Stadm - User contributions [en]

AD Topology

2016-04-19T20:22:20Z

Stadm1: /* Topology */

[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Topology=

==Linux==
===Servers===
*Rumba(CentOS 7)
**AD Controller
**Group Policy Objects(GPO) must be edited on Rumba(through Group Policy Management on a domain joined Windows computer)
***This is because GPO syncing is done through rsync and Limbo pulls the GPO changes from Rumba
***Running a DNS forwarder, DNS can be viewed using RSAT, nothing really ever needs to be changed there
**NFS mounts here
**smb.conf location: /usr/local/samba/etc/smb.conf
*Limbo(Centos 6)
**AD Controller(in case rumba goes down users can still authenticate, NFS mount points are on rumba though so anyone with a roaming profile will have issues loading and saving profile)
**Also running DNS forwarder that syncs w/ rumba
*Managing rumba and limbo: http://wiki.eri.ucsb.edu/stadm/Samba4_Administration

==Windows==
===Servers===
*Daft(Windows Server)
**Windows Server Update Services(WSUS) - provides domain joined computers update management if GPO is applied
***http://wiki.eri.ucsb.edu/stadm/Samba4_Administration#WSUS
**Can be used to manage Domain(GPO's and Users/Computers): http://wiki.eri.ucsb.edu/stadm/Samba4_Administration#Creating_Users
***RSAT can as well from any domain joined machine: https://wiki.samba.org/index.php/Installing_RSAT
*atlas/quinaya/tliyel-Remote Desktop Servers that need a DC to provide Windows RDS
===Computers===
*lluvia/smaug-Windows 7 Machines with RSAT installed, can manage the domain. Can be used to test GPO's or user creation on the domain.

AD Topology

2016-04-19T20:19:54Z

Stadm1: /* Windows */

[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Topology=

==Servers==
===Linux===
*Rumba(CentOS 7)
**AD Controller
**Group Policy Objects(GPO) must be edited on Rumba(through Group Policy Management on a domain joined Windows computer)
***This is because GPO syncing is done through rsync and Limbo pulls the GPO changes from Rumba
***Running a DNS forwarder, DNS can be viewed using RSAT, nothing really ever needs to be changed there
**NFS mounts here
**smb.conf location: /usr/local/samba/etc/smb.conf
*Limbo(Centos 6)
**AD Controller(in case rumba goes down users can still authenticate, NFS mount points are on rumba though so anyone with a roaming profile will have issues loading and saving profile)
**Also running DNS forwarder that syncs w/ rumba
*Managing rumba and limbo: http://wiki.eri.ucsb.edu/stadm/Samba4_Administration

===Windows===
*Daft(Windows Server)
**Windows Server Update Services(WSUS) - provides domain joined computers update management if GPO is applied
***http://wiki.eri.ucsb.edu/stadm/Samba4_Administration#WSUS
**Can be used to manage Domain(GPO's and Users/Computers): http://wiki.eri.ucsb.edu/stadm/Samba4_Administration#Creating_Users
***RSAT can as well from any domain joined machine: https://wiki.samba.org/index.php/Installing_RSAT
*atlas/quinaya/tliyel-Remote Desktop Servers that need a DC to provide Windows RDS

AD Topology

2016-04-19T20:11:13Z

Stadm1: /* Linux */

[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Topology=

==Servers==
===Linux===
*Rumba(CentOS 7)
**AD Controller
**Group Policy Objects(GPO) must be edited on Rumba(through Group Policy Management on a domain joined Windows computer)
***This is because GPO syncing is done through rsync and Limbo pulls the GPO changes from Rumba
***Running a DNS forwarder, DNS can be viewed using RSAT, nothing really ever needs to be changed there
**NFS mounts here
**smb.conf location: /usr/local/samba/etc/smb.conf
*Limbo(Centos 6)
**AD Controller(in case rumba goes down users can still authenticate, NFS mount points are on rumba though so anyone with a roaming profile will have issues loading and saving profile)
**Also running DNS forwarder that syncs w/ rumba
*Managing rumba and limbo: http://wiki.eri.ucsb.edu/stadm/Samba4_Administration

===Windows===
*Daft(Windows Server)
**Windows Server Update Services(WSUS) - provides domain joined computers update management if GPO is applied
***http://wiki.eri.ucsb.edu/stadm/Samba4_Administration#WSUS
**Can be used to manage Domain(GPO's and Users/Computers)
***RSAT can as well from any domain joined machine: https://wiki.samba.org/index.php/Installing_RSAT
*atlas/quinaya/tliyel-Remote Desktop Servers that need a DC to provide Windows RDS

AD Topology

2016-04-19T20:04:38Z

Stadm1: /* Servers */

[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Topology=

==Servers==
===Linux===
*Rumba(CentOS 7)
**AD Controller
**Group Policy Objects(GPO) must be edited on Rumba(through Group Policy Management on a domain joined Windows computer)
***This is because GPO syncing is done through rsync and Limbo pulls the GPO changes from Rumba
***Running a DNS forwarder, DNS can be viewed using RSAT, nothing really ever needs to be changed there
*Limbo(Centos 6)
**AD Controller(in case rumba goes down users can still authenticate, NFS mount points are on rumba though so anyone with a roaming profile will have issues loading and saving profile)
**Also running DNS forwarder that syncs w/ rumba
*Managing rumba and limbo: http://wiki.eri.ucsb.edu/stadm/Samba4_Administration
===Windows===
*Daft(Windows Server)
**Windows Server Update Services(WSUS) - provides domain joined computers update management if GPO is applied
***http://wiki.eri.ucsb.edu/stadm/Samba4_Administration#WSUS
**Can be used to manage Domain(GPO's and Users/Computers)
***RSAT can as well from any domain joined machine: https://wiki.samba.org/index.php/Installing_RSAT
*atlas/quinaya/tliyel-Remote Desktop Servers that need a DC to provide Windows RDS

AD Topology

2016-04-19T19:57:49Z

Stadm1: /* Servers */

[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Topology=

==Servers==
===Linux===
*Rumba(CentOS 7)
**AD Controller
**Group Policy Objects(GPO) must be edited on Rumba(through Group Policy Management on a domain joined Windows computer)
***This is because GPO syncing is done through rsync and Limbo pulls the GPO changes from Rumba
***Running a DNS forwarder, DNS can be viewed using RSAT, nothing really ever needs to be changed there
*Limbo(Centos 6)
**AD Controller(in case rumba goes down users can still authenticate, NFS mount points are on rumba though so anyone with a roaming profile will have issues loading and saving profile)
**Also running DNS forwarder that syncs w/ rumba

===Windows===
*Daft(Windows Server)
**Windows Server Update Services(WSUS) - provides domain joined computers update management if GPO is applied
***http://wiki.eri.ucsb.edu/stadm/Samba4_Administration#WSUS
**Can be used to manage Domain(GPO's and Users/Computers)
***RSAT can as well from any domain joined machine: https://wiki.samba.org/index.php/Installing_RSAT
*atlas/quinaya/tliyel-Remote Desktop Servers that need a DC to provide Windows RDS

AD Topology

2016-04-19T19:57:01Z

Stadm1: /* Linux */

[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Topology=

==Servers==
===Linux===
*Rumba(CentOS 7)
**AD Controller
**Group Policy Objects(GPO) must be edited on Rumba(through Group Policy Management on a domain joined Windows computer)
***This is because GPO syncing is done through rsync and Limbo pulls the GPO changes from Rumba
***Running a DNS forwarder, DNS can be viewed using RSAT
*Limbo(Centos 6)
**AD Controller(in case rumba goes down users can still authenticate, NFS mount points are on rumba though so anyone with a roaming profile will have issues loading and saving profile)
**Also running DNS forwarder that syncs w/ rumba

===Windows===
*Daft(Windows Server)
**Windows Server Update Services(WSUS) - provides domain joined computers update management if GPO is applied
***http://wiki.eri.ucsb.edu/stadm/Samba4_Administration#WSUS
**Can be used to manage Domain(GPO's and Users/Computers)
***RSAT can as well from any domain joined machine: https://wiki.samba.org/index.php/Installing_RSAT
*atlas/quinaya/tliyel-Remote Desktop Servers that need a DC to provide Windows RDS

AD Topology

2016-04-19T19:55:04Z

Stadm1: /* Topology */

[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Topology=

==Servers==
===Linux===
*Rumba(CentOS 7)
**AD Controller
**Group Policy Objects(GPO) must be edited on Rumba(through Group Policy Management on a domain joined Windows computer)
***This is because GPO syncing is done through rsync and Limbo pulls the GPO changes from Rumba
*Limbo(Centos 6)
**AD Controller(in case rumba goes down users can still authenticate, NFS mount points are on rumba though so anyone with a roaming profile will have issues loading and saving profile)
===Windows===
*Daft(Windows Server)
**Windows Server Update Services(WSUS) - provides domain joined computers update management if GPO is applied
***http://wiki.eri.ucsb.edu/stadm/Samba4_Administration#WSUS
**Can be used to manage Domain(GPO's and Users/Computers)
***RSAT can as well from any domain joined machine: https://wiki.samba.org/index.php/Installing_RSAT
*atlas/quinaya/tliyel-Remote Desktop Servers that need a DC to provide Windows RDS

AD Topology

2016-04-19T19:54:50Z

Stadm1: /* Windows */

[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Topology=

==Servers==
===Linux==
*Rumba(CentOS 7)
**AD Controller
**Group Policy Objects(GPO) must be edited on Rumba(through Group Policy Management on a domain joined Windows computer)
***This is because GPO syncing is done through rsync and Limbo pulls the GPO changes from Rumba
*Limbo(Centos 6)
**AD Controller(in case rumba goes down users can still authenticate, NFS mount points are on rumba though so anyone with a roaming profile will have issues loading and saving profile)
===Windows===
*Daft(Windows Server)
**Windows Server Update Services(WSUS) - provides domain joined computers update management if GPO is applied
***http://wiki.eri.ucsb.edu/stadm/Samba4_Administration#WSUS
**Can be used to manage Domain(GPO's and Users/Computers)
***RSAT can as well from any domain joined machine: https://wiki.samba.org/index.php/Installing_RSAT
*atlas/quinaya/tliyel-Remote Desktop Servers that need a DC to provide Windows RDS

