Difference between revisions of "Samba"
Plittlefield (talk | contribs) |
Plittlefield (talk | contribs) |
||
(3 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
+ | == Audit Logging == | ||
+ | |||
+ | Want to know what every user is reading or writing on your samba server? | ||
+ | |||
+ | https://moiristo.wordpress.com/2009/08/10/samba-logging-user-activity/ | ||
+ | |||
+ | vfs objects = full_audit | ||
+ | full_audit:prefix = %u|%I|%m|%S | ||
+ | full_audit:success = mkdir rename unlink rmdir pwrite | ||
+ | full_audit:failure = none | ||
+ | full_audit:facility = local7 | ||
+ | full_audit:priority = NOTICE | ||
+ | |||
+ | To specify a custom log file to which full_audit should write, you should create a new syslogd facility. A facility can be described in syslog.conf. Since I had chosen the facility local7, I can add that facility to the configuration like this: | ||
+ | |||
+ | local7.* /var/log/samba/log.audit | ||
+ | |||
+ | This line means that all log messages of facility local7 will be written to /var/log/samba/log.audit. The star is needed to say that I’d like to log messages of any severity to the same log file. Finally, restart the syslogd daemon: | ||
+ | |||
+ | /etc/init.d/sysklogd restart | ||
+ | |||
+ | This is an example of what the audit logs will look like:- | ||
+ | |||
+ | Aug 10 11:52:52 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|unlink|ok|public/Upload/hypnotoad.gif | ||
+ | Aug 10 11:52:59 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|pwrite|ok|public/Upload/hypnotoad.gif | ||
+ | Aug 10 11:53:41 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoad.gif|public/Upload/hypnotoads.gif | ||
+ | |||
== How to configure Samba to use SMBv2 and disable SMBv1 == | == How to configure Samba to use SMBv2 and disable SMBv1 == | ||
Line 12: | Line 39: | ||
== HOWTO: FIX: == | == HOWTO: FIX: == | ||
+ | |||
+ | === Read Only Microsoft Office Documents === | ||
+ | |||
+ | Because of the way Microsoft Office saves its' documents, you can end up with a situation where the Extended Attributes of the saved file override the Linux permissions, resulting in a 'read only' file when another user tries to open it on the shared drive. | ||
+ | |||
+ | To fix this, you need to set the Linux group sticky bit and ACL permissions on the shared directory. | ||
+ | |||
+ | This will make all the current and future files and folders have read-write permissions ... | ||
+ | |||
+ | sudo -i | ||
+ | ll /home/samba/shared/path/to/folder/ | ||
+ | find /home/samba/shared/path/to/folder/ -type d -exec chmod 2775 {} \; | ||
+ | find /home/samba/shared/path/to/folder/ -type f -exec chmod 0664 {} \; | ||
+ | setfacl -R -m default:group:users:rwX,g:users:rwX /home/samba/shared/path/to/folder/ | ||
+ | |||
+ | https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs | ||
=== Network Performance Issues Errors === | === Network Performance Issues Errors === | ||
Line 968: | Line 1,011: | ||
ldbsearch -H "/usr/local/samba/private/sam.ldb.d/DC=DOMAIN,DC=COM.ldb" >/path/to/ldbsearch_export.txt | ldbsearch -H "/usr/local/samba/private/sam.ldb.d/DC=DOMAIN,DC=COM.ldb" >/path/to/ldbsearch_export.txt | ||
+ | |||
+ | == SAMBA4 HOWTO: Rename COMPUTER == | ||
+ | |||
+ | Search for the name in LDAP ... | ||
+ | |||
+ | ldbsearch -H ldap://DC1 -UAdministrator 'CN=OLDNAME' | ||
+ | |||
+ | If most of the name and attributes are correct in AD but '''just the CN and NAME are wrong in LDAP''', then use this command ... | ||
+ | |||
+ | ldbrename -H ldap://DC1 -UAdministrator 'CN=OLDNAME,OU=Warehouse,OU=Computers,DC=domain,DC=com' 'CN=NEWNAME,OU=Warehouse,OU=Computers,DC=domain,DC=com' | ||
+ | |||
+ | If none of the name and attributes are correct and you want to '''rename it on the COMPUTER and AD at the same time''', then use this command ... | ||
+ | |||
+ | net dom renamecomputer -S OLDNAME -U OLDNAME\\administrator%secret newname=NEWNAME account=DOMAIN\\administrator password=topsecret reboot | ||
== SAMBA4 HOWTO: Samba Tool Documentation == | == SAMBA4 HOWTO: Samba Tool Documentation == |
Latest revision as of 14:02, 25 July 2023
Audit Logging
Want to know what every user is reading or writing on your samba server?
https://moiristo.wordpress.com/2009/08/10/samba-logging-user-activity/
vfs objects = full_audit full_audit:prefix = %u|%I|%m|%S full_audit:success = mkdir rename unlink rmdir pwrite full_audit:failure = none full_audit:facility = local7 full_audit:priority = NOTICE
To specify a custom log file to which full_audit should write, you should create a new syslogd facility. A facility can be described in syslog.conf. Since I had chosen the facility local7, I can add that facility to the configuration like this:
local7.* /var/log/samba/log.audit
This line means that all log messages of facility local7 will be written to /var/log/samba/log.audit. The star is needed to say that I’d like to log messages of any severity to the same log file. Finally, restart the syslogd daemon:
/etc/init.d/sysklogd restart
This is an example of what the audit logs will look like:-
Aug 10 11:52:52 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|unlink|ok|public/Upload/hypnotoad.gif Aug 10 11:52:59 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|pwrite|ok|public/Upload/hypnotoad.gif Aug 10 11:53:41 rhino smbd_audit: moiristo|123.45.67.89|moiristo|moiristo|rename|ok|public/Upload/hypnotoad.gif|public/Upload/hypnotoads.gif
How to configure Samba to use SMBv2 and disable SMBv1
Samba4 AD DC Ubuntu Install
http://blogging.dragon.org.uk/samba4-ad-dc-on-ubuntu-14-04/
Samba4 and DNSMasq
http://www.0xf8.org/2014/01/integrating-sambas-dns-server-with-existing-dnsmasq-installations/
HOWTO: FIX:
Read Only Microsoft Office Documents
Because of the way Microsoft Office saves its' documents, you can end up with a situation where the Extended Attributes of the saved file override the Linux permissions, resulting in a 'read only' file when another user tries to open it on the shared drive.
