Samba4 Installation and Configuration

Posted in linux, samba

At the University of Navarra, where I work, a new project has emerged: the integration of samba4 and VMware View (VDI).

In this post I will explain how to install and configure a samba4 server. For anyone who does not know what features this software provides:

  • support of the ‘Active Directory’ logon and administration protocols, supporting XP, Windows7 and OS X clients
  • support for Group Policy definitions
  • new ‘full coverage’ testsuites
  • full NTFS semantics for sharing backends
  • Internal LDAP server, with AD semantics
  • Internal Kerberos server, including PAC support
  • Bind9 integration for AD DNS support (with DLZ)
  • fully asynchronous internals
  • flexible process models
  • better scalability from micro to very large installations
  • new RPC infrastructure (PIDL)
  • flexible database architecture (LDB)
  • Python support – used extensively for client and management tools
  • generic security subsystem (GENSEC)
  • over 50% auto-generated code!
  • implement an Active Directory compatible Domain Controller

OK, now let's start with the installation.

Samba4 Installation

Pre-requisites

Install the necessary libraries for the compilation

yum install zlib-devel setroubleshoot-server \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel \
libblkid-devel gnutls-devel readline-devel \
python-devel gdb pkgconfig

Download the software

The first thing to do is download the samba4 source tarball: check the latest version on the official Samba FTP site and download it. The tarball is fetched over plain HTTP, so also fetch the detached signature published alongside it and verify it with gpg against the Samba release key before building (Samba signs the uncompressed .tar, so gunzip first); otherwise a compromised mirror or a man-in-the-middle can hand you a trojaned source tree that you then run as root as your domain controller.

wget http://ftp.samba.org/pub/samba/samba4/samba-4.0.0beta5.tar.gz

Install SAMBA4

Extract and install

tar xvfz samba-4.0.0beta5.tar.gz

If we configure in developer mode, the build includes extra debug information that will help us diagnose problems in case of failures (for a production server the plain ./configure is the normal choice):

./configure.developer
'configure' finished successfully (39.442s)

If we have an LDAP server we have the possibility of integrating samba with LDAP:

./configure.developer --with-ldap

But make sure you have the correct configuration in your /etc/ldap.conf file (this is the nss_ldap/pam_ldap client configuration of the host):

cat /etc/ldap.conf 
ldap_version 3
pam_login_attribute uid
ssl start_tls
TLS_REQCERT allow
HOST ldap.albertolarripa.com,
BASE ou=smb,o=accounts,dc=albertolarripa,dc=com

One caveat on that file: "TLS_REQCERT allow" means the client accepts the LDAP server's certificate even when it cannot be verified, so start_tls gives you encryption but no protection against a spoofed server. For production set "TLS_REQCERT demand" and point TLS_CACERT at the CA that issued the server certificate.

OK, let's continue with the installation:

make
'build' finished successfully (11m13.591s)
make install
'install' finished successfully (3m12.719s)

By default, if we do not specify the installation directory (--prefix), it is "/usr/local/samba".

Domain creation

If you want to set up your new samba DC as an additional domain controller in an existing domain, follow the "join" procedure in the Samba documentation; if instead you want to migrate your current samba3 domain to samba4, follow the samba3 upgrade documentation.

But if you want to set up a new domain, provision it with the command below (in the 4.0 release this is "samba-tool domain provision"). Passing --adminpass on the command line leaves the Administrator password in your shell history and visible to anyone running ps while the provision runs; if you leave the option out, the tool generates a random password and prints it. Either way, this account is a Domain Admin, so use a strong password:

/usr/local/samba/sbin/provision \
  --realm=samba4.albertolarripa.com --domain=SAMBA4 \
  --adminpass=PASSWD --server-role=dc

The output:

Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=samba4,DC=albertolarripa,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=samba4,DC=albertolarripa,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Unable to find group id for BIND,
 set permissions to sam.ldb* files manually
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: pdc
NetBIOS Domain: SAMBA4
DNS Domain: samba4.albertolarripa.com
DOMAIN SID: S-1-5-21-2245891800-3728967979-3598708122
A phpLDAPadmin configuration file suitable for administering the Samba 4 LDAP server has been created in /usr/local/samba/private/phpldapadmin-config.php.

PATH

Make sure you put the bin and sbin directories from your new install in your $PATH

Before (the samba directories are missing):

echo $PATH
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

Edit the /etc/profile file and add at the end of the file:

export PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH

Test

# . /etc/profile
# echo $PATH
/usr/local/samba/bin:/usr/local/samba/sbin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

Start SAMBA

There are several ways to start samba:

  • If you want to run samba4 in a production environment, run samba as root:
 /usr/local/samba/sbin/samba

Or create a startup script:

#!/bin/bash
#
# samba4       Bring up/down the samba4 service
#
# chkconfig: - 90 10
# description: Starts/stops the Samba4 AD domain controller at boot time.
#
### BEGIN INIT INFO
# Provides: samba4
# Should-Start:
# Short-Description: Bring up/down samba4
# Description: Bring up/down samba4
### END INIT INFO

# Source function library.
. /etc/init.d/functions

if [ -f /etc/sysconfig/samba4 ]; then
	. /etc/sysconfig/samba4
fi

prog="samba4"
SAMBA=/usr/local/samba/sbin/samba

# Return 0 if the samba daemon is running.
running() {
	ps ax | grep -v grep | grep -q "$SAMBA"
}

start() {
	echo -n $"Starting $prog: "
	$SAMBA
	sleep 2
	if running; then success $"$prog startup"; else failure $"$prog startup"; fi
	echo
}
stop() {
	echo -n $"Shutting down $prog: "
	killall samba
	sleep 2
	if running; then failure $"$prog shutdown"; else success $"$prog shutdown"; fi
	echo
}
# Named samba_status so as not to shadow the status() helper from
# /etc/init.d/functions; "samba --show-build" only prints build options,
# it does not tell you whether the daemon is up.
samba_status() {
	if running; then
		echo "$prog is running"
	else
		echo "$prog is stopped"
		return 3
	fi
}

# See how we were called.
case "$1" in
start)
	start
	;;
stop)
	stop
	;;
status)
	samba_status
	;;
restart|reload)
	stop
	start
	;;
*)
	echo $"Usage: $0 {start|stop|restart|status}"
	exit 1
esac

exit 0
  • If you need to run samba4 as a developer, run it in interactive mode:
 /usr/local/samba/sbin/samba -i -M single
  • If you want to run it in debug mode, you can choose among several debug levels, for example:
/usr/local/samba/sbin/samba -iM single -d 4

Samba4 testing

First check you have the right version of smbclient in your $PATH

# smbclient -V
Version 4.0.0beta5

Now list the shares available on your server (this is an anonymous connection, so it also tells you what an unauthenticated client can see):

# smbclient -L localhost -U%
Domain=[SAMBA4] OS=[Unix] Server=[Samba 4.0.0beta5]

Sharename Type Comment

--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.0.0beta5)
Domain=[SAMBA4] OS=[Unix] Server=[Samba 4.0.0beta5]

Server Comment
--------- -------

Workgroup Master
--------- -------

Now test authenticated access to your domain (omit %PASSWORD to be prompted, rather than leaving the Administrator password in your shell history):

# smbclient //localhost/netlogon -Uadministrator%PASSWORD
Domain=[SAMBA4] OS=[Unix] Server=[Samba 4.0.0beta5]
smb: \>

DNS Installation

As the official Samba4 documentation says:

A working DNS setup is essential to the correct operation of Samba4. Without the right DNS entries, Kerberos won't work, which in turn means that many of the basic features of Samba4 won't work.

It is worth spending some extra time to ensure your DNS setup is just right, as debugging problems caused by mis-configured DNS can take a lot of time later on.

For the correct integration of samba4 and BIND we need BIND 9.8.x or newer installed, built with GSSAPI (so it can verify the signed dynamic updates sent by domain members) and with dlopen support (so it can load Samba's DLZ module).

Pre-requisites

For the BIND build we need a recent OpenSSL package (1.0.1c was the current release when this was written; take the latest one available):

wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz

Extract and install it:

tar xvfz openssl-1.0.1c.tar.gz
./config  --prefix=/usr/local/openssl --openssldir=/usr/local/openssl/lib
make
make install

Download bind

wget ftp://ftp.ciril.fr/pub/isc/bind9/9.9.1-P2/bind-9.9.1-P2.tar.gz

Install bind

Build BIND with GSSAPI and dlopen support. Note that --with-dlopen takes yes/no; the OpenSSL prefix is passed separately with --with-openssl:

tar xvfz bind-9.9.1-P2.tar.gz
cd bind-9.9.1-P2
./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes --with-openssl=/usr/local/openssl
make
make install

Configure Bind

Now it is time to configure the DNS server. Assuming you have BIND 9.8.x or newer installed, edit the /etc/named.conf file and add the samba4 configuration:

 include "/usr/local/samba/private/named.conf";

and, in the options block, the keytab BIND uses to verify the signed (GSS-TSIG) dynamic updates sent by domain members:

tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

If named runs as an unprivileged user rather than as root, that user also needs read/write access to the sam.ldb* files (the provision step warned about this: "Unable to find group id for BIND, set permissions to sam.ldb* files manually") and read access to dns.keytab, because the DLZ module opens the directory database directly.

Here is my named.conf file:

acl samba4 { 192.168.100.0/24; };
acl interfaces { 192.168.100.201; 127.0.0.1; };

options {
        listen-on { interfaces; };
        notify no;
        recursive-clients 1500;
        tcp-clients 200;
        minimal-responses yes;
        provide-ixfr yes;
        request-ixfr yes;
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
        recursion yes;
};

logging {
        channel daemon_info {
                syslog daemon;
                severity debug;
                print-category yes;
                print-severity yes;
                print-time no;
                };
        category lame-servers { null; };
        category default { daemon_info; };
};

view "samba" {
        match-clients { samba4; };
        allow-update { localhost; samba4; };
        allow-query { localhost; samba4; };
        include "/usr/local/samba/private/named.conf";
};

Edit /usr/local/samba/private/named.conf and uncomment the database line that matches your BIND version:

  • For BIND 9.8.x
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};
  • For BIND 9.9.x
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};

OK, now test whether the named daemon starts without errors:

# named && tail -f /var/log/messages 
Aug 12 10:30:33 pdc named[10853]: automatic empty zone: view samba: B.E.F.IP6.ARPA
Aug 12 10:30:33 pdc named[10853]: automatic empty zone: view samba: 8.B.D.0.1.0.0.2.IP6.ARPA
Aug 12 10:30:33 pdc named[10853]: open: /etc/rndc.key: file not found
Aug 12 10:30:33 pdc named[10853]: couldn't add command channel 127.0.0.1#953: file not found
Aug 12 10:30:33 pdc named[10853]: open: /etc/rndc.key: file not found
Aug 12 10:30:33 pdc named[10853]: couldn't add command channel ::1#953: file not found
Aug 12 10:30:33 pdc named[10853]: the working directory is not writable
Aug 12 10:30:33 pdc named[10853]: general: info: managed-keys-zone/samba: loaded serial 0
Aug 12 10:30:33 pdc named[10853]: general: notice: all zones loaded
Aug 12 10:30:33 pdc named[10853]: general: notice: running

The zones load, but the "/etc/rndc.key: file not found" messages mean named started without a control channel, so rndc reload and rndc stop will not work; run "rndc-confgen -a" to create /etc/rndc.key before starting named. Note also that named was started without -u here, so it runs as root, which is why no sam.ldb permission problem shows up.

Test samba4 and named

Test whether samba4 starts correctly by running it in debug and interactive mode:

samba -i -M single -d 4

Python-DNS

In my case I got Python 2.4 errors:

/usr/local/samba/sbin/smbd: smbd version 4.0.0beta5 started.
/usr/local/samba/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2012
/usr/local/samba/sbin/smbd: WARNING: No path in service IPC$ - making it unavailable!
/usr/local/samba/sbin/smbd: standard input is not a socket, assuming -D option
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
/usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 50, in ?
/usr/local/samba/sbin/samba_dnsupdate: samba.ensure_external_module("dns", "dnspython")
/usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/lib64/python2.4/site-packages/samba/__init__.py", line 345, in ensure_external_module
/usr/local/samba/sbin/samba_dnsupdate: import_bundled_package(modulename, location)
/usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/lib64/python2.4/site-packages/samba/__init__.py", line 331, in import_bundled_package
/usr/local/samba/sbin/samba_dnsupdate: sys.modules[modulename] = __import__(
/usr/local/samba/sbin/samba_dnsupdate: TypeError: __import__() takes no keyword arguments

To resolve it, install the python-dns package. The rpm output below says "Header V3 DSA signature: NOKEY", i.e. the package signature could not be checked because the EPEL signing key was not imported; import the EPEL 5 key with rpm --import first so the signature is actually verified rather than ignored:

wget ftp://rpmfind.net/linux/epel/5/x86_64/python-dns-1.9.4-1.el5.noarch.rpm
# rpm -ivh python-dns-1.9.4-1.el5.noarch.rpm 
warning: python-dns-1.9.4-1.el5.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 217521f6
Preparing...                ########################################### [100%]
   1:python-dns             ########################################### [100%]

resolv.conf

Now it is time to change your name server: edit /etc/resolv.conf so the DC resolves through the BIND instance that serves the AD zone:

search albertolarripa.com
nameserver 192.168.100.201
domain samba4.albertolarripa.com

Note that "domain" and "search" are mutually exclusive in resolv.conf: when both are present the last one wins, so here only the "domain" line takes effect.

Test your DNS

Now you need to test that DNS is working correctly

# host -t SRV _ldap._tcp.samba4.albertolarripa.com
_ldap._tcp.samba4.albertolarripa.com has SRV record 0 100 389 pdc.samba4.albertolarripa.com.
# host -t SRV _kerberos._udp.samba4.albertolarripa.com
_kerberos._udp.samba4.albertolarripa.com has SRV record 0 100 88 pdc.samba4.albertolarripa.com.
# host -t A samba.samba4.albertolarripa.com
Host samba.samba4.albertolarripa.com not found: 3(NXDOMAIN)

You can check whether the Samba DNS update (the step that registers the DC's own records) runs correctly:

# /usr/local/samba/sbin/samba_dnsupdate --verbose
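As an added example (not part of the original post, and not Samba's own tooling), here is a small POSIX shell script that checks the SRV and A records a domain member needs, parsing the "host" output format shown above. The domain and DC names default to the ones used in this post and are assumptions you override with the REALM_DNS and DC_HOST environment variables; the live lookup only runs when the script is invoked with the argument "live".

```shell
#!/bin/sh
# Added example, not from the original post: check that the DC publishes the
# SRV and A records a domain member needs. The parsing functions work on the
# output format of `host -t SRV ...` shown above; the live check at the bottom
# only runs when the script is called with the argument "live".
# REALM_DNS and DC_HOST default to the names used in this post (assumptions).

REALM_DNS="${REALM_DNS:-samba4.albertolarripa.com}"
DC_HOST="${DC_HOST:-pdc.samba4.albertolarripa.com}"

# srv_target "LINES" -> prints "<port> <target>" for every SRV answer line in
# the input (trailing dot removed); prints nothing for NXDOMAIN or other text.
srv_target() {
    printf '%s\n' "$1" | awk '/ has SRV record / { sub(/\.$/, "", $NF); print $(NF-1), $NF }'
}

# check_srv "LINES" PORT TARGET -> 0 if some SRV answer points at TARGET:PORT.
check_srv() {
    srv_target "$1" | grep -qxF "$2 $3"
}

# a_record "LINES" -> prints the address(es) from a `host -t A` answer.
a_record() {
    printf '%s\n' "$1" | awk '/ has address / { print $NF }'
}

# check_dc_dns -> queries the real resolver for the records samba_dnsupdate
# registers for a DC and reports each one; returns 1 if any is missing.
check_dc_dns() {
    _rc=0
    for _rec in "_ldap._tcp.$REALM_DNS 389" \
                "_ldap._tcp.dc._msdcs.$REALM_DNS 389" \
                "_kerberos._tcp.$REALM_DNS 88" \
                "_kerberos._udp.$REALM_DNS 88" \
                "_kpasswd._tcp.$REALM_DNS 464" \
                "_kpasswd._udp.$REALM_DNS 464"; do
        set -- $_rec    # $1 = record name, $2 = expected port
        if check_srv "$(host -t SRV "$1" 2>&1)" "$2" "$DC_HOST"; then
            echo "ok   $1 -> $DC_HOST:$2"
        else
            echo "FAIL $1 (expected $DC_HOST port $2)"
            _rc=1
        fi
    done
    _addr=$(a_record "$(host -t A "$DC_HOST" 2>&1)")
    if [ -n "$_addr" ]; then
        echo "ok   $DC_HOST -> $_addr"
    else
        echo "FAIL $DC_HOST has no A record"
        _rc=1
    fi
    return $_rc
}

if [ "${1:-}" = "live" ]; then
    check_dc_dns
fi
```

Run it as "sh check_dc_dns.sh live" on the DC or on a domain member; a FAIL for any of the SRV names usually means samba_dnsupdate could not write to the zone, which is exactly the failure the verbose run above will show you.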

Kerberos configuration

Before testing Kerberos, back up the current /etc/krb5.conf and replace it with the template Samba ships in /usr/local/samba/share/setup/krb5.conf (the provision step also wrote an already filled-in copy to /usr/local/samba/private/krb5.conf, which you can copy instead):

# cp -pr /etc/krb5.conf /etc/krb5.conf-DIST
# cp -pr /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
cp: overwrite '/etc/krb5.conf'? (y/n) y

Now edit the file and configure your realm. The realm is the DNS domain in upper case (SAMBA4.ALBERTOLARRIPA.COM), not the NetBIOS domain name (SAMBA4); with a wrong default_realm, kinit only works when you spell the realm out in the principal, as in the test below:

[libdefaults]
        default_realm = SAMBA4.ALBERTOLARRIPA.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

Then make /etc/krb5.keytab a symlink to /usr/local/samba/private/dns.keytab. That keytab holds the DNS service keys (the same file named reads through tkey-gssapi-keytab), so treat it as a credential: it must be readable only by root and by the user named runs as, because anyone who can read it can impersonate the DNS service.

ln -s /usr/local/samba/private/dns.keytab /etc/krb5.keytab
# ll /etc/krb5.*
-rw-r--r-- 1 root root 87 Aug 12 10:48 /etc/krb5.conf
-rw-r--r-- 1 root root 608 Jun 25 2007 /etc/krb5.conf-DIST
lrwxrwxrwx 1 root root 35 Aug 12 10:50 /etc/krb5.keytab -> /usr/local/samba/private/dns.keytab

Test your Kerberos

Test whether the internal Kerberos server is running correctly (the realm must be in capital letters):

# kinit administrator@SAMBA4.ALBERTOLARRIPA.COM
Password for administrator@SAMBA4.ALBERTOLARRIPA.COM: 
Warning: Your password will expire in 41 days on Sun Sep 23 08:35:56 2012

Check the ticket with:

# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMBA4.ALBERTOLARRIPA.COM

Valid starting     Expires            Service principal
08/12/12 10:52:02  08/12/12 20:52:02  krbtgt/SAMBA4.ALBERTOLARRIPA.COM@SAMBA4.ALBERTOLARRIPA.COM
	renew until 08/13/12 10:51:59, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

The ticket above uses ArcFour with HMAC/md5 (RC4). RC4 is a legacy encryption type; newer Samba and Windows releases negotiate AES, so on a current build expect aes256-cts here and treat RC4 as a fallback to be phased out.

To destroy the current ticket:

kdestroy

To see which keys are in the keytab (the same principals repeat once per encryption type; use klist -ke to see which type each entry is):

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/pdc.samba4.albertolarripa.com@SAMBA4.ALBERTOLARRIPA.COM
   1 dns-pdc@SAMBA4.ALBERTOLARRIPA.COM
   1 DNS/pdc.samba4.albertolarripa.com@SAMBA4.ALBERTOLARRIPA.COM
   1 dns-pdc@SAMBA4.ALBERTOLARRIPA.COM
   1 DNS/pdc.samba4.albertolarripa.com@SAMBA4.ALBERTOLARRIPA.COM
   1 dns-pdc@SAMBA4.ALBERTOLARRIPA.COM
   1 DNS/pdc.samba4.albertolarripa.com@SAMBA4.ALBERTOLARRIPA.COM
   1 dns-pdc@SAMBA4.ALBERTOLARRIPA.COM
   1 DNS/pdc.samba4.albertolarripa.com@SAMBA4.ALBERTOLARRIPA.COM
   1 dns-pdc@SAMBA4.ALBERTOLARRIPA.COM

If you have clients behind NAT, add the following to krb5.conf on the domain controller. This turns off the KDC's check that the address embedded in a ticket matches the address of the client presenting it, so only enable it when you actually need it:

[kdc] 
check-ticket-addresses = false
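The three points above (the realm must be the upper-case DNS domain, RC4 is a legacy encryption type, and the keytab is a credential) can be checked mechanically. The script below is an added example, not part of the original post: it assumes MIT klist output in the format shown above (the sample text embedded in it is constructed from that output), takes the krb5.conf path and keytab path as arguments it checks on a live host, and accepts the keytab owner as an optional argument for environments where named does not run as root.

```shell
#!/bin/sh
# Added example, not from the original post: three sanity checks for the
# Kerberos side of the DC. Assumes MIT klist output as shown in the post;
# the sample text below is constructed for the demo.

# 1. The realm Samba provisions is the DNS domain in upper case; a NetBIOS
#    name such as SAMBA4 is not a realm.
#    default_realm_ok FILE -> 0 if default_realm is upper case and has a dot.
default_realm_ok() {
    awk -F= '
        $1 ~ /^[ \t]*default_realm[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
            ok = (v == toupper(v) && index(v, ".") > 0)
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# 2. Weak ticket/key encryption types.
#    count_weak_enctypes reads `klist -e` or `klist -ke` output on stdin and
#    prints how many lines use RC4, DES or 3DES; 0 means only modern types.
count_weak_enctypes() {
    awk 'tolower($0) ~ /arcfour|rc4-hmac|des cbc|des-cbc-/ { n++ } END { print n + 0 }'
}

# 3. A keytab is a credential: only its owner should be able to read it.
#    keytab_perms_ok FILE [OWNER] -> 0 if the mode is 0600/0400 and the owner
#    matches (default root). ls -L follows the /etc/krb5.keytab symlink so the
#    real file is checked; a trailing "." or "+" (SELinux/ACL) is tolerated.
keytab_perms_ok() {
    _owner=${2:-root}
    _ls=$(ls -ldL "$1" 2>/dev/null) || return 1
    set -- $_ls          # $1 = mode string, $3 = owner
    case "$1" in
        -rw-------|-rw-------.|-rw-------+|-r--------|-r--------.|-r--------+) ;;
        *) return 1 ;;
    esac
    [ "$3" = "$_owner" ]
}

# Constructed sample: the klist -e output shown in the post (RC4 ticket).
SAMPLE_KLIST=$(cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMBA4.ALBERTOLARRIPA.COM

Valid starting     Expires            Service principal
08/12/12 10:52:02  08/12/12 20:52:02  krbtgt/SAMBA4.ALBERTOLARRIPA.COM@SAMBA4.ALBERTOLARRIPA.COM
	renew until 08/13/12 10:51:59, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
EOF
)

# Usage: sh krb_checks.sh live [/etc/krb5.conf] [/etc/krb5.keytab] [owner]
if [ "${1:-}" = "live" ]; then
    _conf=${2:-/etc/krb5.conf}; _kt=${3:-/etc/krb5.keytab}
    if default_realm_ok "$_conf"; then echo "default_realm in $_conf looks like a Samba realm"
    else echo "default_realm in $_conf is not an upper-case DNS realm"; fi
    echo "weak encryption types in $_kt: $(klist -ke "$_kt" | count_weak_enctypes)"
    if keytab_perms_ok "$_kt" "${4:-root}"; then echo "$_kt permissions OK"
    else echo "$_kt is readable by others or has the wrong owner"; fi
else
    echo "weak encryption types in sample ticket: $(printf '%s\n' "$SAMPLE_KLIST" | count_weak_enctypes)"
fi
```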

Windows configuration

Domain joining

Now it is time to join your computer to the samba4 domain; enter the domain administrator password when prompted.

DNS Registry

To check whether the DNS server allows dynamic updates, run "ipconfig /registerdns" on a computer that has joined the domain,

and check the named server logs. Each update is signed with the machine account's Kerberos key (signer=vdi$@SAMBA4.ALBERTOLARRIPA.COM below), which is what the Samba DLZ module verifies before allowing the change; an unsigned update is refused:

Aug 24 17:28:29 pdc named[4232]: database: info: samba_dlz: starting transaction on zone samba4.albertolarripa.com
Aug 24 17:28:29 pdc named[4232]: database: info: samba_dlz: cancelling transaction on zone samba4.albertolarripa.com
Aug 24 17:28:29 pdc named[4232]: database: info: samba_dlz: starting transaction on zone samba4.albertolarripa.com
Aug 24 17:28:29 pdc named[4232]: database: info: samba_dlz: allowing update of signer=vdi\$\@SAMBA4.ALBERTOLARRIPA.COM name=VDI.samba4.albertolarripa.com tcpaddr= type=AAAA key=984-ms-7.2-5e12a.17fc9d87-edff-11e1-60a3-000c29a18e78/160/0
Aug 24 17:28:29 pdc named[4232]: database: info: samba_dlz: allowing update of signer=vdi\$\@SAMBA4.ALBERTOLARRIPA.COM name=VDI.samba4.albertolarripa.com tcpaddr= type=A key=984-ms-7.2-5e12a.17fc9d87-edff-11e1-60a3-000c29a18e78/160/0
Aug 24 17:28:29 pdc named[4232]: database: info: samba_dlz: allowing update of signer=vdi\$\@SAMBA4.ALBERTOLARRIPA.COM name=VDI.samba4.albertolarripa.com tcpaddr= type=A key=984-ms-7.2-5e12a.17fc9d87-edff-11e1-60a3-000c29a18e78/160/0
Aug 24 17:28:29 pdc named[4232]: update: info: client 192.168.100.203#63209/key vdi\$\@SAMBA4.ALBERTOLARRIPA.COM: view samba: updating zone 'samba4.albertolarripa.com/NONE': deleting rrset at 'VDI.samba4.albertolarripa.com' AAAA
Aug 24 17:28:29 pdc named[4232]: update: info: client 192.168.100.203#63209/key vdi\$\@SAMBA4.ALBERTOLARRIPA.COM: view samba: updating zone 'samba4.albertolarripa.com/NONE': deleting rrset at 'VDI.samba4.albertolarripa.com' A
Aug 24 17:28:29 pdc named[4232]: database: info: samba_dlz: subtracted rdataset VDI.samba4.albertolarripa.com 'VDI.samba4.albertolarripa.com.    1200    IN    A    192.168.100.203'
Aug 24 17:28:29 pdc named[4232]: update: info: client 192.168.100.203#63209/key vdi\$\@SAMBA4.ALBERTOLARRIPA.COM: view samba: updating zone 'samba4.albertolarripa.com/NONE': adding an RR at 'VDI.samba4.albertolarripa.com' A
Aug 24 17:28:29 pdc named[4232]: database: info: samba_dlz: added rdataset VDI.samba4.albertolarripa.com 'VDI.samba4.albertolarripa.com.    1200    IN    A    192.168.100.203'
Aug 24 17:28:29 pdc named[4232]: database: info: samba_dlz: committed transaction on zone samba4.albertolarripa.com
Aug 24 17:28:29 pdc named[4232]: security: info: client 192.168.100.203#61294 (203.100.168.192.in-addr.arpa): view samba: query (cache) '203.100.168.192.in-addr.arpa/SOA/IN' denied
Aug 24 17:28:32 pdc named[4232]: database: info: samba_dlz: starting transaction on zone samba4.albertolarripa.com
Aug 24 17:28:32 pdc named[4232]: database: info: samba_dlz: cancelling transaction on zone samba4.albertolarripa.com
Aug 24 17:28:32 pdc named[4232]: database: info: samba_dlz: starting transaction on zone samba4.albertolarripa.com
Aug 24 17:28:32 pdc named[4232]: database: info: samba_dlz: allowing update of signer=vdi\$\@SAMBA4.ALBERTOLARRIPA.COM name=VDI.samba4.albertolarripa.com tcpaddr= type=AAAA key=984-ms-7.2-5e12a.17fc9d87-edff-11e1-60a3-000c29a18e78/160/0
Aug 24 17:28:32 pdc named[4232]: database: info: samba_dlz: allowing update of signer=vdi\$\@SAMBA4.ALBERTOLARRIPA.COM name=VDI.samba4.albertolarripa.com tcpaddr= type=A key=984-ms-7.2-5e12a.17fc9d87-edff-11e1-60a3-000c29a18e78/160/0
Aug 24 17:28:32 pdc named[4232]: database: info: samba_dlz: allowing update of signer=vdi\$\@SAMBA4.ALBERTOLARRIPA.COM name=VDI.samba4.albertolarripa.com tcpaddr= type=A key=984-ms-7.2-5e12a.17fc9d87-edff-11e1-60a3-000c29a18e78/160/0
Aug 24 17:28:32 pdc named[4232]: update: info: client 192.168.100.203#54061/key vdi\$\@SAMBA4.ALBERTOLARRIPA.COM: view samba: updating zone 'samba4.albertolarripa.com/NONE': deleting rrset at 'VDI.samba4.albertolarripa.com' AAAA
Aug 24 17:28:32 pdc named[4232]: update: info: client 192.168.100.203#54061/key vdi\$\@SAMBA4.ALBERTOLARRIPA.COM: view samba: updating zone 'samba4.albertolarripa.com/NONE': deleting rrset at 'VDI.samba4.albertolarripa.com' A
Aug 24 17:28:32 pdc named[4232]: database: info: samba_dlz: subtracted rdataset VDI.samba4.albertolarripa.com 'VDI.samba4.albertolarripa.com.    1200    IN    A    192.168.100.203'
Aug 24 17:28:32 pdc named[4232]: update: info: client 192.168.100.203#54061/key vdi\$\@SAMBA4.ALBERTOLARRIPA.COM: view samba: updating zone 'samba4.albertolarripa.com/NONE': adding an RR at 'VDI.samba4.albertolarripa.com' A
Aug 24 17:28:32 pdc named[4232]: database: info: samba_dlz: added rdataset VDI.samba4.albertolarripa.com 'VDI.samba4.albertolarripa.com.    1200    IN    A    192.168.100.203'
Aug 24 17:28:32 pdc named[4232]: database: info: samba_dlz: committed transaction on zone samba4.albertolarripa.com
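Reading these logs by eye does not scale once many machines register. As an added example (not part of the original post), the script below summarises the named log so that machines whose updates are refused stand out: accepted signed updates appear as "samba_dlz: allowing update of signer=<account>", refused ones as "client <ip>#<port>: ... update '<zone>' denied", both formats being the ones shown on this page. The sample lines embedded in it are constructed from those formats; the host 192.168.100.250 is an assumption standing in for a client that never completes a signed update.

```shell
#!/bin/sh
# Added example, not from the original post: summarise dynamic-update activity
# in the named log. Signed (GSS-TSIG) updates that Samba's DLZ module accepts
# are logged as "samba_dlz: allowing update of signer=<account>"; refused ones
# as "client <ip>#<port>: ... update '<zone>' denied". The sample below is
# constructed from the formats shown in the post (192.168.100.250 is assumed).

SAMPLE_LOG=$(cat <<'EOF'
Aug 24 17:28:29 pdc named[4232]: database: info: samba_dlz: allowing update of signer=vdi\$\@SAMBA4.ALBERTOLARRIPA.COM name=VDI.samba4.albertolarripa.com tcpaddr= type=A key=984-ms-7.2-5e12a.17fc9d87-edff-11e1-60a3-000c29a18e78/160/0
Aug 24 17:28:29 pdc named[4232]: update: info: client 192.168.100.203#63209/key vdi\$\@SAMBA4.ALBERTOLARRIPA.COM: view samba: updating zone 'samba4.albertolarripa.com/NONE': adding an RR at 'VDI.samba4.albertolarripa.com' A
Aug 24 17:28:32 pdc named[4232]: database: info: samba_dlz: allowing update of signer=vdi\$\@SAMBA4.ALBERTOLARRIPA.COM name=VDI.samba4.albertolarripa.com tcpaddr= type=AAAA key=984-ms-7.2-5e12a.17fc9d87-edff-11e1-60a3-000c29a18e78/160/0
Aug 24 17:30:01 pdc named[4232]: update: info: client 192.168.100.250#1227: view samba: update 'samba4.albertolarripa.com/NONE' denied
Aug 24 17:30:05 pdc named[4232]: update: info: client 192.168.100.250#1228: view samba: update 'samba4.albertolarripa.com/NONE' denied
Aug 24 17:30:09 pdc named[4232]: security: info: client 192.168.100.203#61294 (203.100.168.192.in-addr.arpa): view samba: query (cache) '203.100.168.192.in-addr.arpa/SOA/IN' denied
EOF
)

# audit_dns_updates < LOG -> one line per signer ("signed <principal> <n>")
# and one per refused client ("denied <ip> <n>"), sorted. Query refusals
# (the last sample line) are not updates and are ignored.
audit_dns_updates() {
    awk '
        /samba_dlz: allowing update of signer=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^signer=/) {
                    s = substr($i, 8)      # drop the "signer=" prefix
                    gsub(/\\/, "", s)      # syslog escapes $ and @ as \$ and \@
                    signed[s]++
                }
            next
        }
        /: update .* denied/ {
            for (i = 1; i <= NF; i++)
                if ($i == "client") {
                    split($(i + 1), a, "#")   # "<ip>#<port>:" -> ip
                    denied[a[1]]++
                }
        }
        END {
            for (s in signed) printf "signed %s %d\n", s, signed[s]
            for (c in denied) printf "denied %s %d\n", c, denied[c]
        }' | sort
}

# Usage: sh audit_dns_updates.sh /var/log/messages
# With no argument, the summary runs over the constructed sample above.
if [ $# -gt 0 ]; then
    audit_dns_updates < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | audit_dns_updates
fi
```

A "denied" line for a host that never shows up as a signer is the pattern from the comments below: a client sending unsigned updates, typically because it is not a domain member or because BIND was built without GSSAPI/DLZ support and cannot verify the signature at all.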

DSA – Active Directory Console

To administer your samba4 domain as you would a Windows Active Directory, install the Windows tool "dsa.msc":

Windows Server 2008

In windows server 2008 install the Active Directory Domain Controller Tools

Windows7

Download the Windows Remote Administration Tools and install the software

Vista

Download from here and follow the “Install RSAT” instruction described here

Windows XP Pro

In Windows XP, download adminpak and supporttools

Finally press start->run, type dsa.msc

Future Post

In a future post I will explain how to install and configure the VMware View (VDI) server with a samba4 domain.

13 thoughts on "Samba4 Installation and Configuration"

  1. Hi Alberto. Your site is very good...

    I have tried to migrate from Windows 2003 to Samba 4, which is very similar but with a domain join. Everything works fine for me: it joins the domain, takes the users, groups, GPOs, roles, etc., and the clients log in just as with Windows; but when I shut down the Windows server, Bind is not able to resolve the names of the new clients that log in. For example, host wintendo returns: Host wintendo not found: 3(NXDOMAIN). However, Bind's data still has the entries for the Windows server and for the Linux server itself. The zones seem to be fine.

    I don't know whether those details give you a clue as to what may be happening.

    I would appreciate your help.

    Regards.

    1. Hi Claudio,

      From what you are telling me, the problem seems to be on the clients: they may not have the DNS server correctly configured, and may still be pointing at the Windows 2003 server.
      Check in the DHCP configuration that the data supplied in the TCP/IP configuration is correct, and that the DNS server in play is the BIND integrated with SAMBA4.

      If you like, send me more information about your infrastructure by e-mail and we will look into it.

      Regards.

      1. Hi Alberto. Thanks for your quick reply.

        The problem is not on the clients, because: 1st, I configured them manually (IP, mask, DNS, gateway) and the same thing happens. 2nd, I left the automatic configuration (since the dhcpd and named services are started); the clients pick up the configuration correctly, but the same thing happens:

        Host wintendo not found: 3(NXDOMAIN)

        Now, I have checked /var/log/messages:
        sambapdc01 named-sdb[2318]: running
        sambapdc01 dhcpd: DHCPREQUEST for 192.168.5.10 from 08:00:27:5a:1d:23 (wintendo) via eth1
        sambapdc01 dhcpd: DHCPACK on 192.168.5.10 to 08:00:27:5a:1d:23 (wintendo) via eth1
        sambapdc01 named-sdb[2318]: samba_dlz: starting transaction on zone mydomain.local
        sambapdc01 named-sdb[2318]: client 192.168.5.10#1227: update 'mydomain.local/IN' denied
        sambapdc01 named-sdb[2318]: samba_dlz: cancelling transaction on zone mydomain.local

        I am convinced the problem is in Bind or in some file related to it and Samba4, but I don't know how to solve it. My named.conf configuration allows update, query, transfer and recursion for the subnet the host wintendo belongs to.

        I hope you can give me a hand with this.

        Thanks in advance.

        1. Hi friend, I am doing the same investigation... I have also done something similar, but I do not use bind9; I use the one from the smb4 configuration. I can tell you that to do what you want you have to transfer the roles from the Windows 2003 to samba4... watch the following video and write to me to let me know whether you managed it. http://www.youtube.com/watch?v=V4melZHGMLI

          1. Thanks Deibis. Very good video. However, that scenario is a "domain join", which is done when we join a Linux server with Samba 4 to a Windows server with AD. It is mandatory to take over the roles from the Windows server.

            In my particular case, I did a "domain provision", which does not need to take over any roles since it will be the Primary Domain Controller of the domain it creates.

            I will use what I learned from that video in another Windows to Samba 4 migration project I have pending. The idea is to take everything from a Windows domain controller and move it to Samba 4, then shut down that Windows server, and have Linux become the domain controller with all the users, groups, GPOs, FSMO roles, etc. that the Windows server had. A full migration.

            Regards.

      2. Hi Alberto. I have solved the problem: I was using the bind from the CentOS repositories, which is not compiled with dlz and gssapi support.

        I compiled bind with the options --with-gssapi=/usr/include/gssapi and --with-dlopen=yes.

        It is finally working.

        Regards...

  2. Hello Alberto,
    I read your article with great interest; I'm trying to create a similar infrastructure for the University of Modena and Reggio (Italy). And I was curious to read your future post on how to install and configure the VMware View Server with a Samba 4 domain.
    This is because during the deployment of the vDesktop I have problems joining the domain correctly, and the sysprep/quickprep process fails with the error: Failed to join the domain, even though I can see the new vDSK in the domain in the right OU.

    Have you had the same problem? Have you solved it?

    Thanks in advance. Best regards,
    Lorenzo

  3. Hi Alberto, greetings from Brazil.
    Excellent post, thank you very much for sharing. If you don't mind, I have two questions:
    Does this tutorial work for Ubuntu 12.04 LTS 32-bit?
    I used a very similar tutorial and managed to get "everything working", but when I try to use RSAT to administer the DC it doesn't work; it returns an error:
    "Naming information cannot be located because: The domain specified doesn't exist or can't be reached".
    Even so, I can connect to the DC using Windows XP.

    Any help will be very welcome.

    A hug.

  4. Hi, I am new to Samba and, following a tutorial, I have been able to configure a domain server using samba 4.1.8. Everything works fine except for the automatic update of DNS records. It only works for some clients. For most of them I get this error: client XXX.XXX.XXX.XXX#55873: update 'XXX/IN' denied ... samba_dlz: cancelling transaction on zone

    It doesn't seem to be related to the clients' OS. Searching and reading, I saw something about Windows possibly trying to do the transaction insecurely first and then finishing it securely and updating... but that doesn't happen. I have some clients that have updated... what could it be... I am using Bind 9.9.5. Thanks for your attention, sorry if I don't provide enough information. Ask me anything. Thanks