AD Topology

2016-04-19T19:52:39Z

Stadm1: /* Topology */

[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Topology=

==Servers==
===Linux==
*Rumba(CentOS 7)
**AD Controller
**Group Policy Objects(GPO) must be edited on Rumba(through Group Policy Management on a domain joined Windows computer)
***This is because GPO syncing is done through rsync and Limbo pulls the GPO changes from Rumba
*Limbo(Centos 6)
**AD Controller(in case rumba goes down users can still authenticate, NFS mount points are on rumba though so anyone with a roaming profile will have issues loading and saving profile)
===Windows===
*Daft(Windows Server)
**Windows Server Update Services(WSUS) - provides domain joined computers update management if GPO is applied
**Can be used to manage Domain(GPO's and Users/Computers)
***RSAT can as well from any domain joined machine: https://wiki.samba.org/index.php/Installing_RSAT
*atlas/quinaya/tliyel-Remote Desktop Servers that need a DC to provide Windows RDS

AD Samba4 Centos 7

2016-04-19T19:46:52Z

Stadm1: /* Purpose */

AD Samba4

2016-04-19T19:46:25Z

Stadm1: /* Purpose */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
Samba Ports needed here:
*https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
*settings(old?):
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few minutes apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
*Samba wiki's:
**https://wiki.samba.org/index.php/User_home_drives
**https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

*make a folder where the profiles will be stored
mkdir /usr/local/domain
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/domain
read only = No
hide files = /desktop.ini/$RECYCLE.BIN/
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
Follow:
*https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
*https://wiki.samba.org/index.php/User_home_drives

==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From windows command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO/WSUS==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

AD Topology

2016-04-12T19:24:07Z

Stadm1: /* Topology */

[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Topology=

==Servers==
*Rumba(CentOS 7)
**AD Controller
**Group Policy Objects(GPO) must be edited on Rumba(through Group Policy Management on a domain joined Windows computer)
***This is because GPO syncing is done through rsync and Limbo pulls the GPO changes from Rumba
*Limbo(Centos 6)
**AD Controller(in case rumba goes down users can still authenticate, NFS mount points are on rumba though so anyone with a roaming profile will have issues loading and saving profile)

*Daft(Windows Server)
**Windows Server Update Services(WSUS) - provides domain joined computers update management if GPO is applied
**Can be used to manage Domain(GPO's and Users/Computers)
***RSAT can as well from any domain joined machine: https://wiki.samba.org/index.php/Installing_RSAT

AD Topology

2016-04-12T19:16:44Z

Stadm1: Created page with "Category:Projects Category:Samba Category:Samba4AD =Topology= ==Servers== *Rumba(CentOS 7) **Services: AD Controller *Limbo(Centos 6) **Services: AD Controll..."

[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Topology=

==Servers==
*Rumba(CentOS 7)
**Services:
AD Controller

*Limbo(Centos 6)
**Services:
AD Controller

*Daft(Windows Server)
**Services:
WSUS

Samba4 Troubleshooting

2016-02-06T00:12:51Z

Stadm1:

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Troubleshooting=

==Update Samba==
*When updating Samba you should only be doing a version change on one DC at a time. Then verify that the DC is working in the domain before upgrading other DCs, don't update more than one DC at a time, have proper backups!
*https://wiki.samba.org/index.php/Updating_Samba
*Stop service and make backup
systemctl stop samba
/usr/local/samba/bin/samba_backup
*Get samba, configure and install
wget http://www.samba.org/samba/ftp/stable/samba-4.3.3.tar.gz
tar -zxvf samba-4.3.3.tar.gz
cd ~/samba-4.3.3
./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind
*Make sure configure completes successfully, be sure you have proper backups!!!
*Read the release notes to check compatibility.
make
make install
*start the samba service
systemctl start samba
*Go check the logs and verify the system came up correctly:
tail /usr/local/samba/var/$LOGNAME.log
*Test around and see that replication is still in sync. Check that other DCs logs for errors about upgraded DC or replication.

==Checking Replication==
*Check replication status
samba-tool drs showrepl
*Force a repl:
*https://wiki.samba.org/index.php/Samba-tool_drs_replicate

==Force Removal of DC==
*If a Samba4 DC goes offline and cannot be restored so that replication can resync with another DC it must be forcibly removed from the domain.
*If the failed DC owned any of the FSMO roles they must be seized by the current working DC. See link for howto:
*https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
*Once all roles are on a working DC you may force remove the down DC from the domain. Use the following script:
*https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
*Check in ADUC under Domain Controllers(or appropriate OU) the DC was removed, if not delete the object.
*Open up the DNS Manager and remove all entries for the failed DC.
*Never restore/reintroduce the failed DC back into the domain, it will cause replication issues.
*To bring another DC up, setup samba as usual and join the domain as a DC using samba-tool:
*https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

==Demote a DC==
*https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC

==Join a DC==
*https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

==Backup and Restore==
*https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC

==Local Intranet Settings for Roaming Profiles==
*http://www.technipages.com/fix-we-cant-verify-who-created-this-file-error
*https://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/

==LDB Search/Edit==
*ldb search example:
ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=***\,DC\=***\,DC\=***\,DC\=***.ldb

*weird error with tombstone lifetime
[2015/05/20 14:27:27.377734, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for DC=lluvia\0ACNF:fe4415b8-8a9d-417d-abb3-77771ec99f88\0ADEL:fe4415b8-8a9d-417d-abb3-77771ec99f88,CN=Deleted Objects,DC=DomainDnsZones,DC=***,DC=***,DC=***,DC=edu!
: Object class violation
*use ldbedit to change the tombstone lifetime from 6 months to 10 days to get rid of all extra "Deleted Objects" that wont replicate
ldbedit -H ldap://localhost -Uadministrator -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=***,DC=***,DC=***,DC=***"
*https://wiki.samba.org/index.php/Restoring_deleted_AD_objects#Changing_the_defaults_for_msDS-deletedObjectLifetime_and_tombstoneLifetime

Samba4 Administration

2016-02-04T23:50:55Z

Stadm1: /* WSUS */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Quick Shortcuts/Tutorial==
*Lets face it navigating Windows is horrible, so lets show some quick ways of getting around to important places while not wasting much time
*Search in Windows 8 is subpar(especially when looking for admin tools), however commonly used tools can be opened a lot faster if using the run prompt provided by windows
*How To Open Run Prompt: Keyboard Shortcut
**Windows Key + R
*If on a Mac and using Remote Desktop the shortcut is:
**Command + R
*The following prompt should pop up:
[[File:win_R.png|Windows Key + R]]
*Here is a list of important commands that can be run here that open up the applications we will use most often:
**cmd - opens up a non-administrative windows command prompt
**regedit - opens up the local computer registry editor(not needed really, registry settings can be applied via GPO)
**control - opens up the Windows Control Panel where most(all) settings can be changed via GUI
**'''control admintools''' - opens up Administrative Tools, if you can't find something this is where it probably is!!!
*The rest of the list can be opened from Administrative Tools. but i included them to be accessed faster if need be:
**dsa.msc - Active Directory Users and Computers, here you can add an edit new users or computers in the domain
**gpmc.msc - Group Policy Management, here you can view and edit Group Policy Objects(GPOs) applied to the domain
**eventvwr - Event Viewer, Windows log files, this is where your errors/warnings will be when troubleshooting windows
*Here is the administrative tools folder, we will mostly be in Active Directory Users and Computers and Group Policy Management
[[File:win_r_admin.png|900px|Admin Tools]]

==Managing Domain==
*To Manage, Add Users, change settings, edit GPO's, view DNS entires, etc. for the domain it should be done from a Windows 7 or Higher, or Server 2012 or higher Computer
*Any computer on the Domain can manage the domain controller(rumba), as long as you are an Administrator to the Domain and have RSAT installed(see below)
*Because there are two domain controllers you want to make sure you are making your changes to rumba and not limbo
*'''NOTE:''' if you're going to do the following run a backup first:
*Any GPO edits will have to be manually rsynced to limbo(you want to make your changes on rumba)
**This can and will be scripted, at the moment not enough testing has been done to ensure the script will not mess up the GPO's(basically the SYSVOL folder) which can lead to corruption and a huge headache if there are no recent backups
**How to rsync: run this command, its a dry run, ensure those are the changes and files that want to me rsynced over
**This as an '''IMPORTANT''' reminder: rsync --options '''SOURCE''' '''DESTINATION'''
**Do not mess up the SOURCE and DESTINATION addresses, this will cause corruption
**Last Note: RUN this command on LIMBO!!, you want to pull your data, not push it
rsync --dry-run -XAavz --delete-after root@rumba:/usr/local/samba/var/locks/sysvol/ /usr/local/samba/var/locks/sysvol/
*that was the dry run version, it will only tell you what files it will overwrite/write if run without the dry-run option, once you have seen the dry-run output and want to copy those files run:
rsync -XAavz --delete-after root@rumba:/usr/local/samba/var/locks/sysvol/ /usr/local/samba/var/locks/sysvol/

