Samba4 Development

From SME Server
Jump to navigation Jump to search

Sambalogo.png

Introduction

This wiki page will be used to track the integration effort of Samba 4 into SME 9+


  Note:
At this point, I'm just going to randomly ramble on this wiki page as I work on Samba 4. Once I get some workable pieces, I'll go back and format this page so that it makes more sense. - Gzartman


Lead developer: Gzartman

Overview and Objectives

The primary objective of this effort is to create Active Directory support on SME 9+ with a focus on simplicity and easy in integration, as is done on many of the other sub-systems on SME Server. Other distributions with Samba 4 support take the approach of providing a fairly complex front end to Samba 4 with many configuration parameters and options. Our approach for Samba 4 is to stream line implementation to provide a straight forward and simple set of UI parameters for the administrator to deploy Active Directory in a configuration that will work in most deployments. Support for the full array of Samba 4 options is provided under the hood in SME Server, but will be available primary from the console. The SME Server community may decide to create an Advanced Samba server-manager panel to control and configure some of the more advanced features available in Samba 4, but the Core SME Server deployment of Active Directory will remain focused on simplicity.


Deployment of Samba 4 on SME Server means that many of the authentication mechanisms on SME Server need to change to integrate with Active Directory, therefore this development effort is quite far reaching.


Samba 4 on SME Server is targeted for Koozali SME Server 10, but is currently be developed simultaneously on both version 9.2 and 10.

Current Status

Current Release: Alpha 5

Samba 4 on SME Server will be provided by way of the package smeserver-samba, which will upgrade and obsolete e-smith-samba. The current release of Samba 4 on SME Server is available here: SME Server Samba 4 Packages

These packages are currently not provided by the Koozali buildsys because there is still a fair bit of work to do to integrate this code with existing SME services. Since Samba 4 on SME Server includes many other sub-systems, inclusion of the Samba 4 code is not being including in current development streams until the code is closer to release so as not to hold up other development activities. However, this code is available in CVS.

Samba 4 Packages

Upstream Centos 6 does not provide Samba 4 packages with full Active Directory support but they are provided in current Centos 7. The reason Samba + AD packages are not available on Centos 6 is is detailed here. A solution to provide Samba 4 active directory does not look to be forthcoming by viewing Samba status in the Fedora project.

To further development of support for Samba 4 on the Koozali SME Server, Samba 4 packages from Sernet were selected. These packages will not immediately install cleaning on SME 9 due to the customization of Centos associated with SME 9, so the Sernet packages where re-built for SME 9. Details of this rebuild along with a link to the rebuilt packages are located in bugzilla:8075. After rebuilding, these packages do install cleanly but the services will not start using the init.d scripts provided with the packaged due to changes made during the re-build of the packages for SME 9.

It should be noted that as of Samba 4.3, Sernet stopped providing packages for free. Samba 4.3+ sernet packages are commercial only. Therefore, we will only be able to provide support on SME 9+ through Samba 4.2 unless someone comes up with a solution to port Samba 4 + AD to Centos 6. The Sernet Samba packages up through Samba 4.2 work fine for providing Active Directory support on SME 9+. Given SME 10 is in Alpha, the lack of upstream support for Samba + AD on SME 9 likely won't be a big issue.

Installation

RPMs for this release can be found here: SME Server Samba 4 Packages


Install Instructions:

  1. Download all rpms to a fresh SME 9.1 install.
  2. yum localinstall *.rpm
  3. signal-event post-upgrade; signal-event reboot
  4. Once the server comes back up, provision the domain with: signal-event provision-domain-controller admin_password
  5. config setprop smb legacy enabled

Note: You can create users using the Server-Manager, but you will receive and error message because this alpha does not yet include full server-manager support. However, the user will be created in the Active Directory.

