So here’s what I did:
Prerequisite
You must have a Samba 4 Active Directory Domain Controller running just fine already. Or a normal Windows-y one if you must run a Windows one for some nonsense reason.
You must have a Debian (or possibly Ubuntu) server ready to go with only the minimal stuff installed – like the SSH server. That’s because it’s proper. And you will be proper. Another distribution is fine of course, just don’t complain to me.
Don’t use Debian Wheezy’s version of Samba 4. It’s not ripe yet. And don’t use Samba 3. It’s overripe. (Simply too many notes) Either roll your own Samba 4 from source or enable the Debian backports repository and go with that version of Samba 4.
If you follow the instructions to roll your own, skip the samba-tool domain-provision step and the Cold, Cruel Kerberos sections! They make your new Samba 4 server have delusions of grandeur and it won’t want to listen to your already-existing AD/DC.
If you go with Debian backports, this is what you’ll need:
# apt-get -t wheezy-backports install samba samba-doc samba-testsuite winbind libnss-winbind
# apt-get install acl
Setting Up the Samba 4 Domain Member
The smb.conf [global] section
If you’re using the Debian version of the /etc/samba/smb.conf from backports, throw away everything in it, because it’s garbage Samba 3 stuff and they haven’t bothered tidying anything up.
For a simple Samba file server, you just need your [global] section and your share definition. I’ll highlight some of the stuff in it, after this example listing (that works just great). Be certain that the filesystem that serves out the stuff is mounted with xattr and ACL support (in your /etc/fstab, put the mount options “user_xattr,acl” in place of “defaults”).
Anyway, here’s that /etc/samba/smb.conf file:
[global]
    netbios name = <servername>
    workgroup = <win domain>
    security = ADS
    realm = <kerberos realm>
    encrypt passwords = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config <win domain>:backend = ad
    idmap config <win domain>:schema_mode = rfc2307
    idmap config <win domain>:range = 3000000-4000000
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
That’s it, really. I love Samba 4 for this. Consider me gushing and oozing again, all over the Samba development team again for doing such a damn fine job pulling so much together. Very well done.
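As an added example (not part of the original post), this shell script checks two things the configuration above depends on: that the share's fstab entry carries user_xattr and acl, and that no two idmap ranges overlap, since overlapping ranges let two different accounts map to the same Unix ID. The function names, the EXAMPLE domain and the /srv/share mount point are assumptions.

```sh
#!/bin/sh
# Added example: sanity checks for the fstab and smb.conf settings above.
# Both functions take the file to inspect as an argument.

# Succeeds if the fstab ($1) entry for mount point $2 lists user_xattr and acl.
fstab_has_acl_xattr() {
    awk -v mp="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) seen[o[i]] = 1 }
        END { exit !(seen["user_xattr"] && seen["acl"]) }
    ' "$1"
}

# Prints each pair of "idmap config <domain>:range" lines in smb.conf ($1)
# whose ID ranges intersect; fails (exit 1) if any pair does.
idmap_overlaps() {
    awk -F= '
        { key = tolower($1) }
        key ~ /^[ \t]*idmap config .*:[ \t]*range[ \t]*$/ {
            sub(/^[ \t]*idmap config[ \t]*/, "", key)
            sub(/[ \t]*:.*$/, "", key)
            split($2, r, "-")
            dom[++n] = key; lo[n] = r[1] + 0; hi[n] = r[2] + 0
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print dom[i] " overlaps " dom[j]; bad = 1
                    }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample input: EXAMPLE and /srv/share are placeholders.
demo=$(mktemp -d)
printf '%s\n' '/dev/sdb1 /srv/share ext4 user_xattr,acl 0 2' > "$demo/fstab"
printf '%s\n' '[global]' \
    '    idmap config *:range = 70001-80000' \
    '    idmap config EXAMPLE:range = 3000000-4000000' > "$demo/smb.conf"
fstab_has_acl_xattr "$demo/fstab" /srv/share && echo "mount options OK"
idmap_overlaps "$demo/smb.conf" && echo "idmap ranges disjoint"
rm -rf "$demo"
```

On a real server, call the two functions with /etc/fstab and /etc/samba/smb.conf and your share's mount point.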