==Install RSAT==
*If not installed on your Windows Computer Remote Server Administration Tools(RSAT) will have to be downloaded and installed
*If your running a Windows Server version they are already installed you usually just must enable them(skip down to enabling RSAT after installing)
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool(Really just the Active Directory, Group Policy, and DNS stuff), then click okay
==Creating Users==
*users can be created in two ways:
*they can be done through the gui provided by RSAT(Remote Service Administration Tools) to add users into Active Directory (AD)
*simply click new user in the appropriate OU (organizational unit) and enter in name,username and password
*The AD LDAP schema has been extended to allow the storage of UIDS in Active Directory
*To change a users UID, click properties on a user under Active Directory Users and Computers, on the properties tab click UNIX Attributes
**Click the NIS Domain of EADM and give them a UID, login shell can be /bin/false or /sh(later on we'll try logging in linux users against AD)
**Give them a home(doesnt matter for now as we are not allowing linux users to authenticate against ad yet)
**Add them to a primary group, for most users the group of "Domain Users" is fine
*To create user into AD using terminal use samba-tool
samba-tool user add USERNAME
*This will create a user in the default OU of Users, to manage this user use RSAT
==Giving User a Profile==
*Once a user is added he might need to be given a roaming profile
**Roaming profiles live on the server, whenever a user logins in the profile is loaded from the server and the users local profile(if there is one) is update to reflect any changes that are on that roaming profile on the server, on logout the changes the user has made are sent back to the server and stored there as well as the local profile
**Key Point: On login user pulls info from server, on logout user pushes changes back, if the server is down the user can still login but he will login to the most recent local profile stored on the computer, changes will not be pushed back on logout if there is no domain controller, the system will warn you and may even log you in with a temporary profile, unless the server comes back up and you are able to logout eventually after making changes to the local profile there is a chance your roaming profile will not be updated with your settings/files
**This is a good setup for Administrators who will be logging in to multiple machines at the same time without logging out or carrying a lot of files in there profiles
**allows you to move scripts and useful files with you on login, mount a few drives and make changes, also good if your anything like me and login into 4 computers at the same time(note be careful with this) usually your profile will most accurately reflect the changes you made to the same file on the last computer you logout from(i believe timestamps are taken to consideration as well)
*Local Profiles
**Local profiles has it pros and cons
**Pros: for the default Administrator account it is perfect, no files should be carried around on an Administrator profile, all changes to the profile stay local to the machine and are not synced back to the server, if you login to two separate computers with the Administrator account all changes will stay local to there separate computers. This is probaly good as well for users who work at home but sometimes bring there laptops in to work here, at home all there files stay local to there machine they will always have what they need locally, when they connect to our network and login, GPO's can be applied and they can have network mounted drives and firewall settings implemented automatically
**Cons: For the user, there is no backup of there profile, if they have no backups and there hard drive crahes/act of god/ etc. it is gone, there would be no way to recover the users settings and files(not completely, look below at Folder Redirection)
*Folder Redirection
**Here is where it gets a little tricky, we can have folder redirection with local profiles, and we can also have folder redirection with roaming profiles, or we can have none at all
**Usually folder redirection will want to be implemented on a users Roaming Profile if in his home directory he/she has gigabytes worth of data (2-1000+GB), this will increase there login/logout times significantly as well as keep all there information on the server
*Roaming profiles with folder redirection allows the profile to be kept small(usually only the size of the AppData folder which is around 100mb), while the users profile(basically now just settings) still "Roams" the Folder setup for redirection(Usually Documents, Pictures, Videos, Music, etc.) will not roam in the same way. The Client will instead now pull and push data as changes are made, the information will reside on the local client and server, whenever the client makes a change to any Folder that is "redirected" the changes will be updated on the server immediately
**on logout only the changes that are made to the "roaming" part of the profile(again usually just APPData folder) will be pushed back to the server, the redirected folders have been synced in real time and will not have to be sent back unless a file was recently edited before logout.
**Cons: this type of setup doesn't really work if you log into a lot of machines at once. Yea your files on one machine get updated immediately if you are working on them from another, but because Folder Sync will be working on both(or more) computers at the same time trying to update al the files that change at once (including settings files that programs decide to stupidly store in Documents instead of APPData) corruption generally happens pretty quickly. If you only login to one machine and use that as your main machine you really shouldn't experience any problems, the problems arise when logging in from different machines at the same time and even different versions of windows
*Local Profiles with Folder Redirection
**Dont really have this setup anywhere but there are uses for it
**Same as above if user doesn't move between computers and wants his files on the server updated automatically, profile info(basically just settings) just live on his computer
**this is good if the user wants all his files on the server and logins in from different versions of windows(his settings will be local to each machine) this to however can be setup up with Roaming profiles
==GPO Office==
*admx files must be downloaded for each version of microsoft office that clients use(office 2007, 2010, etc.)
*run a "gpudate \force" if you dont see them appear in group policy editor
*once placed in policyDefinitions under sysvol GPO may be applied to that specific version of office
*User Configuration->Administrative Templates ->"Microsoft Office [version]" ->Privacy->Trust Center
*enable the "Disable opt-in..", disable "Enable Customer Experience..." and "Automatically receive small.."
*must be done for every version of office clients are running(annoying pop up messages when office starts if this is not set)
==GPO Windows Update==
*locate a copy of wuau.adm and install into PolicyDefinitions
*Windows update group policy should be set up on a per machine bases(GPO applied to Machines not Users)
*Computer Configuration ->Policies-> Administrative Templates ->Windows Components->Windows Update
Configure Automatic Update: Enabled
Allow non-administrators to receive update notifications: enabled
Allow Automatic Updates Immediate installations: enabled
No auto-restart with logged in users: enabled
Reschedule Automatic Updates scheduled installation: enabled
==GPO Network, Firewall, Remote Desktop Connections==
*GPO for RDC are in two locations
*Computer Configuration->Policies->Administrative Templates->Network->Network Connections->Windows Firewall-> Domain Profile
Windows Firewall:Allow inbound Remote Desktop conneciotns
*limit to subnets of eri and vpn
Windows Firewall: Allow ICMP exceptions: Enabled
*check Allow inbound echo Request
*Computer Configuration->Policies->Administrative Templates->Windows Components->Remote Desktop Connection Host->Connections
Allow users to connect remotely using Remote Desktop Services: enabled
*to allow specific users/group login:
*Computer Configuration->Policies->Windows Settings->Security Settings->Restricted Groups
*create Remote Desktop Users group if not created, add users manually into group or add an entire group to allow Remote Desktop Connections
*DNS suffix search list
*Computer Configuration->Policies->Administrative Templates => Netowrk => DNS client => DNS suffix search list
**Enabled: mydomain.edu, name.mydomain.edu
==Profile Version for Windows Server 2012==
*If you are using roaming profiles and using any of the following operating Systems you must enable the .V3 extension on roaming profiles
*Operating systems: Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012
*Link: http://technet.microsoft.com/en-us/library/jj649079.aspx
*Basically you install an update from Microsoft and edit a registry key so that Windows Server 2012 will pick up the profile with the .V3 extension instead of .V2 which is used for Windows 7

==MAC==
*https://lists.samba.org/archive/samba/2013-June/174090.html
==WSUS==
*http://mizitechinfo.wordpress.com/2013/08/19/step-by-step-installing-configuring-wsus-in-server-2012-r2/
*http://technet.microsoft.com/en-us/library/hh852344.aspx
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

AD Samba4

2016-02-04T23:50:42Z

Stadm1: /* Windows Update GPO */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
Samba Ports needed here:
*https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
*settings(old?):
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few minutes apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
*Samba wiki's:
**https://wiki.samba.org/index.php/User_home_drives
**https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

*make a folder where the profiles will be stored
mkdir /usr/local/domain
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/domain
read only = No
hide files = /desktop.ini/$RECYCLE.BIN/
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
Follow:
*https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
*https://wiki.samba.org/index.php/User_home_drives

==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From windows command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO/WSUS==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

Samba4 BDC

2016-02-04T23:41:03Z

Stadm1:

[[Category:Samba]]
[[Category:Samba4AD]]

==Required Packages==

==Kerberos==
*make backup of kerberos conf
cp /etc/krb5.conf /etc/krb5.bak
*add realm to kerberos file /etc/krb5.conf
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*change ${REALM} variable to your realm
*test that you can kinit
kinit administrator
*type password then klist to check if you have ticket
klsit

==Join DC to domain==
*if kerberos is working check that you can see the PDC dns entries
*then join DC to domain
samba-tool domain join example.edu DC -Uadministrator --realm=example.edu
*should end with
Joined domain EXAMPLE (SID ...) as a DC

==Transfer Roles==
*DNS entries must ne setup before you can transfer roles, samba must be running (check log before for any errors)
*see who has what roles
samba-tool fsmo show
*transfer them all(can also transfer individual roles)
samba-tool fsmo transfer --role=all

==nssswitch==
*enumerate users in getent passwd
*link winbind so nsswitch can see
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
*check that it is linked
ldconfig -v | grep winbind

*edit /etc/nssswitch to contain
passwd: files winbind
shadow: files
group: files winbind
==SYSVOL==
*syncing
rsync --dry-run -XAavz --delete-after root@"HOSTNAME":/usr/local/samba/var/locks/sysvol/ /usr/local/samba/var/locks/sysvol/
rsync -XAavz --delete-after root@"HOSTNAME":/usr/local/samba/var/locks/sysvol/ /usr/local/samba/var/locks/sysvol/

AD Samba4

2016-02-04T23:30:49Z

Stadm1: /* Adding User and profile path */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
Samba Ports needed here:
*https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
*settings(old?):
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few minutes apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
*Samba wiki's:
**https://wiki.samba.org/index.php/User_home_drives
**https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

*make a folder where the profiles will be stored
mkdir /usr/local/domain
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/domain
read only = No
hide files = /desktop.ini/$RECYCLE.BIN/
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
Follow:
*https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
*https://wiki.samba.org/index.php/User_home_drives

==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From windows command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

AD Samba4

2016-02-04T23:28:24Z

Stadm1: /* Add Windows computer to domain */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
Samba Ports needed here:
*https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
*settings(old?):
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few minutes apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
*Samba wiki's:
**https://wiki.samba.org/index.php/User_home_drives
**https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

*make a folder where the profiles will be stored
mkdir /usr/local/domain
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/domain
read only = No
hide files = /desktop.ini/$RECYCLE.BIN/
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
Follow:
*https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
*https://wiki.samba.org/index.php/User_home_drives

==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

AD Samba4

2016-02-04T23:22:37Z

Stadm1: /* SSSD */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
Samba Ports needed here:
*https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
*settings(old?):
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few seconds apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
*Samba wiki's:
**https://wiki.samba.org/index.php/User_home_drives
**https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

*make a folder where the profiles will be stored
mkdir /usr/local/domain
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/domain
read only = No
hide files = /desktop.ini/$RECYCLE.BIN/
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
Follow:
*https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
*https://wiki.samba.org/index.php/User_home_drives

==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

Samba4 Administration

2016-02-04T23:19:16Z

Stadm1: /* Managing Domain */

AD Samba4

2016-02-04T23:16:05Z

Stadm1: /* Adding Profile path to Samba */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
Samba Ports needed here:
*https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
*settings(old?):
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few seconds apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
*Samba wiki's:
**https://wiki.samba.org/index.php/User_home_drives
**https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

*make a folder where the profiles will be stored
mkdir /usr/local/domain
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/domain
read only = No
hide files = /desktop.ini/$RECYCLE.BIN/
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
Follow:
*https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
*https://wiki.samba.org/index.php/User_home_drives

==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==SSSD==
vim /etc/sssd/sssd.conf
[domain/default]
ldap_tls_reqcert = allow
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=domain,dc=edu
krb5_realm = $REALM
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://domain.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = ou=idmap,dc=domain,dc=edu
ldap_group_search_base = ou=Group,dc=domain,dc=edu
ldap_group_member = member
ldap_group_nesting_level = 4
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=Manager,dc=domain,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = ******
debug_level = 8
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]

[pam]

