linux:samba

Active Directory Mode

Functional level Server 2012_R2 is supported from Samba 4.21.0; tested with 100000 users and computers and 100 DCs in one domain.

IN LXC YOU MUST USE A PRIVILEGED CONTAINER, and the DNS server may end up being 127.0.0.1 in the end!

Set the AD host name ad.corp.janforman.com in /etc/hostname and /etc/hosts:

sudo vi /etc/hostname
sudo vi /etc/hosts

/etc/cloud/cloud.cfg (so that cloud-init does not overwrite the hostname)

preserve_hostname: true
sudo apt-get install samba krb5-user krb5-config winbind smbclient libpam-winbind libnss-winbind wsdd

wsdd2 conflicts with SMBD!

Answers to the krb5-config prompts:

Kerberos Realm: CORP.JANFORMAN.COM
Kerberos servers for your realm: ad.corp.janforman.com
Administrative server for your Kerberos realm: ad.corp.janforman.com
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.original
sudo samba-tool domain provision --use-rfc2307 --interactive

Set DNS resolver

sudo mkdir /etc/systemd/resolved.conf.d/

/etc/systemd/resolved.conf.d/custom.conf

[Resolve]
DNSStubListener=no
Domains=corp.janforman.com
DNS=127.0.0.1

sudo systemctl restart systemd-resolved
or simply disable that service

Add to the [global] section of smb.conf:

dns forwarder = 172.24.16.254

krb5.conf

[libdefaults]
        default_realm = CORP.JANFORMAN.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false

[realms]
CORP.JANFORMAN.COM = {
        kdc = ad.corp.janforman.com
        admin_server =  ad.corp.janforman.com
        default_domain = corp.janforman.com
}

[domain_realm]
        ad = CORP.JANFORMAN.COM

Enable AD

sudo mv /etc/krb5.conf /etc/krb5.conf.original
sudo cp /var/lib/samba/private/krb5.conf /etc/
sudo systemctl disable --now smbd nmbd winbind
sudo systemctl unmask samba-ad-dc
sudo systemctl enable --now samba-ad-dc wsdd

WSDD

/etc/default/wsdd

WSDD_PARAMS="-w CORP"

Verify

sudo samba-tool domain level show
smbclient -L localhost -N

kinit administrator
klist

Set resolv.conf

sudo rm -f /etc/resolv.conf && sudo vi /etc/resolv.conf
nameserver 127.0.0.1
domain corp.janforman.com

smbstatus

Samba version 4.15.13-Ubuntu
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
1526    root         users        172.24.16.123 (ipv4:172.24.16.123:50210)  SMB3_11           -                    partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
public       1526    172.24.16.123 Wed Jun 21 09:31:07 PM 2023 UTC  -            AES-128-CMAC

Locked files:
Pid          User(ID)   DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
1526         0          DENY_NONE  0x100081    RDONLY     NONE             /mnt   .   Wed Jun 21 21:31:11 2023
1526         0          DENY_NONE  0x100081    RDONLY     NONE             /mnt   .   Wed Jun 21 21:31:11 2023
1526         0          DENY_NONE  0x100081    RDONLY     NONE             /mnt   .   Wed Jun 21 21:31:09 2023

Check Samba Dialects

nmap --script smb-protocols 192.168.101.0/24
nmap -sS -sV -sC 192.168.101.0/24

Red Hat install

yum install samba samba-client samba-common

Enable startup

systemctl enable smb.service
systemctl enable nmb.service
systemctl restart smb.service
systemctl restart nmb.service

smb.conf

[global]
workgroup = WINDOWS
server string = Samba Server Version %v
netbios name = SAMBA
log level = 1
log file = /var/log/samba/log.%m
max log size = 50
security = user
local master = no
os level = 33
preferred master = no
wins support = no
#====== connect to existing wins or enable wins support
wins server = 172.24.16.254
wins proxy = yes
#======
dns proxy = yes
map to guest = bad user

username map = /etc/samba/smbusers

use sendfile = 1
deadtime = 10

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

#====== Share Definitions
[public]
comment = Public
path = /storage/public
public = yes
writable = yes
printable = no
guest ok = yes

Add users

smbpasswd -a <linuxuser>

Mapping Samba user names to Linux users

/etc/samba/smbusers

linuxuser = sambaname

Mount a Samba share

/etc/fstab

//172.24.16.20/backup_oracle /backup_oracle cifs _netdev,rw,username=USER,password=PASSWORD,file_mode=0640,dir_mode=0750,uid=oracle,gid=oinstall 0 0
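The fstab entry above carries the password inside /etc/fstab, which every local user can read. mount.cifs accepts a credentials= option that reads username=, password= and domain= from a separate file, so the secret can sit in a root-only file while fstab keeps the same mount options. The script below is an added example and is not taken from the wiki page; the credentials file path, the vers=3.0 option and the CORP domain are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: keep the CIFS password out of
# /etc/fstab. mount.cifs reads username=, password= and domain= from the file
# named by its credentials= option, so the secret can live in a root-only
# file while fstab stays readable for everyone.

# write_cifs_credentials FILE USER PASSWORD [DOMAIN]
# The umask is set in a subshell before the redirection creates the file, so
# the file never exists with permissions wider than 0600.
write_cifs_credentials() {
    (
        umask 077
        {
            printf 'username=%s\n' "$2"
            printf 'password=%s\n' "$3"
            if [ -n "${4:-}" ]; then printf 'domain=%s\n' "$4"; fi
        } > "$1"
    )
}

# cifs_fstab_line SHARE MOUNTPOINT CREDFILE UID GID
# Same options as the page's backup_oracle entry, with credentials= replacing
# username=/password=. vers=3.0 is an assumption (the server must offer SMB3).
cifs_fstab_line() {
    printf '%s %s cifs _netdev,rw,credentials=%s,vers=3.0,file_mode=0640,dir_mode=0750,uid=%s,gid=%s 0 0\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# has_plaintext_password LINE: true when an fstab line still carries password=
has_plaintext_password() {
    case "$1" in *password=*) return 0 ;; *) return 1 ;; esac
}

# file_mode FILE: octal permission bits (GNU stat, with a BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demonstration with constructed values; in real use the credentials file
# would be something like /root/.smbcred-backup_oracle (assumed path).
tmpdir=$(mktemp -d)
cred="$tmpdir/smbcred-backup_oracle"
write_cifs_credentials "$cred" 'USER' 'PASSWORD' 'CORP'
line=$(cifs_fstab_line '//172.24.16.20/backup_oracle' '/backup_oracle' "$cred" oracle oinstall)
echo "credentials file mode: $(file_mode "$cred")"
echo "fstab entry: $line"
```

The file is created under umask 077 rather than chmod'ed afterwards, so there is no window in which it is readable by others; the fstab line itself then contains nothing secret.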

Mount a Samba share with an older protocol (SMB1)

mount -o vers=1.0 //x.x.x.x/share /mnt/samba

Tuning speed on Windows: turn off RequireSecuritySignature

reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 0 /f
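The smb.conf above publishes a guest-writable [public] share with map to guest = bad user, the older-protocol mount relies on SMB1 being accepted, and the two registry lines switch off signing on the Windows side. The script below is an added example, not code from the wiki page: it parses an smb.conf with awk and reports the Samba-side settings that matter for those three points (anonymous writable shares, map to guest, server min protocol, server signing), then runs the check over a constructed copy of this page's configuration and over a hardened variant. The valid users group and the hardened values are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit an smb.conf for settings that
# widen exposure, then compare the page's configuration with a hardened one.
# Keys and section names are matched case-insensitively with surrounding
# whitespace removed, as Samba itself treats them.

# audit_smb_conf FILE: prints one line per finding and, as the last line, the
# number of findings. Checks:
#   - a share that allows guests (guest ok / public = yes) and is writable
#   - map to guest = bad user (unknown user names silently become guest)
#   - server min protocol unset (SMB1 acceptance then depends on the Samba
#     version's default)
#   - server signing not mandatory (the server-side counterpart of the Windows
#     RequireSecuritySignature value)
audit_smb_conf() {
    awk '
    function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
    /^[ \t]*[#;]/ { next }                       # comment line
    /^[ \t]*\[/ {                                # [section]
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
        sec = norm(sec); next
    }
    /=/ {                                        # key = value
        key = norm(substr($0, 1, index($0, "=") - 1))
        val = norm(substr($0, index($0, "=") + 1))
        conf[sec, key] = val
        if (sec != "global") shares[sec] = 1
    }
    END {
        n = 0
        for (s in shares) {
            guest = (conf[s, "guest ok"] == "yes" || conf[s, "public"] == "yes")
            writ  = (conf[s, "writable"] == "yes" || conf[s, "writeable"] == "yes" ||
                     conf[s, "read only"] == "no")
            if (guest && writ) { print "[" s "]: anonymous writable share"; n++ }
        }
        if (conf["global", "map to guest"] == "bad user") {
            print "[global]: map to guest = bad user (unknown users become guest)"; n++
        }
        if (!(("global", "server min protocol") in conf)) {
            print "[global]: server min protocol not set"; n++
        }
        if (conf["global", "server signing"] != "mandatory") {
            print "[global]: server signing is not mandatory"; n++
        }
        print n
    }' "$1"
}

# finding_count FILE: just the number of findings
finding_count() { audit_smb_conf "$1" | tail -n 1; }

# Constructed sample: the [global]/[public] settings from this page (weak)
# and a hardened variant (the valid users group is an assumption).
tmpdir=$(mktemp -d)
cat > "$tmpdir/weak.conf" <<'EOF'
[global]
workgroup = WINDOWS
security = user
map to guest = bad user
#====== Share Definitions
[public]
comment = Public
path = /storage/public
public = yes
writable = yes
guest ok = yes
EOF
cat > "$tmpdir/hardened.conf" <<'EOF'
[global]
workgroup = WINDOWS
security = user
map to guest = never
server min protocol = SMB2_02
server signing = mandatory
[public]
comment = Public
path = /storage/public
guest ok = no
writable = yes
valid users = @users
EOF

echo "== weak.conf ==";     audit_smb_conf "$tmpdir/weak.conf"
echo "== hardened.conf =="; audit_smb_conf "$tmpdir/hardened.conf"
```

Run it against /etc/samba/smb.conf to get the same report for a live server; the findings list is meant as a review aid, since whether a guest share or an SMB1 client is acceptable depends on the network the server sits in.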
linux/samba.txt · Last modified: 2024/11/15 08:57 by Jan Forman