To fix this, you need to set the Linux group sticky bit and ACL permissions on the shared directory.
This will make all the current and future files and folders have read-write permissions ...
sudo -i ll /home/samba/shared/path/to/folder/ find /home/samba/shared/path/to/folder/ -type d -exec chmod 2775 {} \; find /home/samba/shared/path/to/folder/ -type f -exec chmod 0664 {} \; setfacl -R -m default:group:users:rwX,g:users:rwX /home/samba/shared/path/to/folder/
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
Network Performance Issues Errors
30 second delay when browsing fixed
Sage Accounts Performance Fix with Oplocks
Subnet Interface Errors
If you cannot access your samba server, and in the /var/log/samba/log.nmbd you see this error...
create_subnets: No local IPv4 non-loopback interfaces create_subnets: Waiting for an interface to appear
...then change your interfaces parameter in /etc/samba/smb.conf to match your actual network interface card. For example...
From:
interfaces = 192.168.0.0/24 127.0.0.1
To:
interfaces = 192.168.0.200/24 127.0.0.1
Weird, but it works. :-/
SAMBA4 DC SysVol Replication
https://wiki.samba.org/index.php/SysVol_Replication
crontab -e # samba4 dc sysvol replication @hourly /usr/bin/rsync -XAavz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret rsync://sysvol-replication@samba.domain.com/SysVol/ /usr/local/samba/var/locks/sysvol/ # samba4 rebuild sysvol and check 01 * * * * samba-tool ntacl sysvolreset 02 * * * * samba-tool ntacl sysvolcheck
SAMBA4 Error In DC Replication
If you are getting these errors in your logs...
[2013/05/31 12:21:57, 0] ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback) ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID allocation - WERR_BADFILE - extended_ret[0x0]
...and domain replication does not appear to be working, then you have the glibc (at least 2.17) nss dns resolver bug - where the resolver cannot look up names with an _ underscore.
To find your _msdcs_ name, look it up...
ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
To test this, try to ping the _msdcs_ name. You will receive an unknown host error...
ping 5813325c-fa80-4e0e-b76e-4666f6afe1e2._msdcs.xyz.com
To fix this, first add the _msdcs_ entry to /etc/hosts
127.0.0.1 localhost.localdomain localhost #127.0.1.1 samba2.xyz.com samba2 192.168.0.208 5813325c-fa80-4e0e-b76e-4666f6afe1e2._msdcs.xyz.com samba.xyz.com samba 192.168.0.209 f0605966-1d4f-4fef-8a75-2a24863dbaa9._msdcs.xyz.com samba2.xyz.com samba2
Second, make sure you add all the correct CNAME and A record entries in your Samba4 DCs DNS... that is, details of the secondary DC2 to _both_ DCs...
samba-tool dns add 192.168.0.208 xyz.com samba2 A 192.168.0.209 samba-tool dns add 192.168.0.209 xyz.com samba2 A 192.168.0.209 samba-tool dns add 192.168.0.208 _msdcs.xyz.com f0605966-1d4f-4fef-8a75-2a24863dbaa9 CNAME samba2.xyz.com -UAdministrator samba-tool dns add 192.168.0.209 _msdcs.xyz.com f0605966-1d4f-4fef-8a75-2a24863dbaa9 CNAME samba2.xyz.com -UAdministrator
Now try to ping the _msdcs_ name. It will work...
ping 5813325c-fa80-4e0e-b76e-4666f6afe1e2._msdcs.xyz.com
And you will see two-way tcp connections in netstat...
tcp 0 0 192.168.0.209:1024 192.168.0.208:36814 ESTABLISHED 582/samba tcp 0 0 192.168.0.209:35246 192.168.0.208:1024 ESTABLISHED 589/samba
Amazingly simple, but it fixes it.
You should see the extra Domain Computers that were not on your Secondary Samba4 Domain Controller.
To confirm all is working, add or edit a user and check it on the DC2...
samba-tool group listmembers "Domain Computers" |sort -f
or
samba-tool user list |sort -f
And look at the Replication status log...
samba-tool drs showrepl Default-First-Site-Name\SAMBA2 DSA Options: 0x00000001 DSA object GUID: f0605966-1d4f-4fef-8a75-2a24863dbaa9 DSA invocationId: d84e13de-4ed4-45e5-ba94-f04954536c51 ==== INBOUND NEIGHBORS ==== CN=Configuration,DC=xyz,DC=com Default-First-Site-Name\SAMBA via RPC DSA object GUID: 5813325c-fa80-4e0e-b76e-4666f6afe1e2 Last attempt @ Fri May 31 13:17:06 2013 BST was successful 0 consecutive failure(s). Last success @ Fri May 31 13:17:06 2013 BST ==== OUTBOUND NEIGHBORS ==== CN=Configuration,DC=xyz,DC=com Default-First-Site-Name\SAMBA via RPC DSA object GUID: 5813325c-fa80-4e0e-b76e-4666f6afe1e2 Last attempt @ NTTIME(0) was successful 0 consecutive failure(s). Last success @ NTTIME(0) ==== KCC CONNECTION OBJECTS ==== Connection -- Connection name: 32efa02a-2852-45e8-bb49-78f0f3927895 Enabled : TRUE Server DNS name : samba.xyz.com Server DN name : CN=NTDS Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=com TransportType: RPC options: 0x00000001
And check the Active Directory database consistency, etc...
root@samba:~# samba-tool drs kcc Consistency check on samba.xyz.com successful. root@samba2:~# samba-tool drs kcc Consistency check on samba2.xyz.com successful.
samba-tool dbcheck Checking 274 objects Checked 274 objects (0 errors)
Both DC1 and DC2 should give the same number of objects.
sudo apt-get install libpam-smbpass sudo service samba restart
Thanks to Stackoverflow.