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

AD Samba4

2016-02-04T23:15:19Z

Stadm1: /* Adding Profile path to Samba */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
Samba Ports needed here:
*https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
*settings(old?):
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few seconds apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
*Samba wiki's:
**https://wiki.samba.org/index.php/User_home_drives
**https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

*make a folder where the profiles will be stored
mkdir /usr/local/domain
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/domain
read only = No
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
Follow:
*https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
*https://wiki.samba.org/index.php/User_home_drives

==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==SSSD==
vim /etc/sssd/sssd.conf
[domain/default]
ldap_tls_reqcert = allow
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=domain,dc=edu
krb5_realm = $REALM
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://domain.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = ou=idmap,dc=domain,dc=edu
ldap_group_search_base = ou=Group,dc=domain,dc=edu
ldap_group_member = member
ldap_group_nesting_level = 4
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=Manager,dc=domain,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = ******
debug_level = 8
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]

[pam]

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

AD Samba4

2016-02-04T23:14:12Z

Stadm1: /* Adding Profile path to Samba */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
Samba Ports needed here:
*https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
*settings(old?):
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few seconds apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
*Samba wiki's:
**https://wiki.samba.org/index.php/User_home_drives
**https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

*make a folder where the profiles will be stored
mkdir /usr/local/samba/var/profiles
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/samba/var/profiles
read only = No
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
Follow:
*https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
*https://wiki.samba.org/index.php/User_home_drives

==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==SSSD==
vim /etc/sssd/sssd.conf
[domain/default]
ldap_tls_reqcert = allow
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=domain,dc=edu
krb5_realm = $REALM
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://domain.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = ou=idmap,dc=domain,dc=edu
ldap_group_search_base = ou=Group,dc=domain,dc=edu
ldap_group_member = member
ldap_group_nesting_level = 4
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=Manager,dc=domain,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = ******
debug_level = 8
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]

[pam]

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

AD Samba4

2016-02-04T23:13:44Z

Stadm1: /* Change Security on Profiles folder */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
Samba Ports needed here:
*https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
*settings(old?):
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few seconds apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
*Samba wiki's:
**https://wiki.samba.org/index.php/User_home_drives
**https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

*make a folder where the profiles will be stored
mkdir /usr/local/samba/var/profiles
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/samba/etc/smb.conf
read only = No
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
Follow:
*https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
*https://wiki.samba.org/index.php/User_home_drives

==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==SSSD==
vim /etc/sssd/sssd.conf
[domain/default]
ldap_tls_reqcert = allow
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=domain,dc=edu
krb5_realm = $REALM
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://domain.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = ou=idmap,dc=domain,dc=edu
ldap_group_search_base = ou=Group,dc=domain,dc=edu
ldap_group_member = member
ldap_group_nesting_level = 4
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=Manager,dc=domain,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = ******
debug_level = 8
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]

[pam]

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

AD Samba4

2016-02-04T23:12:40Z

Stadm1: /* Adding Profile path to Samba */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
Samba Ports needed here:
*https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
*settings(old?):
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few seconds apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
*Samba wiki's:
**https://wiki.samba.org/index.php/User_home_drives
**https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

*make a folder where the profiles will be stored
mkdir /usr/local/samba/var/profiles
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/samba/etc/smb.conf
read only = No
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
*login to the domain as administrator onto a windows 7 computer
*open up my computer and navigate to "\\servername" , ex. "\\samba4"
*Right Click on the folder and select properties
*Change security to allow Domain Administrators Full Control
*add Domain Users to Security with options, Traverse folder/execute file. List Folder/read data, Create folder/append data
==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==SSSD==
vim /etc/sssd/sssd.conf
[domain/default]
ldap_tls_reqcert = allow
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=domain,dc=edu
krb5_realm = $REALM
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://domain.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = ou=idmap,dc=domain,dc=edu
ldap_group_search_base = ou=Group,dc=domain,dc=edu
ldap_group_member = member
ldap_group_nesting_level = 4
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=Manager,dc=domain,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = ******
debug_level = 8
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]

[pam]

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

AD Samba4

2016-02-04T23:12:23Z

Stadm1: /* Adding Profile path to Samba */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
Samba Ports needed here:
*https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
*settings(old?):
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few seconds apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
Samba wiki's:
*https://wiki.samba.org/index.php/User_home_drives
*https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

*make a folder where the profiles will be stored
mkdir /usr/local/samba/var/profiles
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/samba/etc/smb.conf
read only = No
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
*login to the domain as administrator onto a windows 7 computer
*open up my computer and navigate to "\\servername" , ex. "\\samba4"
*Right Click on the folder and select properties
*Change security to allow Domain Administrators Full Control
*add Domain Users to Security with options, Traverse folder/execute file. List Folder/read data, Create folder/append data
==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==SSSD==
vim /etc/sssd/sssd.conf
[domain/default]
ldap_tls_reqcert = allow
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=domain,dc=edu
krb5_realm = $REALM
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://domain.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = ou=idmap,dc=domain,dc=edu
ldap_group_search_base = ou=Group,dc=domain,dc=edu
ldap_group_member = member
ldap_group_nesting_level = 4
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=Manager,dc=domain,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = ******
debug_level = 8
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]

[pam]

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

AD Samba4

2016-02-04T23:11:54Z

Stadm1: /* Adding Profile path to Samba */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
Samba Ports needed here:
*https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
*settings(old?):
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few seconds apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
Samba wiki's:
*https://wiki.samba.org/index.php/User_home_drives
*https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
*make a folder where the profiles will be stored
mkdir /usr/local/samba/var/profiles
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/samba/etc/smb.conf
read only = No
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
*login to the domain as administrator onto a windows 7 computer
*open up my computer and navigate to "\\servername" , ex. "\\samba4"
*Right Click on the folder and select properties
*Change security to allow Domain Administrators Full Control
*add Domain Users to Security with options, Traverse folder/execute file. List Folder/read data, Create folder/append data
==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==SSSD==
vim /etc/sssd/sssd.conf
[domain/default]
ldap_tls_reqcert = allow
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=domain,dc=edu
krb5_realm = $REALM
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://domain.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = ou=idmap,dc=domain,dc=edu
ldap_group_search_base = ou=Group,dc=domain,dc=edu
ldap_group_member = member
ldap_group_nesting_level = 4
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=Manager,dc=domain,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = ******
debug_level = 8
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]

[pam]

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

AD Samba4

2016-02-04T23:10:43Z

Stadm1: /* Firewall */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
Samba Ports needed here:
*https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
*settings(old?):
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few seconds apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
*make a folder where the profiles will be stored
mkdir /usr/local/samba/var/profiles
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/samba/etc/smb.conf
read only = No
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
*login to the domain as administrator onto a windows 7 computer
*open up my computer and navigate to "\\servername" , ex. "\\samba4"
*Right Click on the folder and select properties
*Change security to allow Domain Administrators Full Control
*add Domain Users to Security with options, Traverse folder/execute file. List Folder/read data, Create folder/append data
==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==SSSD==
vim /etc/sssd/sssd.conf
[domain/default]
ldap_tls_reqcert = allow
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=domain,dc=edu
krb5_realm = $REALM
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://domain.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = ou=idmap,dc=domain,dc=edu
ldap_group_search_base = ou=Group,dc=domain,dc=edu
ldap_group_member = member
ldap_group_nesting_level = 4
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=Manager,dc=domain,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = ******
debug_level = 8
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]

[pam]

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

AD Samba4

2016-02-04T23:04:57Z

Stadm1: /* Install CentOS */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
*settings:
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few seconds apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
*make a folder where the profiles will be stored
mkdir /usr/local/samba/var/profiles
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/samba/etc/smb.conf
read only = No
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
*login to the domain as administrator onto a windows 7 computer
*open up my computer and navigate to "\\servername" , ex. "\\samba4"
*Right Click on the folder and select properties
*Change security to allow Domain Administrators Full Control
*add Domain Users to Security with options, Traverse folder/execute file. List Folder/read data, Create folder/append data
==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==SSSD==
vim /etc/sssd/sssd.conf
[domain/default]
ldap_tls_reqcert = allow
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=domain,dc=edu
krb5_realm = $REALM
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://domain.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = ou=idmap,dc=domain,dc=edu
ldap_group_search_base = ou=Group,dc=domain,dc=edu
ldap_group_member = member
ldap_group_nesting_level = 4
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=Manager,dc=domain,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = ******
debug_level = 8
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]

[pam]

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

AD Samba4

2016-02-04T23:04:39Z

Stadm1: /* Install CentOS */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Purpose==
The purpose of this wiki page is to document the steps needed to set up or recreate an Active Directory(AD) Environment using Samba 4. Not all features of a Windows Server AD are incorporated into Samba 4, such as DFS and others, will try and document what you can and can not accomplish at the moment with Samba 4. At the time of writing/editing the current version of Samba 4 being used is: 4.1.12

Current operating system Samba 4 is run on: Centos 6.5

Will try and make this page as simple to recreate using the same environment, however if confused or have no idea where to begin I recommend heading over to the Samba Wiki pages and reading there How To's and Documentation:
*https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
*https://wiki.samba.org/index.php/User_Documentation
If still confused over anything I would recommend googling it, all of this I have found over the internet from different resources and will try and incorporate them into this wiki. For a complete list of all the references I found extremely useful see the bottom of this page.

*'''Note''': Until this message removed consider the following a work in progress
=Samba 4 Active Directory Domain Controller=
==Install CentOS==
Install a minimal install of CentOS 6.5, at time of writing can be downloaded here:
*http://mirrors.usc.edu/pub/linux/distributions/centos/6.5/isos/x86_64/CentOS-6.5-x86_64-minimal.iso
If you prefer to use a gui or a full install go check out the CentOS mirrors list:
*http://isoredirect.centos.org/centos/6/isos/x86_64/
*I would not recommend using CentOS 7 as the install procedure, startup service, as well as packages are a bit different, that being said it is entirely possible to get Samba 4 working on CentOS 7, if I have time and am upgrading I may come back and add in the changes CentOS 7 requires.
*See here for CentOS 7: http://wiki.eri.ucsb.edu/stadm/AD_Samba4_Centos_7

==Samba 4 Requirements==
Here are the OS Requirements as listed by the Samba Team:
*https://wiki.samba.org/index.php/OS_Requirements
Basically for a working Active Directory on CentOS install it is required that your system support Extended File Attributes.

