Tag Archives: debian

Installing Perl 6 on Debian or Ubuntu

Keep in mind, this is written on 09-Sep-2016 and stuff can change over time.

Perl 6 is developing rapidly, specifically, the MoarVM and Rakudo which comprise the environment that implements the Perl 6 specifications.

Every Linux distribution comes with Perl. Many have Perl 6 now as well. With Perl 6’s rapid development, these distribution packages of Perl 6 can be outdated.

This is how I installed Perl 6 in Ubuntu and this should also work for Debian. We rely on a system much like Perlbrew, called Rakudobrew, to automatically download and compile the necessary stuff for us, and change our environment to be able to find perl6.

Git Your Compile Tools

First, you need to be certain you have the tools and libraries necessary to compile stuff on your local machine.

apt-get install build-essential git

This will install the gcc compiler and various libraries along with the git version control system so we can download the latest rakudobrew and keep up to date over time.

Download and Install Rakudobrew

git clone https://github.com/tadzik/rakudobrew ~/.rakudobrew
echo 'export PATH=~/.rakudobrew/bin:$PATH' >> ~/.bashrc
source ~/.bashrc

The first line uses git to download the rakudobrew archive into your home directory in .rakudobrew. No biggie. These instructions are taken (mostly) directly from the Rakudo site.

The second line alters your shell environment PATH to include this directory’s “bin” subdirectory. This is wildly dangerous unless you trust absolutely where you are downloading from, which is never a good idea. You can always just compile it yourself if you follow the instructions on the above-linked Rakudo site.

The third line alters your currently-existing PATH in your terminal to add that .rakudobrew/bin directory (you could also close your terminal and open a new one instead).

Have Rakudobrew Compile Rakudo and MoarVM

This bit’s the easy part now, thanks to Rakudobrew.

rakudobrew build moar
rakudobrew build panda

The second line builds and installs Panda, which seems to be a cpanm-like thang for Perl 6 modules. To have a complete Perl 6 experience, you’ll need some of those modules that are commonly bundled up with Perl. You can get them with

panda install Task::Star

And there you'll have Rakudo Star! Like cpan or cpanm, it will take a while to download and compile the modules.

How to Run a Perl 6 Program

Easy enough if you’ve done the bit above to include .rakudobrew/bin in your shell path. You can just type “perl6” and have an interactive interpreter to play around with.

Or if you prefer to edit a file, you can run the file with

perl6 filename

Tough, eh? Or if you'd rather the OS knows to do perl6 for you, give it that magic hashbang at the top of the file like so:

#!/usr/bin/env perl6
my $code = "about normal";
say "I know nothing " ~ $code;      # say as a function
("I know nothing " ~ $code).say;    # say as a method on the string
say "The new $code";                # interpolation inside double quotes

No need for warnings. No need for use Modern::Perl. No need for strict, Try::Tiny, etc.

There ya go!

Creating a Debian GNU/Linux Server – a Minimal Install

When you’re creating servers you usually don’t want the overhead of a GUI. This is particularly true when you’re creating a virtual server. You only want the stuff you need. And the basic Debian, of course, to hold it.

Grab an Install Image

Debian has several install images available. I usually prefer the network install image (netinst). It's minimal in size, giving you what you need to install, and then downloads only what you need.

I usually use the 64-bit one as well, even though you can save a little memory using a 32-bit one. There is a “Live” one, but I’ve not had good luck with it in unusual circumstances, which is often the case when I’m making servers or little devices.

If you won’t have a working network connection, get one of the full images instead. All Debian images are updated from time to time, as updated releases happen, so check occasionally.

Install Media

If you’re installing into a virtual machine, you’re already set with this ISO image. If you’re installing onto hardware, I find a USB thumb drive is most useful.

The Debian ISO images have long been set up to create proper bootable disks by just dumping the ISO data directly to the USB.

To create the USB stick in Linux, it's just a matter of using dd to dump it. In Windows you'll need a program such as Unetbootin to create the bootable USB stick from that ISO image. Unetbootin also runs in Linux, and it's often packaged in Debian already.

But the quick and easy way is to just use a command prompt. Find your USB drive's device name – that's the hardest part. In Gnome you can look at the disk utility, or tail the syslog and watch while you plug it in. 😉

$ wget http://cdimage.debian.org/debian-cd/7.6.0/amd64/iso-cd/debian-7.6.0-amd64-netinst.iso

$ dd if=debian-7.6.0-amd64-netinst.iso of=/dev/usbdrivename bs=4M ; sync

Please be very careful with that dd command. You can easily destroy your system or data if you put in the wrong of= parameter. But if you don’t destroy your system or data, we’re ready to go.
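Two checks worth doing before that dd command, as an added example that is not from the original post: verify the ISO against the SHA256SUMS file Debian publishes next to each image, and refuse to write to anything that is not a removable whole-disk device or that holds the running root filesystem. The device and file names are placeholders.

```shell
#!/bin/sh
# Added example: pre-flight checks before writing a Debian ISO with dd.
# Assumes GNU coreutils (sha256sum), util-linux (findmnt) and a Linux /sys.
set -eu

# Return 0 when the sha256 of ISO matches its entry in SUMSFILE
# (Debian's SHA256SUMS format is "<hash>  <filename>").
iso_checksum_ok() {
    iso="$1"; sumsfile="$2"
    expected=$(awk -v f="$(basename "$iso")" '$2 == f || $2 == "*"f {print $1}' "$sumsfile")
    [ -n "$expected" ] || { echo "no entry for $(basename "$iso") in $sumsfile" >&2; return 1; }
    actual=$(sha256sum "$iso" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Return 0 only when DEV (e.g. /dev/sdb, not /dev/sdb1) is a whole block
# device flagged removable by the kernel and does not back the root filesystem.
usb_target_ok() {
    dev="$1"
    name=$(basename "$dev")
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    [ -f "/sys/block/$name/removable" ] || { echo "$dev is a partition or not a disk" >&2; return 1; }
    [ "$(cat "/sys/block/$name/removable")" = "1" ] || { echo "$dev is not removable" >&2; return 1; }
    rootdev=$(findmnt -n -o SOURCE / 2>/dev/null || true)
    case "$rootdev" in
        "$dev"*) echo "$dev holds the root filesystem" >&2; return 1 ;;
    esac
    return 0
}

# Only after both checks pass does dd run (the same command as in the post).
write_iso() {
    iso="$1"; sumsfile="$2"; dev="$3"
    iso_checksum_ok "$iso" "$sumsfile" && usb_target_ok "$dev" || return 1
    dd if="$iso" of="$dev" bs=4M && sync
}

# Usage with placeholder names:
#   write_iso debian-7.6.0-amd64-netinst.iso SHA256SUMS /dev/sdX
```

The root-device check only catches plain partitions; a root on LVM shows up as /dev/mapper/… in findmnt, so the removable flag is the check that actually protects you there.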

Make sure you set your BIOS or UEFI to boot from the USB drive, or if you’re installing into a virtual machine, don’t forget to attach it as a CDROM.

The Install

The first screen you’ll come to when booting will let you pick between a normal install and a graphical install (along with some advanced options, which we’ll hopefully cover later).

I usually pick the normal install because you don’t have to worry about moving a mouse around as much, nor do you have to worry about there being any strangeness with your graphics cards and this particular kernel (which is rare any more on a base install).

The next screen lets you pick the language, which defaults to English, your location, your keyboard layout (all English and American by default).

After just those few very basic questions, the install will start loading some kernel modules it might need, including those needed to activate your network interface.

The Network Interface

The Debian installer will now try to set up any network interfaces it finds. It will try to configure both IPv6 and IPv4 with DHCP. You can, of course, specify the configuration manually if it doesn’t detect network configurations.

If you’ve got a good hostname, it will fill that in from DNS automatically, or you can specify it yourself. Same with domain name.

If no hardware interfaces are detected, you can always go back to the main menu and try loading kernel modules manually, if there are any, or just weep. It seems that just about everything is recognized any more.

User Account Setup

Next you'll be prompted to enter a password for the root user. Debian enables root logins by default. If you want to disallow them, you'll need to install “sudo”, add a normal user to the “sudo” group, and disable the password of root (passwd --lock root). If you do that, you can still log in as root with SSH keys, if you have them.

After you set root’s password, you’ll be prompted to add a new, normal system user. I hate that they added this bit. But just enter something I suppose.

Final Little Miscellaneous Config

You’ll need to enter in your timezone. I know! So hard.

Disk Partitioning

Gods help you. There are so many ways you can do it. If you have one drive and want everything just on that drive, select “Guided – use entire disk”.

I never do that, though, unless it's a virtual server. I like to set disks up with LVM, and RAID multiple disks together. You can do all that nice and easily in the disk partitioner if you like. It's very well laid out. But more complex disk partitioning schemes are beyond the scope of this quickie walk-through.

You can, of course, read through an intro to various Logical Volume Manager disk stuff if you like. The Debian installer automates a lot of that.

Another nice feature is that you can set up full disk or partition encryption here, too, which is convenient for your secret purposes. You can encrypt a partition or a RAID device or LVM volumes themselves. Many people argue over which is best to do. I have my moods, and like variety.

I rarely choose anything but to place all files in one partition. This is because I would rather muck about with the underlying volumes and devices. However, there are some very good reasons to separate your mountpoint concerns in some situations, particularly with read-only and highly space-constrained systems.

After answering the partitioner's few questions, you'll be presented with its final understanding of what you wanted, which you should verify. Let's look at one I just did:

Debian Partitioner

Here you see I chose to put everything in one partition using LVM underneath it. Which, of course, the installer lies about, and really creates a boot partition for you as well. And even a UEFI one if your system's got that. It's good practice to keep a separate boot partition.

The Debian installer organizes things from the most abstract up top, to the most low-level stuff below. You’ll see the LVM volume group and logical volumes it wants to create on top, and the actual disks that contain those down below.

Generally, when you want to make changes, start at the top and work your way down, if you really need to. I’m going to skip the LVM configurator and the RAID configurator, because we could really just go on forever with that.

The point is, the Debian installer gives you incredibly good access to setting up your storage in all kinds of ways. They were the first to support so many different things at boot, and although it can bring complexity, you don’t have to deal with that complexity any more if you just follow their defaults (all in one place).

So… after it looks right to you, or doesn’t and you’re just trusting, you select “Finish partitioning and write changes to disk” and you’re good to go.

Oh, you can move the cursor to any of those top mount points and change the filesystems you want to use, or what gets mounted where, all that stuff. If you like, or have the need. Even mount options that will get automatically passed along to your system's fstab.

You should know that the base Debian system is very small indeed. The 8Gb you see here will leave plenty of room for many, many things that servers do. The end user data stuff, probably not. But you can always tack on a new disk for that, or partition it in a different place.

Installing the Debian System

After your partitioning and formatting are successful, the installer will install the base Debian system, which is, well, the base system. All you need to boot up and get going, adding whatever packages you like.

After it does that, it will want to set up updates for you, and will ask where you are so that it can find a Debian archive mirror that is close to you.

Pick one! Then it will ask you if you use an HTTP proxy to get out to the net. If you do, enter the info here. And as an aside, setting up a proxy for Debian packages is really, really nice when you do a lot of virtual machines. It saves you having to download the packages to every machine, which can save a great deal of time, over time. apt-cacher-ng is my personal favorite.

It will then download archive package indexes, install and update any packages that may need doing, and then it wants to know just what type of Debian system do you want here?

Software Selection

If you're doing a server, uncheck the Debian desktop environment. It's too fat. Odds are you don't want a print server, either. Why is that checked by default? Whose version of madness is allowed to permeate us all so?

Standard system utilities is all you want. And SSH server.

But, maybe you’ll want to run this as a DNS server, whether master or slave? You can check that and it will set up Bind9 for you.

File server will give you Samba 3 and some utilities. Mail server gives you Exim 4 – which I finally, after years of clinging to Sendmail, surrendered to myself. Web server gives you Apache 2.

But all those others can be easily added with apt-get later. Standard system and SSH is the way to go. Check that, and away you go.

Boot Loader

After the install finishes, the installer will want to place a boot loader on the drives. The boot loader used by default is Grub. It’s pretty good at detecting other installed operating systems, which hopefully you haven’t overwritten by telling the installer to use an entire hard drive. Well, unless you want that.

The installer seems to do a very good job of working with UEFI as well. However, I have noticed that from time to time, Windows 8 will not like to boot after installing a new boot loader. Be warned if you’re trying to dual boot with Windows 8. Sometimes it works, and sometimes it doesn’t, and the only thing I can think of is different motherboard manufacturers implementing UEFI differently.

Let the boot loader install, and your new minimal Debian system should reboot up just fine, ready for you to begin work on making that new server.

The Debian developers have done a really great job of creating a very minimalist and simple installation system. And for popping out one virtual machine after another, it really can’t be beat.

Change Default SMTP Relay Port in Debian’s Exim4

It seems fairly common for someone to have a private range of IP addresses behind a dynamic IP address assigned by an ISP. If this is your situation, you may get your SMTP port blocked by your ISP.

For those of us with SMTP relays in a central place on the Internet, having our SMTP port blocked by our “conscientious” local ISP is troublesome. But, they usually excel at troublesome.

So when your local machines or servers need to send mail, like, say, to report that a hard drive in the array has failed… they’re out of luck unless you send it through your ISP’s relay.

Unless… your ISP allows at least some mail ports through (or you set yours to listen on bizarre ports, which is commendable when necessary).

So we know that residential Comcast blocks SMTP port 25, which keeps us from relaying our valid email from local machines. But they don't block port 587, which they consider “secured” for some reason. Why? I don't know. You can, and should, and most smart people do encrypt on port 25. And you don't have to encrypt on port 587 if you don't want to. And relays can be open on port 587 as easily as port 25. So… not sure why they think port 587 is “secured” while port 25 is “unsecured”. I think they just enjoy being fascists all-around. (please don't smite me Comcast, I'm just a poor thing trying at humor)

Anyway, mail servers typically aren’t configured to relay on ports other than 25. It’s pretty easy to get them to listen and relay on the other ports, though. This post isn’t about listening, though. It’s about sending. And to send mail, relaying on port 587 (submission port) instead of port 25:

# edit /etc/exim4/update-exim4.conf.conf

Then just change your SMTP smarthost (mail server that relays mail on  your behalf to its destination) line:

dc_smarthost='mymxserver.mydomain.com::587'

You just append 2 colons and the port number. Of course, your mail server actually has to be listening on that port as well. Debian’s (and by extension Ubuntu’s) mail server Exim4 automatically deals with protocol and encryption negotiation.

Remember, any time you change your update-exim4.conf.conf file you need to run:

# update-exim4.conf
# service exim4 reload

That lets Debian generate all its Exim4 configuration magic that so vexes the Exim4 developers. But believe me, it's nicer than having to worry about doing it all by hand in the pure Exim4 way.
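The smarthost edit plus the regeneration step, scripted, as an added example that is not part of the original post or of Debian's Exim packaging. It rewrites (or appends) the dc_smarthost line as host::port, refuses a bad port, and lets you read back which port is configured; the hostname is the placeholder from above.

```shell
#!/bin/sh
# Added example: set the Debian Exim4 smarthost to HOST::PORT and regenerate.
# Assumes GNU sed (for -i) and Debian's update-exim4.conf / service exim4.
set -eu

# Rewrite (or append) the dc_smarthost line in FILE so it reads 'host::port'.
# Returns non-zero without touching FILE if PORT is not a valid TCP port.
set_smarthost() {
    file="$1"; host="$2"; port="$3"
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    if grep -q '^dc_smarthost=' "$file"; then
        sed -i "s|^dc_smarthost=.*|dc_smarthost='${host}::${port}'|" "$file"
    else
        printf "dc_smarthost='%s::%s'\n" "$host" "$port" >> "$file"
    fi
}

# Print the port the smarthost line in FILE points at; 25 when no ::port
# suffix is present (Exim's default for SMTP).
smarthost_port() {
    value=$(sed -n "s/^dc_smarthost='\(.*\)'$/\1/p" "$1")
    case "$value" in
        *::*) echo "${value##*::}" ;;
        *)    echo 25 ;;
    esac
}

# Apply the change on a live Debian box (run as root), then regenerate the
# Exim configuration and reload, exactly as the post says you must.
apply_smarthost() {
    set_smarthost /etc/exim4/update-exim4.conf.conf "$1" "$2"
    update-exim4.conf
    service exim4 reload
}

# Usage with the placeholder relay from above:
#   apply_smarthost mymxserver.mydomain.com 587
```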

By the way, you can also just reconfigure Exim4 using the standard Debian dpkg scripts, and for your “smarthost” question, answer with those extra 2 colons and the port number as well as the FQDN of your mail relay.

# dpkg-reconfigure exim4-config

That script stuff will also restart the exim daemon for you.

Do that, and your boxes can now happily relay to your central SMTP mail server on port 587 instead of port 25 – or whatever other port your preferences or necessities might take you.

Fix for MRTG Generating SNMP_Session Error in Debian Wheezy (and possibly Ubuntu)

Lately, after an upgrade from Debian Squeeze to Debian Wheezy, MRTG is sending emails every few minutes when it runs from the crontab. This is quickly filling up my Inbox. The error message is as follows:

Subroutine SNMP_Session::pack_sockaddr_in6 redefined at /usr/share/perl/5.14/Exporter.pm line 67.
at /usr/share/perl5/SNMP_Session.pm line 149

After waiting for a while to see if a fix came from Debian, I decided to look around on my own. It seems there is a patch that works, but it has not been propagated out to the repositories. Luckily, this problem is easy to fix.

You can apply the patch at the link above, or you can just edit a file and make 2 quick changes: Edit the file

/usr/share/perl5/SNMP_Session.pm

Change line #149:

old: import Socket6;
new: Socket6->import(qw(inet_pton getaddrinfo));

Then change line #609:

old: import Socket6;
new: Socket6->import(qw(inet_pton getaddrinfo));

That seems to fix the problem quite well. Hopefully the Debian maintainer will get that change in sooner rather than later so others don't have to bother!

Note: Someone commented that the line numbers listed were a bit off from version to version of Debian. Not entirely unexpected. It’s the change to calling the class directly that counts.
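Since the line numbers move between versions, here is the same change applied by pattern instead, as an added example (not from the post or from Debian's package): every bare "import Socket6;" becomes the explicit class-method call, a backup is kept, and the result is checked before the patch is considered done.

```shell
#!/bin/sh
# Added example: patch SNMP_Session.pm by pattern rather than line number.
# Assumes GNU sed (for -i); the path defaults to Debian's location from above.
set -eu

# Replace every bare "import Socket6;" in FILE with the explicit
# Socket6->import(...) call. Prints the number of lines changed and keeps
# FILE.orig; returns 1 if nothing matched or if a bare import survived.
patch_snmp_session() {
    file="$1"
    before=$(grep -c '^[[:space:]]*import Socket6;' "$file" || true)
    [ "$before" -gt 0 ] || { echo "no 'import Socket6;' lines in $file" >&2; return 1; }
    cp -p "$file" "$file.orig"
    sed -i 's/^\([[:space:]]*\)import Socket6;/\1Socket6->import(qw(inet_pton getaddrinfo));/' "$file"
    after=$(grep -c '^[[:space:]]*import Socket6;' "$file" || true)
    [ "$after" -eq 0 ] || { echo "patch incomplete: $after line(s) left" >&2; return 1; }
    echo "$before"
}

# Return 0 when FILE already carries the fix: no bare import left and the
# explicit call present. Useful as an idempotency guard in a cron or deploy job.
snmp_session_patched() {
    ! grep -q '^[[:space:]]*import Socket6;' "$1" \
        && grep -q 'Socket6->import(qw(inet_pton getaddrinfo));' "$1"
}

# Usage on a Wheezy box (run as root), then confirm Perl still compiles it:
#   snmp_session_patched /usr/share/perl5/SNMP_Session.pm || patch_snmp_session /usr/share/perl5/SNMP_Session.pm
#   perl -c /usr/share/perl5/SNMP_Session.pm
```

A package upgrade that replaces SNMP_Session.pm will silently undo this, so keep the guard in whatever job runs MRTG, or prefer the fixed package once your release has it.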

Compiling Samba 4 on Debian Wheezy – Active Directory Domain Controllers Ho!

I've managed to avoid working with Microsoft's Active Directory for many years, which is actually somewhat of a skill. But recently a client, unhappy with the support and the direction their MS “specialist” was taking them, asked me to see what I could do with their network.

Long ago I advised them to steer clear of Active Directory if they could, because it would only tie them in to more and more expensive MS “necessities” over time. This is the position they found themselves in, years later, having to shell out more and more money to MS and their MS-oriented “consultant” just to keep things running – and not running well, either.

It was important to this company that they remain able to manage user identity and authentication from a central place, as well as authorities and permissions. So I thought it might be a good time to at last examine Samba-4 and its claims to support Active Directory.

The Samba-4 guys can claim anything they like related to Active Directory and I would be none the wiser. I knew nothing of AD. But that soon changed as I delved into Samba-4. I must point out that the things I say here are my own impressions and conclusions based upon next to no research – so I could be quite wrong in some places.

It turns out that Active Directory is an unholy marriage of DNS, Kerberos, LDAP and CIFS. Unholy only in that it tries to obscure the individual technologies. On the MS side of things, they like to include DHCP, but it isn’t necessary at all.

Maybe I shouldn’t say that it tries to obscure the individual technologies. Maybe I should say it tries to unite them in holy simplicity for the good user. Yes, that’s it.

The tricky key (and shackle) is DNS. I always wondered why Windows clients had to use the Active Directory server as their DNS server – it seemed so limiting (and error-prone). It turns out that Active Directory will “inject” funny yet specific DNS names into your domain that identify the AD server to clients. It’s not necessary to be designed that way of course, really – but it’s a good hook. Windows clients joining a “domain” expect these funny DNS entries, and it does no good just specifying the AD server to connect to, unless you have these DNS entries being injected there as well. (salutes and rifle fanfare, etc.)

As for Kerberos and LDAP – anyone who’s worked with them knows it can take some strenuous wrestling to get stuff seated and right for handling your user auth stuff. And in this I am actually impressed with Active Directory. MS has done a great job integrating these Free technologies into something standardized on a platform. Although there are many ways this can be accomplished, Microsoft’s dominance on client machines made a standardization possible. And I’m happy that the European courts saw fit to rule in a way that allowed these Free technologies to be free once again — and this is where Samba-4 comes in.

If you have worked with Samba in the past, you know how versatile it is for file serving, and how complicated it can get. I don’t think I’ve ever dealt with a longer man page with more options. Samba 4 is no different. However, in some ways, it’s much easier than Samba 3 if you’re using the standard Windows administration tools to administer the users and shares. From my understanding so far, you basically just put the shares you want into the smb.conf file with minimal definitions, and define the user authority stuff through the Windows tools connected as an Administrator to Samba 4. If you’re managing rights on share servers other than your Samba 4 DC, then you don’t even have to worry about defining them in the smb.conf file.

But of course you can if you want – there is a command line tool that gives you access to the same stuff that tweaks this marriage of Kerberos, LDAP and DNS – without the need of Windows at all.

Anyway, enough of these background thoughts. The Samba team has done a great job. A really great job. And I’m going to donate some dollars to them, because they do need pizza, even though they say they don’t.

So, being mostly a Debian guy, I decided to try this Samba-4 out in Debian Wheezy. The Wheezy repositories have an older version of Samba-4, of course. This is one of those rare instances where I will compile my own version of a package outside the normal Debian space, since Samba-4 is so new and only recently became stable, in the more unix-y sense of stability.

And it’s not that hard to compile and get Samba-4 running in Debian Wheezy. And it’s certainly worth the time if you want to replace an Active Directory Domain Controller with Samba-4 or to just play with it, to see what it’s all about. I took some notes while I was doing it, which I decided to share here, since other people have found my doing so helpful previously, on other systems.

Note: It looks like Debian Backports is updated with a newer version of Samba4 at last. This is a great way to go to avoid compiling and maintaining your own. I’ve tried it, and it works well. FYI

Do Your Debian

I used a KVM virtual machine to create a Debian Wheezy installation that would run Samba-4. I think it’s probably a good idea not to use a production server at first. If you use a VM, you can always just trivially put it into production later.

During the install, I chose the most minimal installation package option with the addition of an SSH server.

Of course, this will probably work just as well with other distributions if you get your library dependencies right. Ubuntu may work with no modification, but I’m not sure.

Kerberos is very finicky about time. You will need an ntp server to keep your clock well synchronized.

apt-get install ntp

Also, generally I like to assign my servers static IPs. And it also seems like the AD stuff does not like changing IP addresses once it's been set up. Seriously. It's probably an ingredient in the unholy glue.

edit /etc/network/interfaces

Change your “dhcp” flag to “static” and give yourself your proper address and routing info.

auto eth0
iface eth0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1

Unless you’re right on top of your DNS zone information, including PTR records, you should probably edit your /etc/hosts file too, to include the machine name you’re going to use:

edit /etc/hosts

I’m not really sure about the 127.0.1.1 entry here, but it freakishly seemed to work for me. And I’m not sure why I did it. And it may not be necessary. I think it must not be.

127.0.0.1       localhost
127.0.1.1       samba4.mydomain.com    samba
192.168.1.2     samba4.mydomain.com    samba

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

As for DNS, you can use Bind9 just fine with Samba 4 — but Samba 4 also has its own built-in DNS server that does that filthy injection. If you want to use Bind9 as your backend DNS server, you can, but you will need to allow the Samba 4 server to dynamically update the zone for your domain with Kerberos. There are howto’s on that. I chose to just let Samba 4 use its own built-in DNS server. Because I’m lazy. And I’m just playing for now. And I don’t like a “domain controller” being able to update my real DNS zone file.

This leads to an interesting, and by that I mean boring and unnecessary, discussion of how you should name your Active Directory “domain”. There are a few schools of thought on it, and even Microsoft has changed their tune over time on the subject. I have chosen to name my Samba 4 “domain” as a “subdomain” of my root domain – that way the Active Directory stuff doesn’t have to be authoritative for my whole domain, and I don’t have to make up a fake domain either.

And leave it to Microsoft to terribly confuse everyone by “making it easy”. By domain they do not mean a DNS domain. It’s a hybrid abomination of DNS and what is known in Kerberos as a “realm”.

So yes, well, I made Samba 4 be the DNS server, but it will also do sensible lookups to the real DNS information from my proper DNS server when it doesn’t know a name. That’s why I named it as a DNS “subdomain” (host) rather than the whole domain. For resolution:

edit /etc/resolv.conf

Now, in Ubuntu you’re going to have to do some special editing of configs to keep Network-Manager from overwriting your resolv.conf file after you make these changes.

domain mydomain.com
search mydomain.com
nameserver 192.168.100.2
nameserver 192.168.100.1

The first should be your Samba 4 installation IP. The second should be your real DNS server.

Probably quick & dirtiest to reboot after all this, if you like that sort of thing. BTW – make sure your /etc/hostname matches your DNS hostname. I don’t know if it’s necessary, but how can you stand it otherwise??

Debian Requirements to Compile Samba 4

I should mention, if you plan on having your Samba 4 server also be a filesharing server, and for the Active Directory stuff to manage the users and permissions for you, you need to make sure that whatever filesystem you're going to be serving out supports ACLs and extended attributes. In Debian this is a normal part of their ext4 mounts, and I think their ext3 ones as well. So you're set!

But still, might be good to put it in, in your /etc/fstab, just as a reminder. Do, of course, use your own partition’s UUID. And whatever mountpoint you want to share.

UUID=b99750a8-9c39-11e3-82f1-525400990c6c   /home ext4      user_xattr,acl  0       2

Many docs also want you to specify barrier=1 as a mount option, to make sure stuff doesn’t get corrupt in a power failure. This is enabled by default in ext4, but you may want to in ext3. And if you’re using LVM volumes, this is passed through and respected now. Ah, the wonders of the modern world.

Now, what you really want to know: which Debian packages do I need to install when compiling Samba 4? Well, how about these?

apt-get install build-essential pkg-config libacl1 acl libacl1-dev libblkid-dev libblkid1 attr libattr1 libattr1-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb libpopt-dev libldap2-dev dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev libncurses-dev libpam0g-dev libdm0-dev libfam0 fam libfam-dev xsltproc libnss3-dev docbook-xsl-doc-html docbook-xsl-ns

If you don’t have other Kerberos servers, well, I just used this server as my kerberos ones, and it works just fine. The initial realm, where it defaults to your domain name in upper-case — I made that the FQDN in upper-case as well. Apparently the realm likes to be upper-case.

Maybe you’ll want to reboot again, after the acl stuff. Maybe not. Maybe you didn’t reboot a few minutes ago, so it will only be this one reboot. Or none. I don’t care.
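Before moving on to the compile, here is a pre-flight check for the preparation above, as an added example that is not from the post or the Samba project: the realm is the FQDN in upper case, /etc/hosts maps the FQDN to a real (non-loopback) address rather than only the 127.0.1.1 line, the share mount carries acl and user_xattr, and ntpd is running. The file-based checks take paths as arguments so you can run them against copies; hostnames and addresses are the placeholders from above.

```shell
#!/bin/sh
# Added example: pre-flight checks before provisioning a Samba 4 AD DC.
# Assumes a Debian-style /etc/hosts and /etc/fstab and the ntp package (ntpd).
set -eu

# Kerberos realm as the post uses it: the FQDN in upper case.
realm_for_fqdn() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Return 0 when FQDN appears in HOSTSFILE on a line whose address is not
# loopback (127.x or ::1). A 127.0.1.1-only mapping would have the DC
# advertise loopback to clients.
hosts_fqdn_nonloopback() {
    hostsfile="$1"; fqdn="$2"
    awk -v h="$fqdn" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if ($i == h && $1 !~ /^127\./ && $1 != "::1") found = 1 }
        END { exit found ? 0 : 1 }' "$hostsfile"
}

# Return 0 when a comma-separated mount option string (fstab field 4, or
# field 4 of /proc/mounts) contains both acl and user_xattr.
mount_opts_ok() {
    opts=",$1,"
    case "$opts" in
        *,acl,*) ;;
        *) return 1 ;;
    esac
    case "$opts" in
        *,user_xattr,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the non-comment line for MOUNTPOINT in FSTAB has acl,user_xattr.
fstab_mount_ok() {
    fstab="$1"; mp="$2"
    opts=$(awk -v m="$mp" '!/^[[:space:]]*#/ && $2 == m { print $4 }' "$fstab")
    [ -n "$opts" ] && mount_opts_ok "$opts"
}

# Whole pre-flight on the live system (run as root); prints each failure and
# the realm to type into samba-tool / krb5.conf. Share path defaults to /home.
preflight() {
    share="${1:-/home}"
    fqdn=$(hostname -f); rc=0
    [ "$fqdn" = "$(hostname)" ] && { echo "WARN: hostname -f has no domain part"; }
    hosts_fqdn_nonloopback /etc/hosts "$fqdn" || { echo "FAIL: $fqdn not mapped to a real IP in /etc/hosts"; rc=1; }
    fstab_mount_ok /etc/fstab "$share" || { echo "FAIL: $share lacks acl,user_xattr in /etc/fstab"; rc=1; }
    pgrep -x ntpd >/dev/null || { echo "FAIL: ntpd not running (Kerberos needs synced clocks)"; rc=1; }
    echo "Realm to use: $(realm_for_fqdn "$fqdn")"
    return $rc
}
```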

Compile Samba 4

The version of Samba I grabbed was their latest at the time, listed below. They may have a newer version when you read this, so always check the Samba site for the version you want.

I like compiling in /usr/src — and I’m letting Samba 4 install to its default location, which I know is a horrific violation of Debian policy. But I’m naughty.

cd /usr/src
wget http://www.samba.org/samba/ftp/stable/samba-4.1.4.tar.gz
tar -xzf samba-4.1.4.tar.gz
cd samba-4.1.4
./configure && make && make install

Oh, the places we’ll go.

After that completes successfully the first try and love descends upon all humanity, you might want to put the install directory into your PATH environment variable so you can avoid over-stressing your poor little phalanges. Put this in your .bashrc

export PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH

If you’re feeling particularly cavalier, trusting in the goodness of strangers that is. And source it! (or log out/in, open a new terminal, whatever)

I also symlinked my /usr/local/samba/etc to /etc/samba to make it less typing to edit configs:

ln -s /usr/local/samba/etc /etc/samba

Then you’ll want to make the Samba 4 stuff work. Right? First thing is to provision the so-called domain. I’m leaving it open to do some Un*x-side integration later here – that’s why the “rfc” switch.

samba-tool domain provision --use-rfc2307 --interactive

It will ask you some questions, and here’s where we get into the “domain” naming philosophy again. Just make it the same as your DNS decision above. In my example, the Realm I chose was SAMBA4.MYDOMAIN.COM

Do do the upper-case! Why? I don’t know!

And for the “Domain” I chose “MYDOMAIN” (without the .COM). It’s pretty much like your workgroup setting, is all I can figure.

If you do it this way, then all machines joining your Active Directory “domain” will get the right DNS information for your DNS zone — because the AD server will only consider itself authoritative for SAMBA4.MYDOMAIN.COM and “higher”, but not for all of MYDOMAIN.COM itself — and it will forward those DNS requests on to your proper DNS server when it doesn’t know about them.

So be sure to set your DNS forwarder here to your real DNS server.

Cold, Cruel Kerberos

I've never known it to be so easy. I'm leaping with joy inside. Or maybe that's lasagna.

cd /etc
cp krb5.conf krb5.conf.original
cp /usr/local/samba/share/setup/krb5.conf .

Then edit your new /etc/krb5.conf and change the REALM variable to the realm you chose: SAMBA4.MYDOMAIN.COM

I know! Can you believe it! It’s here where I feel a twinge of almost… non-sickness about MS. Ok it may even be stronger than that. A little.

Reboot again. Hahaha!

You Can Dance

Now, just start Samba 4 by typing in “samba”

It will give minimal info in /var/log/syslog – mine complained about CUPS not being there, but it wasn’t enough trauma for it to die, thankfully.

Now you’ll want to set up your administrator auth-y stuff, yes?

kinit administrator@SAMBA4.MYDOMAIN.COM
samba-tool user setexpiry administrator --noexpiry

Bad idea that no-expiry flag probably. But we’ve already established I’m naughty.

That’s about it! You can now fully administer it just like an Active Directory domain controller from Windows, using their remote server administration tools. Crazy, I know! That link is for Windows 8.1 download, BTW.

Also, the Samba website has a good howto on stuff like this.

The thing is, when you join a Windows machine into the “domain”, you have to make sure that you’re using your Samba 4 server as the DNS server for that machine, just like you would have to do with Microsoft’s Active Directory domain controllers. They need the filthy DNS injection.

Home Directories for Windows Users

If you want to have your Samba 4 server serve out home directories to your users, you accomplish that pretty easily. It just requires a “[home]” section in your smb.conf file.

That’s not a “[homes]” section like in Samba 3 by the way — just a singular “[home]”. It’s special. Apparently.

That section only requires a path and a not-read-only:

[home]
        path = /home/
        read only = no

You don’t really need local accounts for your users. Samba 4 will create crazy high-numbered fictional users and groups to service your Windows throngs. Just make sure that mountpoint has the acl and xattr flags.

Oh, and your administrator account will need the “SeDiskOperatorPrivilege” I think:

net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -Uadministrator

This will make it so that, if you use the Windows remote administration tools in Windows, you can create users that can have a drive automatically mapped to their Windows machine when they log in, and Samba 4 will create their home directory automatically.

The setup in Windows is a little convoluted. I’m no Windows person. But here’s a step by step that I followed and it worked great.

It should also be noted that the default setup seems to allow normal workgroup functioning to continue working as well. So even if you have Windows machines that aren’t the insanely more expensive “Pro” version of Windows, you can still map to the shares like you could to a workgroup.

But then again, that begs the question, why then bother with an Active Directory Domain Controller at all? Unless you want to spend a lot more money per seat on Windows.

Final Comments

I am impressed with Microsoft’s ability to impose a standardized way of implementing LDAP in conjunction with Kerberos. I am less impressed with their shameless violations of DNS to rope this in.

I haven’t tried it yet, but apparently you can pretty easily have your Linux boxes authenticate against Samba 4 as well. I think I may not be doing that. Well, maybe I will.

It is really nice and compelling that it’s all tied together. And it’s not so bad since Samba 4’s been able to bring it into the light. I’m undecided. It seems to work well.

Anyway, I hope this helped someone. I was very daunted by the whole Active Directory integration mess at first. But these Samba guys really have done a great job. I’ll be showing them some love. Of the monetary type! Well, I suppose unless…