[Experience sharing] Samba4 Ubuntu domain controller setup in detail

Posted 2017-12-21 17:50:50
This post was last edited by Davis on 2017-12-21 17:54

Steps (command history and description)

1. ping www.163.com
   check the internet connection
2. apt-get install openssh-server
   install openssh-server on the Samba server
3. passwd root
   set the root password
4. wget http://www.samba.org/samba/ftp/stable/samba-4.1.4.tar.gz
   download Samba's current stable version
5. apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev
   install all packages required for compilation:
   1) build-essential: tools for building packages;
   2) libacl1-dev: access control list static libraries and headers;
   3) libattr1-dev, libblkid-dev: extended attribute (and block device id) static libraries and headers;
   4) libgnutls-dev: GNU TLS library, development files;
   5) libreadline-dev: GNU readline and history libraries, development files;
   6) python-dev: header files and a static library for Python;
   7) python-dnspython: DNS toolkit for Python;
   8) gdb, pkg-config: debugger and build helper;
   9) libpopt-dev: library for parsing command-line parameters, development files;
   10) libldap2-dev: allows development of LDAP applications using the OpenLDAP libraries; includes headers, libraries and links for static and dynamic linking
6. cd /root
   change to root's home directory
7. ls
   list its contents
8. tar xvfz samba-4.1.4.tar.gz
   decompress the Samba tarball
9. cd samba-4.1.4/
   change into the directory of the uncompressed download
10. ./configure --enable-debug
    configure does the initial work: it configures paths, detects the shell used, checks the dependencies and so on. It is an automatically generated script that, once executed, generates the Makefile with the settings specific to your system, which saves the developer a lot of work given the wide variety of dependencies across Unix-like systems. It checks whether the program can be compiled on your machine; in most cases something is missing the first time, and it errors out with a message naming the program or library that is needed.
11. make
    make takes care of the heavy lifting, the compilation itself. It relies on the information left by ./configure to find the components you need and does the actual building of the program.
12. make install
    install it; the default installation path is /usr/local/samba
13. /usr/local/samba/bin/samba-tool domain provision
    set up a new domain
14. cd /etc/init.d/
    enter the init script directory
15. ls
    list the directory contents: no samba4 yet
16. vim /etc/init.d/samba4
    create the start script (its content is given under "create the samba4 start script" below)
17. ls
    samba4 exists now
18. vim /etc/init.d/samba4
    just to confirm the content is complete
19. chmod 755 /etc/init.d/samba4
    make it executable
20. ls
    the listing now shows it in the executable colour
21. update-rc.d samba4 defaults
    after creating the script, set it to start at system boot
22. reboot
    reboot the machine
23. /usr/local/samba/bin/smbclient -L localhost -U%
    test the function of the SMB domain and see whether all the shares required for a functional directory are working
24. vim /etc/resolv.conf
    verify that the primary DNS server is the IP of your local interface
25. vim /etc/network/interfaces
    change to a fixed IP and add your dns-nameservers
26. reboot
    reboot the server
27. ping johny.local
28. vi /etc/hostname
29. vi /etc/hosts
30. vi /etc/resolv.conf
31. netstat -ln | less
32. host -t SRV _kerberos._udp.johny.local.
    verify that name resolution works for the fully qualified name lab1.johny.local
33. host -t SRV _kerberos._tcp.johny.local.
    test some basic DNS queries and see whether they return a valid response
34. host -t A lab1.johny.local
    prove that DNS can resolve the A record
35. init 0
    shut down the server
36. history
    review
37. ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
    create the symbolic links to the appropriate libraries
38. ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
39. ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
40. ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
41. vim /etc/nsswitch.conf
    resolve user and group information first from /etc/passwd and /etc/group and then from the Windows NT server. To set up winbindd for user and group lookups plus authentication from a domain controller, use something like the following in nsswitch.conf:
        passwd: files winbind
        group:  files winbind
    This instructs the system to use the NSS winbind library when searching for users or groups, so that user and group entries from the winbindd daemon become visible.
42. ldconfig -v | grep winbind
    The libraries needed by the winbindd daemon are entered into the ldconfig cache automatically at the next reboot, but it is faster (and no reboot is needed) to do it by hand. This makes libnss_winbind available to winbindd and reports the current search path used by the dynamic link loader; grep filters the ldconfig output so we see proof that the library is recognised by the dynamic link loader.
43. /usr/local/samba/bin/wbinfo -p
    test whether winbind is "pingable"
44. /usr/local/samba/bin/wbinfo -u
    test whether winbind is able to provide the user list
45. getent passwd
    returns the password file with the entries for the domain users
46. id Administrator
    the id command returns information about the user
47. apt-get install acl
    install the acl package
48. vim /etc/fstab
    add the acl option to the desired partition to enable ACLs
49. mount
    check whether ACL is enabled on your partition
50. reboot
    make the ACL option take effect on the partition
51. mount
    confirm that acl is enabled
52. vim /usr/local/samba/etc/smb.conf
    have a look at the default smb.conf
53. cd /usr/local/samba/etc/
    enter its directory
54. mv smb.conf smb.conf.bak
    back up the default smb.conf file
55. ls
    confirm it is OK
56. vim /usr/local/samba/etc/smb.conf
    create simple shares, or scp an smb.conf file from another server and edit it
57. (command not recorded on the page)
    help locate the problem in smb.conf
58. /etc/init.d/samba4 restart
59. cd /home
    enter the share folder directory
60. ls
    check the current situation
61. mkdir /home/it /home/hr /home/commercial
    create the share folders as defined in smb.conf
62. mkdir public
63. ls
64. chmod 777 public/
    give everybody full permission
65. chmod 770 it/ hr/ commercial/
    give the folder owner and group owner full permission
66. reboot
    reboot the server
67. cd /home/
69. ls
70. ls -lha
71. getfacl johny/
72. setfacl -m g:it:rwx /home/it
    set the folder ACL: give group "it" full permission on /home/it
75. mkdir /home/recycle
76. chmod 777 /home/recycle/
77. smbstatus
    check at any time which users and which machines are accessing shares on the server
78. setfacl -m u:pauly:r-x /home/hr/
    give user pauly read-only (r-x) permission on a particular folder
79. getfacl /home/hr
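The nsswitch.conf change in step 41 is easy to get wrong by hand: a second edit duplicates the "winbind" token, or it lands on the wrong database line. The POSIX shell functions below are an added example, not code from the original post: they append winbind to the passwd and group databases only if it is not already there, and read the configured sources back so the change can be verified. The file path is a parameter; the sample file built by demo_nsswitch is constructed here to mirror a default Ubuntu nsswitch.conf, so its result is "compat winbind" rather than the post's "files winbind".

```shell
#!/bin/sh
# Added example (not from the original post). Idempotently enable the
# winbind NSS source for the passwd and group databases, then verify it.

# enable_winbind_nss FILE
# Append " winbind" to the passwd: and group: lines of FILE unless the
# token is already present, so repeated runs leave the file unchanged.
enable_winbind_nss() {
    file="$1"
    tmp="$file.tmp"
    awk '
        /^(passwd|group):/ && $0 !~ /[ \t]winbind([ \t]|$)/ { $0 = $0 " winbind" }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# nss_sources FILE DB
# Print the source list configured for database DB (e.g. "files winbind").
nss_sources() {
    awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# has_winbind FILE DB
# Exit 0 if DB is resolved through winbind, 1 otherwise.
has_winbind() {
    nss_sources "$1" "$2" | grep -qw winbind
}

# demo_nsswitch: build a constructed sample file (default Ubuntu layout),
# apply the change twice and print the passwd, group and hosts sources.
# The second run must not add a second "winbind" token, and hosts must
# stay untouched.
demo_nsswitch() {
    dir=$(mktemp -d)
    f="$dir/nsswitch.conf"
    cat > "$f" <<'EOF'
# constructed sample nsswitch.conf
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
EOF
    enable_winbind_nss "$f"
    enable_winbind_nss "$f"
    nss_sources "$f" passwd
    nss_sources "$f" group
    nss_sources "$f" hosts
    rm -rf "$dir"
}
```

On the real server the call is enable_winbind_nss /etc/nsswitch.conf followed by has_winbind /etc/nsswitch.conf passwd; steps 43 to 45 (wbinfo -p, wbinfo -u, getent passwd) remain the end-to-end confirmation that the lookup chain actually reaches the domain controller.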


smb.conf (configuration with description)

# Global parameters
    the file is divided into sections
[global]
    the first is always the [global] section, which contains the general server options
workgroup = JOHNY
    the name of the workgroup
realm = JOHNY.LOCAL
netbios name = LAB5
    server name
server role = active directory domain controller
    the server is configured as an AD domain controller
dns forwarder = 8.8.8.8
vfs objects = recycle, full_audit
    the full_audit VFS module records selected client operations to the system log; recycle keeps deleted files
recycle:keeptree = yes
    specifies whether the directory structure should be preserved, or whether the files of a directory that is being deleted should be kept separately in the repository
recycle:versions = yes
    if this option is True, two files with the same name that are deleted will both be kept in the repository; newer deleted versions of a file are called "Copy #x of filename"
recycle:repository = /home/recycle
    path of the directory where deleted files are moved
recycle:exclude = *.tmp, *.log, ~*.*, *.bak, *.iso
    list of files that should not be put into the repository when deleted but deleted in the normal way; wildcards such as * and ? are supported
recycle:exclude_dir = tmp, cache
    list of directories whose files should not be put into the repository when deleted but deleted in the normal way; wildcards such as * and ? are supported
full_audit:facility = local5
    all audit logs go to the system log (/var/log/syslog)
full_audit:priority = notice
full_audit:prefix = %u|%I|%S
    adds useful information to each audit log line: %u user; %I client IP address; %S share name
full_audit:success = open, write, rename, rmdir, mkdir, chmod, chown
    VFS operations to record when they succeed
full_audit:failure = none
    do not record any VFS operation that fails
log level = 5
[netlogon]
    a section name in brackets is the name of a share; it describes a shared resource
path = /usr/local/samba/var/locks/sysvol/johny.local/scripts
    share folder path
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[public]
    name of the share
path = /home/public
    path of the share folder
comment = Pasta Publicco
    description of the share folder
browseable = yes
    controls whether this share is seen in the list of available shares in a net view and in the browse list
create mask = 0777
    tells Samba which permission bits to mask against the DOS/Windows-assigned permissions for a new file created from a Windows/DOS client
writeable = yes
directory mask = 0777
force directory mode = 0777
map acl inherit = yes
    ensures that if default ACLs exist on parent directories they are always honoured when creating a new file or subdirectory inside them

[it]
path = /home/it
comment = Pasta IT
browseable = yes
create mask = 0770
writeable = yes
directory mask = 0770
force directory mode = 0770
map acl inherit = yes

[hr]
path = /home/hr
comment = Pasta HR
browseable = yes
create mask = 0770
writeable = yes
directory mask = 0770
force directory mode = 0770
map acl inherit = yes

[commercial]
path = /home/commercial
comment = Pasta Commercial
browseable = yes
create mask = 0770
writeable = yes
directory mask = 0770
force directory mode = 0770
map acl inherit = yes
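The full_audit settings above produce one syslog line per recorded operation, and with the prefix %u|%I|%S every line starts with the user, the client IP and the share, followed by the operation, its status and its arguments. The shell functions below are an added example, not part of the original post or of Samba: they pull the audit fields out of syslog lines, count operations per user and share, and list the operations an administrator would normally want to review on a file server (rmdir, chown, chmod). The lines returned by sample_audit_log are constructed to match that field order; with facility local5 the real lines would sit in /var/log/syslog on the lab server.

```shell
#!/bin/sh
# Added example (not from the original post). Triage full_audit syslog
# lines written with full_audit:prefix = %u|%I|%S. After the "smbd_audit: "
# ident the fields are: user|client IP|share|operation|status|arguments...

# sample_audit_log: constructed lines in the layout described above,
# plus one unrelated syslog line that must be ignored.
sample_audit_log() {
    cat <<'EOF'
Dec 21 17:50:01 lab5 smbd_audit: johny|192.168.202.10|it|open|ok|r|plan.docx
Dec 21 17:50:02 lab5 smbd_audit: johny|192.168.202.10|it|write|ok|plan.docx
Dec 21 17:50:05 lab5 smbd_audit: pauly|192.168.202.11|hr|rmdir|ok|archive
Dec 21 17:50:07 lab5 smbd_audit: pauly|192.168.202.11|hr|chown|ok|salary.xls
Dec 21 17:50:09 lab5 smbd_audit: pauly|192.168.202.11|it|mkdir|ok|tmp
Dec 21 17:50:10 lab5 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# audit_fields: keep only smbd_audit lines and strip the syslog prefix,
# leaving user|ip|share|op|status|args so later stages see a fixed layout.
audit_fields() {
    sed -n 's/^.*smbd_audit: //p'
}

# audit_per_user_share: number of recorded operations per user and share.
audit_per_user_share() {
    audit_fields | awk -F'|' '{ n[$1 " " $3]++ }
                              END { for (k in n) print k, n[k] }' | sort
}

# audit_review OP...: lines whose operation is one of the given names,
# printed as "user share op argument" for a reviewer or an alert rule.
audit_review() {
    audit_fields | awk -F'|' -v ops="$*" '
        BEGIN { split(ops, a, " "); for (i in a) want[a[i]] = 1 }
        ($4 in want) { print $1, $3, $4, $6 }'
}

demo_summary() { sample_audit_log | audit_per_user_share; }
demo_review()  { sample_audit_log | audit_review rmdir chown chmod; }
```

Against the real log the pipeline is grep smbd_audit /var/log/syslog | audit_review rmdir chown chmod. Because the configuration sets full_audit:failure = none, denied attempts never appear in the log; if failed access is something you want to see, list the operations under full_audit:failure as well.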

Basic concept

winbindd
    Function: Name Service Switch daemon for resolving names from NT servers. The service provided by winbindd is called 'winbind' and can be used to resolve user and group information from a Windows NT server. The service can also provide authentication services via an associated PAM module.
    Description: the Name Service Switch allows user and system information to be obtained from different database services such as NIS or DNS. The exact behaviour is configured through the /etc/nsswitch.conf file. Users and groups are allocated, as they are resolved, to a range of user and group ids specified by the administrator of the Samba system.


Useful commands

Reboot the machine:      root@lab1:/# reboot
Turn off the machine:    root@lab1:/# init 0
Check listening ports:   root@lab1:/# netstat -ln | less
Restart Samba:           root@lab1:/# /etc/init.d/samba4 restart    (or: service samba4 restart)
Restart the network:     root@lab1:/# /etc/init.d/networking restart    (or: service networking restart)
Set root password:       root@lab1:/# passwd root
Unpack a tarball:        root@lab1:/# tar xvfz samba-4.1.4.tar.gz
Check Samba:             /usr/local/samba/bin/smbclient -L localhost -U%


Important configuration file paths and their service commands

Network:   /etc/hosts; /etc/resolv.conf; /etc/network/interfaces
           start-up script: /etc/init.d/networking restart
Samba:     /usr/local/samba/etc/smb.conf; /etc/init.d/samba4
           start-up script: /etc/init.d/samba4 restart
Winbind:   /etc/nsswitch.conf


User management commands

User and group management commands
Add a user test:                    /usr/local/samba/bin/samba-tool user add test
Add group level1:                   /usr/local/samba/bin/samba-tool group add level1
Add user1 to group level1:          /usr/local/samba/bin/samba-tool group addmembers "level1" user1
Remove user1 from group level1:     /usr/local/samba/bin/samba-tool group removemembers "level1" user1
List the current groups:            /usr/local/samba/bin/samba-tool group list
List the current users:             /usr/local/samba/bin/samba-tool user list
Add a user test:                    /usr/local/samba/bin/samba-tool user create test
Delete user test:                   /usr/local/samba/bin/samba-tool user delete test
Delete group test:                  /usr/local/samba/bin/samba-tool group delete test
Add user test to OU yanling:        /usr/local/samba/bin/samba-tool user add test --userou=OU=yanling
Add group grouptest to OU yanling:  /usr/local/samba/bin/samba-tool group add grouptest --groupou=OU=yanling

ACL permission commands

Give user "pauly" read-only permission on another department's share folder:    setfacl -R -m u:pauly:r-x /home/hr/
Give group "pauly" read-only permission on another department's share folder:   setfacl -m g:pauly:r-x /home/hr/
Remove user "pauly"'s access permission on the share folder:                    setfacl -x u:pauly /home/hr/
Remove group "pauly"'s access permission on the share folder:                   setfacl -x g:pauly /home/hr/
Set user "pauly" as a default ACL entry of the share folder:                    setfacl -d --set u:pauly:rx /home/hr/
Set group "pauly" as a default ACL entry of the share folder:                   setfacl -d --set g:pauly:rx /home/hr/
Remove all extended user and group entries from the share folder's ACL:         setfacl -b /home/hr/
Add "Domain Users" to the ACL:                                                  setfacl -m g:Domain\ Users:rwx /home/public/


netlogon script to map network drives

1) Copy the bat files to the \\sambaserver\netlogon folder

[image: samba4withwinad1.jpg]

Below is its Samba path:

[image: samba4withwinad2.jpg]

2) Add the bat file to the user via "Active Directory Users and Computers"

[image: samba4withwinad3.jpg]

Samba4 as a replica Active Directory Domain Controller

Step (command history) and description
2. passwd root
4. apt-get install openssh-server
5. ping lab1
6. ping lab1.johny.local
7. ifconfig
8. vim /etc/network/interfaces
   set up a fixed IP
9. reboot
12. ifconfig
13. ping lab1
14. ping johny.local
15. vi /etc/resolv.conf
17. vi /etc/hosts
    correct the hostname and add two lines
26. reboot
27. ifconfig
34. apt-get remove --purge krb5-config
35. apt-get install krb5-config
36. kinit administrator@johny.local
38. apt-get remove --purge krb5-config
39. wget http://www.samba.org/samba/ftp/stable/samba-4.1.4.tar.gz
    better to copy it from the other Samba server
40. apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev
41. cd /root/
42. ls
43. tar zxvf samba-4.1.4.tar.gz
44. cd samba-4.1.4/
45. ./configure --enable-debug
47. make
48. make install
49. vim /etc/hostname
50. vim /etc/resolv.conf
51. ping lab1
52. cd /usr/local/samba/etc/
53. ls
54. cd
55. apt-get install krb5-user
56. kinit administrator@JOHNY.LOCAL
57. klist
58. host -t dc lab2.johny.local
    of course this will fail
59. cd /usr/local/samba/bin/
60. ls
63. cd /
64. /usr/local/samba/bin/samba-tool domain join johny.local DC -Uadministrator --realm=johny.local
65. host -t A lab2.johny.local
66. /usr/local/samba/bin/samba-tool dns add 192.168.202.57 johny.local lab2 A 192.168.202.53 -Uadministrator
67. host -t A lab2.johny.local
68. /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
69. host -t CNAME d40ea8d6-5e70-4b8b-ba3c-8ca20fe4451f._msdcs.demo.local
70. host -t CNAME d40ea8d6-5e70-4b8b-ba3c-8ca20fe4451f._msdcs.johny.local
71. cd /usr/local/samba/etc/
72. ls
73. vim smb.conf
    the join already created an smb.conf file
74. cd..
75. cd ..
76. cd bin/
77. ls
78. cd
79. host -t dc lab2.johny.local
82. cd /etc/init.d/
    scp samba4 from the other Samba server
83. ls
84. ls samba4
86. /etc/init.d/samba4 restart
88. cd
89. getent passwd
90. ping lab1
99. ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
100. vim /etc/nsswitch.conf
101. ldconfig -v | grep winbind
102. ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
103. ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
104. ldconfig -v | grep winbind
105. /usr/local/samba/bin/wbinfo -p
106. /usr/local/samba/bin/wbinfo -u
107. getent passwd
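Steps 68 to 70 show the check for a DC's objectGUID CNAME: each domain controller's NTDS Settings objectGUID must resolve as <guid>._msdcs.<realm>, and the query in step 69 failed simply because it used demo.local instead of the realm johny.local. The functions below are an added example, not part of the post or of samba-tool: msdcs_cnames turns ldbsearch output into the CNAME names to query, realm_from_dn derives the realm from a DN's DC= components so the wrong domain cannot be typed in, and check_msdcs_cnames runs host against each name. The ldbsearch output in sample_ldbsearch is constructed; its first objectGUID is the one from the post, the second is an invented value.

```shell
#!/bin/sh
# Added example (not from the original post). Derive the _msdcs CNAME
# records every domain controller must have from the objectGUID attributes
# returned by:
#   ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid

# sample_ldbsearch: constructed output in ldbsearch's LDIF layout.
# The first GUID is the one from the post; the second is invented.
sample_ldbsearch() {
    cat <<'EOF'
# record 1
dn: CN=NTDS Settings,CN=LAB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=johny,DC=local
objectGUID: d40ea8d6-5e70-4b8b-ba3c-8ca20fe4451f

# record 2
dn: CN=NTDS Settings,CN=LAB2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=johny,DC=local
objectGUID: 0b6d2a10-7c4e-4f2a-9d55-3e1a8c9f0b21

# returned 2 records
# 2 entries
# 0 referrals
EOF
}

# msdcs_cnames REALM: read ldbsearch output on stdin and print one
# <objectGUID>._msdcs.<realm> name per record.
msdcs_cnames() {
    awk -v realm="$1" 'tolower($1) == "objectguid:" { print $2 "._msdcs." realm }'
}

# realm_from_dn DN: join the DC= components of a DN with dots, so the
# query uses the domain the DC actually belongs to (step 69 used
# demo.local by mistake and got no answer).
realm_from_dn() {
    printf '%s\n' "$1" | awk -F',' '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^DC=/) out = out (out == "" ? "" : ".") substr($i, 4)
        print out
    }'
}

# check_msdcs_cnames REALM: query each CNAME with host; returns non-zero
# if any DC lacks its record (needs access to the domain's DNS server).
check_msdcs_cnames() {
    rc=0
    for name in $(msdcs_cnames "$1"); do
        if host -t CNAME "$name" > /dev/null 2>&1; then
            echo "ok      $name"
        else
            echo "MISSING $name"
            rc=1
        fi
    done
    return $rc
}

# demo_cnames: derive the realm from the first DN and list both names.
demo_cnames() {
    sample_ldbsearch | msdcs_cnames "$(realm_from_dn 'CN=LAB1,DC=johny,DC=local')"
}
```

On the replica the live check is /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid | check_msdcs_cnames johny.local; a MISSING line for the new DC means replication partners cannot locate it by GUID, and the record has to be added with samba-tool dns add as step 66 did for the A record.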


create the samba4 start script

1: vim /etc/init.d/samba4

    #! /bin/sh
    ### BEGIN INIT INFO
    # Provides:          samba
    # Required-Start:    $network $local_fs $remote_fs
    # Required-Stop:     $network $local_fs $remote_fs
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: start Samba daemons
    ### END INIT INFO
    #
    # Start/stops the Samba daemon (samba).
    # Adapted from the Samba 3 packages.
    #
    # PID file written by a source build installed under /usr/local/samba
    SAMBAPID=/usr/local/samba/var/run/samba.pid

    # clear conflicting settings from the environment
    unset TMPDIR

    # See if the daemon and the config file are there
    test -x /usr/local/samba/sbin/samba -a -r /usr/local/samba/etc/smb.conf || exit 0

    . /lib/lsb/init-functions

    case "$1" in
      start)
        log_daemon_msg "Starting Samba 4 daemon" "samba"
        if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
            log_end_msg 1
            exit 1
        fi
        log_end_msg 0
        ;;
      stop)
        log_daemon_msg "Stopping Samba 4 daemon" "samba"
        start-stop-daemon --stop --quiet --name samba --pidfile $SAMBAPID
        # Wait a little and remove stale PID file
        sleep 1
        if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
        then
            # Stale PID file (samba was successfully stopped),
            # remove it (should be removed by samba itself IMHO.)
            rm -f $SAMBAPID
        fi
        log_end_msg 0
        ;;
      restart|force-reload)
        $0 stop
        sleep 1
        $0 start
        ;;
      *)
        echo "Usage: /etc/init.d/samba4 {start|stop|restart|force-reload}"
        exit 1
        ;;
    esac

    exit 0

2: chmod 755 /etc/init.d/samba4

3: update-rc.d samba4 defaults

Install the remote administration tools on Windows to manage the users and computers

1. Log in to your domain as administrator, find the tools with Google, download them to the FTP server and install them.
   Download: http://www.microsoft.com/zh-cn/download/details.aspx?id=7887
   Install:

[image: downloadinstallremotewinad1.jpg]

2. Run Administrative Tools > Active Directory Users and Computers to add an OU with 3 users and groups in it
[image: downinstallwinad1.jpg]

Add OU
[image: downinstallwinad2.jpg]

New OU
[image: downinstallwinad3.jpg]

Add Group in the johny OU
[image: downinstallwinad4.jpg]

New Group: It; Commercial; Hr
[image: downinstallwinad5.jpg]

Add Users
[image: downinstallwinad6.jpg]

New User: johny
[image: downinstallwinad7.jpg]

You can also create the user on Linux, but then it is not in your OU:
/usr/local/samba/bin/samba-tool user add test
Associate the users with the groups
[image: downinstallwinad8.jpg]

Create a group policy

Goal: prevent domain (baidu.local) user martin.lee from using USB removable disks by group policy.

How to:
1: Run as the AD administrator: Control Panel / Administrative Tools / Group Policy Management

[image: grouppolicy1.jpg]

2: Right-click the OU, "Create a GPO in this domain..."
[image: grouppolicy2.jpg]

3: Give the GPO a name

[image: grouppolicy3.jpg]

4: Right-click the GPO, Edit
[image: grouppolicy4.jpg]
5: User Configuration > Administrative Templates > System > Removable Storage Access. Enable the "Removable disks: read and write" option.
[image: grouppolicy5.jpg]
6: Add domain user martin.lee so the GPO applies to him, as shown below.
[image: grouppolicy6.jpg]
7: Finished:
[image: grouppolicy7.jpg]

Install ACL, set it up and confirm it works

apt-get install acl
[image: installacl1.jpg]
Set up ACL in fstab: vim /etc/fstab and add "acl" after "errors=remount-ro,"
[image: installacl2.jpg]
Reboot and run mount (to confirm the acl option is active)
[image: installacl3.jpg] [image: installacl4.jpg]

smb.conf

Back up the original smb.conf file and copy the following to create a new smb.conf file:
root@lab5:/home# vim /usr/local/samba/etc/smb.conf

    # Global parameters
    [global]
        workgroup = JOHNY
        realm = JOHNY.LOCAL
        netbios name = LAB5
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        vfs objects = recycle, full_audit
        recycle:keeptree = yes
        recycle:versions = yes
        recycle:repository = /home/recycle
        recycle:exclude = *.tmp, *.log, ~*.*, *.bak, *.iso
        recycle:exclude_dir = tmp, cache
        full_audit:facility = local5
        full_audit:priority = notice
        full_audit:prefix = %u|%I|%S
        full_audit:success = open, write, rename, rmdir, mkdir, chmod, chown
        full_audit:failure = none
        log level = 5

    [netlogon]
        path = /usr/local/samba/var/locks/sysvol/johny.local/scripts
        read only = No

    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

    [public]
        path = /home/public
        comment = Pasta Publicco
        browseable = yes
        create mask = 0777
        writeable = yes
        directory mask = 0777
        force directory mode = 0777
        map acl inherit = yes

    [it]
        path = /home/it
        comment = Pasta IT
        browseable = yes
        create mask = 0770
        writeable = yes
        directory mask = 0770
        force directory mode = 0770
        map acl inherit = yes

    [hr]
        path = /home/hr
        comment = Pasta HR
        browseable = yes
        create mask = 0770
        writeable = yes
        directory mask = 0770
        force directory mode = 0770
        map acl inherit = yes

    [commercial]
        path = /home/commercial
        comment = Pasta Commercial
        browseable = yes
        create mask = 0770
        writeable = yes
        directory mask = 0770
        force directory mode = 0770
        map acl inherit = yes

This post: https://www.yunweiku.com/thread-426568-1-1.html