23.8.12

Samba 4 DC with Samba 3 cifs and NFS file server

Not for the weak of heart this one. You have been warned.


You just set up the Samba 4 DC and a Samba 3 file server on another box, set up the NFS keytabs, and that's it. It's really easy.

Samba4 DC: 192.168.1.30 hh30.hh3.site
Samba3 file server: 192.168.1.32 hh32.hh3.site

The rest follows these fixed IP settings.
Method
1. Install and provision a Samba4 DC using these instructions. Do not edit smb.conf. Ours looks like this:

[global]
        server role = domain controller
        workgroup = ALTEA
        realm = hh3.site
        netbios name = HH1
        passdb backend = samba4
     
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

2. On a separate computer, install Samba and winbind from your usual distro.
3. In /etc/samba/smb.conf, delete everything and add this:

[global]
realm = polop.site
workgroup = ALTEA
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 20000-40000000
idmap config ALTEA:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = Yes
[profiles]
path = /home2/profiles
read only = No
[home]
path = /home2/home
read only = No
[staff]
path = /home2/staff
read only = No


4. Create the folder for the shares:
mkdir /home2
mkdir /home2/profiles
chmod 1777 /home2/profiles
mkdir /home2/home
mkdir /home2/staff

5. Set your DNS to that of the Samba4 DC
6. Join the domain: 

net ads join -U Administrator

7. pam-config --add --krb5
8. pam-config --add --winbind

Tomorrow: How to rid the world of hunger, famine and all known diseases.

22.8.12

Samba 4 in Plain English

After installing Samba 4 (S4) you will find these files in /usr/local/samba/sbin:
1. samba
2. smbd
3. nmbd
4. winbindd
If you want to use S4 as an Active Directory (AD) domain controller (DC) then you provision and run:
samba. The details of how you get this far are here in the Samba 4 wiki
When you run samba, it runs its own internal versions of smbd and winbind. But not nmbd. There is no nmbd in S4.
Facts and figures:
- The version of smbd which runs when you run samba is called s3fs
- Under samba, winbind is called winbind
- If you don't need a DC then you run smbd, nmbd and winbindd just as you did with your Samba 3.x install from whatever distribution you are using.
- If you have a default Samba4, your smb.conf file is in:
/usr/local/samba/etc/smb.conf
- If you run samba, you cannot use a smb.conf file from an existing Samba 3.x install.
- If you want to do that then forget AD and run smbd, nmbd and winbindd separately.
- If you want a DC and to use your familiar smb.conf commands then you must run samba on one machine and smbd, nmbd and winbindd on another.
Where do I put smb.conf?
1. Samba 4.
If you installed Samba 4 and run any combination of samba or smbd, nmbd and winbindd, smb.conf goes in:
/usr/local/samba/etc/smb.conf
2. Samba 3
-If you installed Samba 3 from a tarball, it goes in /usr/local/etc/smb.conf
-If you installed Samba 3 from  your distribution (like Ubuntu or openSUSE)  it goes in /etc/samba/smb.conf
What can I put in smb.conf?
1. Samba4 AD
Not very much. If you want to be able to put in everything you are used to, either run Samba4's smbd, nmbd and winbindd on a separate computer, or run Samba 3 on a separate computer.
2. Samba4 without AD, running smbd, nmbd and winbindd
Exactly the same as you put in your own smb.conf. But remember that if you do this, you have no AD capability.
Gotchas
- If you have installed S4, then make sure you disable or remove your old Samba 3 installation.
Conclusion
At no stage must you run samba together with any of smbd, nmbd or winbindd. You either run
1. samba
or you run
2. smbd with nmbd and winbindd.

17.8.12

Internal ssh client and server on openSUSE

Client: (the box where you want to connect from)
Do nothing

Server: (the box where you want to connect to)
Start the sshd daemon:
rcsshd start

Use YaST to assign the internal zone to the internal LAN interface and make sure port 22 is open (it opens all ports on the internal interface by default unless you tell it to protect from the internal zone).

That's it. Now you can:
ssh user@server
password:

ssh without a password. We create an RSA key and store it on both client and server. We will then not be asked for a password. Here we create the key for root:

1. Login as root and change to /root
ssh-keygen -t rsa

2. ssh to the server:
ssh root@server (e.g. in my case ssh root@hh32.hh3.site)
enter the root password, then:
cd /root
mkdir .ssh
exit
Now that we are back on the client, issue:
cat .ssh/id_rsa.pub | ssh  root@server 'cat >> .ssh/authorized_keys'

Now, root can login to the server without a password

Cute:)
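An added example (mine, not from the post) of the key-copy step above done more carefully in Python: it appends the public key only if that key is not already in authorized_keys, and leaves ~/.ssh and the file with the modes sshd's default StrictModes accepts, which a bare mkdir and cat >> leave to the umask. The home directory and key strings are constructed for illustration.

```python
import os
import tempfile

KEY_TYPES = ("ssh-rsa ", "ssh-ed25519 ", "ecdsa-sha2-")

def install_authorized_key(home, pubkey):
    """Add one OpenSSH public key line to home/.ssh/authorized_keys, skipping it if
    that key is already there, and leave the permissions sshd's default StrictModes
    accepts (.ssh 0700, authorized_keys 0600). Returns True if the key was added."""
    key = pubkey.strip()
    if not key.startswith(KEY_TYPES) or len(key.split()) < 2:
        raise ValueError("not an OpenSSH public key line")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    data = ""
    if os.path.exists(path):
        with open(path) as f:
            data = f.read()
    blob = key.split()[:2]  # key type + base64 body; the trailing comment may differ
    present = any(line.split()[:2] == blob for line in data.splitlines()
                  if line.strip() and not line.lstrip().startswith("#"))
    if not present:
        with open(path, "a") as f:
            if data and not data.endswith("\n"):
                f.write("\n")  # otherwise the new key would be glued onto the last line
            f.write(key + "\n")
    os.chmod(path, 0o600)
    return not present

def authorized_keys(home):
    """Return the non-comment key lines currently in authorized_keys."""
    path = os.path.join(home, ".ssh", "authorized_keys")
    with open(path) as f:
        return [l.strip() for l in f if l.strip() and not l.lstrip().startswith("#")]

def strict_modes_ok(home):
    """True if home, .ssh and authorized_keys are none of them group/world writable,
    part of the check sshd makes before it will trust the file."""
    ssh_dir = os.path.join(home, ".ssh")
    for p in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        if os.stat(p).st_mode & 0o022:
            return False
    return True

def fresh_home():
    """A throwaway home directory for trying this out (constructed, not a real account)."""
    return tempfile.mkdtemp()
```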

4.8.12

Winbind on Samba4 II

OK. I'm not giving up on this one. We have nss-pam-ldap working perfectly against Samba4 LDAP. We want to compare it with nss-winbind performance.

We need to pull the uid:gid number pair from LDAP. nss-ldapd just does it but we are experimenting with winbind at both ends. This is proving to be a real pita.

Let's have a go. We're on openSUSE 12.1 with a Samba4 beta 6 checkout from today.
Samba 4 DC with s3fs and nfs file server
smb.conf needs:
idmap enum users = Yes
idmap enum groups = Yes
login shell = /bin/bash
idmap_ldb:use rfc2307 = Yes
(note: no white space either side of the ":")

Samba 3.6 clients. We're also on openSUSE 12.1 with Samba 3.6.3 patched a thousand times to make it work.
idmap config : backend = ad
idmap config : range = 20000-4000000

UPDATE: Final solution for smb.conf on 3.6 which pulls all rfc2307 from the Samba4 AD.


[global]
realm = polop.site
workgroup = ALTEA
security = ADS

winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 20000-40000000
idmap config ALTEA:schema_mode = rfc2307 
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes 

I add a sample user object to AD and add:

objectClass: posixAccount
uidNumber: 3000027
gidNumber: 20513

I use Domain Users as my default group so add:
objectClass: posixGroup
gidNumber: 20513

I choose 20513 for readability. 513 is the rid for Domain Users and adding 20000 to it keeps it out of the way of local users.
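An added check, mine rather than anything from the post or from Samba: a small Python script that parses the idmap config lines of the file-server smb.conf above (the same block is used in the 23.8.12 entry), confirms the per-domain ranges do not overlap, and confirms that the uidNumber and gidNumber placed in AD fall inside the ALTEA range, because idmap_ad treats its range as a filter and discards IDs outside it. The SMB_CONF excerpt is constructed from the page's values.

```python
import re

# Constructed excerpt of the file-server smb.conf from the post (values as on the page).
SMB_CONF = """
[global]
workgroup = ALTEA
security = ADS
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 20000-40000000
idmap config ALTEA:schema_mode = rfc2307
winbind nss info = rfc2307
"""

# "idmap config DOMAIN:option = value" (Samba also accepts spaces around the colon)
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every idmap config line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def ranges(domains):
    """Return {domain: (low, high)} from each domain's range option."""
    out = {}
    for dom, opts in domains.items():
        low, high = (int(x) for x in opts["range"].split("-"))
        out[dom] = (low, high)
    return out

def overlaps(rng):
    """Pairs of domains whose ranges overlap; winbind needs them disjoint."""
    items = sorted(rng.items(), key=lambda kv: kv[1])
    return [(d1, d2) for (d1, (_, h1)), (d2, (l2, _)) in zip(items, items[1:]) if l2 <= h1]

def id_in_range(rng, domain, number):
    """True if a uidNumber/gidNumber stored in AD sits inside the domain's range.
    idmap_ad uses the range as a filter and drops IDs outside it."""
    low, high = rng[domain.upper()]
    return low <= number <= high

def rid_to_gid(rid, offset=20000):
    """The post's scheme: Domain Users (RID 513) + 20000 = 20513."""
    return offset + rid
```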


UPDATE: Samba4 DC working with uidNumber and gidNumber being pulled from AD. Whahey! Unfortunately that's as good as it gets with winbind. To pull the whole of rfc2307 on the DC, you must use e.g. nss-ldapd or even better, sssd with its own ad backend.