Tuesday, 12 May 2015

Samba 4 adding Debian Server as Member server

Used THIS article to install my new Debian samba4 Fileserver:

So here’s what I did:

Prerequisite

You must a Samba 4 Active Directory Domain Controller running just fine already. Or a normal Windows-y one if you must run a Windows one for some nonsense reason.
You must have a Debian (or possibly Ubuntu) server ready to go with only the minimal stuff installed – like the SSH server. That’s because it’s proper. And you will be proper. Another distribution is fine of course, just don’t complain to me.
Don’t use Debian Wheezy’s version of Samba 4. It’s not ripe yet. And don’t use Samba 3. It’s overripe. (Simply too many notes) Either roll your own Samba 4 from source or enable the Debian backportsrepository and go with that version of Samba 4, there.
If you follow the instructions to roll your own, skip the samba-tool domain-provision step and the Cold, Cruel Kerberos sections!It makes your new Samba 4 server have delusions of grandeur and it won’t want to listen to your already-existing AD/DC.
If you go with Debian backports, this is what you’ll need:
# apt-get -t wheezy-backports install samba samba-doc samba-testsuite winbind libnss-winbind
# apt-get install acl

Setting Up the Samba 4 Domain Member

The smb.conf [global] section

If you’re using the Debian version of the /etc/samba/smb.conf from backports, throw away everything in it, because it’s garbage Samba 3 stuff and they haven’t bothered tidying anything up.
For a simple Samba file server, you just need your [global] section and your share definition. I’ll highlight some of the stuff in it, after this example listing (that works just great). Be certain that your filesystem that serves out the stuff is mounted to support xattr and acl’s. (in your /etc/fstab put the mount options “user_xattr,acl” in place of “defaults”).
Anyway, here’s that /etc/samba/smb.conf file:
[global]
  netbios name = <servername>
  workgroup = <win domain>
  security = ADS
  realm = <kerberos realm>
  encrypt passwords = yes

  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config <win domain>:backend = ad
  idmap config <win domain>:schema_mode = rfc2307
  idmap config <win domain>:range = 3000000-4000000

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes

  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes
That’s it, really. I love Samba 4 for this. Consider me gushing and oozing again, all over the Samba development team again for doing such a damn fine job pulling so much together. Very well done.


No comments:

Post a Comment