Had to install dotproject on Ubuntu 14.04 for a client this morning. I used THIS site and modified the steps slightly:
I used a newly installed Ubuntu 14.04 x64 server for this install.
Make sure that the server is up to date:
apt-get update && apt-get upgrade -y
Install prerequisites:
aptitude install mysql-server mysql-client php5 php5-mysql unzip libphp-jpgraph libgd-tools
Downloaded the latest version of Dotproject from THIS site:
wget http://sourceforge.net/projects/dotproject/files/latest/download
Enable GD support for php5:
apt-get install php5-gd
Enable LDAP support for php5:
apt-get install php5-ldap
FIXING error on install of dotproject 2.1.5:
When I installed dotproject 2.1.5 on Ubuntu 14.04 (the same version as my original dotproject) I got the following error:
DB setup incomplete - the following errors occured:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(14) NOT NULL, `note_modified_by` int(10) unsigned NOT NULL default '0', PRI' at line 15
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'TYPE = MyISAM' at line 10
I found THIS site that had the fix:
I had the same error. I edited the commands that create the user_access_log table in the dotproject.sql file as follows:
was:
) TYPE=MyISAM
Now:
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
I also got a SQL syntax error a few lines up in the code block that creates the 'common_notes' table.
Was:
`note_modified` timestamp(14) NOT NULL,
Now:
`note_modified` timestamp NOT NULL,
I was doing a clean install so I deleted the incomplete database that was set up on my first try as well as the dotproject directory on my server. I re-extracted the zip file, edited the dotproject.sql file as described above, and ran the installation again. No more errors!
I have not noticed any problems with the installation but I am not a SQL guru so I don't know if the changes I made will have any adverse effects, particularly if you are upgrading from a previous installation.
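The two edits quoted above can be applied with sed instead of by hand, which is handy when the same dotproject.sql has to be fixed on several servers. The script below is an added example, not code from the original post or from the dotProject project: it keeps a backup of the untouched file, rewrites both the old TYPE=MyISAM table option (with or without spaces around "=" and with or without a trailing ";") and the timestamp(14) column type, and reports how many offending statements are left. The sample SQL it runs against is constructed here to resemble the failing statements; it is not the real dotproject.sql. It only rewrites the schema file and never touches an existing database, so it helps for a clean install like the one above, not for an upgrade.

```shell
#!/bin/sh
# Added example (not from the original post): apply the two dotproject.sql
# fixes described above with sed, keeping a backup of the untouched file.
# Usage: patch_dotproject_sql /path/to/dotproject.sql
# Prints the number of statements still using the old syntax (0 = all fixed).

patch_dotproject_sql() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    cp "$f" "$f.orig"      # keep the original for comparison / rollback
    # 1. MySQL 5.5+ dropped the old TYPE= table option; use ENGINE= instead
    #    (matches "TYPE=MyISAM", "TYPE = MyISAM", with or without ';').
    # 2. timestamp(14) display widths are gone; plain 'timestamp' is the
    #    equivalent column type.
    sed -E \
        -e 's/\)[[:space:]]*TYPE[[:space:]]*=[[:space:]]*MyISAM[[:space:]]*;?/) ENGINE=MyISAM DEFAULT CHARSET=utf8;/' \
        -e 's/timestamp\([0-9]+\)/timestamp/g' \
        "$f.orig" > "$f"
    # report anything left unfixed so the run can be checked
    leftover=$(grep -cE 'TYPE[[:space:]]*=[[:space:]]*MyISAM|timestamp\([0-9]+\)' "$f" || true)
    echo "$leftover"
}

# Constructed sample resembling the two failing statements (not the real file).
write_sample_sql() {
    cat > "$1" <<'EOF'
CREATE TABLE `common_notes` (
  `note_id` int(10) unsigned NOT NULL auto_increment,
  `note_modified` timestamp(14) NOT NULL,
  `note_modified_by` int(10) unsigned NOT NULL default '0',
  PRIMARY KEY  (`note_id`)
) TYPE = MyISAM;

CREATE TABLE `user_access_log` (
  `user_access_log_id` int(10) unsigned NOT NULL auto_increment,
  PRIMARY KEY  (`user_access_log_id`)
) TYPE=MyISAM
EOF
}

# Demo run against the constructed sample
tmp=$(mktemp -d)
write_sample_sql "$tmp/dotproject.sql"
echo "unfixed statements left: $(patch_dotproject_sql "$tmp/dotproject.sql")"
grep -nE 'ENGINE=|timestamp' "$tmp/dotproject.sql"
```

Run it as patch_dotproject_sql on the extracted dotproject.sql before starting the web installer; dotproject.sql.orig is left beside it so the change can be diffed or reverted.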
A place to store my documentation of day to day IT projects. Hopefully it will be a useful resource for others too.
Monday, 25 May 2015
Monday, 18 May 2015
Ubuntu 14.04 How to Enable php5-imap and php5-ldap for GLPI
Had a problem with Ubuntu 14.04 and php5-ldap and php5-imap after upgrading GLPI to version 0.85.4 last week.
Found the solution on THIS site.
sudo apt-get install php5-imap php5-ldap
sudo php5enmod imap ldap
sudo service apache2 restart
Friday, 15 May 2015
COMPILING SAMBA 4 ON DEBIAN WHEEZY
Decided to ditch Ubuntu for my DC and try the daddy Debian instead. Found THIS blog about how to set up the DC. I then changed it up a bit to use GIT instead of manually downloading the packages, as it makes it easier to upgrade in the future. The modified procedures are below:
During the install, I chose the most minimal installation package option with the addition of an SSH server.
Of course, this will probably work just as well with other distributions if you get your library dependencies right. Ubuntu may work with no modification, but I’m not sure.
Kerberos is very finicky about time. You will need an ntp server to keep your clock well synchronized.
apt-get install ntp
Also, generally I like to assign my servers static IP’s. And it also seems like the AD stuff does not like changing IP addresses once it’s been set up. Seriously. It’s probably an ingredient in the unholy glue.
edit /etc/network/interfaces
Change your “dhcp” flag to “static” and give yourself your proper address and routing info.
auto eth0
iface eth0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1
Unless you’re right on top of your DNS zone information, including PTR records, you should probably edit your /etc/hosts file too, to include the machine name you’re going to use:
edit /etc/hosts
I’m not really sure about the 127.0.1.1 entry here, but it freakishly seemed to work for me. And I’m not sure why I did it. And it may not be necessary. I think it must not be.
127.0.0.1       localhost
127.0.1.1       samba4.mydomain.com samba
192.168.1.2     samba4.mydomain.com samba

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
As for DNS, you can use Bind9 just fine with Samba 4 — but Samba 4 also has its own built-in DNS server that does that filthy injection. If you want to use Bind9 as your backend DNS server, you can, but you will need to allow the Samba 4 server to dynamically update the zone for your domain with Kerberos. There are howto’s on that. I chose to just let Samba 4 use its own built-in DNS server. Because I’m lazy. And I’m just playing for now. And I don’t like a “domain controller” being able to update my real DNS zone file.
This leads to an interesting, and by that I mean boring and unnecessary, discussion of how you should name your Active Directory “domain”. There are a few schools of thought on it, and even Microsoft has changed their tune over time on the subject. I have chosen to name my Samba 4 “domain” as a “subdomain” of my root domain – that way the Active Directory stuff doesn’t have to be authoritative for my whole domain, and I don’t have to make up a fake domain either.
And leave it to Microsoft to terribly confuse everyone by “making it easy”. By domain they do not mean a DNS domain. It’s a hybrid abomination of DNS and what is known in Kerberos as a “realm”.
So yes, well, I made Samba 4 be the DNS server, but it will also do sensible lookups to the real DNS information from my proper DNS server when it doesn’t know a name. That’s why I named it as a DNS “subdomain” (host) rather than the whole domain. For resolution:
edit /etc/resolv.conf
Now, in Ubuntu you’re going to have to do some special editing of configs to keep Network-Manager from overwriting your resolv.conf file after you make these changes.
domain mydomain.com
search mydomain.com
nameserver 192.168.100.2
nameserver 192.168.100.1
The first should be your Samba 4 installation IP. The second should be your real DNS server.
Probably quick & dirtiest to reboot after all this, if you like that sort of thing. BTW – make sure your /etc/hostname matches your DNS hostname. I don’t know if it’s necessary, but how can you stand it otherwise??
Debian Requirements to Compile Samba 4
I should mention, if you plan on having your Samba 4 server also be a filesharing server, and for the Active Directory stuff to manage the users and permissions for you, you need to make sure that whatever filesystem you’re going to be serving out is supporting ACL’s and extended attributes. In Debian this is a normal part of their ext4 mounts, and I think their ext3 ones as well. So you’re set!
But still, might be good to put it in, in your /etc/fstab, just as a reminder. Do, of course, use your own partition’s UUID. And whatever mountpoint you want to share.
UUID=b99750a8-9c39-11e3-82f1-525400990c6c /home ext4 user_xattr,acl 0 2
Many docs also want you to specify barrier=1 as a mount option, to make sure stuff doesn’t get corrupt in a power failure. This is enabled by default in ext4, but you may want to in ext3. And if you’re using LVM volumes, this is passed through and respected now. Ah, the wonders of the modern world.
Now, what you really want to know: which Debian packages do I need to install when compiling Samba 4? Well, how about these?
aptitude install build-essential pkg-config libacl1 acl libacl1-dev libblkid-dev libblkid1 attr libattr1 libattr1-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb libpopt-dev libldap2-dev dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev libncurses-dev libpam0g-dev libdm0-dev libfam0 fam libfam-dev xsltproc libnss3-dev docbook-xsl-doc-html docbook-xsl-ns
If you don’t have other Kerberos servers, well, I just used this server as my kerberos ones, and it works just fine. The initial realm, where it defaults to your domain name in upper-case — I made that the FQDN in upper-case as well. Apparently the realm likes to be upper-case.
Maybe you’ll want to reboot again, after the acl stuff. Maybe not. Maybe you didn’t reboot a few minutes ago, so it will only be this one reboot. Or none. I don’t care.
Compile Samba 4
The version of Samba I grabbed was their latest at the time, listed below. They may have a newer version when you read this, so always check the Samba site for the version you want.
I like compiling in /usr/src — and I’m letting Samba 4 install to its default location, which I know is a horrific violation of Debian policy. But I’m naughty.
cd /usr/src
wget http://www.samba.org/samba/ftp/stable/samba-4.1.4.tar.gz
tar -xzf samba-4.1.4.tar.gz
cd samba-4.1.4
./configure && make && make install
Oh, the places we’ll go.
After that completes successfully the first try and love descends upon all humanity, you might want to put the install directory into your PATH environment variable so you can avoid over-stressing your poor little phalanges. Put this in your .bashrc
export PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH
If you’re feeling particularly cavalier, trusting in the goodness of strangers that is. And source it! (or log out/in, open a new terminal, whatever)
I also symlinked my /usr/local/samba/etc to /etc/samba to make it less typing to edit configs:
ln -s /usr/local/samba/etc /etc/samba
Then you’ll want to make the Samba 4 stuff work. Right? First thing is to provision the so-called domain. I’m leaving it open to do some Un*x-side integration later here – that’s why the “rfc” switch.
samba-tool domain provision --use-rfc2307 --interactive
It will ask you some questions, and here’s where we get into the “domain” naming philosophy again. Just make it the same as your DNS decision above. In my example, the Realm I chose was SAMBA4.MYDOMAIN.COM
Do do the upper-case! Why? I don’t know!
And for the “Domain” I chose “MYDOMAIN” (without the .COM). It’s pretty much like your workgroup setting, is all I can figure.
If you do it this way, then all machines joining your Active Directory “domain” will get the right DNS information for your DNS zone — because the AD server will only consider itself authoritative for SAMBA4.MYDOMAIN.COM and “higher”, but not for all of MYDOMAIN.COM itself — and it will forward those DNS requests on to your proper DNS server when it doesn’t know about them.
So be sure to set your DNS forwarder here to your real DNS server.
Cold, Cruel Kerberos
I’ve never known it to be so easy. I’m leaping with joy inside. Or maybe that’s lasagna.
cd /etc
cp krb5.conf krb5.conf.original
cp /usr/local/samba/share/setup/krb5.conf .
Then edit your new /etc/krb5.conf and change the REALM variable to the realm you chose: SAMBA4.MYDOMAIN.COM
I know! Can you believe it! It’s here where I feel a twinge of almost… non-sickness about MS. Ok it may even be stronger than that. A little.
Reboot again. Hahaha!
You Can Dance
Now, just start Samba 4 by typing in “samba”
It will give minimal info in /var/log/syslog – mine complained about CUPS not being there, but it wasn’t enough trauma for it to die, thankfully.
Now you’ll want to set up your administrator auth-y stuff, yes?
kinit administrator@SAMBA4.MYDOMAIN.COM
samba-tool user setexpiry administrator --noexpiry
Bad idea that no-expiry flag probably. But we’ve already established I’m naughty.
That’s about it! You can now fully administer it just like an Active Directory domain controller from Windows, using their remote server administration tools. Crazy, I know! That link is for Windows 8.1 download, BTW.
Also, the Samba website has a good howto on stuff like this.
The thing is, when you join a Windows machine into the “domain”, you have to make sure that you’re using your Samba 4 server as the DNS server for that machine, just like you would have to do with Microsoft’s Active Directory domain controllers. They need the filthy DNS injection.
Home Directories for Windows Users
If you want to have your Samba 4 server serve out home directories to your users, you accomplish that pretty easy. It just requires a “[home]” section in your smb.conf file.
That’s not a “[homes]” section like in Samba 3 by the way — just a singular “[home]”. It’s special. Apparently.
That section only requires a path and read only = no:
[home]
    path = /home/
    read only = no
You don’t really need local accounts for your users. Samba 4 will create crazy high-numbered fictional users and groups to service your Windows throngs. Just make sure that mountpoint has the acl and xattr flags.
Oh, and your administrator account will need the “SeDiskOperatorPrivilege” I think:
net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
This will make it so that, if you use the Windows remote administration tools in Windows, you can create users that can have a drive automatically mapped to their Windows machine when they log in, and Samba 4 will create their home directory automatically.
The setup in Windows is a little convoluted. I’m no Windows person. But here’s a step by step that I followed and it worked great.
It should also be noted that the default setup seems to allow normal workgroup functioning to continue working as well. So even if you have Windows machines that aren’t the insanely more expensive “Pro” version of Windows, you can still map to the shares like you could to a workgroup.
But then again, that begs the question, why then bother with an Active Directory Domain Controller at all? Unless you want to spend a lot more money per seat on Windows.
Final Comments
I am impressed with Microsoft’s ability to impose a standardized way of implementing LDAP in conjunction with Kerberos. I am less impressed with their shameless violations of DNS to rope this in.
I haven’t tried it yet, but apparently you can pretty easily have your Linux boxes authenticate against Samba 4 as well. I think I may not be doing that. Well, maybe I will.
It is really nice and compelling that it’s all tied together. And it’s not so bad since Samba 4’s been able to bring it into the light. I’m undecided. It seems to work well.
Anyway, I hope this helped someone. I was very daunted by the whole Active Directory integration mess at first. But these Samba guys really have done a great job. I’ll be showing them some love. Of the monetary type! Well, I suppose unless…
Thursday, 14 May 2015
Converting VirtualBox VMs to ESXi
This morning I had to convert a VirtualBox VM to ESXi. I tried using the VMware converter but it was going to take 2 days!!! I then stumbled across THIS article, which saved my week.
Import VirtualBox VMs in VMware ESXi
Recently we’ve had a bunch of VirtualBox 4.x VMs that we needed to import into VMware ESXi 4.1. There are various tutorials on the net on how to convert the VMs by editing the OVF or OVA files. Unfortunately this method didn’t really work for us, so here are a couple of simple steps that helped us convert the VMs without issues.
- We do not try to convert the whole VM but only the hard drives. The VM is created on the target ESXi host easily enough.
- On your VirtualBox host create a clone of the VM's hard disk like this:
vboxmanage clonehd in.vdi out.vmdk --format VMDK --variant Fixed,ESX
- This creates two files. One with the actual data and the other holding a descriptor. If the virtual hard drive is not completely filled, zipping the image will dramatically reduce its size.
- On your ESXi host create a new VM without hard drive. Use the advanced mode to do so.
- Copy the hard drive image to your ESXi host by using scp (or similar). Place it (both files) into the directory of your newly created VM.
- Edit the settings of your new VM and add that hard drive.
That’s all. Using this method your virtual hard drive should now be a SCSI hard drive as expected by ESXi even if it was a SATA drive in VirtualBox before. Our Linux guests had no problem with this transition. Hopefully it works for other guests as well.
CentOS 7 configuring IP Alias
Had to configure an IP alias on a CentOS 7 server this morning. Found THIS how-to:
cd /etc/sysconfig/network-scripts
cp ifcfg-eth0 ifcfg-eth0:0
vi /etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE="eth0:0"
BOOTPROTO=static
ONBOOT=yes
TYPE="Ethernet"
IPADDR=172.16.16.126
NETMASK=255.255.255.224
GATEWAY=172.16.16.100
HWADDR=00:0C:29:28:FD:4C
Wednesday, 13 May 2015
Ubuntu 14.04 installing Samba4 AD Server with GIT
I found THIS site with the following instructions:
Active directory Domain controller on Ubuntu 14.04 (Samba Internal DNS)
Server Setup:
Hostname: dc1
Domain name: mydomain.local
O/S – Ubuntu 14.04 LTS
HDD: 20GB (Thin Provisioning) – LVM
No HDD Encryption
Memory: 4GB
Time Zone: Africa/Johannesburg
Networking:
IP 192.168.1.55
SM: 255.255.255.0
GW: 192.168.1.1
Installed Packages with initial installation: OpenSSH Server
Once the installation was done, log in as the user you created on the server.
Now change the root password.
sudo passwd root
Enter your new root password.
Now log in as root on the server.
By default Ubuntu 14.04 does not allow you to ssh using root on the server, so you will need to log onto the server and then su to root.
digit@dc1:~$ su
Password:
root@dc1:/home/digit#
Now you will need to configure your network interface for static IP.
(we’ll use 192.168.1.55 as IP for this Domain Controller, dc1 for the name and MYDOMAIN.LOCAL as FQDN )
Edit your /etc/network/interfaces file.
vi /etc/network/interfaces
change iface eth0 inet dhcp to iface eth0 inet static
then add these lines:
address 192.168.1.55
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
dns-nameservers 8.8.8.8
dns-search mydomain.local
Save and close (:wq)
then we need to configure our /etc/hosts file like so:
127.0.0.1 localhost.localdomain localhost
192.168.1.55 dc1.mydomain.local dc1
save and close
then run
echo dc1.mydomain.local > /etc/hostname
now restart networking so that the changes are made
/etc/init.d/networking restart
Now we need to install the prerequisites for Samba, Kerberos etc.
apt-get update && apt-get upgrade -y
Now we install most of the packages that we will require (+/- 67MB at the time of writing):
apt-get install git build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev libpam0g-dev ntp -y
You’ll be asked for Kerberos information.
When asked for the default realm etc., enter MYDOMAIN.LOCAL as the realm and dc1 as the host:
Default Kerberos version 5 realm: MYDOMAIN.LOCAL
Enter the hostnames of Kerberos servers in the MYDOMAIN.LOCAL Kerberos realm separated by spaces.
Kerberos servers for your realm: dc1
Enter the hostname of the administrative (password changing) server for the MYDOMAIN.LOCAL Kerberos realm.
Administrative server for your Kerberos realm: dc1
Restart your server
init 6
We will be installing Samba 4, most current release, from the GIT repository,
git clone git://git.samba.org/samba.git /usr/src/samba4/
Now let's start to compile and configure Samba:
cd /usr/src/samba4/
./configure --enable-debug --enable-selftest
make
make install
Note:
If you run the configure command without any extra parameter then Samba will be installed by default inside /usr/local/samba; otherwise use the --prefix option to specify a different installation directory.
Depending on your computer it may take a while (15-20 mins).
Before running the provision step make sure the following things are in place
vi /etc/hosts
Make sure your host file looks something like this:
127.0.0.1 localhost
192.168.1.55 dc1.mydomain.local dc1
Make sure your hostname is correct
root@dc1:/usr/src/samba4# hostname
dc1.mydomain.local
root@dc1:/usr/src/samba4#
Set your DNS server to point to the local server
vi /etc/resolv.conf
nameserver 192.168.1.55
search mydomain.local
If the above steps complete without any error then you can move ahead for provisioning step
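The checks above (hostname, /etc/hosts, /etc/resolv.conf) are the same ones the Debian post earlier on this page walks through, and they are the usual cause of the NT_STATUS_LOGON_FAILURE and NXDOMAIN problems noted further down. The script below is an added example, not part of either post: it verifies all four in one go before provisioning. File paths and the hostname are parameters, so it can be run against copies or test files; the demo uses constructed files with the values from this post (dc1.mydomain.local on 192.168.1.55). The loopback check exists because the address the DC's name resolves to ends up in the AD DNS zone, and a 127.x address there is useless to clients.

```shell
#!/bin/sh
# Added example, not part of either post: sanity checks for the hostname,
# /etc/hosts and /etc/resolv.conf steps before "samba-tool domain provision".
#   preflight_check <fqdn> <lan-ip> <hosts-file> <resolv-file> [<hostname>]
# Prints one line per check; the return value is the number of failed checks.

preflight_check() {
    fqdn="$1"; ip="$2"; hosts="$3"; resolv="$4"; hn="${5:-$(hostname)}"
    domain="${fqdn#*.}"
    fails=0
    # escape dots so the names and the IP are matched literally by grep -E
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    fqdn_re=$(printf '%s' "$fqdn" | sed 's/\./\\./g')

    # 1. The hostname must already be the FQDN the DC will be provisioned as.
    if [ "$hn" = "$fqdn" ]; then
        echo "ok   hostname is $fqdn"
    else
        echo "FAIL hostname is '$hn', expected $fqdn"; fails=$((fails + 1))
    fi

    # 2. /etc/hosts must map the LAN IP to the FQDN ...
    if grep -Eq "^[[:space:]]*$ip_re[[:space:]]+(.*[[:space:]])?$fqdn_re([[:space:]]|$)" "$hosts"; then
        echo "ok   $hosts maps $ip -> $fqdn"
    else
        echo "FAIL $hosts has no line '$ip $fqdn ${fqdn%%.*}'"; fails=$((fails + 1))
    fi
    # ... and must not also map the FQDN to 127.x.x.x: that address would be
    # published in the AD DNS zone and clients cannot reach it.
    if grep -Eq "^[[:space:]]*127\.[0-9.]+[[:space:]]+(.*[[:space:]])?$fqdn_re([[:space:]]|$)" "$hosts"; then
        echo "FAIL $hosts maps $fqdn to a loopback address"; fails=$((fails + 1))
    fi

    # 3. The first nameserver must be this DC, since it will serve the AD zone.
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv")
    if [ "$first_ns" = "$ip" ]; then
        echo "ok   first nameserver is $ip"
    else
        echo "FAIL first nameserver is '$first_ns', expected $ip"; fails=$((fails + 1))
    fi

    # 4. The search/domain entry must be the DNS domain of the realm.
    if awk '$1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) print tolower($i) }' "$resolv" \
        | grep -qxF "$(printf '%s' "$domain" | tr 'A-Z' 'a-z')"; then
        echo "ok   search domain includes $domain"
    else
        echo "FAIL $resolv has no 'search $domain'"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Demo against constructed copies of the files from the post above
# (values are the post's: dc1.mydomain.local on 192.168.1.55).
demo_preflight() {
    d=$(mktemp -d)
    printf '127.0.0.1 localhost\n192.168.1.55 dc1.mydomain.local dc1\n' > "$d/hosts"
    printf 'nameserver 192.168.1.55\nsearch mydomain.local\n' > "$d/resolv.conf"
    preflight_check dc1.mydomain.local 192.168.1.55 "$d/hosts" "$d/resolv.conf" dc1.mydomain.local
}

demo_preflight
```

On the real server run preflight_check dc1.mydomain.local 192.168.1.55 /etc/hosts /etc/resolv.conf and fix every FAIL line before provisioning; an exit status of 0 means all four checks passed.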
Add the new path location to your bash file for Samba:
vi ~/.bashrc
export PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin
Now let's provision the new domain.
For now, you will be using Samba's internal DNS; we can always upgrade it later to BIND.
/usr/local/samba/bin/samba-tool domain provision --realm=mydomain.local --domain=MYDOMAIN --adminpass="Passw0rd" --server-role=dc --dns-backend=SAMBA_INTERNAL
You should see something like this:
root@dc1:/usr/src/samba4# /usr/local/samba/bin/samba-tool domain provision --realm=mydomain.local --domain=MYDOMAIN --adminpass="Passw0rd" --server-role=dc --dns-backend=SAMBA_INTERNAL
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=mydomain,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              dc1
NetBIOS Domain:        MYDOMAIN
DNS Domain:            mydomain.local
DOMAIN SID:            S-1-5-21-3071701496-2123785088-2579521527
root@dc1:/usr/src/samba4#
Now let's start Samba:
/usr/local/samba/sbin/samba
Check samba and smbclient version ( they should match )
root@dc1:/usr/src/samba4# /usr/local/samba/sbin/samba -V
Version 4.2.0pre1-GIT-6da8126
root@dc1:/usr/src/samba4# /usr/local/samba/bin/smbclient -V
Version 4.2.0pre1-GIT-6da8126
root@dc1:/usr/src/samba4#
Listing the administrative shares will show you the sysvol and netlogon shares, etc.
/usr/local/samba/bin/smbclient -L localhost -U%
You should see something like this:
root@dc1:/usr/src/samba4# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-6da8126]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.2.0pre1-GIT-6da8126)
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-6da8126]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
root@dc1:/usr/src/samba4#
Now we can check the authentication:
/usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%"Passw0rd" -c 'ls'
Response should be this:
root@dc1:/usr/src/samba4# /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%"Passw0rd" -c 'ls'
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-6da8126]
  .                                   D        0  Wed Jun 11 13:55:54 2014
  ..                                  D        0  Wed Jun 11 13:56:04 2014

                16116664 blocks of size 1024. 12670940 blocks available
root@dc1:/usr/src/samba4#
**NOTE**: If you receive the following error:
session setup failed: NT_STATUS_LOGON_FAILURE
make sure that your DNS settings are correct in /etc/network/interfaces and in /etc/resolv.conf, then run the command again. Your DNS should point to the local machine.
Configure SAMBA INTERNAL DNS
echo "domain MYDOMAIN.LOCAL" >> /etc/resolv.conf
Now we will need to edit the smb.conf file and specify the DNS forwarder.
vi /usr/local/samba/etc/smb.conf
add the following under the [global] section:
dns forwarder = 8.8.8.8
save and close.
8.8.8.8 is Google’s Public DNS server
This is what my smb.conf file looks like:
# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = mydomain.local
        netbios name = DC1
        server role = active directory domain controller
        dns forwarder = 8.8.8.8

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
Now we need to test DNS. Issue the following commands:
host -t SRV _ldap._tcp.MYDOMAIN.LOCAL
host -t SRV _kerberos._udp.MYDOMAIN.LOCAL
host -t A dc1.mydomain.local
You should get results like this:
root@dc1:/usr/src/samba4# host -t SRV _ldap._tcp.MYDOMAIN.LOCAL
_ldap._tcp.MYDOMAIN.LOCAL has SRV record 0 100 389 dc1.mydomain.local.
root@dc1:/usr/src/samba4# host -t SRV _kerberos._udp.MYDOMAIN.LOCAL
_kerberos._udp.MYDOMAIN.LOCAL has SRV record 0 100 88 dc1.mydomain.local.
root@dc1:/usr/src/samba4# host -t A dc1.mydomain.local
dc1.mydomain.local has address 192.168.1.55
root@dc1:/usr/src/samba4#
***NOTE***: If you received something like “host mydomain.local not found 3(NXDOMAIN)”, your Samba probably failed to start for some reason, or it can be a DNS issue. Check the interfaces config file or the resolv.conf file.
Next, we need to configure and test Kerberos by editing the krb5.conf file and replacing $(REALM) with MYDOMAIN.LOCAL:
vi /usr/local/samba/share/setup/krb5.conf
[libdefaults]
        default_realm = MYDOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
Now let's test it. Please note that the domain name is in capitals:
kinit administrator@MYDOMAIN.LOCAL
Result:
root@dc1:/usr/src/samba4# kinit administrator@MYDOMAIN.LOCAL
Password for administrator@MYDOMAIN.LOCAL:
Warning: Your password will expire in 41 days on Wed 23 Jul 2014 13:56:03 SAST
root@dc1:/usr/src/samba4#
Display information about the Kerberos ticket you received:
klist -e
Result:
root@dc1:/usr/src/samba4# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.LOCAL

Valid starting       Expires              Service principal
11/06/2014 14:12:51  12/06/2014 00:12:51  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
        renew until 12/06/2014 14:12:46, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
root@dc1:/usr/src/samba4#
Active Directory also requires a time server, so we need an NTP server.
We will also set it to synchronise time from the Internet.
Edit the ntp.conf file if you have your own time servers.
vi /etc/ntp.conf
I just left it as the default for now
[...]
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org

# Use Ubuntu's ntp server as a fallback.
server ntp.ubuntu.com
[...]
Now let's start the time server:
service ntp restart
Check that the time server is synchronising with its peers:
ntpq -p
You might want to add users home folders or profile folders etc…
mkdir -m 770 /Users
chmod g+s /Users
chown root:users /Users
then edit smb.conf and add the following lines:
vi /usr/local/samba/etc/smb.conf
[Users]
        ; "directory mode" is the smb.conf parameter name; the original text had
        ; "directory_mode: parameter = 0700", which Samba does not recognise
        directory mode = 0700
        read only = no
        path = /Users
        csc policy = documents
Complete smb.conf so far:
# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = mydomain.local
        netbios name = DC1
        server role = active directory domain controller
        dns forwarder = 8.8.8.8

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[Users]
        directory mode = 0700
        read only = no
        path = /Users
        csc policy = documents
Finally, set the no-expiration flag for your Active Directory administrator password (or you’ll have problems after 42 days):
/usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry
Result:
root@dc1:/usr/src/samba4# /usr/local/samba/bin/samba-tool user setexpiry administrator --noexpiry
Expiry for user 'administrator' disabled.
root@dc1:/usr/src/samba4#
Now let's create an init script so that it is easy to start and stop Samba:
vi /etc/init.d/samba4
Copy and paste the following into the file:
#! /bin/sh
### BEGIN INIT INFO
# Provides:          samba
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Samba daemons
### END INIT INFO
#
# Start/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#

# PID file written by "samba -D". Check this against your build: a default
# source install (prefix /usr/local/samba) uses /usr/local/samba/var/run/samba.pid.
SAMBAPID=/var/run/samba/samba.pid

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemon and the config file are there
test -x /usr/local/samba/sbin/samba -a -r /usr/local/samba/etc/smb.conf || exit 0

. /lib/lsb/init-functions

case "$1" in
    start)
        log_daemon_msg "Starting Samba 4 daemon" "samba"
        if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
            log_end_msg 1
            exit 1
        fi
        log_end_msg 0
        ;;
    stop)
        log_daemon_msg "Stopping Samba 4 daemon" "samba"
        # the PID file must be passed with --pidfile, not as a bare argument
        start-stop-daemon --stop --quiet --name samba --pidfile $SAMBAPID
        # Wait a little and remove stale PID file
        sleep 1
        if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
        then
            # Stale PID file (samba was successfully stopped),
            # remove it (should be removed by samba itself IMHO.)
            rm -f $SAMBAPID
        fi
        log_end_msg 0
        ;;
    restart|force-reload)
        $0 stop
        sleep 1
        $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/samba4 {start|stop|restart|force-reload}"
        exit 1
        ;;
esac

exit 0
After you have created the file, be sure to change the permissions and set the script to autostart using update-rc.d:
chmod 755 /etc/init.d/samba4
update-rc.d samba4 defaults
Result:
root@dc1:/usr/src/samba4# chmod 755 /etc/init.d/samba4
root@dc1:/usr/src/samba4# update-rc.d samba4 defaults
 Adding system startup for /etc/init.d/samba4 ...
   /etc/rc0.d/K20samba4 -> ../init.d/samba4
   /etc/rc1.d/K20samba4 -> ../init.d/samba4
   /etc/rc6.d/K20samba4 -> ../init.d/samba4
   /etc/rc2.d/S20samba4 -> ../init.d/samba4
   /etc/rc3.d/S20samba4 -> ../init.d/samba4
   /etc/rc4.d/S20samba4 -> ../init.d/samba4
   /etc/rc5.d/S20samba4 -> ../init.d/samba4
root@dc1:/usr/src/samba4#
Now let's restart the Samba server using our new init script:
/etc/init.d/samba4 restart
Result:
root@dc1:/usr/src/samba4# /etc/init.d/samba4 restart
 * Stopping Samba 4 daemon samba                                       [ OK ]
 * Starting Samba 4 daemon samba                                       [ OK ]
root@dc1:/usr/src/samba4#
Your Active Directory Domain Controller has been set up.
You can download the MS Windows Remote Server Admin Tools to administer your users and group policies.
*** Tutorial soon to follow… ***
I had some issues on my network where, if the users browsed the Internet, their browsers sometimes didn't open the web page. This was caused by DNS.
I resolved it by adding the following entries in my smb.conf file:
vi /usr/local/samba/etc/smb.conf
allow dns updates = nonsecure
dns forwarder = 8.8.8.8
log level = 3
server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
And here is my complete smb.conf file
# Global parameters
[global]
        time server = yes
        dos filetimes = yes
        fake directory create times = yes
        dos filetime resolution = yes
        delete readonly = yes
        workgroup = MYDOMAIN
        realm = mydomain.local
        netbios name = DC1
        server role = active directory domain controller
        #dns forwarder = 8.8.8.8
        allow dns updates = nonsecure
        dns forwarder = 8.8.8.8
        log level = 3
        server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
        read only = No
        preexec = echo %u is in %G >> /var/log/smbshares.log

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[Users]
        directory mode = 0700
        read only = no
        path = /Users
        csc policy = documents
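Two of the [global] settings above change what the DC's DNS does for the whole network: dns forwarder (without it, names outside the AD zone do not resolve, which is the browser symptom described) and allow dns updates = nonsecure (Samba's default is secure only, meaning Kerberos-authenticated dynamic updates; nonsecure accepts updates from any host that can reach the DC's DNS). The script below is an added example, not part of the original post or of Samba: it reads the [global] section of an smb.conf and reports those settings along with server role, realm and log level, so a config can be checked before it is put on a DC. The sample smb.conf it runs against is constructed here from the [global] block shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: a small audit of the [global]
# section of an smb.conf such as the ones shown above. smb.conf parameter
# names are case-insensitive and ignore internal whitespace, so keys are
# normalised (lower-case, spaces removed) before comparison.
#   smb_global_get <smb.conf> <normalised-key>   -> prints the value, if set
#   smb_audit <smb.conf>                          -> findings; returns WARN count

smb_global_get() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                              # comment lines
        /^[ \t]*\[/   { sec = tolower($0)                    # [section] header
                        gsub(/[^a-z0-9_]/, "", sec); next }
        sec == "global" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); key = tolower(key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == want) { print val; exit }
        }' "$1"
}

smb_audit() {
    f="$1"; warns=0
    role=$(smb_global_get "$f" serverrole)
    realm=$(smb_global_get "$f" realm)
    fwd=$(smb_global_get "$f" dnsforwarder)
    upd=$(smb_global_get "$f" allowdnsupdates | tr 'A-Z' 'a-z')
    lvl=$(smb_global_get "$f" loglevel)

    if [ "$role" = "active directory domain controller" ]; then
        echo "ok   server role = $role"
    else
        echo "WARN server role = '$role' (expected: active directory domain controller)"; warns=$((warns + 1))
    fi
    if [ -n "$realm" ]; then echo "ok   realm = $realm"
    else echo "WARN realm is not set"; warns=$((warns + 1)); fi
    # Without a forwarder the internal DNS answers only for the AD zone.
    if [ -n "$fwd" ]; then echo "ok   dns forwarder = $fwd"
    else echo "WARN no dns forwarder; names outside the AD zone will not resolve"; warns=$((warns + 1)); fi
    # 'allow dns updates' defaults to 'secure only' (Kerberos-authenticated
    # dynamic updates). 'nonsecure' also accepts unauthenticated updates, so
    # any host that can reach the DC's DNS may add or replace zone records.
    case "$upd" in
        nonsecure*)
            echo "WARN allow dns updates = $upd: unauthenticated hosts may change AD DNS records ('secure only' is the default)"
            warns=$((warns + 1)) ;;
        "")  echo "ok   allow dns updates = secure only (default)" ;;
        *)   echo "ok   allow dns updates = $upd" ;;
    esac
    # log level 0 is the default; 3 and above is verbose and the logs grow fast
    lvl_n=$(printf '%s' "${lvl:-0}" | sed 's/[^0-9].*//')
    if [ "${lvl_n:-0}" -ge 3 ]; then echo "note log level = $lvl (verbose; default is 0)"
    else echo "ok   log level = ${lvl:-0}"; fi
    return "$warns"
}

# Constructed sample mirroring the [global] section shown above.
write_sample_smbconf() {
    cat > "$1" <<'EOF'
# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = mydomain.local
        netbios name = DC1
        server role = active directory domain controller
        #dns forwarder = 8.8.8.8
        allow dns updates = nonsecure
        dns forwarder = 8.8.8.8
        log level = 3

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
        read only = No
EOF
}

tmp=$(mktemp -d)
write_sample_smbconf "$tmp/smb.conf"
smb_audit "$tmp/smb.conf"; echo "warnings: $?"
```

Run smb_audit /usr/local/samba/etc/smb.conf on the DC; the only WARN the sample produces is the nonsecure update setting, which is worth keeping deliberate (for example limited to the period when another host, such as the DHCP server mentioned below, has to register leases) rather than left on by default.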
I have another server running DHCP, and I had to create a DNS Update script so that it updates the DNS records for the DHCP Server leases.
Edit the crontab.
vi /etc/crontab
Add the following:
01 * * * * root /usr/local/samba/sbin/samba_dnsupdate
save and close.
Restart cron:
/etc/init.d/cron restart