Samba has provided an implementation of the [[smb|SMB]] protocol on UNIX systems since 1992 (Linux somewhat later). Starting with Samba 3.6 (Ubuntu 14.04 LTS and later), the SMBv2 and SMBv3 protocols were gradually added to Samba as options. Since September 2017 SMBv3 has been the default in Samba as well, and since Samba 4.11 (Ubuntu 20.04 LTS and later) the SMBv1 protocol is, as in [[windows|Windows]] 10, no longer supported in the default configuration.

With the help of NSS and PAM, Samba can even replace an [[active_directory|Active Directory]] domain controller.
  * According to the [[https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Introduction|Samba Wiki]], Samba4 supports only the internal [[ldap|LDAP]] server and a specific [[kerberos|Kerberos]] distribution (Heimdal).
  * The Samba internal DNS server also has [[https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End#Limitations|some deficits]] (no wildcard certificates, no caching, no zone transfers, ...); it is better to set up a bind DNS server instead.
=====Installation=====
<code>
apt install samba
</code>

Edit /etc/samba/smb.conf:

<code>
[Global]
workgroup = WORKGROUP
security = user
map to guest = Bad User
name resolve order = bcast host
include = /etc/samba/shares.conf

[Public Files]
path = /share/public_files
force user = smbuser
force group = smbgroup
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
public = yes
writeable = yes

[Protected Files]
path = /share/protected_files
force user = smbuser
force group = smbgroup
create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775
public = yes
writeable = no
</code>

Create the share directories and the system account that owns them:

<code>
mkdir -p /share/public_files
mkdir -p /share/protected_files
groupadd --system smbgroup
useradd --system smbuser --no-create-home --groups smbgroup -s /bin/false
chown -R smbuser:smbgroup /share
chmod -R g+w /share

# add a new user
useradd newuser
# add as Samba user
smbpasswd -a newuser
# delete the Samba user
smbpasswd -x newuser

systemctl start smbd
systemctl status smbd
</code>
https://www.youtube.com/watch?v=7Q0mnAT1MRg
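
With ''map to guest = Bad User'', a login with an unknown user name becomes a guest session, so every share with ''public = yes'' is reachable without a password. The following added example (not part of the original page) audits an smb.conf for such shares and marks the guest-writable ones; the sample is constructed from the configuration above, and only share-level and [global] settings are evaluated.

```python
import configparser

# Constructed sample: the security-relevant lines of the smb.conf on this page.
SAMPLE = """
[Global]
map to guest = Bad User
[Public Files]
public = yes
writeable = yes
[Protected Files]
public = yes
writeable = no
"""

def load(text):
    # '=' is the only delimiter (parametric options contain ':'); '%' macros stay literal.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = lambda k: "".join(k.split()).lower()  # Samba ignores case/spaces in names
    cp.read_string(text)
    return {s.strip().lower(): dict(cp[s]) for s in cp.sections()}

def flag(params, names, default):
    # Boolean value of the first synonym that is set, otherwise the default.
    for n in names:
        if n in params:
            return params[n].strip().lower() in ("yes", "true", "1")
    return default

def audit(text):
    conf = load(text)
    glob = conf.pop("global", {})
    # Guest sessions only exist when "map to guest" differs from the default "Never".
    mapped = glob.get("maptoguest", "never").strip().lower() != "never"
    findings = {}
    for share, params in conf.items():
        p = {**glob, **params}  # share settings override [global] defaults
        guest = mapped and flag(p, ("guestok", "public"), False)
        # Conservative: writable if either the positive or the inverted synonym says so.
        writable = (flag(p, ("writable", "writeable", "writeok"), False)
                    or not flag(p, ("readonly",), True))
        if guest:
            findings[share] = "guest-writable" if writable else "guest-readable"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a live server, feeding the output of ''testparm -s'' to ''audit()'' also covers settings pulled in through ''include''.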
=====Domain Controller=====
Set a static IP: edit /etc/network/interfaces.

<code>
iface eth0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    gateway 192.168.0.1
    dns-nameservers 127.0.0.1 192.168.0.1 8.8.8.8
    dns-search example.com
</code>

Edit the hostname in /etc/hostname and /etc/hosts.

/etc/hostname:

<code>
dc.example.com
</code>

/etc/hosts:

<code>
127.0.0.1 localhost
192.168.0.2 dc.example.com dc
...
</code>

Install packages:

<code>
apt install -y samba krb5-user krb5-config winbind smbclient
# optional additional packages: libpam-winbind libnss-winbind
</code>

Stop services:

<code>
systemctl stop samba-ad-dc smbd nmbd winbind
systemctl disable samba-ad-dc smbd nmbd winbind
</code>

Remove the example config:

<code>
rm /etc/samba/smb.conf
</code>

Domain provision, example values:
  * realm: example.com
  * domain: example

<code>
samba-tool domain provision --interactive --use-rfc2307 --use-ntvfs
mv /etc/krb5.conf /etc/krb5.conf.bak
ln -s /var/lib/samba/private/krb5.conf /etc/
systemctl start samba-ad-dc
systemctl enable samba-ad-dc
</code>

Edit /etc/resolv.conf:

<code>
search example.com
nameserver 127.0.0.1
nameserver 192.168.0.1
nameserver 8.8.8.8
</code>

Test the DC:

<code>
samba-tool domain level show
ping example.com
ping dc.example.com
ping dc
host -t SRV _ldap._tcp.example.com
host -t SRV _kerberos._udp.example.com
host -t A example.com
host -t A dc.example.com
</code>

Test Kerberos:

<code>
# the Kerberos realm must be written in upper case
kinit administrator@EXAMPLE.COM
klist
</code>
=====samba-tool=====
<code>
samba-tool user create user1
samba-tool user enable user1
samba-tool group add group1
samba-tool group addmembers group1 user1,user2,..
samba-tool group removemembers group1 user1,user2,..
samba-tool group delete group1

# create a Unix group in Samba
samba-tool group add groupname --nis-domain=samdom --gid-number=
</code>
=====Links=====
  * https://www.tecmint.com/install-samba4-active-directory-ubuntu/
  * [[https://www.youtube.com/watch?v=7Q0mnAT1MRg|Basic Installation]]
  * [[https://www.oreilly.com/openbook/samba/book/|Oreilly Samba Book]]
  * [[https://moiristo.wordpress.com/2009/08/10/samba-logging-user-activity/|User Logging]]
  * https://www.youtube.com/watch?v=eJrH59mxLmo
  * https://ubuntu.com/server/docs/samba-openldap-backend
  * https://community.nethserver.org/t/should-i-use-ldap-or-samba-active-directory/6095
  * https://wiki.samba.org/index.php/Managing_the_Samba_AD_DC_Service_Using_Systemd
  * https://wiki.ubuntuusers.de/Archiv/Howto/Samba4_als_Domaincontroller/
  * https://wiki.ubuntuusers.de/Archiv/Howto/Samba4-Server_als_Active-Directory_Domain-Controller/
  * https://docs.huihoo.com/ubuntu/11.10/serverguide/samba-ldap.html
  * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/samba-pdc-ldap
  * https://www.howtoforge.com/openldap-samba-domain-controller-ubuntu7.10
  * https://www.youtube.com/watch?v=IgZM4urpjMM
  * https://ubuntu.com/server/docs/samba-domain-controller