Line 5: |
Line 5: |
| =Introduction= | | =Introduction= |
| This wiki page will be used to track the integration effort of Samba 4 into SME 9+ | | This wiki page will be used to track the integration effort of Samba 4 into SME 9+ |
− |
| |
− | {{Note_box|msg=At this point, I'm just going to randomly ramble on this wiki page as I work on Samba 4. Once I get some workable pieces, I'll go back and format this page so that it makes more sense. - [[User:Gzartman|Gzartman]]}}
| |
| | | |
| Lead developer: [[User:Gzartman|Gzartman]] | | Lead developer: [[User:Gzartman|Gzartman]] |
Line 12: |
Line 10: |
| =Overview and Objectives= | | =Overview and Objectives= |
| | | |
− | The primary objective of this effort is to create Active Directory support on SME 9+ with a focus on simplicity and easy in integration, as is done on many of the other sub-systems on SME Server. Other distributions with Samba 4 support take the approach of providing a fairly complex front end to Samba 4 with many configuration parameters and options. Our approach for Samba 4 is to stream line implementation to provide a straight forward and simple set of UI parameters for the administrator to deploy Active Directory in a configuration that will work in most deployments. Support for the full array of Samba 4 options is provided under the hood in SME Server, but will be available primary from the console. The SME Server community may decide to create an Advanced Samba server-manager panel to control and configure some of the more advanced features available in Samba 4, but the Core SME Server deployment of Active Directory will remain focused on simplicity. | + | The primary objective of this effort is to create Active Directory support on SME 9+ with a focus on simplicity and easy integration, as is done on many of the other sub-systems on SME Server. Other distributions with Samba 4 support take the approach of providing a fairly complex front end to Samba 4 with many configuration parameters and options. Our approach for Samba 4 is to stream line implementation to provide a straight forward and simple set of UI parameters for the administrator to deploy Active Directory in a configuration that will work in most deployments. Support for the full array of Samba 4 options is provided under the hood in SME Server, but will be available primary from the console. The SME Server community may decide to create an Advanced Samba server-manager panel to control and configure some of the more advanced features available in Samba 4, but the Core SME Server deployment of Active Directory will remain focused on simplicity. |
− | | |
| | | |
| Deployment of Samba 4 on SME Server means that many of the authentication mechanisms on SME Server need to change to integrate with Active Directory, therefore this development effort is quite far reaching. | | Deployment of Samba 4 on SME Server means that many of the authentication mechanisms on SME Server need to change to integrate with Active Directory, therefore this development effort is quite far reaching. |
| | | |
− | | + | Samba 4 on SME Server is targeted for Koozali SME Server 10 |
− | Samba 4 on SME Server is targeted for Koozali SME Server 10, but is currently be developed simultaneously on both version 9.2 and 10. | |
| | | |
| =Current Status= | | =Current Status= |
| | | |
− | Current Release: Alpha 5 | + | '''Current Release:''' Alpha 7 |
| | | |
− | Samba 4 on SME Server will be provided by way of the package smeserver-samba, which will upgrade and obsolete e-smith-samba. The current release of Samba 4 on SME Server is available here: [http://www.leiengineering.com/repository/smeserver/Packages/SME_Server_Samba4/ SME Server Samba 4 Packages] | + | Samba 4 on SME Server will be provided by way of the package smeserver-samba, which will upgrade and obsolete e-smith-samba. The current release of Samba 4 on SME Server is available here: [http://www.leiengineering.com/repository/smeserver/Packages/Samba4_Alpha7/ SME Server Samba 4 Packages] |
| | | |
| These packages are currently not provided by the Koozali buildsys because there is still a fair bit of work to do to integrate this code with existing SME services. Since Samba 4 on SME Server includes many other sub-systems, inclusion of the Samba 4 code is not being including in current development streams until the code is closer to release so as not to hold up other development activities. However, this code is available in CVS. | | These packages are currently not provided by the Koozali buildsys because there is still a fair bit of work to do to integrate this code with existing SME services. Since Samba 4 on SME Server includes many other sub-systems, inclusion of the Samba 4 code is not being including in current development streams until the code is closer to release so as not to hold up other development activities. However, this code is available in CVS. |
| + | <br> |
| | | |
| =Samba 4 Packages= | | =Samba 4 Packages= |
| | | |
− | Upstream Centos 6 does not provide Samba 4 packages with full Active Directory support but they are provided in current Centos 7. The reason Samba + AD packages are not available on Centos 6 is is detailed [https://blog.cryptomilk.org/2014/07/09/samba-ad-dc-in-fedora-and-rhel/ here]. A solution to provide Samba 4 active directory does not look to be forthcoming by viewing Samba status in the Fedora project. | + | Upstream Centos 6 and 7 do not provide Samba 4 packages with full Active Directory support. This is because Samba 4 Kerberos is based upon Heimdal Kerberos whereas the upstream vendor uses MIT Kerberos. Heimdal Kerberos and MIT Kerberos are not compatible with one another and so the upstream vendor has decided to disable Kerberos support in Samba until such time as Samba supports MIT Kerberos. Details can be found here https://wiki.samba.org/index.php/MIT_Build |
| + | and here https://blog.cryptomilk.org/2014/07/09/samba-ad-dc-in-fedora-and-rhel/ |
| | | |
− | To further development of support for Samba 4 on the Koozali SME Server, Samba 4 packages from Sernet were selected. These packages will not immediately install cleaning on SME 9 due to the customization of Centos associated with SME 9, so the Sernet packages where re-built for SME 9. Details of this rebuild along with a link to the rebuilt packages are located in [[bugzilla:8075]]. After rebuilding, these packages do install cleanly but the services will not start using the init.d scripts provided with the packaged due to changes made during the re-build of the packages for SME 9. | + | To provide Active Directory support, the Koozali devteam has decided to fork the upstream Samba 4 package and re-compile with Heimdal Kerberos support on Koozali SME Server 10. Details of this rebuild are located in [[bugzilla:9751]]. Support for Active Directory on SME 9 can be provided by Sernet Samba 4.2 packages, which are the last set of open source Sernet packages. However, the devteam is currently focusing development effort on SME 10. |
− | | |
− | It should be noted that as of Samba 4.3, Sernet stopped providing packages for free. Samba 4.3+ sernet packages are commercial only. Therefore, we will only be able to provide support on SME 9+ through Samba 4.2 unless someone comes up with a solution to port Samba 4 + AD to Centos 6. The Sernet Samba packages up through Samba 4.2 work fine for providing Active Directory support on SME 9+. Given SME 10 is in Alpha, the lack of upstream support for Samba + AD on SME 9 likely won't be a big issue.
| |
| | | |
| =Installation= | | =Installation= |
| | | |
− | RPMs for this release can be found here: [http://www.leiengineering.com/repository/smeserver/Packages/SME_Server_Samba4/ SME Server Samba 4 Packages] | + | RPMs for this release can be found here: [https://www.leiengineering.com/repository/smeserver/Packages/Samba4_Alpha7/ SME Server Samba 4 Packages] |
− | | |
| | | |
| Install Instructions: | | Install Instructions: |
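Review bot: The updated package link under Current Status still uses http://www.leiengineering.com/..., while the same repository link under Installation was switched to https:// in this revision. These are the RPMs administrators install, so use the https:// URL in both places and keep the two links identical. The added sentence "Samba 4 on SME Server is targeted for Koozali SME Server 10" also lost its closing period.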
Line 47: |
Line 42: |
| # signal-event post-upgrade; signal-event reboot | | # signal-event post-upgrade; signal-event reboot |
| # Once the server comes back up, provision the domain with: signal-event provision-domain-controller admin_password | | # Once the server comes back up, provision the domain with: signal-event provision-domain-controller admin_password |
− | # config setprop smb legacy enabled
| |
| | | |
− | Note: You can create users using the Server-Manager, but you will receive and error message because this alpha does not yet include full server-manager support. However, the user will be created in the Active Directory. | + | Note: The password utilities in the server-manager are not yet working. We will be working to include SSSD in the next alpha and then all password utilities and functions will work as expected. |
| | | |
| =Change Log / Release Notes= | | =Change Log / Release Notes= |
| + | ==Alpha 7== |
| + | * Implementation of Samba 4 on SME 10. |
| + | * Drop bootstrap-console patch for e-smith-base for provisioning samba 4 from the console. We'll add this back in later |
| + | |
| + | ==Alpha 6== |
| + | * Final alpha on SME 9. Going forward, this code will be moved to the SME 10 alpha release for ongoing development and testing |
| + | * Change the way we are naming alpha package versions because it is becoming difficult to apply alpha level changes with patch files. Each alpha release will have its own source archive. Source archive (.tar.xz) file version numbers will track with the alpha release number. |
| + | * Rewrite server-manager user accounts panel for AD integration, except for the Reset Password link. We won't be able to update this function until we deploy SSSD, which will come in the next release |
| + | * Move smb.conf and AD schema extension fragments to /etc/samba |
| + | * Extend AD schema to include the attributes: lockable, removable, and emailForward |
| + | * Change the koozliUser objectClass to smeExtended for extended schema attributes |
| + | * Get rid of the user-create-AD action because we don't have enough control over the user create process in a server-manager panel using an action. Instead, we added the esmith::util::createADUser() function that sets up a basic Active Directory user. This function is somewhat analogous to the useradd utility |
| + | * Drop "Legacy Mode," which was part of the user-create-AD action |
| + | * Replace user-create event with user-initialize |
| + | * Add user-create-profiledir and user-create-home actions as part of the user-intialize event, since the useradd utility used to do this |
| + | * Update user-modify, user-delete, user-lock events for AD integration |
| + | * Create user-AD-enable and user-AD-disable actions |
| + | * Extensive clean-up of smb.conf fragments now that we have a working Samba 4 deployment, including default configuration dbase parameters. This clean-up and enhancement results in a very clean smb.conf file |
| + | * Update qmail and .qmail template fragments and configuration to pull user data from the Active Directory. Spam and filtering fragments have been excluded because we have not yet decided how to handle these configuration in the Active Directory |
| + | * Further enhancement and refinement to esmith::AD |
| | | |
| ==Alpha 5== | | ==Alpha 5== |
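Review bot: The new note under the install steps says the server-manager password utilities are not working, and the Alpha 6 entry says the Reset Password link is not updated, but nothing tells an administrator how to set or reset a user's password until SSSD is included. Add a sentence naming the supported interim method, or state explicitly that there is none in this alpha. In the Alpha 6 list, "user-intialize" in the user-create-profiledir item should read "user-initialize", as in the item above it.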
Line 87: |
Line 101: |
| ==Alpha 1== | | ==Alpha 1== |
| * Roll new smeserver alpha package for Samba4 [SME:8075] | | * Roll new smeserver alpha package for Samba4 [SME:8075] |
− | | + | <br> |
− | =Status=
| |
− | | |
− | {| class="wikitable"
| |
− | |-
| |
− | |#
| |
− | ! Task !! Status
| |
− | |-
| |
− | |1.
| |
− | | Sernet Samba 4 package rebuild || style="text-align:center;" | <span style="color:green">'''DONE'''</span>
| |
− | |-
| |
− | |2.
| |
− | | Create daemontools service for Samba 4 || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
| |
− | |-
| |
− | |3.
| |
− | | Re-Write smb.conf template fragments || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
| |
− | |-
| |
− | |4.
| |
− | | Create Kerberos template fragments || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
| |
− | |-
| |
− | |5.
| |
− | | Add/Modify SMB database entries || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
| |
− | |-
| |
− | |6.
| |
− | | Create krb5 configuration dbase key || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
| |
− | |-
| |
− | |7.
| |
− | | Re-configure init.d start-up/shutdown scripts || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
| |
− | |-
| |
− | |8.
| |
− | | Configure Samba DNS Service || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
| |
− | |-
| |
− | |9.
| |
− | | Configure DNS Cache Resolver || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
| |
− | |-
| |
− | |10.
| |
− | | Create Active Directory Provision/Re-Provision SME Event || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
| |
− | |-
| |
− | |11.
| |
− | | Add Active Directory Provisioning to Bootstrap-Console || style="text-align:center;" |<span style="color:green">'''DONE'''</span>
| |
− | |-
| |
− | |12.
| |
− | | Reconfigure SME User Authentication for Active Directory|| style="text-align:center;" |<span style="color:orange">'''UNDERWAY'''</span>
| |
− | |}
| |
− | | |
− | =References=
| |
− | | |
− | # http://dev.nethserver.org/projects/nethserver/wiki/Samba4 (Thanks Filippo!)
| |
− | # https://lists.samba.org/archive/samba/2014-April/180336.html
| |
− | # https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
| |
− | # http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
| |
− | | |
| | | |
| =Bugzilla references= | | =Bugzilla references= |
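Review bot: Removing the whole Status table also drops item 12, "Reconfigure SME User Authentication for Active Directory", which was the only entry still marked UNDERWAY, and nothing added in this revision says whether that work is finished. Keep a one-line status for it, or point to the entry in the Bugzilla references list that tracks it.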
Line 144: |
Line 107: |
| '''[[bugzilla:4667]]''' <br> | | '''[[bugzilla:4667]]''' <br> |
| '''[[bugzilla:8075]]''' Adding Samba 4<br> | | '''[[bugzilla:8075]]''' Adding Samba 4<br> |
| + | '''[[bugzilla:8632]]''' Remove smb.conf template fragments from e-smith-LPRng-2.4.0-1<br> |
| '''[[bugzilla:8638]]''' Modify e-smith-dnscache for Samba 4 support<br> | | '''[[bugzilla:8638]]''' Modify e-smith-dnscache for Samba 4 support<br> |
| '''[[bugzilla:8660]]''' User account authentication with Active Directory and AccountsDB<br> | | '''[[bugzilla:8660]]''' User account authentication with Active Directory and AccountsDB<br> |
| '''[[bugzilla:8663]]''' Proftpd and active directory authentication (Samba 4)<br> | | '''[[bugzilla:8663]]''' Proftpd and active directory authentication (Samba 4)<br> |
| '''[[bugzilla:8665]]''' esmith::AD perl module for interacting with Active Directory<br> | | '''[[bugzilla:8665]]''' esmith::AD perl module for interacting with Active Directory<br> |
− | '''[[bugzilla:8667]]''' Get rid of PPTP when we upgrade to Samba 4<br> | + | '''[[bugzilla:8668]]''' Get rid of PPTP when we upgrade to Samba 4<br> |
| '''[[bugzilla:8670]]''' Qmail updates for Samba 4<br> | | '''[[bugzilla:8670]]''' Qmail updates for Samba 4<br> |
| '''[[bugzilla:8674]]''' Remove smbpasswd and WINS pieces for Samba 4<br> | | '''[[bugzilla:8674]]''' Remove smbpasswd and WINS pieces for Samba 4<br> |
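Review bot: The PPTP entry changes from bugzilla:8667 to bugzilla:8668 with an identical description, so one of the two revisions points at the wrong bug; confirm that 8668 is the PPTP bug before saving. bugzilla:4667 at the top of this block still has no description, unlike the entries around it.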
Line 155: |
Line 119: |
| '''[[bugzilla:8703]]''' Samba 4: Home directory<br> | | '''[[bugzilla:8703]]''' Samba 4: Home directory<br> |
| '''[[bugzilla:9651]]''' Remove Samba Parts from esmith::Util for Samba 4 <br> | | '''[[bugzilla:9651]]''' Remove Samba Parts from esmith::Util for Samba 4 <br> |
− | '''[[bugzilla:9653]]''' <br> | + | '''[[bugzilla:9653]]''' Pseudonyms handling with Active Directory<br> |
− | '''[[bugzilla:9662]]''' <br> | + | '''[[bugzilla:9662]]''' System Initialization and Re-Configuration with Active Directory<br> |
− | '''[[bugzilla:9700]]''' <br> | + | '''[[bugzilla:9700]]''' Consider removing /sbin/e-smith/samba_check_password <br> |
− | '''[[bugzilla:9708]]''' <br> | + | '''[[bugzilla:9708]]''' Evaluate registry fragments in server-resources for Samba 4<br> |
− | '''[[bugzilla:9711]]''' <br> | + | '''[[bugzilla:9711]]''' Include dnscache and tinydns config in smeserver-samba for Samba 4 DNS queries<br> |
− | '''[[bugzilla:9712]]''' <br> | + | '''[[bugzilla:9712]]''' Reconfigure shadowcopy for Samba 4<br> |
− | '''[[bugzilla:9713]]''' <br> | + | '''[[bugzilla:9713]]''' Reconfigure recycle bin for Samba 4<br> |
− | <br><br> | + | '''[[bugzilla:9715]]''' Modify e-smith-dnscache to allow connections from entire loopback network<br> |
− | | + | '''[[bugzilla:9755]]''' Re-Write Users Panel for AD integration<br> |
− | =[http://wiki.contribs.org/SAMBA_4_-_Misc_Development_Topics Misc Development Topics]=
| + | '''[[bugzilla:9799]]''' Update esmith::util::chown for Samba users<br> |
| + | '''[[bugzilla:9800]]''' Update e-smith-quota to process quotas for active directory users<br> |
| + | '''[[bugzilla:9802]]''' Modify user events/actions and server-manager panel<br> |
| + | '''[[bugzilla:9804]]''' Update password functions in esmith::util for Samba 4<br> |
| + | '''[[bugzilla:9806]]''' e-smith-openssh modifications for Samba 4<br> |
| + | '''[[bugzilla:9807]]''' smeserver-qpsmtpd changes for Samba 4<br> |
| + | <br> |
| | | |
| =Active Directory Schema= | | =Active Directory Schema= |
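Review bot: The Samba 4 Packages section now cites bugzilla:9751 for the Heimdal rebuild, but the list here goes from bugzilla:9715 to bugzilla:9755 without it. Add a 9751 entry with a short description so the rebuild bug can be found from the reference list like the others.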
Line 171: |
Line 141: |
| [http://wiki.contribs.org/SAMBA_4_Active_Directory_Schema Samba 4 Active Directory Schema] | | [http://wiki.contribs.org/SAMBA_4_Active_Directory_Schema Samba 4 Active Directory Schema] |
| | | |
| + | =[http://wiki.contribs.org/SAMBA_4_-_Misc_Development_Topics Misc Development Topics]= |
| + | |
| + | |
| + | =References= |
| + | |
| + | # http://dev.nethserver.org/projects/nethserver/wiki/Samba4 (Thanks Filippo!) |
| + | # https://lists.samba.org/archive/samba/2014-April/180336.html |
| + | # https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO |
| + | # http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller |
| | | |
| | | |
| [[Category:Core Development]] | | [[Category:Core Development]] |
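Review bot: The relocated "Misc Development Topics" heading is an external link used as a section title with an empty body, whereas the Active Directory Schema section just above it uses a plain heading with the link on its own line underneath. Use the same pattern here, so the heading renders consistently in the table of contents. The moved References list is not cited from anywhere in the text shown, so a short lead-in saying what the four links were used for would help.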