Difference between revisions of "Advanced Samba"

From SME Server
(Undo revision 39939 by Unnilennium (talk))
Tag: Undo
 
(64 intermediate revisions by 7 users not shown)
Line 1: Line 1:
 
{{Languages}}
 
{{Languages}}
 +
{{usefulnote}}
 +
==Advanced Samba Modifications==
 +
{{Level|Advanced}}
 +
 
===Maintainer===
 
===Maintainer===
Greg J. Zartman (greg@leiinc.com)
+
[mailto:greg@leiinc.com Greg J. Zartman]
 +
=== Version ===
  
===Description===
+
{{ #smeversion: smeserver-adv-samba }}
  
Advanced Samba is a SME Contrib to extend SME's Samba functionality to support all standard Windows Server Roles.  Out-of-the-box, SME Server supports Workgroup and Primary Domain Controller Server Roles.  These, out-of-the-box, Server Roles address many Windows Network needs, but they do not provide all of the functionality available to todays typical Windows Server.
 
  
This document provides procedural and SME specific RPM(s) to configure SME Server to function in all mainstream Windows Server Roles:
 
  
1. '''Domain Member''':  In this Server Role, SME will present Ibays to a Domain as Windows Network Shares, relying on a separate Domain Controller for client/user authentication.  That is, authenticated Windows Network users can access ibays on the SME Domain Member machine without needing a local user account.
+
===Description===
  
2.  '''Backup Domain Controller''':  In this Server Role, SME will provide all functionality available as a Domain Member, but it can also take over the role as the Domain Controller if certain network conditions existAs with the Domain Member Server Role, it is not necessary for the Network Administrator to create user accounts on the SME Backup Domain Controller machine.  SME, in this Server Role, will maintain (or replicate) a local copy of user/client authentication information from the Primary Domain Controller in the event that it needs to take on the role of Domain Controller.
+
Advanced Samba is a SME Server contrib to extend SME Servers Samba functionality to support all standard Windows server rolesOut-of-the-box, SME Server supports workgroup and primary domain controller (PDC) server roles. These, out-of-the-box, server roles address many Windows Network needs, but they do not provide all of the functionality available to todays typical Windows Server.
  
3.  '''Active Directory Domain Controller''':  This Server Role is very similar to the out-of-the-box SME Server Role Primary Domain Controller (PDC).  In addition to those functions provided by the PDC, the SME Active Directory Domain Controller will maintain a directory of Windows Active Directory Services.
+
This document provides procedural and SME Server specific RPM(s) to configure SME Server to function in all mainstream Windows server roles:
  
4'''Active Directory Domain Member''':  This Server Role is nearly identical to the Domain Member Server Role except that in this Server Role, SME will have access to Active Directory Services provided by a n Active Directory Server.
+
====Workgroup server====
 +
In this server role, SME Server will act as a typical Windows NT, 2000, XP, or Vista machine in a windows peer-to-peer networkAccess to network shares on the SME Server requires a local user account with appropriate network privileges.
  
It should be noted that this Contrib is a work in progress.  Preliminary is provided for all Server Roles and full support for a selection of them, as detailed below.  In time, all Server Roles listed here in will be fully supported by this Contrib.
+
====Primary domain controller====
 +
In this server role, SME Server will function as a Windows NT4 style domain controller, providing client/user authentication, WINS, windows user profile management, and print services.
  
===Prerequisites===
+
====Domain member====
 +
In this server role, SME Server will present ibays to a domain as Windows network shares, relying on a separate domain controller for client/user authentication.  That is, authenticated Windows network users can access ibays on SME Server domain member machines without needing a local user account.
  
The current releases of SME do not support Samba Server Roles directlyModification of several core SME packages is required to support Samba Server Roles, therefore it is not possible to provide Advanced Samba functions with a typical Contrib RPM.
+
====Backup domain controller====
 +
In this server role, SME Server will provide all functionality available as a domain member, but it can also take over the role as the domain controller if certain network conditions existAs with the domain member server role, it is not necessary for the network administrator to create user accounts on the SME Server backup domain controller machine. SME Server, in this server role, will maintain (or replicate) a local copy of user/client authentication information from the primary domain controller in the event that it needs to take on the role of primary domain controller.
  
An effort to update the necessary Core SME packages is being tracked in the following SME bug report:
+
====Active Directory domain controller====
http://bugs.contribs.org/show_bug.cgi?id=4172
+
This server role is very similar to the out-of-the-box SME server role primary domain controller.  In addition to those functions provided by the PDC, the SME Server Active Directory domain controller will maintain a directory of Windows Active Directory services.
  
It is the Maintainers opinion that these changes will ultimately be included in the core SME packages.    When this occurs, it is very likely that this section of this contrib will go away.
+
====Active Directory domain member====
 +
This server role is nearly identical to the domain member server role except that in this server role, SME Server will have access to Active Directory services provided by an Active Directory server.
  
Until these changes are incorporated into the core packages, patched versions of the current release SME packages will be provided as part of this contrib.  It is necessary that users install these "patched" core packages to take advantage of Samba Server Roles.  EVERY effort is made to provide this additional functionality without changing standard SME functionality.  In other words, the patched core SME packages will not change they way SME currently functions -- the modified core packages simply provide the additional Server Role functionality.
+
It should be noted that this contrib is a work in progressPreliminary support is provided for all Server Roles and full support for a selection of them, as detailed below.  In time, all server roles listed here in will be fully supported by this contrib.
  
 +
===Prerequisites===
 +
{{Warning box|this part seems related to SME7}}
  
'''''INSTALL NECESSARY PATCHED PACKAGES''''':
+
The current releases of SME Server do not support Samba server roles directly, but updated packages have been developed and are in the testing repos.  It is just a matter of installing them. 
  
1. Download the patched Server Role RPMs from my contribs repository to your local machine: http://mirror.contribs.org/contribs/gzartman/Contribs/7/Samba/
+
====Update e-smith-samba====
  
2. Install the patched rpms:
+
1. Install from testing repo:
  yum localinstall *.rpm
+
  yum update --enablerepo=smeupdates-testing e-smith-samba
  
3. Reconfigure and reboot machine:   
+
2. Reconfigure and reboot machine:   
  signal-event post-upgrade; signal-event reboot.
+
  signal-event post-upgrade; signal-event reboot
  
Thats is!
+
===Install Advanced Samba RPM===
  
===Install Advanced Samba RPMS===
+
It is necessary to install one additional RPM prior to configuring SME Server in advanced server roles. This package provides necessary Samba functionality that may not be available in Core SME Server packages:
  
It is necessary to install one addition RPM prior to configuring SME Server in advanced server roles. This package provides necessary Samba functionality that may not be available in Core SME packages:
+
1. Install the latest advanced samba rpm from the contribs repos:
 +
  yum install --enablerepo=smecontribs smeserver-adv-samba
  
1. Download smeserver-adv-samba package to your local machine:
+
2. Reconfigure machine:
  wget http://mirror.contribs.org/releases/7/smecontribs/i386/RPMS/smeserver-adv-samba-0.1.0-2.el4.sme.noarch.rpm
+
  signal-event post-upgrade; signal-event reboot
  
2. Install package:  
+
=== Configure server roles ===
  yum local install smeserver-adv-samba*
+
As most of those familiar with SME Server know, much of the configuration (management) of the SME Server can be done through the server-manager web interface.  The current SME Server server-manager includes a panel, Workgroup, which provides the Administrator the ability to configure SME Server as either a workgroup server of a primary domain controllerNothing presented in this contrib (software or documentation) will change this. We have worked to provide seamless integration of new functionality with the current SME Server -- nothing will change if you desire to stick with the standard options.
  
3. Reconfigure machine: 
+
However, further functionality with respect to Samba server roles is provided via shell command line options
signal-event post-upgrade; signal-event reboot
 
  
=== Configure Server Roles ===
+
{{Note box|It is this authors desire to add further functionality to the server-manager with respect to server roles -- perhaps it will happen one day.}}
As most of those familiar with SME Server know, much of configuration (management) of the SME Server can be done through the Server Manager.  The current SME Server Manager provides a panel, Workgroup, which provides the Administrator the ability to configure SME Server as either a Workgroup Server of a Primary Domain Controller.  NOTHING presented in this Contrib (software or documentation) will change this.  We have worked to provide seamless integration of new functionality with the current SME Server -- nothing will change if you desire to stick with the standard options.
 
  
However, further functionality with respect to Samba Server Roles is provided via shell command line options (Note: It is this authors desire to add further functionality to the Server Manager with respect to Server Roles -- perhaps it will happen one day.  I do understand the Development Teams desire to take a conservative stance on functionality)
+
Samba server role support is provided as follows:
  
Advanced Samba Server Role Support is provided as follows:
+
==== Workgroup server ====
 +
This server role configures SME Server to function as a member of a Microsoft Windows peer-to-peer network. In order to access network shares on the SME Server machine when it is configured in this server role, users/clients must have local user accounts on the SME Server machine.  This is the simplest of Microsoft network configurations.  In this server role, SME Server will act as a typical Windows client (e.g., Win 95, Win XP, Win 2000, etc.) 
  
==== Workgroup Server ====
+
=====Configuration=====
This Server Role configures SME Server to function as a member of a MS Windows Peer-To-Peer network.  In order to access network shares on the SME machine when it is configured in this Server Role, users/clients must have local user accounts on the SME machine.  This is the simplest of MS Network configurations.  In this Server Role, SME will act as a typical Windows Client (e.g., Win 95, Win XP, Win 2000, etc.) 
 
  
'''''--Configuration:'''''
+
''Currently supported via the standard Server Manager Panel''
  
  Currently supported via the standard Server Manager Panel
+
==== Primary domain controller ====
 +
This server role configures SME Server to function as a Windows NT4 type domain controller.  
  
==== Primary Domain Controller ====
+
=====Configuration=====
  
==== Domain Member ====
+
''Currently supported via the standard server-manager panel''
In this Server Mode, SME Server will act as a File and/or Print Server to an existing Windows Network Domain. User/Client accounts on the local machine are not required to access Domain Member resources (shares).  Ibays created will be presented as standard Windows shares.
 
  
'''''--Configuration:'''''
+
==== Domain member ====
 +
In this server role, SME Server will act as a file and/or print server to an existing Windows network domain. User/client accounts on the local machine are not required to access domain member resources (shares).  Ibays created will be presented as standard Windows shares.
  
1. Open a shell (bash) session and log into your SME box with root access.
+
=====Configuration=====
  
3. At the bash prompt:  config setprop smb ServerName machine_name_for_domain_member_box
+
1. Open a SME Server shell session and log into your SME Server box with root access.
  
4. At the bash prompt:  config setprop smb ServerRole DM
+
2. At the SME Server prompt:
 +
  config setprop smb ServerName machine_name_of_domain_member_box
  
5. At the bash prompt:  config setprop smb WINSServer ip_address_of_domain_PDC
+
3. At the SME Server prompt:
 +
  config setprop smb Workgroup workgroup_or_domain_name
  
6. Verify settings. config show smb.  You should get similar output to the following.
+
4. At the SME Server prompt:
 +
config setprop smb ServerRole DM
  
[root@testbed ~]# config show smb
+
5. At the SME Server prompt:
 +
config setprop smb WINSServer ip_address_of_domain_PDC
  
 +
6. Verify settings:
 +
config show smb 
 +
Should show you an output similar to this:
 +
[root@testbed ~]# config show smb
 
  smb=service
 
  smb=service
 
     DeadTime=10080
 
     DeadTime=10080
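Review bot: The added Prerequisites step installs e-smith-samba from the smeupdates-testing repo, yet the new warning box only says "this part seems related to SME7"; state which SME Server releases the step applies to, so that readers on other releases do not enable a testing repo without need. In the added "Configure server roles" paragraph, "workgroup server of a primary domain controller" should read "or", and the sentence ending "via shell command line options" has no full stop.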
Line 107: Line 125:
 
     status=enabled
 
     status=enabled
  
7. At bash prompt:  signal-event workgroup-update
+
7. At SME Server prompt:
 
+
  signal-event workgroup-update
8. At the bash prompt:  net rpc join -U admin%pdc_admin_password
 
  
 +
8. At the SME Server prompt:
 +
net rpc join -U pdc_admin_username%pdc_admin_password
 +
Output:
 
  [root@testbed2 ~]# net rpc join -U admin%pdc_admin_password
 
  [root@testbed2 ~]# net rpc join -U admin%pdc_admin_password
 
  Joined domain LEI-SALEM.
 
  Joined domain LEI-SALEM.
 
  [root@testbed2 ~]#
 
  [root@testbed2 ~]#
 +
{{Note box|You will need the admin password from your PDC to complete this step. 
 +
Also, take specific note of the format of the net command above.  The admin username and password MUST follow the -U flag, otherwise the command will fail.  This is due to a bug in the net command in the current version of samba.}}
 +
 +
9.  At the SME Server prompt:
 +
signal-event workgroup-update
 +
 +
Your SME Server domain member shares should now be accessible from authenticated windows network clients.
  
Note: You will need the admin password from your PDC to complete this step.
+
==== Backup domain controller ====
 +
{{Warning box|Preliminary support for this server role only.  Do '''not''' attempt to deploy this server role on SME Server unless you are very experienced with SME Server.
 +
SME Server support for this server role is coming soon.}}
  
9At the bash prompt:  signal-event workgroup-update.
+
==== Active Directory domain controller ====
 +
{{Warning box|Preliminary support for this server role onlyDo '''not''' attempt to deploy this server role on SME Server unless you are very experienced with SME Server.
 +
SME Server support for this server role is coming soon.}}
  
Your SME Domain Client box shares should now be accessable.
+
==== Active Directory domain member ====
 +
{{Warning box|Preliminary support for this server role only.  Do '''not''' attempt to deploy this server role on SME Server unless you are very experienced with SME Server.
 +
SME Server support for this server role is coming soon.}}
  
==== Backup Domain Controller ====
+
=== Known issues===
To remove the package issue the following command on the SME Server shell:
 
==== Active Directory Domain Controller ====
 
To remove the package issue the following command on the SME Server shell:
 
==== Active Directory Domain Member ====
 
To remove the package issue the following command on the SME Server shell:
 
  
 +
====Domain Users and Groups, SME Server as a domain member====
  
To remove mysql database and user, both are wordpress, see [[MySQL#Remove a database]] and [[MySQL#Remove a user]]. There is no need to reboot.
+
It is not currently possible to restrict access to network resources by username or groupname when SME Server is functioning as a domain member.  This is because SME Server as a domain member relies on the domain controller for authentication.  Therefore, local authentication databases (e.g., passwd, groups) do not contain the user and group names of domain users accessing the SME Server domain member box.
  
=== Support Status ===
+
Access control to network resources is specified in the SME server-manager web interface, which only recognizes local groups, not domain groups.  To maintain current SME Server functionality, this contrib treats all authenticated users as if they are members of the local group assigned to the network resource in the server-manager interface.  At some point in the future, this contrib may provide functionality that would allow the administrator to restrict access to network resources based on domain groups.
  
=== Known Issues ===
+
Adding a Samba server to a Windows network can cause issues with Netbios browsing for the Windows workstations.  The computers on the network will compete to win the (Netbios) 'browser election' with the system that wins in charge of maintaining the list of local network computers.  The system that wins the election is controlled by OS Level setting.  The default OS Level within the SME Samba configuration is 35. The default OS Level for a Windows 2003 server is 32.  The higher number wins.  Change the Samba (smb.conf) setting to allow whichever system is required to maintain the Netbios browse list to win the election.
 +
 
 +
====Active Directory====
 +
 
 +
NONE of the currently supported server roles will fully integrate with an Active Directory network environment.  The currently supported server roles will work with NT4 network or windows workgroup environments only.  Specifically, those who desire to deploy the Domain Member server role need to be aware that this server role WILL NOT provide domain membership in a Active Directory domain, only a NT4 domain.
  
 
=== Bugs ===
 
=== Bugs ===
Please raise bugs under the SME-Contribs section in {{BugzillaFileBug|product=|component=|title=bugzilla}}and select the smeserver-wordpress component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-wordpress|title=this link}}.
+
Please raise bugs under the SME Contribs section in {{BugzillaFileBug|product=|component=smeserver-adv-samba|title=bugzilla}}.
 +
 
 +
{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-adv-samba|noresultsmessage="No open bugs found."}}
 +
 
  
 +
=== Changelog ===
 +
Only released version in smecontrib are listed here.
  
 +
{{#smechangelog: smeserver-adv-samba}}
 +
----
 
[[Category: Contrib]]
 
[[Category: Contrib]]
[[Category: Webapps]]
+
[[Category: Administration]]
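Review bot: Step 8 as added, net rpc join -U pdc_admin_username%pdc_admin_password, puts the PDC admin password on the command line, where it is kept in root's shell history and is visible in the process list while the command runs; the note box added under it should say so and tell the administrator to clear that history entry afterwards. The sample output below the step still shows admin%pdc_admin_password rather than the new pdc_admin_username placeholder, and the NetBIOS browser election paragraph added to Known issues sits under the "Domain Users and Groups" heading without a heading of its own.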

Latest revision as of 16:52, 18 April 2021



Advanced Samba Modifications

Skill level: Advanced
The instructions on this page may require deviations from standard procedures. A good understanding of Linux and Koozali SME Server is recommended.


Maintainer

Greg J. Zartman

Version

Devel 10:
Contrib 9:
smeserver-adv-samba
The latest version of smeserver-adv-samba is available in the SME repository, click on the version number(s) for more information.



Description

Advanced Samba is an SME Server contrib that extends SME Server's Samba functionality to support all standard Windows server roles. Out of the box, SME Server supports the workgroup and primary domain controller (PDC) server roles. These out-of-the-box server roles address many Windows network needs, but they do not provide all of the functionality available to today's typical Windows Server.

This document provides the procedures and SME Server specific RPM(s) needed to configure SME Server to function in all mainstream Windows server roles:

Workgroup server

In this server role, SME Server will act as a typical Windows NT, 2000, XP, or Vista machine in a Windows peer-to-peer network. Access to network shares on the SME Server requires a local user account with appropriate network privileges.

Primary domain controller

In this server role, SME Server will function as a Windows NT4 style domain controller, providing client/user authentication, WINS, Windows user profile management, and print services.

Domain member

In this server role, SME Server will present ibays to a domain as Windows network shares, relying on a separate domain controller for client/user authentication. That is, authenticated Windows network users can access ibays on SME Server domain member machines without needing a local user account.

Backup domain controller

In this server role, SME Server will provide all functionality available as a domain member, but it can also take over the role as the domain controller if certain network conditions exist. As with the domain member server role, it is not necessary for the network administrator to create user accounts on the SME Server backup domain controller machine. SME Server, in this server role, will maintain (or replicate) a local copy of user/client authentication information from the primary domain controller in the event that it needs to take on the role of primary domain controller.

Active Directory domain controller

This server role is very similar to the out-of-the-box SME server role primary domain controller. In addition to those functions provided by the PDC, the SME Server Active Directory domain controller will maintain a directory of Windows Active Directory services.

Active Directory domain member

This server role is nearly identical to the domain member server role except that in this server role, SME Server will have access to Active Directory services provided by an Active Directory server.

It should be noted that this contrib is a work in progress. Preliminary support is provided for all server roles and full support for a selection of them, as detailed below. In time, all server roles listed herein will be fully supported by this contrib.

Prerequisites

Warning:
This part seems related to SME7.


The current releases of SME Server do not support Samba server roles directly, but updated packages have been developed and are in the testing repos. It is just a matter of installing them.

Update e-smith-samba

1. Install from testing repo:

yum update --enablerepo=smeupdates-testing e-smith-samba

2. Reconfigure and reboot machine:

signal-event post-upgrade; signal-event reboot

Install Advanced Samba RPM

It is necessary to install one additional RPM prior to configuring SME Server in advanced server roles. This package provides necessary Samba functionality that may not be available in Core SME Server packages:

1. Install the latest advanced samba rpm from the contribs repos:

yum install --enablerepo=smecontribs smeserver-adv-samba

2. Reconfigure machine:

signal-event post-upgrade; signal-event reboot

Configure server roles

As most of those familiar with SME Server know, much of the configuration (management) of the SME Server can be done through the server-manager web interface. The current SME Server server-manager includes a panel, Workgroup, which gives the administrator the ability to configure SME Server as either a workgroup server or a primary domain controller. Nothing presented in this contrib (software or documentation) will change this. We have worked to provide seamless integration of new functionality with the current SME Server -- nothing will change if you desire to stick with the standard options.

However, further functionality with respect to Samba server roles is provided via shell command line options.


Note:
It is this author's desire to add further functionality to the server-manager with respect to server roles -- perhaps it will happen one day.


Samba server role support is provided as follows:

Workgroup server

This server role configures SME Server to function as a member of a Microsoft Windows peer-to-peer network. In order to access network shares on the SME Server machine when it is configured in this server role, users/clients must have local user accounts on the SME Server machine. This is the simplest of Microsoft network configurations. In this server role, SME Server will act as a typical Windows client (e.g., Win 95, Win XP, Win 2000, etc.)

Configuration

Currently supported via the standard Server Manager Panel

Primary domain controller

This server role configures SME Server to function as a Windows NT4 type domain controller.

Configuration

Currently supported via the standard server-manager panel

Domain member

In this server role, SME Server will act as a file and/or print server to an existing Windows network domain. User/client accounts on the local machine are not required to access domain member resources (shares). Ibays created will be presented as standard Windows shares.

Configuration

1. Open a SME Server shell session and log into your SME Server box with root access.

2. At the SME Server prompt:

config setprop smb ServerName machine_name_of_domain_member_box

3. At the SME Server prompt:

config setprop smb Workgroup workgroup_or_domain_name

4. At the SME Server prompt:

config setprop smb ServerRole DM

5. At the SME Server prompt:

config setprop smb WINSServer ip_address_of_domain_PDC

6. Verify settings:

config show smb  

This should show output similar to the following:

[root@testbed ~]# config show smb
smb=service
   DeadTime=10080
   DomainMaster=no
   KeepVersions=disabled
   OpLocks=enabled
   OsLevel=35
   RecycleBin=disabled
   RoamingProfiles=no
   ServerName=testbed2
   ServerRole=DM
   ShadowCount=10
   ShadowDir=/home/e-smith/files/.shadow
   UnixCharSet=UTF8
   UseClientDriver=yes
   WINSServer=90.0.0.20
   Workgroup=lei-salem
   status=enabled

7. At the SME Server prompt:

signal-event workgroup-update

8. At the SME Server prompt:

net rpc join -U pdc_admin_username%pdc_admin_password

Output:

[root@testbed2 ~]# net rpc join -U admin%pdc_admin_password
Joined domain LEI-SALEM.
[root@testbed2 ~]#

Note:
You will need the admin password from your PDC to complete this step.

Also, take specific note of the format of the net command above. The admin username and password MUST follow the -U flag, otherwise the command will fail. This is due to a bug in the net command in the current version of Samba.


9. At the SME Server prompt:

signal-event workgroup-update

Your SME Server domain member shares should now be accessible from authenticated Windows network clients.
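
A pre-join check for steps 2 to 6, as an added example that is not part of the contrib or of the original page: it parses `config show smb` output and reports settings that do not match the domain member setup described above. The function names and the sample input (constructed from the output shown in step 6) are assumptions of the example, and the 15-character name limit is a general NetBIOS constraint rather than something this page states.

```shell
#!/bin/sh
# Added example: audit the smb settings from steps 2-6 before the
# `net rpc join` in step 8. All function names here are hypothetical.

# Constructed sample, modelled on the `config show smb` output in step 6.
sample_smb_config() {
    cat <<'EOF'
smb=service
    DomainMaster=no
    OsLevel=35
    ServerName=testbed2
    ServerRole=DM
    WINSServer=90.0.0.20
    Workgroup=lei-salem
    status=enabled
EOF
}

# get_prop KEY: read `config show smb` text on stdin, print KEY's value.
get_prop() {
    sed -n "s/^[[:space:]]*$1=//p" | head -n 1
}

# is_ipv4 ADDR: succeed only for a dotted quad with each octet in 0-255.
is_ipv4() {
    octet='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($octet\.){3}$octet\$"
}

# fail MESSAGE: print one finding and count it.
fail() {
    echo "FAIL: $1"
    problems=$((problems + 1))
}

# prop KEY: look KEY up in the text captured by audit_domain_member.
prop() {
    printf '%s\n' "$cfg" | get_prop "$1"
}

# audit_domain_member: read `config show smb` text on stdin, print one
# line per problem, and return 0 only when no problem was found.
audit_domain_member() {
    cfg=$(cat)
    problems=0
    role=$(prop ServerRole)
    name=$(prop ServerName)
    wins=$(prop WINSServer)
    group=$(prop Workgroup)

    # Step 4: the role must be DM for a domain member.
    [ "$role" = DM ] || fail "ServerRole is '$role', expected DM"

    # Steps 2 and 3: names must be set; NetBIOS allows at most 15 characters.
    { [ "${#name}" -ge 1 ] && [ "${#name}" -le 15 ]; } ||
        fail "ServerName '$name' must be 1-15 characters"
    { [ "${#group}" -ge 1 ] && [ "${#group}" -le 15 ]; } ||
        fail "Workgroup '$group' must be 1-15 characters"

    # Step 5: WINSServer must be the IP address of the domain's PDC.
    is_ipv4 "$wins" || fail "WINSServer '$wins' is not an IPv4 address"

    # Assumption taken from the sample output: a domain member leaves
    # the domain master role to the PDC and has the service enabled.
    [ "$(prop DomainMaster)" = no ] || fail "DomainMaster should be no"
    [ "$(prop status)" = enabled ] || fail "smb service is not enabled"

    if [ "$problems" -eq 0 ]; then
        echo "OK: settings match the domain member procedure"
        return 0
    fi
    return 1
}

# Demonstration on the constructed sample. On a real SME Server the
# input would come from: config show smb | audit_domain_member
sample_smb_config | audit_domain_member
```
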

Backup domain controller

Warning:
Preliminary support for this server role only. Do not attempt to deploy this server role on SME Server unless you are very experienced with SME Server.

SME Server support for this server role is coming soon.


Active Directory domain controller

Warning:
Preliminary support for this server role only. Do not attempt to deploy this server role on SME Server unless you are very experienced with SME Server.

SME Server support for this server role is coming soon.


Active Directory domain member

Warning:
Preliminary support for this server role only. Do not attempt to deploy this server role on SME Server unless you are very experienced with SME Server.

SME Server support for this server role is coming soon.


Known issues

Domain Users and Groups, SME Server as a domain member

It is not currently possible to restrict access to network resources by username or groupname when SME Server is functioning as a domain member. This is because SME Server as a domain member relies on the domain controller for authentication. Therefore, local authentication databases (e.g., passwd, groups) do not contain the user and group names of domain users accessing the SME Server domain member box.

Access control to network resources is specified in the SME server-manager web interface, which only recognizes local groups, not domain groups. To maintain current SME Server functionality, this contrib treats all authenticated users as if they are members of the local group assigned to the network resource in the server-manager interface. At some point in the future, this contrib may provide functionality that would allow the administrator to restrict access to network resources based on domain groups.

Adding a Samba server to a Windows network can cause issues with NetBIOS browsing for the Windows workstations. The computers on the network compete to win the NetBIOS 'browser election'; the system that wins is in charge of maintaining the list of local network computers. Which system wins the election is controlled by the OS Level setting. The default OS Level within the SME Samba configuration is 35. The default OS Level for a Windows 2003 server is 32. The higher number wins. Change the Samba (smb.conf) setting to allow whichever system is required to maintain the NetBIOS browse list to win the election.

Active Directory

NONE of the currently supported server roles will fully integrate with an Active Directory network environment. The currently supported server roles will work with NT4 network or Windows workgroup environments only. Specifically, those who desire to deploy the Domain Member server role need to be aware that this server role WILL NOT provide domain membership in an Active Directory domain, only an NT4 domain.

Bugs

Please raise bugs under the SME Contribs section in bugzilla.

ID | Product | Version | Status | Summary
11305 | SME Contribs | 10alpha | IN_PROGRESS | Initial Import to SME10 tree [smeserver-adv_samba]


Changelog

Only released versions in smecontrib are listed here.