Samba-dc
 | |
| samba-dc logo | |
| Maintainer | maintainer |
|---|---|
| Url | https://wiki.koozali.org |
| Category | |
| Tags | File, this, with, a, list, of, tags |
Maintainer
initial work of Bunkobugsy
Version
Description
This package provides templates for samba Active Directory support. More details found here.
It will replace upstream samba packages with AD enabled ones from SIG/FastTrack repo. More details found here.
A secondary samba service will use separate samba data directories, set up via a distinct samba configuration.
This ensures that samba-dc instance won't interfere with normal filesharing samba services provided by SME core.
User accounts created in SME will be kept in sync with the LDAP service provided by samba Active Directory. More details here.
Users logged in to domain joined Windows PCs will have access to SME's samba shares via their namesake usernames and matching passwords. https://wiki.koozali.org/Client_Authentication:Windows#Login_to_shared_resources
In an Active Directory Kerberos requires an accurate time synchronization so make sure to set up NTP for all client computers.
Installation
dnf --enablerepo=smetest update smeserver-base
Before continuing make sure you have at least smeserver-base-11.0.0-15.el8.sme (UPDATE!!).
/sbin/e-smith/db yum_repositories set fasttrack-updates repository \ Name 'Rocky Linux 8.10 - SIG FastTrack Updates' \ BaseURL 'http://dl.rockylinux.org/$sigcontentdir/$releasever/fasttrack/$basearch/fasttrack-updates/' \ EnableGroups no \ GPGCheck no \ Visible yes \ Priority 9 \ status enabled
signal-event dnf-modify
dnf --enablerepo=smecontribs install smeserver-samba-dc
Configuration
you can list the available configuration with the following command :
config show samba
Some of the properties are not shown, but are defaulted in a template or a script. Here is a list with default and expected values :
| property | default | values |
|---|---|---|
| SambaIP | undefined | numeric |
| Password | undefined | string |
| status | disabled | enabled,disabled |
Add samba virtual interface
Samba in AD mode provides services that need a separate virtual interface.
A free static IP address needs to be chosen from the same range as SME's local network that is outside the DHCP pool.
/sbin/e-smith/db configuration setprop samba SambaIP a.b.c.d signal-event console-save
Confirm that the samba virtual interface is working
ifconfig
It can be disabled anytime ONLY if domain is not operational.
/sbin/e-smith/db configuration delprop samba SambaIP signal-event console-save
WARNING: changing this IP address after the domain is provisioned can cause problems and is not supported.
Set domain administrator password
Provisioning will fail unless a password is chosen that matches the complexity requirements. More details found here.
Random Strong Password Generator can be used.
WARNING: make sure to keep a copy of this password and do not modify this key after the domain is provisioned.
/sbin/e-smith/db configuration setprop samba Password Blu3Onyx!
Provisioning will also reserve the administrator user in SME for domain administrator, make sure it is not already used.
Provisioning
By default provisioning will use for realm current Windows workgroup name (default: sme-server) and append .INTERNAL to it.
Active Directory DC locating algorithm relies on DNS resolution, samba internal DNS back end will handle this via SME's domain-remote feature.
Make sure realm does not match any secondary domain set up or it will be overwritten.
WARNING: make sure to change Windows workgroup name before provisioning because domain rename is not supported.
WARNING: domain rename is only possible for now with complete domain reset and loss of all machine accounts.
provision
Testing
After a successful provisioning you can confirm the domain functionality
systemctl status samba samba-tool domain info a.b.c.d #SambaIP set above realm -v discover SME-SERVER.INTERNAL #in this example kinit -V administrator klist sambatool user list sambatool computer list smbstatus --configfile=/etc/samba/samba.conf samba-tool processes --configfile=/etc/samba/samba.conf
If all went well you can proceed to joining Windows PCs to the domain using domain administrator and password.
Before first login all users and admin must change their passwords from https://SME-IP/user-password portal.
WARNING: disabling samba service is not supported as user accounts and passwords will get out of sync.
Restoring missing user accounts can be done, additional passwords might also need to be reset.
syncadusers
Password policies
For now password changing via Ctrl-Alt-Delete is not be supported and will be disabled via password policies.
Password changing will only be possible from https://SME-IP/user-password or Server Manager - Collaboration - Users.
To prevent passwords from getting out of sync Password contrib will be installed and password aging will be activated.
Backup and database check
samba-tool domain backup offline --targetdir=/root --configfile=/etc/samba/samba.conf
samba-tool dbcheck --cross-ncs --configfile=/etc/samba/samba.conf samba-tool dbcheck --cross-ncs --fix --yes --configfile=/etc/samba/samba.conf
Uninstall
/sbin/e-smith/db yum_repositories delete fasttrack-updates signal-event dnf-modify
dnf remove smeserver-samba-dc
/sbin/e-smith/db domains delete sme-server.internal #in this example signal-event domain-modify
Bugs
Please raise bugs under the SME-Contribs section in bugzilla
and select the smeserver-samba-dc component or use this link
Below is an overview of the current issues for this contrib:
Changelog
Only released version in smecontrib are listed here.