Here are the packages I needed to install to build Samba 4, please note that all of these packages are probably not required and you are free to use the minimal list provided in the Samba Wiki, I have been trying to weed out most of the packages not needed and will be updating as I find extras, but as this is how a working setup was accomplished(with extra features not needed to just compile a basic Samba 4 server) I will leave this up for now:
yum install gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
glibc glibc-devel gcc libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
openldap-devel openldap-clients openldap-servers openldap-servers-sql \
openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel cups sqlite-devel \
setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel ctdb-devel pam-devel gnutls-devel \
krb5-server-ldap nss-pam-ldapd pam_ldap openssh-ldap python-ldap docbook-style-xsl vim wget
*Note: if not installing vim(why wouldn't you in the first place?) make sure to install perl(dependency for vim), ./configure will fail down below without perl

*Here is a more minimal list to compile with AD support
yum install perl gcc libacl-devel libblkid-devel gnutls-devel \
> readline-devel python-devel gdb pkgconfig krb5-workstation \
> zlib-devel setroubleshoot-server libaio-devel \
> setroubleshoot-plugins policycoreutils-python \
> libsemanage-python setools-libs-python setools-libs \
> popt-devel libpcap-devel sqlite-devel libidn-devel \
> libxml2-devel libacl-devel libsepol-devel libattr-devel \
> keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils \
> libxslt docbook-style-xsl openldap-devel pam-devel

Once CentOS is installed, give it hostname as well as static IP Address, this can be done through DHCP or by manually editing CentOS network scripts
vim /etc/sysconfig/network
*Edit "HOSTNAME=***" to say "HOSTNAME=samba" or whatever you want to name the server
*Manually edit or add network-scripts if not there
cd /etc/sysconfig/network-scripts/
vim ifcfg-eth0
*Make sure these options are included
DEVICE=eth0
HWADDR=**:**:**:**:**:**
TYPE=ETHERNET
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
*For a static IP Address, go look at an example here: https://gist.github.com/fernandoaleman/2172388 (or just google how to give centos a static ip)
*Restart the network service
service network restart
For the purpose of saving time I have setup CentOS with selinux disabled, check to see this allowed by your Organization/Company before disabling selinux(this could be potentially dangerous depending on your network setup). Google Samba 4 selinux or visit the Samba Wiki here: https://wiki.samba.org/index.php/Samba_AD_DC_access_control_settings , if time allows I may come back and try to incorporate selinux into this wiki
*To disable selinux
vim /etc/sysconfig/selinux
*Change "SELINUX=enforcing" to "SELINUX=disabled"
*Restart the computer
shutdown -r now

==Installing Samba==
Decide what version of Samba 4 you would like to use, if your demoing or a developer consider using the newer developer version. Note: May have bugs and is not suitable in a production environment
*For developers:
*install git
yum install git-core
git clone git://git.samba.org/samba.git ~/samba-master
*For stable Samba version visit: http://www.samba.org/
*or(as of 09-26-14):
wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz
*Extract the archive if not done so already
tar -zxvf samba-4.1.12.tar.gz
*Build the samba install, replace samba-master with samba-[Version#]
cd ~/samba-master
./configure --enable-debug --enable-selftest
*If it completes successfully, make sure it is Building with Active Directory support, if not you may have forgotten a few packages
*Finally compile and then install
make
make install

==Creating Samba Service==
Samba does not come with a provided service script, however it is easy to just copy a script from a service that is already implemented, we will use rdisc and modify it for starting and stopping samba.
cd /etc/init.d
cp rdisc samba
vim samba
:%s/rdisc/samba/g
:wq
*Change daemon location from /sbin/samba to /usr/local/samba/sbin/samba, as well as killproc location
*Delete RDISCOPT variable, remove usage from daemon command
*Change what gets echoed to the screen
Or after reviewing to make sure it work with your system, you can download the scripts here: https://github.com/t-ali/samba4_scripts/blob/master/samba

Move the file samba to /etc/init.d/
*Portreserve gets installed as a dependency, nothing wrong with it however it only gives slapd access to port 636 which is required for samba ldap service, to get around this remove this file used by portreserve
rm /etc/portreserve/slapd
*You may have to restart your server to get portreserve to release port 636

==Enabling Samba 4 as DC==
*Add samba path to $PATH, this only works for bash
echo 'export PATH=$PATH:/usr/local/samba/bin' >> ~/.bashrc
echo 'export PATH=$PATH:/usr/local/samba/sbin' >> ~/.bashrc
*Run command
/usr/local/samba/bin/samba-tool domain provision
*the domain-provision tool should pick all defaults automatically, however they can be changed to your liking
*it is your choice to decide what kind of DNS you would like to use, you can configure your own bind DNS server and manage it yourself for the domain(not going to be covered here) or you can forward requests to your DNS server and have Samba 4 deal with the Windows DNS entries(Samba 4 will be a DNS forwarder). Feel free to use your own DNS server to forward requests to, for the sake of testing I am just putting in googles public DNS address 8.8.8.8
[root@dumbo var]# /usr/local/samba/bin/samba-tool domain provision
Realm: AD1.domain.edu
Domain [AD1]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad1,DC=domain,DC=edu
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad1,DC=domain,DC=edu
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dumbo
NetBIOS Domain: AD1
DNS Domain: ad1.domain.edu
DOMAIN SID: S-1-5-21-3942629588-2438417362-1542489463
After provisioning a kerberos file has been created that is usable with samba, make a backup of current kerberos configuration and copy the generated file to /etc/krb5.conf
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*your krb5.conf file should look like
[libdefaults]
default_realm = AD1.DOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
Now we can fnially start the samba service, if you tried starting it earlier it most likely failed to start, you can check the status by:
service samba status
Now that we have everything in place start the samba service:
service samba start
We can check a couple ways to make sure samba is up and running, go check out the log files located at
cd /usr/local/samba/var/
tail log.samba
tail log.smbd
Usually any errors will appear at the end of log.smbd telling you smbd did not start, a working output would look like
[2014/09/26 16:32:48, 0] ../source3/smbd/server.c:1189(main)
smbd version 4.1.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2014/09/26 16:32:49.031941, 0] ../lib/util/become_daemon.c:136(daemon_ready)
And one more way just to check for the paranoid:
ps aux | grep -v grep | grep samba
Output should spit out a bunch of running processes
[root@dumbo var]# ps aux | grep -v grep | grep samba
root 1626 0.0 2.3 538864 44768 ? Ss 10:56 0:00 /usr/local/samba/sbin/samba
root 1628 0.0 1.6 538864 31916 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1629 0.0 1.6 538864 32676 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1630 0.0 1.7 538864 33544 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1631 0.0 1.6 538864 31884 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1632 0.0 2.4 587472 46564 ? Ss 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 1633 0.0 1.7 538864 33880 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1634 0.0 1.6 538864 32472 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1635 0.0 1.8 545120 36128 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1636 0.0 1.7 538864 33324 ? S 10:56 0:11 /usr/local/samba/sbin/samba
root 1637 0.0 1.7 541692 33180 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1638 0.0 1.6 538864 31996 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1639 0.0 2.1 539024 41976 ? S 10:56 0:04 /usr/local/samba/sbin/samba
root 1640 0.0 1.7 538864 33012 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1641 0.0 1.8 541388 35248 ? S 10:56 0:00 /usr/local/samba/sbin/samba
root 1644 0.0 1.7 587996 32820 ? S 10:56 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
Once you have verified samba has started without any errors you should add it to the startup
chkconfig samba on
*samba version as well as samba client version can be checked using the following commands
/usr/local/samba/sbin/samba -V
/usr/local/samba/bin/smbclient --version

==Configuring DNS==
*DNS forwarding was set up on the domain provisioning using the samba-tool script
cat /usr/local/samba/etc/smb.conf
*there should be a line under "[global]" that says "dns forwarder = ***.***.***.***", if not it was not enabled during domain provisioning
The server that samba was installed on should have itself as a DNS server(if using DNS forwarding, if not you must add in all the entires manually into your own DNS server, listed further below)
*Edit your network script to include itself as a DNS server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
*Add in the line
DNS1="127.0.0.1"
*Restart the network service so that the correct DNS is now used
service network restart
*Check to see server sees itself as a DNS server
cat /etc/resolv.conf
*There should be a line that says
nameserver 127.0.0.1
*Test that the correct DNS entries are in your samba server and that you can resolve them(change "ad1.domain.edu" to the name of your domain and "dumbo" to your hostname)
host -t SRV _ldap._tcp.ad1.domain.edu
host -t SRV _kerberos._udp.ad1.domain.edu
host -t A dumbo.ad1.domain.edu
*Should return:
[root@dumbo var]# host -t SRV _ldap._tcp.ad1.domain.edu
_ldap._tcp.ad1.domain.edu has SRV record 0 100 389 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t SRV _kerberos._udp.ad1.domain.edu
_kerberos._udp.ad1.domain.edu has SRV record 0 100 88 dumbo.ad1.domain.edu.
[root@dumbo var]# host -t A dumbo.ad1.domain.edu
dumbo.ad1.domain.edu has address 10.0.2.15
*If the test did not produce those outputs DNS has not been configured properly
*These are the entries required if you are going to do this manually in your DNS server, or script it, or use samba_dnsupdate script
*you can see these values at /usr/local/samba/private/dns_update_list
cat /usr/local/samba/private/dns_update_list
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP

# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

==Firewall==
*settings:
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p udp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 1024 -j ACCEPT

-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 3268 -j ACCEPT
-A INPUT -p tcp --dport 3269 -j ACCEPT
-A INPUT -p udp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 135 -j ACCEPT
-A INPUT -p tcp --dport 5722 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT
-A INPUT -p tcp --dport 137 -j ACCEPT

==Kerberos==
*make a backup of original kerberos file and replace it with the copy generated by samba
mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
*edit the new krb5.conf file and change the ${REALM} variable to the realm selected during domain provisioning, ALL CAPS
vim /etc/krb5.conf
*test Kerberos using the kinit command
kinit administrator@MYDOMAIN.COM
*if Kerberos is working you will be asked for your password
*verify that it is working by running klist, output should look something along the lines of
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
07/25/13 15:23:33 07/26/13 1:23:33 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 07/26/13 15:23:31

==NTP==
*Check this guide for installing and debugging NTP for domain joined machines:
**http://wiki.eri.ucsb.edu/stadm/Samba4_NTP
*Quick setup
yum install ntp
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd
*Edit
vim /etc/ntp.conf
*add
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
*add to startup and start
systemctl enable ntpd
systemctl start ntp
*or(Centos 6/SysVinit)
chkconfig ntpd on
service ntpd start

