Monday, April 16, 2012

Active Directory with Samba 4 part 2

Next step is to compile and install Samba 4.

The process of compiling and installing Samba 4 is already described in the Samba 4 Howto. The Howto is very straightforward and easy to follow, my compilation was done in one step without more dependencies. I just want to add some Tips and Troubleshooting from that Howto.

From the 4th step, if you install a new samba domain, you can directly follow that procedure. For example, if you want to use EXAMPLE.COM as kerberos realm and the domain name SAMBA the provision command is as follow:

/usr/local/samba/sbin/provision --realm=example.com --domain=SAMBA --adminpass=SOMEPASSWORD --server-role=dc
If you want to upgrade from samba3 and want to keep the existing users, you should not do the process above, you must do this procedure and consider the following note.
  • Backup your Samba3 database directory (the location of all your Samba3 tdb files in /var/lib/samba) and Samba3 config file to the Samba4 server.
  • scp -r /var/lib/samba ip.to.new.server:/home/user/samba3db
    scp /etc/samba/smb.conf ip.to.new.server:/home/user/samba3.conf
    If you wish to rename the new server, you can change the netbios name in the Samba3 conf file.
  • Do provisioning upgrade using this command:
  • /usr/local/samba/bin/samba-tool domain samba3upgrade --dbdir=/home/user/samba3db  --use-xattrs=yes  --realm=EXAMPLE.COM /home/user/samba3.conf
    

If after this procedure you experienced any problems, for example there are already existing groups or the samba log complaining about no idmap, you can try this:
  • You can delete group_mapping.* from your Samba3 database directory. Consequently, your existing groups are not imported into the Samba4 database.
  • If in the samba log, you found an error mentioning about idmap, you can comment line "import_idmap(result.idmap, samba3, logger)" in file /usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py and do again the upgrade procedure.

Setting up home folder

You will need to create a share for the home, typically named home. Edit the /usr/local/samba/etc/smb.conf to include:
[home]
       path = /srv/home
       read only = no
2. Create the directory above using:
mkdir /srv/home
chown root.users /srv/home
chmod 775 /srv/home
The group users is a group with gid 100 in linux which is the default gid map for Samba4 Domain Users.
3. On windows start the Active Directory Users and Computers, select all the users, right click and hit properties
4. Under the profile tab, in the Connect type the drive path to your share along with %USERNAME% as follows:
\\sambaserver.example.com\home\%USERNAME%
5. click OK, logout and login as one of those users. When you logout again, you should see that the home directory has been mapped.
6. On the linux server, change the user home permission.
chmod 775 /srv/home/*
Or one by one
/usr/local/samba/bin/wbinfo -i user1
SAMBA\user1:*:3000011:100::/srv/home/user1:/bin/false
chown 3000011 /srv/home/user1
Now each user can create anything in their folder.
This is also applied when you set the profiles folder.

Account Expired

In my case, all imported users are having expired account status, so you must change this status either using windows domain admin tools or edit it using LDAP tools.

Kerberos Ticket

To make sure that you get kerberos tickets, try to login from Win XP client and run cmd line from windows support tools menu.
cmd
Command prompt
In the command line, type klist tickets, if everything work fine, you will get some tickets.
tickets
Tickets

Missing Key Registry

I do not know if this happened also with new provision, but in upgrade process, some key registry is reported missing by samba log. This will not make your samba 4 does not work, but some value will not showed up in windows configuration tools. You need to edit file hklm.ldb and add the following entries using this command /usr/local/samba/bin/ldbedit -e nano -H /usr/local/samba/private/hklm.ldb
dn: key=DefaultUserConfiguration,key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
key: DefaultUserConfiguration
distinguishedName: key=DefaultUserConfiguration,key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE

dn: key=SchedulingAgent,key=Microsoft,key=SOFTWARE,hive=NONE
key: SchedulingAgent
distinguishedName: key=SchedulingAgent,key=Microsoft,key=SOFTWARE,hive=NONE

dn: key=UserOverride,key=DefaultUserConfiguration,key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
key: UserOverride
distinguishedName: key=UserOverride,key=DefaultUserConfiguration,key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE

dn: key=Control Panel,key=UserOverride,key=DefaultUserConfiguration,key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
key: Control Panel
distinguishedName: key=Control Panel,key=UserOverride,key=DefaultUserConfiguration,key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE

dn: key=Desktop,key=Control Panel,key=UserOverride,key=DefaultUserConfiguration,key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
key: Desktop
distinguishedName: key=Desktop,key=Control Panel,key=UserOverride,key=DefaultUserConfiguration,key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE

dn: key=EventLog,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
key: EventLog
distinguishedName: key=EventLog,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE

dn: key=DNS Server,key=EventLog,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
key: DNS Server
distinguishedName: key=DNS Server,key=EventLog,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE


Next >>

2 comments:

Vidhyadhar said...

Excellent...!!! I was not able to map home directory for the windows user your article helped me a lot

Артём Горбунов said...

There are windows server 2008
I plugged it in and when the domain is connected via RDP logon freezes on welcome. In the logs, I have the following. My log from server

[2014/02/11 09:30:13.268394, 10, pid=23459, effective(3000019, 100), real(3000019, 0), class=registry] ../source3/registry/reg_backend_db.c:2074(regdb_get_secdesc)
regdb_get_secdesc: Getting secdesc of key [HKLM]
[2014/02/11 09:39:47.915385, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2014/02/11 09:39:47.932125, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
ldb_wrap open of secrets.ldb