Error - protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
You may see this if you try smbclient with the server name instead of an IP address...
smbclient -U username //server1/shared Enter username's password: protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
To fix it, use the IP address instead...
smbclient -U username //127.0.0.1/shared Enter username's password: Domain=[COMPANY] OS=[Unix] Server=[Samba 4.1.3-Ubuntu] smb: \>
SAMBA4 Time Synchronisation
https://wiki.samba.org/index.php/Time_Synchronisation
gvfsd-smb-browse taking 100% CPU in Ubuntu 16.04
sudo chmod 744 /usr/lib/gvfs/gvfsd-smb-browse
Thanks to Its FOSS.
SAMBA4 Administrator 3000000 User Id Ownership In Windows Explorer Files
samba-tool group addmembers 'Users' Administrator
SAMBA4 Group Policy Error
Error
The processing of Group Policy failed. Windows attempted to read the file \\domain.com\sysvol\domain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled.
Check
find /usr/local/samba/ -type d -name 'Policies' /usr/local/samba/var/locks/sysvol/domain.com/Policies/ smbcacls //domain.com/sysvol domain.com -U Administrator@domain.com smbcacls //domain.com/sysvol domain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/gpt.ini -U Administrator@domain.com
Fix
samba-tool ntacl sysvolreset samba-tool ntacl sysvolcheck
Secondary DC
For some reason, the file replication did not work and the Group Policy files and folders were missing on the secondary domain controller.
Copy the Group Policies folder to the secondary domain controller...
rsync -h -a -v /usr/local/samba/var/locks/sysvol/domain.com/ root@192.168.0.209:/usr/local/samba/var/locks/sysvol/domain.com/
Then, run the same 2 commands on the secondary dc to fix that as well...
samba-tool ntacl sysvolreset samba-tool ntacl sysvolcheck
Job, done.
HOWTO: LIST:
net rpc user -U username
All Domain Users
wbinfo -u |sort
All Domain Groups
wbinfo -g |sort
HOWTO: Create A File using smbclient
touch filename.txt smbclient //server/share -U user --directory folder/subfolder -c 'put "filename.txt"'
http://community.wd.com/t5/My-Book-Live/SOLVED-Read-Write-but-Don-t-Delete/td-p/406892
HOWTO: Use Ubuntu Nemo File Manager With Specific User Name
Type the following into the address bar of Nemo...
smb://username@123.456.789.0/sharedfolder/
HOWTO: Installing RSAT on Windows for AD Management
https://wiki.samba.org/index.php/Installing_RSAT_on_Windows_for_AD_Management
INFO: Samba4/videos
https://wiki.samba.org/index.php/Samba4/videos
HOWTO: Hide desktop.ini and $RECYCLE.BIN
nano /etc/samba/smb.conf hide files = /desktop.ini/$RECYCLE.BIN/
HOWTO: Shut Down Or Restart Windows PC
Shut down...
net rpc shutdown -U administrator@mydomain.com -S 10.0.0.10
Restart...
net rpc shutdown -r -U administrator@mydomain.com -S 10.0.0.10
HOWTO: Set Date And Time On A Remote Windows Desktop
Download, compile and install the winexe software...
sudo -i cd wget http://downloads.sourceforge.net/project/winexe/winexe-1.00.tar.gz tar xzvf winexe-1.00.tar.gz cd winexe-1.00/source4/ ./autogen.sh ./configure make basics bin/winexe cp -v ./bin/winexe /usr/local/bin/
Test...
winexe -V
Thanks - http://www.aldeid.com/wiki/Winexe
Then, use it to run a Windows command prompt on a remote desktop... (type exit to quit)
winexe --user Administrator%Password --runas Administrator%Password //192.168.0.67 "cmd.exe"
Or, use it to set the date and time on a remote Windows desktop... (note the extra double \\ to escape)
winexe --user Administrator%Password --runas Administrator%Password //192.168.0.67 "net time \\\\192.168.0.1 /set /yes"
HOWTO: Troubleshooting Samba
http://www.softpanorama.org/Net/Application_layer/Samba/troubleshooting_samba_problems.shtml
https://www.samba.org/samba/docs/using_samba/ch12.html
Usage: testparm /path/to/configfile machinename ipaddress
testparm /etc/samba/smb.conf dt01 192.168.0.101 Load smb config files from /etc/samba/smb.conf Processing section "[homes]" Processing section "[shared]" Loaded services file OK. Server role: ROLE_STANDALONE Allow connection from dt01 (192.168.0.101) to homes Allow connection from dt01 (192.168.0.101) to shared
HOWTO: Find SMB Hosts On A Network
findsmb
http://docs.fedoraproject.org/en-US/Fedora/13/html/Deployment_Guide/s1-samba-programs.html
Discover what hosts have NMB port 139 open...
nmblookup -d2 '*'
Or...
nmap -p 139 -sT 192.168.0.*
Scan a host to find its NETBIOS hostname...
nmblookup -A 192.168.0.201
List a host shares...
