...
Code Block |
---|
apt-get install python-dev
apt-get install libldap2-dev
apt-get install pkg-config
apt-get install git
apt-get install gdb
# If winbind support is needed
apt-get install libnss3-dev
apt-get install libpam-dev   # or libpam0g-dev |
Installation
Change into the installation directory (created when the tar archive mentioned above was unpacked) and enter the following commands.
Configuring and compiling is very time-consuming and, depending on system speed, can take more than 1 hour.
...
Code Block |
---|
language | bash |
---|
title | /etc/init.d/samba-ad-dc |
---|
collapse | true |
---|
|
#! /bin/sh
### BEGIN INIT INFO
# Provides: samba-ad-dc
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start Samba daemons for the AD DC
### END INIT INFO
#
# Start/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#
PIDDIR=/usr/local/samba/var/run
#PIDDIR=/var/run/samba
SAMBAPID=$PIDDIR/samba.pid
PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
export PATH
# clear conflicting settings from the environment
unset TMPDIR
# See if the daemon and the config file are there
test -x /usr/local/samba/sbin/samba -a -r /etc/samba/smb.conf || exit 0
. /lib/lsb/init-functions
case "$1" in
    start)
        # Only start when this host is configured as an AD domain controller
        SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
        if [ "$SERVER_ROLE" != "active directory domain controller" ]; then
            exit 0
        fi
        #if init_is_upstart; then
        #exit 1
        #fi
        # CVE-2013-4475: refuse to start if the TLS private key is not mode 600.
        # KEYFILE is the packaged path; adjust it if the build keeps its
        # private directory elsewhere (e.g. under /usr/local/samba).
        KEYFILE=/var/lib/samba/private/tls/key.pem
        if [ -e $KEYFILE ]
        then
            KEYPERMS=`stat -c %a $KEYFILE`
            if [ "$KEYPERMS" != "600" ]
            then
                echo "wrong permission on $KEYFILE, must be 600"
                echo "samba will not start (CVE-2013-4475)"
                echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions."
                exit 1
            fi
        fi
        log_daemon_msg "Starting Samba AD DC daemon" "samba"
        # Make sure we have our PIDDIR, even if it's on a tmpfs
        install -o root -g root -m 755 -d $PIDDIR
        if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
            log_end_msg 1
            exit 1
        fi
        log_end_msg 0
        ;;
    stop)
        #if init_is_upstart; then
        #exit 0
        #fi
        log_daemon_msg "Stopping Samba AD DC daemon" "samba"
        start-stop-daemon --stop --quiet --pidfile $SAMBAPID
        # Wait a little and remove stale PID file
        sleep 1
        if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
        then
            # Stale PID file (samba was successfully stopped),
            # remove it (should be removed by samba itself IMHO.)
            rm -f $SAMBAPID
        fi
        log_end_msg 0
        ;;
    restart|force-reload)
        #if init_is_upstart; then
        #exit 1
        #fi
        $0 stop
        sleep 1
        $0 start
        ;;
    status)
        status_of_proc -p $SAMBAPID /usr/local/samba/sbin/samba samba
        exit $?
        ;;
    *)
        echo "Usage: /etc/init.d/samba-ad-dc {start|stop|restart|force-reload|status}"
        exit 1
        ;;
esac
exit 0 |
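The CVE-2013-4475 guard in the script above tests one fixed path, /var/lib/samba/private/tls/key.pem, and is skipped silently when no file exists there. The following added example (not part of the original script) checks several candidate paths and reports when none of them exists; the second path assumes the default private directory of a build installed in /usr/local/samba, and `check_tls_keys` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not part of the original init script.
# Candidate key locations (assumptions): the path tested by the script above
# and the default private directory of a build installed in /usr/local/samba.
KEY_CANDIDATES="/var/lib/samba/private/tls/key.pem
/usr/local/samba/private/tls/key.pem"

# check_tls_keys FILE...
# Return 0 if every existing FILE has mode 600, 1 if any does not, and
# 2 if no FILE exists, so a caller can tell "all fine" from "nothing checked".
check_tls_keys() {
    rc=0 checked=0
    for key in "$@"; do
        [ -e "$key" ] || continue
        checked=$((checked + 1))
        perms=$(stat -c %a "$key")
        if [ "$perms" != "600" ]; then
            echo "wrong permission $perms on $key, must be 600 (CVE-2013-4475)" >&2
            rc=1
        fi
    done
    if [ "$checked" -eq 0 ]; then
        echo "no TLS key at any candidate path, nothing was checked" >&2
        return 2
    fi
    return $rc
}

# Constructed demonstration on throw-away files only.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/good.pem"; chmod 600 "$dir/good.pem"
    : > "$dir/bad.pem";  chmod 644 "$dir/bad.pem"
    check_tls_keys "$dir/good.pem" "$dir/absent.pem" && echo "mode 600 accepted"
    check_tls_keys "$dir/good.pem" "$dir/bad.pem" || echo "mode 644 rejected"
    check_tls_keys "$dir/absent.pem" || echo "status $? when no key exists"
    rm -rf "$dir"
}
demo

# Use in the start) branch (word splitting on the newline is intended):
#   check_tls_keys $KEY_CANDIDATES; [ $? -ne 1 ] || exit 1
```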
Code Block |
---|
language | bash |
---|
title | /etc/init.d/winbind |
---|
|
#!/bin/sh
### BEGIN INIT INFO
# Provides: winbind
# Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog
# Should-Start: samba
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start Winbind daemon
### END INIT INFO
PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
#PATH=/sbin:/bin:/usr/sbin:/usr/bin
[ -r /etc/default/winbind ] && . /etc/default/winbind
DAEMON=/usr/local/samba/sbin/winbindd
PIDDIR=/usr/local/samba/var/run
#PIDDIR=/var/run/samba
WINBINDPID=$PIDDIR/winbindd.pid
# clear conflicting settings from the environment
unset TMPDIR
# See if the daemon is there
test -x $DAEMON || exit 0
# On an AD domain controller this script does nothing
SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
    exit 0
fi
. /lib/lsb/init-functions
case "$1" in
    start)
        #if init_is_upstart; then
        #exit 1
        #fi
        log_daemon_msg "Starting the Winbind daemon" "winbind"
        # Privileged pipe directory: accessible only to root and group winbindd_priv.
        # exit (not return) on failure, because this code is not inside a function.
        mkdir -p $PIDDIR/winbindd_privileged || exit 1
        chgrp winbindd_priv $PIDDIR/winbindd_privileged/ || exit 1
        chmod 0750 $PIDDIR/winbindd_privileged/ || exit 1
        start-stop-daemon --start --quiet --oknodo --exec $DAEMON -- $WINBINDD_OPTS
        log_end_msg $?
        ;;
    stop)
        #if init_is_upstart; then
        #exit 0
        #fi
        log_daemon_msg "Stopping the Winbind daemon" "winbind"
        start-stop-daemon --stop --quiet --oknodo --exec $DAEMON
        log_end_msg $?
        ;;
    restart|force-reload)
        #if init_is_upstart; then
        #exit 1
        #fi
        $0 stop && sleep 2 && $0 start
        ;;
    status)
        status_of_proc -p $WINBINDPID $DAEMON winbind && exit 0 || exit $?
        ;;
    *)
        echo "Usage: /etc/init.d/winbind {start|stop|restart|force-reload|status}"
        exit 1
        ;;
esac |
Of course, these scripts must have the appropriate permissions:
Code Block |
---|
root@lemaker:/etc/init.d# l smbd nmbd samba samba-ad-dc
-rwxr-xr-x 1 root root 2026 Nov 16 02:40 nmbd
-rwxr-xr-x 1 root root 1266 Nov 16 02:40 samba
-rwxr-xr-x 1 root root 2308 Nov 16 02:40 samba-ad-dc
-rwxr-xr-x 1 root root 2069 Nov 16 02:40 smbd
-rwxr-xr-x 1 root root 1771 Nov 17 02:36 winbind
root@lemaker:/etc/init.d# |
A configuration file is also required for operation.
For compatibility reasons it should be stored in the /etc/samba directory.
Code Block |
---|
language | bash |
---|
title | /etc/samba/smb.conf |
---|
collapse | true |
---|
|
[global]
workgroup = WORKGROUP
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
[myshare]
comment = Persoenliche Freigabe fuer User myuser
guest ok = yes
browseable = yes
path = /var2/ablage
create mask = 0600
directory mask = 0700
valid users = myuser
read only = no |
Our manual installation, however, expects the configuration file at /usr/local/samba/etc/smb.conf.
A symbolic link can help here.
Code Block |
---|
root@lemaker:/usr/local/samba/etc# ln -s /etc/samba/smb.conf
root@lemaker:/usr/local/samba/etc# l
total 8
drwxr-xr-x 2 root root 4096 Nov 16 02:53 .
drwxr-xr-x 10 root root 4096 Nov 16 02:17 ..
lrwxrwxrwx 1 root root 19 Nov 16 02:53 smb.conf -> /etc/samba/smb.conf
root@lemaker:/usr/local/samba/etc# |
We also need a log directory, a directory for printer handling, and a winbind group:
Code Block |
---|
mkdir /var/log/samba
mkdir -p /var/lib/samba/printers
addgroup winbindd_priv |
Testing the installation
If everything is now in order, the installation can be tested with Samba's own tool "testparm".
Code Block |
---|
title | Output of the "testparm" command |
---|
collapse | true |
---|
|
root@lemaker:/etc/samba# testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Processing section "[myshare]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
server string = %h server (Samba, Ubuntu)
server role = standalone server
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
print ok = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[myshare]
comment = Persoenliche Freigabe fuer User myuser
path = /var2/ablage
valid users = myuser
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
root@lemaker:/etc/samba# |
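In the dump above, [myshare] is commented as a personal share for myuser and restricts valid users, yet keeps guest ok = Yes. The following added example (not part of the original page) lists every share with guest access enabled so that such combinations can be reviewed; it reads smb.conf syntax, which is also what testparm prints. `guest_shares` and `sample_conf` are hypothetical helper names, and the sample is constructed from the share sections shown above.

```shell
#!/bin/sh
# Added example: list the shares of an smb.conf that allow guest access.
# guest_shares FILE prints "<share> valid_users=<value or ->" for every
# share whose "guest ok" (synonym: "public") is enabled.
# Simplification: a "guest ok" default set in [global] is not propagated.
guest_shares() {
    awk '
    function emit() {
        if (sect != "" && tolower(sect) != "global" && guest)
            print sect, "valid_users=" (users == "" ? "-" : users)
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments, blank lines
    /^[ \t]*\[/ {                                  # new section header
        emit()
        sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
        guest = 0; users = ""
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        # Samba ignores case and whitespace in parameter names
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "guestok" || key == "public")
            guest = (tolower(val) ~ /^(yes|true|1)$/)
        else if (key == "validusers")
            users = val
    }
    END { emit() }
    ' "$1"
}

# Constructed sample: the share sections of the smb.conf shown above.
sample_conf() {
    cat <<'EOF'
[printers]
   path = /var/spool/samba
   guest ok = no
[print$]
   path = /var/lib/samba/printers
   guest ok = no
[myshare]
   path = /var2/ablage
   valid users = myuser
   guest ok = yes
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && guest_shares "$tmp"; rm -f "$tmp"
```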
Starting the application
Code Block |
---|
root@lemaker:/etc/init.d# service samba status
* nmbd is not running
* smbd is not running
root@lemaker:/etc/init.d# service samba start
* Starting NetBIOS name server nmbd [ OK ]
* Starting SMB/CIFS daemon smbd [ OK ]
root@lemaker:/etc/init.d# service samba status
* nmbd is running
* smbd is running
root@lemaker:/etc/init.d# |
NSS support
nss stands for Name Service Switch and makes it possible to manage a complete list of all users and groups, regardless of whether they are local users/groups or Samba users/groups.
In normal operation (i.e. not as a primary domain controller), nss is usually provided through the so-called "winbind" service (see Configuring winbind on Ubuntu and joining a domain).
The measures below may therefore not be required.
Code Block |
---|
cp /root/install/samba-4.1.6/bin/default/nsswitch/libnss-winbind.so /lib
cd /lib
mv libnss-winbind.so libnss_winbind.so
ldconfig -v
# test nss
/root/install/samba-4.1.6/bin/nsstest |