Requirements
If you plan to install Samba from source, you must install the following dependencies. If you install Samba4 using a package manager, you only need to install the recommended dependencies.
Required
These packages are required for a successful build of Samba 4.
Recommended optional development libraries and programs:
In most distributions these libraries are labeled lib*-dev or lib*-devel; for example, on Debian or Ubuntu the acl library is libacl1-dev, but on Fedora, RHEL, CentOS, and openSUSE it is named libacl-devel.
The following examples cover all of these libraries, as well as bind, kerberos, and file system tools. If you plan to use the internal DNS server, you do not need bind, but you still need the package that contains the nsupdate binary.
# apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
Note: docbook-xsl, xsltproc, and inkscape may be required for building the man pages.
Note: if you need pam winbind support, you will need the libpam0g-dev package installed.
If you plan to use the Samba4 SerNet repository, follow the instructions in the Samba4 Sernet Repository Wiki and install these packages:
# apt-get install dnsutils attr krb5-user acl
# yum install libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig libattr-devel krb5-workstation
# yum install gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils
To use the advanced features of Samba4 you need a filesystem that supports both the “user” and “system” xattr namespaces.
You need this support on the file systems that you will share with Samba. For many users that will be their /home volume. However, the 'samba-tool provision' command also tests support by creating a temporary file in the 'sysvol'. This might be /usr/local/samba for a local install, or might be somewhere else. That filesystem also needs ACL and XATTR support.
If you are using ext4 for your file system, you will need to include the option “barrier=1” in your /etc/fstab. For example:
# / was on /dev/sda5 during installation
UUID=5e6e3446-5963-466e-86a7-b6376442d743 / ext4 defaults,barrier=1 1 1
If you are using ext3 for your file system, you will need to include the options “user_xattr”, “acl” and “barrier=1” in your /etc/fstab. For example:
# / was on /dev/sda5 during installation
UUID=5e6e3446-5963-466e-86a7-b6376442d743 / ext3 defaults,user_xattr,acl,barrier=1 1 1
NOTE: The barrier=1 option ensures that tdb transactions are safe against unexpected power loss. A number of sites have corrupted their AD database in sam.ldb by not having this option enabled.
Then restart the server to apply the changes or type:
# mount -a
If you plan to deploy the Samba4 AD DC in a Proxmox container, log in to the Proxmox server through ssh, open /etc/fstab and adjust the entry as follows:
/dev/pve/data /var/lib/vz ext3 defaults,user_xattr,acl,barrier=1 1 1
Finally remount the file system:
# mount -a
You also need to compile your kernel with the XATTR, SECURITY, and POSIX_ACL options for your filesystem (in Debian and Ubuntu those options are enabled by default). For ext4 that means you need (change the 4 to a 3 for ext3):
CONFIG_EXT4_FS_XATTR=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_EXT4_FS_POSIX_ACL=y
If you are running a Linux 2.6 (or greater) kernel with CONFIG_IKCONFIG_PROC defined, you can check this with the following command on Debian/Ubuntu:
# zgrep CONFIG_EXT4_FS /boot/config-`uname -r`
If you don't have a filesystem with xattr support, then you can simulate it by adding the following line to your smb.conf:
posix:eadb = /usr/local/samba/eadb.tdb
This will place all extra file attributes (NT ACLs, DOS EAs, streams, etc.) in that tdb. It is not efficient and doesn't scale well, but at least it gives you a choice when you don't have a modern filesystem.
To test your filesystem support, run the following 4 commands as root:
# touch test.txt
# setfattr -n user.test -v test test.txt
# setfattr -n security.test -v test2 test.txt
# getfattr -d test.txt
# getfattr -n security.test -d test.txt
You should see output like this:
# file: test.txt
user.test="test"

# file: test.txt
security.test="test2"
For ACL testing do the following as root:
# touch test3.txt
# setfacl -m g:adm:rwx test3.txt
# getfacl test3.txt
and you should get a line like group:adm:rwx in your output.
If you get any “Operation not supported” errors then it means your kernel is not configured correctly, or your filesystem is not mounted with the right options.
If you get any “Operation not permitted” errors then it probably means you didn't try the test as root.
If you are using the posix:eadb option then you don't need to test your filesystem in this manner.
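The xattr and ACL probes above, as an added shell script that is not part of this page: it runs the same setfattr/setfacl probes against a temporary file in a directory you name (the sysvol location or a share) and maps each error message to the cause the text gives. The directory argument, the classify_error helper and the findmnt mount-option lookup are this example's own choices.

```shell
#!/bin/sh
# Added example: probe a directory for user.*/security.* xattr and POSIX ACL
# support, the way 'samba-tool provision' does with a temporary file in sysvol.

# classify_error <stderr text>: map an error message to the cause given in the text.
classify_error() {
    case "$1" in
        "")                          echo "ok" ;;
        *"Operation not supported"*) echo "not-supported: kernel config or mount options" ;;
        *"Operation not permitted"*) echo "not-permitted: not running as root" ;;
        *)                           echo "error: $1" ;;
    esac
}

# mount_options <dir>: mount options of the filesystem holding <dir> (util-linux findmnt).
mount_options() {
    findmnt -no OPTIONS --target "$1" 2>/dev/null || echo "(findmnt unavailable)"
}

# check_xattr_acl <dir>: run the three probes on a fresh temporary file; 0 if all succeed.
check_xattr_acl() {
    dir=$1
    f=$(mktemp "$dir/samba-fscheck.XXXXXX") || return 1
    rc=0
    echo "mount options: $(mount_options "$dir")"
    for probe in "setfattr -n user.test -v test" \
                 "setfattr -n security.test -v test2" \
                 "setfacl -m g:adm:rwx"; do
        # capture stderr only; a successful probe prints nothing
        err=$($probe "$f" 2>&1 >/dev/null || true)
        result=$(classify_error "$err")
        echo "$probe -> $result"
        [ "$result" = "ok" ] || rc=1
    done
    rm -f -- "$f"
    return $rc
}

# Usage (as root): sh fscheck.sh /usr/local/samba
if [ $# -gt 0 ]; then
    check_xattr_acl "$1"
fi
```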
A working DNS setup is essential to the correct operation of Samba and AD. Without the right DNS entries, Kerberos won't work, which in turn means that many of the basic features won't work! It is worth spending some extra time to ensure your DNS setup is correct, as debugging problems caused by misconfigured DNS can take a lot of time later on. To manage DNS entries, the DNS MMC on a Windows client can be used, or samba-tool on Linux - see DNS Administration for more information.
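A quick way to confirm the DNS entries Kerberos and LDAP clients depend on, as an added shell script that is not part of this page: it queries the standard Active Directory SRV names for a realm with dig (from the dnsutils/bind-utils package installed above) and reports which are missing. The realm and optional server arguments are this example's own.

```shell
#!/bin/sh
# Added example: check the SRV records AD clients look up for a realm.
# The record names are the standard AD ones; the realm is supplied by the caller.

# srv_targets <dig +short SRV output>: print "host:port" for each answer line
# (dig +short prints "priority weight port target." per SRV record).
srv_targets() {
    printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# check_ad_srv <realm> [dns server]: query each required SRV name; 0 if all resolve.
check_ad_srv() {
    realm=$1
    server=${2:+@$2}
    rc=0
    for name in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp _ldap._tcp.dc._msdcs; do
        answer=$(dig +short SRV "$name.$realm" $server 2>/dev/null || true)
        targets=$(srv_targets "$answer")
        if [ -n "$targets" ]; then
            echo "ok       $name.$realm -> $(echo $targets)"
        else
            echo "MISSING  $name.$realm"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh adsrv.sh samdom.example.com [10.12.112.84]
if [ $# -gt 0 ]; then
    check_ad_srv "$@"
fi
```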
Samba provides two possible backends for DNS:
If you choose the internal server as the DNS backend for your environment, there are two options you can add to your smb.conf to control the behavior of DNS:
# Don't allow any updates | allow unsigned updates | only allow signed updates
allow dns updates = False | nonsecure | signed
# If recursive queries = yes is set, the following is also needed
dns forwarder = <ip addr of external dns server>
Note: You should add these options after provisioning your Samba4.
Limitations / Known issues (https://wiki.samba.org/index.php/DNS#Limitations_.2F_Known_issues)
Bind as backend for your Samba Active Directory Domain Controller is currently supported in version 9.8 and 9.9 only. Users of Bind 9.7 are strongly encouraged to upgrade!
Recent versions of Debian (Debian 7 and up) and Ubuntu (12.04 LTS) have Bind 9.8.x and Bind 9.9.x.
Make sure that your vendor compiled Bind with the '--with-gssapi' and '--with-dlopen' options before using it as the Samba AD DNS backend. In Debian Wheezy the '--with-dlopen' option is not present, but Bind9 works fine with the DLZ plugin.
To install Bind9 DNS server from repositories:
# apt-get install bind9 bind9utils
To check compiled options for your Bind9 installation
# named -V
To configure forwarders:
To enable external queries:
allow-query { 10.12.0.0/16; };
To allow queries from any network, use “any;” instead.
Then restart the bind9 daemon to apply the changes:
# service bind9 restart
You can change the DNS backend at any time without problems.
Changing from Internal DNS to BIND
# samba_upgradedns --dns-backend=BIND9_DLZ
server services = ........ -dns
Changing from BIND to Internal DNS
# samba_upgradedns --dns-backend=SAMBA_INTERNAL
server services = ........ dns
To enable debugging in the Bind DLZ module, change the following line in '/usr/local/samba/private/named.conf' from
database "dlopen .../bin/modules/bind9/dlz_bind9.so";
to
database "dlopen .../bin/modules/bind9/dlz_bind9.so -d 3";
If you are running Bind 9.9, then add the '-d 3' to the corresponding line.
Stop Bind and run the service manually to capture logs:
# /usr/sbin/named -u named -f -g 2>&1 | tee named.log
Newly added DNS entries are not resolvable
If you have problems resolving newly added DNS entries using the BIND9 DLZ interface, you may want to check the following:
Files in 'samba/private/dns/sam.ldb.d/' are hardlinks to 'samba/private/sam.ldb.d/'. If you have copied or moved them across filesystems, the hardlinking may have been lost, and you are now running with two different copies of the databases. (You can test this by adding a new DNS entry, e.g. with 'samba-tool'. If you can't resolve it, check whether the inodes differ.)
If you run 'ls -i' on the two folders, you should see that the following files have the same inodes (which indicates that they are hard-linked):
# cd /usr/local/samba/private/
# ls -lai sam.ldb.d/
32404 -rw-rw---- 2 root bind 4251648 Mar  5 11:39 DC=DOMAINDNSZONES,DC=UGENT2,DC=BE.ldb
32405 -rw-rw---- 2 root bind 4251648 Mar  5 11:39 DC=FORESTDNSZONES,DC=UGENT2,DC=BE.ldb
32397 -rw-rw---- 2 root bind  421888 Mar  6 00:11 metadata.tdb
# ls -lai dns/sam.ldb.d/
32404 -rw-rw---- 2 root bind 4251648 Mar  5 11:39 DC=DOMAINDNSZONES,DC=UGENT2,DC=BE.ldb
32405 -rw-rw---- 2 root bind 4251648 Mar  5 11:39 DC=FORESTDNSZONES,DC=UGENT2,DC=BE.ldb
32397 -rw-rw---- 2 root bind  421888 Mar  6 00:11 metadata.tdb
If the files in the two folders have different inode numbers, then they aren't hard-links. To fix this, run:
# samba_upgradedns --dns-backend=BIND9_DLZ
This will recreate the DNS files with correct hard links and permissions. Then restart Bind.
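The inode comparison above, as an added shell script that is not part of this page: it walks every file under private/dns/sam.ldb.d/ and checks that it shares an inode with its counterpart in private/sam.ldb.d/, so a lost hard link is reported before DNS resolution starts failing. The private-directory argument and the helper names are this example's own.

```shell
#!/bin/sh
# Added example: verify that the DLZ copies of the DNS partitions under
# private/dns/sam.ldb.d/ are hard links of the originals in private/sam.ldb.d/.

# inode_of <path>: print the inode number (ls -i is POSIX, unlike stat -c %i).
inode_of() {
    ls -di -- "$1" | awk '{print $1}'
}

# same_inode <a> <b>: 0 when both paths exist and are the same inode (hard-linked).
same_inode() {
    [ -e "$1" ] && [ -e "$2" ] && [ "$(inode_of "$1")" = "$(inode_of "$2")" ]
}

# check_dns_hardlinks <private dir>: compare each file in dns/sam.ldb.d/ with the
# file of the same name in sam.ldb.d/; 0 if every one is a hard link.
check_dns_hardlinks() {
    private=$1
    rc=0
    for dlz in "$private"/dns/sam.ldb.d/*; do
        [ -e "$dlz" ] || continue                 # unmatched glob, nothing to check
        name=$(basename -- "$dlz")
        orig="$private/sam.ldb.d/$name"
        if same_inode "$orig" "$dlz"; then
            echo "ok        $name (inode $(inode_of "$orig"))"
        else
            echo "MISMATCH  $name: dns/sam.ldb.d copy is not a hard link of sam.ldb.d"
            rc=1
        fi
    done
    [ $rc -eq 0 ] || echo "fix: samba_upgradedns --dns-backend=BIND9_DLZ, then restart Bind"
    return $rc
}

# Usage: sh dnslinks.sh /usr/local/samba/private
if [ $# -gt 0 ]; then
    check_dns_hardlinks "$1"
fi
```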
DDNS updates not working
tkey-gssapi-keytab
tkey-domain
kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure
nsupdate command = /usr/bin/nsupdate -g
The most important option is “allow dns updates = nonsecure and secure”.
Active Directory requires an accurate time synchronization between the clients and the DC(s). It's highly recommended to run NTP or another form of synchronization. The Configure NTP page shows the full NTP configuration process including SELinux policies.
You require a recent ntpd version (≥ 4.2.6) that supports signed NTP. E.g. the versions shipped with RHEL6 and Ubuntu < 11.04 are too old. The ntpd of Debian Squeeze supports signed NTP.
NOTE: If you are using an OpenVZ CT, you must follow the steps in time capability on OpenVZ CT before continuing.
To install NTP:
# apt-get install ntp
To check ntpd version:
# ntpd --version
To enable support for signed NTP, adjust the config in /etc/ntp.conf:
# Local clock
server 127.127.1.0
fudge 127.127.1.0 stratum 8

# For signed NTP
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
# For SerNet packages. If you are using it comment the above line and uncomment the next line
# ntpsigndsocket /var/lib/samba/ntp_signd/
Then adjust the “restrict default” policy in your /etc/ntp.conf by:
# Access control
# Default restriction: Only allow querying time (incl. ms-sntp) from this machine
restrict default kod nomodify notrap nopeer mssntp
A suitable configuration for ntp.conf may be:
# Local clock (Note: This is not the localhost address!)
server 127.127.1.0
fudge 127.127.1.0 stratum 10

# The source, where we are receiving the time from
server 0.pool.ntp.org iburst prefer

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp

ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/

# Access control
# Default restriction: Only allow querying time (incl. ms-sntp) from this machine
restrict default kod nomodify notrap nopeer mssntp

# Allow everything from localhost
restrict 127.0.0.1

# Allow that our time source can only provide time and do nothing else
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
Finally, check that the socket permissions are set correctly. The socket directory must be readable by the account your ntpd uses and should not be accessible by others:
# chown root:ntp /usr/local/samba/var/lib/ntp_signd/
# chmod 750 /usr/local/samba/var/lib/ntp_signd/
# ls -ld /usr/local/samba/var/lib/ntp_signd/
drwxr-x--- 2 root ntp 4096 1. May 09:30 /usr/local/samba/var/lib/ntp_signd/
NOTE: for SerNet Packages the socket is located in /var/lib/samba/ntp_signd/
Restart NTP:
# service ntp restart
To view NTP peers list:
# ntpq -pn
To view connected clients:
# ntpdc -c monlist
To sync with other NTP servers:
# ntpd -qg
You can check whether ntpd is synchronized after 5 or 10 minutes:
# ntptrace
After synchronizing, save the time to the hardware clock:
# hwclock -w
# nano /etc/network/interfaces
Example configuration of the network interfaces:
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
    address 10.12.112.84
    netmask 255.255.255.0
    gateway 10.12.112.254