smbclient -L \\COMPUTERNAME (just pressing Enter might work here)
Or...
smbclient -L \\COMPUTERNAME -Uusername
Or...
smbclient -L \\COMPUTERNAME -Uusername -I ip-address
Or...
smbtree -b -N
Find Master Browser
nmblookup -M -- -
Check NetBIOS Names IP Addresses
smbtree
WORKGROUPNAME \\DT06 \\DT05 \\DT04 \\DT03 \\DT01 \\SERVER1 server1 server (Samba, Ubuntu) \\SERVER1\shared Shared file space \\SERVER1\IPC$ IPC Service (server1 server (Samba, Ubuntu))
nmblookup -U WORKGROUPNAME -R 'DT01' 192.168.0.101 DT01<00>
SAMBA4 - A Little Light Reading
https://www.tecmint.com/manage-samba4-active-directory-linux-command-line/
http://www.techradar.com/news/networking/samba-4-share-filesystems-between-linux-and-windows-1154705
http://petestechblog.com/archives/tag/windows-7
http://www.chriscowley.me.uk/blog/2013/12/16/integrating-rhel-with-active-directory/
http://www.okiprintingsolutions.com/support/printer/troubleshooting/detail.aspx?id=tcm:138-124905-16
http://www.okiprintingsolutions.com/support/printer/troubleshooting/detail.aspx?id=tcm:138-108998
SAMBA4
https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Gentoo
eselect python set python2.7 python-updater emerge --unmerge --ask app-crypt/mit-krb5 emerge --ask --quiet app-crypt/heimdal revdep-rebuild -- -ask echo "net-dns/bind berkdb dlz gssapi" >>/etc/portage/package.use echo "net-dns/bind-tools gssapi" >>/etc/portage/package.use emerge --ask --quiet net-dns/bind net-dns/bind-tools nano /etc/portage/package.keywords # required by samba4 sys-libs/tevent ~amd64 sys-libs/tdb ~amd64 sys-libs/ldb ~amd64 sys-libs/talloc ~amd64 nano /etc/portage/package.use sys-libs/tdb python sys-libs/talloc python emerge --ask --quiet sys-libs/talloc sys-libs/tdb sys-libs/tevent sys-libs/ldb emerge --ask --quiet net-libs/gnutls sys-apps/acl dev-libs/cyrus-sasl dev-python/subunit dev-python/dnspython net-dns/libidn nano /etc/fstab /dev/md4 /home ext4 user_xattr,acl,barrier=1,noatime 1 1 cd /usr/src/linux make menuconfig make && make modules_install cp -av arch/x86/boot/bzImage /boot/kernel-3.3.8-gentoo cp -av System.map /boot/System.map-3.3.8-gentoo cp -av .config /boot/config-3.3.8-gentoo reboot mkdir /root/misc/ cd /root/misc/ touch test.txt setfattr -n user.test -v test test.txt setfattr -n security.test -v test2 test.txt getfattr -d test.txt getfattr -n security.test -d test.txt touch test3.txt setfacl -m g:adm:rwx test3.txt getfacl test3.txt eselect python set python2.7 mkdir /usr/src/samba4 cd /usr/src/samba4 git clone git://git.samba.org/samba.git samba-master cd samba-master ./configure --enable-debug --enable-selftest make Waf: Leaving directory `/usr/src/samba4/samba-master/bin' 'build' finished successfully (11m54.988s) make install Waf: Leaving directory `/usr/src/samba4/samba-master/bin' 'install' finished successfully (3m15.214s) samba.EXAMPLE.com ~ $ samba-tool domain provision Realm [EXAMPLE.COM]: Domain [EXAMPLE]: Server Role (dc, member, standalone) [dc]: DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: DNS forwarder IP address (write 'none' to disable forwarding) [192.168.0.1]: Administrator password: Retype password: Looking up IPv4 addresses More than one IPv4 address found. Using 172.16.215.1 Looking up IPv6 addresses No IPv6 address will be assigned Setting up share.ldb Setting up secrets.ldb Setting up the registry Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema Adding DomainDN: DC=EXAMPLE,DC=com Adding configuration container Setting up sam.ldb schema Setting up sam.ldb configuration data Setting up display specifiers Modifying display specifiers Adding users container Modifying users container Adding computers container Modifying computers container Setting up sam.ldb data Setting up well known security principals Setting up sam.ldb users and groups Setting up self join Adding DNS accounts Creating CN=MicrosoftDNS,CN=System,DC=EXAMPLE,DC=com Creating DomainDnsZones and ForestDnsZones partitions Populating DomainDnsZones and ForestDnsZones partitions Setting up sam.ldb rootDSE marking as synchronized Fixing provision GUIDs A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf Once the above files are installed, your Samba4 server will be ready to use Server Role: active directory domain controller Hostname: samba NetBIOS Domain: EXAMPLE DNS Domain: EXAMPLE.com DOMAIN SID: S-1-5-21-1142887457-1374467446-1811036830 cp /usr/local/samba/private/krb5.conf /etc/ cat /etc/resolv.conf domain example.com nameserver 192.168.0.208 cat /usr/local/samba/etc/smb.conf # Global parameters [global] workgroup = EXAMPLE realm = EXAMPLE.COM netbios name = SAMBA server role = active directory domain controller dns forwarder = 192.168.0.1 [netlogon] path = /usr/local/samba/var/locks/sysvol/example.com/scripts read only = No [sysvol] path = /usr/local/samba/var/locks/sysvol read only = No samba -i -M single
(separate terminal) $ smbclient --version Version 4.1.0pre1-GIT-8aae8b5 $ smbclient -L localhost -U% Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-8aae8b5] Sharename Type Comment --------- ---- ------- netlogon Disk sysvol Disk IPC$ IPC IPC Service (Samba 4.1.0pre1-GIT-8aae8b5) Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-8aae8b5]
