Samba4 Development

From SME Server

Introduction

This wiki page will be used to track the integration effort of Samba 4 into SME 9+.

G.Zartman Note: At this point, I'm just going to randomly ramble on this wiki page as I work on Samba 4. Once I get some workable pieces, I'll go back and format this page so that it makes more sense.

Samba 4 Packages

Upstream CentOS 6 & 7 do not provide support for the full version of Samba 4. Packages available in the upstream repos are a crippled version of Samba 4 with many of the features associated with Active Directory disabled. The reason for this is detailed at https://blog.cryptomilk.org/2014/07/09/samba-ad-dc-in-fedora-and-rhel/ and, judging by the Fedora project, a solution providing Samba 4 Active Directory does not look to be forthcoming.

To further the development of Samba 4 support on the Koozali SME Server, the Samba 4 packages from Sernet were selected. These packages will not immediately install cleanly on SME 9 due to the customization of CentOS in SME 9, so the Sernet packages were re-built for SME 9. Details of this rebuild, along with a link to the rebuilt packages, are in the following bug report: http://bugs.contribs.org/show_bug.cgi?id=8075

After rebuilding, these packages do install cleanly, but the services will not start using the init.d scripts provided with the packages, due to changes made during the re-build of the packages for SME 9. A daemontools run script will need to be developed to start the Samba 4 service.

General Development Notes

Template Fragments to Modify

/etc/smb.conf

Complete rewrite of all template fragments

smb.conf Considerations

The smb.conf configuration file can be simplified significantly for Samba 4. Of specific interest are the following new parameters:


Server Services: This parameter is not very well documented, but from what I could find the following services can be provided by the Samba daemon: s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, ntp_signd, kcc, dnsupdate, dns, smb, nmb, winbind. The default for this parameter is: server services = s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns. Services can be added to or removed from the default with a +/- prefix followed by the service name, for example server services = -s3fs +smb (remove s3fs, add smb). Note that the smb, nmb, and winbind services are equivalent to the older, Samba 3 style stand-alone daemons. Of specific interest to SME 9 may be the use of the nmb service for WINS support. As we begin testing we may need to enable this service, and possibly smb for simple share access.

Server Role: Samba 4 currently only supports the active directory domain controller server role. For now, we'll force the Samba config into the DC server role, but provide a fragment for expansion later. There is a long explanation behind this, but for now the restriction doesn't hurt us. SME as a DC will provide authentication for both domain membership and simple shares, by either joining the domain or logging into the server every time.

/etc/raddb/radius.conf

Template fragments that currently reference smbpasswd:

  etc/raddb/radiusd.conf/25modules30smbpasswd: # An example configuration for using /etc/samba/smbpasswd.
  etc/raddb/radiusd.conf/25modules30smbpasswd:} passwd smbpasswd {
  etc/raddb/radiusd.conf/25modules30smbpasswd: filename = /etc/samba/smbpasswd
  etc/raddb/radiusd.conf/25modules25mschap: # reading from /etc/smbpasswd.
  etc/raddb/radiusd.conf/25modules25mschap: # If you are using /etc/smbpasswd, see the 'passwd'
  etc/raddb/radiusd.conf/25modules25mschap: # module for an example of how to use /etc/smbpasswd
  etc/raddb/radiusd.conf/65authorization40default: # If you are using /etc/smbpasswd, and are also doing
  etc/raddb/radiusd.conf/65authorization40default: # configure the 'smbpasswd' module, above.
  etc/raddb/radiusd.conf/65authorization40default: ( $ldap{Authentication} || 'disabled' ) eq 'enabled' ? 'ldap' : 'smbpasswd';

/etc/krb5.conf

Create new template fragments for this configuration file.

Configuration Database Parameters to Modify

SMBD : Delete

NMBD : Delete

SMB : In general, all of the template fragments will be redesigned to allow database parameters to override many Samba defaults. Specific parameters that need to be defined or modified are as follows:

  • ServerRole: Redefine with the following:
    • SA: Stand Alone Server Mode
    • BD: Backup Domain Controller/Member
    • DC: Domain Controller (Current default. See server role explanation)
  • UnixCharSet: Delete
  • KernelOplocks: Add and set to enabled
  • Level2Oplocks: Add and set to enabled
  • OSLevel: Redefine to 65
  • dnsForwarder: New parameter that could be defined to forward DNS requests from the Samba DNS to another DNS.
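The server services arithmetic described above and the SMB database parameters listed here, worked through as an added example (not SME Server or Samba project code): a small renderer that produces the [global] section of smb.conf from a dict standing in for the e-smith smb configuration record. The ServerServices key, the helper names and the sample values are assumptions; the other keys are the ones listed above.

```python
# Added example, not SME Server or Samba project code: renders the [global]
# section of smb.conf from SME configuration-database values, as the rewritten
# template fragments are meant to. The dict stands in for the e-smith "smb"
# record; the ServerServices key is assumed, the other keys are from the notes.

DEFAULT_SERVER_SERVICES = ("s3fs rpc nbt wrepl ldap cldap kdc drepl winbind "
                           "ntp_signd kcc dnsupdate dns").split()

# Only the AD DC role is being configured for now, so any other ServerRole
# code (SA, BD) falls back to the DC role until fragments for them exist.
ROLE_NAMES = {"DC": "active directory domain controller"}


def effective_server_services(value, default=DEFAULT_SERVER_SERVICES):
    """'+svc' appends to the default list, '-svc' removes from it; a value
    with no prefixes replaces the list (assumed ordinary smb.conf behaviour)."""
    tokens = value.split()
    if tokens and not all(tok[0] in "+-" for tok in tokens):
        return tokens
    services = list(default)
    for tok in tokens:
        name = tok[1:]
        if tok[0] == "+" and name not in services:
            services.append(name)
        elif tok[0] == "-" and name in services:
            services.remove(name)
    return services


def yes_no(flag):
    """Map the SME enabled/disabled convention onto Samba's yes/no."""
    return "yes" if flag == "enabled" else "no"


def render_global(smb):
    """Build the [global] section text from the smb record dict."""
    role = ROLE_NAMES.get(smb.get("ServerRole", "DC"), ROLE_NAMES["DC"])
    services = effective_server_services(smb.get("ServerServices", ""))
    lines = [
        "[global]",
        "    server role = " + role,
        "    server services = " + " ".join(services),
        "    os level = " + str(smb.get("OSLevel", 65)),
        "    kernel oplocks = " + yes_no(smb.get("KernelOplocks", "enabled")),
        "    level2 oplocks = " + yes_no(smb.get("Level2Oplocks", "enabled")),
    ]
    if smb.get("dnsForwarder"):  # emitted only when the database defines it
        lines.append("    dns forwarder = " + smb["dnsForwarder"])
    return "\n".join(lines) + "\n"
```

Calling render_global({"ServerRole": "DC", "ServerServices": "-s3fs +nmb", "dnsForwarder": "192.0.2.53"}) with that constructed record drops s3fs, adds nmb for WINS and emits a dns forwarder line.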

Services to Modify

smbd : Remove

  • Remove /var/service/smbd
  • Remove /services/smbd
  • Remove /etc/rc.d/init.d/supervise/smb
  • Remove /etc/rc.d/rc7.d/S91smb
  • Remove /etc/rc.d/init.d/smbd

nmbd : Remove

  • Remove /var/service/smbd
  • Remove /services/smbd
  • Remove /etc/rc.d/init.d/smbd

samba: Create

  • Create /var/service/samba, using smbd as a template. Samba 4 should be started with /usr/sbin/samba -D
  • Create symlink /service/samba -> /var/service/samba
  • Create symlink /etc/rc.d/init.d/samba -> daemontools
  • Create symlink /etc/rc.d/rc7.d/samba -> e-smith-service

Other Development Tasks to Research and Complete

  1. LDAP: Look at the LDAP authentication backend and mechanism on SME. On the surface, it looks like all of the Samba related LDAP code will be dropped and much of the standard authentication code will need to be converted to Active Directory auth. This task should include looking at openldap-proxy.
  2. DNS: Samba 4 includes a built-in DNS server that is required for proper operation of Active Directory. This internal DNS server is for AD functions only and does not provide caching DNS functions. Therefore, further research and development will be required to integrate the Samba DNS with TinyDNS.
  3. Local Authentication: Samba 4 provides support for local authentication through PAM. This will need to be looked at and sorted out, especially as it relates to the previous LDAP authentication work.
  4. Domain Server-Manager Panel: A new Domain server-manager panel should be developed and the workgroup panel removed. Further discussion will need to take place to determine what needs to go into this new panel. This panel will likely be fairly simple, as most of the configuration parameters associated with Samba Active Directory will be incorporated into template fragments and database entries.
  5. User/Group Server-Manager Panels: These panels will need to be looked at as they relate to template fragments, adjusting services, and updating database entries associated with Samba.
  6. Ibay Server-Manager Panel: This panel will need to be looked at as it relates to template fragments, adjusting services, and updating database entries associated with Samba.
  7. Events/Actions: Existing events and actions related to Samba will need to be reviewed and updated accordingly. A new event/action may need to be developed to provision a new Active Directory domain using the samba-tool utility.

Status

  • Sernet Samba 4 package rebuild: DONE.
  • Create daemontools service for Samba 4: DONE.
  • Re-Write smb.conf template fragments: DONE.
  • Create Kerberos template fragments: DONE.
  • Add/Modify SMB database entries: DONE.
  • Re-configure init.d start-up/shutdown scripts: DONE.
  • Investigate Samba DNS + TinyDNS: UNDERWAY.
