Samba 4 file server as an Active Directory member server


SUSE Linux Enterprise 12 with Samba v4.1.7


Set up and configure a Samba file server that works properly with Windows ACLs


You can do most of the configuration with YaST, so join your server to the existing domain and make sure the join works as it should before going on.

Configure your shares

vi /etc/samba/smb.conf

Paste the content below and save the file.

[global]
        security = ADS
        workgroup = cloud
        realm = domain.CLOUD
        netbios name = FS01
        encrypt passwords = yes
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
        usershare allow guests = No
        usershare owner only = false
        kerberos method = secrets and keytab
        passdb backend = tdbsam
        usershare max shares = 100
        wins support = no
        template homedir = /home/%D/%U
        template shell = /bin/bash
        idmap config cloud:backend = ad
        idmap config cloud:schema_mode = rfc2307
        idmap config cloud:range = 3000000-4000000
        winbind nss info = rfc2307
        winbind trusted domains only = no
        # the next line strips the "DOMAIN\" prefix, so it is omitted from usernames
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind offline logon = yes
        winbind refresh tickets = yes
        # prevent flooding the log with "failed to retrieve printer list" messages
        printcap name = /dev/null
        load printers = no
        #winbind:ignore domains = BUILTIN FS01

# browseable set to No here, to hide homes
[homes]
        comment = Home Directories
        path = /srv/FileData/UserData/%S
        valid users = %S, %D%w%S
        read only = No
        inherit acls = Yes

# section name assumed: the original page omits the share headers
[profiles]
        comment = Network Profiles Service
        path = /srv/FileData
        read only = No
        browseable = Yes
        inherit acls = Yes
        inherit permissions = Yes

Create your directory structure:
mkdir -p /srv/FileData/UserData/{administrator,test}

systemctl restart nmb.service smb.service


Make sure you can list groups
wbinfo -g
and users
wbinfo -u
Now get more detailed information about a few different users; do not run your tests only against the administrator account.
wbinfo -i administrator
The output should be similar to the below.

Troubleshooting

If you get the following error
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator
test with id and getent:
id administrator
No results.
getent passwd
Lists only local users.

To fix it, edit the smb.conf file.

vi /etc/samba/smb.conf
Change the backend to use rid instead of ad:
idmap config cloud:backend = rid
Clear the cache
net cache flush
Restart Samba
systemctl restart nmb.service smb.service
Test again, starting from the top of Troubleshooting.
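The winbind checks above (list groups and users, resolve a user with `wbinfo -i`, then compare the result with the idmap settings) can be scripted. The script below is an added example and not part of the original post: it reads the `idmap config cloud:range` value from smb.conf text, runs `wbinfo -i` for each user (or falls back to a constructed sample line when `wbinfo` is not installed, so it also runs offline), recognises the `WBC_ERR_DOMAIN_NOT_FOUND` failure from the post, and verifies that a resolved uid falls inside the configured range. The domain name `cloud` and the range 3000000-4000000 come from the post; the inline smb.conf fragment and the sample passwd line are constructed. One reason the rid fallback in the post helps: the `ad` backend with `schema_mode = rfc2307` only resolves users and groups that carry uidNumber/gidNumber attributes in AD, while `rid` derives the id from the SID, so every account gets one inside the range.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of the winbind
# checks. Assumptions: domain "cloud" and range 3000000-4000000 as in the post;
# the smb.conf fragment and SAMPLE_LINE below are constructed for offline use.
# On a real server replace SMB_CONF_TEXT with "$(cat /etc/samba/smb.conf)".

DOMAIN=cloud

SMB_CONF_TEXT='[global]
        workgroup = cloud
        idmap config cloud:backend = ad
        idmap config cloud:range = 3000000-4000000
'

# Constructed sample of what "wbinfo -i administrator" prints when idmap works
SAMPLE_LINE='administrator:*:3000001:3000000:Administrator:/home/CLOUD/administrator:/bin/bash'

# idmap_range DOMAIN CONFTEXT -> prints "LOW HIGH" taken from "idmap config DOMAIN:range"
idmap_range() {
    printf '%s\n' "$2" | awk -v dom="$1" '
        tolower($0) ~ ("^[ \t]*idmap config " tolower(dom) ":range[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")
            split($0, r, "-")
            print r[1] + 0, r[2] + 0
            exit
        }'
}

# classify_wbinfo_output TEXT -> ok | domain-not-found | unknown
classify_wbinfo_output() {
    case "$1" in
        *WBC_ERR_DOMAIN_NOT_FOUND*) echo domain-not-found ;;
        *:*:*:*:*:*:*)              echo ok ;;
        *)                          echo unknown ;;
    esac
}

# uid_in_range PASSWD_LINE LOW HIGH -> succeeds when the third field lies in [LOW, HIGH]
uid_in_range() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    [ "$uid" -ge "$2" ] && [ "$uid" -le "$3" ]
}

# check_user USER CONFTEXT -> prints a verdict line, succeeds only when everything is fine
check_user() {
    user=$1
    range=$(idmap_range "$DOMAIN" "$2")
    low=${range% *}
    high=${range#* }
    if command -v wbinfo >/dev/null 2>&1; then
        out=$(wbinfo -i "$user" 2>&1)      # real lookup through winbind
    else
        out=$SAMPLE_LINE                   # offline: use the constructed sample
    fi
    status=$(classify_wbinfo_output "$out")
    if [ "$status" != ok ]; then
        printf '%s: %s\n' "$user" "$status"
        return 1
    fi
    if uid_in_range "$out" "$low" "$high"; then
        printf '%s: ok, uid %s inside %s-%s\n' "$user" "$(printf '%s\n' "$out" | cut -d: -f3)" "$low" "$high"
    else
        printf '%s: resolved, but uid outside idmap range %s-%s\n' "$user" "$low" "$high"
        return 1
    fi
}

# The same two accounts the post creates directories for
for u in administrator test; do
    check_user "$u" "$SMB_CONF_TEXT"
done
```

A uid that resolves but lies outside the configured range means the id did not come from the idmap backend you think it did (for example a local account of the same name), which is worth catching before ACLs are written with it.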

Remove all existing ACLs and from now on set them only from a Windows machine. Note that setfacl -b strips only the extended ACL entries (the base owner/group/other bits stay) and the second command is not recursive; add -R if nested directories already carry ACLs.
setfacl -b /srv/FileData/
setfacl -b /srv/FileData/*


1. Make sure not to use spaces in your share paths.
2. I had some issues with AppArmor: unfortunately the default Samba rules made Samba crash, and I was not able to make any changes under the Windows Security tab. After disabling AppArmor everything worked perfectly.

I added the following AppArmor rules:
capability  chown,
capability  dac_override,
capability  dac_read_search,
capability  fowner,
capability  setgid,
capability  setuid,
capability  sys_resource,

/run/nscd/passwd r,
/run/nscd/group r,

/var/log/samba/** rw,
These seemed to work well, but during the night (I suspect a cron job) the shares became unavailable, so I disabled AppArmor completely.
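Before disabling AppArmor outright, a middle ground is to switch the smbd profile to complain mode (aa-complain /usr/sbin/smbd) and look at what it would have denied, which is also how you would find out what happened to the shares overnight. The script below is an added example, not part of the original post or of the AppArmor tooling: it pulls apparmor="DENIED" events for one profile out of kernel audit messages and prints candidate file rules in the same "path mode," form used above. It is a stripped-down illustration of what aa-logprof does. Assumptions: the profile name /usr/sbin/smbd, reading /var/log/audit/audit.log when it is present (falling back to the constructed sample lines otherwise), and paths without spaces, which the post already recommends.

```shell
#!/bin/sh
# Added example (not from the original post): turn AppArmor denials for the smbd
# profile into candidate file rules. Assumptions: profile /usr/sbin/smbd, audit
# log at /var/log/audit/audit.log, paths without spaces. AUDIT_SAMPLE is constructed.

AUDIT_SAMPLE='type=AVC msg=audit(1400000000.123:456): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/srv/FileData/UserData/test/report.txt" pid=1234 comm="smbd" requested_mask="r" denied_mask="r" fsuid=3000001 ouid=3000001
type=AVC msg=audit(1400000000.124:457): apparmor="DENIED" operation="mknod" profile="/usr/sbin/smbd" name="/srv/FileData/UserData/test/new.txt" pid=1234 comm="smbd" requested_mask="c" denied_mask="c" fsuid=3000001 ouid=3000001
type=AVC msg=audit(1400000000.125:458): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nmbd" name="/etc/samba/smb.conf" pid=1200 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# apparmor_denials_for PROFILE LOGTEXT -> one "PATH DENIED_MASK" line per DENIED event of PROFILE
apparmor_denials_for() {
    printf '%s\n' "$2" | awk -v prof="$1" '
        /apparmor="DENIED"/ && index($0, "profile=\"" prof "\"") {
            name = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name=/)        { name = substr($i, 6);  gsub(/"/, "", name) }
                if ($i ~ /^denied_mask=/) { mask = substr($i, 13); gsub(/"/, "", mask) }
            }
            if (name != "" && mask != "") print name, mask
        }'
}

# normalize_mask MASK -> AppArmor file permission letters. Create (c), append (a) and
# delete (d) are folded into "w"; exec (x) is dropped on purpose because exec rules
# need a qualifier (ix, Px, ...) and should be reviewed by hand.
normalize_mask() {
    printf '%s' "$1" | sed -e 's/[acd]/w/g' -e 's/[^rwkml]//g' | fold -w1 | sort -u | tr -d '\n'
}

# suggest_rules PROFILE LOGTEXT -> candidate rule lines such as "/srv/FileData/x r,"
suggest_rules() {
    apparmor_denials_for "$1" "$2" | while read -r path mask; do
        printf '%s %s,\n' "$path" "$(normalize_mask "$mask")"
    done
}

if [ -r /var/log/audit/audit.log ]; then
    LOG=$(cat /var/log/audit/audit.log)
else
    LOG=$AUDIT_SAMPLE   # offline: constructed sample above
fi
suggest_rules /usr/sbin/smbd "$LOG"
```

The printed lines are per-file; in practice you collapse them into a glob such as the /srv/FileData/** rw, rule used for the share tree, and a denial that appears only at the time the shares went away points straight at the path and operation that the profile was missing.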

If anyone knows why shares become unavailable please share in comments.

