Samba 4 storage on the network
Since the release of the final version, Samba 4 has become increasingly significant in IT practice; now it has found its way into Jessie, the next Debian release. We take a look at the new features.
When Samba 3 was released in 2003, it consisted of three services: the file server
smbd, the name server
nmbd, and the authentication server
winbind. In their interaction with the rest of the system, these three services provided a file service and an NT4 domain controller.
The development of Samba 4  completely changed this structure. Samba 4's support for an Active Directory domain means that it needs to provide a wider range of services: Classic NETBIOS name resolution was superseded by DNS, authentication was centralized using Kerberos, and centralized data storage was implemented via LDAP – only the file server remained the same, with changes to match the new structure.
For the first time, it's now possible to use Samba 4 to map a full Windows domain structure on Linux. The Debian Samba packages offer this possibility and prompt you at install time to decide the role the system will play on your network. I provisioned four systems in the lab: a virtual machine as a domain controller (Debian Jessie ), an openATTIC system  as a domain member (Debian Jessie), and two Windows clients as domain members (Windows 7/8).
The network filesystem is now more integrated than ever into the domain concept – using it without managing users and permissions in the domain makes little sense. The setup described in this article is thus a basic requirement for using Samba as a shared filesystem in the enterprise.
The new Samba is a modular system (Listing 1) that lets you outsource various Active Directory-related services; for example, you can replace DNS with
bind9 or the directory service with OpenLDAP.
Processes in Samba 4
root@dev-mz-s4dc:~# netstat -tupl | grep samba tcp 0 0 *:kpasswd *:* LISTEN 4908/samba tcp 0 0 *:domain *:* LISTEN 4914/samba tcp 0 0 *:kerberos *:* LISTEN 4908/samba tcp 0 0 *:ldaps *:* LISTEN 4906/samba tcp 0 0 *:1024 *:* LISTEN 4902/samba tcp 0 0 *:3268 *:* LISTEN 4906/samba tcp 0 0 *:3269 *:* LISTEN 4906/samba tcp 0 0 *:ldap *:* LISTEN 4906/samba tcp 0 0 *:loc-srv *:* LISTEN 4902/samba udp 0 0 *:kpasswd *:* 4908/samba udp 0 0 *:domain *:* 4914/samba udp 0 0 *:kerberos *:* 4908/samba udp 0 0 *:netbios-ns *:* 4904/samba udp 0 0 *:netbios-dgm *:* 4904/samba udp 0 0 *:ldap *:* 4907/samba
A central service that provides the domain controller (DC) is easy to overlook: A Windows domain handles its complete authentication via Kerberos. Kerberos only works if all systems keep time with a drift of no more than five minutes from one another. It is therefore essential to configure an NTP server to avoid time problems.
The domain controller software installation is easy with
apt-get install samba. Debconf pops up during the installation with questions about the server role and the key data of the domain and also handles provisioning automatically. Ideally, you need to do nothing yourself. If anything goes wrong, re-provisioning with
samba-tool domain provision is easily possible. The packages also ensure that
samba-tool uses the correct values.
Among other files, the provisioning process produces both
/etc/samba/smb.conf, which looks like Listing 2 when done. This configuration covers everything you need for getting started.
01 # Global parameters 02 [global] 03 workgroup = SAMBA 04 realm = SAMBA.LAN 05 netbios name = DEV-MZ-S4DC 06 server role = active directory domain controller 07 dns forwarder = 172.16.101.23 08 09 [netlogon] 10 path = /var/lib/samba/sysvol/samba.lan/scripts 11 read only = No 12 13 [sysvol] 14 path = /var/lib/samba/sysvol 15 read only = No
Installing the Domain Member
You need to be aware of a restriction to running a Samba 4 server as a domain member: The
samba program does not support operation as a member. This configuration is thus implemented using the known programs
winbind. At this point, remember the NTP client, which definitely needs to be configured up front: If the time is not synchronized, you can't expect a working Samba installation. Furthermore, you need to check whether
hostname --fqdn returns the correct, fully qualified name of the computer:
$ hostname --fqdn benrime.samba.lan
In the lab, I wanted the openATTIC storage server to act as a domain member. To do this, I first installed Debian Wheezy on the computer, then configured openATTIC on the system, and finally upgraded to Debian Jessie. The system is then – as envisaged by the openATTIC standard – added to the domain using the
oaconfig domainjoin command. This script executes a series of commands that are described in more detail later and should work on any Linux system.
OpenATTIC first creates the
krb5.conf file (this can also be copied from the DC) and the Samba configuration
/etc/samba/smb.conf (Listing 3).