=Windows Domain=
==Add Windows computer to domain==
*manually edit network settings to point DNS to samba4 server
*assign static ip so there are no problems with joining computers to domain
*ping samba4 server at ip address to verify you can see it
ping 128.***.***.****
*ping FQDN to verify DNS is working
ping samba4.mydomain.com
*should get replies form both verifying that you can communicate with server and that DNS is functioning
*run the date command in your server
date
*Change the date and time on Windows Computer so that it is within a few seconds of the server, Kerberos requires the times between computers be no more than a few seconds apart
*Right click on "My Computer" and click "Properties"
*Under "Computer name, domain, and workgroup settings" click change settings
*Under "Member of" check "Domain"
*Type in the name of your domain in full uppercase letters, ex.
**MYDOMAIN.COM
*When asked enter in the username and password for the Administrator created during the samba-tool domain provisioning
*Once you have joined the domain restart the computer and you can now log in to the domain

==Adding Profile path to Samba==
*make a folder where the profiles will be stored
mkdir /usr/local/samba/var/profiles
*Add the following to smb.conf to inlcude that location
vim /usr/local/samba/etc/smb.conf
*insert the follwing
[profiles]
path = /usr/local/samba/etc/smb.conf
read only = No
*restart samba
/usr/local/samba/bin/smbcontrol all reload-config
*once restarted check the shares on your samba server, profiles should appear under there
smbclient -L localhost -U%

==Change Security on Profiles folder==
*login to the domain as administrator onto a windows 7 computer
*open up my computer and navigate to "\\servername" , ex. "\\samba4"
*Right Click on the folder and select properties
*Change security to allow Domain Administrators Full Control
*add Domain Users to Security with options, Traverse folder/execute file. List Folder/read data, Create folder/append data
==Install RSAT==
*Download Remote Server Administration Tool from the microsoft website, http://www.microsoft.com/en-us/download/details.aspx?id=7887
*Install, Once installed open up control panel and then open up programs, then programs and features
*on the left pane click "Turn Windows features on or off"
*Select all under Remote Server Administration Tool, then click okay
==Adding User and profile path==
*From a windows computer with RSAT installed run: dsa.msc
*create a new user and edit its properties to include a profile path of "\\servername\profiles\%USERNAME%"
*then run: gpupdate /force
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server
*If you're having Group Policy Issues you can view what has been applied by gpresult
*From command line run:
gpresult /H filename.html
*or if you only want Computer Configuration(must be run as an administrator)
gpresult /SCOPE COMPUTER /H filename.html
*Login with new user on domain and roaming profile will be created under /usr/local/samba/var/profiles on the server

==Folder Security==
*create a share for where users folder redirections will go, want on a NFS, demoing on local drive
[users]
path = usr/local/samba/var/data/users
comment = temp user folders for folder redirection, move to NFS
read only = No
*make the folder or have the NFS mouted
mkdir -p usr/local/samba/var/data/users
chown root:3000000 usr/local/samba/var/data/users
chmod 755 usr/local/samba/var/data/users
*login into windows computer using a domain administrator to change permissions on users folder
*navigate to users folder on windows computer \\domainame.edu
*right click on users folder and select properties, go to security tab, click on advanced, click change permissions
*remove all current permissions, add new permissions making sure "Include inheritable permissions from the object's parents" is NOT checked
*add:
**Administrator: Full Control : This Folder, Subfolder, and Files
**Domain Admins: Full Control : This Folder, Subfolder, and Files
**SYSTEM: Full Control : This Folder, Subfolder, and Files
**CREATOR OWNER: Full Control : Subfolder, and Files
**Authenticated Users: Traverse Folder/Execute FIle, List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, Change Permissions: This Folder Only
*restart service and check that settings stay
*using getfacl
getfacl /data/users
*returns
# file: users
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:3000002:rwx
group:3000003:rwx
group:3000008:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:3000002:rwx
default:group:3000008:rwx
default:mask::rwx
default:other::---
==Folder Redirection with GPO==
*Download admx files for windows 7/2008 and place them in \\mydomain.edu\sysvol\domainname.edu\policies\PolicyDefinitions
*service samba restart
*Create OU in AD and add a couple users
*Open up Group Policy Management
*Do not edit default domain policy, instead right click on the OU, Create GPO and link to OU
*edit linked GPO
*Go to User Configuration => Policies => Windows Settings => Folder Redirection
*Click each folder and change setting under "Target" tab to:
**Setting: Basic - Redirect everyone's folder to the same location
**Target Folder Location: Create a folder for each user under the root path
**Root path:\\MYDOMAIN.EDU\users
*under the "Settings" tab
**Uncheck "Grant the user exclusive rights to (name_of_folder)"
**under policy removal: Leave the folder in the new location when policy is removed should remain checked
*Since folder redirection windows will ask for conformation every time you try and open a shortcut because they are stored on NFS
*Go to User Configuration => Policies => Windows Settings => Internet Explorer Maintenance => Security
**NOTE!!!: This can only be done from a Windows 7 Machine running RSAT, server 2012 and Windows 8 deprecated this feature
**reference:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f6a0d43-e81f-4038-88f6-75d8921fdf82/missing-group-policy-internet-explorer-maintenance
*Double Click Security Zones and Content Ratings
*A windows may pop up before you can edit settings click "continue"
*click modify settings, click on Local intranet, click Sites, click Advanced
*add:
file://mydomain.edu
*click, close, OK, OK, and Apply
*Configuring Automatic Resolution Policy(when sync conflicts rise keep the last modified file)
*Navigate to Computer Configuration => Preferences => Windows Settings => Registry
*create a new registry item
*add: Software\Microsoft\Windows\CurrentVersion\NetCache\SyncConflictHandling :to the key path
*in the UNC path add the share you want to Auto resolve conflicts with, \\DOMAIN\users
*set Value Data to 4
**0-7:
***1:Keep the local state. This overwrites the remote copy with the local copy's contents. If the local copy was deleted, this deletes the remote copy on the server.
***2:Keep the remote state. This overwrites the local copy with the remote copy's contents. If the remote copy was deleted, this deletes the local copy in the Offline Files cache.
***4:Retains the state of the latest operation as determined by last-change times of the items in conflict. If the local item was deleted, the time of deletion is used for comparison.
*save and apply

==Map a Network Drive with GPO==
*Go to User Configuration => Preferences => Windows Settings => Drive Maps
*Create new mapped drive with:
Action:Create
Location: \\mydomainname.edu\folder\location
Reconnect:Checked
Use:"*" (pick any drive letter)
Hide/Show this drive:Show this Drive
Hide/Show all drives:No Change
*click Okay
*samba must be restarted for GPO to take effect
*make sure all the right ports are open on your firewall or mapped drive may not connect, tcp 137, udp 137 etc..

==Windows Update GPO==
*Download ADM files from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=18664
*Install when asked, navigate to where it installed the ADM files. Usually C:\Program Files(x86)\Microsoft Group Policy\Windows Server...\...
*copy only wuau.adm to \\mydomain.edu\sysvol\mydomain.edu\Policies\PolicyDefinitions\
*Edit GPO
*Go to Computer Configuration => Policies => Administrative Templates => Windows Components => Windows Update
*still testing, enable the following
Configure Automatic Updates: Enabled: Auto Download and Schedule Install: Every Day: 17:00
Specify intranet Microsoft update service location: Enabled: http://servername:port, http://servername:port
Automatic Updates Detection Frequency: enabled 12 hours
Allow non administrators to receive update notifications : enabled
Allow Automatic Updates immediate installation: Enabled
No auto-restart with logged on user for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installations: Enabled: 10 minutes
Enable clients-de targeting: Enabled or Disabled, can be used to organize wsus better
Allow signed updates from an intranet Microsoft update service location: enabled

==SSSD==
vim /etc/sssd/sssd.conf
[domain/default]
ldap_tls_reqcert = allow
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=domain,dc=edu
krb5_realm = $REALM
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://domain.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = ou=idmap,dc=domain,dc=edu
ldap_group_search_base = ou=Group,dc=domain,dc=edu
ldap_group_member = member
ldap_group_nesting_level = 4
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=Manager,dc=domain,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = ******
debug_level = 8
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]

[pam]

==ACL==
*set privileges
net rpc rights grant 'Domain\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
*view privileges
net rpc rights list accounts -Uadministrator
*https://wiki.samba.org/index.php/Setup_and_configure_file_shares
*http://manpages.ubuntu.com/manpages/lucid/man1/setfacl.1.html
*http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
*http://pic.dhe.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.bpxa500%2Fsfacl.htm
*add group acl to folder or file
setfacl -m "g:groupname:permissions" folder
*https://wiki.archlinux.org/index.php/Access_Control_Lists
*get and set acls(x is location you want acls from, y is location you want acls to)
getfacl x | setfacl -R –-set-file=- y

==Misc==
*after a yum update portreserve may have been updated and interferes with samba
*holds a lock on port 636 for slapd, samba provides an ldap service on 636 so slapd cannot hold it
*go to /etc/portreserve and remove the slapd file, restart server, portreserve will not hold lock in 636 anymore and samba can use it
cd /etc/portreserve
rm slapd
*deleting regedit user profile
http://social.technet.microsoft.com/wiki/contents/articles/13895.how-to-remove-a-corrupted-user-profile-from-the-registry.aspx
*Network level Authentication GPO
http://trekker.net/archives/group-policy-quick-tip-enable-remote-desktop-network-level-authentication/

==ID Mapping/Group Mapping==
*https://wiki.samba.org/index.php/Adding_users_with_samba_tool
*http://linuxcostablanca.blogspot.com/2012/02/samba-4-posix-domain-user.html
==Extending Schema for UIDs==
*https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
*https://wiki.samba.org/index.php/Samba_AD_Schema_Extenstions

==save==
http://pig.made-it.com/samba-ldap-member.html
http://doub.home.xs4all.nl/samba-ldap/index.html
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sdmnss
https://wiki.samba.org/index.php/Samba4/Domain_Member
http://directory.fedoraproject.org/wiki/Howto:Samba
http://ptgmedia.pearsoncmg.com/images/013188221X/downloads/013188221X_book.pdf

=References=
*http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
*http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
*http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
*http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
*http://clintboessen.blogspot.com/2012/08/open-file-security-warning.html
*http://stealthpuppy.com/configuring-an-automatic-resolution-policy-for-offline-files-in-windows-7/
*http://support.microsoft.com/kb/2189014
*https://www.samba.org/samba/docs/using_samba/ch07.html
*https://www.samba.org/samba/docs/using_samba/ch08.html

AD Samba4 Centos 7

2016-02-04T23:01:35Z

Stadm1: /* Installing Samba */

Samba4 Troubleshooting

2016-01-27T23:38:26Z

Stadm1: /* Update Samba */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Troubleshooting=

==Update Samba==
*When updating Samba you should only be doing a version change on one DC at a time. Then verify that the DC is working in the domain before upgrading other DCs, don't update more than one DC at a time, have proper backups!
*https://wiki.samba.org/index.php/Updating_Samba
*Stop service and make backup
systemctl stop samba
/usr/local/samba/bin/samba_backup
*Get samba, configure and install
wget http://www.samba.org/samba/ftp/stable/samba-4.3.3.tar.gz
tar -zxvf samba-4.3.3.tar.gz
cd ~/samba-4.3.3
./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind
*Make sure configure completes successfully, be sure you have proper backups!!!
*Read the release notes to check compatibility.
make
make install
*start the samba service
systemctl start samba
*Go check the logs and verify the system came up correctly:
tail /usr/local/samba/var/$LOGNAME.log
*Test around and see that replication is still in sync. Check that other DCs logs for errors about upgraded DC or replication.

