Samba 4

Discussion in '*nix Software' started by OSULugan, Dec 28, 2012.

  1. OSULugan

    OSULugan Senior member

    Anyone have any experience setting up the new Samba 4 release for use as an Active Directory controller? I have it on my to-do list this weekend and was wondering if there are any gotchas/tips. I've got 12.10 Ubuntu Server running already.
     
  3. Demo24

    Demo24 Diamond Member

    Curious about this as well, also interested if anyone has used it as a secondary to a Windows primary domain controller.
     
  4. Nothinman

    Nothinman Elite Member

    I didn't notice they finally released that, I'll have to give it a try.

    Demo24, there's no such thing as a primary domain controller in AD. They're all mostly equal except for the ones holding specific FSMO roles. And the recently added read-only DC role in 2008 R2 but that's only used in niche places like a DMZ where you want another server to authenticate against AD without giving it access to your internal DCs.
     
  5. Demo24

    Demo24 Diamond Member

    Right, my mistake. Meant in addition to an already existing domain and using the samba as an additional one.
     
  6. OSULugan

    OSULugan Senior member

    So I thought I'd post my experience.

    Setup was pretty straightforward. I haven't had a whole lot of experience installing and configuring Linux stuff, but the HOWTO Wiki was pretty easy to follow. I did miss having a guide on how to get it into the startup processes, but I did some googling and figured out how to create a simple script and add it in.

    So far I have the domain controller up and running, domain users being able to authenticate from a Windows Vista Ultimate machine. I instituted some group policy management to control log-in times for my 10-year-old. I was disappointed to see that Windows Vista does not allow Parental controls on domain users. One of the reasons for setting this up was to make it easier to allow my family members more ready access to other computers in the house. Not having a way to manage this for a domain user means I'll need to implement some controls in Linux.

    I'm thinking about putting up a DNS filter on the Linux server, which I think will require a different DNS server instead of the built-in one that came with Samba 4.

    I've also had problems getting profile space active and storing from the Windows machines to the profile directory I set up (per the wiki HOWTO). Any gotchas that I should look out for?

    Also, with Samba 4, Samba users do not have to have a local Linux account. How do I manage file/directory permissions for Samba users?
     
  7. Nothinman

    Nothinman Elite Member

    Avoid roaming profiles regardless of the server involved, they've never worked well. You can use a GPO to do folder redirection for things like the Desktop, My Documents, etc. and achieve the (usually) primary goal of keeping things central and backed up without the hassles of full roaming profiles.

    I haven't touched Samba4 yet and I'm not sure if referencing itself would be a problem, but you could use winbind (assuming it's still in Samba4) to have the Linux machine also use AD for authentication and such. But that sounds like it could easily break if Samba ever fails to start so it would probably be best to make the DC a dedicated machine and put all of the files on a second one.
     
  8. OSULugan

    OSULugan Senior member

    Am I reading that right? You're recommending using the Linux machine I have set up now as just the DC, and then setting up a second server as a storage server?
     
  9. Nothinman

    Nothinman Elite Member

    Only because I'm not sure how the Linux DC would handle being pointed to the Samba instance on itself and how it would react if for some reason those Samba daemons failed to start. The reason it works as well as it does on Windows is because the local accounts on a DC become AD accounts (or vice versa depending on your perspective) once you run a dcpromo, so there's no differentiation between them, but on Linux that isn't true and the local services will still want to run as Linux accounts defined in the standard /etc files.

    If you're using physical machines for this then it's probably not worth it, but with virtualization as cheap and efficient as it is now I don't see a reason not to play it safe and build them as separate machines.
     
  10. OSULugan

    OSULugan Senior member

    I hadn't even considered setting it up as a virtual machine. I may look into that.
     
