mycroes

There's always time to play

Thursday, September 30, 2010

Installing Samba 4 on Ubuntu Maverick (10.10)

Samba 4 is currently able to serve as an Active Directory domain controller for both Windows XP and Windows 7 (as tested by me) and probably for other Windows versions too. With Ubuntu 10.10 there finally is a recent enough version to make use of all the current Samba 4 functionality; however, some issues still remain. This post provides a short guide to setting up Samba 4 on your Ubuntu Maverick system, but it won't go into more advanced Samba topics. At first I wanted this to be a full step-by-step guide, but I can't find the time to complete it as such (I started writing when Maverick was in beta). I welcome comments adding more details and I hope everyone will be able to follow this howto.

Let's start by updating the system.
$ sudo apt-get update


Next, add a PPA which includes a more recent Bind 9 version. I believe this is mainly needed so your Windows clients can send DNS updates to the domain controller, but I can't say I thoroughly tested with the version distributed with Ubuntu Maverick.

Personally I used bind9 from Hauke Lampe's PPA (BIND 9 Updates : Hauke Lampe).

Install samba4 and bind9:
$ sudo apt-get install samba4 samba4-clients bind9


Move existing smb.conf:
$ sudo mv /etc/samba/smb.conf{,.old}


Create a samba 4 config and provision the database:
$ sudo LD_PRELOAD=/usr/lib/libdcerpc.so.0.0.1 /usr/share/samba/setup/provision --realm=samdom.example.com --domain=SAMDOM --adminpass=SOMEPASSWORD --server-role='domain controller'

You might be wondering what this LD_PRELOAD is about: it's needed because some of the Samba 4 binaries aren't linked against the dcerpc library, so it has to be preloaded by hand.

Now we want to start samba, but there's another issue ahead: the samba4 init script doesn't check for the existence of the samba directory in /var/run, so let's add that ourselves.
# /etc/init.d/samba4
...
log_daemon_msg "Starting Samba 4 daemon" "samba"

if [ ! -d $(dirname $SAMBAPID) ]; then
    mkdir -p $(dirname $SAMBAPID)
fi

if !...


We're still not there yet... Remember the missing library link? It also bites while Samba is running, so let's work around it by creating local wrappers for the samba programs that preload the library:

Create /usr/local/sbin/samba:
#!/bin/sh
# Run the real binary of the same name from /usr/sbin with the dcerpc
# library preloaded, passing any arguments through unchanged.
LD_PRELOAD=/usr/lib/libdcerpc.so.0.0.1 exec /usr/sbin/$(basename "$0") "$@"


Now symlink samba_dnsupdate and samba_spnupdate to the same file:
$ sudo ln -s /usr/local/sbin/samba{,_dnsupdate}
$ sudo ln -s /usr/local/sbin/samba{,_spnupdate}


Now start samba:
$ sudo /etc/init.d/samba4 start


Let's do a quick test if it's working:
$ smbclient -UAdministrator -Llocalhost
Password for [SAMDOM\Administrator]:

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.0.0alpha12-GIT-UNKNOWN)
        ADMIN$          Disk      DISK Service (Samba 4.0.0alpha12-GIT-UNKNOWN)
REWRITE: list servers not implemented

Seems to be working!

Now let's get DNS working too. Start by editing named.conf.local:
// /etc/bind/named.conf.local
...
//include "/etc/bind/zones.rfc1918";

include "/var/lib/samba/private/named.conf";

Thought we were done? Think again! AppArmor is protecting our samba4 files from bind, but we need bind to read them, so add these rules to the named profile:
# /etc/apparmor.d/usr.sbin.named
...
  /var/lib/samba/private/* rw,
  /var/lib/samba/private/dns/* rw,
}

Reload AppArmor profiles and restart bind:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/bind9 restart

Bind should now start without any issues. Next is to actually use bind for DNS:
# /etc/resolv.conf
nameserver 127.0.0.1

You can verify it's working by querying DNS for the Kerberos SRV record:
$ host -t SRV _kerberos._udp.samdom.example.com

This should return an SRV record, if not, something's broken!

Now let's move the Kerberos config into place:
$ sudo cp /var/lib/samba/private/krb5.conf /etc/


You can verify it's working by installing krb5-user and running kinit Administrator, but since Kerberos comes out of the box with Samba, I'm assuming it's working (it always did for me).

If you chose to add a PPA with a recent Bind version, you can enable Kerberized DNS updates by pointing named to the correct principal and keytab. More details on this can be found on the Samba 4 howto, I will add my own details here later.



You should now be able to administer your Samba 4 domain controller using the Microsoft Windows Server management utilities, the Samba net tool or direct LDAP queries.
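A sanity check for the steps above (the LD_PRELOAD wrapper and its symlinks, the init script fix, the named.conf.local include and the AppArmor rules), written as an added example that is not part of the original post. The check_* function names are mine; the paths are the ones used in this guide, and the script is run as "sh check-samba4.sh run".

```shell
#!/bin/sh
# Post-install sanity check for the Samba 4 + Bind 9 setup described above.
# This is an added example, not part of the original guide. Each check takes
# the file or directory to inspect as an argument, so it also runs on copies.

# The LD_PRELOAD wrapper must be executable, and samba_dnsupdate and
# samba_spnupdate must be symlinks to it, as the ln -s commands create them.
check_wrappers() {  # usage: check_wrappers /usr/local/sbin
  dir="$1"
  [ -x "$dir/samba" ] || { echo "missing executable $dir/samba"; return 1; }
  grep -q 'LD_PRELOAD=' "$dir/samba" || { echo "$dir/samba sets no LD_PRELOAD"; return 1; }
  for tool in samba_dnsupdate samba_spnupdate; do
    [ "$(readlink "$dir/$tool" 2>/dev/null)" = "$dir/samba" ] \
      || { echo "$dir/$tool is not a symlink to $dir/samba"; return 1; }
  done
}

# The init script must create the pid directory before starting samba.
check_initscript() {  # usage: check_initscript /etc/init.d/samba4
  grep -qF 'mkdir -p $(dirname $SAMBAPID)' "$1" \
    || { echo "$1 lacks the mkdir -p for the pid directory"; return 1; }
}

# named.conf.local must include the file written by the provision step on an
# uncommented line; a leading // would leave the AD zone unloaded.
check_named_include() {  # usage: check_named_include /etc/bind/named.conf.local
  grep -Eq '^[[:space:]]*include[[:space:]]+"/var/lib/samba/private/named.conf";' "$1" \
    || { echo "$1 does not include /var/lib/samba/private/named.conf"; return 1; }
}

# The AppArmor profile for named needs read/write access to both directories.
check_apparmor() {  # usage: check_apparmor /etc/apparmor.d/usr.sbin.named
  for rule in '/var/lib/samba/private/* rw,' '/var/lib/samba/private/dns/* rw,'; do
    grep -qF "$rule" "$1" || { echo "$1 lacks rule: $rule"; return 1; }
  done
}

# Run every check against the real paths from the post; non-zero if any fails.
run_all() {
  rc=0
  check_wrappers /usr/local/sbin || rc=1
  check_initscript /etc/init.d/samba4 || rc=1
  check_named_include /etc/bind/named.conf.local || rc=1
  check_apparmor /etc/apparmor.d/usr.sbin.named || rc=1
  return $rc
}

if [ "${1:-}" = "run" ]; then run_all; fi
```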

Updates

Dec 8 2010, 22:56

Added missing apparmor policy changes

21 comments:

Bradley Hook said...

Great info, but it looks like you left out the lines that need to be edited for apparmor.

I had to add the following:

/var/lib/samba/private/* rw,
/var/lib/samba/private/dns/* rw,

Michael Croes said...

@Bradley
Thanks! I actually have another line in there at work because when using Kerberos, Bind also tries to create/open a tempfile.

Unfortunately I'm quite busy atm, would add some more info otherwise.
Regards,

Michael

Craig said...

Hi there and great tutorial!

Any chance of it working on Lucid Lynx server (10.04)?

Thanks..

Michael Croes said...

@Craig
Unfortunately, Samba 4 in 10.04 is too old, but you might be able to install 10.10 samba4 in 10.04. Keep in mind you'll also need newer libraries for stuff samba depends on.

Alternatively you could use packages from a PPA, there's at least one PPA by an official samba developer, however that's containing daily builds which might be a bit too adventurous.
Regards,

Michael

Craig said...

Hi Michael and thank you

Yes, I thought as much. So I've looked at the Samba 4 wiki, which refers to 9.04 Jaunty and building from source. I'm going to grab a tarball of the alpha 13 release and give it a whirl. Otherwise there's no harm in upgrading to Maverick, I suppose..

Will keep you posted..

Thanking you
Craig..

石添小草 said...

I got this after restarting bind9:

rndc: connect failed: 127.0.0.1#953: connection refused

What is likely to be happening? Did I do something wrong?

Michael Croes said...

Hi,

Check if bind is running, if not, do a '/etc/init.d/bind9 start'. If it's not starting, check your log files. One probable cause for issues is apparmor, so you could try '/etc/init.d/apparmor teardown', then restart bind to see if it works.
Regards,

Michael

nasori said...

Hi,
I found this message:
root@semar:/etc/bind# /etc/init.d/samba4 start
* Starting Samba 4 daemon samba /etc/init.d/samba4: 67: /var/run: Permission denied
[ OK ]


I added this script to the /etc/init.d/samba4 file:

if [ ! -d $(/var/run $SAMBAPID) ]; then
mkdir -p $(/var/run $SAMBAPID)
fi
How do I solve this problem?

Michael Croes said...

@nasori
You altered the code as listed in my post, just use what I posted and you should be fine.

To be over-explicit, 'dirname' is a command, not some variable you should substitute (and if it was, you chose the wrong directory).
Regards,

Michael

Thomas said...

Thank you for nice tutorial!

Is anywhere a tutorial what explains how to set up the "member server" part?

Thank you!

Michael Croes said...

@Thomas
Yes, on the official Samba 4 wiki they tell you not to use Samba 4 as a member server.

I have to agree, Samba 3 works fine as member server, including proper permission handling when using the right config options. Just avoid Samba 4 for your member servers for now.

Robert said...

I challenge you to make this easier... It was almost painless. What are the 'issues' you mention? I thought there was only issue with multiple forests of samba DCs?....
Oh also... you'll want to get libnss_winbind installed as well... it will install libnss-winbind.so.2 which needs to be linked to libnss-winbind.so per the samba 4 web pages

Kishore said...

Try this link, if anybody is interested:

http://admingeeks.blogspot.com

Thomas said...

Hi Michael, thank for your guide.

I have configured my Ubuntu server, but when I do:

smbclient -L localhost

I get:

root@mailserver:/etc/init.d# smbclient -L localhost
Password for [SOCIPSRL\root]:
Password for [SOCIPSRL\root]:
Password for [SOCIPSRL\root]:
Failed to connect to ncacn_np:localhost - NT_STATUS_LOGON_FAILURE

and when I do:

smbclient -UAdministrator -Llocalhost

I get:

root@mailserver:/etc/init.d# smbclient -UAdministrator -Llocalhost
Password for [SOCIPSRL\Administrator]:
Failed to connect to ncacn_np:localhost - NT_STATUS_CONNECTION_REFUSED
REWRITE: list servers not implemented
root@mailserver:/etc/init.d#

Why?

I have searched on Google but found nothing...

Thank you in advance.

Thomas

Michael Croes said...

@Thomas:
I'm guessing that Samba isn't running. Check if Samba is running, check log files for what's happening. Also, it should be a lot easier to install Samba 4 on Ubuntu Natty. I installed a Natty machine as second domain controller (just Samba 4, no dns or anything), which was as easy as installing Samba 4 and following the documentation for adding a new domain controller to an existing domain on the Samba wiki.
Regards,

Michael

poster said...

Step by Step configuration of samba server:
http://www.redhatlinux.info/2011/11/configure-samba-server.html

Nitocris Kamahat said...

With Ubuntu 11.10, the preload changes to: LD_PRELOAD=/usr/lib/i386-linux-gnu/libdcerpc.so.0

Michael Croes said...

@nitocris
Unfortunately, you're incorrect. For one, the path is determined by architecture, so your suggestion would only work on a 32 bit x86 install. Last but not least, the package in 11.10 doesn't require any of these hacks as far as I know, thus adding them is a mistake.

Mithrandir said...

Still 2012 and working like a charm, thx mate.