Why?

You may need a specific version of Samba that is not available as a package for your Linux distribution.
A manual installation also offers further options for including only certain functions.
On production systems this can provide additional security (so-called hardening).

The example below uses Samba 4.1.6 on Ubuntu 14.04.

Download

https://download.samba.org/pub/samba/stable/

Preparing the installation

Unpack the tar archive downloaded from the server above, preferably into a separate installation directory.

tar -xzf samba-4.1.6.tar.gz

 

Compiling the source code requires the gcc compiler and the related tools, as well as the "make" utility.

apt-get install gcc make

The Python development headers are also required.
If you want support for running Samba as an Active Directory domain controller, the package "libldap2-dev" is needed as well.

apt-get install python-dev
apt-get install libldap2-dev
apt-get install pkg-config
apt-get install git
apt-get install gdb 

Installation

Change into the installation directory (the one created when the tar archive above was unpacked) and enter the following commands.
Configuring and compiling is very time-consuming and can take more than an hour, depending on system speed.

./configure
make
make install

After the installation, the start scripts still have to be created and the PATH settings adjusted.

/etc/init.d/samba
#!/bin/sh

### BEGIN INIT INFO
# Provides:          samba
# Required-Start:
# Required-Stop:
# Default-Start:
# Default-Stop:
# Short-Description: ensure Samba daemons are started (nmbd and smbd)
### END INIT INFO

set -e

# start nmbd, smbd and samba-ad-dc unconditionally
# the init scripts themselves check if they are needed or not

case $1 in
        start)
                /etc/init.d/nmbd start
                /etc/init.d/smbd start
                /etc/init.d/samba-ad-dc start
                ;;
        stop)
                /etc/init.d/samba-ad-dc stop
                /etc/init.d/smbd stop
                /etc/init.d/nmbd stop
                ;;
        reload)
                /etc/init.d/smbd reload
                ;;
        restart|force-reload)
                /etc/init.d/nmbd "$1"
                /etc/init.d/smbd "$1"
                /etc/init.d/samba-ad-dc "$1"
                ;;
        status)
                status=0
                NMBD_DISABLED=`testparm -s --parameter-name='disable netbios' 2>/dev/null || true`
                SERVER_ROLE=`samba-tool testparm --parameter-name="server role"  2>/dev/null | tail -1 || true`
                if [ "$SERVER_ROLE" != "active directory domain controller" ]; then
                        if [ "$NMBD_DISABLED" != "Yes" ]; then
                                /etc/init.d/nmbd status || status=$?
                        fi
                        /etc/init.d/smbd status || status=$?
                else
                        /etc/init.d/samba-ad-dc status || status=$?
                fi
                exit $status
                ;;
        *)
                echo "Usage: /etc/init.d/samba {start|stop|reload|restart|force-reload|status}"
                exit 1
                ;;
esac
/etc/init.d/smbd
#!/bin/sh

### BEGIN INIT INFO
# Provides:          smbd
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Should-Start:      slapd cups
# Should-Stop:       slapd cups
# Short-Description: start Samba SMB/CIFS daemon (smbd)
### END INIT INFO

PIDDIR=/usr/local/samba/var/run
#PIDDIR=/var/run/samba
SMBDPID=$PIDDIR/smbd.pid
PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
export PATH

# clear conflicting settings from the environment

unset TMPDIR

# See if the daemons are there
test -x /usr/local/samba/sbin/smbd || exit 0

. /lib/lsb/init-functions

case $1 in
        start)
                #if init_is_upstart; then
                        #exit 1
                #fi
                SERVER_ROLE=`samba-tool testparm --parameter-name="server role"  2>/dev/null | tail -1`
                if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
                    exit 0
                fi
                log_daemon_msg "Starting SMB/CIFS daemon" smbd

                # Make sure we have our PIDDIR, even if it's on a tmpfs
                install -o root -g root -m 755 -d $PIDDIR

                if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/smbd -- -D; then
                        log_end_msg 1
                        exit 1
                fi
                log_end_msg 0
                ;;
        stop)
                #if init_is_upstart; then
                        #exit 0
                #fi

                log_daemon_msg "Stopping SMB/CIFS daemon" smbd

                start-stop-daemon --stop --quiet --pidfile $SMBDPID
                # Wait a little and remove stale PID file
                sleep 1
                if [ -f $SMBDPID ] && ! ps h `cat $SMBDPID` > /dev/null
                then
                        # Stale PID file, remove it (should be removed by
                        # smbd itself IMHO).
                        rm -f $SMBDPID
                fi
                log_end_msg 0
                ;;
        reload)
                log_daemon_msg "Reloading /etc/samba/smb.conf" smbd
                start-stop-daemon --stop --quiet --signal HUP --pidfile $SMBDPID
                log_end_msg 0
                ;;
        restart|force-reload)
                #if init_is_upstart; then
                        #exit 1
                #fi
                $0 stop
                sleep 1
                $0 start
                ;;
        status)
                status_of_proc -p $SMBDPID /usr/local/samba/sbin/smbd smbd
                exit $?
                ;;
        *)
                echo "Usage: /etc/init.d/smbd {start|stop|reload|restart|force-reload|status}"
                exit 1
                ;;
esac

exit 0 
/etc/init.d/nmbd
#!/bin/sh

### BEGIN INIT INFO
# Provides:          nmbd
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# X-Start-Before:    smbd
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Samba NetBIOS nameserver (nmbd)
### END INIT INFO
 
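PIDDIR=/usr/local/samba/var/run
#PIDDIR=/var/run/samba
NMBDPID=$PIDDIR/nmbd.pid
# samba-tool and testparm live below /usr/local/samba in this installation
PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
export PATH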

# clear conflicting settings from the environment

unset TMPDIR    

# See if the daemons are there

test -x /usr/local/samba/sbin/nmbd || exit 0

. /lib/lsb/init-functions

case $1 in      
        start)
                #if init_is_upstart; then
                        #exit 1
                #fi
                SERVER_ROLE=`samba-tool testparm --parameter-name="server role"  2>/dev/null | tail -1`
                if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
                    exit 0
                fi

                # quoted, so that an empty result is not treated as true
                if [ -n "$(which testparm 2>/dev/null)" ]
                then
                        NMBD_DISABLED=`testparm -s --parameter-name='disable netbios' 2>/dev/null`
                fi
                if [ "$NMBD_DISABLED" != Yes ]; then
                        log_daemon_msg "Starting NetBIOS name server" nmbd
                        # Make sure we have our PIDDIR, even if it's on a tmpfs
                        install -o root -g root -m 755 -d $PIDDIR
                        if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/nmbd -- -D
                        then
                                log_end_msg 1
                                exit 1
                        fi
                        log_end_msg 0
                fi
                ;;
        stop)
                #if init_is_upstart; then
                        #exit 0
                #fi


                log_daemon_msg "Stopping NetBIOS name server" nmbd
                start-stop-daemon --stop --quiet --pidfile $NMBDPID


                # Wait a little and remove stale PID file
                sleep 1
                if [ -f $NMBDPID ] && ! ps h `cat $NMBDPID` > /dev/null
                then
                        # Stale PID file (nmbd was successfully stopped),
                        # remove it (should be removed by nmbd itself IMHO.)
                        rm -f $NMBDPID
                fi
                log_end_msg 0
                ;;
        restart|force-reload)
                #if init_is_upstart; then
                        #exit 1
                #fi
                $0 stop
                sleep 1
                $0 start
                ;;
        status)
                status_of_proc -p $NMBDPID /usr/local/samba/sbin/nmbd nmbd
                exit $?
                ;;
        *)
                echo "Usage: /etc/init.d/nmbd {start|stop|restart|force-reload|status}"
                exit 1
                ;;
esac

exit 0 
/etc/init.d/samba-ad-dc
#! /bin/sh

### BEGIN INIT INFO
# Provides:          samba-ad-dc
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Samba daemons for the AD DC
### END INIT INFO
#
# Start/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#

PIDDIR=/usr/local/samba/var/run

#PIDDIR=/var/run/samba
SAMBAPID=$PIDDIR/samba.pid
PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
export PATH

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemon and the config file are there
test -x /usr/local/samba/sbin/samba -a -r /etc/samba/smb.conf || exit 0

. /lib/lsb/init-functions

case "$1" in
        start)
                SERVER_ROLE=`samba-tool testparm --parameter-name="server role"  2>/dev/null | tail -1`
                if [ "$SERVER_ROLE" != "active directory domain controller" ]; then
                    exit 0
                fi
                #if init_is_upstart; then
                        #exit 1
                #fi
                # CVE-2013-4475
                # The source build keeps its private directory under
                # /usr/local/samba, not /var/lib/samba.
                KEYFILE=/usr/local/samba/private/tls/key.pem
                if [ -e $KEYFILE ]
                then
                                KEYPERMS=`stat -c %a $KEYFILE`
                                if [ "$KEYPERMS" != "600" ]
                                then
                                                echo "wrong permission on $KEYFILE, must be 600"
                                                echo "samba will not start (CVE-2013-4475)"
                                                echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions."
                                                exit 1
                                fi
                fi
                log_daemon_msg "Starting Samba AD DC daemon" "samba"
                # Make sure we have our PIDDIR, even if it's on a tmpfs
                install -o root -g root -m 755 -d $PIDDIR

                if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
                        log_end_msg 1
                        exit 1
                fi
                log_end_msg 0
                ;;
        stop)
                #if init_is_upstart; then
                        #exit 0
                #fi
                log_daemon_msg "Stopping Samba AD DC daemon" "samba"
                start-stop-daemon --stop --quiet --pidfile $SAMBAPID
                # Wait a little and remove stale PID file
                sleep 1
                if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
                then
                        # Stale PID file (samba was successfully stopped),
                        # remove it (should be removed by samba itself IMHO.)
                        rm -f $SAMBAPID
                fi
                log_end_msg 0
                ;;
        restart|force-reload)
                #if init_is_upstart; then
                        #exit 1
                #fi
                $0 stop
                sleep 1
                $0 start
                ;;
        status)
                status_of_proc -p $SAMBAPID /usr/local/samba/sbin/samba samba
                exit $?
                ;;
        *)
                echo "Usage: /etc/init.d/samba-ad-dc {start|stop|restart|force-reload|status}"
                exit 1
                ;;
esac

exit 0
/etc/init.d/winbind
#!/bin/sh

### BEGIN INIT INFO
# Provides:          winbind
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Should-Start:      samba
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Winbind daemon
### END INIT INFO

PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
#PATH=/sbin:/bin:/usr/sbin:/usr/bin

[ -r /etc/default/winbind ] && . /etc/default/winbind

DAEMON=/usr/local/samba/sbin/winbindd
PIDDIR=/usr/local/samba/var/run
#PIDDIR=/var/run/samba
WINBINDPID=$PIDDIR/winbindd.pid

# clear conflicting settings from the environment

unset TMPDIR

# See if the daemon is there
test -x $DAEMON || exit 0
SERVER_ROLE=`samba-tool testparm --parameter-name="server role"  2>/dev/null | tail -1`

if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
    exit 0
fi

. /lib/lsb/init-functions

case "$1" in
        start)
                #if init_is_upstart; then
                        #exit 1
                #fi
                log_daemon_msg "Starting the Winbind daemon" "winbind"
                # exit instead of return: this code is not inside a function
                mkdir -p $PIDDIR/winbindd_privileged || exit 1
                chgrp winbindd_priv $PIDDIR/winbindd_privileged/ || exit 1
                chmod 0750 $PIDDIR/winbindd_privileged/ || exit 1
                start-stop-daemon --start --quiet --oknodo --exec $DAEMON -- $WINBINDD_OPTS
                log_end_msg $?
                ;;
        stop)
                #if init_is_upstart; then
                        #exit 0
                #fi
                log_daemon_msg "Stopping the Winbind daemon" "winbind"
                start-stop-daemon --stop --quiet --oknodo --exec $DAEMON
                log_end_msg $?
                ;;
        restart|force-reload)
                #if init_is_upstart; then
                        #exit 1
                #fi
                $0 stop && sleep 2 && $0 start
                ;;
        status)
                status_of_proc -p $WINBINDPID $DAEMON winbind && exit 0 || exit $?
                ;;
        *)
                echo "Usage: /etc/init.d/winbind {start|stop|restart|force-reload|status}"
                exit 1
                ;;
esac 

 

Naturally, these scripts must have the appropriate permissions:

root@lemaker:/etc/init.d# l smbd nmbd samba samba-ad-dc
-rwxr-xr-x 1 root root 2026 Nov 16 02:40 nmbd
-rwxr-xr-x 1 root root 1266 Nov 16 02:40 samba
-rwxr-xr-x 1 root root 2308 Nov 16 02:40 samba-ad-dc
-rwxr-xr-x 1 root root 2069 Nov 16 02:40 smbd
-rwxr-xr-x 1 root root 1771 Nov 17 02:36 winbind
root@lemaker:/etc/init.d#

A configuration file is also needed for operation.
For compatibility reasons it should be stored in the directory /etc/samba.

/etc/samba/smb.conf
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
[myshare]
   comment = Persoenliche Freigabe fuer User myuser
   guest ok = yes
   browseable = yes
   path = /var2/ablage
   create mask = 0600 
   directory mask = 0700 
   valid users = myuser
   read only = no 


Our manual installation, however, expects the configuration file at /usr/local/samba/etc/smb.conf.
A symbolic link can help here.

root@lemaker:/usr/local/samba/etc# ln -s /etc/samba/smb.conf 
root@lemaker:/usr/local/samba/etc# l
total 8
drwxr-xr-x  2 root root 4096 Nov 16 02:53 .
drwxr-xr-x 10 root root 4096 Nov 16 02:17 ..
lrwxrwxrwx  1 root root   19 Nov 16 02:53 smb.conf -> /etc/samba/smb.conf
root@lemaker:/usr/local/samba/etc#

We also need a log directory, a directory for printer handling, and a winbind group:

mkdir /var/log/samba
mkdir -p /var/lib/samba/printers 
addgroup winbindd_priv

Testing the installation

Once everything is in place, the installation can be tested with Samba's own tool "testparm".

Output of the "testparm" command
root@lemaker:/etc/samba# testparm

Load smb config files from /usr/local/samba/etc/smb.conf

rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Processing section "[myshare]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
	server string = %h server (Samba, Ubuntu)
	server role = standalone server
	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	unix password sync = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	dns proxy = No
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap config * : backend = tdb
[printers]
	comment = All Printers
	path = /var/spool/samba
	create mask = 0700
	printable = Yes
	print ok = Yes
	browseable = No
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers
[myshare]
	comment = Persoenliche Freigabe fuer User myuser
	path = /var2/ablage
	valid users = myuser
	read only = No
	create mask = 0600
	directory mask = 0700
	guest ok = Yes
root@lemaker:/etc/samba#
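
testparm checks that the configuration file is valid, but it does not comment on who may access a share. The following added example (not part of the original page) lists shares that allow guest access, including the "public" synonym, and reports [myshare] above, where "guest ok = yes" is combined with "valid users". The helper names and the [scans] share are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not from the original page: list shares that allow guest access.
# audit_guest_shares and sample_conf are hypothetical helper names.
audit_guest_shares() {
    # Reads smb.conf syntax from the files given as arguments, or from stdin.
    # Only per-share settings are evaluated; [global] defaults are not resolved.
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    function truthy(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function report() {
        if (section == "" || section == "global" || !guest) return
        if (users != "")
            printf "%s: guest ok with valid users = %s\n", section, users
        else if (writable)
            printf "%s: guest ok and writable\n", section
        else
            printf "%s: guest ok, read only\n", section
    }
    /^[ \t]*[#;]/ || /^[ \t\r]*$/ { next }     # comments and blank lines
    /^[ \t]*\[/ {                              # new section: report the previous one
        report()
        section = tolower(trim($0))
        sub(/^\[/, "", section); sub(/\].*$/, "", section)
        guest = 0; writable = 0; users = ""
        next
    }
    {
        eq = index($0, "=")                    # only the first "=" is significant
        if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1))
        gsub(/[ \t]/, "", key)                 # whitespace in parameter names is ignored
        val = trim(substr($0, eq + 1))
        if (key == "guestok" || key == "public") guest = truthy(val)
        else if (key == "readonly") writable = !truthy(val)
        else if (key == "writeable" || key == "writable" || key == "writeok") writable = truthy(val)
        else if (key == "validusers") users = val
    }
    END { report() }
    ' "$@"
}

sample_conf() {
    # Constructed sample: [myshare] as on this page, [scans] is invented.
    cat <<'EOF'
[global]
   map to guest = bad user
[printers]
   guest ok = no
[myshare]
   guest ok = yes
   valid users = myuser
   read only = no
[scans]
   Public = Yes
   writeable = yes
EOF
}
sample_conf | audit_guest_shares
```

On a real system the function can be given /etc/samba/smb.conf as its argument.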

Starting the application

root@lemaker:/etc/init.d# service samba status
 * nmbd is not running
 * smbd is not running
root@lemaker:/etc/init.d# service samba start
 * Starting NetBIOS name server nmbd                                                                                      [ OK ] 
 * Starting SMB/CIFS daemon smbd                                                                                          [ OK ] 
root@lemaker:/etc/init.d# service samba status
 * nmbd is running
 * smbd is running
root@lemaker:/etc/init.d#

NSS support

NSS stands for Name Service Switch and makes it possible to manage a complete list of all users and groups, regardless of whether they are local users/groups or Samba users/groups.

In normal operation (that is, not as a primary domain controller), NSS is usually provided through the "winbind" service (see "Configuring winbind on Ubuntu and joining a domain").

The steps below may therefore not be necessary.

cp /root/install/samba-4.1.6/bin/default/nsswitch/libnss-winbind.so /lib
cd /lib
mv libnss-winbind.so libnss_winbind.so
ldconfig -v
# test nss
/root/install/samba-4.1.6/bin/nsstest