  11. imagoon

    imagoon Diamond Member

    Out of curiosity - Why are you looking to do this? I only ask because the last time I tried to make Samba happy in the enterprise I ended up just spending the $400 to get a Windows license. Mostly because at the time, their Wiki tended to suck. There was lots of info there but it was often a mishmash of versions / forum postings etc. I was never able to get permission mapping correct etc. I had better luck getting AD/LDAP and NIS playing together. [Read: I had better things to do than worry about this]

    Does Samba handle proper NTFS permissions yet or is it still that oddball hacky kludge of mapping to Linux rights that doesn't really translate properly?

    Any idea what level of AD they are trying to emulate? I would be surprised if they have 2008 / R2 / 2012 working yet since they started making some pretty drastic under the hood changes like dropping FRS and all the added security.

    It has been a long while since I tried to get it working in a Domain however. I am still pretty "fearful" because I wasted way more $$ on time than just buying a proper Windows license.
     
  12. OSULugan

    OSULugan Senior member

    There were a few motivations to this:

    1) I had the extra hardware available.
    2) I expect my kids will begin to want more heavy PC use, and I wanted a central way to manage user rights, etc.
    3) I expect that soon we'll be getting 1 or more additional PCs in the house (we currently have 2 in use, and 1 which I'm setting up as a server), and I want to enable single-account sign-on, shared desktop/documents/etc. so that there aren't fights over which PC is available for use.
    4) Potential migration from a Windows environment to a Linux desktop on the shared PCs in the house, since the family doesn't really need Windows (I'm the only real PC Gamer, and I'd expect open office to suffice for school papers, etc.).

    It looks like my DC is configured to emulate Windows Server 2003, but I seem to recall a selection to change that to other options (including 2008). But I haven't played with it. Same thing with how NTFS permissions are handled.

    My basic needs don't really extend much more than what I've got set up right now. I was hoping that WHS 2011 would provide single account sign-on/shared desktop functionality, and I would've just bought that. But from what I understand, it does not, and I didn't want to spend $400+ on a full-blown Windows Server license for this project. It's overkill for my needs.

    Unfortunately, I didn't get to spend as much time playing with it over my holiday break from work, so now I am mainly relegated to making changes on the weekends.
     
  13. imagoon

    imagoon Diamond Member

    Remember you will need the "non-home" editions of XP / Vista / Win 7 if you want to join the local machines to the Domain then. Good luck on the Windows to Linux thing. I had an aunt and uncle that were fine with that but my niece and nephews hated it since it "didn't work", which was a translation of they couldn't use most of their games and had some oddball website issues. [I am assuming IE ActiveX crap here btw since I didn't have an issue on my test boxes with most sites.]

    Good luck on your project. Roaming profiles is a major project on Windows [to correctly] implement, adding Samba should give you a thorough understanding of how that part works.
     
  14. OSULugan

    OSULugan Senior member

    Yeah, I'm running Windows Vista Ultimate 64 on my machines currently. I freed up a license with the install of Ubuntu onto the one PC, so even if I get another PC, I can always join it to the domain using the older OS (although I would like to transition to Win 7 soon enough).

    I have one PC joined currently. I want to get it working in a limited environment before joining the other PC and then considering the transition. I'm sure I'll be bugging the forum more going forward as I run into issues. Since this isn't in a work environment, I have the benefit of implementing things in a non-rushed setting.
     
  15. mitcheldrake

    mitcheldrake Junior Member

    We currently have a Samba4 setup with Active Directory and have added several Windows 7 to the domain successfully. User accounts are able to authenticate to the server and we have Folder Redirection set up for Documents, Pictures, Music, Videos, Desktop and AppData\Roaming.

    When I set up Windows 7 on the workstation I built and tested a customized Default User profile (in Win7 the directory is called "Default"). Before joining to the domain I tested my customized Default profile by logging on to a new local user account, and the profile was built as expected.

    However, now that the workstation is joined to the Samba4 domain, when a new user logs on for the first time, the user's profile is missing several of the directories that are present under the "Default" profile directory.

    My question is, when a new domain user account is logged on, where is the profile directory structure built from?