Add a Simple Samba File Server as a Domain Member

ssambaIf you already have an Active Directory Domain Controller in place, diligently servicing all your needs and making itself indispensable, hopefully you’ve chosen Linux and Samba 4 to fulfill this.

If you haven’t used this free and open version of Active Directory and the domain controller, perhaps you’d like to? For the latest and greatest Samba 4 version that you compile yourself, you can follow the steps outlined for Debian Wheezy (and possibly Ubuntu).

Remember, too, that Debian backports now has a much more recent version of Samba 4 in its archives, and it seems to be working great right now.

But suppose you have that beast in place, and you want to add, say, a network file server — some storage that can be accessed by all domain users and whose rights and permissions are determined by your Active Directory domain controller.

It’s easy to just create a share on your Samba 4 Active Directory Domain Controller, and serve that out, with all the permission “goodness”.  But maybe you don’t have tons of storage in that box, or in that VM, and you don’t want to, either.

Or, you could find some filthy user’s computer in the domain that has a lot of hard drive space in an array, and map it out to the others. (I mean lovely user – it’s a joke!#$@!). But we know that’s a terribly unsettling idea.

So why not build out or spin up a new Samba 4 server that’s pretty much dedicated to housing user data, whether that’s shared between the masses for apps or data, or just for daily backups.

I’ll tell you why. Because you’re frightened. How can you get one Samba server to listen to another Samba server and believe all its tales about the users and their permissions? How will the UIDs and GIDs match up for filesystem stuff? Sure, you know it’s possible. You’ve looked around. You’ve seen all kinds of insanity for linking Samba 3 into Windows AD/DC, mapping local users and huge cut-‘n-paste swaths of wild configuration blocks.

But if you go Samba 4 again, will you find any documentation that is currently to the point where Samba 4 development is? Or to the way that Debian has mutated it?

The answer is yes! All over the place, including the Samba site itself, and it’s all whacko and incomplete, if all you want to do is create a simple file server – you just want a simple Samba 4 file server that is a domain member file server. You don’t care if users can ever log into the Linux box. You just want them to have access to Windows file shares served with Windows users permissions and rights honored.

And you may think… I’ll just make a big RAID disk on some server, and serve out to my One Box To Rule Them All Samba 4 AD/DC – and then it has big drives and plenty of space! Well, it would if NFS or CIFS handled extended filesystem attributes… Alas! We are thwarted.

So here’s what I did:

Prerequisite

You must a Samba 4 Active Directory Domain Controller running just fine already. Or a normal Windows-y one if you must run a Windows one for some nonsense reason.

You must have a Debian (or possibly Ubuntu) server ready to go with only the minimal stuff installed – like the SSH server. That’s because it’s proper. And you will be proper. Another distribution is fine of course, just don’t complain to me.

Don’t use Debian Wheezy’s version of Samba 4. It’s not ripe yet. And don’t use Samba 3. It’s overripe. (Simply too many notes) Either roll your own Samba 4 from source or enable the Debian backports repository and go with that version of Samba 4, there.

If you follow the instructions to roll your own, skip the samba-tool domain-provision step and the Cold, Cruel Kerberos sections!It makes your new Samba 4 server have delusions of grandeur and it won’t want to listen to your already-existing AD/DC.

If you go with Debian backports, this is what you’ll need:

# apt-get -t wheezy-backports install samba samba-doc samba-testsuite winbind libnss-winbind
# apt-get install acl

Setting Up the Samba 4 Domain Member

The smb.conf [global] section

If you’re using the Debian version of the /etc/samba/smb.conf from backports, throw away everything in it, because it’s garbage Samba 3 stuff and they haven’t bothered tidying anything up.

For a simple Samba file server, you just need your [global] section and your share definition. I’ll highlight some of the stuff in it, after this example listing (that works just great). Be certain that your filesystem that serves out the stuff is mounted to support xattr and acl’s. (in your /etc/fstab put the mount options “user_xattr,acl” in place of “defaults”).