smbclient //localhost/netlogon -UAdministrator%'passW0rd' -c 'ls'
host -t SRV _ldap._tcp.example.com. _ldap._tcp.example.com has SRV record 0 100 389 samba.example.com. host -t SRV _kerberos._udp.example.com. _kerberos._udp.example.com has SRV record 0 100 88 samba.example.com. kinit Administrator@EXAMPLE.COM Administrator@EXAMPLE.COM's Password: klist Credentials cache: FILE:/tmp/krb5cc_0 Principal: Administrator@EXAMPLE.COM Issued Expires Principal Apr 10 15:52:04 2013 Apr 11 01:52:04 2013 krbtgt/EXAMPLE.COM@EXAMPLE.COM -= DNS ISSUES / PROBLEMS / HOW TO EDIT SAMBA4_INTERNAL A RECORDS =- host -t A samba.example.com samba.example.com has address 172.16.215.1 samba.example.com has address 172.16.224.1 samba.example.com has address 192.168.0.208 samba-tool dns zonelist 192.168.0.208 samba-tool dns delete samba example.com @ A 172.16.215.1 samba-tool dns delete samba example.com samba.example.com A 172.16.215.1 samba-tool dns delete samba example.com @ A 172.16.224.1 samba-tool dns delete samba example.com samba.example.com A 172.16.224.1
Testing From Windows
ipconfig /release ipconfig /renew ipconfig /all net view /domain:$DOMAIN net view \\$ADHOST nbtstat -A $ADHOST_IP4
0. http://en.gentoo-wiki.com/wiki/Samba4_as_Active_Directory_Server
1. http://wiki.samba.org/index.php/Samba4
2. http://wiki.samba.org/index.php/Samba_4/OS_Requirements
3. http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
4. http://wiki.samba.org/index.php/Configuring_a_windows_client_for_AD
5. http://wiki.samba.org/index.php/Samba_AD_management_from_windows
6. http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
7. http://wiki.samba.org/index.php/Backup_and_Recovery
SAMBA4 HOWTO: samba-tool
https://www.samba.org/samba/docs/current/man-html/samba-tool.8.html
SAMBA4 HOWTO: Ports Used
https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
SAMBA4 HOWTO: Add Another DC In Ubuntu 18.04
...
SAMBA4 HOWTO: Time Synchronisation
https://wiki.samba.org/index.php/Time_Synchronisation
SAMBA4 HOWTO: SysVol Replication
https://www.tecmint.com/samba4-ad-dc-sysvol-replication/
SAMBA4 HOWTO: Add File Server As A Domain Member
http://linuxtot.com/add-a-simple-samba-file-server-as-a-domain-member/
Testing
testparm -s smbstatus smbclient -L \\127.0.0.1 (just press enter when asked for password) net ads info wbinfo -u wbinfo -g getent passwd smbclient -U Administrator //127.0.0.1/shared
valid users = "@DOMAIN\Domain Users"
SAMBA4 HOWTO: Stop Samba Daemons
Gentoo
sudo -i start-stop-daemon --stop --pidfile /usr/local/samba/var/run/samba.pid
Ubuntu
sudo start-stop-daemon --stop --pidfile /usr/local/samba/var/run/samba.pid
SAMBA4 HOWTO: Add PATH To LOGIN For GIT Binaries
sudo -i echo "export PATH=$PATH:/usr/local/samba/bin:/usr/local/samba/sbin" >>~/.bashrc source ~/.bash_profile which samba-tool
SAMBA4 HOWTO: Check Everything
Version
samba --version
Configuration
testparm -s cat /etc/hosts cat /etc/resolv.conf
Start
samba tail /usr/local/samba/var/log.smbd tail /usr/local/samba/var/log.samba pidof samba
Authenticate
kinit Administrator klist
Status
smbstatus
DNS
/usr/bin/nslookup dc.domain.com dc.domain.com /usr/bin/host -t SRV _ldap._tcp.domain.com. samba-tool dns query dc domain.com @ ALL -U Administrator /usr/bin/dig /usr/bin/nslookup dc
Database
samba-tool dbcheck
Consistency
samba-tool drs kcc
Role
samba-tool fsmo show
Shares
smbclient -L localhost -U%
Netlogon
smbclient //localhost/netlogon -U username
Replication
samba-tool drs showrepl netstat -ntp |grep 'samba'
Sysvol
samba-tool ntacl sysvolreset samba-tool ntacl sysvolcheck find /usr/local/samba/ -type d -name 'Policies' smbcacls //domain.com/sysvol domain.com -U Administrator@domain.com smbcacls //domain.com/sysvol domain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/gpt.ini -U Administrator@domain.com
SAMBA4 HOWTO: Check Database And User Passwords In DC Replication
On PDC (Primary Domain Controller) DC #1...
samba-tool dbcheck samba-tool ntacl sysvolcheck samba-tool drs showrepl smbclient //localhost/netlogon -U username
On SDC (Secondary Domain Controller) DC #2...
samba-tool dbcheck samba-tool ntacl sysvolcheck samba-tool drs showrepl smbclient //localhost/netlogon -U username
SAMBA4 HOWTO: Move DC1 To A Virtual Computer
- check daily backup files on physical dc1
- make note of physical dc1 mac and ip address
- copy daily backup files from physical dc1 to virtual dc1
- restore daily backup files on virtual dc1 - https://wiki.samba.org/index.php/Backup_and_Recovery#Restore
- rsync sysvol from physical dc1 to virtual dc1, reset and check
- rsync sysvol from physical dc1 to virtual dc2, reset and check
- shut down ALL other windows servers and pcs
- shut down virtual dc2
- shut down physical dc1
- take out power and network cables from physical dc1
- shut down virtual dc1
- change mac address and ip address on virtual dc1 to match physical dc1
- start virtual dc1
- check mac and ip address, route, ping, etc.
