Samba 4 Install
Samba 4
First we need to install bind9 and edit the named.conf.options file so that bind forwards the queries it cannot answer itself to the upstream DNS server.
apt-get install bind9 resolvconf dnsutils
Edit the file /etc/bind/named.conf.options: point the forwarders block at the upstream DNS server, comment out the dnssec-validation line, and add forward only:
forwarders {
    10.1.1.1;
};
//dnssec-validation auto;   // commented out
forward only;
Now configure your server to use bind for DNS resolution by editing /etc/network/interfaces. Enter 127.0.0.1 as the only DNS nameserver.
Now do an 'ifconfig eth0 down' followed by an 'ifconfig eth0 up' and check the contents of /etc/resolv.conf; it should list 127.0.0.1 as the only nameserver.
Restart bind and check that you can resolve DNS names (such as nservices.bict.lab) from the Debian server using dig. The ";; SERVER:" line at the bottom of dig's output should show that it used 127.0.0.1#53.
Restart bind to apply the changes, and also add this line to /etc/network/interfaces:
dns-nameserver 127.0.0.1
Now restart the interfaces with ifdown -a followed by ifup -a. If you then look at /etc/resolv.conf you will see that resolvconf has regenerated it with the change, similar to this:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search patan.t311
After completing these tasks we are ready to install Samba. First run netstat -nap | grep 389 to check that the LDAP port Samba needs is not in use by another program; if it is, resolve that before proceeding.
Make sure that the server is up to date and has the latest package versions by issuing the following commands:
apt-get update
apt-get upgrade
Now download and install the latest Samba 4 version; use wget to download the file into the home directory:
wget http://www.samba.org/samba/ftp/stable/samba-4.1.9.tar.gz
We now need to verify that the file you have downloaded has not been altered or corrupted. Follow the steps outlined on the download webpage (URL above). The placeholder name samba-latest in the commands stands for the file you actually downloaded (samba-4.1.9) and its detached .asc signature from the same page; the signature covers the uncompressed tar, which is why gunzip runs before gpg --verify.
gpg --import samba-pubkey.asc
gunzip samba-latest.tar.gz
gpg --verify samba-latest.tar.asc samba-latest.tar
Extract the (already uncompressed) tar file using the command:
tar -xvf samba-latest.tar
Now install the other packages the Samba build depends on:
apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev libbsd-dev attr krb5-user docbook-xsl libcups2-dev samba4-clients
Now change into the extracted Samba source directory as shown below (use the directory name matching the version you downloaded):
cd samba-4.1.7
Run the following commands:
./configure --enable-debug --enable-selftest
make
NOTE: the make step will take a while to compile Samba4.
make install
You will have to add the Samba 4 directories to the PATH variable on your machine:
export PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin
Save this export in ~/.bash_profile so that you do not need to repeat it every time you log in after a reboot. Alternatively, call the tool by its full path, /usr/local/samba/bin/samba-tool.
Now everything is ready; run the provision command:
samba-tool domain provision
If you get an error saying the ext4 file system does not support what Samba needs (ACLs, see the fstab section below), use this command instead:
/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive --use-ntvfs
Once the errors are fixed, the domain can be provisioned with either of these two commands.
The 'domain provision' tool should pick sensible defaults for you automatically. Change them if they do not suit your configuration:
Realm [MYDOMAIN.COM]: PATAN.T311
Domain [MYDOMAIN]: RONALD
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE
Administrator password:
Retype password:
If the above was successful, you should see something like this:
Creating CN=Administrators,CN=Users,DC=patan,DC=t311
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
Kerberos config file is generated at:
"/usr/local/samba/private/krb5.conf"
Server Role: active directory domain controller
Hostname: ronaldp
NetBIOS Domain: ronald
DNS Domain: patan.t311
DOMAIN SID: S-1-5-xx-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx
Note: if your domain provision fails with errors, delete the smb.conf that the failed run left behind at /usr/local/samba/etc/smb.conf and run the provision command again:
/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive --use-ntvfs
If that does not fix the errors you may need to reinstall Samba: run make uninstall, delete the installed /usr/local/samba directory, run make and make install again, and follow the steps above to re-provision.
Edit the file /etc/bind/named.conf.local and add this line near the top:
include "/usr/local/samba/private/named.conf";
Restart bind9 using the command:
service bind9 restart
After bind9 restarts, check the end of /var/log/syslog to verify that samba_dlz has started for your realm.
You can also check that the realm’s zone is working by querying for the records that appear in it, for example:
host -t SRV _ldap._tcp.patan.T311
This should return the record's priority, weight and port followed by the name of your Samba 4 server:
_ldap._tcp.patan.T311 has SRV record 0 100 389 ronald.patan.t311.
Start Samba 4 using:
/usr/local/samba/sbin/samba
Run
smbclient -L localhost -U%
This should return a list of shares:
Domain=[PATAN] OS=[Unix] Server=[Samba 4.1.5]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        homes           Disk      Home Directories
        public          Disk      smb share
        Share           Disk      smb share
        IPC$            IPC       IPC Service
Domain=[PATAN] OS=[Unix] Server=[Samba 4.1.5]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
You can run netstat -nap | grep 389 to see the samba process listening on the LDAP port.
You can check the Samba version by running:
/usr/local/samba/sbin/samba -V
Active Directory uses a modified version of the Kerberos protocol for authentication. The provision command has already generated the client configuration for you; you simply need to move the existing file aside and copy Samba's Kerberos config into place to enable it:
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
Check that /etc/krb5.conf has the relevant details of your domain (the realm PATAN.T311).
Kerberos can be checked using the previously installed krb5-user package:
kinit administrator@PATAN.T311
(The realm needs to be in uppercase and must match the one specified while provisioning your domain.)
root@ronald:~# kinit administrator@PATAN.T311
Password for administrator@PATAN.T311:
Warning: Your password will expire in 34 days on Mon Aug 4 20:34:53 2014
Then
klist -e
should return the details of a ticket (the Etype column shows the encryption type of the session key and of the ticket; arcfour-hmac is RC4-HMAC):
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@PATAN.T311

Valid starting     Expires            Service principal
01/07/14 14:07:00  02/07/14 00:07:00  krbtgt/PATAN.T311@PATAN.T311
        renew until 02/07/14 14:06:56, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
Setting Up Samba Startup Script
Retrieve the init script using
wget "http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=blob_plain;f=debian/samba.samba-ad-dc.init;h=3132d2e367675f822342a5b7bc2e50c046aa3b8f;hb=HEAD" -O /etc/init.d/samba-ad-dc
The Debian package assumes that Samba is installed in /usr. If you’ve installed it in the default location (/usr/local/samba) instead, run:
sed -i 's|/usr/sbin|/usr/local/samba/sbin|g' /etc/init.d/samba-ad-dc
Likewise the Debian package assumes you will use /etc/samba/smb.conf as the configuration file. If you are using the default location from the build, run:
sed -i 's|/etc/samba|/usr/local/samba/etc|g' /etc/init.d/samba-ad-dc
Make the init script executable (the file was saved as samba-ad-dc above, so use that name here and below):
chmod 755 /etc/init.d/samba-ad-dc
Enable the script at startup:
update-rc.d samba-ad-dc defaults
Install NTP so that the clocks of the clients and the DC(s) stay synchronized (Kerberos rejects tickets from clients whose clock differs too much from the DC's). Use:
apt-get install ntp
Edit /etc/ntp.conf to include ntp.bict.lab as an NTP server and restart ntp. Check the server's time; if it is incorrect, wait a couple of minutes and check again.
You should now complete the following checklist before proceeding to add a PC to your domain.
□ samba is the only process on port 389 (use netstat -nap | grep 389 to check)
□ The server uses 127.0.0.1 to resolve DNS queries (use dig to check)
□ The Windows 7 client uses your server to resolve DNS queries (use nslookup to check)
□ From the Windows 7 client run nslookup gc._msdcs.MYREALM (your realm, here PATAN.T311): the returned IP address should be that of your Samba 4 server
□ The time and date on the server are correct (use date to check)
□ The time and date on the Windows 7 client are correct
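The following is an added example, not part of the original notes: a small POSIX shell script that turns the first four checklist items into functions you can pipe the real command output into on the DC. The host names (ronald.patan.t311, nservices.bict.lab) and the sample output lines are taken from, or constructed in the shape of, the output shown in these notes.

```shell
#!/bin/sh
# Added example (not part of the original notes): offline versions of the
# pre-join checks. Each function reads the output of the tool named in its
# comment from stdin and returns 0 on pass, so on the DC you pipe the live
# command into it; the constructed samples at the bottom mimic real output.

# netstat -nap | grep 389 | check_ldap_port
# Pass only if port 389 has at least one listener and every one of them is samba.
check_ldap_port() {
    awk '$4 ~ /:389$/ { if ($NF ~ /\/samba$/) good++; else bad++ }
         END { if (good > 0 && bad == 0) exit 0; exit 1 }'
}

# check_resolv < /etc/resolv.conf
# Pass only if 127.0.0.1 is the one and only nameserver.
check_resolv() {
    awk '$1 == "nameserver" { n++; if ($2 != "127.0.0.1") other++ }
         END { if (n == 1 && other == 0) exit 0; exit 1 }'
}

# dig nservices.bict.lab | check_dig_server
# dig names the resolver it used in its footer; it must be the local bind.
check_dig_server() {
    grep -q '^;; SERVER: 127\.0\.0\.1#53'
}

# host -t SRV _ldap._tcp.<realm> | check_srv <dc-fqdn>
# Pass only if an LDAP SRV record on port 389 points at this DC.
check_srv() {
    awk -v dc="$1." '$3 == "SRV" && $7 == "389" && tolower($8) == tolower(dc) { ok = 1 }
                     END { if (ok) exit 0; exit 1 }'
}

# Stand-alone demo on constructed sample output (shapes copied from the notes).
run_demo() {
    printf '%s\n' 'tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1234/samba' \
                  'udp 0 0 0.0.0.0:389 0.0.0.0:* 1234/samba' | check_ldap_port || return 1
    printf '%s\n' 'nameserver 127.0.0.1' 'search patan.t311' | check_resolv || return 1
    printf '%s\n' ';; SERVER: 127.0.0.1#53(127.0.0.1)' | check_dig_server || return 1
    printf '%s\n' '_ldap._tcp.patan.T311 has SRV record 0 100 389 ronald.patan.t311.' \
        | check_srv ronald.patan.t311 || return 1
}
run_demo && echo "pre-join checklist: PASS" || echo "pre-join checklist: FAIL"
```

Each function fails on the condition the checklist is guarding against: a second process on 389, an extra or foreign nameserver, dig answered by another resolver, or an SRV record naming a different DC.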
Join the Windows 7 client to the domain.
Right-click “My Computer” icon and choose “Properties”
From the left-side pane click “Advanced System Settings”
Choose the “Computer Name” tab and click “Change”
Select option “Domain”, and insert PATAN.T311
It asks for a username and password: type "Administrator" as the username and then enter your password (the one you chose when you ran the 'samba-tool domain provision' command).
You should get a message box stating ‘Welcome to the PATAN.T311 domain’
Click OK on this message box and the Properties window, and you will then be instructed to restart your computer.
After restarting you should be presented with the normal login dialog. Click on ‘Switch User’ button.
Choose 'Other user' and then enter the following:
Press Enter.
Enable ACL support for root ext4 file system
To enable this, edit /etc/fstab and add user_xattr,acl to the mount options of the root file system, as in the following line (the UUID is that of your own root partition):
UUID=1665738c-8f14-49ab-a29c-cca45ae4a36f / ext4 user_xattr,acl,barrier=1 1 1
The user_xattr,acl part of the options is the important part.
Restart the system and changes will be applied.
Install remote admin tools
Head to Control Panel -> Programs -> Turn Windows features on or off -> Remote Server Administration Tools
The remote admin components you will need are the AD DS Tools, the Group Policy Management Tools and the DNS Server Tools.
Create shares for Users
Edit /usr/local/samba/etc/smb.conf and add the following share definitions to it:
[homes]
comment = Home Directories
browsable = no
read only = no
create mode = 0750
[public]
path = /media/storage/folder
public = yes
writable = yes
comment = smb share
printable = no
guest ok = yes
[Share]
path = /media/storage/folder
public = yes
writable = yes
create mode = 0755
directory mode = 0755
comment = smb share
printable = no
guest ok = yes
We need to create the directory /media/storage/folder that the two shares point to; that is, both the storage directory and the folder directory inside it.
Restart samba or the system to apply changes.
After Samba has restarted, on your Windows 7 client open Start, type \\<server ip> in the search bar and press Enter.
This will show the new shares we created.
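The [public] and [Share] definitions above combine guest ok = yes (public = yes is a synonym) with writable = yes, so anyone who can reach the server can write into /media/storage/folder without a domain login. The following added example, not part of the original notes, scans an smb.conf for such shares and shows a hardened variant of the same two shares; the domain group in valid users is an assumption based on the NetBIOS domain RONALD used in these notes.

```shell
#!/bin/sh
# Added example (not part of the original notes): scan an smb.conf for shares
# that are both guest-accessible and writable, i.e. that allow anonymous writes.
# Samba treats "public" as a synonym for "guest ok" and "read only = no" as
# "writable = yes", and the last assignment in a section wins, so every spelling
# is tracked. Reads smb.conf on stdin, prints each offending share name and
# returns 1 if any was found (0 when the file is clean).
audit_guest_writable() {
    awk '
    function emit() {
        if (sec != "" && sec != "global" && guest && write) { print sec; found = 1 }
        guest = 0; write = 0
    }
    /^[ \t]*\[.*\][ \t]*$/ { emit(); sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
    /^[ \t]*[#;]/ { next }
    /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val); val = tolower(val)
        if (key == "guest ok" || key == "public")    guest = (val == "yes")
        if (key == "writable" || key == "writeable") write = (val == "yes")
        if (key == "read only")                      write = (val == "no")
    }
    END { emit(); exit found + 0 }'
}

# Constructed sample: the [public] and [Share] definitions from these notes.
WEAK_SMB_CONF='[public]
   path = /media/storage/folder
   public = yes
   writable = yes
   guest ok = yes
[Share]
   path = /media/storage/folder
   public = yes
   writable = yes
   guest ok = yes'

# Constructed hardened variant: [public] stays anonymous but read-only, and
# [Share] requires a domain login (NetBIOS domain RONALD in these notes;
# the group name is an assumption, adjust it to your domain).
HARDENED_SMB_CONF='[public]
   path = /media/storage/folder
   guest ok = yes
   read only = yes
[Share]
   path = /media/storage/folder
   guest ok = no
   read only = no
   valid users = @"RONALD\Domain Users"'

# Stand-alone demo: prints public and Share for the weak config.
printf '%s\n' "$WEAK_SMB_CONF" | audit_guest_writable || echo "guest-writable shares found"
```

On the DC, run it as audit_guest_writable < /usr/local/samba/etc/smb.conf after every edit; a clean file produces no output and exit status 0.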