Anyway, here’s that /etc/samba/smb.conf file:

[global]
  netbios name = <servername>
  workgroup = <win domain>
  security = ADS
  realm = <kerberos realm>
  encrypt passwords = yes

  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config <win domain>:backend = ad
  idmap config <win domain>:schema_mode = rfc2307
  idmap config <win domain>:range = 3000000-4000000

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes

  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

That’s it, really. I love Samba 4 for this. Consider me gushing and oozing again, all over the Samba development team again for doing such a damn fine job pulling so much together. Very well done.

Here’s what some of those things are:

  • netbios name – anything you like – I like to use the hostname portion from DNS
  • workgroup – that’s your Windows “domain”. Make it the same as your main Samba 4 server’s.
  • realm – your Kerberos realm – again, make it the same as what your main Samba 4 server’s is.

Now, the idmap stuff should be fine for you to use, if your AD/DC is standard Samba 4. The range values are UID values that map to local users (the asterisks) and your AD users (the <win domain> ones).

By default, at least right now, Samba 4 is by default using the UID range of 3000000 – 4000000. That can be changed when you set up your Samba 4 AD/DC. A Windows-based AD/DC is probably different. Find it out, and put it there.

The local mapping range just shouldn’t overlap your domain range ones. And I kept mine well above any UIDs I’d really be using locally on this machine (in the 70000’s… 😉 )

I hate winbind. I just copy and pasted that bit from some Samba site documentation dealing with domain member servers. It seems necessary, especially the nss bit for letting your system know about domain users on the AD/DC.

The last 3 lines are critical if you want permissions to be right on the filesystem here.

The smb.conf Share Definition

Behold the glory of letting a fascist AD/DC handle all your decisions for you!

[storage]
   path = /srv/storage
   read only = no
   admin users = "@MYDOMAIN\Domain Admins"

Whatever path you want there, Sparky. And the MYDOMAIN bit is your domain of course, just like above. And oddly, this is the tricky one that caused me quite the headache.

After I got all this set up, I couldn’t set permissions on the share as a domain administrator. Permission denied. You have to add the “admin users” parameter even for domain administrators. I like this because it gives your local root the final authority still. But nobody mentioned this and it took forever to figure out. Here, I have the admin users be anyone @MYDOMAIN who is part of the Domain Admins group on the AD/DC.

But I digress.

The Final Steps

Of course, reload or restart this Samba daemon and its associated daemon cohorts of nmb and winbind.

# service samba restart
# service winbind restart

I hope you didn’t “provision” this Samba 4 server with samba-tool…

Also, remember to edit your /etc/resolv.conf file to make sure the nameserver you’re using is your Active Directory Domain Controller. If you don’t, you won’t be able to join the domain, since it relies on that absurd DNS injection flotsam.

The next step is to join your domain as a domain member.

# net ads join -Uadministrator

No, it’s not magic. It just gets your domain info from you smb.conf file.

If you got an error, you might want to make sure that you’re using your main AD/DC server as your DNS server in /etc/resolv.conf – that is, make sure your ‘nameserver’ is set to the IP address of your primary AD/DC. If it’s not, you won’t get the revolting Microsoft DNS injection they made necessary, and you’ll fail.

Remember the NIS/YP stuff? No? Well, then just do what I say:

# edit /etc/nsswitch.conf

Then add “winbind” to the end of the passwd and group lines, while leaving the rest of the file alone:

passwd:         compat winbind
group:          compat winbind

Final Thoughts

You might want to reboot. Make sure your mountpoint for the share you’re offering has those attributes specified in /etc/fstab.

You’ll probably want to grant your domain admins the ability to control files and permissions on your shares as well:

# net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -Uadministrator

But maybe not! I think it’s pretty well handled by specify the admin on the share level of the smb.conf file. But I did both, because I was flailing with that problem I mentioned earlier, and will not reiterate out shame.

Anyway, that’s about it. Except for, of course, always be sure you install ntp since time is so critical for this implementation with Kerberos. Just a few steps really, but lots of words and background info on why. Hope it helps.