- follow "check everything" on wiki - http://wiki.indie-it.com/wiki/Samba#SAMBA4_HOWTO:_Check_Everything
- say 3 hail mary's, do a rain dance and pray to your deity :)
- check a domain login with a windows pc
- start up a second pc
- start up the servers
- start up the rest :)
- backup virtual dc1... and breath a sigh of relief
SAMBA4 HOWTO: Move DC1 To Another Computer (OLD NOTES)
- Start up virtual DC1 with no Samba installed.
- Install exactly the same Samba version on virtual DC1, but do not start yet.
- Shut down real DC2.
- Backup real DC1 using Samba script.
- Shut down real DC1.
- Restore from real DC1 to virtual DC1 using Samba script.
- Basic DNS, LDAP and Kerberos checks.
- Start virtual DC1 Samba and test Windows logon and log files for errors.
- Start real DC2.
- Check replication.
SAMBA4 HOWTO: Windows Roaming Profiles
https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
http://www.golinuxhub.com/2012/08/create-roaming-profiles-in-samba4.html
SAMBA4 HOWTO: Add New User, Specific Group, Non Expiring Password
samba-tool user create newuser P4ssw0rD --given-name=New --surname=User samba-tool user setpassword newuser --newpassword=P4ssw0rD samba-tool user setexpiry newuser --noexpiry samba-tool group addmembers 'Users' newuser samba-tool group addmembers 'Print Operators' newuser samba-tool group listmembers 'Users' |sort samba-tool group listmembers 'Domain Users' |sort
http://www.samba.org/samba/docs/man/manpages/samba-tool.8.html
https://wiki.samba.org/index.php/Samba-tool-external
SAMBA4 HOWTO: Map Samba4 Users To Their UNIX UID
sudo cp -av /var/lib/samba/private/idmap.ldb /root/ sudo aptitude install -y ldb-tools sudo id plittlefield sudo wbinfo --name-to-sid plittlefield sudo wbinfo --sid-to-uid S-1-5-21-3341700322-3244603124-2130708482-1109 sudo ldbedit -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-3341700322-3244603124-2130708482-1109 wbinfo --sid-to-uid S-1-5-21-3341700322-3244603124-2130708482-1109 1000
Thanks - http://www.blackhole-networks.com/Cheatsheets/Samba4Map/
SAMBA4 HOWTO: List All AD Groups
samba-tool group list |sort
SAMBA4 HOWTO: Add AD Group
samba-tool group add GroupName
SAMBA4 HOWTO: List AD Group Members
samba-tool group listmembers 'Administrators'
SAMBA4 HOWTO: Add AD Group Members
samba-tool group addmembers 'Administrators' username1 samba-tool group addmembers 'Administrators' username2,username3,username4
SAMBA4 HOWTO: Remove AD Group Members
samba-tool group removemembers 'Administrators' username
SAMBA4 HOWTO: Force DC Replication
samba-tool drs replicate dc2.domain.com dc1.domain.com CN=Configuration,DC=domain,DC=com -U Administrator
SAMBA4 HOWTO: Check DC LDAP Replication
Compare the entire directory on Domain Controller DC1 and DC2...
samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
Compare single AD partitions on Domain Controller DC1 and DC2...
samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator configuration samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator schema samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest
Thanks - https://wiki.samba.org/index.php/Samba-tool_ldapcmp
SAMBA4 HOWTO: Rsync based SysVol Replication
Set up rsync on DC1...
sudo apt-get install rsync sudo nano /etc/rsyncd.conf [SysVol] path = /var/lib/samba/sysvol/ comment = Samba Sysvol Share uid = root gid = root read only = yes auth users = sysvol-replication secrets file = /etc/rsyncd.secret sudo systemctl restart rsync
Install Rsync on DC2...
sudo apt-get install rsync
Test Rsync connection on DC2...
rsync dc1::
Run command in TEST mode, to PULL files from DC1...
sudo rsync -XAavz --delete-after --log-file=/var/log/rsync.log --password-file=/etc/rsync-sysvol.secret rsync://sysvol-replication@dc1/SysVol/ /var/lib/samba/sysvol/
Then add to crontab every 5 minutes...
sudo crontab -e */5 * * * * rsync -XAavz --delete-after --log-file=/var/log/rsync.log --password-file=/etc/rsync-sysvol.secret rsync://sysvol-replication@dc1/SysVol/ /var/lib/samba/sysvol/
Full script on DC2...
#!/bin/bash echo -n "Starting SysVol Rsync... " && /usr/bin/rsync -XAavz --delete-after --password-file=/etc/samba/rsync-sysvol.secret rsync://sysvol-replication@dc1/SysVol/ /var/lib/samba/sysvol/ && sleep 5s && /usr/bin/samba-tool ntacl sysvolreset && sleep 5s && /usr/bin/samba-tool ntacl sysvolcheck && echo "done!"
SAMBA4 HOWTO: Check AD Schema Version
ldbsearch -H /var/lib/samba/private/sam.ldb -b 'cn=Schema,cn=Configuration,dc=example,dc=com' -s base objectVersion
https://wiki.samba.org/index.php/AD_Schema_Version_Support
SAMBA4 HOWTO: Transferring and Seizing FSMO Roles
https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles
Log in to the DC you want to become the new Primary DC.
samba-tool fsmo transfer --role=all --username=Administrator
HOWTO: FIX ERROR: Failed FSMO transfer: NT_STATUS_IO_TIMEOUT
Make sure you are using Python 2.7
python --version
Edit the Samba fsmo Python Library and add an extra line...
sudo nano /usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py
import samba import samba.getopt as options import ldb import samba.drs_utils from ldb import LdbError
Now, run your transfer command again, and it will work :-)
sudo samba-tool fsmo transfer --role=all --username=Administrator
Thanks - http://samba.2283325.n4.nabble.com/samba-4-7-0-AD-DC-FSMO-roles-transfer-error-td4725099.html
HOWTO: FIX ERROR: uncaught exception - 'module' object has no attribute 'drs_utils'
Same fix as above.
