Setting up a Samba File Server on Debian

Note

This documentation is based on the Debian Buster 64-bit distribution.

The version of the Samba-AD package in the Debian Buster distribution is up-to-date enough to provide optimal file service. Therefore, there is no need to recompile Samba from source.

Note

In this documentation, it is assumed:

  • That you have installed the base system of your file server by following the Debian base installation documentation and that your server is called srvfiles.

  • That the IP address of your domain controller is 192.168.1.11.

  • That the domain is called mydomain.lan.

Preparing the host

Prepare the network configuration of the machine by following the same documentation as for a new domain controller. Remember to configure the Active Directory server as DNS server in the file /etc/resolv.conf.

Hint

Adding the line domain mydomain.lan to the /etc/resolv.conf file is necessary because the winbind use default domain = yes option in smb.conf relies on it. If this is not done, it causes the following problems:

  • The command net ads testjoin fails, saying it can’t find the domain controller.

  • The command chown userad1 myfile does not work.

  • wbinfo -u / -g / -i returns no result.

Installing the dependencies

apt-get update
export DEBIAN_FRONTEND=noninteractive
apt-get install samba winbind krb5-user libnss-winbind
unset DEBIAN_FRONTEND

Joining the file server to the domain

  • Edit the /etc/krb5.conf file and replace its entire content with the lines below:

    [libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = MYDOMAIN.LAN

  • Ensure that the DNS configuration in /etc/nsswitch.conf has not been modified by the installation of any package. If the hosts line looks like the first line below, change it to look like the second one:

    hosts: files dns mdns4_minimal [NOTFOUND=return] mdns    # BAD!!!
    hosts: files dns                                         # GOOD
    
  • Ensure that Kerberos is correctly configured (administrator is the default account created by Samba-AD; if you use the administrateur account instead, do not forget to change it):

    kinit administrator
    klist
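
As an added example (not part of the original documentation), the following POSIX shell functions check the three settings that the hint about /etc/resolv.conf and the /etc/krb5.conf step above depend on before you attempt the join: the domain line and the domain controller as nameserver in resolv.conf, and an uppercase default_realm with dns_lookup_kdc = true in krb5.conf. The default values (mydomain.lan, 192.168.1.11, MYDOMAIN.LAN) are the ones assumed by this page; the file paths and the RESOLV, KRB5, DOMAIN, DC_IP and REALM variables are parameters of this script, not Samba or Debian settings, so the checks can be run against copies of the files.

```shell
#!/bin/sh
# Pre-join sanity check for the DNS and Kerberos settings this page relies on.
# Added example, not part of the original documentation. The defaults are the
# page's values; file paths are parameters so copies can be checked.

# check_resolv FILE DOMAIN DC_IP
# Returns 0 when FILE has a "domain" or "search" line naming DOMAIN and lists
# DC_IP as a nameserver; otherwise reports what is missing and returns 1.
check_resolv() {
    file=$1 domain=$2 dc=$3 rc=0
    dom_re=$(printf '%s' "$domain" | sed 's/\./\\./g')   # literal dots in the regex
    dc_re=$(printf '%s' "$dc" | sed 's/\./\\./g')
    if ! grep -Eq "^[[:space:]]*(domain|search)[[:space:]]+([^[:space:]]+[[:space:]]+)*$dom_re([[:space:]]|$)" "$file"; then
        echo "resolv.conf: no 'domain $domain' line; winbind use default domain = yes needs it" >&2
        rc=1
    fi
    if ! grep -Eq "^[[:space:]]*nameserver[[:space:]]+$dc_re([[:space:]]|$)" "$file"; then
        echo "resolv.conf: domain controller $dc is not listed as a nameserver" >&2
        rc=1
    fi
    return $rc
}

# check_krb5 FILE REALM
# Returns 0 when REALM is uppercase (Kerberos realms are case-sensitive and AD
# realms are uppercase), FILE sets default_realm to it and dns_lookup_kdc = true.
check_krb5() {
    file=$1 realm=$2 rc=0
    if [ "$realm" != "$(printf '%s' "$realm" | tr a-z A-Z)" ]; then
        echo "krb5.conf: realm $realm must be written in uppercase" >&2
        rc=1
    fi
    if ! grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm[[:space:]]*$" "$file"; then
        echo "krb5.conf: default_realm is not $realm" >&2
        rc=1
    fi
    if ! grep -Eiq "^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*true" "$file"; then
        echo "krb5.conf: dns_lookup_kdc should be true so the KDC is found through AD DNS" >&2
        rc=1
    fi
    return $rc
}

# preflight: run both checks against the live files (or the paths given in
# RESOLV / KRB5) with the page's defaults; 0 only when everything passes.
preflight() {
    status=0
    check_resolv "${RESOLV:-/etc/resolv.conf}" "${DOMAIN:-mydomain.lan}" "${DC_IP:-192.168.1.11}" || status=1
    check_krb5 "${KRB5:-/etc/krb5.conf}" "${REALM:-MYDOMAIN.LAN}" || status=1
    [ "$status" -eq 0 ] && echo "preflight: ok"
    return $status
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as sh samba-preflight.sh --run on the file server before kinit; each failing check prints the reason on stderr and the script exits non-zero, which makes it usable from a configuration-management hook.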
    

Configuration of the smb.conf

Depending on the type of schema used (RFC2307 / AD), the file will differ!

  • Create the samba configuration file /etc/samba/smb.conf.

  • Replace the name MYDOMAIN.LAN with your Kerberos realm.

RID based operation

You will usually use the RID configuration if you have migrated from an MS-AD or if you have created a new Samba-AD domain. You will usually use the RFC2307 configuration if you migrated from samba-NT4 to samba-AD. For more information, see the explanations on IDMapping.

Configuration of /etc/samba/smb.conf

RID mode

[global]
  workgroup = MYDOMAIN
  security = ADS
  realm = MYDOMAIN.LAN
  winbind separator = +
  idmap config *:backend = tdb
  idmap config *:range = 700001-800000
  idmap config MYDOMAIN:backend  = rid
  idmap config MYDOMAIN:range  = 10000-700000
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  template homedir = /home/homes/%U

[shares]
  path = /home/shares
  read only = no

[homes]
  path = /home/homes/%U
  read only = no

[profiles]
  path = /home/profiles
  read only = no

RFC2307 mode

[global]
  workgroup = MYDOMAIN
  security = ADS
  realm = MYDOMAIN.LAN
  idmap config *:backend = tdb
  idmap config *:range = 700001-800000
  idmap config MYDOMAIN:backend = ad
  idmap config MYDOMAIN:schema_mode = rfc2307
  idmap config MYDOMAIN:range = 500-700000
  winbind nss info = rfc2307
  vfs objects = acl_xattr
  map acl inherit = Yes
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  template homedir = /home/homes/%U

[shares]
  path = /home/shares
  read only = no

[homes]
  path = /home/homes/%U
  read only = no

[profiles]
  path = /home/profiles
  read only = no

Note

If you do not want to use your file server as a print service, add the following options in the global section of the file /etc/samba/smb.conf.

printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
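
Both smb.conf variants above define two idmap ranges, one for the default (*) backend and one for MYDOMAIN, and winbind allocates Unix uids and gids from them. Two ranges that overlap, or a range written high-low, lead to collisions between different AD accounts on the file system, so it is worth checking the file before the join. The function below, an added example that is not part of this documentation or of Samba, parses every idmap config ...:range line of a given smb.conf with awk and fails on malformed, reversed or overlapping ranges; the path argument is the only parameter and both configurations shown on this page pass.

```shell
#!/bin/sh
# Check the idmap ranges of an smb.conf (added example, not from the page or
# from Samba). Each "idmap config NAME:range = LOW-HIGH" line must have
# LOW < HIGH and no two ranges may overlap, otherwise two different SIDs can
# be mapped to the same uid/gid.

# check_idmap_ranges FILE -> 0 if all ranges are sane, 1 otherwise (reasons on stderr)
check_idmap_ranges() {
    awk '
    /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[ \t]*range[ \t]*=/ {
        # "idmap config MYDOMAIN:range = 10000-700000" -> name=MYDOMAIN lo=10000 hi=700000
        split($0, kv, "=")
        name = kv[1]
        sub(/^[ \t]*idmap[ \t]+config[ \t]+/, "", name)
        sub(/:.*$/, "", name)
        val = kv[2]
        gsub(/[ \t]/, "", val)
        if (split(val, r, "-") != 2 || r[1] !~ /^[0-9]+$/ || r[2] !~ /^[0-9]+$/) {
            print ("malformed range for " name ": " val) > "/dev/stderr"
            bad = 1
            next
        }
        n++; dom[n] = name; lo[n] = r[1] + 0; hi[n] = r[2] + 0
        if (lo[n] >= hi[n]) {
            print ("range for " name " is not LOW<HIGH: " val) > "/dev/stderr"
            bad = 1
        }
    }
    END {
        if (n == 0) {
            print ("no idmap config ...:range lines found") > "/dev/stderr"
            bad = 1
        }
        # pairwise overlap test: two closed intervals overlap iff each starts before the other ends
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    print ("ranges overlap: " dom[i] " " lo[i] "-" hi[i] " and " dom[j] " " lo[j] "-" hi[j]) > "/dev/stderr"
                    bad = 1
                }
        exit (bad + 0)
    }' "$1"
}

if [ -n "${1:-}" ]; then
    check_idmap_ranges "$1" && echo "idmap ranges in $1: ok"
fi
```

Usage: sh check-idmap.sh /etc/samba/smb.conf. Note that this is a syntactic check of the ranges only; testparm, which ships with the samba package, still has to be run to validate the rest of the file.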

Joining the file server to the domain

  • Join the domain:

    net ads join -U administrator

  • Configure the /etc/nsswitch.conf file by modifying the following three lines so that they match the ones below:

    passwd:         compat winbind
    group:          compat winbind
    shadow:         compat winbind
    
  • Reboot with a reboot command in order to empty the nsswitch caches:

    reboot
    
  • Check the correct connection to the domain:

    • The following three commands should return users, groups and AD account information as received by winbindd:

      wbinfo -u
      wbinfo -g
      wbinfo -i administrator
      
    • The following two commands should return users and groups with their uidNumber as interpreted by the Linux system. Make sure that you can see the AD users (administrator, krbtgt, etc.):

      getent passwd administrator
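
Two of the steps on this page edit /etc/nsswitch.conf: the hosts line must be reduced to files dns before the join, and the passwd, group and shadow lines must gain winbind after compat for getent to see the AD accounts. The POSIX shell functions below, an added example that is not part of this documentation, verify both states of the file: the hosts line carries no mdns or [NOTFOUND=return] entries (which would stop name resolution for the AD domain), and each of the three account databases lists winbind without putting it first, so that local accounts are still resolved from the local files without a round trip to winbindd. The file path is the only parameter; the function names are this example's own.

```shell
#!/bin/sh
# Verify /etc/nsswitch.conf as this page expects it. Added example, not part
# of the documentation. FILE may be a copy of the real file.

# nss_line FILE DB -> prints the sources of the first "DB:" line (empty if absent)
nss_line() {
    grep -E "^[[:space:]]*$2:" "$1" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# check_hosts_line FILE -> 0 if the hosts line has no mdns / [NOTFOUND=return] entries
check_hosts_line() {
    srcs=$(nss_line "$1" hosts)
    [ -n "$srcs" ] || { echo "nsswitch: no hosts line" >&2; return 1; }
    case " $srcs " in
        *mdns*|*NOTFOUND*)
            echo "nsswitch: hosts line still has mdns entries (want 'files dns'): $srcs" >&2
            return 1 ;;
    esac
    return 0
}

# check_winbind_db FILE DB -> 0 if DB lists winbind and winbind is not the first source
check_winbind_db() {
    db=$2
    srcs=$(nss_line "$1" "$db")
    [ -n "$srcs" ] || { echo "nsswitch: no $db line" >&2; return 1; }
    set -- $srcs          # word-split the sources into positional parameters
    if [ "$1" = winbind ]; then
        echo "nsswitch: $db: winbind is listed first; keep compat/files first: $srcs" >&2
        return 1
    fi
    for src; do
        [ "$src" = winbind ] && return 0
    done
    echo "nsswitch: $db: winbind is missing: $srcs" >&2
    return 1
}

# check_nsswitch FILE -> runs every check, 0 only if all of them pass
check_nsswitch() {
    file=$1 status=0
    check_hosts_line "$file" || status=1
    for db in passwd group shadow; do
        check_winbind_db "$file" "$db" || status=1
    done
    return $status
}

if [ -n "${1:-}" ]; then
    check_nsswitch "$1" && echo "nsswitch: ok"
fi
```

Run it as sh check-nsswitch.sh /etc/nsswitch.conf after the reboot; if it passes but wbinfo -u still returns nothing, the problem is on the winbindd side (domain join, resolv.conf), not in NSS.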
    

Creating shares

mkdir /home/shares
chown administrator:"domain users" /home/shares
chmod 770 /home/shares