Samba
Contents
- Samba
- About
- Installation
- Configure
- Test and show configuration and their defaults
- Logging
- Flexibility
- Interfaces
- Ports
- Server aliases
- Security
- Backends
- Accounts
- AD DC DNS
- Username map
- Shares
- FSMO
- Distributed File System (DFS)
- GUIs
- Local Master Browser
- Domain Master Browser
- WINS
- Name Resolve Order
- Print Server
- Registry configuration
- RODC
- DHCP server
- Tools Samba3
- Tools Samba 4
- ctdb
- About
- Clustered Samba
- Kerberos
- Acronyms
About
Samba is the standard Windows interoperability suite of programs for Linux and Unix.
Samba is Free Software licensed under the GNU General Public License, the Samba project is a member of the Software Freedom Conservancy.
Since 1992, Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others.
Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member.
-- Citation from the Samba homepage.
I tried to provide a little list for all the fancy #Acronyms.
The name was filtered from a dictionary.
Links
Why Samba
- Free libre open-source software (GNU GPL)
- No Microsoft licenses are necessary, neither for the Windows operating system nor for client access (CALs) to the machine
- Simple and flexible
- Many compatibility options
- e.g. 2 Samba-Versions on the same machine
- CLI administration
- Configuration in a file (easy backup/restore/migration)
- Every client has its own process
- Stability (only one process dies)
- Scales well on multi-core systems
- Good hardware abstraction with Linux or Unix
- Log files are easier to read than the event log
Alternatives
- Bare LDAP
- FreeIPA
- Univention Corporate Server (essentially Samba in an appliance)
- Freedombox for small deployments
Releases
The regular Samba release cycle intends a new release series
- six months fully supported,
- another six months in the maintenance mode,
- six months in the security fixes only mode.
In total, each series is maintained for a period of approximately 18 months.
So there are three minor releases in active maintenance by the Samba Team:
- x.y+1 - next upcoming release series
- x.y - current stable release
- x.y-1 - maintenance mode - fixing security and severe bugs
- x.y-2 - security fixes only
- x.y-3 - Discontinued (EOL)
Security fixes may also be back-ported by the distributions to their frozen versions.
You had better keep up with the pace.
Your old OpenWRT router is probably out of bug-fixes.
Samba versions and features
Samba is changing rapidly, with huge differences between versions. It is important to know which features your setup needs, in order to select the minimum version to install.
To keep track you may read
3.5
- Experimental SMB2.0 support
3.6
- Full SMB2.1 support
4.0
- AD DC support
- Ships with built-in
  - LDAP server
  - Kerberos KDC (can generate PAC)
- Introduction of the
  - supervisor process samba
  - CLI management tool samba-tool
- Introduction of 2 DNS solutions
  - Built-in DNS
  - BIND9 plugin (with DLZ)
4.2
- SMB3 support
4.3
- SMB3.1.1 support
4.7
- MIT-Kerberos support
- The dynamic port range for RPC services has been changed from the old default value "1024-1300" to "49152-65535".
- Self-signed certs with SHA256
4.8
- Domain member setups require winbindd
- No simple downgrade (GUID index)
- Time Machine Support with vfs_fruit
- Support for RODC setups
4.10
- MIT-Kerberos support disabled (at compile time)
- Python 3 support
4.11
- SMB1 is disabled by default
- Default schema updated to 2012_R2
4.13
- Samba 4.13 deprecates Samba's original domain controller mode.
Please also take a look at the protocol support at SMB versions
3 Daemons and a supervisor
nmbd - NetBIOS name server to provide NetBIOS over IP naming services to clients
smbd - server to provide SMB/CIFS services to clients
winbindd
- Name Service Switch daemon for resolving names from NT servers
- ID mapping Unix - Samba
samba - supervisor process (AD DC mode, introduced with 4.0)
Requirements
- At least 2 domain controllers
  - Improvement of maintenance and availability
  - Resources:
    - CPU: 4
    - RAM: 8GiB
    - Storage: 20GiB
- Separated file servers
  - Resources:
    - CPU: 4
    - RAM: 8GiB
    - Storage: according to your demands, but > 128GiB makes sense …
- Resources:
  - Knowledge about the corporate structure, to map the company onto the LDAP directory.
Ports
Protocol | Port | Purpose | Daemon
--- | --- | --- | ---
icmp | | only required by Windows XP and Windows Server 2003 |
tcp | 53 | DNS |
udp | 53 | DNS |
udp | 67 | DHCP-Server |
udp | 68 | DHCP-Client |
tcp | 88 | Kerberos |
udp | 88 | Kerberos |
tcp | 135 | RPC, WMI |
udp | 137 | MS Cluster Administrator |
udp | 137 | NetBIOS Name Resolution |
tcp | 137 | RPC/named pipes (NP) |
udp | 138 | NetBIOS Datagram Service |
udp | 138 | RPC/named pipes (NP) |
tcp | 139 | NetBIOS Session Service | smbd
tcp | 139 | RPC/named pipes (NP) | smbd
tcp | 389 | ldap |
udp | 389 | ldap |
tcp | 445 | File and printer shares via SMB | smbd
tcp | 464 | Kerberos Password V5 |
udp | 464 | Kerberos Password V5 |
tcp | 593 | RPC over HTTPS |
tcp | 636 | ldaps |
tcp | 3268 | MS Global Catalog ###TO_PROOF |
tcp | 3269 | MS Global Catalog over TLS ###TO_PROOF |
tcp | 3343 | Cluster Service (necessary for node join) |
udp | 3343 | with DTLS Cluster Service |
tcp | 3389 | RDP |
tcp | 5722 | RPC for DFS Replication |
tcp | 6600 | Hyper-V Live Migration |
tcp | 9389 | Active Directory Web Services (ADWS) |
tcp | 9389 | Active Directory Management Gateway Service |
tcp | 1024 - 5000 | RPC randomly allocated high TCP ports on |
tcp | 1024 - 65535 | RPC randomly allocated high TCP ports for CertSRV, ClusSvc, DFS on |
tcp | 49152 - 65535 | RPC randomly allocated high TCP ports on |
See also:
Microsoft Docs - Service overview and network port requirements for Windows
Microsoft Docs - How to configure a firewall for Active Directory domains and trusts
SRV records
Always check SRV records on each domain controller
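An added example (not from this page or the Samba project) that checks each DC's own DNS for the SRV records an AD domain publishes and reports names a DC does not answer, or answers differently from its peers. It assumes the `host` tool from bind9-host is installed and that the domain is also the forest root; the function names and the sample output are this example's own.

```python
import subprocess

# SRV names an AD DC is expected to publish.  The _gc and gc._msdcs names are
# forest-level; this assumes (as stated in the lead-in) that the domain is the forest root.
SRV_PREFIXES = (
    "_ldap._tcp", "_ldap._tcp.dc._msdcs", "_ldap._tcp.pdc._msdcs",
    "_kerberos._tcp", "_kerberos._udp", "_kerberos._tcp.dc._msdcs",
    "_kpasswd._tcp", "_kpasswd._udp",
    "_gc._tcp", "_ldap._tcp.gc._msdcs",
)


def expected_srv_records(realm):
    """Fully qualified SRV names for one realm, e.g. _ldap._tcp.example.com."""
    return ["%s.%s" % (prefix, realm.lower()) for prefix in SRV_PREFIXES]


def parse_host_srv_output(text):
    """Parse the answer lines of `host -t SRV` (bind9-host), such as
    '_ldap._tcp.example.com has SRV record 0 100 389 dc1.example.com.'
    into (priority, weight, port, target) tuples.  Other lines (the
    'Using domain server:' banner, NXDOMAIN messages) are ignored."""
    records = []
    for line in text.splitlines():
        if " has SRV record " in line:
            prio, weight, port, target = line.split(" has SRV record ", 1)[1].split()
            records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def query_srv(name, nameserver):
    """Ask one specific DC's DNS service, not the system resolver, for an SRV record."""
    proc = subprocess.run(["host", "-t", "SRV", name, nameserver],
                          capture_output=True, text=True, check=False)
    return parse_host_srv_output(proc.stdout)


def check_dcs(realm, dc_addresses, query=query_srv):
    """Return (missing, inconsistent): per DC the expected names it does not
    answer, and the names whose target set differs between DCs (a sign of
    replication or dynamic DNS update problems).  `query` is injectable for tests."""
    missing, answers = {}, {}
    for dc in dc_addresses:
        for name in expected_srv_records(realm):
            records = query(name, dc)
            if not records:
                missing.setdefault(dc, []).append(name)
            answers.setdefault(name, {})[dc] = {target for _, _, _, target in records}
    inconsistent = sorted(name for name, per_dc in answers.items()
                          if len({frozenset(s) for s in per_dc.values()}) > 1)
    return missing, inconsistent


if __name__ == "__main__":
    import sys
    # Usage: python3 check_srv.py EXAMPLE.COM 192.0.2.1 192.0.2.2
    missing, inconsistent = check_dcs(sys.argv[1], sys.argv[2:])
    for dc, names in missing.items():
        print("%s is missing: %s" % (dc, ", ".join(names)))
    for name in inconsistent:
        print("DCs disagree on %s" % name)
```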
Definitions
docs.microsoft.com - Understanding the Active Directory Logical Model
docs.microsoft.com - [MS-ADTS]: Active Directory Technical Specification
Active Directory forest
German: Gesamtstruktur
A forest is a collection of one or more Active Directory domains that share a common logical structure, directory schema (class and attribute definitions), directory configuration (site and replication information), and global catalog (forest-wide search capabilities). Domains in the same forest are automatically linked with two-way, transitive trust relationships.
Active Directory domain
A domain is a partition in an Active Directory forest. Partitioning data enables organizations to replicate data only to where it is needed. In this way, the directory can scale globally over a network that has limited available bandwidth. In addition, the domain supports a number of other core functions related to administration, including:
- Network-wide user identity. Domains allow user identities to be created once and referenced on any computer joined to the forest in which the domain is located. Domain controllers that make up a domain are used to store user accounts and user credentials (such as passwords or certificates) securely.
- Authentication. Domain controllers provide authentication services for users and supply additional authorization data such as user group memberships, which can be used to control access to resources on the network.
- Trust relationships. Domains can extend authentication services to users in domains outside their own forest by means of trusts.
- Replication. The domain defines a partition of the directory that contains sufficient data to provide domain services and then replicates it between the domain controllers. In this way, all domain controllers are peers in a domain and are managed as a unit.
Active Directory organizational units
OUs can be used to form a hierarchy of containers within a domain. OUs are used to group objects for administrative purposes such as the application of Group Policy or delegation of authority. Control (over an OU and the objects within it) is determined by the access control lists (ACLs) on the OU and on the objects in the OU. To facilitate the management of large numbers of objects, AD DS supports the concept of delegation of authority. By means of delegation, owners can transfer full or limited administrative control over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects across a number of people who are trusted to perform management tasks.
Active Directory global catalog
A unified partial view of multiple naming contexts (NCs) in a distributed partitioned directory. The Active Directory directory service GC is implemented by GC servers. The definition of global catalog is specified in [MS-ADTS] section 3.1.1.1.8.
In AD DS, the global catalog (GC) is a partial view of a forest's NCs, with these properties:
- The GC view includes all domain NCs, the config NC, and the schema NC.
- The GC view is partial. It includes all objects in the included NCs, but only those attributes defined as members of the partial attribute set in the schema NC (as specified in section 3.1.1.2). If the GC is an RODC, the attribute list is further restricted to those attributes not present in the filtered attribute set in the schema NC (as specified in section 3.1.1.2).
- The GC view is read-only.
The GC has no state model impact outside the schema NC, which defines the forest's partial attribute set. The implementation of the GC (that is, actually providing the specified view to LDAP clients) does have impact, explained in section 3.1.1.1.9.
In AD LDS there is no support for the GC.
NOTES
- Unlike the Microsoft implementation, the Samba 'Administrator' password expires too. This behaviour may be changed with.
- ntpd >= 4.2.6 is needed to support signing, which is required by Active Directory
- In Samba every DC is a global catalog
- With Samba 4, data should not be stored on an AD DC, since DCs use their own ID mapping. Dedicated file servers should be used to provide data instead.
- Always document your GPOs.
Installation
Server
NT4
Bare Samba
Samba with #ctdb
Samba with ldap
AD DC
Integrated DNS
With Bind9 DLZ
Due to collision with ntp, systemd-timesyncd will be removed.
AD fileserver
Install an AD file server
Due to collision with ntp, systemd-timesyncd will be removed.
Client
# TODO
Configure
Test and show configuration and their defaults
Of course all defaults are documented in
man 5 smb.conf
But there is a more convenient way to find out defaults in bulk.
Please see #testparm
Logging
Defaults compiled in (Debian)
Default configuration (Debian)
The log file may not work when using SMB over tcp/445.
The log level is even more flexible. For more information please see
man -P "less -p 'log level \(G\)'" 5 smb.conf
A high log level may impact system performance.
You may change the log level of a running smbd instance with #smbcontrol
Flexibility
macros
The Samba configuration can be very dynamic. There are several macros which may be used to achieve, e.g., interface-IP-specific (%i), client-IP-specific (%I) or protocol-version-specific (%R) configurations. Even environment variables (dereferenced to their value) may be used as a macro: %$(envvar).
man -P "less -p '^VARIABLE SUBSTITUTIONS'" 5 smb.conf
Be careful: NetBIOS macros (%m, %L) are not resolved when using SMB over tcp/445.
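An added example, not Samba's own substitution code: a Python expansion of the macros named above for one connection, which also reports the NetBIOS macros (%m, %L) that cannot resolve over tcp/445, plus a small lint for configuration values that rely on them while `smb ports` still includes 445 (Samba's default is "445 139"). The Connection class, the function names and the sample values are this example's own assumptions.

```python
import os
import re

# Macros from "VARIABLE SUBSTITUTIONS" in man 5 smb.conf handled here.  %m and %L
# come from the NetBIOS session request, which a client only sends on tcp/139.
NETBIOS_MACROS = {"m", "L"}
MACRO = re.compile(r"%\$\((?P<env>\w+)\)|%(?P<m>[A-Za-z])")


class Connection:
    """Constructed view of what smbd knows about one client session (assumption:
    these are the inputs to substitution; attribute names are this example's own)."""

    def __init__(self, user, share, iface_ip, client_ip, proto, port,
                 netbios_client=None, netbios_server=None):
        self.user, self.share = user, share
        self.iface_ip, self.client_ip, self.proto, self.port = iface_ip, client_ip, proto, port
        self.netbios_client, self.netbios_server = netbios_client, netbios_server

    def macros(self):
        table = {"U": self.user, "S": self.share, "i": self.iface_ip,
                 "I": self.client_ip, "R": self.proto}
        if self.port == 139:  # only a NetBIOS session carries the two names
            table["m"] = self.netbios_client
            table["L"] = self.netbios_server
        return table


def expand(value, conn, env=None):
    """Return (expanded_value, unresolved_macros).  Macros that are unknown or
    unavailable on this connection are left in place and reported, instead of
    silently turning into an empty string."""
    env = os.environ if env is None else env
    table = conn.macros()
    unresolved = []

    def repl(match):
        if match.group("env") is not None:
            return env.get(match.group("env"), "")
        name = match.group("m")
        if table.get(name) is not None:
            return table[name]
        unresolved.append("%" + name)
        return match.group(0)

    return MACRO.sub(repl, value), unresolved


def netbios_macro_risks(smb_conf_text, smb_ports=(445, 139)):
    """Lint: configuration lines whose value uses %m or %L while smbd also
    listens on tcp/445, i.e. values that will not resolve for most clients.
    Returns [(stripped line, sorted macros used)]."""
    if 445 not in smb_ports:
        return []
    risky = []
    for line in smb_conf_text.splitlines():
        if "=" in line and not line.lstrip().startswith(("#", ";")):
            used = {"%" + m.group("m") for m in MACRO.finditer(line)
                    if m.group("m") in NETBIOS_MACROS}
            if used:
                risky.append((line.strip(), sorted(used)))
    return risky
```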
Include
Other files may be included into smb.conf.
Macros may be combined with the include statement.
Dedicated resources
Some resources cannot be shared between two Samba instances:
interfaces, lock directory, netbios name, pid directory, workgroup
Some resources may/should not be shared between two Samba instances:
passdb backend, log file
Interfaces
Bind only to specified interfaces
Ports
Prohibit NetBIOS on tcp/445 and disable SMB over NetBIOS over tcp/139
NetBIOS Macros like %L are not resolved with SMB over tcp/445.
Server aliases
Consolidate multiple servers to a single node
Security
Security modes
share level "tree connect"
- every authenticated user can read the share
- not recommended
- removed with Samba 4.0
server
- Samba 2.0 option, still supported in Samba 3.0
- high load
- problematic
- removed with Samba 4.0
user level -> "session setup"
- Permissions based on user name
domain
- like user, but the auth backend is the domain logon server
- ads methods may be disabled with
  winbind rpc only = yes
ads
- auth backend is the domain logon server with Kerberos
- system clocks must be in sync (tΔ < 5min)
- DNS server required (NetBIOS and DNS name must be identical)
- realm and domain are defined in smb.conf
Backends
Please also see #Actions on backends
Backend smbpasswd
- deprecated
- plain text file
  /etc/samba/smbpasswd
- 6 columns
  - username
  - Unix UID
  - LANMAN hash
  - NT hash
  - account flags
  - mtime
- most simple
- no additional attributes (like HOME directory, …)
/etc/samba/smb.conf
Backend tdbsam
- trivial database Security Accounts Manager (SAM)
- Default and recommended for normal usage
- binary
- offers concurrency and locking
- path in private dir, name passdb.tdb
- long cache times, not always in sync with disk
- backup at runtime with #tdbbackup
- Do backups!
- See also #ctdb
/etc/samba/smb.conf
Backend ldapsam
- bigger networks
- replication backbone of PDCs and BDCs
- tools to modify LDAP and Unix databases necessary, like smbldap-tools
/etc/samba/smb.conf
[global]
### DEFAULT: localhost
passdb backend = ldapsam
#passdb backend = ldapsam:"ldap://ldap1.example.com ldap://ldap2.example.com ldap://ldap3.example.com"
#passdb backend = ldapsam:"ldaps://ldap1.example.com ldaps://ldap2.example.com ldaps://ldap3.example.com"
### PLEASE DON'T USE ROOTDN
ldap admin dn = cn=samba,dc=rockstable,dc=it
ldap suffix = dc=rockstable,dc=it
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmaps
### SECURE BACKEND LDAP CONNECTION OF RPC CALLS (MIND THE SPACE)
ldap ssl = start tls
### SECURE BACKEND LDAP CONNECTION OF ADS CALLS
### (BOOLEAN PARAMETER; ONLY EFFECTIVE WHEN "ldap ssl" IS NOT "off")
ldap ssl ads = yes
ldap ssl should be set explicitly, because the defaults may vary, and depend on the configuration at compile time.
It is subsequently necessary to #Set ldap password
When the local system is attached to LDAP via NSS and the information in LDAP is sufficient to qualify the system, local NSS may be bypassed and Samba's built-in, optimized LDAP queries used instead to read the information stored in the LDAP tree (users, groups, …) directly. During bootstrapping of the LDAP tree, NSS is of course configured after the tree has been prepared for Samba.
Please see
man -P "less -p '^\s*ldapsam:trusted \(G\)'" 5 smb.conf
The write path may also be optimized using direct write access to the LDAP tree (without using scripts). In this scenario winbindd allocates UIDs/GIDs and therefore has to be installed on the Samba DC. Furthermore the ID ranges have to be defined for winbind.
Please make sure samba has sufficient access to the ldap-tree.
Now the LDAP tree needs to be structured as defined in smb.conf. This may be achieved using a hand-crafted LDIF file or the script smbldap-populate from the smbldap-tools, which is quite flexible.
Furthermore some essential accounts need to be created, which can be achieved with
net sam provision
For NSS name resolution over ldap a package has to be installed.
apt install libnss-ldap
/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat systemd ldap
group: compat systemd ldap
shadow: compat
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname mymachines
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
During the test you may stop the name service caching daemon (nscd), to always get fresh (but much more expensive) results.
Accounts
NT4 Accounts
Before adding the samba account make sure a corresponding Unix account (for its UID-number) exists.
The Unix user does not need to have an existing home directory. The home may even be /dev/null.
A user with UID 0 on the DC is a domain admin when created in Samba.
The Unix and the Samba password do not need to match.
AD DC accounts
Samba users no longer need a Unix account to be created beforehand. The Samba ID mapping is sufficient.
AD DC DNS
BIND9_DLZ
Bind9 has a richer feature set than the internal DNS service. For example it allows load balancing using round robin, which is not supported with SAMBA_INTERNAL.
Adjust forwarders and Kerberos keytab in Bind9 configuration.
/etc/bind9/named.conf.options
Include the configuration generated by Samba in Bind9
/etc/bind9/named.conf.options
include "/var/lib/samba/bind-dns/named.conf";
Bind9 must be able to read both files (via group permissions)
Make sure SELinux or Apparmor do not interfere.
Username map
Map Samba users to unix accounts
Acts differently in different security modes.
Therefore read the docs
man -P "less -p '^\s*username map \(G\)'" 5 smb.conf
/etc/samba/smb.conf
/etc/samba/username.map
Shares
Options
Are suffixed with (S) in man 5 smb.conf
Unix groups are prefixed by @
Example
Default shares
There are some default share definitions in
/etc/samba/smb.conf
homes
Unix home directory exported for a user.
The default value of the path to the home directory
The directory for the domain should already be created for Samba4 to be able to create user home directories.
Home directories
#======================= Share Definitions =======================

[homes]
comment = Home Directories
browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
read only = no

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S
netlogon
The logon scripts of a domain controller are stored here.
profiles
Store roaming profiles, which are downloaded on logon and uploaded on logout. This feature requires a fast network and sufficient disk I/O, especially at peak times.
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
printers
Manage printers
Manage printer drivers
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
sysvol
# WIP
Store group policy objects (GPOs).
The content of the share sysvol must be the same on all DCs, but the synchronization is not managed by Samba. It does not need to be strictly synchronized; it is sufficient to use rsync or another custom script-based approach. (Please don't use an unencrypted rsync daemon module over TCP; consider rsync's ability to use a remote shell like ssh instead.) But you may have to designate a primary server which acts as the replication source. A good choice could be the server holding the #FSMO role "PDCEmulationMaster". This server must then always be used to change GPOs. RSAT can be pointed specifically to this primary server.
- Open RSAT Group Policy Management
- Right-click on the domain
- Change domain controller
- Choose "Domain Controller with the token for PDC Emulation"
The replication may then be triggered by
- a cron-job
- a systemd-timer or
- inotify
Another possibility is to use a distributed filesystem like GlusterFS to share the directory.
Guest shares
May also be combined with
#Username map
Do not combine valid users = with guest ok = yes, or guests won't be able to connect.
/etc/samba/smb.conf
[global]
security = user
### DEFAULT GUEST ACCOUNT
guest account = nobody
### MAP USERS, THAT ARE NOT MAPPABLE TO A UNIX ACCOUNT,
### E.G. THEY DON'T EXIST, TO THE GUEST ACCOUNT
map to guest = Bad User

### PUBLIC READ-ONLY SHARE
[DVD-ROM]
comment = DVD-Drive
path = /media/sr0
guest ok = yes

### PUBLIC WRITEABLE SHARE
### UNIX PERMISSIONS CONTROL WRITING
[tmp]
comment = Insecure temporary share.
path = /mnt/sda2/tmp
read only = no
guest ok = yes
create mask = 664
directory mask = 775
browseable = yes
For the mount please see
#Mount as guest
Usershares
man -P "less -p '^USERSHARES'" 5 smb.conf
Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete their own share definitions has been added. This capability is called usershares and is controlled by a set of parameters in the [global] section of the smb.conf.
Usershare options with their defaults on Debian 10.
Authorization for the creation of usershares is managed by filesystem permissions on /var/lib/samba/usershares.
The group and the directory usually exist, because the installation takes care of it. But in case it doesn't, this is how to create it.
The directory usershares is sticky and can only be written to by root and the group sambashare.
ls -ld /var/lib/samba/usershares
drwxrwx--T 1 root sambashare 0 12. Nov 2017 /var/lib/samba/usershares
So the group sambashare controls access to the management of usershares and should not be reused to grant access to other branches of the filesystem tree. Just create a separate group for this purpose.
Add a user to the group sambashare
adduser "$USERNAME" sambashare
Now shares can be managed by a user.
If you are using KDE Plasma, make sure some packages are installed
aptitude install samba kdenetwork kdenetwork-filesharing
A directory can now be shared via the file manager (like Dolphin or Konqueror). Just navigate to the directory, open the properties and choose the tab "Share".
Or just use the cli with #net usershare.
DOS-Attributes
DOS-Attributes are
- SYSTEM
- HIDDEN
- ARCHIVE
- READ-ONLY
DOS attributes are mapped to Unix attributes prior to evaluating Unix permissions. When store dos attributes is set to true, the mappings to Unix permissions are simply ignored. Please see
man -P "less -p 'store dos attributes \(S\)'" 5 smb.conf
Defaults
On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work; extended attributes must also be compiled into the Linux kernel.
Control filesystem permissions
In somewhat simpler setups, utilizing the SETUID/SETGID bits may be sufficient.
Samba has some nice filesystem permission semantics, that help in controlling access to the share.
[operations]
path = /srv/samba/operations
### ANONYMIZE WRITING USER OR
### MANAGE VIA USER PERMISSIONS
#force user = operator
### ENFORCE ENTITY TO BE OWNED BY GROUP
force group = operations
### LIMIT ACCESS TO GROUPS AND SINGLE USERS
valid users = @operations, @management, ceo, cto
### ONLY MEMBERS OF GROUP OPERATIONS MAY WRITE
write list = @operations
### SET FILE CREATE MASK
### (BIT-WISE "AND"ED WITH REQUEST)
### DEFAULT: 0744
create mask = 0740
### FORCE FILE PERMISSION
### (BIT-WISE "OR"ED WITH REQUEST)
### DEFAULT: 0000
force create mode = 0020
### SET DIR CREATE MASK
### (BIT-WISE "AND"ED WITH REQUEST)
### DEFAULT: 0755
directory mask = 0770
### FORCE DIR PERMISSION
### (BIT-WISE "OR"ED WITH REQUEST)
### DEFAULT: 0000
force directory mode = 0020
It's also possible to use POSIX ACLs within the filesystem to achieve even more flexible permissions. But this raises the bar quite a bit, because it requires kernel support, mount options, VFS objects and an adapted backup strategy that preserves the additional information.
Templating
The share [operations] from #Control filesystem permissions has become quite complex. It could be a challenge to manage a higher number of these shares.
Luckily, other shares can be used as templates. Only specifically mentioned directives are overridden; everything else is copied.
VFS modules
man -P "less -p 'vfs objects \(S\)'" 5 smb.conf
- vfs objects (S)
- This parameter specifies the backend names which are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects. Be aware that the definition of this parameter will overwrite a possible previous definition of the vfs objects parameter.
These modules are stackable.
These modules are installed with the package samba-vfs-modules, which is recommended by the package samba. The VFS modules are stored in
/usr/lib/x86_64-linux-gnu/samba/vfs
VFS modules of Samba 4.13.3-Debian
vfs_acl_tdb - Save NTFS-ACLs in a tdb file
vfs_acl_xattr - Save NTFS-ACLs in Extended Attributes (EAs)
vfs_aio_fork - implement async I/O in Samba vfs
vfs_aio_pthread - implement async open in Samba vfs using a pthread pool
vfs_audit - record selected Samba VFS operations in the system log
vfs_btrfs - Utilize features provided by the Btrfs filesystem
vfs_cap - CAP encode filenames
vfs_catia - translate illegal characters in Catia filenames
vfs_ceph - Utilize features provided by CephFS
vfs_ceph_snapshots - Expose CephFS snapshots as shadow-copies
vfs_commit - flush dirty data at specified intervals
vfs_crossrename - server side rename files across filesystem boundaries
vfs_default_quota - store default quota records for Windows clients
vfs_dirsort - Sort directory contents
vfs_extd_audit - record selected Samba VFS operations
vfs_fake_perms - enable read only Roaming Profiles
vfs_fileid - Generates file_id structs with unique device id values for cluster setups
vfs_fruit - Enhanced OS X and Netatalk interoperability
vfs_full_audit - record Samba VFS operations in the system log
vfs_glusterfs - Utilize features provided by GlusterFS
vfs_glusterfs_fuse - Utilize features provided by GlusterFS
vfs_gpfs - gpfs specific samba extensions like acls
vfs_io_uring - Implement async io in Samba vfs using io_uring of Linux (>= 5.1).
vfs_linux_xfs_sgid - Workaround XFS sgid bit not inherited
vfs_media_harmony - Allow multiple Avid clients to share a network drive.
vfs_nfs4acl_xattr - Save NTFS-ACLs as NFS4 encoded blobs in extended attributes
vfs_offline - Mark all files as offline
vfs_preopen - Hide read latencies for applications reading numbered files
vfs_readahead - pre-load the kernel buffer cache
vfs_readonly - make a Samba share read only for a specified time period
vfs_recycle - Samba VFS recycle bin
vfs_shadow_copy - Expose snapshots to Windows clients as shadow copies.
vfs_shadow_copy2 - Expose snapshots to Windows clients as shadow copies.
vfs_shell_snap - Shell script callouts for snapshot creation and deletion
vfs_snapper - Expose snapshots managed by snapper as shadow-copies
vfs_streams_depot - EXPERIMENTAL module to store alternate data streams in a central directory.
vfs_streams_xattr - Store alternate data streams in posix xattrs
vfs_syncops - Ensure meta data operations are performed synchronously.
vfs_time_audit - samba vfs module to log slow VFS operations
vfs_unityed_media - Allow multiple Avid clients to share a network drive.
vfs_virusfilter - On access virus scanner
vfs_widelinks - make a Samba share ignore filesystem symbolic links inside a share
vfs_worm - disallows writes for older file
vfs_xattr_tdb - Save Extended Attributes (EAs) in a tdb file
Example share
[purchasing]
copy = operations
path = /srv/samba/purchasing
force group = purchasing
valid users = @purchasing, @management, ceo, cto
write list = @purchasing
vfs objects = btrfs recycle virusfilter
### KEEP TREE HIERARCHY (vfs_recycle OPTIONS USE THE "recycle:" PREFIX)
recycle:keeptree = yes
### DON'T RECYCLE FILES GREATER THAN 8GiB
recycle:maxsize = 8589934592
FSMO
Flexible Single Master Operations roles
- SchemaMaster
  - Unique in AD forest
  - Should also be a global catalog
  - Should be held together with DomainNamingMaster
  - Definition/authority of the LDAP schema
- DomainNamingMaster
  - Unique in AD forest
  - Should be held together with SchemaMaster
  - Authority for the assignment of domain names
- InfrastructureMaster
  - Unique in AD domain
  - Manages referential integrity in a domain
  - If the IM-role server holds a global catalog, all DCs need a GC. If a DC does not hold a GC, the IM role must not be on a GC.
- RidAllocationMaster
  - Unique in AD domain
  - Should be held together with PdcEmulationMaster
  - Allocates pools of IDs to the DCs, to make sure IDs are unique in the domain
- PdcEmulationMaster
  - Unique in AD domain
  - Should be held together with RidAllocationMaster
  - Manages password changes (t_replication ≤ 20min)
- DomainDnsZonesMaster
  - Unique in AD domain
  - Management of the DNS structure of a domain
- ForestDnsZonesMaster
  - Unique in AD forest
  - Responsible for the DNS structure of the AD forest
Distributed File System (DFS)
wiki.samba.org - Distributed File System (DFS)
Set up the DFS root directory
DFS_ROOT="/srv/samba/dfs-root"
### MAKE SURE TO HAVE CORRECT UNIX PERMISSIONS
### (A DIRECTORY NEEDS THE EXECUTE BIT TO BE TRAVERSABLE)
chown 0:0 "$DFS_ROOT"
chmod 755 "$DFS_ROOT"
cd "$DFS_ROOT"
### CREATE LINKS TO THE SHARES
### ALL LOWERCASE CHARACTERS
ln -s 'msdfs:server1.domain.tld\share1' share1
ln -s 'msdfs:server2.domain.tld\share2' share2
ln -s 'msdfs:server3.domain.tld\share3' share3
### READ-ONLY LINK WITH COMMA-SEPARATED REDUNDANT SOURCE "SERVERS\SHARES"
ln -s 'msdfs:server5.domain.tld\share5,server6.domain.tld\share5' share5
GUIs
gadmin-samba
The activity of this project is in question.
- website down :-/
- was not able to find the source repo
Probably you should not use this at all anymore.
Install the graphical frontend
gadmin-samba
Be careful with this tool!
Try it elsewhere, but not in production.
If you let it overwrite your config, it will disrupt your service.
gadmin-samba will, on startup and with your permission, perform some changes to your configuration.
- Create users
  - Unix user "smbguest"
  - Samba users "root" and "smbguest"
- Create Unix group "sambamachines"
- Back up your old config
- Create a file /etc/samba/smbusers with username mappings between Unix and Samba
- Overwrite the config with
  - no comments
  - the NetBIOS name set to "Samba24"
  - the current workgroup overwritten with "Workgroup"
  - the wrong networks allowed ("127. 192.168.0")
  - binding to interfaces that don't exist ("192.168.0")
  - …
When (after the initial setup) configuration options are given that gadmin-samba does not support, they are not discarded.
It's definitely worth a look for the configuration it performs especially for older Samba versions.
But i won't use it, because it's not up to date.
SWAT
SWAT is no longer available with Samba 4.1.
Samba 4 mailing list - PROPOSAL: Remove SWAT in Samba 4.1
Install the internet super-daemon
aptitude install xinetd
Add a service to
/etc/services
swat 901/tcp # Samba Web Administration Tool
/etc/xinetd/swat
netdomjoin-gui
A gui for domain joins in the Samba source code. Located in source/lib/netapi/examples.
Local Master Browser
- Is the base of Windows Networking (Network Neighborhood)
- Is handled by nmbd
- Writes its state to /var/lib/samba/browse.dat
- Services have to register with a LMB.
- Should be stable (with "long" uptime)
- Is limited to a subnet.
- There is a LMB in every subnet.
- LMB is elected
- Criteria:
- protocol version
- OS
- uptime
- name in alphabetic order
- Election
- can be started by every participant
- is based on broadcasts
Samba OS Levels
OS | Level
Windows for Workgroups | 0
Windows 95/98 | 1
Windows NT Workstation | 16
Samba | 20 (default)
Windows NT Server | 32
Configure election
Start on boot and win the election
You may also prevent participation in LMB elections.
Please be careful!
By default, Samba will win a local master browsing election over all Microsoft operating systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can effectively isolate a subnet for browsing purposes.
--- man -P "less -p 'os level \(G\)'" 5 smb.conf
Domain Master Browser
- Synchronizes the info from LMBs and thus allows seeing nodes in other subnets in the Windows networking browser on the clients.
- Is a passive node, the LMB initiates the sync process.
- In a given subnet the roles LMB and DMB are distinguished from each other and must not reside on the same machine.
- The DMB is looked up via WINS (domain<1b>). The connection to WINS is essential.
- On the LMB the info, which was
- discovered locally, is marked as local and relevant, because it was discovered by broadcasts
- synchronized from the DMB, is marked as such and is subject to upstreaming
- This system is very sluggish and only has "antique" info.
Host announcement and its timeout
- The host announcement interval is 12min.
- If 3 host announcements are missed, the LMB considers the host dead.
Therefore dead hosts stay visible in the Windows networking browser for 36min.
MSBROWSE - Browsing other workgroups
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
The dots are ASCII 0x01 (StartOfHeading) and 0x02 (StartOfText).
Every LMB in a subnet (but of different workgroups) signals its existence to this NetBIOS group. This list is maintained by all LMBs in a subnet.
If a DMB is used and there are workgroups in the Browser, which do not exist anymore, but are still visible in Windows networking browser, then in Samba set
enhanced browsing = no
WINS
For the protocol please see
networking#WINS
WINS is a Highlander. There can only be one in the entire network.
WINS Client
Configure Samba server as a WINS client.
wins server = IP.AD.DR.ES
WINS Server
Enable WINS support in Samba
wins support = yes
Now WINS clients may be configured to register their names with the Samba server.
On Samba the dynamically maintained database is stored persistently across reboots in /var/lib/samba/wins.dat, which is written in regular intervals.
wins.dat may be synced with
killall -HUP nmbd
/var/lib/samba/wins.tdb is only a cache.
WINS Proxy
Enable WINS proxy in Samba
Should only be an intermediate solution.
Name Resolve Order
host means resolution with DNS
Print Server
Some defaults
The share [print$] serves printer drivers.
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
Drivers are sorted by architecture
ls -l /var/lib/samba/printers
insgesamt 0
drwxr-xr-x 1 root root 0 9. Jun 2018 color
drwxr-xr-x 1 root root 0 26. Oct 2017 COLOR
drwxr-xr-x 1 root root 0 26. Oct 2017 IA64
drwxr-xr-x 1 root root 0 26. Oct 2017 W32ALPHA
drwxr-xr-x 1 root root 0 26. Oct 2017 W32MIPS
drwxr-xr-x 1 root root 0 26. Oct 2017 W32PPC
drwxr-xr-x 1 root root 6 9. Jun 2018 W32X86
drwxr-xr-x 1 root root 0 26. Oct 2017 WIN40
drwxr-xr-x 1 root root 6 9. Jun 2018 x64
The share [printers] provides access to the printers.
Registry configuration
smb.conf remains the initial configuration and takes precedence.
The file /var/lib/samba/registry.tdb may be spread automatically to other cluster nodes using #ctdb.
Registry may be edited using the WINREG-RPC-Service, which is provided by Samba.
Key: HKLM\Software\Samba\smbconf
Please see also
Shares from registry
/etc/samba/smb.conf
- Shares are loaded on demand
- Reduced memory footprint
- Faster operation
- Shares defined in smb.conf are still provided
- On duplicate definition, smb.conf has precedence over the registry
Configuration only from registry
/etc/samba/smb.conf
- Whole configuration is stored in registry
registry shares = yes is implicitly set
Configuration from file and registry
/etc/samba/smb.conf
- The include semantics are still active.
- Registry may override earlier definitions as well as
- Registry may be overridden by later definitions.
registry shares = yes is implicitly set with this option
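As an added example (not part of this page or of Samba), the precedence rule above can be checked offline: the Python below parses smb.conf-style text, which is the format of both /etc/samba/smb.conf and a net conf list dump, reports shares defined in both places, and lists registry settings that are silently overridden because smb.conf wins. The two configurations embedded in it are constructed samples.

```python
"""Share precedence between /etc/samba/smb.conf and the Samba registry.
Added example, not code from the page or the Samba project. It models the
rule above: with 'registry shares = yes' a share defined in both places is
served from smb.conf. The registry side is smb.conf-style text, which is
what 'net conf list' prints."""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
PARAM_RE = re.compile(r"^(?P<key>[^=;#]+?)\s*=\s*(?P<value>.*)$")


def parse_smbconf(text):
    """Parse smb.conf-style text into {section: {parameter: value}}.
    Names are lowercased (Samba compares them case-insensitively);
    blank lines and ';'/'#' comment lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").strip().lower()] = m.group("value").strip()
    return sections


def effective_shares(smbconf_text, registry_text):
    """Merge share sections; smb.conf wins on duplicate share names.
    Returns (merged, conflicts): merged is what will be served, conflicts
    the shares whose registry definition is ignored as a whole."""
    file_cfg = parse_smbconf(smbconf_text)
    reg_cfg = parse_smbconf(registry_text)
    merged, conflicts = {}, []
    for name, params in reg_cfg.items():
        if name != "global":            # [global] precedence is a separate topic
            merged[name] = dict(params)
    for name, params in file_cfg.items():
        if name == "global":
            continue
        if name in merged:
            conflicts.append(name)
        merged[name] = dict(params)     # the smb.conf definition replaces it
    return merged, sorted(conflicts)


def shadowed_params(smbconf_text, registry_text):
    """Registry settings lost to the smb.conf copy of the same share, as
    (share, parameter, registry_value, effective_value); effective_value
    None means smb.conf does not set it, so Samba's default applies. A
    restriction stored only in the registry, e.g. 'read only = yes', is
    silently dropped this way, which is why this check is worth running."""
    file_cfg = parse_smbconf(smbconf_text)
    reg_cfg = parse_smbconf(registry_text)
    lost = []
    for share in (file_cfg.keys() & reg_cfg.keys()) - {"global"}:
        for param, reg_value in reg_cfg[share].items():
            eff_value = file_cfg[share].get(param)
            if eff_value != reg_value:
                lost.append((share, param, reg_value, eff_value))
    return sorted(lost)


# Constructed sample configurations, not taken from a real system.
SMB_CONF = """
[global]
    workgroup = DUNGEON
    registry shares = yes

[projects]
    path = /srv/samba/projects
    read only = no
    guest ok = yes
"""

REGISTRY_DUMP = """
[projects]
    path = /srv/samba/projects
    read only = yes
    guest ok = no

[scratch]
    path = /srv/samba/scratch
    read only = no
"""
```

Feeding the output of net conf list as the second argument makes the same check usable before a net conf import during a migration.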
RODC
On sites with a lower level of security (e.g. DMZ) it's generally a better idea to use a RODC.
- No passwords are stored on a RODC.
- Users or groups that should be able to authenticate to a RODC have to be specified explicitly
With Samba, RODC setups are possible starting with version 4.8.
- Configure /etc/hosts
- Configure DNS on the existing DCs
- Create new DNS zones (forward/reverse)
- Create A/PTR records in the AD for the RODC
- Allow Bind9 to accept queries from other subnets
- Open firewall
- Kerberos, DNS, …
- Install the packages like on a regular DC
- Copy /etc/krb5.conf to the RODC
- Join the domain as RODC
- Configure a read-only Bind9 setup on the RODC (e.g. copy the configuration from another DC)
- Configure systemd to enable samba-ad-dc.service
RODCs are never listed in SRV records. DCs can also be identified via /var/lib/samba/private/dns_update_list.
DHCP server
There is a very good description in
Samba Wiki - Configure DHCP to update DNS records with BIND9
Tools Samba3
smbstatus
smbstatus --help
smbstatus
Samba version 4.13.2-Debian
PID Username Group Machine Protocol Version Encryption Signing
-----------------------------------------------------------------------------

Service pid Machine Connected at Encryption Signing
-----------------------------------------------------------------------------

No locked files
smbclient
Show list of shares
% smbclient -L libertas
Enter DUNGEON\tobias's password:

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.13.2-Debian)
tobias Disk Home Directories
gargantua_HP_Color_LaserJet Printer gargantua_HP_Color_LaserJet
gargantua_HP_Color_LaserJet@gargantua.local Printer gargantua_HP_Color_LaserJet@gargantua.local
PDF Printer PDF
SMB1 disabled -- no workgroup available
smbcontrol
Since smbd runs one process per client, it is possible to change the log level for a single remote host while the process is running.
This comes in very handy.
net
net uses positional parameters. Fill missing arguments with the empty string "".
net ads
Join AD-Domain, the computer account will be created automatically.
net ads join -U Administrator
net groupmap
List group mappings
net groupmap list
Add a group mapping manually
Modify group mapping manually
net getlocalsid
Export sid of domain SAMBA
net getlocalsid SAMBA
This may be used for a backup or to set the sid on a NT4 BDC.
net setlocalsid
All domain controllers need the same SID.
The SID may be set like this e.g. on a NT4 BDC.
net setlocalsid S-1-5-21-x-y-z
net conf
A CLI API for registry operations
net conf
Usage:
net conf list Dump the complete configuration in smb.conf like format.
### USEFUL DURING MIGRATIONS - BE CAREFUL
### OVERWRITES ALL VALUES AND REMOVES MISSING FROM REGISTRY
net conf import Import configuration from file in smb.conf format.
net conf listshares List the share names.
### BE CAREFUL
net conf drop Delete the complete configuration.
net conf showshare Show the definition of a share.
net conf addshare Create a new share.
net conf delshare Delete a share.
net conf setparm Store a parameter.
net conf getparm Retrieve the value of a parameter.
net conf delparm Delete a parameter.
net conf getincludes Show the includes of a share definition.
net conf setincludes Set includes for a share.
net conf delincludes Delete includes from a share definition.
Export modify and reimport registry
To simplify complex changes
net dom
- Sync times
- DNS must work
- DNS must resolve to fqdn
Join a remote client to the domain and optionally reboot the machine
There is also a GUI called #netdomjoin-gui
net registry
Please see also #net conf
List registry keys
net rpc
List users
net rpc user
List groups
net rpc group
Join domain, the computer account will be created automatically.
net rpc join -U Administrator
net rpc rights
Grant the right to show and edit the Samba configuration stored in registry to a user.
net rpc rights grant root SeDiskOperatorPrivilege -U root
From windows
Special privileges
Right | Description
SeMachineAccountPrivilege | Allows creating machine accounts and joining the domain
SeTakeOwnershipPrivilege | Allows taking ownership of objects like directories and files
SeBackupPrivilege | Allows backing up directories and files
SeRestorePrivilege | Allows restoring directories and files
SeRemoteShutdownPrivilege | Allows shutting down a remote system
SePrintOperatorPrivilege | Allows managing printers
SeAddUsersPrivilege | Allows adding users and groups
SeDiskOperatorPrivilege | Allows managing the registry and therefore shares
net rpc trustdom
List Interdomain trust relationships
- NT4: directed (one-sided)
- ADC: symmetric, transitive
List trusts
Samba as trusting domain
Add a unix account trusted$ and create "domain machine account" "TRUSTED" for the trusted domain.
Delete domain account for trust
Remove a domain machine account (by the trusting domain)
net rpc trustdom del TRUSTED
Samba as trusted domain
net rpc trustdom establish TRUSTED
Leave domain trust
Revoke a domain trust (by the trusted domain)
net rpc trustdom del TRUSTED
net rpc vampire
Tool to migrate MS Windows NT4 domains to Samba.
- Prepare the Samba configuration
- BDC setup
[global]
workgroup = NT4DOMAIN
domain master = no
domain logons = yes
- backends (ldap/tdb)
- scripts like (add user script, …)
- Stop smbd
- Join the Domain as a BDC
- Create a copy of the NT4-Domain.
net rpc vampire -S nt4pdc -U administrator
List and check result with pdbedit -L
- Prepare ID-mapping with winbind
- Check and manually correct the mapping of NT groups to unix groups
Please see #net groupmap
- Migrate profiles and policies
You may use convmv, which is available in the Debian repos to change the character encoding of the filenames.
convmv -f cp850 -t utf8 -r /media/samba
net sam
since 3.0.23
Modify local user-database
Only root is allowed to use net sam.
- Samba server does not need to run.
winbindd must run to use group-mapping.
net usershare
A full round
# net usershare add Tobias_Public /home/tobias/Öffentlich "Tobias public share" 'Everyone:r,LIBERTAS\tobias:f' guest_ok=y
# net usershare list
Tobias_Public
# net usershare info
[Tobias_Öffentlich]
path=/home/tobias/Öffentlich
comment=Tobias public share
usershare_acl=Everyone:R,LIBERTAS\tobias:F,
guest_ok=y
### LIST USERSHARES OF ALL USERS
# net usershare info -l
# net usershare delete Tobias_Public
smbldap-tools
smbpasswd
smbpasswd, in contrast to pdbedit, also synchronizes the unix password if unix password sync is set in smb.conf.
Add user account
Before adding an account make sure a corresponding unix account exists. Please also take a look at the notes in #Accounts
- Create a unix account.
useradd username
- Create the corresponding samba account.
smbpasswd -a username
- Enable the samba account
smbpasswd -e username
Add machine account
- Create a unix machine account, which is suffixed by a $ sign.
useradd -d /dev/null -s /bin/false machine$
- Create the corresponding samba machine account. The $ sign is appended automatically when using -m.
smbpasswd -a -m machine
- Enable the samba account
smbpasswd -e machine
You may now join the domain.
Set ldap password
Set the password for ldap access
smbpasswd -W
Domain-SID, ldap admin credentials and computer-account to join domain are stored in a file secrets.tdb in the private directory usually
/var/lib/samba/private/secrets.tdb
Other actions
Change password
smbpasswd username
Disable user
smbpasswd -d username
Delete user
smbpasswd -x username
pdbedit
Tool to modify, back-up and migrate passdb.
The extended attributes are only supported if the passdb backend is not set to smbpasswd, which only contains username and hash. So always check whether changes are committed.
smbpasswd, in contrast to pdbedit, also synchronizes the unix password if unix password sync is set in smb.conf.
Before adding an account make sure a corresponding unix account exists. Please also take a look at the notes in #Accounts
Add user
pdbedit -a username -f 'Test User' -h '\\SERVER\test'
Delete user
pdbedit -x username
List users
pdbedit -L
List user attributes (verbosely)
pdbedit -Lv username
Actions on backends
Convert passdb
Another backup method
pdbedit -e tdbsam:/var/backups/samba/passdb_$(date +%F).tdb
NetBIOS
For the protocol take a look at
networking#NetBIOS
nmblookup
Has a lot of options
man nmblookup
### LOOKUP HOST
# nmblookup -v libertas
192.168.182.16 libertas<00>
### LOOKUP HOST AND QUERY NODE STATUS
# nmblookup -S libertas
192.168.182.16 libertas<00>
Looking up status of 192.168.182.16
LIBERTAS <00> - B <ACTIVE>
LIBERTAS <03> - B <ACTIVE>
LIBERTAS <20> - B <ACTIVE>
DUNGEON <00> - <GROUP> B <ACTIVE>
DUNGEON <1e> - <GROUP> B <ACTIVE>

MAC Address = 00-00-00-00-00-00
### LOOKUP IP ADDRESS AND QUERY ITS NODE STATUS
# nmblookup -A 192.168.182.16
Looking up status of 192.168.182.16
LIBERTAS <00> - B <ACTIVE>
LIBERTAS <03> - B <ACTIVE>
LIBERTAS <20> - B <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
DUNGEON <00> - <GROUP> B <ACTIVE>
DUNGEON <1d> - B <ACTIVE>
DUNGEON <1e> - <GROUP> B <ACTIVE>

MAC Address = 00-00-00-00-00-00
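The node-status output above is where the browser roles from the Local Master Browser, Domain Master Browser and MSBROWSE notes become visible. As an added example (not code from this page or from Samba), the Python below parses such output, maps the standard NetBIOS suffixes to roles and flags hosts that claim the Domain Master Browser name <1b> without being the designated DMB, which is the check to run when a misconfigured host is suspected of hijacking browsing for a subnet. The two sample outputs are constructed after the one above; the host name "rogue", the IP 192.168.182.77 and the expected DMB name are assumptions.

```python
"""Browser roles from nmblookup node-status output (nmblookup -S / -A).
Added example, not code from the page or from Samba. It maps the NetBIOS
suffixes discussed in the LMB, DMB and MSBROWSE notes above to roles and
flags hosts that claim the Domain Master Browser name without being the
designated DMB. The sample outputs are constructed after the one above."""
import re
from collections import namedtuple

NetBIOSName = namedtuple("NetBIOSName", "name suffix group node_type flags")

# One status line looks like:  NAME <xx> - [<GROUP>] B <ACTIVE ...>
STATUS_LINE = re.compile(
    r"^\s*(?P<name>\S.*?)\s+<(?P<suffix>[0-9a-fA-F]{2})>\s+-\s+"
    r"(?:(?P<group><GROUP>)\s+)?(?P<node>[BPMH])\s+<(?P<flags>[^>]*)>")

# Standard NetBIOS suffix meanings, keyed by (suffix, is_group).
ROLES = {
    ("00", False): "Workstation Service",
    ("00", True): "Workgroup/Domain Name",
    ("01", True): "Master Browser (__MSBROWSE__)",
    ("03", False): "Messenger Service",
    ("1b", False): "Domain Master Browser",
    ("1c", True): "Domain Controllers",
    ("1d", False): "Local Master Browser",
    ("1e", True): "Browser Service Elections",
    ("20", False): "File Server Service",
}


def parse_node_status(text):
    """Return the registered names from one nmblookup -S/-A status block;
    the 'Looking up status' and 'MAC Address' lines do not match and are skipped."""
    names = []
    for m in filter(None, map(STATUS_LINE.match, text.splitlines())):
        names.append(NetBIOSName(m.group("name"), m.group("suffix").lower(),
                                 m.group("group") is not None,
                                 m.group("node"), m.group("flags").strip()))
    return names


def browse_roles(text):
    """Summarize the host's browsing roles: the workgroups it knows, which
    it is LMB (<1d>) or DMB (<1b>) for, and whether it is in __MSBROWSE__."""
    names = parse_node_status(text)
    return {
        "roles": sorted(ROLES.get((n.suffix, n.group), "unknown <%s>" % n.suffix)
                        for n in names),
        "workgroups": sorted(n.name for n in names if n.suffix == "00" and n.group),
        "lmb_for": sorted(n.name for n in names if n.suffix == "1d" and not n.group),
        "dmb_for": sorted(n.name for n in names if n.suffix == "1b" and not n.group),
        "msbrowse": any(n.suffix == "01" and "__MSBROWSE__" in n.name for n in names),
    }


def rogue_master_browsers(status_by_host, expected_dmb):
    """Hosts that claim the DMB name <1b> although they are not the designated
    DMB: per the notes above, a misconfigured Samba host that wins elections
    can take over browsing for a subnet, so run this over every host's output."""
    return sorted(host for host, text in status_by_host.items()
                  if browse_roles(text)["dmb_for"] and host != expected_dmb)


# Constructed sample outputs, modelled on the nmblookup -A output above.
LIBERTAS_STATUS = """\
Looking up status of 192.168.182.16
        LIBERTAS        <00> -         B <ACTIVE>
        LIBERTAS        <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
        DUNGEON         <00> - <GROUP> B <ACTIVE>
        DUNGEON         <1d> -         B <ACTIVE>
        DUNGEON         <1e> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00
"""

ROGUE_STATUS = """\
Looking up status of 192.168.182.77
        ROGUE           <00> -         B <ACTIVE>
        DUNGEON         <00> - <GROUP> B <ACTIVE>
        DUNGEON         <1b> -         B <ACTIVE>
        DUNGEON         <1d> -         B <ACTIVE>
        DUNGEON         <1e> - <GROUP> B <ACTIVE>
"""
```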
Query WINS server for a label
nbtstat in Windows
Windows users would use nbtstat (NetBios over Tcp STATus).
With an empty cache you may force a query with
net view \\SERVER
smbtorture
Package: samba-testsuite
Query 2 SMB-servers with random requests and compare the responses. This may be helpful in migration scenarios.
smbtorture
tdbbackup
Backup (creates a bak-file next to original)
tdbbackup /var/lib/samba/private/passdb.tdb
Backup with custom suffix
Verify against custom suffix
tdbdump
tdbdump /var/lib/samba/private/passdb.tdb
mount.cifs
Do not use smbfs.
It's obsolete and is not in development anymore!!!
man 8 mount.cifs
Quick mount from shell
Mount from shell with credentials file
Mount from shell with credentials file and some more control on the filesystem permissions on unix.
Mount as guest
Mount as a guest without password
Trouble Shooting
It may be necessary to specify the SMB-version.
### WITHOUT VERSION THE SHARE IS NOT FOUND
# mount.cifs -o guest,uid=113 '//quasar/music' /media/quasar
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
### WITH VERSION YOU GET PERMISSION DENIED, ONE STEP AHEAD ;-)
# mount.cifs -o guest,uid=113,vers=1.0 '//quasar/music' /media/quasar
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
/etc/fstab
This may alternatively be achieved with autofs.
rpcclient
smbcacls
wbinfo
With a large number of entries in your directory, these commands can put quite a load on your domain infrastructure.
Query winbindd (the NSS switch backend)
testparm
Check current configuration (with implicit defaults, -v)
testparm -v |less
Compiled-in configuration (with empty smb.conf)
testparm -v -s /dev/null |less
Tools Samba 4
Most of the Samba 3 tools still exist and continue to be useful. But Samba 4.0 introduced a new suite of tools that is intended to succeed the legacy tooling.
Common Samba4 management utilities
#samba-tool is the primary tool for administration
Microsoft Remote Server Administration Tools (RSAT) for Windows
RSAT
DNS-Manager
After creation of a new DNS-zone and if the backend is
- the Samba internal DNS-service, the Samba service has to be restarted.
- Bind9-DLZ, a restart is not necessary.
samba_dnsupdate
samba_dnsupdate
samba_downgrade_db
samba_downgrade_db
samba-gpupdate
samba-gpupdate
samba_kcc
samba_kcc
samba-regedit
ncurses frontend to the registry
samba-regedit
samba_spnupdate
samba_spnupdate
samba-tool
With Samba 4.0 the new tool samba-tool was introduced, to unify the command line interface.
samba-tool kerberos
samba-tool has Kerberos integration, which must be activated using options --kerberos=yes or short -k yes.
A ticket granting ticket has to be requested before.
kinit administrator
samba-tool dns
Add a new DNS zone
Create records in the DNS zone
samba-tool domain demote
Prior to removing a DC from a domain, all roles should have been transferred to another DC.
Then you may remove the DC from the domain
samba-tool domain demote -UAdministrator
When the DC is dead
Such a failed and forcefully removed node must never be reattached to the domain.
samba-tool domain info
samba-tool domain info 192.168.1.12
samba-tool domain join
Make sure the DNS-resolver is set correctly (to the existing DC).
Join the domain as domain controller
On the joining DC a /etc/samba/smb.conf is generated, but the settings dns forwarder have to be specified manually.
The resolver of a domain controller should point to itself. Make sure the DC is listed first in /etc/resolv.conf.
Join a domain as RODC, optionally specify --site=SITE.
samba-tool domain provision
- Stop all daemons
- Make sure there is no /etc/samba/smb.conf, e.g. from the defaults or a previous attempt.
- Determine a first site name for the option --site DC1. "Default-First-Site-Name" is not really "satisfying".
- If Unix UIDs/GIDs should be stored in AD, specify --use-rfc2307
- Provision the domain
samba-tool domain provision
samba-tool domain passwordsettings
Show domain password settings
samba-tool domain passwordsettings show
Manage Password Settings Objects (PSOs)
samba-tool domain passwordsettings pso list
samba-tool drs
Check Directory Replication Services (DRS); optionally specify a user from the group "domain admins" to authenticate as, e.g. -Uadministrator
samba-tool drs showrepl
This check should be performed on every DC after a domain join.
Now trigger a Knowledge Consistency Checker (KCC) run
samba-tool drs kcc -k yes
samba-tool fsmo
Manage Flexible Single Master Operations (FSMO).
Discover the roles in the domain
samba-tool fsmo show
Transfer all roles
samba-tool fsmo transfer --role=all -k yes
Seize role from failed DC, optionally with --force
samba-tool fsmo seize --role=naming -k yes
A DC whose roles have been seized has to be removed from the domain. Please see #samba-tool domain demote
samba-tool gpo
Manage Group Policy Objects
samba-tool gpo listall
Check if GPO is effective for user
samba-tool group
List all groups
samba-tool group list
Add user to group
samba-tool ntacl
samba-tool ntacl sysvolcheck
samba-tool rodc
If a connection to a writeable DC cannot be assured for authenticating a user on a RODC, you may preload the password to the RODC
samba-tool user
samba-tool user list
samba_upgradedns
samba_upgradedns
ctdb
See also #Backend tdbsam
About
Cluster Trivial Database
CTDB is a cluster implementation of the TDB database used by Samba and other projects to store temporary data. If an application is already using TDB for temporary data it is very easy to convert that application to be cluster aware and use CTDB instead.
CTDB provides the same types of functions as TDB but in a clustered fashion, providing a TDB-style database that spans multiple physical hosts in a cluster.
Features include:
- CTDB provides a TDB that has consistent data and consistent locking across all nodes in a cluster.
- CTDB is very fast.
- In case of node failures, CTDB will automatically recover and repair all TDB databases that it manages.
- CTDB is the core component that provides pCIFS ("parallel CIFS") with Samba3/4.
- CTDB provides HA features such as node monitoring, node failover, and IP takeover.
- CTDB provides a reliable messaging transport to allow applications linked with CTDB to communicate to other instances of the application running on different nodes in the cluster.
- CTDB has pluggable transport backends. Currently implemented backends are TCP and Infiniband.
- CTDB supports a system of application specific management scripts, allowing applications that depend on network or filesystem resources to be managed in a highly available manner on a cluster.
Install
aptitude install ctdb
Debian locations
/etc/defaults/ctdb - defaults
- May not exist; create it to modify the init behaviour
ls -l /etc/ctdb - config
insgesamt 80
-rw-r--r-- 1 root root 555 9. Jul 11:33 ctdb.conf
-rwxr-xr-x 1 root root 682 9. Jul 11:33 ctdb-crash-cleanup.sh
-rw-r--r-- 1 root root 72 9. Jul 11:33 ctdb.tunables
-rwxr-xr-x 1 root root 1936 9. Jul 11:33 debug-hung-script.sh
-rwxr-xr-x 1 root root 3021 9. Jul 11:33 debug_locks.sh
drwxr-xr-x 1 root root 36 5. Jan 18:31 events
-rw-r--r-- 1 root root 24859 22. Nov 10:44 functions
drwxr-xr-x 1 root root 200 5. Jan 18:31 nfs-checks.d
-rwxr-xr-x 1 root root 8466 22. Nov 10:44 nfs-linux-kernel-callout
-rwxr-xr-x 1 root root 345 9. Jul 11:33 notify.sh
-rw-r--r-- 1 root root 273 9. Jul 11:33 script.options
-rwxr-xr-x 1 root root 8467 14. Aug 10:48 statd-callout
ls -l /var/lib/ctdb - home-directory
/var/log/ctdb - logs
Tools
ctdb - utility to view and manage a CTDB cluster.
ctdb_diagnostics - dump diagnostic information about CTDB/Samba installation
ctdb_local_daemons - Shell script
tdbtool - manipulate CTDB's local TDB files
onnode - run commands on CTDB cluster nodes
ping_pong - measures the ping-pong byte range lock latency
ctdb
swiss army knife
Backup
Create a backup
It can come in handy to also store the latest backup on the cluster file-system.
Restore procedure
onnode all service ctdb stop
onnode all 'rm /var/lib/ctdb/persistent/secrets.tdb'
### TODO - DISABLE START OF SMBD/WINBIND WITH CTDB
service ctdb start
ctdb restoredb \
/var/backups/samba/secrets_$(date +%F_%T).tdb.bak
service ctdb start
### TODO - ENABLE START OF SMBD/WINBIND WITH CTDB
onnode all service ctdb start
tdbtool
Show registry keys
tdbtool /var/lib/samba/registry.tdb keys
Clustered Samba
/etc/samba/smb.conf
or even simpler /etc/samba/smb.conf
Kerberos
About
Pros
- One of the strongest authentication methods
- Single Sign-On
- No passwords over the network
- Symmetrical crypto (and thus Kerberos) is fast
Cons
- Additional complexity
- Passwords have to be stored unhashed (but encrypted with the Kerberos master key)
Notes
- The Kerberos realm is written in capital letters!
- Kerberos servers are identified by querying DNS Kerberos SRV records.
- When using authentication via Kerberos, the FQDN of a server must be used.
- The default Samba configuration is for a standalone server.
DNS SRV records for Kerberos
Please see DNS#SRV Kerberos
Configuration
/etc/krb5.conf
Univention Domain Join
Install univention keyring
Add Ubuntu PPA
/etc/apt/sources.list.d/univention.list
Install the utility
apt-get install univention-domain-join-cli python3-netifaces wget
With a little hack this may also be used with Debian
cp -p /usr/lib/python3/dist-packages/univention_domain_join/distributions/{ubuntu,debian}.py
Join the domain
Acronyms
Acronym | Long version
ACL | Access Control List
ADS | Alternate Data Streams
AS | Authentication Service
ASN | Autonomous System Number
BDC | Backup Domain Controller
BIOS | Basic Input/Output System
CIFS | Common Internet File System
CUPS | Common Unix Printing System
DC | Domain Controller
DFS | Distributed File System
DMB | Domain Master Browser
DNS | Domain Name System
DRS | Directory Replication Services
DLZ | Dynamically Loadable Zones
DTLS | Datagram Transport Layer Security
FSMO | Flexible Single Master Operations
GC | Global Catalog
GPO | Group Policy Object
I18N | Internationalization
IP | Internet Protocol
IPP | Internet Printing Protocol
IPX | Internetwork Packet Exchange
KCC | Knowledge Consistency Checker
KDC | Key Distribution Center
LMB | Local Master Browser
LPD | Line Printing Daemon
NAT | Network Address Translation
NetBEUI | NetBIOS Extended User Interface
NetBIOS | Network Basic Input/Output System
NIS | Network Information Service
NFS | Network File System
NSS | Name Service Switch
NP | Named Pipe
OLE | Object Linking and Embedding
OU | Organizational Unit
PAC | Privilege Attribute Certificate
PAM | Pluggable Authentication Modules
PSO | Password Settings Object
PDC | Primary Domain Controller
RODC | Read-Only Domain Controller
RPC | Remote Procedure Call
SAM | Security Accounts Manager
SID | Security Identifier
SPN | Service Principal Name
SSO | Single Sign-On
ST | Service Ticket
SWAT | Samba Web Administration Tool
TCP | Transmission Control Protocol
TGS | Ticket Granting Service
TGT | Ticket Granting Ticket
TLS | Transport Layer Security
UTF | Unicode Transformation Format
VFS | Virtual File System
WINS | Windows Internet Name Service