/etc/samba/smb.conf for openATTIC
01 [global] 02 workgroup = SAMBA 03 realm = SAMBA.LAN 04 netbios name = BENRIME 05 security = ADS 06 07 encrypt passwords = true 08 vfs objects = acl_xattr 09 10 kerberos method = dedicated keytab 11 dedicated keytab file = /etc/krb5.keytab 12 13 idmap config *:backend = tdb 14 idmap config *:range = 1000000-1999999 15 16 idmap config SAMBA:backend = rid 17 idmap config SAMBA:range = 10000-999999 18 19 winbind nss info = rfc2307 20 winbind trusted domains only = no 21 winbind use default domain = yes 22 winbind enum users = no 23 winbind enum groups = no 24 template shell = /bin/bash 25 26 sync always = yes
Next, openATTIC tests whether Kerberos is working by authenticating as the administrator (Listing 4).
root@benrime:~$ kinit Administrator Password for Administrator@SAMBA.LAN: root@benrime:~$ klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: Administrator@SAMBA.LAN Valid starting Expires Service principal 06.02.2014 11:58:27 06.02.2014 21:58:27 krbtgt/SAMBA.LAN@SAMBA.LAN renew until 07.02.2014 11:58:24
If this step is successful, you can use
net ads join -U Administrator to join the domain. The Samba configuration for openATTIC uses an external keytab to enable Kerberos authentication for other services beyond Samba. This is why you need to generate and validate the keytab (Listing 5).
root@benrime:~$ net ads join -U Administrator Password: root@benrime:~$ net ads keytab create # Generate keytab root@benrime:~$ net ads keytab add HTTP # Principally used for HTTP root@benrime:~$ kdestroy # Log out administrator root@benrime:~$ klist -k # Display generated keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal 2 host/benrime.samba.lan@SAMBA.LAN 2 host/benrime.samba.lan@SAMBA.LAN 2 host/benrime.samba.lan@SAMBA.LAN 2 host/benrime@SAMBA.LAN 2 host/benrime@SAMBA.LAN 2 host/benrime@SAMBA.LAN 2 BENRIME$@SAMBA.LAN 2 BENRIME$@SAMBA.LAN 2 BENRIME$@SAMBA.LAN 2 HTTP/benrime.samba.lan@SAMBA.LAN 2 HTTP/benrime.samba.lan@SAMBA.LAN 2 HTTP/benrime.samba.lan@SAMBA.LAN 2 HTTP/benrime@SAMBA.LAN 2 HTTP/benrime@SAMBA.LAN 2 HTTP/benrime@SAMBA.LAN root@benrime:~$ # Log in using Keytab + machine account: root@benrime:~$ kinit -k BENRIME$ root@benrime:~$ # Keytab-Auth -> no password prompt! root@benrime:~$ klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: BENRIME$@SAMBA.LAN Valid starting Expires Service principal 06.02.2014 10:05:26 AM 06.02.2014 8:05:26 PM krbtgt/SAMBA.LAN@SAMBA.LAN renew until 07.02.2014 10:05:26 AM
If everything worked out, the domain join is now complete. The remaining task is to configure
winbind by modifying the
/etc/nsswitch.conf file as follows:
passwd: compat winbind group: compat winbind
After a subsequent reboot of the Winbind server (
service winbind restart), the new domain member can access the domain and retrieve users and groups:
root@benrime:~$ getent passwd Administrator administrator:*:10500:10513:Administrator:/home/SAMBA/administrator:/bin/bash root@benrime:~$ getent group "Domain Admins" domain admins:x:10512:test,administrator
This completes the domain join process.
Windows systems join a Samba 4 domain just like a classic Windows Active Directory (Figure 1). To do this, navigate in the system settings to Advanced System Settings | Computer Name | Change, then enter the domain name, answer the prompt for the administrator password, and after a few seconds of waiting and a reboot, you are done joining the domain. Windows automatically updates the NTP client configuration on joining.
To manage the shiny, new domain, you can use the classic Windows management tools. These are included as part of any current Windows server operating system but are also available as a retroactively installable package for Windows 7 and Windows 8 clients under the name "Remote Server Administration Tools" . New users can then be created, for example, in Active Directory Users and Computers.
The good old Samba Web Administration Tool, SWAT, unfortunately no longer matches with the Samba 4 concept and died along with Samba 3. Currently, there is no substitute for it, so the only administration tools are those provided by Windows. However, Samba 4 does provide a Python API to simplify the development of such tools.
After creating two users, herbert and otto, I wanted to test whether openATTIC had already met them:
root@benrime:~$ getent passwd herbert herbert:*:11110:10513::/home/SAMBA/herbert:/bin/bash root@benrime:~$ getent passwd otto otto:*:11109:10513::/home/SAMBA/otto:/bin/bash
That is good news. These users can log in on the Windows clients from now on. Next, you can create a volume and a CIFS share on openATTIC. This happens in
smb.conf, for example, by adding a new section:
[tank] path = /tank available = yes browseable = yes guest ok = no writeable = yes
Note that I have not said anything about permissions so far. They are configured completely by the administrator in Windows by opening the share in Windows Explorer and granting permissions. For this to work cleanly, two things are needed: a filesystem with support for extended attributes and the line
vfs objects = acl_xattr in the
smb.conf file of the storage host.
Buy this article as PDF
VMware bids for a stake in the container industry with a bold effort to integrate containers with its classic virtualization system.
3ROS attack tool lowers the technical bar so anyone can be an intruder.
Mozilla's latest browser offers powerful new privacy feature
If attackers are on your system, saving your passwords in a password vault is no protection.
Faulty hash algorithm persists, despite efforts by experts to raise awareness.
Powerful man-in-the-middle attack is now targeting online shopping.
Another high-profile coder says the kernel team needs a kinder, gentler culture.
Bug database has a bug of its own that could allow an intruder to create an unauthorized account.
Report focuses federal resources on achieving universal Internet access.
Leading browser makers say “no” to porous encryption algorithm