13.1.12

Samba 4 on Ubuntu

Our openSUSE method for installing Samba 4 to serve Windows and Linux clients works for Ubuntu too. This post is about the usual Red Hat versus Debian inconveniences. For speed and security we recommend 


UPDATE: s4bind. Ubuntu - Windows Single Sign On without Winbind. Full suite of tools, here.
UPDATE: automounting the nfs, as described here.
UPDATE: add reverse DNS here.
UPDATE: or even better, forward and reverse dlz zones here.
UPDATE: 12.04. No need for the bind9 beta. We now have 9.81 out of the box. Small change in packages for the server. We lose pam-krb5utils and instead install libpam-krb5.
UPDATE: 12.04 beta needs to be built with libacl1-dev installed for the s3fs to work.


The test domain with Ubuntu DC
Ubuntu DC and server
The otherwise excellent Samba 4 wiki is a little neglected. The packages needed to build from the git source on Ubuntu are missing. YMMV, but for Oneiric, I used this lot:

apt-get install build-essential libattr1-dev krb5-user libblkid-dev gdb libgnutls-dev libreadline-gplv2-dev python-dev autoconf python-dnspython pkg-config pam-krb5utils libpopt-dev apparmor-utils ldap-utils libsasl2-modules-gssapi-mit

The client is much less greedy. See below. There's no decent bind available for Ubuntu out of the box. Not one which will survive a Samba 4 session anyway. To save hours of fiddling with dpkg on the 9.8.1 source, I can recommend the 9.9.0 beta. Edit:
/etc/apt/sources.list.d/hauke-bind9-oneiric.list
to contain:
deb http://ppa.launchpad.net/hauke/bind9/ubuntu natty main
deb-src http://ppa.launchpad.net/hauke/bind9/ubuntu natty main
Yeah, even though we're on 11.10 we use the Natty ppa. You may want to drop the packager a note thanking him :-)

For now, turn off apparmor enforcement for named (complain mode):
sudo aa-complain /etc/apparmor.d/usr.sbin.named

Samba 4 on Ubuntu, yesterday
Next, edit /etc/init.d/bind9 and change this line:
PIDFILE=/var/run/bind/run/named.pid
to this:
PIDFILE=/var/run/bind/run/named/named.pid
Finally, to get rid of the last remaining bind9 syslog error:
touch /var/cache/bind/managed-keys.bind
chown root:bind /var/cache/bind/managed-keys.bind

Nearly done. We must change the Samba 4 source so that it will talk to your bind9 beta. In source4/dns_server/dlz_minimal.h comment out the version 1 define so that it reads:
//#define DLZ_DLOPEN_VERSION 1
and add:
#define DLZ_DLOPEN_VERSION 2
Obvious really. Then it's the usual.
./configure.developer
make
sudo su
make install
exit
make (again YMMV)
(coffee or something stronger break)

Then it's the usual:
sudo su

/usr/local/samba/sbin/provision --realm=hh3.site --domain=CACTUS --adminpass=Abcd@1ef --server-role=dc

The openSUSE package,
nss-pam-ldapd
comes as two packages on Ubuntu,
libnss-ldapd
libpam-ldapd
apt makes a user and group called nslcd for you and throws in k5start for good measure. Nice, but edit /etc/default/nslcd so that nslcd does not start it without warning:
K5START_START="no"


Turn off nscd:
service nscd stop

The NFS server is a bit different too. This is where you miss Yast. Here's the low-down.
apt-get install nfs-common nfs-kernel-server rpcbind

We'll set it up for Kerberized NFS4 and you can then choose 3 or 4 when you go to mount:
Edit the following:
/etc/default/nfs-kernel-server

RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD="yes"
RPCSVCGSSDOPTS=
RPCNFSDOPTS=

/etc/default/nfs-common (same on both server and client)
NEED_STATD="yes"
STATDOPTS=
NEED_IDMAPD="yes"
NEED_GSSD="yes"


/etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = hh3.site
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup


Then start the nfs server:
modprobe nfs
service nfs-kernel-server start
service idmapd start

Ubuntu Client
We need this stuff:


apt-get install krb5-config krb5-user kstart libgssrpc4 libkadm5clnt-mit8 libkadm5srv-mit8 libkdb5-6 libnss-ldapd libpam-krb5 libpam-ldapd libsasl2-modules-gssapi-mit nscd nslcd nfs-common


There are some decisions about your ldap server, base LDAP address, nsswitch.conf and Kerberos authentication along the way. LDAP base is dc=hh3,dc=site. You need group and passwd for LDAP and the Kerberos server and authentication source is the same: 192.168.1.3. You do not need shadow lookup through NSS in LDAP. Some of the screens look as follows:
Ubuntu's equivalent of Yast
The poor man's Yast 2
DNS again. Go no further until hostname -f returns hh4.hh3.site. The easy way to do this is to add 192.168.1.3 hh3.hh3.site hh3 and 127.0.1.1 hh4.hh3.site hh4 to /etc/hosts. Ensure that /etc/hostname contains the short hostname only (hh4). No idea why. It really does help to have forward and reverse DNS lookups in place; please see the articles under UPDATE above.

The net command is already available on Oneiric so no need to install anything else, but smb.conf needs the kerberos method line adding to /etc/samba/smb.conf in this order:

workgroup = CACTUS
realm = HH3.SITE
security = ADS
kerberos method = system keytab


then (hold on tight):
net ads join -U Administrator
net ads keytab create -U Administrator
Ignore the warning about dns update.


to give (for our client with fqdn = hh4.hh3.site):

klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- -------------------------------
   1 host/hh4.hh3.site@HH3.SITE
   1 host/hh4.hh3.site@HH3.SITE
   1 host/hh4.hh3.site@HH3.SITE
   1 host/hh4@HH3.SITE
   1 host/hh4@HH3.SITE
   1 host/hh4@HH3.SITE
   1 HH4$@HH3.SITE
   1 HH4$@HH3.SITE
   1 HH4$@HH3.SITE

Each principal appears three times, one entry per enctype: 2 for des and 1 for arcfour.

nfs4/3 stuff
Before going to mount, and to help debugging (either a test mount on the server or a production mount on a remote client), run this in a separate shell:
rpc.gssd -fvvv
It will start the gss daemon and tell you in no uncertain terms if you have your keytabs wrong. DNS must be absolutely perfect at this stage.
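As an added check that is not from the post (the script name s4check, the function names and the sample klist/idmapd text below are my own constructions mirroring the hh4.hh3.site client), here is a small sh script that verifies the things this section says must be right before mounting: hostname -f is the FQDN, the keytab holds the principals net ads keytab create should have written, and the idmapd Domain matches; run as "s4check --live hh3.site" it also checks that forward and reverse DNS round-trip.

```shell
#!/bin/sh
# s4check: pre-mount sanity checks for a Samba 4 / Kerberized NFS client (added
# example, not from the post; names and sample data below are constructed to
# mirror the post's hh4.hh3.site client in realm HH3.SITE).
# Constructed klist -k output in the shape the post shows.
SAMPLE_KLIST='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------
   1 host/hh4.hh3.site@HH3.SITE
   1 host/hh4@HH3.SITE
   1 HH4$@HH3.SITE'
SAMPLE_IDMAPD='[General]
Domain = hh3.site'

# 0 if hostname -f output ($1) is exactly <short>.<domain> ($2.$3).
fqdn_ok() { [ "$1" = "$2.$3" ]; }

# 0 if klist output ($1) holds host/<fqdn>, host/<short> and <SHORT>$ in realm $4,
# i.e. what "net ads keytab create" leaves behind; prints whatever is missing.
keytab_has_principals() {
    princs=$(printf '%s\n' "$1" | awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }')
    upper=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    rc=0
    for p in "host/$2.$3@$4" "host/$2@$4" "$upper\$@$4"; do
        printf '%s\n' "$princs" | grep -qxF -- "$p" || { echo "keytab: missing $p" >&2; rc=1; }
    done
    return $rc
}

# 0 if the Domain in idmapd.conf text ($1) equals $2; a mismatch is the classic
# reason files show up as nobody/nogroup over nfs4.
idmapd_domain_ok() {
    got=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*//p' | sed 's/[[:space:]]*$//' | head -n 1)
    [ "$got" = "$2" ]
}

# Live checks on this host; usage: s4check --live hh3.site
run_live_checks() {
    domain=$1; short=$(hostname -s); fqdn=$(hostname -f)
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    fqdn_ok "$fqdn" "$short" "$domain" || { echo "hostname -f gives '$fqdn'; fix /etc/hosts and /etc/hostname first" >&2; return 1; }
    keytab_has_principals "$(klist -k /etc/krb5.keytab)" "$short" "$domain" "$realm" || return 1
    idmapd_domain_ok "$(cat /etc/idmapd.conf)" "$domain" || { echo "idmapd.conf Domain should be $domain" >&2; return 1; }
    ip=$(dig +short A "$fqdn" | head -n 1)      # forward lookup ...
    ptr=$(dig +short -x "$ip" | sed 's/\.$//')  # ... must round-trip through the PTR
    [ "$ptr" = "$fqdn" ] || { echo "reverse DNS for $ip is '$ptr', expected $fqdn" >&2; return 1; }
    echo "DNS, keytab and idmapd look right for $fqdn"
}
if [ "${1:-}" = "--live" ]; then run_live_checks "${2:?usage: s4check --live <domain>}"; fi
```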


Be careful with the nfs mount. This setup defaults to nfs4, so be sure to specify if you want nfs3 on the command line or in fstab.

nfs4
rpc.idmapd -fvvv
at both ends will help you trace any mapping problems.
mount -t nfs4 hh3:/home /home -o sec=krb5

nfs3
Make sure that rpc.statd is running at both ends.
mount -t nfs hh3:/home /home -o sec=krb5,vers=3

An example startup script:
cat /usr/local/bin/s4start
#!/bin/bash
#this is the ubuntu client version. Steve 26 Feb 2012
echo "Starting Samba 4 LINUX services "
#service nscd stop
service nslcd restart
k5start -f /etc/nslcd.keytab -U -o nslcd -K 540 -k /tmp/nslcd.tkt &
echo "mounting nfs4 filesystem"
sleep 2
mount -t nfs4 hh3:/home /home -o sec=krb5
#mount -t nfs hh3:/home /home -o sec=krb5,vers=3

If you want POSIX ACLs over nfs (you do: nfs4 ACLs are hopeless, you can't even have a group rw share from a 0022 umask), you'll have to drop back to nfs3:
mount -t nfs hh3:/home /home -o vers=3,sec=krb5

If you are having permission or mapping issues, turn off nscd and remount. Login with your s4 credentials and enjoy. THEN CHECK DNS AGAIN!


To save you the misery, here are the bind configuration files, including the Samba 4 stuff:
/etc/bind/named.conf
include "/etc/bind/named.conf.options";
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";
include "/usr/local/samba/private/named.conf";

/etc/bind/named.conf.options
options {
directory "/var/cache/bind";
auth-nxdomain no;    # conform to RFC1035
listen-on-v6 { any; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

So thanks to Ubuntu, you now have the perfect setup for listening to mp3's downloaded from your mobile 'phone.