Difference between revisions of "Samba-dc"
Bunkobugsy (talk | contribs) |
Bunkobugsy (talk | contribs) |
||
| (9 intermediate revisions by the same user not shown) | |||
| Line 39: | Line 39: | ||
===Installation=== | ===Installation=== | ||
<tabs container><tab name="For SME 11"> | <tabs container><tab name="For SME 11"> | ||
| − | dnf --enablerepo=smetest update smeserver-base | + | dnf --enablerepo=smetest update smeserver-base # remove after released |
| − | Before continuing make sure you have at least smeserver-base-11.0.0- | + | Before continuing make sure you have at least smeserver-base-11.0.0-XX.el8.sme (remove after release) |
/sbin/e-smith/db yum_repositories set fasttrack-updates repository \ | /sbin/e-smith/db yum_repositories set fasttrack-updates repository \ | ||
Name 'Rocky Linux 8.10 - SIG FastTrack Updates' \ | Name 'Rocky Linux 8.10 - SIG FastTrack Updates' \ | ||
BaseURL 'http://dl.rockylinux.org/$sigcontentdir/$releasever/fasttrack/$basearch/fasttrack-updates/' \ | BaseURL 'http://dl.rockylinux.org/$sigcontentdir/$releasever/fasttrack/$basearch/fasttrack-updates/' \ | ||
| + | IncludePkgs samba*,python3-samba*,libnetapi,libsmbclient,libwbclient,python3-setproctitle \ | ||
EnableGroups no \ | EnableGroups no \ | ||
GPGCheck no \ | GPGCheck no \ | ||
| Line 68: | Line 69: | ||
|- | |- | ||
|SambaIP | |SambaIP | ||
| − | | | + | | |
|numeric | |numeric | ||
|- | |- | ||
|Password | |Password | ||
| − | | | + | | |
| + | |string | ||
| + | |- | ||
| + | |Realm | ||
| + | | | ||
|string | |string | ||
|- | |- | ||
| Line 83: | Line 88: | ||
A free static IP address needs to be chosen from the same range as SME's local network that is outside the DHCP pool. | A free static IP address needs to be chosen from the same range as SME's local network that is outside the DHCP pool. | ||
| − | + | config setprop samba SambaIP a.b.c.d | |
| − | + | /etc/e-smith/events/actions/update-ifcfg-1 | |
| + | systemctl restart network | ||
Confirm that the samba virtual interface is working | Confirm that the samba virtual interface is working | ||
| + | ip a | grep a.b.c.d | ||
| + | or check | ||
ifconfig | ifconfig | ||
It can be disabled anytime ONLY if domain is not operational. | It can be disabled anytime ONLY if domain is not operational. | ||
| − | / | + | config delprop samba SambaIP |
| − | + | /etc/e-smith/events/actions/update-ifcfg | |
| + | systemctl restart network | ||
WARNING: changing this IP address after the domain is provisioned can cause problems and is not supported. | WARNING: changing this IP address after the domain is provisioned can cause problems and is not supported. | ||
===Set domain administrator password=== | ===Set domain administrator password=== | ||
| Line 97: | Line 106: | ||
WARNING: make sure to keep a copy of this password and do not modify this key after the domain is provisioned. | WARNING: make sure to keep a copy of this password and do not modify this key after the domain is provisioned. | ||
| − | + | config setprop samba Password Blu3Onyx! | |
Provisioning will also reserve the administrator user in SME for domain administrator, make sure it is not already used. | Provisioning will also reserve the administrator user in SME for domain administrator, make sure it is not already used. | ||
| − | === | + | ===Choosing realm=== |
By default provisioning will use for realm current Windows workgroup name (default: sme-server) and append .INTERNAL to it. | By default provisioning will use for realm current Windows workgroup name (default: sme-server) and append .INTERNAL to it. | ||
| − | Active Directory DC locating | + | Active Directory DC locating relies on DNS resolution, samba internal DNS will handle this via domain-remote feature. |
| − | feature. | ||
| − | Make sure realm does not match | + | Make sure realm does not match SME's primary or additional domains because additional domains might get overwritten. |
| − | + | Choose well the realm by setting Windows workgroup before provisioning because domain rename is not supported. | |
WARNING: domain rename is only possible for now with complete domain reset and loss of all machine accounts. | WARNING: domain rename is only possible for now with complete domain reset and loss of all machine accounts. | ||
| + | ===Provisioning=== | ||