==Checking Replication==
*Check replication status
samba-tool drs showrepl
*Force a repl:
*https://wiki.samba.org/index.php/Samba-tool_drs_replicate

==Force Removal of DC==
*If a Samba4 DC goes offline and cannot be restored so that replication can resync with another DC it must be forcibly removed from the domain.
*If the failed DC owned any of the FSMO roles they must be seized by the current working DC. See link for howto:
*https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
*Once all roles are on a working DC you may force remove the down DC from the domain. Use the following script:
*https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
*Check in ADUC under Domain Controllers(or appropriate OU) the DC was removed, if not delete the object.
*Open up the DNS Manager and remove all entries for the failed DC.
*Never restore/reintroduce the failed DC back into the domain, it will cause replication issues.
*To bring another DC up, setup samba as usual and join the domain as a DC using samba-tool:
*https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

==Demote a DC==
*https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC

==Join a DC==
*https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

==Backup and Restore==
*https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC

==LDB Search/Edit==
*ldb search example:
ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=***\,DC\=***\,DC\=***\,DC\=***.ldb

*weird error with tombstone lifetime
[2015/05/20 14:27:27.377734, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for DC=lluvia\0ACNF:fe4415b8-8a9d-417d-abb3-77771ec99f88\0ADEL:fe4415b8-8a9d-417d-abb3-77771ec99f88,CN=Deleted Objects,DC=DomainDnsZones,DC=***,DC=***,DC=***,DC=edu!
: Object class violation
*use ldbedit to change the tombstone lifetime from 6 months to 10 days to get rid of all extra "Deleted Objects" that wont replicate
ldbedit -H ldap://localhost -Uadministrator -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=***,DC=***,DC=***,DC=***"
*https://wiki.samba.org/index.php/Restoring_deleted_AD_objects#Changing_the_defaults_for_msDS-deletedObjectLifetime_and_tombstoneLifetime

Samba4 Troubleshooting

2016-01-27T23:02:14Z

Stadm1: /* Checking Replication */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Troubleshooting=

==Update Samba==
*https://wiki.samba.org/index.php/Updating_Samba
systemctl stop samba

==Checking Replication==
*Check replication status
samba-tool drs showrepl
*Force a repl:
*https://wiki.samba.org/index.php/Samba-tool_drs_replicate

==Force Removal of DC==
*If a Samba4 DC goes offline and cannot be restored so that replication can resync with another DC it must be forcibly removed from the domain.
*If the failed DC owned any of the FSMO roles they must be seized by the current working DC. See link for howto:
*https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
*Once all roles are on a working DC you may force remove the down DC from the domain. Use the following script:
*https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
*Check in ADUC under Domain Controllers(or appropriate OU) the DC was removed, if not delete the object.
*Open up the DNS Manager and remove all entries for the failed DC.
*Never restore/reintroduce the failed DC back into the domain, it will cause replication issues.
*To bring another DC up, setup samba as usual and join the domain as a DC using samba-tool:
*https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

==Demote a DC==
*https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC

==Join a DC==
*https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

==Backup and Restore==
*https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC

==LDB Search/Edit==
*ldb search example:
ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=***\,DC\=***\,DC\=***\,DC\=***.ldb

*weird error with tombstone lifetime
[2015/05/20 14:27:27.377734, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for DC=lluvia\0ACNF:fe4415b8-8a9d-417d-abb3-77771ec99f88\0ADEL:fe4415b8-8a9d-417d-abb3-77771ec99f88,CN=Deleted Objects,DC=DomainDnsZones,DC=***,DC=***,DC=***,DC=edu!
: Object class violation
*use ldbedit to change the tombstone lifetime from 6 months to 10 days to get rid of all extra "Deleted Objects" that wont replicate
ldbedit -H ldap://localhost -Uadministrator -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=***,DC=***,DC=***,DC=***"
*https://wiki.samba.org/index.php/Restoring_deleted_AD_objects#Changing_the_defaults_for_msDS-deletedObjectLifetime_and_tombstoneLifetime

Samba4 Troubleshooting

2016-01-27T23:00:05Z

Stadm1: /* Update Samba */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Troubleshooting=

==Update Samba==
*https://wiki.samba.org/index.php/Updating_Samba
systemctl stop samba

==Checking Replication==
*Check replication status
samba-tool drs showrepl

==Force Removal of DC==
*If a Samba4 DC goes offline and cannot be restored so that replication can resync with another DC it must be forcibly removed from the domain.
*If the failed DC owned any of the FSMO roles they must be seized by the current working DC. See link for howto:
*https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
*Once all roles are on a working DC you may force remove the down DC from the domain. Use the following script:
*https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
*Check in ADUC under Domain Controllers(or appropriate OU) the DC was removed, if not delete the object.
*Open up the DNS Manager and remove all entries for the failed DC.
*Never restore/reintroduce the failed DC back into the domain, it will cause replication issues.
*To bring another DC up, setup samba as usual and join the domain as a DC using samba-tool:
*https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

==Demote a DC==
*https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC

==Join a DC==
*https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

==Backup and Restore==
*https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC

==LDB Search/Edit==
*ldb search example:
ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=***\,DC\=***\,DC\=***\,DC\=***.ldb

*weird error with tombstone lifetime
[2015/05/20 14:27:27.377734, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for DC=lluvia\0ACNF:fe4415b8-8a9d-417d-abb3-77771ec99f88\0ADEL:fe4415b8-8a9d-417d-abb3-77771ec99f88,CN=Deleted Objects,DC=DomainDnsZones,DC=***,DC=***,DC=***,DC=edu!
: Object class violation
*use ldbedit to change the tombstone lifetime from 6 months to 10 days to get rid of all extra "Deleted Objects" that wont replicate
ldbedit -H ldap://localhost -Uadministrator -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=***,DC=***,DC=***,DC=***"
*https://wiki.samba.org/index.php/Restoring_deleted_AD_objects#Changing_the_defaults_for_msDS-deletedObjectLifetime_and_tombstoneLifetime

Samba4 Troubleshooting

2016-01-27T22:26:51Z

Stadm1: /* Troubleshooting */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Troubleshooting=

==Update Samba==
*https://wiki.samba.org/index.php/Updating_Samba

==Checking Replication==
*Check replication status
samba-tool drs showrepl

==Force Removal of DC==
*If a Samba4 DC goes offline and cannot be restored so that replication can resync with another DC it must be forcibly removed from the domain.
*If the failed DC owned any of the FSMO roles they must be seized by the current working DC. See link for howto:
*https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
*Once all roles are on a working DC you may force remove the down DC from the domain. Use the following script:
*https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
*Check in ADUC under Domain Controllers(or appropriate OU) the DC was removed, if not delete the object.
*Open up the DNS Manager and remove all entries for the failed DC.
*Never restore/reintroduce the failed DC back into the domain, it will cause replication issues.
*To bring another DC up, setup samba as usual and join the domain as a DC using samba-tool:
*https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

==Demote a DC==
*https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC

==Join a DC==
*https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

==Backup and Restore==
*https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC

==LDB Search/Edit==
*ldb search example:
ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=***\,DC\=***\,DC\=***\,DC\=***.ldb

*weird error with tombstone lifetime
[2015/05/20 14:27:27.377734, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for DC=lluvia\0ACNF:fe4415b8-8a9d-417d-abb3-77771ec99f88\0ADEL:fe4415b8-8a9d-417d-abb3-77771ec99f88,CN=Deleted Objects,DC=DomainDnsZones,DC=***,DC=***,DC=***,DC=edu!
: Object class violation
*use ldbedit to change the tombstone lifetime from 6 months to 10 days to get rid of all extra "Deleted Objects" that wont replicate
ldbedit -H ldap://localhost -Uadministrator -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=***,DC=***,DC=***,DC=***"
*https://wiki.samba.org/index.php/Restoring_deleted_AD_objects#Changing_the_defaults_for_msDS-deletedObjectLifetime_and_tombstoneLifetime

Samba4 Troubleshooting

2016-01-27T22:25:54Z

Stadm1: /* Troubleshooting */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Troubleshooting=
==Checking Replication==
*Check replication status
samba-tool drs showrepl

==Force Removal of DC==
*If a Samba4 DC goes offline and cannot be restored so that replication can resync with another DC it must be forcibly removed from the domain.
*If the failed DC owned any of the FSMO roles they must be seized by the current working DC. See link for howto:
*https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
*Once all roles are on a working DC you may force remove the down DC from the domain. Use the following script:
*https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
*Check in ADUC under Domain Controllers(or appropriate OU) the DC was removed, if not delete the object.
*Open up the DNS Manager and remove all entries for the failed DC.
*Never restore/reintroduce the failed DC back into the domain, it will cause replication issues.
*To bring another DC up, setup samba as usual and join the domain as a DC using samba-tool:
*https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

==Demote a DC==
*https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC

==Join a DC==
*https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

==Backup and Restore==
*https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC

==LDB Search/Edit==
*ldb search example:
ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=***\,DC\=***\,DC\=***\,DC\=***.ldb

