x address). The name must match the server name chosen above (SAMBA), because the DNS tests later in this guide expect samba.mydomain.local:
Code:
127.0.0.1       localhost.localdomain   localhost
192.168.1.10    samba.mydomain.local    samba
Save and close the file.

Then set the host name. Note that "sudo echo samba > /etc/hostname" does not work, because the redirection is performed by your unprivileged shell; use tee instead:

Code:
echo samba | sudo tee /etc/hostname

sudo service hostname restart
Now reboot the server
sudo reboot now
After the reboot has finished and you logged on to the server, you can check if the new IP configuration has been applied:
ifconfig
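Besides checking the IP address, it is worth verifying that /etc/hosts maps the server's FQDN to that static address and not to a loopback entry, because the provisioning step and Kerberos both need the name to resolve to the real interface. The following shell script is an added example and is not part of the original tutorial; the function names and the two sample hosts files it builds are my own constructions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: verify that /etc/hosts
# maps the server's FQDN and short name to the static IP before provisioning.
# Samba's provision step and Kerberos need the name to resolve to the real
# interface address; a 127.0.0.1 / 127.0.1.1 entry for the host name (which
# the Ubuntu installer writes by default) is a classic cause of trouble.
# Function names and the sample hosts files are mine (constructed).

# check_host_entry HOSTS_FILE SHORTNAME FQDN IP
# returns 0 when FQDN maps to IP, 1 when it is missing or maps elsewhere.
check_host_entry() {
    hosts_file=$1; short=$2; fqdn=$3; ip=$4

    # drop comments, then pick the first line whose name fields contain FQDN
    line=$(sed 's/#.*//' "$hosts_file" | awk -v n="$fqdn" '
        { for (i = 2; i <= NF; i++) if ($i == n) { print; exit } }')
    if [ -z "$line" ]; then
        echo "FAIL: $fqdn has no entry in $hosts_file" >&2
        return 1
    fi
    set -- $line
    found_ip=$1
    case "$found_ip" in
        127.*)
            echo "FAIL: $fqdn maps to loopback $found_ip; use the static IP" >&2
            return 1 ;;
    esac
    if [ "$found_ip" != "$ip" ]; then
        echo "FAIL: $fqdn maps to $found_ip, expected $ip" >&2
        return 1
    fi
    # 'hostname -f' needs the short name on the same line as the FQDN
    if ! echo "$line" | awk -v s="$short" \
         '{ for (i = 2; i <= NF; i++) if ($i == s) f = 1 } END { exit !f }'; then
        echo "WARN: short name $short is not listed beside $fqdn" >&2
    fi
    echo "OK: $fqdn -> $found_ip"
    return 0
}

# demo_hosts_check: run the check against two constructed hosts files, one
# correct and one with the loopback entry; returns 0 if both are judged right.
demo_hosts_check() {
    d=$(mktemp -d) || return 1
    printf '127.0.0.1\tlocalhost.localdomain localhost\n192.168.1.10\tsamba.mydomain.local samba\n' > "$d/good"
    printf '127.0.0.1\tlocalhost\n127.0.1.1\tsamba.mydomain.local samba\n' > "$d/bad"
    check_host_entry "$d/good" samba samba.mydomain.local 192.168.1.10 || { rm -rf "$d"; return 1; }
    if check_host_entry "$d/bad" samba samba.mydomain.local 192.168.1.10 2>/dev/null; then
        rm -rf "$d"; return 1
    fi
    rm -rf "$d"
    return 0
}

# Live check with the tutorial's values:
#   check_host_entry /etc/hosts samba samba.mydomain.local 192.168.1.10
demo_hosts_check
```

On a real server, run check_host_entry against /etc/hosts with your own short name, FQDN and static IP; a FAIL on the loopback case means the installer's default 127.0.1.1 line is still in place and should be replaced by the static entry shown above.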

Install a NTP service to sync the time.

Active Directory and Kerberos rely on a correct time and date settings.
sudo apt-get install ntp
Edit /etc/ntp.conf and replace the server with a time server of your own, or use one from http://www.pool.ntp.org/en/. If you are not familiar with this, you can leave the default server (0.ubuntu.pool.ntp.org) as is.
Example:
sudo nano /etc/ntp.conf
and change:
server 0.north-america.pool.ntp.org
To set the time for the first time, stop the ntp service, synchronise once with ntpdate and start the service again (replace the server with your preferred time server; note that ntpdate takes only the host name, without the word "server"):
sudo service ntp stop
sudo ntpdate -B 0.north-america.pool.ntp.org
sudo service ntp start
To check if all went well, do:
ntpq -p

Installing Samba 4 (4.1)

Before we can begin installing Samba, we need to install some prerequisites:
sudo apt-get install build-essential libacl1-dev python-dev libldap2-dev pkg-config gdb libgnutls-dev libblkid-dev libreadline-dev libattr1-dev python-dnspython libpopt-dev libbsd-dev attr docbook-xsl libcups2-dev acl git
We will be installing the most current release of Samba 4 from the GIT repository, Samba 4.1.0pre1-GIT-0a4a4ba at the time of writing:
sudo git clone git://git.samba.org/samba.git /usr/src/samba4/
Make sure port 9418 is open on your firewall; GIT uses this port. You will know you're in trouble if you get this error: errno=Connection timed out
cd /usr/src/samba4
Use the following line only if you want to pin the install to the 4.1.0 stable release instead of the most recent build:
sudo git checkout tags/samba-4.1.0
Now we continue the installation of Samba:
sudo ./configure --enable-debug
sudo make
You will receive a lot of subcontext() and pointer warnings. From what I was able to find so far, all these warnings can be ignored, which is what I did.
sudo make install
After the install we will add the path to the bin and sbin directory of Samba:
sudo nano /etc/sudoers
and add the following to the end of the Defaults secure_path= value, before the closing quotation mark:
:/usr/local/samba/sbin:/usr/local/samba/bin
and write the changes and exit nano.
Make the same change to the system environment PATH variable:
sudo nano /etc/environment
and add the following to the end of the PATH value, before the closing quotation mark:
:/usr/local/samba/sbin:/usr/local/samba/bin
and write the changes and exit nano.
1) Now that Samba is installed, we can start constructing a new domain using the samba-tool domain provision command. Put the password in single quotes, otherwise the shell expands the $ characters before Samba sees them:
sudo /usr/local/samba/bin/samba-tool domain provision --realm=mydomain.local --domain=MYDOMAIN --adminpass='Pa$$word' --server-role=dc --dns-backend=SAMBA_INTERNAL

or, to be prompted for the remaining settings interactively:
sudo /usr/local/samba/bin/samba-tool domain provision --realm=mydomain.local
2) The provision command will ask you for some information about your network. Use the following example as a guideline, but modify the info as needed for your network.
Realm [test.local]: MYDOMAIN.LOCAL
Domain [S4]: MYDOMAIN
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:SAMBA_INTERNAL
DNS forwarder IP address (write ‘none’ to disable forwarding) [192.168.2.1]: 8.8.8.8
Administrator password: Ex@mpleP@$$word
Retype password: Ex@mpleP@$$word
NB. Be sure to pick a strong password. The password complexity requirement is at least one uppercase letter, one number and a length of at least eight characters. If you have to rerun the command because the password was not strong enough or the provision failed for any other reason, first remove your partial config, otherwise the new provision will fail. You can do this by running: sudo rm /usr/local/samba/etc/smb.conf
If you receive this error:
      "ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs 
      requires. Try the mounting the filesystem with the 'acl' option"
There is much debate about how to solve this problem. Please inform yourself, using Google or other resources, on how to fix it for your setup. One common workaround is to add
--use-ntvfs
to the end of the provision command. But then you will be using the legacy NTVFS file server, as Mark stated in his comment.
Setting DNS forwarding allows queries the server can’t resolve to be forwarded to another DNS that can. This is required to be able to browse the Internet or download updates during the rest of this post. We will also allow automatic DNS updates. Make the following adjustment to enable forwarding:
sudo nano /usr/local/samba/etc/smb.conf
add or change the following lines, where the IP of the forwarder is your router. If your router does not forward DNS request, use 8.8.8.8 (Google DNS):
dns forwarder = 192.168.1.1
allow dns updates = nonsecure and secure
Now reboot the server
sudo reboot now
Now we need to make this server point to its own DNS for resolving.

Modify resolv.conf and hosts File

1) Edit your resolv.conf file in nano:
sudo nano /etc/resolv.conf
2) The following should be sufficient as long as this system is running only Samba4. The nameserver is the Samba server's own IP:
domain mydomain.local
nameserver 192.168.1.10
3) Ubuntu by default overwrites /etc/resolv.conf with settings from DHCP and other network services. To prevent this we make the file immutable:
sudo chattr +i /etc/resolv.conf
Note: This is not the most elegant solution, especially if you are running other services. Other solutions to this issue are out of the scope of this tutorial.
sudo nano /etc/network/interfaces
And remove 8.8.8.8 from the dns-nameservers line, so only the Samba server's own IP remains:
dns-nameservers 192.168.1.10
After you have finished the provisioning command successfully and made the required changes for DNS forwarding, we are ready to start the Samba server and see if all works as expected. The samba binary takes no "start" argument; it daemonizes by itself:
sudo /usr/local/samba/sbin/samba
If you are running Samba as a developer you may find the following more useful:
# /usr/local/samba/sbin/samba -i -M single
This will start Samba with all log messages printed to stdout, and restricting it to a single process. That mode of operation makes debugging Samba with gdb easier. To launch Samba under gdb, run as follows:
# gdb --args /usr/local/samba/sbin/samba -i -M single
A working DNS server is required for Samba, or any Active Directory, to function properly; without it Kerberos in particular will fail. We will be using the default DNS service that comes with Samba: if you specified --dns-backend=SAMBA_INTERNAL in the provision command above, or did not specify this option at all, the internal DNS server of Samba is used.
As our DNS server was installed together with Samba, we now need to test whether it is functioning properly. We will run a few basic DNS queries and see if they return a valid response:
host -t SRV _ldap._tcp.mydomain.local.
Should return something like:
_ldap._tcp.mydomain.local has SRV record 0 100 389 samba.mydomain.local.

host -t SRV _kerberos._udp.mydomain.local.
Should return something like:
_kerberos._udp.mydomain.local has SRV record 0 100 88 samba.mydomain.local.

host -t A samba.mydomain.local.
Should return something like:
samba.mydomain.local has address 192.168.1.10

If you received something like "Host mydomain.local not found: 3(NXDOMAIN)", your Samba server probably failed to start for some reason...

 I pointed SAMBA to my router IP as a DNS name server. But this wasn't correct. So I pointed SAMBA to the server itself and then the problem was solved.
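The three queries above are the minimum a client needs to find the domain controller, so it is useful to have them scripted rather than eyeballed. The shell script below is an added example and is not part of the original tutorial: the check_* functions parse the single-line answers printed by the host command in the format shown above, and verify_dc_dns runs the live queries. Function names are mine, and the sample answer lines in the comments are constructed from the tutorial's expected output.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check the DNS answers a
# Samba AD DC must give. The parsers work on the one-line output format of
# the 'host' command shown above; verify_dc_dns runs the live queries.

# check_srv_answer ANSWER_LINE EXPECTED_PORT EXPECTED_TARGET
# Accepts e.g. "_ldap._tcp.mydomain.local has SRV record 0 100 389 samba.mydomain.local."
check_srv_answer() {
    answer=$1; want_port=$2; want_target=$3
    case "$answer" in
        *NXDOMAIN*|*"not found"*|*SERVFAIL*)
            echo "FAIL: $answer (is samba running, and does resolv.conf point at it?)" >&2
            return 1 ;;
    esac
    set -- $answer
    if [ "$3" != "SRV" ]; then
        echo "FAIL: not an SRV answer: $answer" >&2
        return 1
    fi
    port=$7
    target=${8%.}            # strip the trailing dot of the FQDN
    if [ "$port" != "$want_port" ] || [ "$target" != "$want_target" ]; then
        echo "FAIL: $1 points to $target:$port, expected $want_target:$want_port" >&2
        return 1
    fi
    echo "OK: $1 -> $target:$port"
}

# check_a_answer ANSWER_LINE EXPECTED_IP
# Accepts e.g. "samba.mydomain.local has address 192.168.1.10"
check_a_answer() {
    answer=$1; want_ip=$2
    set -- $answer
    if [ "$2" != "has" ] || [ "$3" != "address" ] || [ "$4" != "$want_ip" ]; then
        echo "FAIL: expected $want_ip, got: $answer" >&2
        return 1
    fi
    echo "OK: $1 -> $4"
}

# verify_dc_dns DOMAIN DC_FQDN DC_IP : run the three live queries from the
# tutorial against the local resolver and check each answer.
verify_dc_dns() {
    domain=$1; dc=$2; ip=$3
    check_srv_answer "$(host -t SRV _ldap._tcp.$domain. 2>&1)"    389 "$dc" || return 1
    check_srv_answer "$(host -t SRV _kerberos._udp.$domain. 2>&1)" 88 "$dc" || return 1
    check_a_answer   "$(host -t A $dc. 2>&1)" "$ip" || return 1
}

# Live use with the tutorial's values:
#   verify_dc_dns mydomain.local samba.mydomain.local 192.168.1.10
```

A FAIL from the SRV checks with NXDOMAIN is the symptom described above (Samba not running, or resolv.conf still pointing at the router); a FAIL from the A record check with a 127.x address means the host name resolves to loopback, which is the /etc/hosts problem from the network setup section.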

Next, we need to configure and test Kerberos.

Edit the file /usr/local/samba/share/setup/krb5.conf and replace ${REALM} with MYDOMAIN.LOCAL.

If dynamic DNS updates do not work, run the updater by hand to see what fails:

sudo /usr/local/samba/sbin/samba_dnsupdate --verbose

If the DNS works as expected, we will test whether Kerberos is running correctly. First we install the Kerberos 5 utilities:
sudo apt-get install krb5-user
Once the Kerberos utilities are installed, we will try to log on to the domain using Kerberos. Be sure to log on using the password you specified in the provision command. Make sure /etc/krb5.conf looks like this:

[libdefaults]
        default_realm = MYDOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
[realms]
        MYDOMAIN.LOCAL = {
                kdc = mydomain.local
                admin_server = mydomain.local
        }

  • Note: If you have forgotten your realm, run samba-tool testparm --suppress-prompt | grep realm, to find it out.
kinit administrator
Should return something like:
Warning: Your password will expire in 41 days on Tue Mar  5 15:23:03 2013

You can check if a Kerberos ticket has been processed correctly using the following command:
klist
This should return something like:
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@MYDOMAIN.LOCAL

Valid starting    Expires           Service principal
23/01/2013 13:27  23/01/2013 23:27  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
        renew until 24/01/2013 13:27

Finally we will test the SMB function of the domain and see if all shares required for a functional Active Directory are up and running. In particular the netlogon and sysvol shares should be visible:

/usr/local/samba/bin/smbclient -L localhost -U%

Should return something like:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-0a4a4ba]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-0a4a4ba)
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-0a4a4ba]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
And finally we will check if the user administrator can log in using SMB:
/usr/local/samba/bin/smbclient //localhost/netlogon -U 'administrator'
Should return something like:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-0a4a4ba]

Type quit to exit the SMBClient prompt.

We are done! Congratulations, we have installed a Samba4 server on Ubuntu 12.04.
You can also verify the domain with the winbind tools. The output of the trust check and the user and group listings should be:
wbinfo -t
checking the trust secret via RPC calls succeeded

wbinfo -u
Lists all users

wbinfo -g
Lists all groups

Init script for auto start

When rebooting the server, it would be nice if the Samba service would start automatically. The following init.d startup script will take care of that:
sudo nano /etc/init.d/samba4
and add the following:
#! /bin/sh
### BEGIN INIT INFO
# Provides:          samba
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Samba daemons
### END INIT INFO
#
# Starts/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#

# A source build installed under /usr/local/samba writes its pid file here
# (adjust if you configured a different --with-piddir).
SAMBAPID=/usr/local/samba/var/run/samba.pid

# clear conflicting settings from the environment
unset TMPDIR
# See if the daemon and the config file are there
test -x /usr/local/samba/sbin/samba -a -r /usr/local/samba/etc/smb.conf || exit 0

. /lib/lsb/init-functions

case "$1" in
    start)
        log_daemon_msg "Starting Samba 4 daemon" "samba"
        if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
            log_end_msg 1
            exit 1
        fi

        log_end_msg 0
        ;;
    stop)
        log_daemon_msg "Stopping Samba 4 daemon" "samba"

        start-stop-daemon --stop --quiet --name samba --pidfile $SAMBAPID
        # Wait a little and remove a stale PID file
        sleep 1
        if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
        then
            # Stale PID file (samba was successfully stopped),
            # remove it (should be removed by samba itself IMHO.)
            rm -f $SAMBAPID
        fi

        log_end_msg 0
        ;;
    restart|force-reload)
        $0 stop
        sleep 1
        $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/samba4 {start|stop|restart|force-reload}"
        exit 1
        ;;
esac

exit 0
After you have created the file, be sure to change the permissions and set the script to autostart using update-rc.d:
sudo chmod 755 /etc/init.d/samba4

sudo update-rc.d samba4 defaults

Home folders for Active Directory users

First we need to create a folder where all the Home folders will reside:
sudo mkdir -m 770 /Users

sudo chmod g+s /Users

sudo chown root.users /Users
Next we will add the following share to /usr/local/samba/etc/smb.conf (the parameter is "directory mode"; it sets the permissions of folders created through the share):
[Users]
directory mode = 0700
read only = no
path = /Users
csc policy = documents

Finally, set the no-expiry flag for your Active Directory administrator password (or you'll have problems after 42 days):
Code:
/usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry
You can either map the share with net use h: \\samba\Users\%USERNAME%, or add the same path to the home folder section under the Profile tab of the AD user. The home folder is created automatically if you use the latter option.
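Because the home-folder root is shared with every domain user, the mode (770 plus the setgid bit, so new folders inherit the group) and the group ownership are what keep one user's files out of another's reach; a typo in the chmod or chown sequence is easy to miss. The script below is an added example and is not part of the original tutorial: it performs the three steps above in one function and then verifies the result with stat. The function names are mine; the dry run uses a scratch directory and the caller's own primary group because chown to root requires privileges.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: create the home-folder
# root the way the steps above do and verify the result, so a mistake in the
# chmod/chown sequence is caught before users start logging on.
# A mode of 2770 means: owner and group read/write/search, nothing for
# "other", plus the setgid bit so new home folders inherit the group.
# Assumes GNU stat (Linux), as on the Ubuntu server in this guide.

# prepare_home_root DIR GROUP : mkdir -m 770, chmod g+s, chown root:GROUP
prepare_home_root() {
    dir=$1; group=$2
    mkdir -m 770 "$dir" || return 1     # 770: no access for "other"
    chmod g+s "$dir" || return 1        # setgid: inherit group on new subdirs
    # chown to root needs privileges; as a plain user only the group is set
    if [ "$(id -u)" -eq 0 ]; then
        chown "root:$group" "$dir" || return 1
    else
        chgrp "$group" "$dir" || return 1
    fi
}

# check_home_root DIR GROUP : returns 0 if the mode is 2770 and the group matches
check_home_root() {
    dir=$1; group=$2
    mode=$(stat -c %a "$dir") || return 1
    got_group=$(stat -c %G "$dir") || return 1
    if [ "$mode" != "2770" ]; then
        echo "FAIL: $dir has mode $mode, expected 2770" >&2
        return 1
    fi
    if [ "$got_group" != "$group" ]; then
        echo "FAIL: $dir has group $got_group, expected $group" >&2
        return 1
    fi
    echo "OK: $dir has mode $mode and group $group"
}

# Real use on the server (as root), with the tutorial's values:
#   prepare_home_root /Users users && check_home_root /Users users

# demo_home_root: dry run in a scratch directory with the caller's own
# primary group; returns 0 when the created directory passes the check.
demo_home_root() {
    tmp=$(mktemp -d) || return 1
    g=$(id -gn)
    prepare_home_root "$tmp/Users" "$g" && check_home_root "$tmp/Users" "$g"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run check_home_root /Users users on the server after the three commands above; a mode other than 2770 means the setgid bit or the "other" restriction was lost, and a different group means the chown did not take effect.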

Before you add a workstation to this new domain, be sure to point the DNS server on this client to the new domain controller. Now join the domain as you would with a Windows domain.
Extra tips:
  1. samba -b (shows paths to application and config files)
  2. Install the Windows Server 2003 Service Pack 2 Administration Tools Pack for x86 editions to manage the Active Directory server from a Windows client :
    http://www.microsoft.com/en-us/download/details.aspx?id=6315
  3. If you want to debug your Samba server, please use the following command to start Samba in single user and debug mode. This will log all information to stdout and makes debugging easy.
    gdb --args /usr/local/samba/sbin/samba -i -M single
  4. Use the command /usr/local/samba/sbin/samba -V to see what version of Samba you're running, or try /usr/local/samba/bin/smbclient --version
Administration Tools (For Windows XP): http://www.microsoft.com/en-ca/downlo...
Remote Server Administration Tools (For Windows Vista, 7, or 8. **BE SURE TO READ THE INSTRUCTIONS ON THE WEBSITE!**):
Parts of the following online resources were used for this tutorial:
http://sector7e.com/setup-of-samba4-4-10-on-ubuntu-server-12-04-lts-and-13-10/
https://www.youtube.com/watch?v=Rf7Hk8qWt1Q

http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller

http://ubuntuforums.org/showthread.php?t=2146198