provision | provision | ||
| + | After a successful provisioning DO NOT CHANGE any configuration values. | ||
===Testing=== | ===Testing=== | ||
| − | + | To confirm Active Directory functionality | |
systemctl status samba | systemctl status samba | ||
samba-tool domain info a.b.c.d #SambaIP set above | samba-tool domain info a.b.c.d #SambaIP set above | ||
| − | realm -v discover | + | realm -v discover sme-server.internal #in this example |
| − | kinit -V administrator | + | kinit -V administrator #enter domain administrator password set above |
klist | klist | ||
sambatool user list | sambatool user list | ||
| Line 122: | Line 132: | ||
smbstatus --configfile=/etc/samba/samba.conf | smbstatus --configfile=/etc/samba/samba.conf | ||
samba-tool processes --configfile=/etc/samba/samba.conf | samba-tool processes --configfile=/etc/samba/samba.conf | ||
| + | Usual SME network shares are accessible on \\SME-IP\ whereas SYSVOL is available at \\SambaIP\ | ||
| + | smbclient -L localhost -U admin #enter SME admin password | ||
| + | smbclient -L a.b.c.d -U administrator #SambaIP set above, enter domain administrator password set above | ||
If all went well you can proceed to joining Windows PCs to the domain using domain administrator and password. | If all went well you can proceed to joining Windows PCs to the domain using domain administrator and password. | ||
| Line 132: | Line 145: | ||
===Password policies=== | ===Password policies=== | ||
| − | For now password changing via Ctrl-Alt-Delete is not | + | For now password changing via Ctrl-Alt-Delete is not supported and will be disabled via password policies. |
Password changing will only be possible from https://SME-IP/user-password or Server Manager - Collaboration - Users. | Password changing will only be possible from https://SME-IP/user-password or Server Manager - Collaboration - Users. | ||
To prevent passwords from getting out of sync [https://wiki.koozali.org/Password Password] contrib will be installed and password aging will be activated. | To prevent passwords from getting out of sync [https://wiki.koozali.org/Password Password] contrib will be installed and password aging will be activated. | ||
| − | === | + | ===Database backup and check=== |
samba-tool domain backup offline --targetdir=/root --configfile=/etc/samba/samba.conf | samba-tool domain backup offline --targetdir=/root --configfile=/etc/samba/samba.conf | ||
| Line 144: | Line 157: | ||
===Uninstall=== | ===Uninstall=== | ||
| + | remove custom repository | ||
/sbin/e-smith/db yum_repositories delete fasttrack-updates | /sbin/e-smith/db yum_repositories delete fasttrack-updates | ||
signal-event dnf-modify | signal-event dnf-modify | ||
| − | + | remove contrib | |
dnf remove {{#var:smecontribname}} | dnf remove {{#var:smecontribname}} | ||
| − | + | return to upstream samba packages | |
| − | + | dnf update | |
| − | |||
===Bugs=== | ===Bugs=== | ||
Please raise bugs under the SME-Contribs section in {{BugzillaFileBug|product=|component=|title= bugzilla}} | Please raise bugs under the SME-Contribs section in {{BugzillaFileBug|product=|component=|title= bugzilla}} | ||
Latest revision as of 07:56, 16 December 2024
 | |
| samba-dc logo | |
| Maintainer | maintainer |
|---|---|
| Url | https://wiki.koozali.org |
| Category | |
| Tags | File, this, with, a, list, of, tags |
Maintainer
initial work of Bunkobugsy
Version
Description
This package provides templates for samba Active Directory support. More details found here.
It will replace upstream samba packages with AD enabled ones from SIG/FastTrack repo. More details found here.
A secondary samba service will use separate samba data directories, set up via a distinct samba configuration.
This ensures that samba-dc instance won't interfere with normal filesharing samba services provided by SME core.
User accounts created in SME will be kept in sync with the LDAP service provided by samba Active Directory. More details here.
Users logged in to domain joined Windows PCs will have access to SME's samba shares via their namesake usernames and matching passwords. https://wiki.koozali.org/Client_Authentication:Windows#Login_to_shared_resources
In an Active Directory Kerberos requires an accurate time synchronization so make sure to set up NTP for all client computers.
