Goals
- Building Samba from the source.
- Provisioning Samba Active Directory Domain Controller (AD DC).
- Creating shared folders with permissions depending on the domain controller.
- Configuring Samba to allow services to authenticate over StartTLS encryption.
- Setting Samba DC up to share folders.
- Giving some users different permissions on the shared folders.
Warning: I wrote this guide in the old days as my personal guide; I did not intend to make it public. Even so, I am sharing it here now in the hope that it helps somebody. So please keep that in mind while reading and do not judge the writing style.
Building Samba from Source
First, install the following packages; they are needed to compile Samba:
sudo apt install make python-dev build-essential libgnutls28-dev libacl1-dev libldap2-dev
Download the latest stable version of Samba from www.samba.org, and extract it:
wget https://download.samba.org/pub/samba/stable/samba-4.5.0.tar.gz
tar xzf samba-4.5.0.tar.gz
cd samba-4.5.0
In the root directory of Samba's source code (the folder you extracted), run the configure script:
./configure
The main purpose of the configure script is to create the Makefile (the file used by the make command; it holds the compilation and installation settings). The configure script lets you set various options, such as installation paths or enabling and disabling parts of Samba. Normally, the default settings do exactly what you need. For more information please refer to the Samba Wiki.
Compile Samba:
make
Install Samba:
sudo make install
Configuring System
Make sure that:
- Your hostname is your fully qualified domain name (FQDN).
- Your hosts file resolves your FQDN and your short hostname to your host’s static IP address.
- Your resolv.conf file has your domain controller IP address and your default gateway IP address as nameservers, and your domain as the search domain.
If any of the previous configuration is not correct, your domain controller will not work.
For more information about how to adapt your hostname, hosts file or resolv.conf file, please refer to the First Boot Configuration guide.
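As an added example (not part of the original guide or of Samba), the following POSIX shell script checks those three requirements offline. The hosts and resolv.conf files are passed as arguments, so it can be run on the DC against /etc/hosts and /etc/resolv.conf or against copies; the sample files written by the demo function are constructed here and reuse the guide's example realm, the hostname dc1.noureldin.local and the address 192.168.1.10.

```shell
#!/bin/sh
# Added example: pre-provisioning checks for hostname, hosts file and
# resolv.conf. File paths are arguments, so run it against /etc/hosts and
# /etc/resolv.conf on the DC, or against copies. Not part of the guide or Samba.

# check_fqdn HOSTNAME DOMAIN -> 0 when HOSTNAME is a fully qualified name
# inside DOMAIN, e.g. check_fqdn dc1.noureldin.local noureldin.local
check_fqdn() {
    case "$1" in
        *".$2") return 0 ;;
    esac
    return 1
}

# check_hosts FILE IP FQDN SHORT -> 0 when FILE has a line that maps IP to
# both FQDN and SHORT (comments and extra whitespace are ignored).
check_hosts() {
    awk -v ip="$2" -v fqdn="$3" -v short="$4" '
        { sub(/#.*/, "") }
        $1 == ip {
            for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 }
        }
        END { if (f && s) exit 0; exit 1 }
    ' "$1"
}

# check_resolv FILE DC_IP DOMAIN -> 0 when the first nameserver is the DC
# (Samba's internal DNS must answer first) and DOMAIN is in the search list.
check_resolv() {
    awk -v dc="$2" -v dom="$3" '
        { sub(/#.*/, "") }
        $1 == "nameserver" { n++; if (n == 1 && $2 == dc) first = 1 }
        $1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if ($i == dom) found = 1 }
        END { if (first && found) exit 0; exit 1 }
    ' "$1"
}

# report STATUS MESSAGE -> prints ok/FAIL and counts failures in $fails
report() {
    if [ "$1" -eq 0 ]; then echo "ok   $2"; else echo "FAIL $2"; fails=$((fails + 1)); fi
}

# run_checks HOSTNAME DOMAIN DC_IP HOSTS_FILE RESOLV_FILE -> prints one line
# per check and returns the number of failed checks (0 = ready to provision).
run_checks() {
    short=${1%%.*}; fails=0
    rc=0; check_fqdn "$1" "$2" || rc=$?
    report $rc "hostname $1 is an FQDN in $2"
    rc=0; check_hosts "$4" "$3" "$1" "$short" || rc=$?
    report $rc "$4 maps $3 to $1 and $short"
    rc=0; check_resolv "$5" "$3" "$2" || rc=$?
    report $rc "$5 lists nameserver $3 first and searches $2"
    return $fails
}

# Demo with constructed sample files (values follow the guide's example
# domain noureldin.local, DC dc1 at 192.168.1.10, gateway 192.168.1.1).
demo() {
    d=$(mktemp -d)
    printf '127.0.0.1 localhost\n192.168.1.10 dc1.noureldin.local dc1 # domain controller\n' > "$d/hosts"
    printf 'search noureldin.local\nnameserver 192.168.1.10\nnameserver 192.168.1.1\n' > "$d/resolv.conf"
    run_checks dc1.noureldin.local noureldin.local 192.168.1.10 "$d/hosts" "$d/resolv.conf" || true
    rm -rf "$d"
}
demo
```

On a real DC, call run_checks with the output of `hostname`, your domain, the static IP, /etc/hosts and /etc/resolv.conf; a non-zero return means provisioning should wait until the reported line is fixed.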
(Optional) If you build Samba from source, consider adding the Samba installation directories to your $PATH variable:
export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH
With that, you can use the Samba binaries directly on the command line during this session without typing the full path.
Provisioning Samba Active Directory Domain Controller
Start provisioning your domain controller:
samba-tool domain provision --use-rfc2307 --interactive
Fill out the information:
Realm [NOURELDIN.LOCAL]: Your full domain in upper case.
Domain [NOURELDIN]: Your short domain in upper case (your direct location in domain hierarchy).
Server Role (dc, member, standalone) [dc]: (dc to use Samba as domain controller).
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: (SAMBA_INTERNAL to use Samba built-in DNS server).
DNS forwarder IP address: Your default gateway IP address (if the Samba internal DNS server fails to resolve a hostname or domain, it forwards the query to this address, your default gateway, which may know who can resolve it).
Administrator password: Choose your domain controller administrator password.
Samba suggests default settings during provisioning; if your system is configured properly, the defaults are mostly the best choice. You may have to enter your default gateway IP address as the DNS forwarder IP address instead of what Samba suggests.
--use-rfc2307 parameter: Enables NIS extensions. They allow central management of Unix attributes (UIDs, shells, GIDs, etc.) inside Active Directory. It is recommended to always enable this feature during provisioning. There are no disadvantages in not using it, but you may later find yourself in a situation where central management of Unix account/group information becomes a requirement.
Start Samba:
samba
Use the smbclient tool to test that Samba provides the AD DC default shares "netlogon" and "sysvol":
smbclient -L localhost -U%
The output should look similar to this:
Domain=[NOURELDIN] OS=[Unix] Server=[Samba 4.x.y]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.x.y)
Domain=[NOURELDIN] OS=[Unix] Server=[Samba 4.x.y]
Server Comment
--------- -------
Workgroup Master
--------- -------
SYSVOL folder stores the server’s copy of public data and files for the domain. These files consist of group or user policy information. The information stored in the SYSVOL folder is copied to all domain controllers on the respective domain.
NETLOGON folder: Its main purpose is to store logon scripts.
To test that authentication is working, you should try to connect to the “netlogon” share, using the Domain Administrator account that was created during provisioning:
smbclient //localhost/netlogon -UAdministrator -c 'ls'
The output should look similar to this:
Domain=[NOURELDIN] OS=[Unix] Server=[Samba 4.x.y]
. D 0 Sat Jul 5 08:40:00 2015
.. D 0 Sat Jul 5 08:40:00 2015
49386 blocks of size 524288. 42093 blocks available
Test that DNS is working properly: run the following commands; you should not get any error:
host -t SRV _ldap._tcp.noureldin.local.
host -t SRV _kerberos._udp.noureldin.local.
host -t A dc1.noureldin.local.
If one of the previous tests fails, check that your resolv.conf file has your DNS nameserver as the first choice.
Configuring Kerberos
Install the Kerberos package:
sudo apt install krb5-user
During installation, you will be asked to enter some information:
- Default Kerberos version 5 realm: Your domain in upper case (NOURELDIN.LOCAL).
- Kerberos servers for your realm: The servers allowed to communicate with Kerberos; use your short hostname (server01).
- Administrative server for your Kerberos realm: The servers allowed to administrate passwords, use your short hostname (server01).
(Optional) Instead of entering the information during installation, you can use the simple Kerberos configuration file that was auto-generated during DC provisioning:
sudo ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf
Test that we can get a Kerberos ticket for our user:
kinit administrator@NOURELDIN.LOCAL
The realm (domain) must always be in UPPER CASE or it will not work.
View the received ticket using the klist command:
klist
The output should look similar to this:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@NOURELDIN.LOCAL
Valid starting Expires Service principal
08.09.2015 14:27:45 09.09.2015 00:27:45 krbtgt/NOURELDIN.LOCAL@NOURELDIN.LOCAL
renew until 09.09.2015 14:27:42
Now you can try joining any Windows PC in your LAN to your DC.
Configuring Samba StartTLS
StartTLS is a new encryption method that uses the default LDAP port 389; it is a development of the old encryption method LDAPS, which requires port 636.
To allow (or force) other services to authenticate against Active Directory using StartTLS encryption, you need to generate a server certificate for Samba, and then tell Samba about that certificate and about the CA/ICAs stack file (in case you use ICAs to sign the server certificate). For more information about certificates please refer to the Easy-RSA guide.
After generating the certificate, edit the Samba configuration file:
sudo vim /usr/local/samba/etc/smb.conf
To tell Samba about the server certificate (cert-key pair) and the stack file, add the following directives to the global section of the smb.conf file:
tls enabled = yes
tls keyfile = /etc/ssl/samba.key
tls certfile = /etc/ssl/samba.crt
tls cafile = /etc/ssl/ca.crt
Sharing Folders with Custom Permissions
We are going to share a folder, make it accessible over the network with the name MyShare, and make it readable by all users on the LAN, but writable only by some users in our LDAP backend (Active Directory).
Create a folder you want to share and make it accessible by Samba:
sudo mkdir /var/shared
sudo chown samba:samba /var/shared
sudo chmod 775 /var/shared
Edit the Samba configuration file:
sudo vim /usr/local/samba/etc/smb.conf
Add the following lines:
[MyShare]
path = /var/shared
create mask = 755
directory mask = 755
browsable = yes
guest ok = yes
read only = yes
write list = username1 username2 username3
You can use the valid users directive to make the folder not readable by anybody except the valid users:
valid users = username1 username2 username3
The share will be accessible over the network as \\<ServerAddressOrName>\MyShare, for example:
\\192.168.1.10\MyShare
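As an added example serving both the TLS directives above and this share definition (it is not from the guide and not Samba's own checker, which would be testparm), the following POSIX shell script parses an smb.conf offline, verifies that the tls directives point at existing files and that the private key is readable only by its owner, and reports each share's exposure: guest access, read-only state, write list and valid users. It assumes absolute paths in the tls directives (Samba resolves relative ones against its private directory), and the smb.conf, key and certificate files written by its demo function are constructed placeholders.

```shell
#!/bin/sh
# Added example: offline audit of an smb.conf. Not part of the guide or of
# Samba (testparm is Samba's own checker). Assumes absolute paths in the
# tls directives. Usage: tls_check FILE; share_report FILE SHARE

# smb_get FILE SECTION KEY -> prints the value of KEY in [SECTION], or nothing.
# Section and directive names are matched case-insensitively and with internal
# whitespace removed, as Samba does ("TLS keyfile" matches "tls keyfile").
smb_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        BEGIN { want_sec = tolower(want_sec); want_key = tolower(want_key); gsub(/[ \t]/, "", want_key) }
        /^[ \t]*[;#]/ { next }                     # comment line
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec); sec = tolower(sec); next }
        sec == want_sec && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want_key) { print val; exit }
        }
    ' "$1"
}

# tls_check FILE -> 0 when "tls enabled = yes", all three files exist and the
# private key has no group/other permission bits; prints each finding.
tls_check() {
    rc=0
    [ "$(smb_get "$1" global "tls enabled")" = yes ] || { echo "FAIL tls enabled is not yes"; rc=1; }
    for key in "tls keyfile" "tls certfile" "tls cafile"; do
        f=$(smb_get "$1" global "$key")
        if [ -z "$f" ]; then echo "FAIL $key is not set"; rc=1
        elif [ ! -f "$f" ]; then echo "FAIL $key: $f does not exist"; rc=1
        else echo "ok   $key = $f"
        fi
    done
    keyf=$(smb_get "$1" global "tls keyfile")
    if [ -f "$keyf" ]; then
        bits=$(ls -l "$keyf" | cut -c5-10)     # group and other permission bits
        [ "$bits" = "------" ] || { echo "FAIL $keyf is readable beyond its owner (mode bits $bits)"; rc=1; }
    fi
    return $rc
}

# share_report FILE SHARE -> prints a one-line summary of who can read and
# write SHARE; returns 1 when anonymous (guest) users can write to it.
share_report() {
    guest=$(smb_get "$1" "$2" "guest ok"); guest=${guest:-no}
    ro=$(smb_get "$1" "$2" "read only");   ro=${ro:-yes}
    w=$(smb_get "$1" "$2" writable); [ -n "$w" ] || w=$(smb_get "$1" "$2" writeable)
    [ "$w" = yes ] && ro=no                # "writable = yes" is a synonym of "read only = no"
    wl=$(smb_get "$1" "$2" "write list")
    vu=$(smb_get "$1" "$2" "valid users")
    echo "[$2] guest=$guest read_only=$ro write_list='${wl:-none}' valid_users='${vu:-everyone}'"
    if [ "$guest" = yes ] && [ "$ro" = no ]; then
        echo "  WARNING: anonymous users can write to [$2]"
        return 1
    fi
    return 0
}

# Demo with a constructed smb.conf and empty placeholder key/cert files.
demo() {
    d=$(mktemp -d)
    : > "$d/samba.key"; : > "$d/samba.crt"; : > "$d/ca.crt"; chmod 600 "$d/samba.key"
    cat > "$d/smb.conf" <<EOF
[global]
    tls enabled = yes
    tls keyfile = $d/samba.key
    tls certfile = $d/samba.crt
    tls cafile = $d/ca.crt
[MyShare]
    path = /var/shared
    guest ok = yes
    read only = yes
    write list = username1 username2 username3
[Dropbox]
    path = /var/dropbox
    guest ok = yes
    writable = yes
EOF
    tls_check "$d/smb.conf" || true
    share_report "$d/smb.conf" MyShare || true
    share_report "$d/smb.conf" Dropbox || true
    rm -rf "$d"
}
demo
```

Run it against /usr/local/samba/etc/smb.conf after editing; the MyShare definition from the guide reports as guest-readable but writable only by the write list, while a share that combines guest access with write access is flagged.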
Control Password Configuration
You can use samba-tool to control password settings (e.g. disabling password expiration or the minimum password length). To view the current password settings, execute the command:
samba-tool domain passwordsettings show
And to view how to change an option:
samba-tool domain passwordsettings set --help
Some Tricks
Auto Mounting Shared Folders Dynamically
From the group policy of your domain controller, you can configure the shared folders to be mounted automatically as network drives when any member of your domain uses their Active Directory account to log in to Windows.
In case you want to mount a dynamically named folder (e.g. a folder named after the logged-in user), use one of the environment variables %LogonUser% or %UserName% while configuring the group policy to refer to the currently logged-in user, and I recommend specifying the exact drive letter to mount to, to avoid any possible conflicts.