SAMBA4 HOWTO: Show Domain Function Level
samba-tool domain level show
SAMBA4 HOWTO: Raising the Domain Function Levels
To raise the level of the AD Schema...
samba-tool domain level raise --domain-level=2008_R2 --forest-level=2008_R2
https://wiki.samba.org/index.php/Raising_the_Functional_Levels
SAMBA4 HOWTO: Export LDAP Database
ldbsearch -H "/usr/local/samba/private/sam.ldb.d/DC=DOMAIN,DC=COM.ldb" >/path/to/ldbsearch_export.txt
SAMBA4 HOWTO: Rename COMPUTER
Search for the name in LDAP ...
ldbsearch -H ldap://DC1 -UAdministrator 'CN=OLDNAME'
If most of the name and attributes are correct in AD but just the CN and NAME are wrong in LDAP, then use this command ...
ldbrename -H ldap://DC1 -UAdministrator 'CN=OLDNAME,OU=Warehouse,OU=Computers,DC=domain,DC=com' 'CN=NEWNAME,OU=Warehouse,OU=Computers,DC=domain,DC=com'
If none of the name and attributes are correct and you want to rename it on the COMPUTER and AD at the same time, then use this command ...
net dom renamecomputer -S OLDNAME -U OLDNAME\\administrator%secret newname=NEWNAME account=DOMAIN\\administrator password=topsecret reboot
SAMBA4 HOWTO: Samba Tool Documentation
https://www.samba.org/samba/docs/man/manpages/samba-tool.8.html
SAMBA4 HOWTO: DNS Administration
https://wiki.samba.org/index.php/DNS_Administration
https://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/
SAMBA4 HOWTO: Query Server Information
samba-tool dns serverinfo server
SAMBA4 HOWTO: Query Root Hints Information
samba-tool dns roothints server
SAMBA4 HOWTO: List Zones
samba-tool dns zonelist server
SAMBA4 HOWTO: Query / Show All Entries In DNS
samba-tool dns query server domain.com @ ALL
SAMBA4 HOWTO: Edit Entries In DNS
A Record
samba-tool dns update server domain.com www A 123.456.789.0 123.456.789.1
SAMBA4 HOWTO: Reverse DNS
For a /24 reverse zone...
samba-tool dns add dc domain.com dt01 A 192.168.0.101 samba-tool dns zonecreate dc 0.168.192.in-addr.arpa samba-tool dns zonelist dc samba-tool dns add dc 0.168.192.in-addr.arpa 101 PTR dt01.domain.com samba-tool dns query dc domain.com @ ALL -U samba-tool dns query dc 0.168.192.in-addr.arpa @ ALL host dt01 host 192.168.0.101 nslookup dt01 nslookup 192.168.0.101 ping dt01
https://wiki.samba.org/index.php/DNS_Administration#To_create_a_.2F24_reverse_zone
For a /16 reverse zone...
samba-tool dns add dc domain.com dt01 A 130.130.0.101 samba-tool dns zonecreate dc 130.130.in-addr.arpa samba-tool dns zonelist dc samba-tool dns add dc 130.130.in-addr.arpa 101.0 PTR dt01.domain.com samba-tool dns query dc domain.com @ ALL -U samba-tool dns query dc 0.168.192.in-addr.arpa 0 ALL
Note the use of 0 in the above command so that you can see the children records :-)
https://wiki.samba.org/index.php/DNS_Administration#To_create_a_.2F16_reverse_zone
SAMBA4 HOWTO: /etc/resolv.conf
When you have a Primary and Backup DC and DNS you can have these extra settings in the Linux /etc/resolv.conf
to help things...
search domain.com nameserver 130.130.0.218 nameserver 130.130.0.219 options timeout:2 options attempts:3 options rotate
SAMBA4 HOWTO: Change Normal User Password
samba-tool user setpassword JoeBloggs --newpassword=MyNewPassword -U Administrator
SAMBA4 HOWTO: Change Administrator Password
kpasswd
and
samba-tool user setpassword Administrator New Password: Enter it again: Password changed.
http://www.golinuxhub.com/2013/03/changing-password-of-administrator-in.html
SAMBA4 HOWTO: Check NTLM Authentication
ntlm_auth --username=username --domain=MYDOMAIN
SAMBA4 HOWTO: Check ADS Information
net ads info
SAMBA4 HOWTO: FIX: NT_STATUS_OBJECT_NAME_NOT_FOUND
Problem...
sudo smbclient -L localhost -U% session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
Fix...
sudo apt-get install winbind sudo reboot
SAMBA4 HOWTO: Windows 10
Thanks - https://support.microsoft.com/en-us/kb/2696547
Problems Administering - Backup Key
Upgrade to Samba 4.3.
The problem is related to a buggy and/or incomplete implementation of the "Backup Key" sub-protocol that older Samba versions have. You'll probably notice that Credential Manager was also unusable for the same reason.
Alternatively, use an older OS to manage the directory – e.g. Server 2003 can create user accounts without any problems, since it doesn't use the "Backup Key" protocol for anything yet. (I am not sure about Server 2008.)
Unfortunately, 4.3 is not yet packaged for Ubuntu – still pending in Debian's "unstable" too – however, it's actually easy to build Samba from source code.