Installation
dnf --enablerepo=smetest update smeserver-base # remove after released
Before continuing make sure you have at least smeserver-base-11.0.0-XX.el8.sme (remove after release)
/sbin/e-smith/db yum_repositories set fasttrack-updates repository \ Name 'Rocky Linux 8.10 - SIG FastTrack Updates' \ BaseURL 'http://dl.rockylinux.org/$sigcontentdir/$releasever/fasttrack/$basearch/fasttrack-updates/' \ IncludePkgs samba*,python3-samba*,libnetapi,libsmbclient,libwbclient,python3-setproctitle \ EnableGroups no \ GPGCheck no \ Visible yes \ Priority 9 \ status enabled
signal-event dnf-modify
dnf --enablerepo=smecontribs install smeserver-samba-dc
Configuration
you can list the available configuration with the following command :
config show samba
Some of the properties are not shown, but are defaulted in a template or a script. Here is a list with default and expected values :
| property | default | values |
|---|---|---|
| SambaIP | numeric | |
| Password | string | |
| Realm | string | |
| status | disabled | enabled,disabled |
Add samba virtual interface
Samba in AD mode provides services that need a separate virtual interface.
A free static IP address needs to be chosen from the same range as SME's local network that is outside the DHCP pool.
config setprop samba SambaIP a.b.c.d /etc/e-smith/events/actions/update-ifcfg-1 systemctl restart network
Confirm that the samba virtual interface is working
ip a | grep a.b.c.d
or check
ifconfig
It can be disabled anytime ONLY if domain is not operational.
config delprop samba SambaIP /etc/e-smith/events/actions/update-ifcfg systemctl restart network
WARNING: changing this IP address after the domain is provisioned can cause problems and is not supported.
Set domain administrator password
Provisioning will fail unless a password is chosen that matches the complexity requirements. More details found here.
Random Strong Password Generator can be used.
WARNING: make sure to keep a copy of this password and do not modify this key after the domain is provisioned.
config setprop samba Password Blu3Onyx!
Provisioning will also reserve the administrator user in SME for domain administrator, make sure it is not already used.
Choosing realm
By default provisioning will use for realm current Windows workgroup name (default: sme-server) and append .INTERNAL to it.
Active Directory DC locating relies on DNS resolution, samba internal DNS will handle this via domain-remote feature.
Make sure realm does not match SME's primary or additional domains because additional domains might get overwritten.
Choose well the realm by setting Windows workgroup before provisioning because domain rename is not supported.
WARNING: domain rename is only possible for now with complete domain reset and loss of all machine accounts.
Provisioning
provision
After a successful provisioning DO NOT CHANGE any configuration values.
Testing
To confirm Active Directory functionality
systemctl status samba samba-tool domain info a.b.c.d #SambaIP set above realm -v discover sme-server.internal #in this example kinit -V administrator #enter domain administrator password set above klist sambatool user list sambatool computer list smbstatus --configfile=/etc/samba/samba.conf samba-tool processes --configfile=/etc/samba/samba.conf
Usual SME network shares are accessible on \\SME-IP\ whereas SYSVOL is available at \\SambaIP\
smbclient -L localhost -U admin #enter SME admin password smbclient -L a.b.c.d -U administrator #SambaIP set above, enter domain administrator password set above
If all went well you can proceed to joining Windows PCs to the domain using domain administrator and password.
Before first login all users and admin must change their passwords from https://SME-IP/user-password portal.
WARNING: disabling samba service is not supported as user accounts and passwords will get out of sync.
Restoring missing user accounts can be done, additional passwords might also need to be reset.
syncadusers
Password policies
For now password changing via Ctrl-Alt-Delete is not supported and will be disabled via password policies.
Password changing will only be possible from https://SME-IP/user-password or Server Manager - Collaboration - Users.
To prevent passwords from getting out of sync Password contrib will be installed and password aging will be activated.
Database backup and check
samba-tool domain backup offline --targetdir=/root --configfile=/etc/samba/samba.conf
samba-tool dbcheck --cross-ncs --configfile=/etc/samba/samba.conf samba-tool dbcheck --cross-ncs --fix --yes --configfile=/etc/samba/samba.conf
Uninstall
remove custom repository
/sbin/e-smith/db yum_repositories delete fasttrack-updates signal-event dnf-modify
remove contrib
dnf remove smeserver-samba-dc
return to upstream samba packages
dnf update
Bugs
Please raise bugs under the SME-Contribs section in bugzilla
and select the smeserver-samba-dc component or use this link
Below is an overview of the current issues for this contrib:
Changelog
Only released version in smecontrib are listed here.