Change Log / Release Notes

Alpha 5

  • Extend Active Directory schema to include quota and smeCustom attributes via the koozaliUser objectClass
  • Remove adjust-samba event and use services2adjust
  • Add Group-create-AD action
  • Design changes to provision-domain-controller and bootstrap-provision-dc events to provision samba entirely cold using ldif
  • Add pseudonym support to esmith::AD
  • Further enhancement to esmith::AD to provide user & group management functionality similar to that provided by AccountsDB
  • Re-write createlinks to flow a more logical sequence
  • Fix dnsforwarder in smb.conf
  • Fix several esmith::AD::User and esmith::AD::Group methods broken in 0.1-0-3 when we added runtime binding

Alpha 4

  • Add dnscache and tinydns config per bug [SME: 9711]
  • Add iptables preroute rule for DNS per bug [SME: 9711]
  • Fix issues with domain admins assignment during provisioning
  • Nearly full re-write of user-create-AD action to utilize esmith::AD class
  • Add Legacy Mode to user-create-AD action to allow this action to work with AccountsDB
  • Add user-create-AD to user-create event
  • Add user-AD-disable action to disable AD user
  • Continued development and enhancement to esmith::AD including POD documentation
  • Continued development and enhancement to esmith::AD::User including POD documentation
  • Add esmith::AD::OU to manage Organizational Units in the Active Directory
  • Fix realm definition in provision action

Alpha 3

  • Reconfigure provision event to account for default Samba complex password policy
  • Abstract core LDAP queries in esmith::AD using runtime binding

Alpha 2

  • Set requires to e-smith-base-5.6.0-30+ [SME:8668]
  • Set requires for e-smith-LPRng-2.5.0+ [SME:8632]

Alpha 1

  • Roll new smeserver alpha package for Samba4 [SME:8075]

Status

# Task Status
1. Sernet Samba 4 package rebuild DONE
2. Create daemontools service for Samba 4 DONE
3. Re-Write smb.conf template fragments DONE
4. Create Kerberos template fragments DONE
5. Add/Modify SMB database entries DONE
6. Create krb5 configuration dbase key DONE
7. Re-configure init.d start-up/shutdown scripts DONE
8. Configure Samba DNS Service DONE
9. Configure DNS Cache Resolver DONE
10. Create Active Directory Provision/Re-Provision SME Event DONE
11. Add Active Directory Provisioning to Bootstrap-Console DONE
12. Reconfigure SME User Authentication for Active Directory UNDERWAY

References

  1. http://dev.nethserver.org/projects/nethserver/wiki/Samba4 (Thanks Filippo!)
  2. https://lists.samba.org/archive/samba/2014-April/180336.html
  3. https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
  4. http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller


Bugzilla references

bugzilla:4667 Adding Samba 4
bugzilla:8075 Adding Samba 4
bugzilla:8638 Modify e-smith-dnscache for Samba 4 support
bugzilla:8660 User account authentication with Active Directory and AccountsDB
bugzilla:8663 Proftpd and active directory authentication (Samba 4)
bugzilla:8665 esmith::AD perl module for interacting with Active Directory
bugzilla:8667 Get rid of PPTP when we upgrade to Samba 4
bugzilla:8670 Qmail updates for Samba 4
bugzilla:8674 Remove smbpasswd and WINS pieces for Samba 4
bugzilla:8675 e-smith-LDAP + Samba 4
bugzilla:8687 Add SSSD daemon for Samba 4 local authentication
bugzilla:8703 Samba 4: Home directory
bugzilla:9651
bugzilla:9653
bugzilla:9662
bugzilla:9700
bugzilla:9708
bugzilla:9712
bugzilla:9712
bugzilla:9713


Misc Development Topics

Active Directory Schema

Following is a direct dump of the active directory from a freshly provisioned SME Server domain. The DNS/Kerberos domain is domain.com, the hostname is virgin, and the windows domain is sme-server. The ipaddress for this test machine is 192.168.0.67. These data is quite long, but I found it very useful; as it is extremely difficult to find these attributes in any documentation about Samba 4 and ADDC:

Samba 4 Active Directory Schema