Samba 4

Step  Command (description on the following line)

1   ping www.163.com
    check the internet connection
2   apt-get install openssh-server
    install openssh-server on the Samba server
3   passwd root
    set the root password
4   wget http://www.samba.org/samba/ftp/stable/samba-4.1.4.tar.gz
    download the current stable Samba release
5   apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev
    install all packages required for compilation: 1) build-essential: tools for building packages; 2) libacl1-dev: access control list static libraries and headers; 3) libattr1-dev: extended attribute static libraries and headers (libblkid-dev supplies the block-device ID library headers); 4) libgnutls-dev: GNU TLS library, development files; 5) libreadline-dev: GNU readline and history libraries, development files; 6) python-dev: header files and a static library for Python; 7) python-dnspython: DNS toolkit for Python; 8) gdb and pkg-config; 9) libpopt-dev: library for parsing command-line parameters, development files; 10) libldap2-dev: headers, libraries and links for developing LDAP applications against the OpenLDAP libraries, for both static and dynamic linking
6   cd /root
    change to root's home directory
7   ls
    list its contents
8   tar xvfz samba-4.1.4.tar.gz
    extract the Samba tarball
9   cd samba-4.1.4/
    change into the extracted source directory
10  ./configure --enable-debug
    the configure script does the initial work: it sets paths, detects the shell in use and checks dependencies. It is an automatically generated script that, once run, writes a Makefile with your system's specific settings, which saves the developer a lot of work given the wide variety of dependencies across Unix-like systems. It checks that every program needed for the build is present; if one is missing it errors out with a message naming it.
11  make
    make does the heavy lifting, the compilation itself, using the information left by ./configure to find the components it needs
12  make install
    install; the default installation path is /usr/local/samba
13  /usr/local/samba/bin/samba-tool domain provision
    set up a new domain
14  cd /etc/init.d/
    enter the init script directory
15  ls
    list directory contents: no samba4 yet
16  vim /etc/init.d/samba4
    create the start script (its content is given in "create the samba4 start script" below)
17  ls
    samba4 is there now
18  vim /etc/init.d/samba4
    confirm the content is complete
19  chmod 755 /etc/init.d/samba4
    make it executable
20  ls
    the listing now shows it in the executable colour
21  update-rc.d samba4 defaults
    after creating the script, set it to start at system boot
22  reboot
    reboot the machine
23  /usr/local/samba/bin/smbclient -L localhost -U%
    test the SMB domain and see whether all the shares required for a working directory service are present
24  vim /etc/resolv.conf
    verify that the primary DNS server is the IP of your local interface
25  vim /etc/network/interfaces
    change to a fixed IP and add your dns-nameservers
26  reboot
    reboot the server
27  ping johny.local
28  vi /etc/hostname
29  vi /etc/hosts
30  vi /etc/resolv.conf
31  netstat -ln | less
32  host -t SRV _kerberos._udp.johny.local.
    verify that name resolution works for the fully qualified name lab1.johny.local
33  host -t SRV _kerberos._tcp.johny.local.
    run some basic DNS queries and see whether they return a valid response
34  host -t A lab1.johny.local
    prove that DNS can resolve the A record
35  init 0
    shut down the server
36  history
    review
37  ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
    create the symbolic links to the appropriate libraries
38  ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
39  ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
40  ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
41  vim /etc/nsswitch.conf
    resolve user and group information first from /etc/passwd and /etc/group and then from the Windows domain controller. To set up winbindd for user and group lookups plus authentication from a domain controller, use the following in nsswitch.conf: passwd: files winbind / group: files winbind. This instructs the system to use the NSS winbind library when searching for users or groups, so that entries from the winbindd daemon become visible.
42  ldconfig -v | grep winbind
    the libraries winbindd needs are entered into the ldconfig cache automatically at the next reboot, but running ldconfig by hand is faster and needs no reboot. This makes libnss_winbind available to winbindd; -v reports the search path used by the dynamic link loader, and grep filters the output so we can see that the library is indeed recognised by the loader.
43  /usr/local/samba/bin/wbinfo -p
    test whether winbind is "pingable"
44  /usr/local/samba/bin/wbinfo -u
    test whether winbind can provide the user list
45  getent passwd
    returns a password-file style listing that includes the domain users
46  id Administrator
    the id command returns the identity information (uid, gid, groups) for the user
47  apt-get install acl
    install the acl package
48  vim /etc/fstab
    add the acl option to the desired partition to enable ACLs
49  mount
    check whether acl is active for your partition
50  reboot
    make the acl option take effect for the partition
51  mount
    confirm acl is enabled
52  vim /usr/local/samba/etc/smb.conf
    have a look at the default smb.conf
53  cd /usr/local/samba/etc/
    enter its directory
54  mv smb.conf smb.conf.bak
    back up the default smb.conf file
55  ls
    confirm it is OK
56  vim /usr/local/samba/etc/smb.conf
    create a simple share, or scp an smb.conf from another server and edit it
57  help
    locate the problem in smb.conf
58  /etc/init.d/samba4 restart
    restart Samba
59  cd /home
    enter the share folder directory
60  ls
    check the current situation
61  mkdir /home/it /home/hr /home/commercial
    create the share folders named in smb.conf
62  mkdir public
63  ls
64  chmod 777 public/
    give everybody full permission
65  chmod 770 it/ hr/ commercial/
    give the folder owner and group full permission, others none
66  reboot
    reboot the server
67  cd /home/
69  ls
70  ls -lha
71  getfacl johny/
72  setfacl -m g:it:rwx /home/it
    set a folder ACL: give group "it" full (rwx) permission on /home/it
75  mkdir /home/recycle
76  chmod 777 /home/recycle/
77  smbstatus
    check at any time which users and which machines are accessing shares on the server
78  setfacl -m u:pauly:r-x /home/hr/
    give user pauly read-only (r-x) permission on a particular folder
79  getfacl /home/hr
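Two of the files edited by hand in the steps above, /etc/nsswitch.conf (step 41) and /etc/fstab (step 48), fail silently when they are wrong: without winbind in nsswitch.conf domain users never appear in getent, and without the acl mount option setfacl cannot be used on the share directories. The script below is an added example, not part of the original notes, with hypothetical function names; it checks both files offline against constructed copies so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example (not from the original page): offline sanity checks for
# the two hand-edited files, /etc/nsswitch.conf and /etc/fstab. Function
# names are hypothetical; each takes a path so it can be pointed at the
# real file or at a copy.

# check_nsswitch FILE
# Succeeds only if both the passwd and group databases list "files" first
# and "winbind" after it, i.e. local accounts are resolved before the
# domain controller is asked.
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:[[:space:]]+files([[:space:]]+[[:alnum:]_]+)*[[:space:]]+winbind([[:space:]]|\$)" "$1" \
            || return 1
    done
    return 0
}

# check_fstab_acl FILE MOUNTPOINT
# Succeeds only if the fstab entry for MOUNTPOINT carries "acl" as one of
# its mount options (an exact option match, so "noacl" does not count).
check_fstab_acl() {
    awk -v mp="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $2 == mp {
            seen = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "acl") found = 1
        }
        END { exit (seen && found) ? 0 : 1 }
    ' "$1"
}

# Constructed sample files (not copied from any real server) so the
# checks can be exercised without touching /etc.
WORK=$(mktemp -d)
cat > "$WORK/nsswitch.good" <<'EOF'
passwd:         files winbind
group:          files winbind
shadow:         files
hosts:          files dns
EOF
cat > "$WORK/nsswitch.bad" <<'EOF'
passwd:         compat
group:          compat
EOF
cat > "$WORK/fstab.good" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=0000-constructed / ext4 errors=remount-ro,acl 0 1
EOF
cat > "$WORK/fstab.bad" <<'EOF'
UUID=0000-constructed / ext4 errors=remount-ro 0 1
EOF

# Print one OK/FAIL line per check.
report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
report check_nsswitch "$WORK/nsswitch.good"
report check_nsswitch "$WORK/nsswitch.bad"
report check_fstab_acl "$WORK/fstab.good" /
report check_fstab_acl "$WORK/fstab.bad" /
```

On the real server run the two functions against /etc/nsswitch.conf and /etc/fstab (with the mount point that holds /home); a FAIL on the nsswitch check explains an empty `wbinfo -u`-style result from getent, and a FAIL on the fstab check explains "Operation not supported" from setfacl.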

smb.conf

Configuration (description on the following line)

# Global parameters
    the file is divided into sections
[global]
    the first is always the [global] section, which contains the general server options
workgroup = JOHNY
    the name of the workgroup
realm = JOHNY.LOCAL
netbios name = LAB5
    server name
server role = active directory domain controller
    the server is configured as an Active Directory domain controller
dns forwarder = 8.8.8.8
vfs objects = recycle, full_audit
    the full_audit VFS module records selected client operations to the system log; recycle keeps deleted files
recycle:keeptree = yes
    specifies whether the directory structure should be preserved, or whether the files in a directory that is being deleted should be kept separately in the repository
recycle:versions = yes
    if yes, two deleted files with the same name are both kept in the repository; newer deleted versions of a file are called "Copy #x of filename"
recycle:repository = /home/recycle
    path of the directory that deleted files are moved to
recycle:exclude = *.tmp, *.log, ~*.*, *.bak, *.iso
    list of files that are not put into the repository when deleted but deleted in the normal way; wildcards such as * and ? are supported
recycle:exclude_dir = tmp, cache
    list of directories whose files are not put into the repository when deleted but deleted in the normal way; wildcards such as * and ? are supported
full_audit:facility = local5
    all audit records go to the system log (/var/log/syslog) under the local5 facility
full_audit:priority = notice
full_audit:prefix = %u|%I|%s
    adds useful information to each audit record: %u – user; %I – client IP address; %S – server share name
full_audit:success = open, write, rename, rmdir, mkdir, chmod, chown
    the VFS operations that are recorded when they succeed
full_audit:failure = none
    do not record any VFS operations that failed
log level = 5
[netlogon]
    the name of a share; each section after [global] describes a shared resource (known as a "share")
path = /usr/local/samba/var/locks/sysvol/johny.local/scripts
    share folder path
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[public]
    name of the share folder
path = /home/public
    path of the share folder
comment = Pasta Publicco
    description of the share folder
browseable = yes
    controls whether this share is seen in the list of available shares in a net view and in the browse list
create mask = 0777
    tells Samba which permissions to mask against the DOS/Windows permissions when a new file is created from a Windows/DOS client
writeable = yes
directory mask = 0777
force directory mode = 0777
map acl inherit = yes
    ensures that, if default ACLs exist on parent directories, they are always honoured when a new file or subdirectory is created in them

[it]

    path = /home/it
    comment = Pasta IT
    browseable = yes
    create mask = 0770
    writeable = yes
    directory mask = 0770
    force directory mode = 0770
    map acl inherit = yes

[hr]

    path = /home/hr
    comment = Pasta HR
    browseable = yes
    create mask = 0770
    writeable = yes
    directory mask = 0770
    force directory mode = 0770
    map acl inherit = yes

[commercial]

    path = /home/commercial
    comment = Pasta Commercial
    browseable = yes
    create mask = 0770
    writeable = yes
    directory mask = 0770
    force directory mode = 0770
    map acl inherit = yes
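The full_audit settings above exist so that file operations on the shares can be reviewed later; the records land in syslog under facility local5 and, with the prefix %u|%I|%s, each one names the user, the client address and the share. The script below is an added example and not part of the original page: it reads such records from a constructed sample file and produces a per-user operation count plus a simple bulk-deletion signal. The record layout it assumes, "prefix|operation|result|arguments" after the smbd_audit: tag, follows the module's documented form; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: reading the records that the
# full_audit settings send to syslog (facility local5, priority notice).
# Assumed record layout after "smbd_audit: ":
#   <prefix>|<operation>|<result>|<args>
# with the page's prefix %u|%I|%s, i.e. user|client IP|share.
# Function names are hypothetical.

# audit_counts FILE
# Prints "user share operation count", sorted, for every successful
# operation in FILE.
audit_counts() {
    awk -F'|' '
        /smbd_audit: / {
            sub(/.*smbd_audit: /, "")      # drop the syslog timestamp and host
            if ($5 == "ok") n[$1 " " $3 " " $4]++
        }
        END { for (k in n) print k, n[k] }
    ' "$1" | sort
}

# audit_bulk_removals FILE THRESHOLD
# Prints "user@ip share count" for any client whose successful rmdir and
# rename operations on one share reach THRESHOLD: a crude signal for mass
# deletion or mass renaming that deserves a closer look.
audit_bulk_removals() {
    awk -F'|' -v thr="$2" '
        /smbd_audit: / {
            sub(/.*smbd_audit: /, "")
            if ($5 == "ok" && ($4 == "rmdir" || $4 == "rename"))
                n[$1 "@" $2 " " $3]++
        }
        END { for (k in n) if (n[k] >= thr) print k, n[k] }
    ' "$1" | sort
}

# Constructed sample records (not captured from a real server). The last
# line is a failed operation; with "full_audit:failure = none" such a
# record would not be written at all, it is here to show the result filter.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Jan 10 09:00:01 lab5 smbd_audit: johny|192.168.202.10|it|open|ok|r|plan.xlsx
Jan 10 09:00:02 lab5 smbd_audit: johny|192.168.202.10|it|write|ok|plan.xlsx
Jan 10 09:05:10 lab5 smbd_audit: pauly|192.168.202.11|hr|mkdir|ok|archive
Jan 10 09:05:11 lab5 smbd_audit: pauly|192.168.202.11|hr|rename|ok|a.doc|archive/a.doc
Jan 10 09:05:12 lab5 smbd_audit: pauly|192.168.202.11|hr|rename|ok|b.doc|archive/b.doc
Jan 10 09:05:13 lab5 smbd_audit: pauly|192.168.202.11|hr|rmdir|ok|old
Jan 10 09:05:14 lab5 smbd_audit: pauly|192.168.202.11|hr|chmod|ok|archive|777
Jan 10 09:06:00 lab5 smbd_audit: martin|192.168.202.12|public|rmdir|fail|locked
EOF

audit_counts "$SAMPLE"
echo "--- rmdir/rename per client, threshold 3 ---"
audit_bulk_removals "$SAMPLE" 3
```

Point both functions at /var/log/syslog (or at a dedicated file if local5 is routed elsewhere in the syslog configuration) to get the same summaries for the real shares; the threshold is a starting value to tune against normal activity on the server.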

Basic Concept

winbindd
    Function: Name Service Switch daemon for resolving names from NT servers.
    Description: The service provided by winbindd is called 'winbind' and can be used to resolve user and group information from a Windows NT server. The service can also provide authentication services via an associated PAM module. The Name Service Switch allows user and system information to be obtained from different database services such as NIS or DNS; the exact behaviour can be configured through the /etc/nsswitch.conf file. Users and groups are allocated, as they are resolved, to a range of user and group ids specified by the administrator of the Samba system.

Useful command

Description (command on the following line)

Reboot the machine
    root@lab1:/# reboot
Turn off the machine
    root@lab1:/# init 0
Check listening ports
    root@lab1:/# netstat -ln | less
Restart Samba
    root@lab1:/# /etc/init.d/samba4 restart   or   service samba4 restart
Restart the network
    root@lab1:/# /etc/init.d/networking restart   or   service networking restart
Set root password
    root@lab1:/# passwd root
Extract a tarball
    root@lab1:/# tar xvfz samba-4.1.4.tar.gz
Check Samba
    /usr/local/samba/bin/smbclient -L localhost -U%

Important Configuring file path and their service command

Network
    configuration files: /etc/hosts; /etc/resolv.conf; /etc/network/interfaces
    start-up script: /etc/init.d/networking restart
Samba
    configuration files: /usr/local/samba/etc/smb.conf; /etc/init.d/samba4
    start-up script: /etc/init.d/samba4 restart
Winbind
    configuration file: /etc/nsswitch.conf

User Manager Command

User and group manager commands (command on the following line)

Add a user test
    /usr/local/samba/bin/samba-tool user add test
Add group level1
    /usr/local/samba/bin/samba-tool group add level1
Add user1 to group level1
    /usr/local/samba/bin/samba-tool group addmembers "level1" user1
Remove user1 from group level1
    /usr/local/samba/bin/samba-tool group removemembers "level1" user1
List the current groups
    /usr/local/samba/bin/samba-tool group list
List the current users
    /usr/local/samba/bin/samba-tool user list
Add a user test
    /usr/local/samba/bin/samba-tool user create test
Delete a user test
    /usr/local/samba/bin/samba-tool user delete test
Delete a group test
    /usr/local/samba/bin/samba-tool group delete test
Add a user test to the OU yanling
    /usr/local/samba/bin/samba-tool user add test --userou=OU=yanling
Add a group to the OU yanling
    /usr/local/samba/bin/samba-tool group add grouptest --groupou=OU=yanling

ACL permission commands (command on the following line)

Give user "pauly" read-only permission on another department's share folder
    setfacl -R -m u:pauly:r-x /home/hr/
Give group "pauly" read-only permission on another department's share folder
    setfacl -m g:pauly:r-x /home/hr/
Remove user "pauly"'s access permission on the share folder
    setfacl -x u:pauly /home/hr/
Remove group "pauly"'s access permission on the share folder
    setfacl -x g:pauly /home/hr/
Set user "pauly" as the default user ACL entry of the share folder
    setfacl -d --set u:pauly:rx /home/hr/
Set group "pauly" as the default group ACL entry of the share folder
    setfacl -d --set g:pauly:rx /home/hr/
Remove all extended group and user ACL entries from the share folder
    setfacl -b /home/hr/
Add "Domain Users" to the ACL
    setfacl -m g:Domain\ Users:rwx /home/public/

netlogon script for mapping network drives

1) Copy the .bat files to the \\sambaserver\netlogon folder

below is its Samba path

2) Assign the .bat file to the user with "Active Directory Users and Computers"

Samba4 as a replica Active Directory Domain Controller

Step  Command (description on the following line where given)

2   passwd root
4   apt-get install openssh-server
5   ping lab1
6   ping lab1.johny.local
7   ifconfig
8   vim /etc/network/interfaces
    set up a fixed IP
9   reboot
12  ifconfig
13  ping lab1
14  ping johny.local
15  vi /etc/resolv.conf
17  vi /etc/hosts
    correct the hostname and add two lines
26  reboot
27  ifconfig
34  apt-get remove --purge krb5-config
35  apt-get install krb5-config
36  kinit administrator@johny.local
38  apt-get remove --purge krb5-config
39  wget http://www.samba.org/samba/ftp/stable/samba-4.1.4.tar.gz
    better to copy it from the other Samba server
40  apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev
41  cd /root/
42  ls
43  tar zxvf samba-4.1.4.tar.gz
44  cd samba-4.1.4/
45  ./configure --enable-debug
47  make
48  make install
49  vim /etc/hostname
50  vim /etc/resolv.conf
51  ping lab1
52  cd /usr/local/samba/etc/
53  ls
54  cd
55  apt-get install krb5-user
56  kinit administrator@JOHNY.LOCAL
57  klist
58  host -t dc lab2.johny.local
    expected to fail at this point
59  cd /usr/local/samba/bin/
60  ls
63  cd /
64  /usr/local/samba/bin/samba-tool domain join johny.local DC -Uadministrator --realm=johny.local
65  host -t A lab2.johny.local
66  /usr/local/samba/bin/samba-tool dns add 192.168.202.57 johny.local lab2 A 192.168.202.53 -Uadministrator
67  host -t A lab2.johny.local
68  /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
69  host -t CNAME d40ea8d6-5e70-4b8b-ba3c-8ca20fe4451f._msdcs.demo.local
70  host -t CNAME d40ea8d6-5e70-4b8b-ba3c-8ca20fe4451f._msdcs.johny.local
71  cd /usr/local/samba/etc/
72  ls
73  vim smb.conf
    the join has already created an smb.conf file
74  cd..
75  cd ..
76  cd bin/
77  ls
78  cd
79  host -t dc lab2.johny.local
82  cd /etc/init.d/
    scp samba4 from the other Samba server
83  ls
84  ls samba4
86  /etc/init.d/samba4 restart
88  cd
89  getent passwd
90  ping lab1
99  ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
100 vim /etc/nsswitch.conf
101 ldconfig -v | grep winbind
102 ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
103 ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
104 ldconfig -v | grep winbind
105 /usr/local/samba/bin/wbinfo -p
106 /usr/local/samba/bin/wbinfo -u
107 getent passwd

create the samba4 start script

1:vim /etc/init.d/samba4

  #! /bin/sh
  ### BEGIN INIT INFO
  # Provides:          samba
  # Required-Start:    $network $local_fs $remote_fs
  # Required-Stop:     $network $local_fs $remote_fs
  # Default-Start:     2 3 4 5
  # Default-Stop:      0 1 6
  # Short-Description: start Samba daemons
  ### END INIT INFO
  #
  # Starts/stops the Samba daemon (samba).
  # Adapted from the Samba 3 packages.
  #
  # PID file written by the samba daemon. For a source build under
  # /usr/local/samba the PIDDIR is normally /usr/local/samba/var/run;
  # check with "/usr/local/samba/sbin/samba -b | grep PIDDIR" and
  # adjust this path if it differs.
  SAMBAPID=/var/run/samba/samba.pid
  SAMBA=/usr/local/samba/sbin/samba
  SAMBACONF=/usr/local/samba/etc/smb.conf

  # clear conflicting settings from the environment
  unset TMPDIR

  # See if the daemon and the config file are there
  test -x "$SAMBA" -a -r "$SAMBACONF" || exit 0

  . /lib/lsb/init-functions

  case "$1" in
    start)
      log_daemon_msg "Starting Samba 4 daemon" "samba"
      if ! start-stop-daemon --start --quiet --oknodo --exec "$SAMBA" -- -D; then
        log_end_msg 1
        exit 1
      fi
      log_end_msg 0
      ;;
    stop)
      log_daemon_msg "Stopping Samba 4 daemon" "samba"
      start-stop-daemon --stop --quiet --pidfile "$SAMBAPID" --name samba
      # Wait a little and remove a stale PID file
      sleep 1
      if [ -f "$SAMBAPID" ] && ! ps -p "$(cat "$SAMBAPID")" > /dev/null 2>&1
      then
        # Stale PID file (samba was successfully stopped);
        # remove it (should be removed by samba itself).
        rm -f "$SAMBAPID"
      fi
      log_end_msg 0
      ;;
    restart|force-reload)
      $0 stop
      sleep 1
      $0 start
      ;;
    *)
      echo "Usage: /etc/init.d/samba4 {start|stop|restart|force-reload}"
      exit 1
      ;;
  esac

  exit 0

2:chmod 755 /etc/init.d/samba4

3:update-rc.d samba4 defaults

Install the Remote Server Administration Tools on Windows to manage users and computers

1. Log in to your domain as administrator, find the tools with Google, download them to the FTP server, then install them.

Download: http://www.microsoft.com/zh-cn/download/details.aspx?id=7887

Install:

2. Run Active Directory Users and Computers from Administrative Tools to add an OU and three users and groups in it

Add OU

New OU

Add Group in johny OU

New Group – It;Commercial;Hr

Add Users

New User – johny

You can also create the user on Linux, but then it is not in your OU:

/usr/local/samba/bin/samba-tool user add test

Associate the users with the groups

create group policy

Goal

Use Group Policy to prevent the domain (baidu.local) user martin.lee from using USB removable disks.

How To

1: Run as the AD administrator: Control Panel / Administrative Tools / Group Policy Management

2: Right-click the OU, "Create a GPO in this domain..."

3: Give the GPO a name

4: Right-click the GPO, Edit

5: User Configuration / Administrative Templates / System / Removable Storage Access. Enable the options for Removable Disks: read and write.

6: Add domain user martin.lee so that the GPO applies to him; the steps are shown below.

7: Finish:

Install ACL support, set it up and confirm it works

apt-get install acl

Set up ACLs in fstab:
vim /etc/fstab
Add acl after "errors=remount-ro," in the mount options of the partition

Reboot and run mount (to confirm that acl is active)

Smb.conf

Back up the original smb.conf file and copy the text below into a new smb.conf file

root@lab5:/home# vim /usr/local/samba/etc/smb.conf

# Global parameters

[global]
      workgroup = JOHNY
      realm = JOHNY.LOCAL
      netbios name = LAB5
      server role = active directory domain controller
      dns forwarder = 8.8.8.8
      vfs objects = recycle, full_audit
      recycle:keeptree = yes
      recycle:versions = yes
      recycle:repository = /home/recycle
      recycle:exclude = *.tmp, *.log, ~*.*, *.bak, *.iso
      recycle:exclude_dir = tmp, cache
      full_audit:facility = local5
      full_audit:priority = notice
      full_audit:prefix = %u|%I|%s
      full_audit:success = open, write, rename, rmdir, mkdir, chmod, chown
      full_audit:failure = none
      log level = 5
[netlogon]
      path = /usr/local/samba/var/locks/sysvol/johny.local/scripts
      read only = No
[sysvol]
      path = /usr/local/samba/var/locks/sysvol
      read only = No
[public]
      path = /home/public
      comment = Pasta Publicco
      browseable = yes
      create mask = 0777
      writeable = yes
      directory mask = 0777
      force directory mode = 0777
      map acl inherit = yes
[it]
      path = /home/it
      comment = Pasta IT
      browseable = yes
      create mask = 0770
      writeable = yes
      directory mask = 0770
      force directory mode = 0770
      map acl inherit = yes
[hr]
      path = /home/hr
      comment = Pasta HR
      browseable = yes
      create mask = 0770
      writeable = yes
      directory mask = 0770
      force directory mode = 0770
      map acl inherit = yes
[commercial]
      path = /home/commercial
      comment = Pasta Commercial
      browseable = yes
      create mask = 0770
      writeable = yes
      directory mask = 0770
      force directory mode = 0770
      map acl inherit = yes
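Samba does not reject a VFS module option it does not recognise; it simply ignores it, so a misspelled option such as full_audit:sucess (instead of full_audit:success) or recycle::exclude_dir (doubled colon) leaves the audit list empty or the exclusion list unused without any error. The linter below is an added example, not part of the original page; its function name is hypothetical. It checks an smb.conf against the option names documented for vfs_recycle and vfs_full_audit and also lists every share whose create or directory mask ends in 7, which is intentional for [public] above but worth seeing in one place for the department shares.

```shell
#!/bin/sh
# Added example (not from the original page): a small smb.conf linter for
# the recycle/full_audit options used above. Function name is hypothetical.

# smbconf_lint FILE
# Prints one "section: message" line per finding; exit status is 1 when
# there is at least one finding, 0 otherwise.
smbconf_lint() {
    awk '
        BEGIN {
            # option names from vfs_recycle(8) and vfs_full_audit(8)
            split("recycle:repository recycle:directory_mode recycle:subdir_mode " \
                  "recycle:keeptree recycle:versions recycle:touch recycle:touch_mtime " \
                  "recycle:minsize recycle:maxsize recycle:exclude recycle:exclude_dir " \
                  "recycle:noversions full_audit:prefix full_audit:success " \
                  "full_audit:failure full_audit:facility full_audit:priority " \
                  "full_audit:syslog full_audit:log_secdesc", a, " ")
            for (i in a) known[a[i]] = 1
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]*\[|\].*$/, "", s); sect = s; next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (!eq) next
            key = substr(line, 1, eq - 1); sub(/[ \t]+$/, "", key)
            val = substr(line, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            lkey = tolower(key)
            if (lkey ~ /^(recycle|full_audit):/ && !(lkey in known)) {
                print sect ": unknown module option \"" key "\" (misspelled options are silently ignored)"
                bad = 1
            }
            if (sect != "global" && val ~ /7$/ &&
                (lkey == "create mask" || lkey == "directory mask" ||
                 lkey == "force create mode" || lkey == "force directory mode")) {
                print sect ": " key " = " val " makes new entries world-writable"
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample configurations (not the page's full file): the first
# carries the two misspellings named above, the second has them corrected.
CONF_BAD=$(mktemp)
cat > "$CONF_BAD" <<'EOF'
[global]
      vfs objects = recycle, full_audit
      recycle:repository = /home/recycle
      recycle::exclude_dir = tmp, cache
      full_audit:sucess = open, write, rename, rmdir, mkdir, chmod, chown
      full_audit:failure = none
[public]
      path = /home/public
      create mask = 0777
      directory mask = 0770
[it]
      path = /home/it
      create mask = 0770
EOF
CONF_FIXED=$(mktemp)
sed -e 's/recycle::exclude_dir/recycle:exclude_dir/' \
    -e 's/full_audit:sucess/full_audit:success/' "$CONF_BAD" > "$CONF_FIXED"

echo "--- as written ---";   smbconf_lint "$CONF_BAD"
echo "--- corrected ---";    smbconf_lint "$CONF_FIXED"
```

Run `smbconf_lint /usr/local/samba/etc/smb.conf` after editing; an empty result for the module options means the audit and recycle settings will actually take effect, and the world-writable list shows which shares rely on the 0777 masks rather than on the group ACLs set with setfacl.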