As for the [Users] block, it simply defines a shared folder.
In smb.conf, every section except [global] corresponds to a share definition – "netlogon" and "sysvol" are special AD shares, and "Users" is probably a custom one.
Upgrade from 14.04 LTS to 16.04 LTS...
sudo do-release-upgrade
Then, follow this...
https://lists.samba.org/archive/samba/2016-April/199416.html
SAMBA4 TO DO
- Updating From GIT
Shut down Samba on both DC1 and DC2.
git pull
...but may have to do:-
git clean -x -f -d
Make and Install as above.
Start Samba on both DC1 and DC2.
Ubuntu Startup Script
https://wiki.samba.org/index.php/Samba4/InitScript
Secondary AD DC
samba-tool rds showrepl
1. On the server you have already installed what you want to match:-
$ cd /usr/src/samba4/samba-master $ git log -1
This will show you have HASH revision number.
2. On the server you want to install the same:-
$ mkdir /usr/src/samba4 $ cd /usr/src/samba4/ $ git clone git://git.samba.org/samba.git samba-master $ cd samba-master/ $ git checkout 8aae8b5bad167ac732b7f8949dfb40aebb2f26a9 $ git reset --hard
Proceed as above for installing the software.
https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
List Domain Users
samba-tool user list |sort
Active Directory Windows Tool
dsa.msc
DNS Editing
Adding an A record...
samba-tool dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
Example...
samba-tool dns add samba example.com www A 123.456.789.0 Record added successfully
Testing...
nslookup www.example.com samba Server: samba Address: 192.168.0.208#53 Name: www.example.com Address: 123.456.789.0
Slow Logons
Fixed by deleting multiple incorrect IP addresses for Samba4 server.
Add New Users in Linux command-line
samba-tool user add jbloggs joe
Non Complex Passwords
samba-tool domain passwordsettings set --complexity=off Password complexity deactivated! All changes applied successfully! samba-tool domain passwordsettings set --min-pwd-length=3 Minimum password length changed! All changes applied successfully!
Backup and Restore
https://wiki.samba.org/index.php/Backup_and_Recovery
Gentoo Samba4 Startup Script
#!/sbin/runscript # Copyright 1999-2011 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/samba4.initd,v 1.3 2011/09/14 22:52:33 polynomial-c Exp $ extra_started_commands="reload" description="The samba daemon init script" description_reload="Reloads the samba daemon" depend() { need net } start() { ebegin "Starting samba" start-stop-daemon --start --exec samba eend $? } stop() { ebegin "Stopping samba" start-stop-daemon --stop --pidfile /usr/local/samba/var/run/samba.pid eend $? } reload() { ebegin "Reloading samba" killall -HUP samba eend $? }
HOWTO: Restrict File Sharing To Particular Users or Network Addresses
http://www.cyberciti.biz/faq/samba-user-network-file-sharing-restictions/
Shut Down A Windows PC Remotely
net rpc SHUTDOWN -C "Test of remote shutdown with Samba" -f -I "192.168.0.61" -W DOMAIN -U username%password Shutdown of remote machine succeeded
Windows PC cannot access Samba Share. This is from Samba log file (/var/log/samba/log.mypc)...
[2012/06/08 12:03:21, 0] lib/util_sock.c:read_data(534) read_data: read failure for 4 bytes to client 192.168.0.55. Error = Connection reset by peer
Fix #1:
Control Panel > System and Security > Administrative Tools > Local Security Policy Local Policies > Security Options > Network Security LAN Manager Authentication Level > Send LM & NTML Responses Uncheck Require 128-bit Encryption on Clients Uncheck Require 128-bit Encryption on Servers Save and Reboot
Fix #2:
Control Panel > Credentials Manager > Browse to Samba Server and check or delete stored usernames and passwords Save and Reboot
Adding And Testing Users
Adding...
smbpasswd -a testuser
or...
pdbedit -a -u testuser
Testing...
grep 'testuser' /etc/passwd testuser:*:1001:1001::0:0:Test User:/home/testuser:/usr/sbin/nologin
pdbedit -u testuser testuser:1001:Test User
pdbedit -v -u testuser
Add Roaming Profile Machine Trust Account
useradd -c "Company 003 Machine Account" -d /dev/null -g machines -s /bin/false company-003$ smbpasswd -a -n -m company-003
You should have entries like the following:
/etc/passwd: company-010$:x:1016:101:Company-010 Machine Account:/dev/null:/bin/false /etc/shadow: company-003$:!:15393:0:99999:7::: /var/lib/samba/private/smbpasswd: company-003$:1035:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:2D6AF5372CEEE519054B3EAA0FC1B9D6:[W ]:LCT-4F4664C3:
server.domain.co.uk ~ $ smbclient -U username //server.domain.co.uk/sharename Password: Domain=[DOAMIN] OS=[Unix] Server=[Samba 3.0.28] smb: \> ls smb: \> quit
Tweaks For Network Browsing
smb port = 139 local master = yes domain master = yes preferred master = yes os level = 35 interfaces = 192.168.0.0/24 127.0.0.1 bind interfaces only = yes
Windows 7: Domain Log On
There are currently two registry settings required to be added on the Windows 7 client prior to joining a Samba Domain. These are:
HKLM\System\CCS\Services\LanmanWorkstation\Parameters DWORD DomainCompatibilityMode = 1 DWORD DNSNameResolutionRequired = 0
Do not edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values.
If you have changed the NETLOGON Parameters, make sure and turn them back to '1' as shown below:
HKLM\System\CCS\Services\Netlogon\Parameters DWORD RequireSignOrSeal = 1 DWORD RequireStrongKey = 1
Primary Domain Controller
http://en.gentoo-wiki.com/wiki/Samba/Primary_Domain_Controller