Showing posts with label Samba. Show all posts

Monday, December 22, 2014

Install Samba 4.1 AD DC on CentOS 7 with yum

CentOS 7's bundled Samba 4 does not provide Active Directory (AD) Domain Controller (DC) functionality, because a Samba 4 AD DC needs the Heimdal Kerberos 5 libraries while RHEL/CentOS build against MIT Kerberos. However, Samba 4 rpms built with Heimdal for CentOS 7 can be obtained from the Sernet Samba repository, so there is no need to compile Samba from source.

To download the rpm files with yum, a user account is necessary at the Sernet Samba repository. Signing up is free and takes a minute. After registration, log into the portal and download a yum repo file that has the account's username and password embedded in the repo URL. Copy the repo file to /etc/yum.repos.d and, since it carries those credentials in clear text, keep it owned by root with mode 0600 (yum runs as root, so nothing else needs to read it). One can then use yum to install the necessary rpms for a Samba 4 AD DC on CentOS 7.

If the bundled Samba 4 is installed, remove it with yum first (quote the glob so the shell does not expand it against files in the current directory):
 yum remove 'samba*'
The following Samba 4.1 rpms can then be installed from Sernet on CentOS 7 to enable an AD DC:
sernet-samba-libs-4.1.14-9.el7.x86_64
sernet-build-key-1.1-4.noarch
sernet-samba-common-4.1.14-9.el7.x86_64
sernet-samba-libsmbclient0-4.1.14-9.el7.x86_64
sernet-samba-4.1.14-9.el7.x86_64
sernet-samba-winbind-4.1.14-9.el7.x86_64
sernet-samba-ad-4.1.14-9.el7.x86_64
sernet-samba-client-4.1.14-9.el7.x86_64


If there is an existing Samba 3 NT4-style domain, it can be upgraded to an AD domain with samba-tool domain classicupgrade; samba-tool is installed as part of the packages above. The Samba Classic Upgrade wiki guide provides excellent instructions on the upgrade. For simplicity, one can use Samba 4's built-in DNS server for the AD DC; clients must then use the DC as their DNS server so that the AD SRV records resolve. With the Sernet packages, SAMBA_START_MODE must also be set to "ad" in /etc/default/sernet-samba. After the upgrade is complete, start the AD DC by
service sernet-samba-ad start
and test it following the Samba wiki's testing guide.

Saturday, July 13, 2013

How to make Samba 4 shares writable with Fedora 19 and SELinux

Today I found I couldn't create new folders in my Samba 4 share under Fedora 19. This was due to SELinux, since there was no problem with SELinux disabled.

The SELinux booleans relevant to Samba can be listed with:

#getsebool -a | grep samba
#getsebool -a | grep smbd

Since Samba needs to modify the shared files, the files/directories must be labeled public_content_rw_t and the smbd_anon_write boolean must be turned on. Note that public_content_rw_t is the label for content shared by several services (Apache, FTP, rsync, Samba); for a directory exported only through Samba, the narrower samba_share_t label gives smbd read/write access without any boolean and is the least-privilege choice.


  • Label all files under the share folder (e.g. /mnt/media) as public_content_rw_t so that they can be modified by multiple domains (Apache, FTP, rsync, Samba).

#semanage fcontext -a -t public_content_rw_t "/mnt/media(/.*)?"
#restorecon -F -R /mnt/media

Note: File contexts can be changed temporarily with the chcon command, but that won't survive a relabeling. To change the file context permanently, use the semanage fcontext command, which modifies the SELinux labeling database; restorecon then applies the labels to the files.


  • Turn on the smbd_anon_write boolean:

#setsebool -P smbd_anon_write 1

  • It's NOT necessary to turn on samba_export_all_rw if the shared files/directories are properly labeled and the smbd_anon_write boolean is turned on. That boolean lets smbd write to every file on the system regardless of label, so leave it off.
  • The security context of the files can be verified via
    # ls -Z /mnt/media
    drwxrwxr-x. video media system_u:object_r:public_content_rw_t:s0 video





Tuesday, October 11, 2011

NT ACL on Samba


  • Enable ACL support in the file system by remounting it with the acl option. ACLs must be enabled in the file system before Samba can use them (recent ext4 file systems usually carry acl in their default mount options; check with tune2fs -l or mount).
    mount -o remount,acl /home
  • Enable acl support during boot time with the following in the /etc/fstab
    LABEL=/home /home ext4 noatime,acl 1 2
  • Enable acl support in Samba on a per share basis with the following in /etc/samba/smb.conf (typically already enabled by default)
    nt acl support = yes
    acl map full control = yes
  • Set the setgid bit for the directory
    chmod g+s /home
  • Have the following in /etc/samba/smb.conf
    inherit acls = Yes
    delete readonly = Yes
  • Check the ACL of current directory
    getfacl .
  • Set a default group (manager) ACL for files created in /home
    setfacl -m d:g::---,d:g:manager:r-x /home
  • Copy the ACL from a template folder to /home
    getfacl /template | setfacl -M - /home
    There's a warning of "getfacl: Removing leading '/' from absolute path names" from the above command, which can be safely ignored.


Sunday, December 6, 2009

Uploading windows printer drivers to Samba

  1. Click Start->Run. In the Open field, type \\sambaserver, where sambaserver is the actual Samba server name, e.g. \\myserver. Click OK.
  2. Find and double-click Printers and Faxes.
  3. Right-click the relevant printer name and select Properties. A dialog box appears saying: The printer driver is not installed on this computer. Some printer properties will not be accessible unless you install the printer driver. Do you want to install the driver now? It is IMPORTANT at this point that you ANSWER NO.
  4. The printer properties panel for the printer on the server is displayed. Click the Advanced tab. Note that the box labeled Driver is empty. Click the New Driver button next to the Driver box. This launches the Add Printer Driver Wizard.
  5. The Add Printer Driver Wizard on \\myserver panel is now presented. Click Next to continue. Select the printer manufacturer in the left panel and the printer in the right panel. Click Next, and then Finish to start the driver upload. A progress bar shows each file being uploaded to the network server at \\myserver\print$\W32X86 (64-bit Windows clients upload their drivers to the x64 subfolder instead). If the driver upload fails, verify that the W32X86 (or x64) folder exists under print$; if it does not, create it and then try adding the printer drivers again.
I found the method on this web link.

Saturday, April 25, 2009

Display Chinese file names correctly on Samba shares

I found I had to add the following to /etc/samba/smb.conf
unix charset = GBK
and restart Samba. This is only needed when the existing file names on the server are GBK-encoded; on a new server, keep unix charset at its UTF-8 default and create file names in UTF-8. I also have the following locale rpm installed:
locales-zh-2.9-4mdv2009.1

Saturday, February 28, 2009

Samba 3 as PDC

  1. Set up the Samba 3 server to authenticate against OpenLDAP as shown in a previous post.
  2. Set the following in smb.conf (roaming profiles disabled):
    domain logons = yes
    domain master = yes
    logon home =
    logon path =
  3. Create the following well-known groups under ou=Group. This can be done in phpLDAPadmin by creating a child entry using the template Samba3 Group Mapping, or with the command net groupmap add. Their values for the attributes cn, displayName and sambaSID are shown below (the first three are the essential domain groups; the SID is the domain SID from the sambaDomainName entry with the well-known RID appended):
    admin, Domain Admins, (sambaSID of sambaDomainName)-512
    guest, Domain Users, (sambaSID of sambaDomainName)-513
    host, Domain Guests, (sambaSID of sambaDomainName)-514
    user, Domain Computers, (sambaSID of sambaDomainName)-515
    The result can be checked with net groupmap list.
  4. Add at least one user from ou=People to the memberUid attribute of the group cn=admin,ou=Group. Its credentials will be needed later when joining workstations to the domain.
  5. Create machine trust accounts under ou=Hosts for the workstations before joining them to the domain. This can be done in phpLDAPadmin by creating a child entry using the template Samba 3 machine. Its Machine Name attribute must be in the format machine_name$, and I chose to set its gid attribute to that of the host group. The attribute sambaNTPassword will automatically show up upon successful joining of the workstation to the domain.
  6. When prompted for a username and password to join the domain, enter the uid and password of a user who is a member of Domain Admins (the NT hash stored in sambaNTPassword is what the server verifies against; the user types the password itself).
  7. Add the group Domain Users to the local Administrators group on a domain workstation (XP Pro) to enable remote desktop access on it for the domain users. The group Domain Admins (RID 512) is already added upon joining the domain.
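The LDIF that steps 3 and 5 produce can be generated rather than typed into phpLDAPadmin. The following is an added example, not code from the original post: it derives the four well-known group SIDs from a domain SID and builds a machine trust account, using Samba 3's default algorithmic RID mapping (uid * 2 + 1000). The domain SID, base DN and POSIX ids are constructed placeholders; on a real PDC take the SID from the sambaDomainName entry and the ids from your own groups.

```python
"""Generate the ldapsam entries a Samba 3 PDC needs: the four well-known domain
groups and one machine trust account (added example; all ids are constructed)."""
import re

# Constructed domain SID: on a real PDC take it from the sambaSID attribute of
# the sambaDomainName entry, or from `net getlocalsid`.
DOMAIN_SID = "S-1-5-21-1234567890-234567890-345678901"
BASE_DN = "dc=examples,dc=com"
ALGORITHMIC_RID_BASE = 1000  # Samba's default `algorithmic rid base`

# (cn, displayName, well-known RID, constructed gidNumber)
WELL_KNOWN_GROUPS = [
    ("admin", "Domain Admins",    512, 1000),
    ("guest", "Domain Users",     513, 1001),
    ("host",  "Domain Guests",    514, 1002),
    ("user",  "Domain Computers", 515, 1003),
]

_DOMAIN_SID_RE = re.compile(r"^S-1-5-21(-\d+){3}$")


def with_rid(domain_sid: str, rid: int) -> str:
    """A domain SID with a RID appended; refuses anything that is not a domain SID."""
    if not _DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    return f"{domain_sid}-{rid}"


def user_rid(uid_number: int) -> int:
    """Samba 3's algorithmic mapping for accounts: uid * 2 + rid base."""
    return uid_number * 2 + ALGORITHMIC_RID_BASE


def group_entry(cn, display_name, rid, gid, domain_sid=DOMAIN_SID, base_dn=BASE_DN):
    """LDIF for one group mapping entry; sambaGroupType 2 is a domain group."""
    return "\n".join([
        f"dn: cn={cn},ou=Group,{base_dn}",
        "objectClass: top",
        "objectClass: posixGroup",
        "objectClass: sambaGroupMapping",
        f"cn: {cn}",
        f"gidNumber: {gid}",
        f"sambaSID: {with_rid(domain_sid, rid)}",
        "sambaGroupType: 2",
        f"displayName: {display_name}",
    ])


def well_known_groups_ldif(domain_sid=DOMAIN_SID, base_dn=BASE_DN):
    """All four well-known groups as one LDIF document (entries separated by a blank line)."""
    return "\n\n".join(group_entry(cn, name, rid, gid, domain_sid, base_dn)
                       for cn, name, rid, gid in WELL_KNOWN_GROUPS)


def machine_entry(hostname, uid_number, gid, domain_sid=DOMAIN_SID, base_dn=BASE_DN):
    """Machine trust account: uid is the NetBIOS name plus '$', flag W = workstation.
    sambaNTPassword is deliberately absent; Samba sets it when the host joins.
    The spaces inside the sambaAcctFlags brackets are padding that Samba ignores."""
    name = hostname.upper() + "$"
    return "\n".join([
        f"dn: uid={name},ou=Hosts,{base_dn}",
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: sambaSamAccount",
        f"uid: {name}",
        f"cn: {name}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid}",
        "homeDirectory: /dev/null",
        "loginShell: /bin/false",
        f"sambaSID: {with_rid(domain_sid, user_rid(uid_number))}",
        "sambaAcctFlags: [W          ]",
    ])


if __name__ == "__main__":
    print(well_known_groups_ldif())
    print()
    print(machine_entry("pc01", 3001, 1002))
```

Feed the output to ldapadd and confirm with net groupmap list; the machine entry's gidNumber points at the host group, matching step 5, and its sambaSID must not collide with any RID that pdbedit has already allocated to a user.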

Great Ref: The Official Samba 3.2.x HOWTO and Reference Guide
1. Chapter 27. Desktop Profile Management: contains instructions on how to
  • Disable roaming profiles
  • Convert Local Profile to Domain Profile
2. Chapter 12. Group Mapping: MS Windows and UNIX: contains important information about essential domain groups and their default RID.

Wednesday, October 1, 2008

Samba 3 user authentication against OpenLDAP server

The Samba 3 daemon is running on the same host as the LDAP server (OpenLDAP 2.4), and only the following LDAP-related settings are added to /etc/samba/smb.conf:

passdb backend = ldapsam:ldap://127.0.0.1/
#Specifies the base for all ldap suffixes and for storing the sambaDomain object
ldap suffix = dc=examples,dc=com

# Acceptable only because the directory is on the loopback interface; over a network use ldaps or start_tls, since the password hashes travel over this connection
ldap ssl = off
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
ldap delete dn = no
ldap admin dn = cn=manager,dc=examples,dc=com
# You will need to give samba the password for this dn by
# running 'smbpasswd -w mypassword'; it is kept in secrets.tdb, which must stay root-only


Then run testparm to make sure the smb.conf file is OK. New Samba users can be added to the LDAP directory by running "pdbedit -a -u username" if username already exists in the system (e.g. /etc/passwd); otherwise run "useradd username" first.

At the LDAP server, there is an entry sambaDomainName=XXX,dc=examples,dc=com created by pdbedit. Note that XXX must be the NetBIOS name of the Samba server (on a PDC it is the workgroup name). It has a required attribute sambaSID=S-YYY, the domain SID from which all user and group SIDs are derived. The Samba user entry created by pdbedit has the following attributes:

objectClass: sambaSamAccount
sambaAcctFlags: [U ]
sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaNTPassword: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
sambaPwdLastSet: 1222817828
sambaSID: S-YYY-ZZZ

Note that the sambaPwdLastSet attribute is required for the Windows client to authenticate properly (a missing or zero value is treated as "password expired"). Otherwise net use would report the following error:

System error 1907 has occurred.
The user's password must be changed before logging on the first time.

If the pwdInHistory attribute of the password policy under cn=default,ou=password policies is set and a user tries to change his password in Windows to one stored in the history, he'll receive an error message like the following:
Your password must be at least x characters; cannot repeat any of your previous x passwords; must contain capitals, numerals or punctuation; and cannot contain your account or full name. Please type a different password. Type a password which meets these requirements in both text boxes.

The required attributes can easily be added to all the user account entries with the Perl module Net::LDAP. Bear in mind that sambaNTPassword is the unsalted MD4 of the password and is password-equivalent for NTLM, so the LDAP ACLs must restrict it to the ldap admin dn; the sambaLMPassword hash is far weaker still, and with lanman auth = no Samba no longer accepts LM responses, so it need not be stored.

Close unwanted SAMBA or NTLM sessions in Windows

As an administrator, type in CMD either
  1. net stop workstation, answering Y and then N to the prompts, or

  2. net use /persistent:no
    net use * /delete /yes


Either method closes all remote connections this computer has made as a client. Then reconnect with the desired credentials:
net use \\Server\share * /user:username

Sunday, September 23, 2007

Samba share access control

Recently I found a problem with my existing Samba share settings: every time I edited and saved a file in the share from a Windows client, the UNIX file permissions were also changed on the Samba server, which is not desired.

After reading this article about Samba share access control, I found the solution in the "security mask" setting, which controls which UNIX permission bits may be modified when a Windows NT client manipulates the UNIX permissions on a file through the NT security dialog. Another useful setting is "force create mode", which specifies a set of UNIX mode bits that will always be set on a file created by Samba.

So I added security mask = 0000 and force create mode = 0774 (rwxrwxr--) to my smb.conf under the share definitions section. Now Windows can no longer change the UNIX permissions on a file. Note that the security mask only governs permission changes made from the client; the mode of newly created files comes from create mask and force create mode, and 0774 also sets the execute bits on every file created through the share, so 0664 is the usual choice unless the share holds executables. The new share definition looks like this:

[homes]
comment = Home Directories
browseable = no
writable = yes
inherit permissions=no
security mask = 0000
force create mode = 0774

Specify force user = to make a folder easier to share between several users: everyone in @admin who connects then acts as the apache user on the file system, so all files end up with one owner. Because everything written to this share becomes owned by the web server's account, a dedicated account is a safer choice than a service account that httpd also runs as.
[sysbak]
valid users=@admin
force user = apache
force group = admin

Set the following in the global section if MS Office often saves to the Samba shares (they trade throughput for data safety: every write is flushed to disk and no oplocks are granted to clients):
strict sync = Yes
sync always = Yes
oplocks = No
level2 oplocks = No