Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-adv-samba rpm

gzartman
« on: October 12, 2008, 12:09:07 AM »
UPDATE: Wiki Article Of This Topic Created Here: http://wiki.contribs.org/Advanced_Samba


I've created an rpm, and updates to existing SME core rpms, to extend SME Server's Samba functionality.  This effort is tracked in the SME bug tracker under the following two bug reports:

http://bugs.contribs.org/show_bug.cgi?id=4172
http://bugs.contribs.org/show_bug.cgi?id=4196

In a nutshell, these packages allow SME to function in a variety of server modes.  Currently supported by these packages are the server modes:  Workgroup server, Primary Domain Controller, and Domain Member.  Preliminary support is available for Backup Domain Controller, Active Directory Domain Controller, and Active Directory Member.

Of specific interest is the server mode Domain Member (new to SME).  SME as a Domain Member allows SME to offer ibays as shares in a Windows Domain while relying on another SME box configured as a PDC or a Windows box configured as a PDC for authentication.  In other words, there is no need to set up user accounts on the SME box configured as a Domain Member to access shares on this box.

Current versions of the smeserver-adv-samba package can be found on the mirrors in the contribs dir:  http://distro.ibiblio.org/pub/linux/distributions/smeserver/releases/7/smecontribs/i386/RPMS/
(Please note that you must install version 0.1.0-2 or greater for this package to function properly).

smeserver-adv-samba-0.1.0-2 and greater relies on changes to several core SME packages.  I have provided these changes as patches in the bug tracker:  http://bugs.contribs.org/show_bug.cgi?id=4172.  I am working with the devteam to get these changes pushed to the core packages.  In the interim, I have rolled a forked version of the necessary SME packages and uploaded them to my contribs space here:  http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/gzartman/Contribs/7/Samba/

Prior to installing smeserver-adv-samba, you will need to install my forked core packages.  I will continue to patch the core packages as needed to support smeserver-adv-samba until the patches make it into the core distribution (which I feel they ultimately will).

NOTE:  These packages do not change any current SME functionality.  SME will continue to function as it always has; however, additional Samba function is provided via command line options.

Procedure:

1. Download my forked SME core packages located in my contribs dir, http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/gzartman/Contribs/7/Samba/, to your system.

2. Install the core forked packages using the command:  yum localinstall *.rpm.

3. Download smeserver-adv-samba-0.1.0-2 or greater from the mirrors to your local system:  http://distro.ibiblio.org/pub/linux/distributions/smeserver/releases/7/smecontribs/i386/RPMS/

4. Install smeserver-adv-samba:  yum localinstall smeserver-adv-samba*

5. Issue the events:  signal-event post-upgrade followed by signal-event reboot.

To configure SME as a Domain Member:

1. SSH into your SME box.

2. At the bash prompt:  config setprop smb Workgroup your_domain_name

3. At the bash prompt:  config setprop smb ServerName machine_name_for_domain_member_box

4. At the bash prompt:  config setprop smb ServerRole DM

5. At the bash prompt:  config setprop smb WINSServer ip_address_of_domain_PDC

6. Verify settings.  At bash prompt:  config show smb:

[root@testbed2 ~]# config show smb
smb=service
    DeadTime=10080
    DomainMaster=no
    KeepVersions=disabled
    OpLocks=enabled
    OsLevel=35
    RecycleBin=disabled
    RoamingProfiles=no
    ServerName=testbed2
    ServerRole=DM
    ShadowCount=10
    ShadowDir=/home/e-smith/files/.shadow
    UnixCharSet=UTF8
    UseClientDriver=yes
    WINSServer=90.0.0.20
    Workgroup=lei-salem
    status=enabled

7. At bash prompt:  signal-event workgroup-update

8. Join the domain.  At the bash prompt:  net rpc join -U admin%pdc_admin_password

[root@testbed2 ~]# net rpc join -U admin%pdc_admin_password
Joined domain LEI-SALEM.
[root@testbed2 ~]#

Note: You will need the admin password from your PDC to complete this step.

9.  At the bash prompt:  signal-event workgroup-update.

The shares on your Domain Member box will now be accessible by authenticated domain members clients/users.

In time, I will work to provide full support for the Backup Domain Controller, Active Directory Domain Controller, and Active Directory Member Server Roles.

Thank you.

Greg J. Zartman





« Last Edit: October 14, 2008, 09:47:07 PM by gzartman »
----
Greg J. Zartman
LEI Engineering & Surveying

SME user and community member since 2000.

Stefano
« Reply #1 on: October 12, 2008, 12:17:33 AM »
definitely.. STANDING OVATION :-)

very, very interesting contrib, I'll test asap

thank you

Ciao
Stefano

cactus
« Reply #2 on: October 12, 2008, 10:01:23 AM »
Greg, very nice work! Two suggestions: perhaps you can change the urls in your posts to use mirror.contribs.org instead of only pointing to ibiblio and perhaps you could add this howto to the wiki.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

gzartman
« Reply #3 on: October 12, 2008, 10:40:17 AM »
Greg, very nice work! Two suggestions: perhaps you can change the urls in your posts to use mirror.contribs.org instead of only pointing to ibiblio and perhaps you could add this howto to the wiki.

Many thanks.

I had initially hoped to document my work in the wiki, but I don't have access to it.  I've requested access.  Once I have it, I'll put together a proper howto/doco with more details, instruction, troubleshooting, etc.

Greg

brianr
« Reply #4 on: October 12, 2008, 11:42:03 AM »
Greg

I have tried this this morning on my in-house system, and am not getting a successful connection. There does not seem to be a contribs category for the contrib in the bugzilla yet; how do you want me to report the problems?
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

gzartman
« Reply #5 on: October 12, 2008, 08:12:33 PM »
Brian,

There is a bug report over in the tracker:
http://bugs.contribs.org/show_bug.cgi?id=4196

However, tell me a little about what you've done.

1. Did you successfully install my forked e-smith-samba, e-smith-base, etc. packages along with smeserver-adv-samba?

2. At the bash shell.  Issue the command testparm. You should get something like this:

[root@testbed2 ~]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[Primary]"
Processing section "[test]"
Processing section "[test2]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Note that Samba reports the Server role is Domain Member.

3.  Verify that your Domain Member box thinks it is a member of the domain.  At the bash prompt, issue the command "smbclient -L localhost"  You should get something like this:

[root@testbed2 ~]# smbclient -L localhost
Password:
Anonymous login successful
Domain=[LEI-SALEM] OS=[Unix] Server=[Samba 3.0.25b-1.el4_6.4]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (SME Server)
        test2           Disk      testibay2
        test            Disk      test
        Primary         Disk      Primary i-bay
        print$          Disk      Printer drivers
Anonymous login successful
Domain=[LEI-SALEM] OS=[Unix] Server=[Samba 3.0.25b-1.el4_6.4]

        Server               Comment
        ---------            -------
        NAMESERVER           SME Server
        TESTBED2             SME Server

        Workgroup            Master
        ---------            -------
        LEI-SALEM            NAMESERVER

Note that, in my case, the Domain is "LEI-Salem" and the PDC is "nameserver".

4.  Finally, verify that your Domain Member box can pull domain user authentication from your PDC.  On your Domain Member box, issue the command "wbinfo -u"   You should get something like this:

[root@testbed2 ~]# wbinfo -u
LEI-SALEM\admin
LEI-SALEM\miked
LEI-SALEM\gz-salem
LEI-SALEM\brett
LEI-SALEM\jamie
LEI-SALEM\brandir
LEI-SALEM\chrisd
LEI-SALEM\larry
LEI-SALEM\ricky
LEI-SALEM\willk
LEI-SALEM\ryanm
LEI-SALEM\info
LEI-SALEM\gz-hotmail
LEI-SALEM\dallas
LEI-SALEM\greg
LEI-SALEM\jodi
LEI-SALEM\wallyh
LEI-SALEM\lindasueh
LEI-SALEM\pastorhoff
LEI-SALEM\accountant

If you get similar responses to what I have here, then your Domain Member box is part of the domain and pulling authentication information from the PDC.  The only other issue could be permissions of the ibay.  Try setting up a test ibay with the permission "Read Everyone Write Group"

Good luck.

Greg
« Last Edit: October 12, 2008, 08:17:45 PM by gzartman »
----
Greg J. Zartman
LEI Engineering & Surveying

SME user and community member since 2000.
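
The three checks listed in Reply #5 (testparm role, smbclient -L browse list, wbinfo -u user list), as an added shell example that is not part of the original post: it reads captured command output and names the first check that fails. All sample output and the names EXAMPLEDOM, PDC1 and MEMBER1 are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage captured output from the three checks in Reply #5.
# All sample text below is constructed (EXAMPLEDOM, PDC1, MEMBER1 are made up).

SAMPLE_TESTPARM='Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER'

SAMPLE_SMBCLIENT='Anonymous login successful
Domain=[EXAMPLEDOM] OS=[Unix] Server=[Samba 3.0.28-0.el4.9]

        Server               Comment
        ---------            -------
        PDC1                 SME Server
        MEMBER1              SME Server

        Workgroup            Master
        ---------            -------
        EXAMPLEDOM           PDC1'

SAMPLE_WBINFO_OK='EXAMPLEDOM\admin
EXAMPLEDOM\user1'
SAMPLE_WBINFO_FAIL='Error looking up domain users'

# Check 2: role line printed by testparm.
testparm_role() { sed -n 's/^Server role: *//p' | head -n 1; }

# Check 3: domain announced in the "smbclient -L localhost" banner.
smbclient_domain() { sed -n 's/^Domain=\[\([^]]*\)].*/\1/p' | head -n 1; }

# Check 3: master browser listed for workgroup $1 in the browse list.
workgroup_master() {
    awk -v wg="$1" '$1 == "Workgroup" && $2 == "Master" { t = 1; next }
                    t && $1 == wg { print $2; exit }'
}

# Check 4: number of DOMAIN\user lines from "wbinfo -u" for domain $1.
wbinfo_user_count() {
    awk -v d="$1" 'BEGIN { bs = sprintf("%c", 92) }   # 92 = backslash
        { i = index($0, bs) }
        i > 1 && substr($0, 1, i - 1) == d && length($0) > i { n++ }
        END { print n + 0 }'
}

# Print the first check that fails, or a summary when all three pass.
# $1 = testparm text, $2 = smbclient text, $3 = wbinfo text
diagnose() {
    role=$(printf '%s\n' "$1" | testparm_role)
    [ "$role" = "ROLE_DOMAIN_MEMBER" ] || { echo "role:$role"; return 0; }
    dom=$(printf '%s\n' "$2" | smbclient_domain)
    [ -n "$dom" ] || { echo "no-domain"; return 0; }
    master=$(printf '%s\n' "$2" | workgroup_master "$dom")
    [ -n "$master" ] || { echo "no-master:$dom"; return 0; }
    users=$(printf '%s\n' "$3" | wbinfo_user_count "$dom")
    [ "$users" -gt 0 ] || { echo "winbind-no-users:$dom"; return 0; }
    echo "ok:$dom:$master:$users"
}

diagnose "$SAMPLE_TESTPARM" "$SAMPLE_SMBCLIENT" "$SAMPLE_WBINFO_OK"
diagnose "$SAMPLE_TESTPARM" "$SAMPLE_SMBCLIENT" "$SAMPLE_WBINFO_FAIL"
```

The second call reproduces the state reported later in the thread: role and browse list look right, but winbind returns no domain users.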

brianr
« Reply #6 on: October 12, 2008, 09:17:59 PM »
Greg

ok everything goes through except the last step:

login as: root
root@192.168.100.10's password:
Last login: Sun Oct 12 10:32:17 2008 from pc-00123.maharishi.co.uk
[root@mapserver ~]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[Primary]"
Processing section "[company]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        dos charset = 850
        unix charset = UTF8
        display charset = ISO8859-1
        workgroup = BJSYSTEMS
        server string = SME Server
        interfaces = 127.0.0.1, 192.168.100.10/255.255.255.0
        security = DOMAIN
        password server = 192.168.100.2
        passdb backend = smbpasswd:/etc/samba/smbpasswd
        guest account = public
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        check password script = /sbin/e-smith/samba_check_password
        unix password sync = Yes
        log file = /var/log/samba/log.%m
        max log size = 50
        smb ports = 139
        name resolve order = wins lmhosts bcast
        unix extensions = No
        deadtime = 10080
        printcap name = /etc/printcap
        add machine script = /sbin/e-smith/signal-event machine-account-create '%u'
        logon drive = Z:
        os level = 35
        domain master = No
        dns proxy = No
        wins server = 192.168.100.2
        remote announce = 192.168.100.2
        remote browse sync = 192.168.100.2
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = Yes
        winbind enum groups = Yes
        hosts allow = 127.0.0.1, 192.168.100.0/255.255.255.0
        printing = lprng
        print command = /usr/bin/lpr -b -h -r -P%p %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j
        lppause command = lpc hold '%p' %j
        lpresume command = lpc release '%p' %j
        queuepause command = lpc stop '%p'
        queueresume command = lpc start '%p'
        strict locking = No

[homes]
        comment = Home directory
        path = /home/e-smith/files/users/%S/home
        read only = No
        create mask = 0660
        force create mode = 0660
        directory mask = 0770
        force directory mode = 0770
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        use client driver = Yes
        browseable = No

[print$]
        comment = Printer drivers
        path = /home/e-smith/files/samba/printers
        guest ok = Yes

[Primary]
        comment = Primary i-bay
        path = /home/e-smith/files/ibays/Primary
        force group = shared
        read only = No
        create mask = 0640
        inherit permissions = Yes

[company]
        comment = T Drive
        path = /home/e-smith/files/ibays/company/files
        force group = shared
        read only = No
        create mask = 0664
        inherit permissions = Yes
[root@mapserver ~]# smbclient -L localhost
Password:
Anonymous login successful
Domain=[BJSYSTEMS] OS=[Unix] Server=[Samba 3.0.28-0.el4.9]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer drivers
        Primary         Disk      Primary i-bay
        company         Disk      T Drive
        IPC$            IPC       IPC Service (SME Server)
Anonymous login successful
Domain=[BJSYSTEMS] OS=[Unix] Server=[Samba 3.0.28-0.el4.9]

        Server               Comment
        ---------            -------
        BJSSERVER            bjsserver bjsystems server 3.0.28-0.el4.9
        MAPSERVER            SME Server

        Workgroup            Master
        ---------            -------
        BJSYSTEMS            BJSSERVER
[root@mapserver ~]# wbinfo -u
Error looking up domain users
[root@mapserver ~]#

The DC is actually an SMEServer; tomorrow I shall be able to try it on a SBS2003 DC.

When I set it up, I got this at the end:

[root@mapserver ~]# net rpc join -U admin
Connection failed: NT_STATUS_UNSUCCESSFUL
« Last Edit: October 12, 2008, 09:29:13 PM by brianr »

gzartman
« Reply #7 on: October 12, 2008, 11:37:59 PM »
Greg

ok everything goes through except the last step:

[root@mapserver ~]# net rpc join -U admin
Connection failed: NT_STATUS_UNSUCCESSFUL


I just confirmed that there is a problem with my solution given some recent updates to SME 7.3.  Basically, I'm getting the same error you are with all latest updates applied.

I'll work to come up with a solution to the problem. 

Thanks

Greg
« Last Edit: October 13, 2008, 12:12:07 AM by gzartman »

gzartman
« Reply #8 on: October 13, 2008, 12:45:34 AM »
After further investigation, I have found that the problem that Brian is having has nothing to do with the RPMs I've posted, but is a KNOWN bug with the "net" command in the version of Samba we are running in SME 7.3 with updates (looks like SME 7.4 will also suffer from this bug)!  Here is the Samba development mailing list post detailing the problem:

http://lists.samba.org/archive/samba-technical/2008-August/060581.html

There is a workaround.  Replace step 8 above with the following:

8. Join the domain.  At the bash prompt:  net rpc join -U admin%pdc_admin_password

[root@testbed2 ~]# net rpc join -U admin%gregs_pdc_admin_password
Joined domain LEI-SALEM.
[root@testbed2 ~]#

I'll edit the step above, but I just wanted to follow up here.

Please give my procedure another shot and let me know how you fare.

Thanks

Greg
« Last Edit: October 13, 2008, 01:04:09 AM by gzartman »

brianr
« Reply #9 on: October 13, 2008, 08:14:14 AM »
Greg

ok, I now get the

Joined domain BJSYSTEMS

thanks for the fix.

gzartman
« Reply #10 on: October 13, 2008, 08:18:37 AM »
Greg

ok, I now get the

Joined domain BJSYSTEMS

thanks for the fix.

Issue the command wbinfo -u and let me know if you get a listing of your PDC accounts.  The output should report them in a format:  domain_name/user_name.

Greg

brianr
« Reply #11 on: October 13, 2008, 10:00:14 AM »
oh, I still get:

[root@mapserver ~]# wbinfo -u
Error looking up domain users
[root@mapserver ~]#

despite the initial logon working now.  This is now authenticating on a real SBS2003 server, and I can see the "computer" account for the SMEserver having been created in the AD.

what else can I tell you?

Confucius
« Reply #12 on: October 13, 2008, 10:03:57 AM »
Is the Kerberos set forgotten? Can't imagine this working without KRB5.

brianr
« Reply #13 on: October 13, 2008, 10:05:06 AM »
Is the Kerberos set forgotten? Can't imagine this working without KRB5.

I've no idea what you mean by that...

Confucius
« Reply #14 on: October 13, 2008, 10:10:26 AM »
I have been experimenting with this subject as well. Never was able to do this without the use of Kerberos.
Greg knows for sure if he left out this issue on purpose or maybe simply forgot.