Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: gzartman on October 12, 2008, 12:09:07 AM
-
***********************************************************************
**** UPDATE *****
****Wiki Article Of This Topic Created Here: http://wiki.contribs.org/Advanced_Samba *****
***********************************************************************
I've created an rpm, and updates to existing SME core rpms, to extend SME Server's Samba functionality. This effort is tracked in the SME bug tracker under the following two bug reports:
http://bugs.contribs.org/show_bug.cgi?id=4172
http://bugs.contribs.org/show_bug.cgi?id=4196
In a nutshell, these packages allow SME to function in a variety of server modes. Currently supported by these packages are the server modes: Workgroup server, Primary Domain Controller, and Domain Member. Preliminary support is available for Backup Domain Controller, Active Directory Domain Controller, and Active Directory Member.
Of specific interest is the server mode Domain Member (new to SME). SME as a Domain Member allows SME to offer ibays as shares in a Windows Domain while relying on another SME box configured as a PDC or a Windows box configured as a PDC for authentication. In other words, there is no need to setup user accounts on the SME box configured as a Domain Member to access shares on this box.
Current versions of the smeserver-adv-samba package can be found on the mirrors in the contribs dir: http://distro.ibiblio.org/pub/linux/distributions/smeserver/releases/7/smecontribs/i386/RPMS/
(Please note that you must install version 0.1.0-2 or greater for this package to function properly).
smeserver-adv-samba-0.1.0-2 and greater relies on changes to several core SME packages. I have provided these changes as patches in the bug tracker: http://bugs.contribs.org/show_bug.cgi?id=4172. I am working with the devteam to get these changes pushed to the core packages. In the interim, I have rolled a forked version of the necessary SME packages and uploaded them to my contribs space here: http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/gzartman/Contribs/7/Samba/
Prior to installing smeserver-adv-samba, you will need to install my forked core packages. I will continue to patch the core packages as needed to support smeserver-adv-samba until the patches make it into the core distribution (which I feel they ultimately will).
NOTE: These packages do not change any current SME functionality. SME will continue to function as it always has; however, additional Samba functionality is provided via command line options.
Procedure:
1. Download my forked SME core packages located in my contribs dir, http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/gzartman/Contribs/7/Samba/, to your system.
2. Install the core forked packages using the command: yum localinstall *.rpm.
3. Download smeserver-adv-samba-0.1.0-2 or greater from the mirrors to your local system: http://distro.ibiblio.org/pub/linux/distributions/smeserver/releases/7/smecontribs/i386/RPMS/
4. Install smeserver-adv-samba: yum localinstall smeserver-adv-samba*
5. Issue the events: signal-event post-upgrade followed by signal-event reboot.
To configure SME as a Domain Member:
1. SSH into your SME box.
2. At the bash prompt: config setprop smb Workgroup your_domain_name
3. At the bash prompt: config setprop smb ServerName machine_name_for_domain_member_box
4. At the bash prompt: config setprop smb ServerRole DM
5. At the bash prompt: config setprop smb WINSServer ip_address_of_domain_PDC
6. Verify settings. At bash prompt: config show smb:
[root@testbed2 ~]# config show smb
smb=service
DeadTime=10080
DomainMaster=no
KeepVersions=disabled
OpLocks=enabled
OsLevel=35
RecycleBin=disabled
RoamingProfiles=no
ServerName=testbed2
ServerRole=DM
ShadowCount=10
ShadowDir=/home/e-smith/files/.shadow
UnixCharSet=UTF8
UseClientDriver=yes
WINSServer=90.0.0.20
Workgroup=lei-salem
status=enabled
7. At bash prompt: signal-event workgroup-update
8. Join the domain. At the bash prompt: net rpc join -U admin%pdc_admin_password
[root@testbed2 ~]# net rpc join -U admin%pdc_admin_password
Joined domain LEI-SALEM.
[root@testbed2 ~]#
Note: You will need the admin password from your PDC to complete this step.
9. At the bash prompt: signal-event workgroup-update.
The shares on your Domain Member box will now be accessible by authenticated domain member clients/users.
In time, I will work to provide full support for the Backup Domain Controller, Active Directory Domain Controller, and Active Directory Member Server Roles.
Thank you.
Greg J. Zartman
-
definitely.. STANDING OVATION :-)
very, very interesting contrib, I'll test asap
thank you
Ciao
Stefano
-
Greg, very nice work! Two suggestions: perhaps you can change the urls in your posts to use mirror.contribs.org instead of only pointing to ibiblio and perhaps you could add this howto to the wiki.
-
Greg, very nice work! Two suggestions: perhaps you can change the urls in your posts to use mirror.contribs.org instead of only pointing to ibiblio and perhaps you could add this howto to the wiki.
Many thanks.
I had initially hoped to document my work in the wiki, but I don't have access to it. I've requested access. Once I have it, I'll put together a proper howto/doco with more details, instruction, troubleshooting, etc.
Greg
-
Greg
I have tried this this morning on my in-house system, and am not getting a successful connection. There does not seem to be a contribs category for the contrib in the Bugzilla yet; how do you want me to report the problems?
-
Brian,
There is a bug report over in the tracker:
http://bugs.contribs.org/show_bug.cgi?id=4196
However, tell me a little about what you've done.
1. Did you successfully install my forked e-smith-samba, e-smith-base, etc. packages along with smeserver-adv-samba?
2. At the bash shell, issue the command testparm. You should get something like this:
[root@testbed2 ~]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[Primary]"
Processing section "[test]"
Processing section "[test2]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Note that Samba reports the Server role is Domain Member.
3. Verify that your Domain Member box thinks it is a member of the domain. At the bash prompt, issue the command "smbclient -L localhost". You should get something like this:
[root@testbed2 ~]# smbclient -L localhost
Password:
Anonymous login successful
Domain=[LEI-SALEM] OS=[Unix] Server=[Samba 3.0.25b-1.el4_6.4]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (SME Server)
test2 Disk testibay2
test Disk test
Primary Disk Primary i-bay
print$ Disk Printer drivers
Anonymous login successful
Domain=[LEI-SALEM] OS=[Unix] Server=[Samba 3.0.25b-1.el4_6.4]
Server Comment
--------- -------
NAMESERVER SME Server
TESTBED2 SME Server
Workgroup Master
--------- -------
LEI-SALEM NAMESERVER
Note that, in my case, the Domain is "LEI-Salem" and the PDC is "nameserver".
4. Finally, verify that your Domain Member box can pull domain user authentication from your PDC. On your Domain Member box, issue the command "wbinfo -u". You should get something like this:
[root@testbed2 ~]# wbinfo -u
LEI-SALEM\admin
LEI-SALEM\miked
LEI-SALEM\gz-salem
LEI-SALEM\brett
LEI-SALEM\jamie
LEI-SALEM\brandir
LEI-SALEM\chrisd
LEI-SALEM\larry
LEI-SALEM\ricky
LEI-SALEM\willk
LEI-SALEM\ryanm
LEI-SALEM\info
LEI-SALEM\gz-hotmail
LEI-SALEM\dallas
LEI-SALEM\greg
LEI-SALEM\jodi
LEI-SALEM\wallyh
LEI-SALEM\lindasueh
LEI-SALEM\pastorhoff
LEI-SALEM\accountant
If you get similar responses to what I have here, then your Domain Member box is part of the domain and pulling authentication information from the PDC. The only other issue could be permissions of the ibay. Try setting up a test ibay with the permission "Read Everyone Write Group".
Good luck.
Greg
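
The three checks from the post above (testparm role, smbclient domain, wbinfo -u listing) as a small triage script that names the first stage that fails. This is an added example, not part of the original thread or of the smeserver-adv-samba package; the function names are hypothetical and the sample outputs are abridged from those quoted in this thread.

```shell
#!/bin/sh
# Added example: classify the output of the three checks described above.
# Sample text below is abridged from the outputs quoted in this thread.

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# testparm must report the domain-member role (reads output on stdin).
check_role() { grep -q '^Server role: ROLE_DOMAIN_MEMBER'; }

# smbclient -L prints Domain=[NAME]; compare it case-insensitively,
# because the smb Workgroup property may be stored in lower case.
check_domain() {  # $1 = expected domain
    found=$(sed -n 's/^Domain=\[\([^]]*\)].*/\1/p' | head -n 1)
    [ -n "$found" ] && [ "$(upper "$found")" = "$(upper "$1")" ]
}

# wbinfo -u should list DOMAIN\user lines; print how many were seen.
count_domain_users() {  # $1 = expected domain
    awk -v d="$(upper "$1")" 'BEGIN { p = d "\\" }
        index(toupper($0), p) == 1 { n++ } END { print n + 0 }'
}

# Prints the first failing stage (role, domain, winbind) or ok:<users>.
diagnose() {  # $1 domain, $2 testparm, $3 smbclient, $4 wbinfo output
    printf '%s\n' "$2" | check_role || { echo role; return 1; }
    printf '%s\n' "$3" | check_domain "$1" || { echo domain; return 1; }
    users=$(printf '%s\n' "$4" | count_domain_users "$1")
    [ "$users" -gt 0 ] || { echo winbind; return 1; }
    echo "ok:$users"
}

TESTPARM_OK='Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER'
SMBCLIENT_LEI='Anonymous login successful
Domain=[LEI-SALEM] OS=[Unix] Server=[Samba 3.0.25b-1.el4_6.4]'
SMBCLIENT_BJS='Anonymous login successful
Domain=[BJSYSTEMS] OS=[Unix] Server=[Samba 3.0.28-0.el4.9]'
WBINFO_OK='LEI-SALEM\admin
LEI-SALEM\miked
LEI-SALEM\greg'
WBINFO_FAIL='Error looking up domain users'

echo "working member: $(diagnose lei-salem "$TESTPARM_OK" "$SMBCLIENT_LEI" "$WBINFO_OK")"
echo "failing member: $(diagnose bjsystems "$TESTPARM_OK" "$SMBCLIENT_BJS" "$WBINFO_FAIL")"
# Live use: diagnose lei-salem "$(testparm -s 2>&1)" \
#   "$(smbclient -N -L localhost 2>&1)" "$(wbinfo -u 2>&1)"
```

A result of `winbind` with the role and domain checks passing means the box is configured as a member but winbindd cannot enumerate users from the PDC.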
-
Greg
OK, everything goes through except the last step:
login as: root
root@192.168.100.10's password:
Last login: Sun Oct 12 10:32:17 2008 from pc-00123.maharishi.co.uk
[root@mapserver ~]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[Primary]"
Processing section "[company]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
dos charset = 850
unix charset = UTF8
display charset = ISO8859-1
workgroup = BJSYSTEMS
server string = SME Server
interfaces = 127.0.0.1, 192.168.100.10/255.255.255.0
security = DOMAIN
password server = 192.168.100.2
passdb backend = smbpasswd:/etc/samba/smbpasswd
guest account = public
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
check password script = /sbin/e-smith/samba_check_password
unix password sync = Yes
log file = /var/log/samba/log.%m
max log size = 50
smb ports = 139
name resolve order = wins lmhosts bcast
unix extensions = No
deadtime = 10080
printcap name = /etc/printcap
add machine script = /sbin/e-smith/signal-event machine-account-create '%u'
logon drive = Z:
os level = 35
domain master = No
dns proxy = No
wins server = 192.168.100.2
remote announce = 192.168.100.2
remote browse sync = 192.168.100.2
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = Yes
winbind enum groups = Yes
hosts allow = 127.0.0.1, 192.168.100.0/255.255.255.0
printing = lprng
print command = /usr/bin/lpr -b -h -r -P%p %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
lppause command = lpc hold '%p' %j
lpresume command = lpc release '%p' %j
queuepause command = lpc stop '%p'
queueresume command = lpc start '%p'
strict locking = No
[homes]
comment = Home directory
path = /home/e-smith/files/users/%S/home
read only = No
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
use client driver = Yes
browseable = No
[print$]
comment = Printer drivers
path = /home/e-smith/files/samba/printers
guest ok = Yes
[Primary]
comment = Primary i-bay
path = /home/e-smith/files/ibays/Primary
force group = shared
read only = No
create mask = 0640
inherit permissions = Yes
[company]
comment = T Drive
path = /home/e-smith/files/ibays/company/files
force group = shared
read only = No
create mask = 0664
inherit permissions = Yes
[root@mapserver ~]# smbclient -L localhost
Password:
Anonymous login successful
Domain=[BJSYSTEMS] OS=[Unix] Server=[Samba 3.0.28-0.el4.9]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer drivers
Primary Disk Primary i-bay
company Disk T Drive
IPC$ IPC IPC Service (SME Server)
Anonymous login successful
Domain=[BJSYSTEMS] OS=[Unix] Server=[Samba 3.0.28-0.el4.9]
Server Comment
--------- -------
BJSSERVER bjsserver bjsystems server 3.0.28-0.el4.9
MAPSERVER SME Server
Workgroup Master
--------- -------
BJSYSTEMS BJSSERVER
[root@mapserver ~]# wbinfo -u
Error looking up domain users
[root@mapserver ~]#
The DC is actually an SMEServer; tomorrow I shall be able to try it on a SBS2003 DC.
When I set it up, I get this at the end:
[root@mapserver ~]# net rpc join -U admin
Connection failed: NT_STATUS_UNSUCCESSFUL
-
Greg
OK, everything goes through except the last step:
[root@mapserver ~]# net rpc join -U admin
Connection failed: NT_STATUS_UNSUCCESSFUL
I just confirmed that there is a problem with my solution given some recent updates to SME 7.3. Basically, I'm getting the same error you are with all latest updates applied.
I'll work to come up with a solution to the problem.
Thanks
Greg
-
After further investigation, I have found that the problem that Brian is having has nothing to do with the RPMs I've posted, but is a KNOWN bug with the "net" command in the version of Samba we are running in SME 7.3 with updates (looks like SME 7.4 will also suffer from this bug)! Here is the Samba development mailing list post detailing the problem:
http://lists.samba.org/archive/samba-technical/2008-August/060581.html
There is a workaround. Replace step 8 above with the following:
8. Join the domain. At the bash prompt: net rpc join -U admin%pdc_admin_password
[root@testbed2 ~]# net rpc join -U admin%gregs_pdc_admin_password
Joined domain LEI-SALEM.
[root@testbed2 ~]#
I'll edit the step above, but I just wanted to follow up here.
Please give my procedure another shot and let me know how you fare.
Thanks
Greg
-
Greg
ok, I now get the
Joined domain BJSYSTEMS
thanks for the fix.
-
Greg
ok, I now get the
Joined domain BJSYSTEMS
thanks for the fix.
Issue the command wbinfo -u and let me know if you get a listing of your PDC accounts. The output should report them in a format: domain_name/user_name.
Greg
-
oh, I still get:
[root@mapserver ~]# wbinfo -u
Error looking up domain users
[root@mapserver ~]#
despite the initial logon working now. This is now authenticating on a real SBS2003 server, and I can see the "computer" account for the SMEserver having been created in the AD.
What else can I tell you?
-
Is the Kerberos set forgotten? Can't imagine this working without KRB5.
-
Is the Kerberos set forgotten? Can't imagine this working without KRB5.
I've no idea what you mean by that...
-
I have been experimenting with this subject as well. Never was able to do this without the use of Kerberos.
Greg knows for sure if he left out this issue on purpose or maybe simply forgot.
-
I have been experimenting with this subject as well. Never was able to do this without the use of Kerberos.
Greg knows for sure if he left out this issue on purpose or maybe simply forgot.
Kerberos is not needed for regular domain membership. Winbindd provides local user authentication.
Greg
-
@Greg,
once more I would like to emphasize that your mod is addressing an urgent need.
I would like to pick up your original post. SME 7.4 has been out for a while now, but AFAIK your forked Samba patches were built for 7.3, and nothing is available for 7.4 so far. Could you share some thoughts about the following topics?
- When will you be able to provide a fork for SME 7.4?
- What is the status of including your changes into SME core packages?
- Is your current mod smeserver-adv-samba-0.1.0-5.el4.sme.noarch.rpm capable of working with SME 7.4?
- What will happen if SME 7.3 with your fork plus the mod is updated to SME 7.4 by the normal update mechanism?
Many thanks,
turandot
-
This has been addressed in the wiki:
http://wiki.contribs.org/Advanced_Samba
ServerRole functionality is now part of the core SME packages, but these are "post-SME7.4", so they've not been released yet; they can be installed from the smeupdates-testing repo. I personally run these packages on all of my production machines and have talked with others who are as well.
Yes, the current smeserver-adv-samba package works on SME 7.4 and the current SME 8 beta.
I'm confident that you can upgrade the forked packages with the ones in smeupdates-testing cleanly. Make sure you do a signal-event post-upgrade;signal-event reboot after you update these packages.
If you have any trouble, be sure to let me know.
Greg