SAMBA 4 - Misc Development Topics
Latest revision as of 23:12, 30 July 2016
General Development Notes
Template Fragments
/etc/smb.conf
Complete rewrite of all template fragments
smb.conf Considerations
The smb.conf configuration file can be simplified significantly for Samba 4. Of specific interest are the following new parameters:
Server Services: This parameter is not well documented, but the following services can be provided by the Samba daemon: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, ntp_signd, kcc, dnsupdate, dns, smb, nmb, winbind. The default for this parameter is: server services = s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns. Services can be added to or removed from the default by prefixing a service name with + or -, for example
server services = -s3fs +smb (remove s3fs, add smb). Note that the smb, nmb and winbind services are the equivalents of the older, Samba 3 style stand-alone daemons. Of specific interest to SME 9 may be the nmb service for WINS support. As we begin testing we may need to enable this service, and possibly smb for simple share access. Caveat: in Samba 4 the smb service is the legacy NTVFS file server, while the default s3fs service already runs a full smbd for file shares, so for share access on a DC keep s3fs rather than swapping in smb.
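The resolution rule above, as an added example (shell; not SME or Samba code): given a hypothetical ServerServices property value, compute the effective service list and the smb.conf line that a template fragment would emit, rejecting any name outside the known set. The property name and the treatment of explicit lists versus +/- deltas are assumptions of this example.

```shell
#!/bin/sh
# Added example (not SME or Samba code): resolve a hypothetical ServerServices
# property into the list a template fragment would emit as
# "server services = ..." in smb.conf. Service names and the default set are
# the ones listed above; the +/- delta syntax mirrors smb.conf(5).

KNOWN_SERVICES="s3fs rpc nbt wrepl ldap cldap kdc drepl ntp_signd kcc dnsupdate dns smb nmb winbind"
DEFAULT_SERVICES="s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns"

# is_known_service NAME: succeed only for a name in KNOWN_SERVICES.
is_known_service() {
    for s in $KNOWN_SERVICES; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# list_without LIST NAME: LIST with every occurrence of NAME removed.
list_without() {
    out=""
    for s in $1; do
        [ "$s" = "$2" ] || out="${out:+$out }$s"
    done
    printf '%s' "$out"
}

# list_with LIST NAME: LIST with NAME appended unless it is already there.
list_with() {
    for s in $1; do
        [ "$s" = "$2" ] && { printf '%s' "$1"; return 0; }
    done
    printf '%s' "${1:+$1 }$2"
}

reject() { printf 'server services: %s\n' "$1" >&2; return 1; }

# effective_server_services VALUE
# VALUE is empty (keep the default), an explicit list ("smb nmb"), or deltas
# against the default ("-s3fs +smb"). Unknown names and a mix of bare names
# with +/- tokens are rejected, so a typo fails template expansion instead of
# silently producing an smb.conf line that Samba then ignores or misreads.
effective_server_services() {
    value=$1
    set -- $value
    case ${1-} in
        "")    printf '%s\n' "$DEFAULT_SERVICES"; return 0 ;;
        [+-]*) mode=delta; result=$DEFAULT_SERVICES ;;
        *)     mode=explicit; result="" ;;
    esac
    for tok in $value; do
        case $tok in
            -*) [ "$mode" = delta ] || { reject "cannot mix '$tok' with a bare list"; return 1; }
                name=${tok#-}
                is_known_service "$name" || { reject "unknown service '$name'"; return 1; }
                result=$(list_without "$result" "$name") ;;
            +*) [ "$mode" = delta ] || { reject "cannot mix '$tok' with a bare list"; return 1; }
                name=${tok#+}
                is_known_service "$name" || { reject "unknown service '$name'"; return 1; }
                result=$(list_with "$result" "$name") ;;
            *)  [ "$mode" = explicit ] || { reject "cannot mix '$tok' with +/- tokens"; return 1; }
                is_known_service "$tok" || { reject "unknown service '$tok'"; return 1; }
                result=$(list_with "$result" "$tok") ;;
        esac
    done
    printf '%s\n' "$result"
}

# smb_conf_server_services VALUE: the complete smb.conf line for VALUE.
smb_conf_server_services() {
    list=$(effective_server_services "$1") || return 1
    printf 'server services = %s\n' "$list"
}
```

A fragment that copied the property verbatim would let a typo such as +smbd reach smb.conf; the resolver fails instead, which is the behaviour you want for a setting that decides whether the KDC, LDAP and DNS servers start at all.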
Server Role: The Samba 4 samba daemon runs only in the Active Directory domain controller server role; the stand-alone and member-server roles are still provided by the classic smbd/nmbd daemons. For now, we'll force the Samba config into the DC server role, but provide a fragment for expansion later. There is a long explanation behind this, but for now the restriction doesn't hurt us. SME as a DC will provide auth for both domain membership and simple shares, with clients either joining the domain or logging into the server every time.
/etc/raddb/radiusd.conf
Need to check and/or modify the following existing fragments (grep of the template tree for smbpasswd references):

    etc/raddb/radiusd.conf/25modules30smbpasswd: # An example configuration for using /etc/samba/smbpasswd.
    etc/raddb/radiusd.conf/25modules30smbpasswd:} passwd smbpasswd \{
    etc/raddb/radiusd.conf/25modules30smbpasswd:     filename = /etc/samba/smbpasswd
    etc/raddb/radiusd.conf/25modules25mschap: # reading from /etc/smbpasswd.
    etc/raddb/radiusd.conf/25modules25mschap: # If you are using /etc/smbpasswd, see the 'passwd'
    etc/raddb/radiusd.conf/25modules25mschap: # module for an example of how to use /etc/smbpasswd
    etc/raddb/radiusd.conf/65authorization40default: # If you are using /etc/smbpasswd, and are also doing
    etc/raddb/radiusd.conf/65authorization40default: # configure the 'smbpasswd' module, above.
    etc/raddb/radiusd.conf/65authorization40default: ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd';

These all assume an smbpasswd file, which an AD DC does not maintain (password hashes live in sam.ldb). The usual replacement for MS-CHAP over RADIUS against a Samba domain is to point the mschap module at ntlm_auth, which asks winbind to validate the challenge/response, so these fragments will need rewriting rather than repointing.
/etc/krb5.conf
Create new template fragments for this configuration file
Configuration Database Parameters
Default key and property values:
| Database name | Unique key | Property name | Default value | Possible values | Description |
|---|---|---|---|---|---|
| configuration | SMBD | | DELETE | | Delete this key. Replaced by other keys |
| | NMBD | | DELETE | | Delete this key. Replaced by other keys |
| | SMB | | service | | Existing SMB key; its properties change as listed below |
| | | UnixCharSet | DELETE | | Delete this property |
| | | workgroup | sme-server | User defined | NetBIOS domain name; on a DC it must match the NetBIOS name given to samba-tool domain provision |
| | | ServerString | SME Server | User defined | |
| | | ServerRole | DC | SA / BD / DC | Stand Alone, Backup Domain or Domain Controller. Only DC runs under the samba daemon; SA and BD would need the classic smbd/nmbd daemons |
| | | OpLocks | enabled | enabled / disabled | |
| | | KernelOplocks | enabled | enabled / disabled | |
| | | Level2Oplocks | enabled | enabled / disabled | |
| | | AllowDNSUpdates | nonsecure | disabled / nonsecure and secure / secure only | Feeds allow dns updates. "nonsecure" on its own is not a value smb.conf accepts; the fragment must write "nonsecure and secure", which lets any host that can reach port 53 register records without authentication. Samba's own default is secure only |
| | | DNSForwarder | TBA | IP address | |
The DNSForwarder property is a new property that would feed dns forwarder in smb.conf, so that queries the Samba internal DNS is not authoritative for are passed on to another DNS server.
- Others (optional): These parameters are meant to take smb.conf inputs as defined in the man pages. Defaults for these parameters are the same as the corresponding defaults in the smb.conf man page. Template fragments feed these parameters into the smb.conf file with minimal syntax checking, as it is assumed those who manually input them know what they are doing. Because a value is copied verbatim, run testparm (or samba-tool testparm) after expanding the templates and before restarting the service, so that a bad value is caught instead of taking the DC down.
| Database name | Unique key | Property name | Default value | Possible values | Description |
|---|---|---|---|---|---|
| configuration | SMB | | | | |
| | | NameResolver | TBA | | Feeds name resolve order: the order in which the Samba daemon resolves names |
| | | ServerServices | TBA | | See the server services discussion under the smb.conf section |
| | | SMBPorts | TBA | | Feeds smb ports |
| | | SocketOptions | TBA | | Feeds socket options |
| | | WideLinks | TBA | yes / no | Feeds wide links. yes lets clients follow symlinks out of a share, and Samba forces it to no while unix extensions = yes; leave it at no |
| | | GuestAccount | TBA | | Feeds guest account |
| | | GuestOK | no | yes / no | Feeds guest ok |
| | | LogonDrive | TBA | | Drive letter to be used for the logon drive when users log in to a domain |
| | | RoamingProfiles | no | yes / no | |
| | | LogonPath | TBA | | |
| | | BindInterfacesOnly | no | yes / no | Feeds bind interfaces only. With yes, and interfaces set to the LAN address, Samba does not listen on the WAN interface |
| | | CaseSensitive | yes | yes / no | |
| | | MaxLogSize | 50 | User defined | Samba log size in kilobytes (max log size). Default set to 50 |
KRB5: Create a new configuration database entry for the Kerberos service in Samba

| Database name | Unique key | Property name | Default value | Possible values | Description |
|---|---|---|---|---|---|
| configuration | Kerberos | | | | |
| | | DefaultRealm | uninitialized | | Built into a template fragment, but not defined by default. The fragment builds the default realm by concatenating the SystemName and DomainName recorded elsewhere in the configuration database. Whatever it produces must equal the --realm given to samba-tool domain provision, which by convention is the AD DNS domain in upper case |
| | | DNSLookup | false | true / false | |
| | | DNSLookupRealm | false | true / false | Feeds dns_lookup_realm |
| | | DNSLookupKDC | false | true / false | Feeds dns_lookup_kdc. Samba's own provisioning writes true; with false the KDC must be listed explicitly under [realms] |
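The Kerberos properties above, as an added example (shell; not the page's template fragment): derive the realm and render the krb5.conf settings they control. The derivation rule follows the DefaultRealm description; the [realms] block and the KDC argument are this example's additions, and the DNSLookup property is not rendered because krb5.conf has no single counterpart for it.

```shell
#!/bin/sh
# Added example (not the page's template fragment): render the krb5.conf
# pieces driven by the Kerberos properties above. Deriving the realm from
# SystemName and DomainName is the page's own rule; the [realms] block is this
# example's addition, needed whenever dns_lookup_kdc is false because the
# client then has no SRV records with which to locate the KDC.

# kerberos_realm DEFAULTREALM SYSTEMNAME DOMAINNAME
# An empty or "uninitialized" DefaultRealm is derived from the other two.
# Kerberos realms are case-sensitive and conventionally upper case.
kerberos_realm() {
    case $1 in
        ""|uninitialized) printf '%s.%s' "$2" "$3" ;;
        *)                printf '%s' "$1" ;;
    esac | tr '[:lower:]' '[:upper:]'
}

# render_krb5_conf REALM KDC_FQDN DNS_LOOKUP_REALM DNS_LOOKUP_KDC
# Prints [libdefaults], plus an explicit [realms] entry when the KDC cannot
# be discovered through DNS.
render_krb5_conf() {
    realm=$1 kdc=$2 lookup_realm=$3 lookup_kdc=$4
    printf '[libdefaults]\n'
    printf '\tdefault_realm = %s\n' "$realm"
    printf '\tdns_lookup_realm = %s\n' "$lookup_realm"
    printf '\tdns_lookup_kdc = %s\n' "$lookup_kdc"
    if [ "$lookup_kdc" = false ]; then
        printf '\n[realms]\n'
        printf '\t%s = {\n' "$realm"
        printf '\t\tkdc = %s\n' "$kdc"
        printf '\t\tadmin_server = %s\n' "$kdc"
        printf '\t}\n'
    fi
}
```

Samba's own provisioning writes dns_lookup_realm = false and dns_lookup_kdc = true; defaulting DNSLookupKDC to false departs from that and makes the [realms] entry mandatory, otherwise kinit against the new domain fails with "cannot find KDC".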
Services to Modify
| Service name | Type | Action | File | Description |
|---|---|---|---|---|
| smbd | Existing | | | |
| | | Remove | /var/service/smbd | |
| | | Remove | /service/smbd | |
| | | Remove | /etc/rc.d/init.d/supervise/smb | |
| | | Remove | /etc/rc.d/rc7.d/S91smb | |
| | | Remove | /etc/rc.d/init.d/smbd | |
| nmbd | Existing | | | |
| | | Remove | /var/service/nmbd | |
| | | Remove | /service/nmbd | |
| | | Remove | /etc/rc.d/init.d/nmbd | |
| smb | New | | | I would have liked to have called this "Samba", but that would have meant changing a lot of existing code that looks for "smb" |
| | | Create | /var/service/smb | Using smbd as a template. The run script must start samba in the foreground (samba --foreground, or -F) so that supervise keeps control of it; samba -D daemonises and the parent exits, which supervise treats as a crash and restarts endlessly |
| | | Create symlink | /service/smb -> /var/service/smb | |
| | | Create symlink | /etc/rc.d/init.d/smb -> /etc/rc.d/init.d/daemontools | |
| | | Create symlink | /etc/rc.d/rc7.d/S91smb -> /etc/rc.d/init.d/e-smith-service | |
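The service creation rows above, as an added example (shell; not the e-smith-samba package's own scripts): it writes the daemontools run script and the listed symlinks under a path prefix so it can be exercised in a scratch directory. The run script content is this example's, following the SME convention of exec'ing the daemon in the foreground with stderr joined to stdout for the log, and it uses samba --foreground rather than -D.

```shell
#!/bin/sh
# Added example (not SME packaging code): build the daemontools service
# directory and symlinks listed above for the new "smb" service. ROOT is a
# path prefix so the function can be exercised in a scratch directory.
# Under supervise the daemon must stay in the foreground: "samba -D" forks
# and the parent exits, so supervise would keep restarting it. samba's
# --foreground (-F) option exists for this case and is used instead.

# create_smb_service ROOT
create_smb_service() {
    root=$1
    svc="$root/var/service/smb"
    mkdir -p "$svc" "$root/service" "$root/etc/rc.d/init.d" "$root/etc/rc.d/rc7.d"
    cat > "$svc/run" <<'EOF'
#!/bin/sh
# stdout and stderr go to the supervise log, as for smbd on SME
exec 2>&1
exec /usr/sbin/samba --foreground
EOF
    chmod 755 "$svc/run"
    ln -sfn /var/service/smb "$root/service/smb"
    ln -sfn /etc/rc.d/init.d/daemontools "$root/etc/rc.d/init.d/smb"
    ln -sfn /etc/rc.d/init.d/e-smith-service "$root/etc/rc.d/rc7.d/S91smb"
}

# run_script_is_foreground ROOT: succeed only if the run script keeps samba
# attached to supervise (executable, --foreground present, no -D).
run_script_is_foreground() {
    run="$1/var/service/smb/run"
    [ -x "$run" ] || return 1
    grep -q -- '--foreground' "$run" || return 1
    if grep -q -- ' -D' "$run"; then return 1; fi
    return 0
}
```

The check function is the kind of thing worth keeping in a package test: a run script that daemonises is the classic daemontools mistake and shows up as samba restarting every second in the supervise log.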
DNS
Samba 4 includes a built-in DNS server that is required for proper operation of Active Directory (the AD SRV records and dynamic updates live there). This internal DNS server is for AD functions only and does not provide caching DNS functions; anything it is not authoritative for is passed to the server named by dns forwarder.
SME Server 9.0 includes a caching DNS (djb dnscache) that listens for DNS requests on the LAN IP address and localhost. This cache routes requests for domains defined in the server-manager to tinydns and all other requests to a resolving cache (djb dnscache.forwarder).
One approach for the DNS architecture with Samba 4 would have the Samba 4 internal DNS answer LAN clients directly, with non-AD queries forwarded to the dnscache.forwarder service. The primary dnscache instance and tinydns would then be obsoleted; the two cannot share port 53 on the LAN address in any case. Domain members must use the Samba DNS as their resolver, since Kerberos and LDAP location depend on the SRV records it serves.
LDAP
Need to look at the LDAP authentication backend and mechanism on SME. On the surface, it looks like all of the Samba-related LDAP code will be dropped and much of the standard authentication code will need to be converted to Active Directory authentication (the AD database is itself an LDAP directory, but it is served by the samba daemon, not by OpenLDAP). This task should include looking at openldap-proxy.
Local and Samba Authentication
- Local Authentication: Samba 4 provides support for local authentication through PAM (pam_winbind). This will need to be looked at and sorted out, especially as it relates to the previous LDAP authentication work. Consider replacing it with SSSD.
- Updates to esmith::util perl module: This perl module contains functions for setting and modifying user passwords. We will need to redesign these functions to integrate with AD. Specific changes:
  - setSambaPassword function: This function needs to be completely re-written to set the Active Directory password (for example with samba-tool user setpassword) instead of the old Samba password in smbpasswd. Whichever tool is used, keep the new password on stdin rather than on the command line, since argv is readable by every local user through ps.
  - cancelSambaPassword function: Needs to be re-written for Active Directory (for example samba-tool user disable) instead of the old smbpasswd file.
  - local password functions: We need to look at these once we decide how we are going to handle local authentication on SME with Active Directory.
  - ldapPassword function: Need to look at this and likely deprecate it, as we will likely set Active Directory passwords differently.
Home directories and Homes Share
Samba 4 changes the way Samba used to handle home directories.
- Samba 4 does not use the [homes] share with the [home] share.
- With respect to the [home] share, Samba 4 currently does not expand the %S variable in the smb.conf file due to a bug in Samba 4. Therefore this will not work for us to share home directories: /home/e-smith/files/users/%S/home. Instead, we may be able to use /home/%WORKGROUP%/%ACCOUNTNAME% (in smb.conf variable syntax, /home/%D/%U) and then link this to our current home directory structure so that we can share the home dirs via Samba. Since directories cannot be hard-linked, this has to be a symlink (or a bind mount), and it should be the share root itself: a symlink inside a share that points outside it is only followed with wide links = yes.
- We need to look at the "template homedir" configuration parameter in smb.conf and/or SSSD, as this may make it easier to create home directories on a new user create event.
- The Samba Active Directory includes two attributes for home directories: homeDirectory (used by Windows) and unixHomeDirectory (used by *nix). The unixHomeDirectory attribute does not seem to be fully utilized by Samba at present.
- Good thread on the topic: https://lists.samba.org/archive/samba/2014-January/178151.html
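The symlink approach in the second point above, as an added example (shell; not SME code): create /home/DOMAIN/USER as a link to the existing SME home tree under a path prefix, validating the names first. The path layout follows the text; the name validation and the checks on the link target are this example's.

```shell
#!/bin/sh
# Added example (not SME or Samba code): publish an SME user home under
# /home/DOMAIN/USER, the layout suggested above (/home/%D/%U in smb.conf
# variable syntax), as a symlink to /home/e-smith/files/users/USER/home.
# ROOT is a path prefix so the function can run in a scratch directory.
# Directories cannot be hard-linked on Linux, so the link is symbolic; as the
# share root itself it is resolved by Samba without "wide links = yes", which
# would otherwise be needed and would let clients follow symlinks out of the
# share.

# link_home_dir ROOT DOMAIN USER
link_home_dir() {
    root=$1 domain=$2 user=$3
    # DOMAIN and USER come from the directory; refuse anything that could
    # escape the tree (empty, dot-prefixed, slashes, non-portable characters).
    for part in "$domain" "$user"; do
        case $part in
            ""|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        esac
    done
    target="$root/home/e-smith/files/users/$user/home"
    # Only link to an existing real directory, never through another symlink.
    if [ ! -d "$target" ] || [ -L "$target" ]; then return 1; fi
    link="$root/home/$domain/$user"
    # Never replace a real directory that already sits in the domain tree.
    if [ -e "$link" ] && [ ! -L "$link" ]; then return 1; fi
    mkdir -p "$root/home/$domain"
    ln -sfn "/home/e-smith/files/users/$user/home" "$link"
}
```

The name check matters because the user name reaches this code from AD, not from the server-manager's own validation; a value containing a slash or a leading dot would otherwise place the link outside the domain tree.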
Other Development Tasks to Research and Complete
- Domain Server-Manager Panel: A new Domain server-manager panel should be developed and the workgroup panel removed. Further discussion will need to take place to determine what needs to go into this new panel. This panel will likely be fairly simple, as much of the configuration parameters associated Samba Active directory will be incorporated into template fragments and database entries.
- User/Group Server-Manager Panels: These panels will need to be looked at as they relate to template fragments, adjusting services, and updating database entries associated with Samba.
- Ibay Server-Manager Panel: This panel will need to be looked at as it relates to template fragments, adjusting services, and updating database entries associated with Samba.
- Events/Actions: Existing events and actions related to Samba will need to be reviewed and updated accordingly. A new event/action may need to be developed to provision a new Active Directory domain using the samba-tool utility (samba-tool domain provision).
- e-smith-samba: This package needs to be updated with development pieces detailed in this wiki page, for wider testing and development assistance.