Setting up a Samba File Server on Debian
Note
This documentation is based on the Debian distribution.
The Samba-AD package shipped by Debian is recent enough to provide a fully functional file service, so there is no need to build Samba from source.
Note
In this documentation, it is assumed:
That you have installed the base system of your file server by following the Debian base installation documentation and that your server is called srvfiles.
That the IP address of your domain controller is 192.168.1.11.
That the domain is called mydomain.lan.
Preparing the host
Prepare the network configuration of the machine by following the same documentation as for a new domain controller.
Remember to configure the Active Directory domain controller as the DNS server in /etc/resolv.conf.
Hint
Adding the line domain mydomain.lan (or, equivalently, search mydomain.lan) to /etc/resolv.conf is necessary because the option winbind use default domain = yes in smb.conf relies on it.
If this is not done, it causes the following problems:
The command net ads testjoin says it cannot find the domain controller.
The command chown userad1 myfile does not work.
wbinfo -u / -g / -i returns no result.
Installing the dependencies
apt-get update
export DEBIAN_FRONTEND=noninteractive
apt-get install samba winbind krb5-user libnss-winbind
unset DEBIAN_FRONTEND
Configuring Kerberos and name resolution
Edit the /etc/krb5.conf file and replace its whole content with the lines below:
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = MYDOMAIN.LAN
Ensure that the DNS configuration in /etc/nsswitch.conf has not been modified by the installation of a package. If the hosts line looks like the first line below, change it to look like the second:
hosts: files dns mdns4_minimal [NOTFOUND=return] mdns    # BAD!!!
hosts: files dns    # GOOD
Ensure that Kerberos is correctly configured by obtaining a ticket (administrator is the default account created by Samba-AD; if your domain uses another name for it, such as administrateur, adapt the command accordingly):
kinit administrator
klist
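The three files edited above (/etc/resolv.conf, /etc/nsswitch.conf and /etc/krb5.conf) are easy to get subtly wrong, so here is a small POSIX shell script, added to this page as an example (it is not part of the original documentation or of Samba), that checks them before the join. It assumes the values used throughout this documentation, the domain controller at 192.168.1.11 and the domain mydomain.lan (overridable through the DC_IP and DOMAIN environment variables). Each check_* function takes file contents as its argument, so the checks can be exercised on constructed text; run_live_checks applies them to the real files and then requests a ticket, exactly as the kinit/klist step above does.

```shell
#!/bin/sh
# Pre-join checks for a Samba member server (added example, not part of the
# original documentation or of Samba). The defaults below are this
# documentation's assumptions: DC at 192.168.1.11, AD domain mydomain.lan.

DC_IP="${DC_IP:-192.168.1.11}"
DOMAIN="${DOMAIN:-mydomain.lan}"

# Quote a dotted name so that it matches literally inside an extended regex.
escape_re() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# /etc/resolv.conf: the DC must be the nameserver and the AD domain must be
# present as a 'domain' or 'search' entry (the Hint above explains why).
check_resolv() {   # $1 = contents of /etc/resolv.conf
    printf '%s\n' "$1" | grep -Eq "^nameserver[[:space:]]+$(escape_re "$DC_IP")[[:space:]]*\$" || return 1
    printf '%s\n' "$1" | grep -Eq "^(domain|search)[[:space:]]+(.*[[:space:]])?$(escape_re "$DOMAIN")([[:space:]]|\$)"
}

# /etc/nsswitch.conf: the documentation wants exactly 'hosts: files dns';
# any mdns module on the hosts line is rejected, and dns must be present.
check_nsswitch_hosts() {  # $1 = contents of /etc/nsswitch.conf
    line=$(printf '%s\n' "$1" | grep -E '^hosts:' | head -n 1)
    case "$line" in
        '' | *mdns*) return 1 ;;
    esac
    printf '%s\n' "$line" | grep -Eq '(^|[[:space:]])dns([[:space:]]|$)'
}

# /etc/krb5.conf: default_realm must be the AD domain in upper case.
check_krb5_realm() {  # $1 = contents of /etc/krb5.conf
    realm=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' \
        | head -n 1 | tr -d '[:space:]')
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$DOMAIN" | tr '[:lower:]' '[:upper:]')" ]
}

# Apply the checks to the real files, then prove the KDC answers by getting a
# ticket (kinit prompts for the domain administrator's password).
run_live_checks() {
    rc=0
    check_resolv "$(cat /etc/resolv.conf)" \
        || { echo "resolv.conf: needs 'nameserver $DC_IP' and 'search $DOMAIN'"; rc=1; }
    check_nsswitch_hosts "$(cat /etc/nsswitch.conf)" \
        || { echo "nsswitch.conf: the hosts line must be 'hosts: files dns'"; rc=1; }
    check_krb5_realm "$(cat /etc/krb5.conf)" \
        || { echo "krb5.conf: default_realm must be $(printf '%s' "$DOMAIN" | tr '[:lower:]' '[:upper:]')"; rc=1; }
    [ "$rc" -eq 0 ] || return "$rc"
    kinit administrator && klist
}

# Only touch the real system when explicitly asked to.
if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Run it as root with sh prejoin_check.sh --live (the file name is hypothetical) before proceeding to net ads join; a non-zero exit status names the file that still needs fixing.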
Configuration of the smb.conf
The file differs depending on the ID-mapping scheme used (RID or RFC2307).
Create the Samba configuration file /etc/samba/smb.conf and replace the name MYDOMAIN.LAN with your Kerberos realm.
Choosing the ID-mapping mode
You will usually use the RID configuration if you have migrated from a Microsoft AD or if you have created a new Samba-AD domain. You will usually use the RFC2307 configuration if you migrated from a Samba NT4-style domain to Samba-AD: in that mode winbind reads the uidNumber and gidNumber attributes stored in AD, and users or groups that lack these attributes are not visible on the file server. In both modes the default (*) range and the domain range must not overlap each other, and the domain range should stay clear of the IDs used by local accounts on the server. For more information, see the explanations on IDMapping.
RID mode

[global]
workgroup = MYDOMAIN
security = ADS
realm = MYDOMAIN.LAN
winbind separator = +
idmap config *:backend = tdb
idmap config *:range = 700001-800000
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 10000-700000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
template homedir = /home/homes/%U
[shares]
path = /home/shares
read only = no
[homes]
path = /home/homes/%U
read only = no
[profiles]
path = /home/profiles
read only = no

RFC2307 mode

[global]
workgroup = MYDOMAIN
security = ADS
realm = MYDOMAIN.LAN
idmap config *:backend = tdb
idmap config *:range = 700001-800000
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 500-700000
winbind nss info = rfc2307
vfs objects = acl_xattr
map acl inherit = Yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/homes/%U
[shares]
path = /home/shares
read only = no
[homes]
path = /home/homes/%U
read only = no
[profiles]
path = /home/profiles
read only = no
Note
If you do not want to use your file server as a print server, add the following options to the [global] section of /etc/samba/smb.conf:
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
Joining the file server to the domain
net ads join -U administrator
Configure the /etc/nsswitch.conf file so that the following three lines read:
passwd: compat winbind
group: compat winbind
shadow: compat winbind
Reboot so that every running process and the NSS caches pick up the new nsswitch.conf:
reboot
Check that the connection to the domain is correct.
The following three commands should return the users, the groups and the AD account information as received from winbindd:
wbinfo -u
wbinfo -g
wbinfo -i administrator
The following commands should return the users and groups with their uidNumber as seen by the Linux system. Make sure that you can see the AD users (administrator, krbtgt, etc.):
getent passwd administrator
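The following POSIX shell script is an added example (it is not part of the original documentation or of Samba) that ties the smb.conf configurations above to the checks in this section. Offline, it parses the idmap config ...:range lines out of smb.conf and rejects malformed or overlapping ranges, the mistakes that make winbind hand out wrong IDs or none at all. When run with --live, it then checks the join itself (testparm, net ads testjoin, wbinfo -t, id) and verifies that the administrator's UID actually falls inside the domain's range rather than in the * fallback range, which is what distinguishes a working rid/ad mapping from a silent fall-back to the tdb backend. It assumes this documentation's paths and names: /etc/samba/smb.conf (overridable through SMB_CONF) and the administrator account reachable by its short name thanks to winbind use default domain = yes. The script name verify_member.sh is hypothetical.

```shell
#!/bin/sh
# Post-join verification for the member server (added example; not part of the
# original documentation or of Samba). Offline functions operate on smb.conf
# contents passed as an argument; run_live_checks (only with --live) uses the
# real file and the Samba tools on the joined server.

SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"

# Print "NAME LOW HIGH" for every 'idmap config NAME:range = LOW-HIGH' line.
idmap_ranges() {   # $1 = contents of smb.conf
    printf '%s\n' "$1" | awk '
        /^[ \t]*idmap config [^:]+:range[ \t]*=/ {
            split($0, kv, "=")
            name = kv[1]
            sub(/^[ \t]*idmap config /, "", name)
            sub(/:range[ \t]*$/, "", name)
            range = kv[2]
            gsub(/[ \t]/, "", range)
            split(range, lh, "-")
            print name, lh[1], lh[2]
        }'
}

# Return 0 if the ranges are usable; print the reason and return 1 otherwise.
# A domain range reaching below ID 1000 only produces a warning: it collides
# with system accounts if AD ever hands out such an ID.
check_idmap_ranges() {  # $1 = contents of smb.conf
    idmap_ranges "$1" | awk '
        {
            if ($2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $2 + 0 >= $3 + 0) {
                print "malformed range for " $1 ": " $2 "-" $3; bad = 1; next
            }
            n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0
            if ($1 != "*" && lo[n] < 1000)
                print "warning: range for " $1 " reaches into system account IDs (below 1000)"
        }
        END {
            if (n == 0) { print "no idmap config ranges found"; exit 1 }
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (!(hi[i] < lo[j] || hi[j] < lo[i])) {
                        print "ranges for " name[i] " and " name[j] " overlap"; bad = 1
                    }
            exit (bad ? 1 : 0)
        }'
}

# "LOW HIGH" of the first range that is not the '*' default, i.e. the domain's.
domain_range() {   # $1 = contents of smb.conf
    idmap_ranges "$1" | awk '$1 != "*" { print $2, $3; exit }'
}

# Return 0 if UID $1 lies inside the domain range found in smb.conf contents $2.
uid_in_domain_range() {
    # intentional word splitting: positional parameters become UID LOW HIGH
    set -- "$1" $(domain_range "$2")
    [ -n "${3:-}" ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Live checks; run as root on the joined server: sh verify_member.sh --live
run_live_checks() {
    conf=$(cat "$SMB_CONF")
    check_idmap_ranges "$conf"  || return 1
    testparm -s >/dev/null      || return 1   # smb.conf parses
    net ads testjoin            || return 1   # machine account and secret are valid
    wbinfo -t                   || return 1   # winbindd can use the machine secret against the DC
    uid=$(id -u administrator)  || return 1   # NSS resolves AD users (nsswitch.conf + winbind)
    if uid_in_domain_range "$uid" "$conf"; then
        echo "administrator -> uid $uid, inside the domain range $(domain_range "$conf")"
    else
        echo "administrator -> uid $uid, OUTSIDE the domain range $(domain_range "$conf") (mapped by the '*' backend?)"
        return 1
    fi
}

# Only touch the real system when explicitly asked to.
if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

A UID reported outside the domain range while wbinfo -u still lists the user usually means the domain-specific idmap config lines are misspelled (wrong workgroup name before the colon) and winbind silently fell back to the * tdb backend, which allocates IDs from 700001 upwards in the configurations above.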