Difference between revisions of "Samba-dc"
Bunkobugsy (talk | contribs) |
Bunkobugsy (talk | contribs) |
||
| Line 19: | Line 19: | ||
===Maintainer=== | ===Maintainer=== | ||
initial work of Bunkobugsy | initial work of Bunkobugsy | ||
| − | |||
===Version=== | ===Version=== | ||
<!-- keep this first element as is, you can add some if needed --> | <!-- keep this first element as is, you can add some if needed --> | ||
{{#smeversion: {{#var:smecontribname}} }} | {{#smeversion: {{#var:smecontribname}} }} | ||
| − | |||
| − | |||
===Description=== | ===Description=== | ||
This package provides templates for samba Active Directory support. More details found [https://bugs.koozali.org/show_bug.cgi?id=12798 here]. | This package provides templates for samba Active Directory support. More details found [https://bugs.koozali.org/show_bug.cgi?id=12798 here]. | ||
| Line 30: | Line 27: | ||
It will replace upstream samba packages with AD enabled ones from [https://sig-fasttrack.rocky.page SIG/FastTrack] repo. More details found [https://git.resf.org/sig_fasttrack/meta/issues/2 here]. | It will replace upstream samba packages with AD enabled ones from [https://sig-fasttrack.rocky.page SIG/FastTrack] repo. More details found [https://git.resf.org/sig_fasttrack/meta/issues/2 here]. | ||
| + | A secondary samba.service will use separate samba data directories, set up via a distinct samba configuration. | ||
| + | |||
| + | This ensures that samba-dc instance won't interfere with normal filesharing samba services provided by SME core. | ||
| + | |||
| + | User accounts created in SME will be kept in sync with the LDAP service provided by samba Active Directory. | ||
| + | |||
| + | Users logged in to domain joined Windows PCs will have access to SME's samba shares via their namesake usernames and matching passwords. | ||
| + | https://wiki.koozali.org/Client_Authentication:Windows#Login_to_shared_resources | ||
===Installation=== | ===Installation=== | ||
<tabs container><tab name="For SME 11"> | <tabs container><tab name="For SME 11"> | ||
| Line 50: | Line 55: | ||
config show samba | config show samba | ||
| − | Some of the properties are not shown, but are defaulted in a template or a script. Here a | + | Some of the properties are not shown, but are defaulted in a template or a script. Here is a list with default and expected values : |
{| class="wikitable" | {| class="wikitable" | ||
!property | !property | ||
| Line 91: | Line 96: | ||
Make sure realm does not match any secondary domain set up or it will be overwritten. | Make sure realm does not match any secondary domain set up or it will be overwritten. | ||
| − | WARNING: make sure to change Windows workgroup name before provisioning because domain rename is not supported. | + | WARNING: make sure to change Windows workgroup name before provisioning because domain rename is not supported and is possible for now only with complete domain reset and loss of all machine accounts. |
provision | provision | ||
===Testing=== | ===Testing=== | ||
| Line 102: | Line 107: | ||
sambatool user list | sambatool user list | ||
sambatool computer list | sambatool computer list | ||
| + | If all went well you can proceed to joining Windows PCs to the domain using domain administrator and password. | ||
| + | |||
Other tools available for debugging | Other tools available for debugging | ||
| + | ifconfig | ||
| + | systemctl status samba | ||
sambatool | sambatool | ||
syncadusers | syncadusers | ||
Revision as of 23:10, 10 December 2024
 | |
| samba-dc logo | |
| Maintainer | maintainer |
|---|---|
| Url | https://wiki.koozali.org |
| Category | |
| Tags | File, this, with, a, list, of, tags |
Maintainer
initial work of Bunkobugsy
Version
Description
This package provides templates for samba Active Directory support. More details found here.
It will replace upstream samba packages with AD enabled ones from SIG/FastTrack repo. More details found here.
A secondary samba.service will use separate samba data directories, set up via a distinct samba configuration.
This ensures that samba-dc instance won't interfere with normal filesharing samba services provided by SME core.
User accounts created in SME will be kept in sync with the LDAP service provided by samba Active Directory.
Users logged in to domain joined Windows PCs will have access to SME's samba shares via their namesake usernames and matching passwords. https://wiki.koozali.org/Client_Authentication:Windows#Login_to_shared_resources
Installation
/sbin/e-smith/db yum_repositories set fasttrack-updates repository \ Name 'Rocky Linux 8.10 - SIG FastTrack Updates' \ BaseURL 'http://dl.rockylinux.org/$sigcontentdir/$releasever/fasttrack/$basearch/fasttrack-updates/' \ EnableGroups no \ GPGCheck no \ Visible yes \ Priority 9 \ status enabled
signal-event dnf-modify
dnf --enablerepo=smecontribs install smeserver-samba-dc
Configuration
you can list the available configuration with the following command :
config show samba
Some of the properties are not shown, but are defaulted in a template or a script. Here is a list with default and expected values :
| property | default | values |
|---|---|---|
| SambaIP | numeric | |
| Password | string | |
| status | disabled | enabled,disabled |
Add samba virtual interface
Samba in AD mode provides services that need a separate virtual interface.
A free static IP address needs to be chosen from the same range as SME's local network that is outside the DHCP pool.
WARNING: changing this IP address after the domain is provisioned can cause problems and is not supported.
/sbin/e-smith/db configuration setprop samba SambaIP a.b.c.d
Set domain administrator password
Provisioning will fail unless a password is chosen that matches the complexity requirements. More details found here.
Random Strong Password Generator can be used.
WARNING: make sure to keep a copy of this password and do not modify this key after the domain is provisioned.
/sbin/e-smith/db configuration setprop samba Password Blu3Onyx!
Provisioning will also reserve the administrator user in SME for domain administrator, make sure it is not already used.
Provisioning
By default provisioning will use for realm current Windows workgroup name (default: sme-server) and append .INTERNAL to it.
Active Directory DC locating algorithm relies on DNS resolution, samba internal DNS back end will handle this via SME's domain-remote feature.
Make sure realm does not match any secondary domain set up or it will be overwritten.
WARNING: make sure to change Windows workgroup name before provisioning because domain rename is not supported and is possible for now only with complete domain reset and loss of all machine accounts.
provision
Testing
After a successful provisioning you can confirm the domain functionality
domaininfo sambastatus realm -v discover SME-SERVER.INTERNAL #in this example kinit -V administrator klist sambatool user list sambatool computer list
If all went well you can proceed to joining Windows PCs to the domain using domain administrator and password.
Other tools available for debugging
ifconfig systemctl status samba sambatool syncadusers
Uninstall
/sbin/e-smith/db yum_repositories delete fasttrack-updates signal-event dnf-modify
dnf remove smeserver-samba-dc
/sbin/e-smith/db domains delete sme-server.internal #in this example signal-event domain-modify
Bugs
Please raise bugs under the SME-Contribs section in bugzilla
and select the smeserver-samba-dc component or use this link
Below is an overview of the current issues for this contrib:
Changelog
Only released version in smecontrib are listed here.
