Samba4 Administration

From Stadm
Revision as of 14:35, 24 October 2014 by Stadm1 (talk | contribs)


Managing Domain

  • To manage the domain (add users, change settings, edit GPOs, view DNS entries, etc.), do it from a computer running Windows 7 or higher, or Server 2012 or higher
  • Any computer on the domain can manage the domain controller (rumba), as long as you are an Administrator of the domain and have RSAT installed (see below)
  • Because there are two domain controllers, make sure you are making your changes on rumba and not on limbo
  • NOTE: before you make any changes to GPOs, run the eadm_backup script; if you mess up, these backups will save you from a nightmare
  • The backup script is a BASH script that stops the samba service and calls /usr/local/samba/bin/samba_backup; it writes backups to /usr/local/backups and logs to /usr/local/backups/logs. It should be run on rumba; it would not hurt to run it on limbo as well, just in case
/usr/local/sbin/eadm_backup
  • The script will email the user-defined email address (look inside the script) if anything failed. You should still go to /usr/local/backups and check that etc.{TIMESTAMP}.tar.bz2, samba_private{TIMESTAMP}.tar.bz2 and sysvol{TIMESTAMP}.tar.bz2 were created; if they were not, check the logs in /usr/local/backups/logs (they are timestamped as well)
  • Any GPO edits will have to be manually rsynced to limbo (make your changes on rumba)
    • This can and will be scripted; at the moment not enough testing has been done to ensure the script will not mess up the GPOs (basically the SYSVOL folder), which can lead to corruption and a huge headache if there are no recent backups
    • How to rsync: run the command below. It is a dry run; make sure the listed files and changes are the ones you want rsynced over
    • IMPORTANT reminder of the argument order: rsync --options SOURCE DESTINATION
    • Do not mix up the SOURCE and DESTINATION addresses; this will cause corruption
    • Last note: RUN this command on LIMBO!! You want to pull your data from rumba, not push it
rsync --dry-run -XAavz --delete-after root@rumba:/usr/local/samba/var/locks/sysvol/ /usr/local/samba/var/locks/sysvol/
  • That was the dry-run version; it only tells you which files it would write/overwrite if run without --dry-run. Once you have reviewed the dry-run output and want to copy those files, run:
rsync -XAavz --delete-after root@rumba:/usr/local/samba/var/locks/sysvol/ /usr/local/samba/var/locks/sysvol/
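The two manual checks above (the three backup archives exist, and the sysvol copy is run on limbo with rumba as SOURCE) as a small sh helper. This is an added example, not the wiki's eadm_backup script; it assumes the paths given above and that samba_backup names its archives etc.TIMESTAMP.tar.bz2, samba_private...TIMESTAMP.tar.bz2 and sysvol...TIMESTAMP.tar.bz2 as the page describes.

```shell
#!/bin/sh
# Added example, not the wiki's eadm_backup script. Assumes the layout the page
# describes: archives etc.TS.tar.bz2, samba_private...TS.tar.bz2 and
# sysvol...TS.tar.bz2 in /usr/local/backups, and limbo pulling sysvol from rumba.
BACKUP_DIR="${BACKUP_DIR:-/usr/local/backups}"
SYSVOL="/usr/local/samba/var/locks/sysvol/"

# Timestamp of the newest etc.* archive in $1 (empty if there is none).
latest_backup_ts() {
    ls "$1"/etc.*.tar.bz2 2>/dev/null \
        | sed 's/.*\/etc\.\(.*\)\.tar\.bz2$/\1/' | sort | tail -n 1
}

# Return 0 only if all three archives for timestamp $2 exist in $1 and are
# non-empty; a zero-byte tarball means samba_backup failed part-way.
backup_set_complete() {
    dir="$1"; ts="$2"
    for prefix in etc samba_private sysvol; do
        found=0
        for f in "$dir/$prefix"*"$ts".tar.bz2; do
            [ -s "$f" ] && found=1
        done
        if [ "$found" -ne 1 ]; then
            echo "missing or empty: $prefix*$ts.tar.bz2 in $dir" >&2
            return 1
        fi
    done
    return 0
}

# Print the sysvol rsync command with SOURCE=rumba and DESTINATION=local, and
# refuse unless this host ($1) is limbo, so the copy is always a pull.
# $2 is "dry" (default, adds --dry-run) or "live".
sysvol_pull_cmd() {
    case "$1" in
        limbo|limbo.*) ;;
        *) echo "refusing: run this on limbo, not on $1" >&2; return 1 ;;
    esac
    opts="-XAavz --delete-after"
    [ "$2" = "live" ] || opts="--dry-run $opts"
    echo "rsync $opts root@rumba:$SYSVOL $SYSVOL"
}

# Typical use on limbo after eadm_backup has been run:
#   ts=$(latest_backup_ts "$BACKUP_DIR") && backup_set_complete "$BACKUP_DIR" "$ts"
#   sysvol_pull_cmd "$(hostname -s)" dry
```

The functions only print the rsync command; review the dry-run output first, then execute the live one with `sh -c "$(sysvol_pull_cmd "$(hostname -s)" live)"`.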

Creating Users

  • Users can be created in two ways:
  • They can be created through the GUI provided by RSAT (Remote Server Administration Tools), which adds users into Active Directory (AD)
  • Simply click New User in the appropriate OU (organizational unit) and enter the name, username and password
  • A user's UID can be changed or specified using the modXid script on the AD server
  • To create a user in AD from the terminal, use samba-tool:
samba-tool user add USERNAME
  • The UID can be specified at creation on the command line; use:
samba-tool user add USERNAME --uid-number=UIDNUMBER

Changing XID

  • The uid and gid for users in samba are translated from the user's Windows SID using idmap
  • idmap stores its database locally; it contains the mappings
  • a script

GPO Office

  • ADMX files must be downloaded for each version of Microsoft Office that clients use (Office 2007, 2010, etc.)
  • Run "gpupdate /force" if you don't see them appear in the Group Policy editor
  • Once placed in PolicyDefinitions under SYSVOL, a GPO may be applied to that specific version of Office
  • User Configuration -> Administrative Templates -> "Microsoft Office [version]" -> Privacy -> Trust Center
  • Enable "Disable opt-in...", disable "Enable Customer Experience..." and "Automatically receive small..."
  • This must be done for every version of Office the clients are running (Office shows annoying pop-up messages on start if this is not set)

GPO Windows Update

  • Locate a copy of wuau.adm and install it into PolicyDefinitions
  • Windows Update group policy should be set up on a per-machine basis (GPO applied to Machines, not Users)
  • Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update
Configure Automatic Updates: Enabled
Allow non-administrators to receive update notifications: Enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on users: Enabled
Reschedule Automatic Updates scheduled installations: Enabled

GPO Network, Firewall, Remote Desktop Connections

  • GPOs for RDC are in two locations
  • Computer Configuration -> Policies -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile
Windows Firewall: Allow inbound Remote Desktop connections
  • Limit to the subnets of eri and vpn
Windows Firewall: Allow ICMP exceptions: Enabled
  • Check Allow inbound echo request
  • Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Connection Host -> Connections
Allow users to connect remotely using Remote Desktop Services: Enabled
  • To allow specific users/groups to log in:
  • Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups
  • Create the Remote Desktop Users group if it does not exist; add users manually into the group, or add an entire group, to allow Remote Desktop Connections
  • DNS suffix search list
  • Computer Configuration -> Policies -> Administrative Templates -> Network -> DNS Client -> DNS suffix search list
    • Enabled: mydomain.edu, name.mydomain.edu

Profile Version for Windows Server 2012

  • If you are using roaming profiles with any of the following operating systems, you must enable the .V3 extension on roaming profiles
  • Operating systems: Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012
  • Link: http://technet.microsoft.com/en-us/library/jj649079.aspx
  • Basically you install an update from Microsoft and edit a registry key so that Windows Server 2012 will pick up the profile with the .V3 extension instead of .V2, which is used for Windows 7

MAC

WSUS