Requirements

Development libraries and Programs

If you plan to install Samba from source, you must install the following dependencies. If you install Samba4 using your distribution's package manager, you only need to install the recommended dependencies.

Required

These packages are required for a successful build of Samba 4

Recommended optional development libraries and Programs:

In most distributions these libraries are labelled lib*-dev or lib*-devel; for example, on Debian or Ubuntu the acl library is libacl1-dev, while on Fedora, RHEL, CentOS, and openSUSE it is named libacl-devel.

Distribution Setup

The following examples cover all of these libraries. They also cover bind, kerberos, and file system tools. If you plan to use the internal DNS server, you do not need bind, but you still need the package that contains the nsupdate binary.

Debian or Ubuntu

 # apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl

Note: docbook-xsl, xsltproc, and inkscape may be required for building the man pages.

Note: if you need pam winbind support, you will also need the libpam0g-dev package installed.

If you plan to use the Samba4 Sernet Repository, follow the instructions in the Samba4 Sernet Repository Wiki and install these packages:

 # apt-get install dnsutils attr krb5-user acl

Fedora

 # yum install libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig libattr-devel krb5-workstation

CentOS

 # yum install gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils

File System Support


To use the advanced features of Samba4 you need a file system that supports both the “user” and “system” xattr namespaces.

You need this support on the file systems you will share with Samba; for many users that will be their /home volume. However, the 'samba-tool' provision command also tests support by creating a temporary file in the 'sysvol' directory. This might be under /usr/local/samba for a local install, or somewhere else. That file system also needs ACL and xattr support.

ext4 File System

If you are using ext4 for your file system, you will need to include the option “barrier=1” in your /etc/fstab. For example:

 # / was on /dev/sda5 during installation
 UUID=5e6e3446-5963-466e-86a7-b6376442d743  /   ext4 defaults,barrier=1   1  1

ext3 File System

If you are using ext3 for your file system, you will need to include the options “user_xattr”, “acl” and “barrier=1” in your /etc/fstab. For example:

 # / was on /dev/sda5 during installation
 UUID=5e6e3446-5963-466e-86a7-b6376442d743  /   ext3 defaults,user_xattr,acl,barrier=1   1  1

NOTE: The barrier=1 option ensures that tdb transactions are safe against unexpected power loss. A number of sites have corrupted their AD database in sam.ldb by not having this option enabled.

Then restart the server to apply the changes, or run:

 # mount -a
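The fstab requirements above can be verified before rebooting. The following script is an added example, not part of this wiki page: it reads an fstab, and for every ext3 or ext4 entry reports which of the options this section requires (barrier=1 for ext4; user_xattr, acl and barrier=1 for ext3) are missing. The function names are constructed, and so is the sample fstab it ships with (the zero UUIDs are placeholders, not real devices).

```bash
#!/bin/bash
# Check /etc/fstab entries for the mount options Samba needs on ext3/ext4.
# Added example, not from the Samba wiki. Function names are constructed;
# the sample fstab below is constructed too (its UUIDs are not from a real host).

# required_options FSTYPE -> the options the text above requires for that type
required_options() {
    case "$1" in
        ext4) echo "barrier=1" ;;
        ext3) echo "user_xattr acl barrier=1" ;;
        *)    echo "" ;;                    # other file systems: nothing to check here
    esac
}

# fstab_missing_options "<fstab line>" -> prints the required options absent from
# the entry's option field (4th column), space separated; empty when all are set
fstab_missing_options() {
    local fstype opts required o missing=""
    set -- $1                               # dev mountpoint type options dump pass
    fstype="$3"; opts="$4"
    required=$(required_options "$fstype")
    for o in $required; do
        case ",$opts," in
            *",$o,"*) ;;                    # option present
            *) missing="$missing${missing:+ }$o" ;;
        esac
    done
    printf '%s' "$missing"
}

# check_fstab FILE -> one line per entry lacking options; returns 1 if any entry does
check_fstab() {
    local file="$1" line mnt missing rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac    # skip blanks and comments
        set -- $line
        mnt="$2"
        missing=$(fstab_missing_options "$line")
        if [ -n "$missing" ]; then
            echo "$mnt: missing $missing"
            rc=1
        fi
    done < "$file"
    return $rc
}

# sample_fstab -> writes a constructed fstab to a temp file and prints its path;
# the /home entry deliberately lacks barrier=1
sample_fstab() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real host's fstab
UUID=5e6e3446-5963-466e-86a7-b6376442d743  /      ext4  defaults,barrier=1                 1 1
UUID=00000000-0000-0000-0000-000000000001  /home  ext3  defaults,user_xattr,acl            0 2
UUID=00000000-0000-0000-0000-000000000002  /srv   ext3  defaults,user_xattr,acl,barrier=1  0 2
EOF
    echo "$f"
}

# Usage: ./fstab-check.sh /etc/fstab   (exit status 1 when options are missing)
if [ $# -gt 0 ]; then
    check_fstab "$1"
fi
```

Run it against /etc/fstab on the DC before provisioning; a non-zero exit means at least one mount point still needs its options adjusted and remounted.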

Proxmox VE

If you plan to deploy the Samba4 AD DC in a Proxmox container, log in to the Proxmox server through ssh and adjust the /etc/fstab file as follows:

 /dev/pve/data /var/lib/vz ext3 defaults,user_xattr,acl,barrier=1  1 1

Finally remount the file system:

 # mount -a

Testing Kernel options

You also need to compile your kernel with the XATTR, SECURITY, and POSIX_ACL options for your filesystem (In Debian and Ubuntu those options are enabled by default). For ext4 that means you need (change the 4 to a 3 for ext3):

 CONFIG_EXT4_FS_XATTR=y
 CONFIG_EXT4_FS_SECURITY=y
 CONFIG_EXT4_FS_POSIX_ACL=y

If you are running a Linux 2.6 (or greater) kernel with CONFIG_IKCONFIG_PROC defined you can check this with the following command in Debian/Ubuntu:

 # zgrep CONFIG_EXT4_FS /boot/config-`uname -r`

File Systems without xattr support (older filesystem)

If you don't have a filesystem with xattr support, then you can simulate it by adding the following line to your smb.conf:

  posix:eadb = /usr/local/samba/eadb.tdb

This will place all extra file attributes (NT ACLs, DOS EAs, streams etc.) in that tdb. It is not efficient and doesn't scale well, but at least it gives you a choice when you don't have a modern file system.

Testing the File System

To test your file system support, run the following commands as root:

 # touch test.txt
 # setfattr -n user.test -v test test.txt
 # setfattr -n security.test -v test2 test.txt
 # getfattr -d test.txt
 # getfattr -n security.test -d test.txt

You should see output like this:

 # file: test.txt
 user.test="test"

 # file: test.txt
 security.test="test2"

For ACL testing do the following as root:

 # touch test3.txt
 # setfacl -m g:adm:rwx test3.txt
 # getfacl test3.txt

and you should get a line like group:adm:rwx in your output.

If you get any “Operation not supported” errors then it means your kernel is not configured correctly, or your filesystem is not mounted with the right options.

If you get any “Operation not permitted” errors then it probably means you didn't try the test as root.

If you are using the posix:eadb option then you don't need to test your filesystem in this manner.
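The kernel-option check and the xattr/ACL tests from the two sections above can be run as one script. The following is an added example, not from the Samba wiki: it parses a kernel config file for the three CONFIG_<FS>_FS_* options, then runs the setfattr/setfacl probes on a temporary file in a directory of your choice and classifies their error output the way the text does (“Operation not supported” points at kernel or mount options, “Operation not permitted” at not being root). Function names are constructed, the embedded kernel config is constructed, and the ACL probe uses the group root rather than the text's adm so it works on systems without an adm group.

```bash
#!/bin/bash
# Check kernel config options and probe a directory for xattr/ACL support.
# Added example, not from the Samba wiki: function names are constructed and the
# sample kernel config is constructed (it is not a real /boot/config file).

# kernel_config_missing CONFIGFILE FS -> prints the CONFIG_<FS>_FS_{XATTR,SECURITY,
# POSIX_ACL} options not set to y in CONFIGFILE (FS = ext3 or ext4); empty if all set
kernel_config_missing() {
    local file="$1" fs opt missing=""
    fs=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')      # ext4 -> EXT4
    for opt in XATTR SECURITY POSIX_ACL; do
        if ! grep -q "^CONFIG_${fs}_FS_${opt}=y$" "$file"; then
            missing="$missing${missing:+ }CONFIG_${fs}_FS_${opt}"
        fi
    done
    printf '%s' "$missing"
}

# classify_probe_error "<stderr text>" -> SUPPORTED | NOT_SUPPORTED | NOT_PERMITTED | OTHER,
# following the diagnosis given in the text above
classify_probe_error() {
    case "$1" in
        '')                          echo SUPPORTED ;;
        *"Operation not supported"*) echo NOT_SUPPORTED ;;   # kernel or mount options
        *"Operation not permitted"*) echo NOT_PERMITTED ;;   # probably not running as root
        *)                           echo OTHER ;;
    esac
}

# run_check LABEL CMD ARGS... -> prints "LABEL: RESULT"; returns 0 only for SUPPORTED
run_check() {
    local label="$1" err res; shift
    err=$("$@" 2>&1 >/dev/null)            # keep stderr only
    res=$(classify_probe_error "$err")
    echo "$label: $res"
    [ "$res" = SUPPORTED ]
}

# probe_xattr_acl DIR -> runs the user xattr, security xattr and ACL tests from the
# text on a temp file in DIR; returns 1 if any fails, 2 if the tools are missing
probe_xattr_acl() {
    local dir="$1" f rc=0 cmd
    for cmd in setfattr setfacl; do
        command -v "$cmd" >/dev/null 2>&1 || { echo "$cmd not installed (attr/acl packages)"; return 2; }
    done
    f=$(mktemp "$dir/sambaprobe.XXXXXX") || return 2
    run_check "user xattr"     setfattr -n user.test -v test "$f"      || rc=1
    run_check "security xattr" setfattr -n security.test -v test2 "$f" || rc=1
    run_check "posix acl"      setfacl -m g:root:rwx "$f"              || rc=1   # the text uses g:adm
    rm -f "$f"
    return $rc
}

# sample_kernel_config -> writes a constructed config (ext4 lacks SECURITY) and prints its path
sample_kernel_config() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real /boot/config
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_XATTR=y
# CONFIG_EXT4_FS_SECURITY is not set
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT3_FS=m
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT3_FS_POSIX_ACL=y
EOF
    echo "$f"
}

# Usage: ./fs-check.sh DIR [ext3|ext4]  -- checks the running kernel's config when
# /boot/config-$(uname -r) is readable, then probes DIR (run as root)
if [ $# -gt 0 ]; then
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        m=$(kernel_config_missing "$cfg" "${2:-ext4}")
        echo "kernel config: ${m:-all required options enabled}"
    fi
    probe_xattr_acl "$1"
fi
```

Point the probe at the directory that will hold sysvol and at the share volumes, not only at /. If your kernel exposes its config only as /proc/config.gz, decompress it to a file first and pass that to kernel_config_missing. Note that newer kernels dropped CONFIG_EXT4_FS_XATTR because xattr support became unconditional, so on such a kernel its absence from the config is not an error; the xattr probe is the authoritative test.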

DNS Server


A working DNS setup is essential to the correct operation of Samba and AD. Without the right DNS entries, Kerberos won't work, which in turn means that many of the basic features won't work! It is worth spending some extra time to ensure your DNS setup is correct, as debugging problems caused by mis-configured DNS can take a lot of time later on. To manage DNS entries the DNS MMC on a Windows client can be used, or samba-tool on Linux - see DNS Administration for more information.

Samba provides two possible backends for DNS:

  1. Internal DNS: The internal DNS server is built into Samba and uses AD as its backend. It is also the default DNS solution when you provision or upgrade a Samba AD controller. The internal DNS is a new implementation that allows quick and easy setup of the DNS backend required for every AD installation. No further work is required to set it up. Currently it covers the important and required parts for AD.
  2. Bind9 dlz plugin: BIND can be set up to provide DNS resolution for zones managed in AD. They are accessible from BIND through the DLZ (dynamically loadable zones) plug-in. If you already have BIND running, plan complex DNS setups, or require special functions (zone transfers only from defined hosts, etc.) that are currently not supported by the internal DNS, BIND should be the preferred backend.

Internal DNS

If you chose the internal server as the DNS backend for your environment, there are two options that can be added to your smb.conf to control the behaviour of DNS:

 # Don't allow any updates | allow unsigned updates | only allow signed updates
 allow dns updates = False | nonsecure | signed

 # If recursive queries = yes is set, the following is also needed
 dns forwarder = <ip addr of external dns server>

Note: You should add these options after provisioning your Samba4.

Limitations / Known issues (https://wiki.samba.org/index.php/DNS#Limitations_.2F_Known_issues)

Bind9 DLZ plugin

Bind as backend for your Samba Active Directory Domain Controller is currently supported in versions 9.8 and 9.9 only. Users of Bind 9.7 are strongly encouraged to upgrade!

Recent versions of Debian (Debian 7 and up) and Ubuntu (12.04 LTS) ship Bind 9.8.x and Bind 9.9.x.

But make sure that your vendor compiled Bind with the '--with-gssapi' and '--with-dlopen' options before using it as the Samba AD DNS backend. In Debian Wheezy the '--with-dlopen' option is not present, but Bind9 works fine with the dlz plugin.

To install Bind9 DNS server from repositories:

 # apt-get install bind9 bind9utils

To check the compiled options of your Bind9 installation:

 # named -V
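Reading `named -V` by eye is error-prone on a long configure line, so here is an added example (not from the Samba wiki) that parses that output: it extracts the version, checks it against the 9.8/9.9 range the text names, requires '--with-gssapi', and reports '--with-dlopen' without failing on it, because the text notes that Debian Wheezy builds work without that option. The function names are constructed, and the sample text is constructed in the layout of `named -V` output rather than captured from a real host.

```bash
#!/bin/bash
# Inspect `named -V` output for the version and build options the text above asks for.
# Added example, not from the Samba wiki: function names are constructed, and the
# sample output below is constructed in the shape of `named -V` (not from a real host).

# bind_version "<named -V output>" -> the leading version number, e.g. 9.9.5
bind_version() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# bind_has_option "<named -V output>" with-gssapi -> 0 if BIND was configured with --with-gssapi
# (matches the option with or without a =value suffix)
bind_has_option() {
    printf '%s\n' "$1" | grep -Eq -- "--${2}([=' ]|$)"
}

# check_named_build "<named -V output>" -> prints findings; returns 1 if the version is
# outside 9.8/9.9 or --with-gssapi is absent. --with-dlopen is reported only, since
# the text notes that Debian Wheezy builds work without it.
check_named_build() {
    local out="$1" ver rc=0
    ver=$(bind_version "$out")
    case "$ver" in
        9.8|9.8.*|9.9|9.9.*) echo "version $ver: supported" ;;
        '')                  echo "version: could not parse"; rc=1 ;;
        *)                   echo "version $ver: not 9.8/9.9, upgrade"; rc=1 ;;
    esac
    if bind_has_option "$out" with-gssapi; then echo "--with-gssapi: present"
    else echo "--with-gssapi: ABSENT (required, see the note above)"; rc=1; fi
    if bind_has_option "$out" with-dlopen; then echo "--with-dlopen: present"
    else echo "--with-dlopen: absent (distribution builds may still load the DLZ module)"; fi
    return $rc
}

# sample_named_V -> constructed text in the layout of `named -V`
sample_named_V() {
    cat <<'EOF'
BIND 9.9.5-9+deb8u1-Debian (Extended Support Version)
built by make with '--prefix=/usr' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--with-openssl=/usr' '--with-gssapi=/usr' '--enable-ipv6' 'CFLAGS=-g -O2'
compiled by GCC 4.9.2
EOF
}

# Usage: ./named-check.sh --live   (inspects the installed named)
if [ "${1:-}" = "--live" ]; then
    check_named_build "$(named -V 2>&1)"
fi
```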

To configure forwarders:

To enable external queries:

 allow-query { 10.12.0.0/16; };

To allow queries from any network, use “any;”.

Then restart the bind9 daemon to apply the changes:

 # service bind9 restart

Changing DNS backend

You can change the DNS backend without problems.

Changing from Internal DNS to BIND

 # samba_upgradedns --dns-backend=BIND9_DLZ
 server services = ........ -dns

Changing from BIND to Internal DNS

 # samba_upgradedns --dns-backend=SAMBA_INTERNAL
 server services = ........ dns

Debugging Bind as Samba AD backend

For enabling debugging on the Bind DLZ module, change the following line in '/usr/local/samba/private/named.conf' from

    database "dlopen .../bin/modules/bind9/dlz_bind9.so";
to
    database "dlopen .../bin/modules/bind9/dlz_bind9.so -d 3";

If you are running Bind 9.9, then add the '-d 3' to the corresponding line.

Stop Bind and run the service manually to capture logs:

 # /usr/sbin/named -u named -f -g 2>&1 | tee named.log

Known issues and ways to fix/workaround

New added DNS entries are not resolvable

If you have problems resolving newly added DNS entries using the BIND9 DLZ interface, you may want to check the following:

Files in 'samba/private/dns/sam.ldb.d/' are hard links to 'samba/private/sam.ldb.d/'. Maybe you've copied or moved them across file systems, the hard linking got lost, and you're now running with two different copies of the databases (you can test this by adding a new DNS entry, e.g. with 'samba-tool'; if you can't resolve it, check whether the inodes differ).

If you run 'ls -i' on the two folders, you should see that the following files have the same inodes (which indicates that they are hard-linked):

 # cd /usr/local/samba/private/
 # ls -lai sam.ldb.d/
 32404 -rw-rw---- 2 root bind   4251648 Mar  5 11:39 DC=DOMAINDNSZONES,DC=UGENT2,DC=BE.ldb
 32405 -rw-rw---- 2 root bind   4251648 Mar  5 11:39 DC=FORESTDNSZONES,DC=UGENT2,DC=BE.ldb
 32397 -rw-rw---- 2 root bind    421888 Mar  6 00:11 metadata.tdb

 # ls -lai dns/sam.ldb.d/
 32404 -rw-rw---- 2 root bind 4251648 Mar  5 11:39 DC=DOMAINDNSZONES,DC=UGENT2,DC=BE.ldb
 32405 -rw-rw---- 2 root bind 4251648 Mar  5 11:39 DC=FORESTDNSZONES,DC=UGENT2,DC=BE.ldb
 32397 -rw-rw---- 2 root bind  421888 Mar  6 00:11 metadata.tdb

If the files in the two folders have different inode numbers, then they aren't hard-links. To fix this, run:

 # samba_upgradedns --dns-backend=BIND9_DLZ

This will recreate the DNS files with correct hard links and permissions. Then restart Bind.
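The inode comparison above can be automated so it catches a broken link before DNS updates silently land in the wrong copy. The following script is an added example, not from the Samba wiki: for every file under private/dns/sam.ldb.d/ it tests whether the file is the same inode as its counterpart under private/sam.ldb.d/ (bash's `-ef` test, which compares device and inode) and prints the inode numbers for comparison with the listing above. The function names are constructed, and the fixture it builds in a temp directory (one genuine hard link and one plain copy) is constructed too; on a real DC pass /usr/local/samba/private.

```bash
#!/bin/bash
# Verify that the BIND9_DLZ copies of the DNS partitions are hard links of the
# sam.ldb.d originals, as the text above describes.
# Added example, not from the Samba wiki; function names and the fixture are constructed.

# inode_of FILE -> prints the inode number, as `ls -i` shows it
inode_of() { ls -i -- "$1" | awk '{print $1}'; }

# check_dns_hardlinks PRIVATE_DIR -> for every file in PRIVATE_DIR/dns/sam.ldb.d/ prints
# "name: linked (inode N)" or "name: NOT linked (inodes A vs B)"; returns 1 if any differ
check_dns_hardlinks() {
    local orig="$1/sam.ldb.d" copy="$1/dns/sam.ldb.d" f name a b rc=0
    [ -d "$orig" ] && [ -d "$copy" ] || { echo "missing $orig or $copy"; return 2; }
    for f in "$copy"/*; do
        [ -e "$f" ] || continue                      # empty directory
        name=${f##*/}
        if [ ! -e "$orig/$name" ]; then
            echo "$name: no counterpart in $orig"; rc=1; continue
        fi
        a=$(inode_of "$orig/$name"); b=$(inode_of "$f")
        if [ "$orig/$name" -ef "$f" ]; then          # same device and inode
            echo "$name: linked (inode $a)"
        else
            echo "$name: NOT linked (inodes $a vs $b)"; rc=1
        fi
    done
    return $rc
}

# sample_private_dir -> builds a constructed private/ tree in a temp dir with one
# correct hard link and one broken (copied) file; prints its path
sample_private_dir() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/sam.ldb.d" "$d/dns/sam.ldb.d"
    echo zones  > "$d/sam.ldb.d/DC=DOMAINDNSZONES,DC=EXAMPLE,DC=COM.ldb"
    ln "$d/sam.ldb.d/DC=DOMAINDNSZONES,DC=EXAMPLE,DC=COM.ldb" "$d/dns/sam.ldb.d/"
    echo forest > "$d/sam.ldb.d/DC=FORESTDNSZONES,DC=EXAMPLE,DC=COM.ldb"
    cp "$d/sam.ldb.d/DC=FORESTDNSZONES,DC=EXAMPLE,DC=COM.ldb" "$d/dns/sam.ldb.d/"   # a copy, not a link
    echo "$d"
}

# Usage: ./dns-hardlink-check.sh /usr/local/samba/private
if [ $# -gt 0 ]; then
    check_dns_hardlinks "$1"
fi
```

A non-zero exit is the cue to run samba_upgradedns --dns-backend=BIND9_DLZ as described above and restart Bind; re-running the script afterwards should report every file as linked.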

DDNS updates not working

Check the following options. The first two belong in the BIND named.conf; the remaining four are smb.conf parameters:

 tkey-gssapi-keytab
 tkey-domain
 kerberos method = system keytab
 client ldap sasl wrapping = sign
 allow dns updates = nonsecure and secure
 nsupdate command = /usr/bin/nsupdate -g

The most important option is “allow dns updates = nonsecure and secure”.

Configure NTP


Active Directory requires an accurate time synchronization between the clients and the DC(s). It's highly recommended to run NTP or another form of synchronization. The Configure NTP page shows the full NTP configuration process including SELinux policies.

You require a recent ntpd version (>= 4.2.6) that supports signed NTP. E.g. the versions shipped with RHEL6 and Ubuntu < 11.04 are too old. The ntpd of Debian Squeeze supports signed NTP.

NOTE: If you are using an OpenVZ CT you must follow the steps in time capability on OpenVZ CT before continuing.

To install NTP:

 # apt-get install ntp

To check ntpd version:

 # ntpd --version

To enable support for signed NTP, adjust the config in /etc/ntp.conf:

 # Local clock
 server 127.127.1.0
 fudge 127.127.1.0  stratum 8

 # For signed NTP
 ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/

 # For SerNet packages. If you are using it comment the above line and uncomment the next line
 # ntpsigndsocket /var/lib/samba/ntp_signd/

Then adjust the “restrict default” policy in your /etc/ntp.conf:

 # Access control
 # Default restriction: Only allow querying time (incl. ms-sntp) from this machine
 restrict default kod nomodify notrap nopeer mssntp

A suitable configuration for ntp.conf may be:

 # Local clock (Note: This is not the localhost address!)
 server 127.127.1.0
 fudge  127.127.1.0 stratum 10

 # The source, where we are receiving the time from
 server 0.pool.ntp.org     iburst prefer

 driftfile       /var/lib/ntp/ntp.drift
 logfile         /var/log/ntp
 ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/

 # Access control
 # Default restriction: Only allow querying time (incl. ms-sntp) from this machine
 restrict default kod nomodify notrap nopeer mssntp

 # Allow everything from localhost
 restrict 127.0.0.1

 # Allow that our time source can only provide time and do nothing else
 restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Finally, check that the socket permissions are set correctly. The socket directory must be readable by the account your ntpd runs as and should not be accessible by others:

 # chown root:ntp /usr/local/samba/var/lib/ntp_signd/
 # chmod 750 /usr/local/samba/var/lib/ntp_signd/

 # ls -ld /usr/local/samba/var/lib/ntp_signd/
 drwxr-x--- 2 root ntp 4096  1. May 09:30 /usr/local/samba/var/lib/ntp_signd/
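The ntp.conf and socket-directory requirements above are easy to get half right (for example a commented-out ntpsigndsocket line, or a "restrict default" line without mssntp). The following script is an added example, not from the Samba wiki: it reads an ntp.conf, takes the last uncommented ntpsigndsocket and "restrict default" lines, checks that mssntp, nomodify, notrap and nopeer are present, and verifies that the signd directory denies all access to "other" (mode 750 or stricter). The function names and the sample ntp.conf are constructed; the mode check assumes GNU stat, with a BSD stat fallback.

```bash
#!/bin/bash
# Check an ntp.conf for the signed-NTP settings above and the ntp_signd directory mode.
# Added example, not from the Samba wiki: function names and the sample ntp.conf are
# constructed; the mode check assumes GNU stat, with a BSD stat fallback.

# effective_directive FILE DIRECTIVE -> value of the last uncommented DIRECTIVE line
effective_directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); val = $0 } END { print val }' "$1"
}

# restrict_default_flags FILE -> the flags on the last "restrict default" line
restrict_default_flags() {
    awk '$1 == "restrict" && $2 == "default" { $1 = ""; $2 = ""; sub(/^ +/, ""); val = $0 }
         END { print val }' "$1"
}

# check_ntp_conf FILE -> prints findings; returns 1 unless ntpsigndsocket is set and
# "restrict default" carries mssntp together with nomodify notrap nopeer
check_ntp_conf() {
    local file="$1" sock flags want rc=0
    sock=$(effective_directive "$file" ntpsigndsocket)
    if [ -n "$sock" ]; then echo "ntpsigndsocket: $sock"
    else echo "ntpsigndsocket: MISSING (ntpd cannot ask Samba to sign replies)"; rc=1; fi
    flags=$(restrict_default_flags "$file")
    for want in mssntp nomodify notrap nopeer; do
        case " $flags " in
            *" $want "*) ;;
            *) echo "restrict default: $want missing (flags: ${flags:-none})"; rc=1 ;;
        esac
    done
    return $rc
}

# check_signd_dir DIR -> prints mode and owner; returns 0 only if "other" has no access
check_signd_dir() {
    local dir="$1" mode owner
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }
    mode=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir")
    owner=$(stat -c %U:%G "$dir" 2>/dev/null || stat -f %Su:%Sg "$dir")
    echo "$dir: mode $mode owner $owner"
    case "$mode" in *0) return 0 ;; *) return 1 ;; esac      # last octal digit = other class
}

# sample_ntp_conf -> a constructed ntp.conf with signed NTP NOT yet enabled
sample_ntp_conf() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real ntp.conf
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server 0.pool.ntp.org iburst prefer
# ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
EOF
    echo "$f"
}

# Usage: ./ntp-check.sh /etc/ntp.conf [/usr/local/samba/var/lib/ntp_signd/]
if [ $# -gt 0 ]; then
    check_ntp_conf "$1"
    check_signd_dir "${2:-/usr/local/samba/var/lib/ntp_signd/}"
fi
```

For SerNet packages pass /var/lib/samba/ntp_signd/ as the second argument. The owner is printed rather than enforced because the ntpd account name differs between distributions; compare it with the chown above.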

NOTE: for SerNet Packages the socket is located in /var/lib/samba/ntp_signd/

Restart NTP:

 # service ntp restart

To view NTP peers list:

 # ntpq -pn

To view connected clients:

 # ntpdc -c monlist

To sync with other NTP servers:

 # ntpd -qg

You can check whether ntpd is synchronized after 5 or 10 minutes:

 # ntptrace

After synchronization, save the time to the hardware clock:

 # hwclock -w

Check that your network IP address is static

 # nano /etc/network/interfaces

Example to configure network interfaces:

 # The primary network interface
 allow-hotplug eth0
 iface eth0 inet static
     address 10.12.112.84
     netmask 255.255.255.0
     gateway 10.12.112.254