configure Samba 4 AD DC for the SOHO business.

Introduction
It is always beneficial to have a central authentication and authorization service in place, even for the SOHO business. With it you gather all user accounts of the company in one place and control them from there. As your company grows, the identity provider grows vertically. To reduce the risk of bottlenecks, you expand horizontally with more servers.
 
Samba 4 AD DC is a Microsoft AD DS equivalent. This open source program suite allows you to emulate a Microsoft Active Directory 2008 R2 with, of course, group policy objects, all group variants and more. It is powerful and enterprise-ready.
 
Below I am going to show you how to configure Samba 4 AD DC to act as an authentication and authorization provider, and as a file server as well, with Folder Redirection and Offline Folders. This setup guarantees that you always have a copy of your important files on the server, and it is a good enough start to provide you with an up-to-date copy of your files in case something happens to your laptop.
 
Installing Samba 4 AD DS
Install all the required development packages needed for compiling Samba 4. Add libpam0g-dev, acl and git to the list of packages to install. Then build and install it. This takes some time. Meanwhile, create the startup script and add the Samba binaries to the PATH by editing /etc/environment: prepend the existing paths with "/usr/local/samba/sbin:/usr/local/samba/bin:".
 
Add "acl,user_xattr,barrier=1" to the mount options of the partition hosting the Samba 4 AD DC database, and "acl,user_xattr" to /home and any other data partitions that you are about to share with Samba.
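A small check for those mount options, added here as an example and not part of the original post: it reads a fstab-style file and reports which of the required options are missing per mount point. It assumes the AD database under /usr/local/samba/private sits on the root file system; the sample fstab is constructed for the demo, and on a real server you would pass /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the partitions Samba
# will use carry the mount options the post asks for. Without "acl,user_xattr"
# Samba cannot store NT ACLs as extended attributes, and the partition holding
# the AD database additionally needs "barrier=1".
# Assumption: the database under /usr/local/samba/private is on the root fs.

# has_mount_opts FSTAB MOUNTPOINT OPT[,OPT...]
# Returns 0 when every OPT is present, 1 when one is missing, 2 when the
# mount point has no entry in the file.
has_mount_opts() {
    h_file=$1 h_mp=$2 h_want=$3
    # Column 4 (options) of the non-comment line whose column 2 is the mount point.
    h_opts=$(awk -v mp="$h_mp" '$1 !~ /^#/ && $2 == mp { print $4 }' "$h_file")
    if [ -z "$h_opts" ]; then
        echo "$h_mp: no entry in $h_file" >&2
        return 2
    fi
    h_missing=""
    for h_opt in $(printf '%s' "$h_want" | tr ',' ' '); do
        # Surround with commas so that "acl" does not match inside "noacl".
        case ",$h_opts," in
            *",$h_opt,"*) ;;
            *) h_missing="$h_missing $h_opt" ;;
        esac
    done
    if [ -n "$h_missing" ]; then
        echo "$h_mp: missing mount option(s):$h_missing" >&2
        return 1
    fi
    return 0
}

# check_samba_mounts FSTAB: the database partition plus every shared data partition.
check_samba_mounts() {
    c_rc=0
    has_mount_opts "$1" / acl,user_xattr,barrier=1 || c_rc=1
    has_mount_opts "$1" /home acl,user_xattr || c_rc=1
    return $c_rc
}

# Constructed sample fstab: / is correct, /home lacks user_xattr.
SAMPLE_FSTAB=${TMPDIR:-/tmp}/fstab.sample.$$
cat >"$SAMPLE_FSTAB" <<'EOF'
# <file system> <mount point> <type> <options>                                  <dump> <pass>
UUID=0000-0000  /             ext4   errors=remount-ro,acl,user_xattr,barrier=1  0 1
UUID=1111-1111  /home         ext4   defaults,acl                                0 2
EOF

if check_samba_mounts "$SAMPLE_FSTAB"; then
    echo "mount options OK"
else
    echo "fix /etc/fstab before starting Samba"
fi
```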
 
Reboot the server.
 
Provision the domain
The Kerberos components of the Samba 4 suite and of the Windows and Linux clients all depend on accurate time. Make sure that the server is always on time. Windows clients will ask the PDC emulator component of the Samba 4 AD DC for the time. Edit /etc/cron.daily/ntpdate and add time servers for your region: "0.se.pool.ntp.org 1.se.pool.ntp.org 2.se.pool.ntp.org 3.se.pool.ntp.org".
 
Continue by provisioning the domain. Type: samba-tool domain provision --domain=DATADILIKATESSER --adminpass=Pa$$w0rd --dns-backend=SAMBA_INTERNAL --server-role=dc --function-level=2008_R2 --use-xattr=yes --use-rfc2307 --realm=datadilikatesser.se
 
--domain= the NetBIOS name of the domain in question. It is customary to use the leftmost part of the DNS domain name as the NetBIOS name. For example: vusir.se = VUSIR, sweden.example.org = SWEDEN.
--adminpass= the password that the Domain Administrator will be assigned. Don't forget that all domain accounts expire after 41 days by default.
--dns-backend= Active Directory depends just as heavily on correct DNS as on correct time. Using the built-in name server ensures accuracy, ease of use and dynamic updates. No fuss!
--server-role= As we are provisioning a domain controller, we use that parameter value.
--function-level= All variants of Active Directory are versioned, each with its own function level. Don't settle for less than the highest level that Samba offers.
--use-xattr= If your file system supports extended attributes, activating this ensures that you can store NT ACLs on the file system. No hassle!
--use-rfc2307 POSIX uses other ways of enumerating users and groups. This is a no-cost activation which will be beneficial in a mixed Windows/Linux environment. Don't forget to install the libpam0g-dev package and activate Winbind for auto-enumeration of users and groups in the domain.
--realm= the FQDN of the Kerberos realm (and DNS domain name).
 
This procedure is quick. A few minutes later you have a fully functional Samba 4 AD that emulates a Microsoft Windows 2008 R2 AD very, very well.
 
Overwrite existing /etc/krb5.conf with the one produced by Samba during domain provision: cp /usr/local/samba/private/krb5.conf /etc/krb5.conf.
 
Start Samba by typing: "/etc/init.d/samba start" and test the installation. There is a whole section written about testing on the Samba 4 wiki.
 
Add Winbind support
Create a directory under /home with the same name as you used with the --domain parameter during domain provision and follow these steps to the letter to add PAM Winbind support. Have a look at Iabsis' instructions as well; Iabsis provides a neat configuration file on their website. If you prefer having the home directories directly under /home, add the parameter 'template homedir = /home/%ACCOUNTNAME%' to the [global] section of smb.conf. As mentioned earlier, this configuration is easy and auto-enumerates domain accounts with uidNumbers. As of writing (20130728) there is a bug that crashes winbind when listing data directories used by Samba, not just sysvol but also /home. Therefore I have chosen to use SSSD.
 
Add SSSD support
The Linux Costa Blanca blogger 'steve' has written a nice piece on configuring SSSD. What he doesn't mention is that you need a keytab file for this to work. It's not hard: just type 'samba-tool domain exportkeytab /etc/sssd/sssd.keytab --principal=<SERVERNAME$>' and change the entry 'ldap_krb5_keytab = /etc/krb5.keytab' to point to your keytab file.

While testing, use 'service sssd stop; rm /var/lib/sss/db/*; service sssd start' to clear the SSSD database directory.
 
SSSD does not enumerate uidNumber automatically as Winbind does. You have to set the attributes loginShell, gidNumber, uidNumber and unixHomeDirectory manually. A quick test then gives you this in return:
root@server# getent passwd davor
davor:*:101106:100513:Davor Vusir:/home/davor:/bin/bash
root@server#
 
Edit smb.conf
A good source for parameters is here. The changes to /usr/local/samba/etc/smb.conf I did are as follows:
# Global parameters
[global]
        .
        .
        .

        winbind use default domain = yes
        disable spoolss = yes

[home]
        path = /home
        comment = "Home directories"
        writeable = yes
        browsable = yes

        map archive = yes
        map hidden = yes
        map system = yes

        nt acl support = yes
        inherit acls = yes
        inherit permissions = yes
        store dos attributes = yes

        vfs objects = acl_xattr recycle
        acl_xattr:ignore system acl = no
        recycle:keeptree = yes
        recycle:versions = yes
        recycle:maxsize = 1073741824
       
        csc policy = programs
 
 
Join a Windows computer to the Domain
Joining a Windows computer to an Active Directory hasn't changed, so here's an old goodie. Or why not do it command line style? You're doing the rest of the configuration on the command line...
 
Download and install RSAT.
 
Adjust ACLs and such on the 'home'-share
Start Active Directory Users and Computers and add a user and a group that are used for file access purposes. I often use the syntax <Company|Department|Other>-FileAcc<Sharename> to easily see what access this group will handle.
 
There is a standard set of permissions that hasn't changed since Windows XP. Microsoft has an excellent guide on their website. The part on Folder Redirection is particularly interesting.
 
With Samba 4 you can edit ACLs and such from Windows. Start 'Computer Management' and connect to the server. Remove the standard settings and replace them with a list matching your needs. Mine is as follows:
 
Share level:
Authenticated Users: Full control.
 
NTFS:
VUSIR\Administrators: Full control - This folder, subfolders and files.
CREATOR OWNER: Full control - Subfolders and files only.
SYSTEM: Full control - This folder, subfolders and files.
VUSIR\Familjen-FileAcc: Traverse folder/execute file, List folder/read data, Create folders/append data - This folder only.
 
Create home directories and assign proper permissions
Just create a directory through the Windows GUI, add the user account with 'Full control' permissions and make sure to set the user as owner as well.
 
Test the Linux login:
root@server# ssh davor@localhost
davor@localhost's password:
Welcome to Ubuntu 12.04.2 LTS

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Jul 28 07:47:17 CEST 2013

  System load:    0.41               Processes:          202
  Usage of /home: 2.1% of 196.86GB   Users logged in:    1
  Memory usage:   20%                IP address for br0: 192.168.1.3
  Swap usage:     0%

  Graph this data and manage this system at https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sun Jul 28 07:26:10 2013 from localhost
davor@server:~$ pwd
/home/davor
davor@server:~$ ls -al
total 32
drwxrwx---+  2 davor root         4096 Jul 27 07:39 .
drwxrwx---+ 10 root  root         4096 Jul 27 07:52 ..
-rw-------+  1 davor Domain Users  213 Jul 28 07:27 .bash_history
-rw-rw----+  1 davor Domain Users  698 Jul 27 07:39 .viminfo
davor@server:~$

Test logging in on Windows: mount the home directory and create a file, delete it, create a new one and add some text. Then edit the same file from Linux.
 
Redirect User and Computer containers
It is not possible to link a GPO to either the Users or the Computers container, and if you don't want to edit the Default Domain Policy you have to redirect the containers. Microsoft provides good instructions.
 
I'm creating four new OUs: vusir.se, and under that the OUs Computers, Groups and Users. Then I redirect the Users and Computers containers:
C:\Users\Administrator>redirusr ou=Users,ou=vusir.se,dc=vusir,dc=se
Redirection was successful.

C:\Users\Administrator>redircmp ou=Computers,ou=vusir.se,dc=vusir,dc=se
Redirection was successful.

C:\Users\Administrator>
 
Create the 'Standard Computer' GPO
Computer Configuration / Policies / Windows Settings / Security Settings /
  Local Policies / Security Options
    Interactive Logon: Do not display last user name - Enabled
    Shutdown: Allow system to be shut down without having to log on - Enabled
    Shutdown: Clear virtual memory pagefile - Enabled
 
  Restricted Groups
    BUILTIN\Remote Desktop Users - VUSIR\Familjen-RDP
 
  System Services / Remote Desktop Services: Startup mode - Automatic
 
  Administrative Templates
    Network / Offline Files
      Allow or disallow use of... - Enabled
      Event logging level - 1
    Printers
      Point and Print restrictions - Enabled
        Users can only point and print to these servers - Disabled
        Users can only point and print to machines in their forest - Disabled
        When installing drivers for a new connection - Do not show warning or...
        When installing drivers for an existing connection - Do not show warning or...
 
    System / Logon
      Always use classic logon - Enabled
      Always wait for the network... - Enabled
      Assign a default domain... VUSIR
      Don't display the Getting Started... - Enabled
      Turn off Windows startup... - Enabled
   
    System / Scripts
       Run logon scripts synchronously - Enabled
       Run startup script asynchronously - Disabled
       Run startup scripts visible - Enabled
 
   Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
       Empty Temporary Internet Files folder when... - Enabled
 
   Windows Components/Internet Explorer/Internet Control Panel/Security Page
       Intranet Sites: Include all network paths (UNCs) - Enabled
       Site to zone assignment list - Enabled, *.vusir.se 1
 
   Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
       Logon options - Automatic logon only in Intranet zone
       Turn on Protected Mode - Disabled
 
Create the 'Standard User' GPO
User Configuration / Policies / Windows Settings /
  Folder Redirection / Appdata
    Setting: Basic: Path: \\server.example.org\home\%USERNAME%\Appdata
    Options:
       Grant user exclusive... - Disabled
       Move the contents... - Enabled
       Also apply redirection... - Enabled
       Policy removal... . Leave contents
 
  Folder Redirection / Contacts
    Setting: Basic: Path: \\server.example.org\home\%USERNAME%\Contacts
    Options:
       Grant user exclusive... - Disabled
       Move the contents... - Enabled
       Also apply redirection... - Disabled
       Policy removal... . Leave contents
 
  Folder Redirection / Desktop
    Setting: Basic: Path: \\server.example.org\home\%USERNAME%\Desktop
    Options:
       Grant user exclusive... - Disabled
       Move the contents... - Enabled
       Also apply redirection... - Enabled
       Policy removal... . Leave contents
 
  Folder Redirection / Documents
    Setting: Basic: Path: \\server.example.org\home\%USERNAME%\Documents
    Options:
       Grant user exclusive... - Disabled
       Move the contents... - Enabled
       Also apply redirection... - Enabled
       Policy removal... . Leave contents
 
  Folder Redirection / Favorites
    Setting: Basic: Path: \\server.example.org\home\%USERNAME%\Favorites
    Options:
       Grant user exclusive... - Disabled
       Move the contents... - Enabled
       Also apply redirection... - Disabled
       Policy removal... . Leave contents
 
  Folder Redirection / Links
    Setting: Basic: Path: \\server.example.org\home\%USERNAME%\Links
    Options:
       Grant user exclusive... - Disabled
       Move the contents... - Enabled
       Also apply redirection... - Disabled
       Policy removal... . Leave contents
 
  Folder Redirection / Music
    Setting: Follow the Documents folder.
 
  Folder Redirection / Pictures
    Setting: Follow the Documents folder.
 
  Folder Redirection / Videos
    Setting: Follow the Documents folder.
 
  Folder Redirection / Searches
    Setting: Basic: Path: \\server.example.org\home\%USERNAME%\Searches
    Options:
       Grant user exclusive... - Disabled
       Move the contents... - Enabled
       Also apply redirection... - Disabled
       Policy removal... . Leave contents
 
Administrative Templates
  System / Scripts
    Run logoff scripts visible - Enabled
    Run logon scripts synchronously - Enabled
    Run logon scripts visible - Enabled
 
  Windows Components / Attachment Manager
    Notify antivirus programs when opening attachments - Enabled
 
  Windows Components / Network Sharing
    Prevent users from sharing files within their profile - Enabled
 
  Internet Explorer Maintenance
    URLs/Important URLs - http://drdata.blogg.se/
 
  Shared Folders
    Allow shared folders to be published - Disabled
 
  Start Menu and taskbar
    Remove the Action Center icon - Enabled
 
Preferences / Windows Settings / Drive Maps
  Drive Map (Drive: Z)
    Z: (Order: 1)
     General
       Action Replace
       Properties
        Letter Z
        Location \\server.vusir.se\home\%USERNAME%\Documents
        Reconnect Enabled
        Label as Home Directory
        Use first available Disabled
        Hide/Show this drive No change
        Hide/Show all drives No change

    Common
      Options
        Stop processing items on this extension if an error occurs on this item - No
        Run in logged-on user's security context (user policy option) - Yes
        Remove this item when it is no longer applied - Yes


After you have logged in with the Folder Redirection GPO assigned, you'll see the automatically created folder structure from Linux:
davor@vastraaros:~$ ls -al
total 180
drwxrwx---+  9 davor root          4096 Jul 28 13:02 .
drwxrwx---+ 10 root  root          4096 Jul 28 09:36 ..
drwxrwx---+  2 davor Domain Users  4096 Jul 28 13:02 Appdata
-rw-------+  1 davor Domain Users   270 Jul 28 08:46 .bash_history
-rwxrwx---+  1 root  Domain Users 88782 Jul 28 12:35 Computer-StandardSettings.htm
drwxrwx---+  2 davor Domain Users  4096 Jul 28 13:02 Contacts
drwxrwx---+  2 davor Domain Users  4096 Jul 28 13:02 Desktop
drwxrwx---+  5 davor Domain Users  4096 Jul 28 13:02 Documents
drwxrwx---+  2 davor Domain Users  4096 Jul 28 13:02 Favorites
drwxrwx---+  2 davor Domain Users  4096 Jul 28 13:02 Links
drwxrwx---+  3 davor Domain Users  4096 Jul 28 13:03 Searches
-rw-rw----+  1 davor Domain Users    24 Jul 27 07:36 testfile.txt
-rw-rw----+  1 davor Domain Users   895 Jul 28 08:45 .viminfo
davor@vastraaros:~$

Now log out of both Linux and Windows, log in with administrator credentials on Windows, and change the attribute unixHomeDirectory from /home/<username> to /home/<username>/Documents.
 
root@vastraaros:~# getent passwd davor
davor:*:101106:100513:Davor Vusir:/home/davor/Documents:/bin/bash
root@vastraaros:~#
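Both the initial setting of the RFC2307 attributes that SSSD needs and the later move of unixHomeDirectory to /home/<username>/Documents can be done from the server's command line instead of the Windows GUI. The script below is an added example, not code from the original post: it generates the LDIF for ldbmodify and assumes users live in the redirected container ou=Users,ou=vusir.se,dc=vusir,dc=se with the display name as CN; the sample ids are the ones from the getent output above.

```shell
#!/bin/sh
# Added example, not from the original post. Builds an LDIF "modify" record
# that sets uidNumber, gidNumber, loginShell and unixHomeDirectory on a
# Samba 4 AD user, for feeding to ldbmodify on the DC.
# Assumptions: users sit under the redirected container from the post and
# the user's CN equals the display name ("Davor Vusir").
BASE_DN=${BASE_DN:-ou=Users,ou=vusir.se,dc=vusir,dc=se}

# rfc2307_ldif CN UIDNUMBER GIDNUMBER HOMEDIR [SHELL]
# Prints the LDIF; returns 1 when an id is not numeric or the home dir is
# not absolute, since a typo here becomes a wrong POSIX identity on every
# Linux client that trusts the directory.
rfc2307_ldif() {
    r_cn=$1
    r_uid=$2
    r_gid=$3
    r_home=$4
    r_shell=${5:-/bin/bash}
    case "$r_uid" in ''|*[!0-9]*) echo "uidNumber must be numeric" >&2; return 1;; esac
    case "$r_gid" in ''|*[!0-9]*) echo "gidNumber must be numeric" >&2; return 1;; esac
    case "$r_home" in /*) ;; *) echo "unixHomeDirectory must be absolute" >&2; return 1;; esac
    printf 'dn: CN=%s,%s\nchangetype: modify\n' "$r_cn" "$BASE_DN"
    for r_attr in uidNumber gidNumber loginShell unixHomeDirectory; do
        case $r_attr in
            uidNumber)          r_val=$r_uid ;;
            gidNumber)          r_val=$r_gid ;;
            loginShell)         r_val=$r_shell ;;
            unixHomeDirectory)  r_val=$r_home ;;
        esac
        # "replace" creates a missing attribute and overwrites an existing
        # one, so the same record serves first-time setup and the later
        # move of the home directory to .../Documents.
        printf 'replace: %s\n%s: %s\n-\n' "$r_attr" "$r_attr" "$r_val"
    done
}

# Initial setup, matching the post's getent output (ids from the post):
rfc2307_ldif "Davor Vusir" 101106 100513 /home/davor

# On the DC (not run here): apply against sam.ldb, then clear the SSSD
# cache as shown earlier in the post before checking with getent.
#   rfc2307_ldif "Davor Vusir" 101106 100513 /home/davor/Documents \
#     | ldbmodify -H /usr/local/samba/private/sam.ldb
```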

And log in to Linux again:
root@vastraaros:~# ssh davor@localhost
davor@localhost's password:

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sun Jul 28 13:01:17 2013 from localhost
davor@vastraaros:~$ pwd
/home/davor/Documents
davor@vastraaros:~$ ls -al
total 48
drwxrwx---+ 6 davor Domain Users 4096 Jul 28 13:03 .
drwxrwx---+ 9 davor root         4096 Jul 28 13:02 ..
drwxrwx---+ 3 davor Domain Users 4096 Jul 28 13:03 My Music
drwxrwx---+ 3 davor Domain Users 4096 Jul 28 13:03 My Pictures
drwxrwx---+ 3 davor Domain Users 4096 Jul 28 13:03 My Videos
drwxrwx---+ 2 davor Domain Users 4096 Jul 28 13:03 $RECYCLE.BIN
davor@vastraaros:~$

Test Recycle Bin:
Last login: Sun Jul 28 14:09:53 2013 from localhost
davor@vastraaros:~$ pwd
/home/davor/Documents
davor@vastraaros:~$ ls -al
total 64
drwxrwx---+ 6 davor Domain Users 4096 Jul 28 15:35 .
drwxrwx---+ 9 davor root         4096 Jul 28 13:02 ..
-rw-------+ 1 davor Domain Users  224 Jul 28 14:50 .bash_history
-rwxrwx---+ 1 davor Domain Users  402 Jul 27 07:34 desktop.ini
drwxrwx---+ 3 davor Domain Users 4096 Jul 28 15:34 My Music
drwxrwx---+ 3 davor Domain Users 4096 Jul 28 15:34 My Pictures
drwxrwx---+ 3 davor Domain Users 4096 Jul 28 15:34 My Videos
-rwxrwx---+ 1 davor Domain Users    0 Jul 28 15:34 New Text Document.txt
drwxrwx---+ 2 davor Domain Users 4096 Jul 28 15:35 $RECYCLE.BIN
davor@vastraaros:~$ ls -al \$RECYCLE.BIN/
total 24
drwxrwx---+ 2 davor Domain Users 4096 Jul 28 15:35 .
drwxrwx---+ 6 davor Domain Users 4096 Jul 28 15:35 ..
-rwxrwx---+ 1 davor Domain Users  129 Jul 28 13:03 desktop.ini
davor@vastraaros:~$

Create a file and trash it immediately. List Recycle Bin again:
davor@vastraaros:~$ ls -al \$RECYCLE.BIN/
total 36
drwxrwx---+ 2 davor Domain Users 4096 Jul 28 15:39 .
drwxrwx---+ 6 davor Domain Users 4096 Jul 28 15:39 ..
-rwxrwx---+ 1 davor Domain Users  129 Jul 28 13:03 desktop.ini
-rwxrwx---+ 1 davor Domain Users  544 Jul 28 15:39 $IYDOHFR.txt
-rwxrwx---+ 1 davor Domain Users    0 Jul 28 15:34 $RYDOHFR.txt
davor@vastraaros:~$

Restore the file and list Recycle Bin:
davor@vastraaros:~$ ls -al \$RECYCLE.BIN/
total 24
drwxrwx---+ 2 davor Domain Users 4096 Jul 28 15:40 .
drwxrwx---+ 6 davor Domain Users 4096 Jul 28 15:40 ..
-rwxrwx---+ 1 davor Domain Users  129 Jul 28 13:03 desktop.ini
davor@vastraaros:~$

 Done!
 
 
References:
http://www.samba.org/
https://wiki.samba.org/index.php/Samba_4_OS_Requirements
https://wiki.samba.org/index.php/Samba4/HOWTO#Step_2:_Compile_Samba4
https://wiki.samba.org/index.php/Samba4/InitScript
https://wiki.samba.org/index.php/Samba4/Winbind
http://www.samba.org/samba/docs/using_samba/ch08.html
http://docs.fedoraproject.org/en-US/Fedora/13/html/Deployment_Guide/chap-SSSD_User_Guide-Introduction.html
http://iabsis.com/EN/article/35-4/Sogo-installation
http://technet.microsoft.com/en-us/library/cc781516%28v=ws.10%29.aspx
http://linuxcostablanca.blogspot.se/2013/04/sssd-in-samba-40.html
 