25 thoughts on “Add a Simple Samba File Server as a Domain Member”

  1. Great article. Thank you very much.

    One slight correction (I think) – it wouldn’t work unless I flipped the “@ in the following line:

    admin users = “@MYDOMAIN\Domain Admins”

    For me:

    admin users = @”MYDOMAIN\Domain Admins”

    Again, thanks much – worked a treat.

  2. Thanks so much for these articles, I dare say you’ve surmarised it all to the point of being manageable! Cheers {^_^} b

  3. Thanks! But one thing, I had to remove the two lines about idmap config *
    Then wbinfo -i and getent enumerates AD users.
    I use Debian Jessie

    1. Hi again!
      Sorry I did my ansawer too fast… unfortunately, even if domain users shown this way, their UIDs are identical and non revelant.
      I ended up by using SSSd with Realmd and it rocks!
      But you must give uid-number and gid-number to your samba users

  4. Mark

    Thank you for sharing this samba4 how-to. It was exactly what I was looking for. I have followed all steps with no errors.
    However when I test it, the user gets a temporary profile.
    The path where the profiles are supposed to be stored is owned by “Domain Users” and it also belongs to the same group. For testing purposes I have given full permissions to “everyone” on the path but user still gets temp profile.
    If you have any troubleshooting ideas please let me know

    Many thanks.
    Yanni

    1. Thanks Yanni! 🙂

      Hmm. Well, this was meant to be a step by step for being a file server, not for a machine people log into. But if you’re talking about logging in as users, you’ll need something like libpam-winbind and/or libnss-windbind — that links it to login process, and the creation of user home directories, which should happen in /home and then your active directory domain name, and then the userid: /home/my.domain.com/userid

      1. Hi Mark

        No users do not log into directly to the samba fileserver., they just store their profile there.
        I have a winserv2012 AD. All users are created in there and the profile path is set to \\sambafileserver\profiles. The samba fileserver is a member only of the microsoft AD domain. User logs into a win7 client (also AD domain member) but always gets a temp profile. If anyone has come across a how-to relative to this scenario please share the link.

        Thank you.

        1. Ah! So for “roaming” profiles then, yes? Well, if you have a profiles share set up on your Samba server, and have pointed your MS AD user profiles to it in their editing tool, it should work. But if I’m remembering right… I know sometimes Windows clients have trouble finding their profiles when you make a change, even if they’re pointing to the right one. There was a registry key somewhere that made them search for it again… I’ll do a quick search… that might be what you need, but I don’t know… HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList is what I came up with.

  5. Just curious what you mean when you say Debian with SSH is proper. Are you referring to some characteristic or property of Debian/Ubuntu that is “proper” or that having SSH configured right away on a fresh *nix install is “proper”? Second question, what do you mean by proper–that it’s a best practice?

    Thanks for the write-up!

    1. Well, the “proper” way is my way. 😉 As is best practice. 😛

      Unless I get convinced otherwise, which won’t be easy, if I’ve chosen to use the word “proper”. I almost never use the term “best practice”. It relies on my believing some group mind out there somewhere.

      As for Debian — that use there is a bit of a jab at Debian for making SSH its own separate thing during an install. Just a tiny little SSH, in the middle of those big groups of software meta-package selections.

      Never, ever have I not wanted SSH. Nor have I know anyone else to not want SSH. Even on their laptops. Who doesn’t select it?? Or have to go through the same back-breaking inconvenience of installing it manually after you forgot to select it.

      SSH is proper on a system. Debian or otherwise. Unless it’s some finalized set-in-stone device that may live or die of its own accord.

      It’s always irritated me that the SSH selection is there on install. Of course install SSH!! It’s the very rare case where you wouldn’t want it. And it took me years to remember to go down and check it, stopping at that particular screen… waiting for it… and to undo the desktop. Debian presumes I want a Desktop more that in presumes I want SSH!