*weird error with tombstone lifetime
[2015/05/20 14:27:27.377734, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for DC=lluvia\0ACNF:fe4415b8-8a9d-417d-abb3-77771ec99f88\0ADEL:fe4415b8-8a9d-417d-abb3-77771ec99f88,CN=Deleted Objects,DC=DomainDnsZones,DC=***,DC=***,DC=***,DC=edu!
: Object class violation
*use ldbedit to change the tombstone lifetime from 6 months to 10 days to get rid of all extra "Deleted Objects" that wont replicate
ldbedit -H ldap://localhost -Uadministrator -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=***,DC=***,DC=***,DC=***"
*https://wiki.samba.org/index.php/Restoring_deleted_AD_objects#Changing_the_defaults_for_msDS-deletedObjectLifetime_and_tombstoneLifetime

Samba4 Troubleshooting

2016-01-27T22:24:42Z

Stadm1: /* Troubleshooting */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Troubleshooting=
==Checking Replication==
*Check replication status
samba-tool drs showrepl

==Force Removal of DC==
*If a Samba4 DC goes offline and cannot be restored so that replication can resync with another DC it must be forcibly removed from the domain.
*If the failed DC owned any of the FSMO roles they must be seized by the current working DC. See link for howto:
*https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
*Once all roles are on a working DC you may force remove the down DC from the domain. Use the following script:
*https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
*Check in ADUC under Domain Controllers(or appropriate OU) the DC was removed, if not delete the object.
*Open up the DNS Manager and remove all entries for the failed DC.
*Never restore/reintroduce the failed DC back into the domain, it will cause replication issues.
*To bring another DC up, setup samba as usual and join the domain as a DC using samba-tool:
*https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

==Demote a DC==
*https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC

==LDB Search/Edit==
*ldb search example:
ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=***\,DC\=***\,DC\=***\,DC\=***.ldb

*weird error with tombstone lifetime
[2015/05/20 14:27:27.377734, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for DC=lluvia\0ACNF:fe4415b8-8a9d-417d-abb3-77771ec99f88\0ADEL:fe4415b8-8a9d-417d-abb3-77771ec99f88,CN=Deleted Objects,DC=DomainDnsZones,DC=***,DC=***,DC=***,DC=edu!
: Object class violation
*use ldbedit to change the tombstone lifetime from 6 months to 10 days to get rid of all extra "Deleted Objects" that wont replicate
ldbedit -H ldap://localhost -Uadministrator -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=***,DC=***,DC=***,DC=***"
*https://wiki.samba.org/index.php/Restoring_deleted_AD_objects#Changing_the_defaults_for_msDS-deletedObjectLifetime_and_tombstoneLifetime

Samba4 Troubleshooting

2016-01-27T22:24:00Z

Stadm1: /* Force Removal of DC */

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Troubleshooting=
==Checking Replication==
*Check replication status
samba-tool drs showrepl

==Force Removal of DC==
*If a Samba4 DC goes offline and cannot be restored so that replication can resync with another DC it must be forcibly removed from the domain.
*If the failed DC owned any of the FSMO roles they must be seized by the current working DC. See link for howto:
*https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
*Once all roles are on a working DC you may force remove the down DC from the domain. Use the following script:
*https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
*Check in ADUC under Domain Controllers(or appropriate OU) the DC was removed, if not delete the object.
*Open up the DNS Manager and remove all entries for the failed DC.
*Never restore/reintroduce the failed DC back into the domain, it will cause replication issues.
*To bring another DC up, setup samba as usual and join the domain as a DC using samba-tool:
*https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

==LDB Search/Edit==
*ldb search example:
ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=***\,DC\=***\,DC\=***\,DC\=***.ldb

*weird error with tombstone lifetime
[2015/05/20 14:27:27.377734, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for DC=lluvia\0ACNF:fe4415b8-8a9d-417d-abb3-77771ec99f88\0ADEL:fe4415b8-8a9d-417d-abb3-77771ec99f88,CN=Deleted Objects,DC=DomainDnsZones,DC=***,DC=***,DC=***,DC=edu!
: Object class violation
*use ldbedit to change the tombstone lifetime from 6 months to 10 days to get rid of all extra "Deleted Objects" that wont replicate
ldbedit -H ldap://localhost -Uadministrator -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=***,DC=***,DC=***,DC=***"
*https://wiki.samba.org/index.php/Restoring_deleted_AD_objects#Changing_the_defaults_for_msDS-deletedObjectLifetime_and_tombstoneLifetime

Samba4 Troubleshooting

2016-01-27T22:14:15Z

Stadm1:

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

=Troubleshooting=
==Checking Replication==
*Check replication status
samba-tool drs showrepl

==Force Removal of DC==

==LDB Search/Edit==
*ldb search example:
ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=***\,DC\=***\,DC\=***\,DC\=***.ldb

*weird error with tombstone lifetime
[2015/05/20 14:27:27.377734, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for DC=lluvia\0ACNF:fe4415b8-8a9d-417d-abb3-77771ec99f88\0ADEL:fe4415b8-8a9d-417d-abb3-77771ec99f88,CN=Deleted Objects,DC=DomainDnsZones,DC=***,DC=***,DC=***,DC=edu!
: Object class violation
*use ldbedit to change the tombstone lifetime from 6 months to 10 days to get rid of all extra "Deleted Objects" that wont replicate
ldbedit -H ldap://localhost -Uadministrator -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=***,DC=***,DC=***,DC=***"
*https://wiki.samba.org/index.php/Restoring_deleted_AD_objects#Changing_the_defaults_for_msDS-deletedObjectLifetime_and_tombstoneLifetime

Samba4 Troubleshooting

2016-01-27T22:13:49Z

Stadm1:

[[Category:Active Projects]]
[[Category:Projects]]
[[Category:Samba]]
[[Category:Samba4AD]]

==Checking Replication==
*Check replication status
samba-tool drs showrepl

==Force Removal of DC==

==LDB Search/Edit==
*ldb search example:
ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=***\,DC\=***\,DC\=***\,DC\=***.ldb

*weird error with tombstone lifetime
[2015/05/20 14:27:27.377734, 0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
Failed to apply records: replmd_replicated_apply_add: error during DRS repl ADD: No objectClass found in replPropertyMetaData for DC=lluvia\0ACNF:fe4415b8-8a9d-417d-abb3-77771ec99f88\0ADEL:fe4415b8-8a9d-417d-abb3-77771ec99f88,CN=Deleted Objects,DC=DomainDnsZones,DC=***,DC=***,DC=***,DC=edu!
: Object class violation
*use ldbedit to change the tombstone lifetime from 6 months to 10 days to get rid of all extra "Deleted Objects" that wont replicate
ldbedit -H ldap://localhost -Uadministrator -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=***,DC=***,DC=***,DC=***"
*https://wiki.samba.org/index.php/Restoring_deleted_AD_objects#Changing_the_defaults_for_msDS-deletedObjectLifetime_and_tombstoneLifetime

CISN Display CentOS

2015-12-16T23:24:49Z

Stadm1: /* Additional Steps */

[[Category:Projects]]
[[Category:CISN]]
==Introduction==
This page will attempt to document the creation of a kiosk type display of the CISN Display.
The CISN Display software displays near real-time earthquake location information available via the network.
A complementary component would be a waveform viewer showing seismograms (in real time) from various locations around
California (or beyond), but we have not had time to mount a concerted effort along those lines yet.
==Historical Notes==
*http://wiki.eri.ucsb.edu/stadm/CISN_Display
=Installation Guide=
==Setup==
*Install centos 6 on a compatible system, we will use a script that runs off this machine
**note:have not tested on centos minimal, install centos with a gui, script can be run remotely
*once installed run the following script to get the CISN Display installed as a kiosk
*Download [[Media: make_cisn.sh]]
==Additional Steps==
*after restart you have to type in credentials for cisn_display
*set a password for the kiosk user
*add a sleep and reboot to the crontab
#Sleep at 8pm everyday for 11 hours, reboot at 7:30 am
0 20 * * * /usr/sbin/rtcwake -m mem -s 39600
30 7 * * * /sbin/shutdown -r now

==References==
*Adapted from: http://www.marcinwilk.eu/lang/en-us/2014/05/scientific-linux-6-centos-6-kiosk/

File:Make cisn.sh

2015-12-16T19:44:12Z

Stadm1: Makes a kiosk for CISN Display on CentOS

Makes a kiosk for CISN Display on CentOS

CISN Display CentOS

2015-12-16T19:39:02Z

Stadm1: /* Additional Steps */

[[Category:Projects]]
[[Category:CISN]]
==Introduction==
This page will attempt to document the creation of a kiosk type display of the CISN Display.
The CISN Display software displays near real-time earthquake location information available via the network.
A complementary component would be a waveform viewer showing seismograms (in real time) from various locations around
California (or beyond), but we have not had time to mount a concerted effort along those lines yet.
==Historical Notes==
*http://wiki.eri.ucsb.edu/stadm/CISN_Display
=Installation Guide=
==Setup==
*Install centos 6 on a compatible system, we will use a script that runs off this machine
**note:have not tested on centos minimal, install centos with a gui, script can be run remotely
*once installed run the following script to get the CISN Display installed as a kiosk
*Download [[Media: make_cisn.sh]]
==Additional Steps==
*after restart you have to type in credentials for cisn_display
*set a password for the kiosk user
==References==
*Adapted from: http://www.marcinwilk.eu/lang/en-us/2014/05/scientific-linux-6-centos-6-kiosk/

CISN Display CentOS

2015-12-16T19:37:28Z

Stadm1: /* Additional Steps */

CISN Display CentOS

2015-12-16T19:32:44Z

Stadm1: /* Installation Guide */

CISN Display CentOS

2015-12-16T19:31:54Z

Stadm1: /* Setup */

[[Category:Projects]]
[[Category:CISN]]
==Introduction==
This page will attempt to document the creation of a kiosk type display of the CISN Display.
The CISN Display software displays near real-time earthquake location information available via the network.
A complementary component would be a waveform viewer showing seismograms (in real time) from various locations around
California (or beyond), but we have not had time to mount a concerted effort along those lines yet.
==Historical Notes==
*http://wiki.eri.ucsb.edu/stadm/CISN_Display
=Installation Guide=
==Setup==
*Install centos 6 on a compatible system, we will use a script that runs off this machine
**note:have not tested on centos minimal, install centos with a gui, script can be run remotely
*once installed run the following script to get the CISN Display installed as a kiosk

==Additional Steps==
*after restart you have to type in credentials for cisn_display

CISN Display CentOS

2015-12-16T19:30:39Z

Stadm1: /* Additional Steps */

CISN Display CentOS

2015-12-14T22:51:15Z

Stadm1:

CISN Display CentOS

2015-12-14T22:49:08Z

Stadm1: