What:
SUSE Linux Enterprise 12 with Samba v4.1.7
Challenge:
Set up and configure a Samba file server that works properly with Windows ACLs
Solution:
Most of the configuration can be done with YaST: join your server to the existing domain and make sure the join works as it should before going any further.
Configure your shares
vi /etc/samba/smb.conf
Paste the content below and save the file.
[global]
security = ADS
workgroup = cloud
realm = domain.CLOUD
netbios name = FS01
encrypt passwords = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
usershare allow guests = No
usershare owner only = false
kerberos method = secrets and keytab
passdb backend = tdbsam
usershare max shares = 100
wins support = no
template homedir = /home/%D/%U
template shell = /bin/bash
idmap config cloud:backend = ad
idmap config cloud:schema_mode = rfc2307
idmap config cloud:range = 3000000-4000000
winbind nss info = rfc2307
winbind trusted domains only = no
# without this, winbind prefixes every username with "domain\"; with it set to yes the prefix is omitted
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
winbind refresh tickets = yes
# prevent flooding the log with "failed to retrieve printer list" messages
printcap name = /dev/null
load printers = no
# browseable set to No here, to hide homes
browseable = No
#winbind:ignore domains = BUILTIN FS01
[homes]
comment = Home Directories
path = /srv/FileData/UserData/%S
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
[FileData]
comment = Network Profiles Service
path = /srv/FileData
read only = No
browseable = Yes
inherit acls = Yes
inherit permissions = Yes
Create your directory structure:
mkdir -p /srv/FileData/UserData/{administrator,test}
systemctl restart nmb.service smb.service
Troubleshooting
Make sure you can list groups
wbinfo -g
and users
wbinfo -u
Now get more detailed information about a few different users; don't perform your tests only on administrator.
wbinfo -i administrator
Output should be similar to the below:
administrator:*:3000500:3000513::/home/cloud/administrator:/bin/bash
If you get the following error:
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator
test with id and getent:
id administrator
No results.
getent passwd
Lists only local users.
To fix it, edit the smb.conf file.
vi /etc/samba/smb.conf
Change the backend to use rid instead of ad:
idmap config cloud:backend = rid
Clear the cache
net cache flush
Restart Samba
systemctl restart nmb.service smb.service
Test again, starting from the top of Troubleshooting.
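The rid backend that the fix above switches to derives Unix IDs arithmetically rather than reading uidNumber/gidNumber from AD: uid = RID - base_rid + low end of the idmap range (base_rid defaults to 0), so with range 3000000-4000000 the Administrator (RID 500) becomes 3000500 and Domain Users (RID 513) becomes 3000513, which is exactly what the wbinfo -i output shown earlier reports. Home directory and shell then come from template homedir and template shell, since rid reads no AD attributes. The script below is an added example, not part of the original post, that checks a wbinfo -i line against that formula and against the configured range, so a wrong uid (one coming from a local passwd entry or a different backend) is caught instead of silently producing ACLs that do not resolve. The SIDs and the domain name "cloud" are constructed sample values; only sed, awk and cut are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the uid/gid that
# `wbinfo -i` prints are what the idmap_rid backend would assign and that they
# lie inside "idmap config <DOM>:range" from smb.conf.
#   idmap_rid formula: id = RID - base_rid + low_range   (base_rid defaults to 0)

# Constructed sample data, matching the values used in the post.
RANGE_LINE='idmap config cloud:range = 3000000-4000000'
WBINFO_LINE='administrator:*:3000500:3000513::/home/cloud/administrator:/bin/bash'
USER_SID='S-1-5-21-111-222-333-500'    # made-up domain SID, well-known RID 500 (Administrator)
GROUP_SID='S-1-5-21-111-222-333-513'   # made-up domain SID, well-known RID 513 (Domain Users)

# range_low "<smb.conf range line>" -> low end of the configured idmap range
range_low() { printf '%s\n' "$1" | sed -n 's/.*= *\([0-9]*\)-.*/\1/p'; }

# range_high "<smb.conf range line>" -> high end of the configured idmap range
range_high() { printf '%s\n' "$1" | sed -n 's/.*-\([0-9]*\) *$/\1/p'; }

# sid_rid "<SID>" -> the relative identifier, i.e. the last dash-separated component
sid_rid() { printf '%s\n' "$1" | awk -F- '{print $NF}'; }

# rid_to_id "<SID>" "<range line>" [base_rid] -> the Unix id idmap_rid would assign
rid_to_id() {
    base=${3:-0}
    echo $(( $(sid_rid "$1") - base + $(range_low "$2") ))
}

# in_range "<id>" "<range line>" -> exit 0 when id lies inside the configured range
in_range() {
    [ "$1" -ge "$(range_low "$2")" ] && [ "$1" -le "$(range_high "$2")" ]
}

# verify_mapping "<wbinfo -i line>" "<user SID>" "<primary group SID>" "<range line>"
# -> exit 0 when the printed uid and gid both match the idmap_rid prediction and
#    both sit inside the configured range; exit 1 otherwise
verify_mapping() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    gid=$(printf '%s\n' "$1" | cut -d: -f4)
    [ "$uid" -eq "$(rid_to_id "$2" "$4")" ] &&
    [ "$gid" -eq "$(rid_to_id "$3" "$4")" ] &&
    in_range "$uid" "$4" && in_range "$gid" "$4"
}

# Live use on a joined server (not executed here): `wbinfo -n` prints "SID type",
# so only the first field is passed on.
#   verify_mapping "$(wbinfo -i administrator)" \
#                  "$(wbinfo -n administrator | cut -d' ' -f1)" \
#                  "$(wbinfo -n 'Domain Users' | cut -d' ' -f1)" \
#                  "$(grep ':range' /etc/samba/smb.conf)" && echo "idmap OK"
```

Run it against a real user after the restart; a mismatch means the uid came from somewhere other than idmap_rid (a local account with the same name, a stale cache that net cache flush did not clear, or a range that was changed after files were already created), and any ACLs set from Windows would be stored against the wrong numeric ids.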
Remove all ACLs and, from now on, set them only from a Windows machine.
setfacl -b /srv/FileData/
setfacl -b /srv/FileData/*
Issues
1. Make sure not to use spaces in your share paths.
2. I had some issues with AppArmor; unfortunately the default Samba rules made Samba crash, and I was not able to make any changes under the Windows security tab. After disabling AppArmor everything worked perfectly.
I added the following AppArmor rules:
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability setgid,
capability setuid,
capability sys_resource,
/run/nscd/passwd r,
/run/nscd/group r,
/var/log/samba/** rw,
which seemed to work well, but during the night (I suspect a cron job) shares were becoming unavailable, so I disabled AppArmor completely.
If anyone knows why shares become unavailable, please share in the comments.