… still fighting – means: trial and error + under construction.
Sources:
https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End
https://wiki.gentoo.org/wiki/Samba/Active_Directory_Guide
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting
https://wiki.samba.org/index.php/Adding_users_with_samba_tool
https://wiki.samba.org/index.php?title=User_and_Group_management
https://wiki.samba.org/index.php/User_Home_Folders
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
Configure NTP
emerge ntp
rc-update add ntp-client default
Kerberos rejects tickets when clocks drift more than the permitted skew (5 minutes by default), so the DC and every domain member must stay synchronised. If this DC is also meant to serve time to the domain's clients, run the ntpd service (rc-update add ntpd default) rather than only the one-shot ntp-client.
Check /etc/hosts
The DC's fully qualified name must lie inside the AD DNS domain (the realm in lower case) and must resolve to the LAN address, not to 127.0.0.1:
10.81.100.150 dc.samdom.test.local dc
Strategy
Use Samba's own (bundled Heimdal) Kerberos.
Use Samba's own internal DNS back end with a DNS forwarder.
This machine is a dedicated AD DC. Files will be stored on a separate Samba domain member file server.
The AD DC's IP is 10.81.100.150, its host name is DC.
Selecting Samba's USE flags
Set them in /etc/portage/package.use (addc builds the AD DC, -system-mitkrb5 keeps the bundled Heimdal), then build:
net-fs/samba addc addns -system-mitkrb5 gnutls winbind gssapi quota fam ldap cups
emerge samba
Create /etc/krb5.conf
[libdefaults]
    default_realm = SAMDOM.TEST.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
Provisioning (next step) also writes a ready-made krb5.conf into /var/lib/samba/private/; copying that file to /etc/krb5.conf gives the same result.
Provisioning
Delete an existing /etc/samba/smb.conf: provisioning creates a brand new one.
samba-tool domain provision --use-rfc2307 --interactive
(--use-rfc2307 adds the NIS extensions, so users and groups can carry uidNumber/gidNumber attributes; the file server later relies on these for consistent Unix IDs.)
REALM: SAMDOM.TEST.LOCAL
Domain: SAMDOM
Server role: dc
Use SAMBA_INTERNAL as DNS backend.
Select your company's internal (or external) DNS resolver as DNS forwarder. The internal DNS is authoritative only for the AD zone and hands every other query to this forwarder, so it is also the path through which domain clients reach the outside world once they point at the DC.
Provisioning also asks for the Administrator password. It is checked against the default complexity policy, and it is the account every later step depends on, so choose it accordingly.
The resulting /etc/samba/smb.conf should be similar to
# Global parameters
[global]
    netbios name = DC
    realm = SAMDOM.TEST.LOCAL
    workgroup = SAMDOM
    dns forwarder = [YOUR_COMPANYS_DNS_RESOLVER]
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /var/lib/samba/sysvol/samdom.test.local/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
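A check that catches the two smb.conf pitfalls this guide ran into (the pid directory that had to be added by hand, and a netlogon path whose domain does not match the realm), added here as an example; it is not part of the original page or of Samba's own tooling. It parses an smb.conf with Python's configparser and audits the handful of settings a dedicated AD DC needs. The embedded config is constructed for the example: the forwarder address 10.81.100.1 and the mismatched netlogon domain are made up, and /run/samba as the expected pid directory is an assumption taken from the start script on this page.

```python
import configparser
import io

# Constructed sample (not the page's verbatim file): a provisioned smb.conf with
# two pitfalls from this guide left in: no "pid directory" yet, and a netlogon
# path whose domain component does not match the realm.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
netbios name = DC
realm = SAMDOM.TEST.LOCAL
workgroup = SAMDOM
dns forwarder = 10.81.100.1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/samdom.test.irmedia/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}.

    smb.conf is ini-like, but keys may contain ':' (idmap_ldb:use rfc2307),
    so only '=' may act as the key/value delimiter. Keys come back lower-cased.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    return {section: dict(cp.items(section)) for section in cp.sections()}


def audit_dc_smb_conf(text, realm, pid_dir="/run/samba"):
    """Return a list of findings for a dedicated AD DC config; empty means OK."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []

    if g.get("server role", "").lower() != "active directory domain controller":
        findings.append("server role is not 'active directory domain controller'")

    if g.get("realm", "").upper() != realm.upper():
        findings.append(f"realm is {g.get('realm', '<unset>')}, expected {realm.upper()}")

    # Without a forwarder the internal DNS answers only for the AD zone, so
    # clients pointed at the DC lose resolution for every other name.
    if not g.get("dns forwarder"):
        findings.append("dns forwarder is not set")

    # The page reports having to add this by hand before samba would start.
    if g.get("pid directory") != pid_dir:
        findings.append(f"pid directory is not {pid_dir}")

    # Logon scripts are served from sysvol/<realm in lower case>/scripts; a
    # path copied from another domain points at a directory that does not exist.
    expected = f"/var/lib/samba/sysvol/{realm.lower()}/scripts"
    actual = conf.get("netlogon", {}).get("path", "")
    if actual != expected:
        findings.append(f"netlogon path is {actual or '<unset>'}, expected {expected}")

    return findings


if __name__ == "__main__":
    for finding in audit_dc_smb_conf(SAMPLE_SMB_CONF, "SAMDOM.TEST.LOCAL"):
        print("FINDING:", finding)
```

Run it against the real file with `audit_dc_smb_conf(open("/etc/samba/smb.conf").read(), "SAMDOM.TEST.LOCAL")`; an empty list means the four checks pass.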
Your Active Directory Domain Controller machine should resolve all names against Samba's internal DNS:
Edit /etc/resolv.conf
domain samdom.test.local
nameserver 10.81.100.150
nameserver 8.8.8.8
The first nameserver has to be the DC itself; external names are reached through the forwarder configured in smb.conf, not through the second entry. A second, non-AD resolver only kicks in while Samba is down, and then it answers the domain's own records with NXDOMAIN, which hides the actual problem. Leaving it out is the safer choice.
ATTENTION: Do not use /etc/init.d/samba start, it will fail
Create a samba start script in /etc/local.d (OpenRC runs every executable *.start file there when the local service starts), e.g. /etc/local.d/samba.start, and make it executable:
#!/bin/sh
# DANCING SAMBA
test -d /run/samba || mkdir -p /run/samba
test -d /var/log/samba || mkdir -p /var/log/samba
/usr/sbin/samba
if [ $? -eq 0 ]; then
    echo "SAMBA started."
else
    echo "SAMBA failed."
fi
# END
Create a samba stop script in /etc/local.d, e.g. /etc/local.d/samba.stop, and make it executable:
#!/bin/sh
# THE LAST DANCE
pkill samba
if [ $? -eq 0 ]; then
    echo "SAMBA stopped."
else
    echo "Stopping SAMBA failed."
fi
# END
Two caveats: /usr/sbin/samba daemonises, so its exit status only says the launcher forked, not that the DC came up (check with pgrep samba or samba-tool afterwards); and pkill samba matches every process whose name contains "samba", including a running samba-tool, so do not run it while such a job is active.
####################################
Maintenance under Windows
Check this (!!!): https://wiki.samba.org/index.php/Installing_RSAT
Install the RSAT tools (for Windows 7: https://www.microsoft.com/en-us/download/details.aspx?id=7887) on a Windows machine, typically one joined to the domain.
Start "Windows Programs and Features" and enable the required tools.
Run gpmc.msc (Group Policy Management), dsa.msc (Active Directory Users and Computers), dnsmgmt.msc (DNS) or the other consoles, logged in with a domain admin account.
Maintenance under Linux
Check this (!!!): https://www.tecmint.com/manage-samba4-active-directory-linux-command-line/
List users and machines:
pdbedit -L -w
Note that -w prints the entries in smbpasswd format, including the NT password hashes, so do not paste that output anywhere; pdbedit -L alone lists names and IDs. On an AD DC the samba-tool equivalents are samba-tool user list and (in newer Samba versions) samba-tool computer list.
Delete users and machines:
pdbedit -x COMPUTER$
pdbedit -x USER
or, with samba-tool: samba-tool user delete USER and samba-tool computer delete COMPUTER.
Additional Info:
Had to add the pid directory to the newly created smb.conf:
pid directory = /run/samba
Had to create the /var/run/samba directory (on Gentoo /var/run is a symlink to /run, which is why the start script creates /run/samba).
Tune password complexity
samba-tool domain passwordsettings show
samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool user setexpiry Administrator --noexpiry
samba-tool domain passwordsettings set --min-pwd-length=0
These commands switch off every password control the domain has: any password (even an empty one) is accepted, passwords never expire, old passwords can be reused at once, and the Administrator account is exempted from password expiry on top. That is acceptable for a throw-away test domain and nothing else; on a real domain leave complexity on, keep a history length and a minimum length, and set a maximum age, because this policy is what every domain account is protected by.
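An audit of the domain password policy, added here as an example and not part of the original page or of samba-tool: it parses the output of samba-tool domain passwordsettings show against a baseline and builds the single samba-tool command that would restore the settings. The sample output below is constructed to reflect the weakened state the commands above produce, and its line format is assumed from that command's output (compare with your version); the thresholds in BASELINE are this example's own choices, not Samba defaults or any standard.

```python
import re

# Constructed sample (assumed output format of
# `samba-tool domain passwordsettings show`) after the commands above ran.
WEAKENED_POLICY = """\
Password information for domain 'DC=samdom,DC=test,DC=local'

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 0
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""

# Baseline to audit against: (setting, predicate on the parsed value, the
# samba-tool flag that brings it back into line). Thresholds are assumptions.
BASELINE = [
    ("Password complexity", lambda v: v == "on", "--complexity=on"),
    ("Store plaintext passwords", lambda v: v == "off", "--store-plaintext=off"),
    ("Password history length", lambda v: v >= 24, "--history-length=24"),
    ("Minimum password length", lambda v: v >= 14, "--min-pwd-length=14"),
    ("Minimum password age (days)", lambda v: v >= 1, "--min-pwd-age=1"),
    # 0 means passwords never expire; cap it rather than leave it unbounded.
    ("Maximum password age (days)", lambda v: 1 <= v <= 365, "--max-pwd-age=365"),
    # 0 disables lockout entirely, which makes online guessing free.
    ("Account lockout threshold (attempts)", lambda v: 1 <= v <= 10,
     "--account-lockout-threshold=10"),
]


def parse_password_settings(text):
    """Turn 'Key: value' lines into a dict; numeric values become ints."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s*(\S+)\s*$", line)
        if not m:
            continue  # header line, blank line
        key, value = m.group(1).strip(), m.group(2)
        settings[key] = int(value) if value.isdigit() else value.lower()
    return settings


def audit_password_settings(text, baseline=BASELINE):
    """Return [(setting, current value, fixing flag)] for every baseline miss."""
    settings = parse_password_settings(text)
    findings = []
    for key, is_ok, fix in baseline:
        if key not in settings:
            findings.append((key, "<missing>", fix))
            continue
        try:
            ok = is_ok(settings[key])
        except TypeError:  # text where a number was expected: treat as a miss
            ok = False
        if not ok:
            findings.append((key, settings[key], fix))
    return findings


def remediation_command(findings):
    """One samba-tool command applying every fix; review it before running it."""
    if not findings:
        return None
    return "samba-tool domain passwordsettings set " + " ".join(fix for _, _, fix in findings)


if __name__ == "__main__":
    found = audit_password_settings(WEAKENED_POLICY)
    for key, value, _ in found:
        print(f"WEAK: {key} = {value}")
    print(remediation_command(found))
```

Feed it live output with `audit_password_settings(subprocess.run(["samba-tool", "domain", "passwordsettings", "show"], capture_output=True, text=True).stdout)`; the generated command is meant to be read and then run by hand, not executed automatically.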
HINTS:
xidNumber (in idmap.ldb) is the Unix ID a SID has been mapped to (root -> 0); with --use-rfc2307, uidNumber/gidNumber attributes set on the AD object take precedence over that mapping.
Show and edit a user's properties:
# ldbedit -e mcedit -H /var/lib/samba/private/sam.ldb 'sAMAccountName=zuppiuser'
(/usr/local/samba/private/sam.ldb is the path for a self-compiled Samba; the Gentoo package keeps the databases under /var/lib/samba/private.) ldbedit writes straight into the directory database, so take a backup of that directory first and prefer the samba-tool user/group subcommands wherever they cover the change.
ATTENTION: Adding a user with samba-tool:
home-directory must be quoted, and with single quotes rather than double: inside double quotes the shell still turns \\ into \, so the leading \\ of the UNC path collapses and the wrong path is stored.
home-drive needs a trailing ':' (like U:), otherwise z: will be used.
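The two gotchas above handled in code, as an added example rather than anything from the page or from samba-tool itself: the home drive is normalised to the U: form, the home directory is required to be a UNC path, and the command is built as an argv list for subprocess so the backslashes never pass through a shell at all (shlex.join shows the single-quoted form you would have to type by hand). The user name zuppiuser is taken from the ldbedit hint above; the file server name files, the uid/gid numbers and the /sbin/nologin shell are assumptions.

```python
import re
import shlex

# Characters Windows refuses in a sAMAccountName (the pre-Windows 2000 logon name).
_BAD_SAM_CHARS = re.compile(r'[\s"/\\\[\]:;|=,+*?<>@]')


def home_drive(letter):
    """Normalise a drive spec to the 'U:' form samba-tool expects.

    'u', 'U' and 'U:' all become 'U:'; anything that is not a single letter is
    rejected instead of being passed through and silently replaced.
    """
    letter = letter.strip().rstrip(":").upper()
    if not re.fullmatch(r"[A-Z]", letter):
        raise ValueError(f"home drive must be a single letter, got {letter!r}")
    return letter + ":"


def user_create_argv(username, home_directory, drive,
                     uid_number=None, gid_number=None, login_shell="/sbin/nologin"):
    """Build the argv for `samba-tool user create` as a list for subprocess.run.

    A list reaches samba-tool without any shell in between, so the backslashes
    of the UNC path need no quoting; shlex.join(argv) shows the quoted form for
    typing interactively.
    """
    if not (1 <= len(username) <= 20) or _BAD_SAM_CHARS.search(username):
        raise ValueError(f"invalid sAMAccountName {username!r}")
    if not home_directory.startswith("\\\\"):
        raise ValueError("home directory must be a UNC path such as \\\\files\\home\\user")

    argv = [
        "samba-tool", "user", "create", username,
        # Keeps the password out of shell history and ps output; the account
        # stays unusable until an admin sets one with `samba-tool user setpassword`.
        "--random-password",
        f"--home-directory={home_directory}",
        f"--home-drive={home_drive(drive)}",
        f"--login-shell={login_shell}",
    ]
    # RFC2307 attributes, usable because the domain was provisioned with --use-rfc2307.
    if uid_number is not None:
        argv.append(f"--uid-number={uid_number}")
    if gid_number is not None:
        argv.append(f"--gid-number={gid_number}")
    return argv


if __name__ == "__main__":
    argv = user_create_argv("zuppiuser", r"\\files\home\zuppiuser", "u",
                            uid_number=10001, gid_number=10000)
    print(shlex.join(argv))  # the single-quoted form a shell needs
```

Hand the list to `subprocess.run(argv, check=True)` on the DC; the printed shlex.join form is what the same call looks like when typed at a shell, single quotes included.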
HINT:
If you create corresponding local Unix users in addition to the Samba users and give them a shell like /sbin/noshell, do not forget to add this shell to /etc/shells. Be aware that some programs treat a shell listed in /etc/shells as "login allowed" (chsh and several FTP daemons check it), so only add a non-login shell there if something actually requires it.
TESTING
…coming soon.
MAINTENANCE
…coming soon.
Nice guide!
Got me going, but for some odd reason I can't check SMB share file/folder security permissions in Windows 10.
Doing so crashes Explorer/COM Surrogate, no idea what's up.