      Then again, SSH allows an opening. An opening bigger than a login manager that has TCP disabled by default. So I can’t really complain too loudly about it.

      But I can give a little jibe about years of angst that SSH select box has provided me with, by saying, yes, a Debian system is proper with SSH.

      So… there you have it. 😉 Proper in that instance defined. By me. 😉

      Thanks Matt 🙂

      1. Best argument for SSH evar! But really, who DOESN’T want it?

        The only thing that makes me more angry is sitting down at a windows machine (rare occasion…), popping open a term window, and trying to telnet to something….command not found? WHAT? Ugh, right, MS in their infinite wisdom decided to drop that minuscule but infinitely useful utility somewhere along the line, and I am always having to fumble around trying to remember where the hell to ‘install’ it again. As if another 27k is going to make much difference to their titanic sized bloatware that they claim to be an OS. /rant.

  6. I try since hours, since days. But all I get is “Access denied”. I have a Windows 2012R2 Essentials server and a Debian Jessie client running Samba 4.1.17. The domain-join works perfect and the fileserver is reachable from the dc but no share is accessable. Years ago it worked using Win Server 2008 and Wheezy, but I hoped I can drop all those kerberos, winbind, etc.-configthings and just use samba4? What else do I have to configure? Heeelp…

    1. Perhaps a bit more details: I get those log-messages:

      [2015/06/26 22:10:39.757750, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
      Kerberos ticket principal name is [Admin@MYDOMAIN.LOCAL]
      [2015/06/26 22:10:39.759062, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
      Username MYDOMAIN\Admin is invalid on this system
      [2015/06/26 22:10:39.759091, 1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
      Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)

      wbinfo -u and wbinfo -g are showing the correct things. If I try (from Windows-Server) to access the samba-server using an unknown user the error message says: “Username or password wrong”, with known users there only comes “Access denied” – So this shows to me, that the system recognizes the ad-users, but it does not allow access. What can I do… I have to get it running til monday… goodbye weekend.

  7. Hi Mark

    I have followed your tutorial , But when the users, even logged in the domain, click on the share, a box appears asking for authentication and the authentication failure, I believe it may be because of the values below, placed on smb.conf:

    idmap config *:range = 70001-80000
    ….
    idmap config CMB:range = 3000000-4000000

    The member server is in the domain, it see the users and groups (wbinfo –u and wbinfo –g), the Kerberos show ticket (klist) for users.
    I use Debian 7.2 – 64 bits, on Citrix XenServer with the Samba 4.2.2 compiled
    Do you have any idea?

    1. There are so many things I don’t know about what you have set up elsewhere that it’s very hard to say. Did you set the permissions on the shared folders from your main domain controller? I think that step is probably pretty important.

  8. Hello Mark,
    I have a question regarding to Samba Domain Controller,
    I have setup the samba 4 as a Domain Controller and I attached Window 8.1/10 Client into this Domain but when I try to login with domain user I always got Temporary Profile, all I want to do is a Local profile on each client, do you have any information that allow me to config samba or maybe window client to be able to use a local profile? I don’t want to use roaming profile anyway.
    Thank you in advance,
    Ping

    1. Hi Ping! Sorry but I have no idea about the more esoteric Windows aspects, such as the profiles. Furthest I’ve gone is having it auto mount (map drives) for home directories on the network

  9. Hi, thanks for the post.
    I found a problem with access shares by users that have a “point” in the username. Example: “fistname.lastname”
    Do you have any idea what might be the problem?
    All other users without “.” the name can normal access.

    On the domain server everyone can access without problems. PDC samba3 + openLDAP.

    1. It probably happens because in the way I set things up, I do mapping back to local unix userids if they are there. That’s the idmap in samba and the use of Winbind.

      However, unix usernames don’t allow any weird characters by default, except I believe you can use dashes. You may be running into something there. And if you don’t have local unix userids, still it may be a problem in that something doesn’t like that invalid local userid even when you don’t have any (just from it checking if they exist).

      That’s my guess anyway! 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *