Warum ?
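Möglicherweise benötigen Sie eine bestimmte Version von Samba. Diese ist aber u.U. nicht als Paket für Ihre Linux-Distribution verfügbar.
Ferner bestehen bei der manuellen Installation weitere Möglichkeiten, nur bestimmte Funktionen zu implementieren.
Das kann der zusätzlichen Sicherheit bei Produktionssystemen dienen (sog. Hardening), weil nicht installierte Funktionen auch keine Angriffsfläche bieten.
Im u.a. Beispiel wird die Version Samba 4.1.6 auf Ubuntu 14.04 verwendet. Die Samba-Reihe 4.1 erhält vom Samba-Projekt keine Sicherheitsupdates mehr; auf produktiven Systemen sollte deshalb eine aktuell gepflegte Version übersetzt werden.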
Download
https://download.samba.org/pub/samba/stable/
Installationsvorbereitung
Das auf dem o.g. Server heruntergeladene tar-Archiv entpacken, am besten in ein separates Installationsverzeichnis.
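# Check the release signature before unpacking: the code is later built and
# installed as root. Samba signs the uncompressed tarball, so decompress
# first. This needs the detached signature (samba-4.1.6.tar.asc) from the
# download server and the Samba release key in the local GnuPG keyring.
gunzip -c samba-4.1.6.tar.gz > samba-4.1.6.tar
# Unpack only if the signature verifies.
gpg --verify samba-4.1.6.tar.asc samba-4.1.6.tar && tar -xf samba-4.1.6.tar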
Zur Übersetzung des Quellcodes müssen ein gcc-Compiler und die zugehörigen Tools sowie das sog. "make"-Utility vorhanden sein.
Ferner werden die "python development headers" benötigt.
Wenn man Support für einen Samba-Betrieb als Active Directory Domain Controller haben möchte, wird auch das Paket "libldap2-dev" benötigt.
# Build prerequisites, installed one package per apt-get call:
# Python headers, LDAP headers (AD DC support), pkg-config, git and gdb.
for pkg in python-dev libldap2-dev pkg-config git gdb; do
  apt-get install "$pkg"
done
Installation
Wechseln Sie in das Installationsverzeichnis (welches nach dem Auspacken des o.g. tar-Archives entstanden ist) und geben Sie nacheinander die folgenden Befehle ein.
Das Konfigurieren und Kompilieren ist sehr aufwändig und kann je nach Systemgeschwindigkeit über 1 Stunde dauern.
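# Configure, build and install as one chain: a failed step stops the
# sequence, so "make install" never installs a partial build.
# "./configure --help" lists the switches for leaving features out.
# Configuring and compiling do not need root; only "make install" writes
# to the install prefix (/usr/local/samba in this guide).
./configure && make && make install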
Nach der Installation müssen noch die Startscripte erstellt und die PATH-Einstellungen angepasst werden.
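#!/bin/sh
### BEGIN INIT INFO
# Provides: samba
# Required-Start:
# Required-Stop:
# Default-Start:
# Default-Stop:
# Short-Description: ensure Samba daemons are started (nmbd and smbd)
### END INIT INFO

# Umbrella init script: forwards the requested action to the nmbd, smbd
# and samba-ad-dc init scripts.
# Usage: /etc/init.d/samba {start|stop|reload|restart|force-reload|status}

set -e

# testparm and samba-tool are called below and live in the source-build
# prefix; the smbd, samba-ad-dc and winbind scripts extend PATH the same way.
# The script runs as root, so these directories must be writable by root only.
PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
export PATH

# start nmbd, smbd and samba-ad-dc unconditionally
# the init scripts themselves check if they are needed or not
case "$1" in
  start)
    /etc/init.d/nmbd start
    /etc/init.d/smbd start
    /etc/init.d/samba-ad-dc start
    ;;
  stop)
    # Reverse order of start.
    /etc/init.d/samba-ad-dc stop
    /etc/init.d/smbd stop
    /etc/init.d/nmbd stop
    ;;
  reload)
    /etc/init.d/smbd reload
    ;;
  restart|force-reload)
    /etc/init.d/nmbd "$1"
    /etc/init.d/smbd "$1"
    /etc/init.d/samba-ad-dc "$1"
    ;;
  status)
    status=0
    # "|| true" keeps set -e from aborting when a tool is missing or fails;
    # the variables are then simply empty.
    NMBD_DISABLED=$(testparm -s --parameter-name='disable netbios' 2>/dev/null || true)
    SERVER_ROLE=$(samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1 || true)
    if [ "$SERVER_ROLE" != "active directory domain controller" ]; then
      if [ "$NMBD_DISABLED" != "Yes" ]; then
        /etc/init.d/nmbd status || status=$?
      fi
      /etc/init.d/smbd status || status=$?
    else
      /etc/init.d/samba-ad-dc status || status=$?
    fi
    # Exit with the last non-zero status collected above, or 0.
    exit "$status"
    ;;
  *)
    echo "Usage: /etc/init.d/samba {start|stop|reload|restart|force-reload|status}"
    exit 1
    ;;
esac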
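#!/bin/sh
### BEGIN INIT INFO
# Provides: smbd
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Should-Start: slapd cups
# Should-Stop: slapd cups
# Short-Description: start Samba SMB/CIFS daemon (smbd)
### END INIT INFO

# Init script for the smbd binary installed under /usr/local/samba.
# Usage: /etc/init.d/smbd {start|stop|reload|restart|force-reload|status}

PIDDIR=/usr/local/samba/var/run
#PIDDIR=/var/run/samba
SMBDPID=$PIDDIR/smbd.pid

# The script runs as root: every directory placed in front of PATH must be
# writable by root only.
PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
export PATH

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemons are there
test -x /usr/local/samba/sbin/smbd || exit 0

. /lib/lsb/init-functions

case "$1" in
  start)
    #if init_is_upstart; then
    #  exit 1
    #fi
    # Nothing to start here when the server role is AD DC; that role is
    # handled by the samba-ad-dc script.
    SERVER_ROLE=$(samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1)
    if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
      exit 0
    fi

    log_daemon_msg "Starting SMB/CIFS daemon" smbd
    # Make sure we have our PIDDIR, even if it's on a tmpfs
    install -o root -g root -m 755 -d "$PIDDIR"

    if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/smbd -- -D; then
      log_end_msg 1
      exit 1
    fi

    log_end_msg 0
    ;;
  stop)
    #if init_is_upstart; then
    #  exit 0
    #fi
    log_daemon_msg "Stopping SMB/CIFS daemon" smbd

    start-stop-daemon --stop --quiet --pidfile "$SMBDPID"
    # Wait a little and remove stale PID file
    sleep 1
    # Quoted so that an empty or odd PID file makes ps fail (and the file
    # get removed) instead of ps running without a PID argument.
    if [ -f "$SMBDPID" ] && ! ps h "$(cat "$SMBDPID")" > /dev/null; then
      # Stale PID file, remove it (should be removed by
      # smbd itself IMHO).
      rm -f "$SMBDPID"
    fi

    log_end_msg 0
    ;;
  reload)
    log_daemon_msg "Reloading /etc/samba/smb.conf" smbd

    # HUP is sent to the process named in the PID file.
    start-stop-daemon --stop --quiet --signal HUP --pidfile "$SMBDPID"

    log_end_msg 0
    ;;
  restart|force-reload)
    #if init_is_upstart; then
    #  exit 1
    #fi
    "$0" stop
    sleep 1
    "$0" start
    ;;
  status)
    status_of_proc -p "$SMBDPID" /usr/local/samba/sbin/smbd smbd
    exit $?
    ;;
  *)
    echo "Usage: /etc/init.d/smbd {start|stop|reload|restart|force-reload|status}"
    exit 1
    ;;
esac

exit 0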
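#!/bin/sh
### BEGIN INIT INFO
# Provides: nmbd
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# X-Start-Before: smbd
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start Samba NetBIOS nameserver (nmbd)
### END INIT INFO

# Init script for the nmbd binary installed under /usr/local/samba.
# Usage: /etc/init.d/nmbd {start|stop|restart|force-reload|status}

PIDDIR=/usr/local/samba/var/run
#PIDDIR=/var/run/samba
NMBDPID=$PIDDIR/nmbd.pid

# samba-tool and testparm are called below and live in the source-build
# prefix; the smbd, samba-ad-dc and winbind scripts extend PATH the same
# way. The script runs as root, so these directories must be writable by
# root only.
PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
export PATH

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemons are there
test -x /usr/local/samba/sbin/nmbd || exit 0

. /lib/lsb/init-functions

case "$1" in
  start)
    #if init_is_upstart; then
    #  exit 1
    #fi
    # Nothing to start here when the server role is AD DC.
    SERVER_ROLE=$(samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1)
    if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
      exit 0
    fi

    # Start from an empty value so a variable inherited from the
    # environment cannot suppress the start.
    NMBD_DISABLED=
    # "command -v" replaces the unquoted `which` test, which was true even
    # when testparm was not found.
    if command -v testparm > /dev/null 2>&1; then
      NMBD_DISABLED=$(testparm -s --parameter-name='disable netbios' 2>/dev/null)
    fi

    if [ "$NMBD_DISABLED" != Yes ]; then
      log_daemon_msg "Starting NetBIOS name server" nmbd
      # Make sure we have our PIDDIR, even if it's on a tmpfs
      install -o root -g root -m 755 -d "$PIDDIR"

      if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/nmbd -- -D; then
        log_end_msg 1
        exit 1
      fi
      log_end_msg 0
    fi
    ;;
  stop)
    #if init_is_upstart; then
    #  exit 0
    #fi
    log_daemon_msg "Stopping NetBIOS name server" nmbd

    start-stop-daemon --stop --quiet --pidfile "$NMBDPID"
    # Wait a little and remove stale PID file
    sleep 1
    # Quoted so that an empty or odd PID file makes ps fail (and the file
    # get removed) instead of ps running without a PID argument.
    if [ -f "$NMBDPID" ] && ! ps h "$(cat "$NMBDPID")" > /dev/null; then
      # Stale PID file (nmbd was successfully stopped),
      # remove it (should be removed by nmbd itself IMHO.)
      rm -f "$NMBDPID"
    fi

    log_end_msg 0
    ;;
  restart|force-reload)
    #if init_is_upstart; then
    #  exit 1
    #fi
    "$0" stop
    sleep 1
    "$0" start
    ;;
  status)
    status_of_proc -p "$NMBDPID" /usr/local/samba/sbin/nmbd nmbd
    exit $?
    ;;
  *)
    echo "Usage: /etc/init.d/nmbd {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac

exit 0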
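#! /bin/sh
### BEGIN INIT INFO
# Provides: samba-ad-dc
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start Samba daemons for the AD DC
### END INIT INFO

#
# Start/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#
# Usage: /etc/init.d/samba-ad-dc {start|stop|restart|force-reload|status}

PIDDIR=/usr/local/samba/var/run
#PIDDIR=/var/run/samba
SAMBAPID=$PIDDIR/samba.pid

# The script runs as root: every directory placed in front of PATH must be
# writable by root only.
PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
export PATH

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemon and the config file are there
# (two tests joined with && instead of the obsolescent "test ... -a ...")
[ -x /usr/local/samba/sbin/samba ] && [ -r /etc/samba/smb.conf ] || exit 0

. /lib/lsb/init-functions

case "$1" in
  start)
    # Only an AD DC runs the samba binary; other roles use smbd/nmbd.
    SERVER_ROLE=$(samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1)
    if [ "$SERVER_ROLE" != "active directory domain controller" ]; then
      exit 0
    fi

    #if init_is_upstart; then
    #  exit 1
    #fi

    # CVE-2013-4475: refuse to start when the TLS private key is readable
    # by anyone but its owner.
    # The original check looked only at the packaged location under
    # /var/lib/samba. A plain "./configure" build installs under
    # /usr/local/samba, so its key is presumably under
    # /usr/local/samba/private and the guard was silently skipped.
    # NOTE(review): confirm the compiled-in PRIVATE_DIR with "smbd -b".
    for KEYFILE in /usr/local/samba/private/tls/key.pem \
                   /var/lib/samba/private/tls/key.pem; do
      if [ -e "$KEYFILE" ]; then
        KEYPERMS=$(stat -c %a "$KEYFILE")
        if [ "$KEYPERMS" != "600" ]; then
          echo "wrong permission on $KEYFILE, must be 600"
          echo "samba will not start (CVE-2013-4475)"
          echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions."
          exit 1
        fi
      fi
    done

    log_daemon_msg "Starting Samba AD DC daemon" "samba"
    # Make sure we have our PIDDIR, even if it's on a tmpfs
    install -o root -g root -m 755 -d "$PIDDIR"

    if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
      log_end_msg 1
      exit 1
    fi

    log_end_msg 0
    ;;
  stop)
    #if init_is_upstart; then
    #  exit 0
    #fi
    log_daemon_msg "Stopping Samba AD DC daemon" "samba"

    start-stop-daemon --stop --quiet --pidfile "$SAMBAPID"
    # Wait a little and remove stale PID file
    sleep 1
    # Quoted so that an empty or odd PID file makes ps fail (and the file
    # get removed) instead of ps running without a PID argument.
    if [ -f "$SAMBAPID" ] && ! ps h "$(cat "$SAMBAPID")" > /dev/null; then
      # Stale PID file (samba was successfully stopped),
      # remove it (should be removed by samba itself IMHO.)
      rm -f "$SAMBAPID"
    fi

    log_end_msg 0
    ;;
  restart|force-reload)
    #if init_is_upstart; then
    #  exit 1
    #fi
    "$0" stop
    sleep 1
    "$0" start
    ;;
  status)
    status_of_proc -p "$SAMBAPID" /usr/local/samba/sbin/samba samba
    exit $?
    ;;
  *)
    echo "Usage: /etc/init.d/samba-ad-dc {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac

exit 0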
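#!/bin/sh
### BEGIN INIT INFO
# Provides: winbind
# Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog
# Should-Start: samba
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start Winbind daemon
### END INIT INFO

# Init script for the winbindd binary installed under /usr/local/samba.
# Usage: /etc/init.d/winbind {start|stop|restart|force-reload|status}

# The script runs as root: every directory placed in front of PATH must be
# writable by root only.
PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
#PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH

# Optional settings file; it is sourced as root and may set WINBINDD_OPTS,
# so it must be writable by root only.
[ -r /etc/default/winbind ] && . /etc/default/winbind

DAEMON=/usr/local/samba/sbin/winbindd
PIDDIR=/usr/local/samba/var/run
#PIDDIR=/var/run/samba
WINBINDPID=$PIDDIR/winbindd.pid

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemon is there
test -x "$DAEMON" || exit 0

# Do nothing at all when the server role is AD DC.
SERVER_ROLE=$(samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1)
if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
  exit 0
fi

. /lib/lsb/init-functions

case "$1" in
  start)
    #if init_is_upstart; then
    #  exit 1
    #fi
    log_daemon_msg "Starting the Winbind daemon" "winbind"

    # The privileged directory is restricted to group winbindd_priv (mode
    # 0750). If it cannot be created or restricted, abort the start.
    # The original used "return 1" here, which is not valid outside a
    # function and does not reliably stop the script.
    if ! mkdir -p "$PIDDIR/winbindd_privileged" ||
       ! chgrp winbindd_priv "$PIDDIR/winbindd_privileged/" ||
       ! chmod 0750 "$PIDDIR/winbindd_privileged/"; then
      log_end_msg 1
      exit 1
    fi

    # WINBINDD_OPTS is deliberately unquoted: it may hold several options.
    # shellcheck disable=SC2086
    start-stop-daemon --start --quiet --oknodo --exec "$DAEMON" -- $WINBINDD_OPTS
    log_end_msg $?
    ;;
  stop)
    #if init_is_upstart; then
    #  exit 0
    #fi
    log_daemon_msg "Stopping the Winbind daemon" "winbind"
    start-stop-daemon --stop --quiet --oknodo --exec "$DAEMON"
    log_end_msg $?
    ;;
  restart|force-reload)
    #if init_is_upstart; then
    #  exit 1
    #fi
    "$0" stop && sleep 2 && "$0" start
    ;;
  status)
    status_of_proc -p "$WINBINDPID" "$DAEMON" winbind && exit 0 || exit $?
    ;;
  *)
    echo "Usage: /etc/init.d/winbind {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac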
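Selbstverständlich müssen diese Scripte die passenden Berechtigungen aufweisen: Sie werden als root ausgeführt und sollten daher root gehören und nur für root schreibbar sein (wie in der folgenden Ausgabe: rwxr-xr-x, root root).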
root@lemaker:/etc/init.d# l smbd nmbd samba samba-ad-dc
-rwxr-xr-x 1 root root 2026 Nov 16 02:40 nmbd
-rwxr-xr-x 1 root root 1266 Nov 16 02:40 samba
-rwxr-xr-x 1 root root 2308 Nov 16 02:40 samba-ad-dc
-rwxr-xr-x 1 root root 2069 Nov 16 02:40 smbd
-rwxr-xr-x 1 root root 1771 Nov 17 02:36 winbind
root@lemaker:/etc/init.d#
Für den Betrieb wird noch eine Konfigurationsdatei benötigt.
Diese sollte aus Kompatibilitätsgründen im Verzeichnis /etc/samba gespeichert werden.
# Sample smb.conf for a standalone file and print server.
# Comments are kept on lines of their own, starting with '#'.
[global]
workgroup = WORKGROUP
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
# Password changes are passed on to the Unix account via the program and
# chat script below.
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
# Logins with an unknown user name are treated as guest logins.
# NOTE(review): together with any "guest ok = yes" share this allows
# anonymous access; use "map to guest = never" if no guest access is wanted.
map to guest = bad user
# NOTE(review): lets user-defined shares (usershares) allow guests; set to
# "no" unless that is required.
usershare allow guests = yes
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
[myshare]
comment = Persoenliche Freigabe fuer User myuser
# NOTE(review): "guest ok = yes" contradicts a personal, writable share.
# "valid users" below presumably still limits access to myuser, but set
# "guest ok = no" so that access does not depend on that interaction.
guest ok = yes
browseable = yes
path = /var2/ablage
create mask = 0600
directory mask = 0700
valid users = myuser
read only = no
Unsere manuelle Installation erwartet die Konfigurationsdatei aber in /usr/local/samba/etc/smb.conf
Hier kann ein symbolischer Link helfen.
root@lemaker:/usr/local/samba/etc# ln -s /etc/samba/smb.conf
root@lemaker:/usr/local/samba/etc# l
total 8
drwxr-xr-x 2 root root 4096 Nov 16 02:53 .
drwxr-xr-x 10 root root 4096 Nov 16 02:17 ..
lrwxrwxrwx 1 root root 19 Nov 16 02:53 smb.conf -> /etc/samba/smb.conf
root@lemaker:/usr/local/samba/etc#
Dann benötigen wir noch ein log-Verzeichnis, sowie ein Verzeichnis für das Handling des Druckers und eine Winbind-Gruppe:
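# Log directory for "log file = /var/log/samba/log.%m". -p keeps the
# command repeatable; the log file names contain client machine names, so
# the directory is not left world-readable.
mkdir -p /var/log/samba
chmod 0750 /var/log/samba
# Directory behind the [print$] share.
mkdir -p /var/lib/samba/printers
# Group that the winbind init script gives the winbindd_privileged
# directory to; created as a system group.
addgroup --system winbindd_priv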
Test der Installation
Wenn nun alles perfekt ist, kann die Installation mit dem samba-eigenen Tool "testparm" getestet werden.
root@lemaker:/etc/samba# testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Processing section "[myshare]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
server string = %h server (Samba, Ubuntu)
server role = standalone server
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
print ok = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[myshare]
comment = Persoenliche Freigabe fuer User myuser
path = /var2/ablage
valid users = myuser
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
root@lemaker:/etc/samba#
Start der Anwendung
root@lemaker:/etc/init.d# service samba status
* nmbd is not running
* smbd is not running
root@lemaker:/etc/init.d# service samba start
* Starting NetBIOS name server nmbd [ OK ]
* Starting SMB/CIFS daemon smbd [ OK ]
root@lemaker:/etc/init.d# service samba status
* nmbd is running
* smbd is running
root@lemaker:/etc/init.d#
nss-Support
nss steht für Name Service Switch und bietet die Möglichkeit, eine vollständige Liste aller Benutzer und Gruppen zu verwalten, unabhängig davon, ob es lokale Benutzer/Gruppen oder Samba-Benutzer/Gruppen sind.
Im Normalbetrieb (also nicht als primärer Domaincontroller) wird nss in der Regel über den sogenannten "winbind"-Service bereitgestellt. (siehe Konfiguration winbind unter UBUNTU und Aufnahme in eine Domain )
Daher sind die u.a. Maßnahmen evtl. nicht erforderlich.
# Put the freshly built winbind NSS module into /lib under the name with an
# underscore, then refresh the linker cache.
# NOTE(review): a module in /lib is loaded by programs doing name lookups;
# keep the file owned by root and not writable by group or others.
cd /lib
cp /root/install/samba-4.1.6/bin/default/nsswitch/libnss-winbind.so libnss_winbind.so
ldconfig -v
# Test NSS with the helper from the build tree
/root/install/samba-4.1.6/bin/nsstest