30.5.13

Samba 3.6.15 file server for Samba 4.0.6 AD Domain

Gotchas
Having wasted so much time trying to use 4.0.6 as a member server, 3.6.15 from here came as a relative breath of fresh air. In the most time honoured Samba manner, there is not the slightest hint as to how to build it after unpacking! OK, I found a configure script under the source3 directory. Promising, and hey, it's the usual ./configure && make && make install scenario. There's no mention of build dependencies either, of course. I took this lot, which is what's needed to build the Samba4 DC on Debian:

 apt-get install build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev \
   cifs-utils

You could probably get away with a lot less than that, but at least it builds. Next, where's it all gone? /usr/local/samba. So, stick your smb.conf in /usr/local/samba/lib and hey, that's about it.

Administrator account mapping
All users other than the Domain Admin can access the shares. The big problem was getting the Administrator created by a Samba4 DC install to be able to access them. We needed a:

 username map = /home/steve/smbmap

line in smb.conf, with /home/steve/smbmap containing:

 !root = HH3\\Administrator HH3\Administrator Administrator

Yeah, I know. Don't ask. The '!' in front of root ensures that smbd doesn't keep looking up new instances of whatever it's replacing. If you see what I mean. As far as we're concerned, it works.
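The '!' behaviour described above, as an added example (it is not Samba's code and not from this page): a small Python model of smbd's username map lookup, covering comment lines, plain names, the '*' wildcard, '@group' entries and the stop-on-match flag. It is run over a constructed map whose first line is the page's own. It assumes smbd's documented rule that, without '!', the mapped name is fed back into the lines that follow; the group membership used for '@group' is passed in rather than read from the unix group database.

```python
# Added example, not Samba's implementation: a minimal model of the
# "username map" lookup, enough to show what a leading '!' changes.

SAMPLE_MAP = r"""
# constructed sample map; the first rule is the line from the page
!root = HH3\\Administrator HH3\Administrator Administrator
!jane = HH3\jane
steve = HH3\steve
; without '!' the mapped name is fed back into the rules that follow,
; so HH3\steve above still falls through to the wildcard rule
everyone = *
"""


def parse_username_map(text):
    """Return (unix_name, [patterns], stop_after_match) rules in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment lines, as in smb.conf
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:                       # malformed line: ignored
            continue
        unix_name, patterns = line.split("=", 1)
        rules.append((unix_name.strip(), patterns.split(), stop))
    return rules


def _matches(pattern, name, groups):
    if pattern == "*":                            # wildcard matches every name
        return True
    if pattern.startswith("@"):                   # @group: member of that unix group
        members = groups.get(pattern[1:], ())
        return name.lower() in {m.lower() for m in members}
    return pattern.lower() == name.lower()        # names compare case-insensitively


def map_username(name, rules, groups=None):
    """Apply the rules in order; a '!' rule ends processing once it has matched."""
    groups = groups or {}
    current = name
    for unix_name, patterns, stop in rules:
        if any(_matches(p, current, groups) for p in patterns):
            current = unix_name
            if stop:
                break
    return current


RULES = parse_username_map(SAMPLE_MAP)

if __name__ == "__main__":
    for who in ("Administrator", r"HH3\Administrator", r"HH3\jane", r"HH3\steve", "bob"):
        print(f"{who!r:24} -> {map_username(who, RULES)!r}")
```

Running it shows why the page needs the '!': HH3\jane stays jane, but HH3\steve is first mapped to steve and then swallowed by the wildcard rule, which is exactly what would happen to root without the '!' prefix.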
roaming profiles
Always fun. Best just to give our smb.conf. The rest is, as they say...
[global]
workgroup = HH3
realm = HH3.SITE
kerberos method = system keytab
security = ADS
log level = 3
username map = /home/steve/smbmap  

[users]
path = /home/users
read only = No

[profiles]
path = /home/profiles
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = No
guest ok = No
printable = No
profile acls = Yes
csc policy = disable

group shared folder

[shared]
path = /home/shared
read only = No
force user = %U
force group = staff2
create mask = 0775
directory mask = 0775
force create mode = 0660
force directory mode = 0660


kerberised cifs
On the DC, make a user:
samba-tool user add cifsuser
Add posixAccount, uidNumber and gidNumber.
Join the 3.6.15 server to the domain:
net ads join -UAdministrator

Extract and merge a keytab:
cd /etc
ktutil
ktutil: addent -password -p cifsuser@HH3.SITE -k 1 -e arcfour-hmac
Password for cifsuser@HH3.SITE:
ktutil: wkt cifs.keytab
ktutil: quit
(or just add it directly to /etc/krb5.keytab and forget the merge in the next bit)

For the kerberised mount, we need that key in the default keytab at /etc/krb5.keytab, so:
cd /etc
ktutil
ktutil: read_kt krb5.keytab
ktutil: read_kt cifs.keytab
ktutil: write_kt temp.keytab
ktutil: quit

mv krb5.keytab krb5.keytab.original
mv temp.keytab krb5.keytab

Try a mount:
sudo service smbd restart
mount -t cifs //oliva/users /mnt -o sec=krb5,username=cifsuser,multiuser
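The keytab merge above is done by hand in ktutil, which gives no view of what ended up in /etc/krb5.keytab before the mount is tried. As an added example (not part of the page and not MIT Kerberos code), here is a Python reader/writer for the MIT keytab file format (version 0x0502) that merges two keytabs the way read_kt/read_kt/write_kt does, lists the principals, kvnos and enctypes that result, and flags RC4 entries: the page adds cifsuser with -e arcfour-hmac (enctype 23), which RFC 8429 deprecates, so an AES enctype is preferable where the DC supports it. The two sample keytabs are constructed stand-ins for the host keytab written by net ads join and for cifs.keytab; the key bytes are placeholders.

```python
# Added example, not from the page or from MIT Kerberos: parse, build and merge
# MIT keytab files (format version 0x0502) to inspect the merge offline.
# Assumptions: constructed sample entries stand in for the real keys;
# enctype numbers follow RFC 3961 (AES) and RFC 4757 (RC4-HMAC).
import struct
from dataclasses import dataclass

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {23}             # RC4-HMAC, deprecated by RFC 8429
KRB5_NT_PRINCIPAL = 1


@dataclass(frozen=True)
class KeytabEntry:
    principal: str               # e.g. "cifsuser@HH3.SITE" or "host/oliva@HH3.SITE"
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def _encode_entry(e: KeytabEntry, timestamp: int = 0) -> bytes:
    name, realm = e.principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, e.kvno & 0xFF)
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)        # 32-bit kvno trailer (the 8-bit vno wraps at 256)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return b"\x05\x02" + b"".join(_encode_entry(e) for e in entries)


def parse_keytab(data: bytes):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                          # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2

        def take_counted():
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            s = data[pos:pos + n]; pos += n
            return s.decode()

        realm = take_counted()
        components = [take_counted() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:                    # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(components) + "@" + realm, kvno, enctype, key))
    return entries


def merge_keytabs(*blobs: bytes) -> bytes:
    """Like 'read_kt a; read_kt b; write_kt out', except exact duplicates are dropped."""
    seen = {}
    for blob in blobs:
        for e in parse_keytab(blob):
            seen.setdefault((e.principal, e.kvno, e.enctype), e)
    return build_keytab(seen.values())


def weak_entries(entries):
    return [e for e in entries if e.enctype in WEAK_ENCTYPES]


def describe(entries):
    return [f"{e.principal} kvno={e.kvno} {ENCTYPE_NAMES.get(e.enctype, e.enctype)}" for e in entries]


# Constructed stand-ins for /etc/krb5.keytab (from 'net ads join') and cifs.keytab
HOST_KEYTAB = build_keytab([KeytabEntry("host/oliva@HH3.SITE", 2, 18, b"\x11" * 32)])
CIFS_KEYTAB = build_keytab([KeytabEntry("cifsuser@HH3.SITE", 1, 23, b"\x22" * 16)])

if __name__ == "__main__":
    merged = parse_keytab(merge_keytabs(HOST_KEYTAB, CIFS_KEYTAB))
    for line in describe(merged):
        print(line)
    for e in weak_entries(merged):
        print("weak enctype, consider re-adding with AES:", e.principal)
```

To use it against the real files, read /etc/krb5.keytab and /etc/cifs.keytab as bytes, pass them to merge_keytabs, and check that describe() lists both the host principal and cifsuser with the kvno you expect before replacing krb5.keytab; a kvno that does not match the account's current one is the usual reason a sec=krb5 mount fails.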