You may need a specific version of Samba that is not available as a package for your Linux distribution.
In addition, a manual installation makes it possible to build in only certain functions.
This can provide additional security on production systems (so-called hardening).
The example below uses Samba 4.1.6 on Ubuntu 14.04.
https://download.samba.org/pub/samba/stable/
Unpack the tar archive downloaded from the server above, preferably into a separate installation directory.

    tar -xzf samba-4.1.6.tar.gz
To compile the source code, a gcc compiler with the corresponding tools and the "make" utility must be installed.

    apt-get install gcc make
The "python development headers" are also required.
If you want support for running Samba as an Active Directory domain controller, the package "libldap2-dev" is required as well.

    apt-get install python-dev
    apt-get install libldap2-dev
    apt-get install pkg-config
    apt-get install git
    apt-get install gdb
Change into the installation directory (created when the tar archive above was unpacked) and enter the following commands.
Configuring and compiling is very time-consuming and can take more than 1 hour, depending on system speed.

    ./configure
    make
    make install
After the installation, the start scripts still have to be created and the PATH settings adjusted.

    #!/bin/sh

    ### BEGIN INIT INFO
    # Provides:          samba
    # Required-Start:
    # Required-Stop:
    # Default-Start:
    # Default-Stop:
    # Short-Description: ensure Samba daemons are started (nmbd and smbd)
    ### END INIT INFO

    set -e

    # start nmbd, smbd and samba-ad-dc unconditionally
    # the init scripts themselves check if they are needed or not
    case $1 in
        start)
            /etc/init.d/nmbd start
            /etc/init.d/smbd start
            /etc/init.d/samba-ad-dc start
            ;;
        stop)
            /etc/init.d/samba-ad-dc stop
            /etc/init.d/smbd stop
            /etc/init.d/nmbd stop
            ;;
        reload)
            /etc/init.d/smbd reload
            ;;
        restart|force-reload)
            /etc/init.d/nmbd "$1"
            /etc/init.d/smbd "$1"
            /etc/init.d/samba-ad-dc "$1"
            ;;
        status)
            status=0
            NMBD_DISABLED=`testparm -s --parameter-name='disable netbios' 2>/dev/null || true`
            SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1 || true`
            if [ "$SERVER_ROLE" != "active directory domain controller" ]; then
                if [ "$NMBD_DISABLED" != "Yes" ]; then
                    /etc/init.d/nmbd status || status=$?
                fi
                /etc/init.d/smbd status || status=$?
            else
                /etc/init.d/samba-ad-dc status || status=$?
            fi
            exit $status
            ;;
        *)
            echo "Usage: /etc/init.d/samba {start|stop|reload|restart|force-reload|status}"
            exit 1
            ;;
    esac


    #!/bin/sh

    ### BEGIN INIT INFO
    # Provides:          smbd
    # Required-Start:    $network $local_fs $remote_fs
    # Required-Stop:     $network $local_fs $remote_fs
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Should-Start:      slapd cups
    # Should-Stop:       slapd cups
    # Short-Description: start Samba SMB/CIFS daemon (smbd)
    ### END INIT INFO

    PIDDIR=/usr/local/samba/var/run
    #PIDDIR=/var/run/samba
    SMBDPID=$PIDDIR/smbd.pid

    PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
    export PATH

    # clear conflicting settings from the environment
    unset TMPDIR

    # See if the daemons are there
    test -x /usr/local/samba/sbin/smbd || exit 0

    . /lib/lsb/init-functions

    case $1 in
        start)
            #if init_is_upstart; then
            #    exit 1
            #fi
            SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
            if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
                exit 0
            fi

            log_daemon_msg "Starting SMB/CIFS daemon" smbd
            # Make sure we have our PIDDIR, even if it's on a tmpfs
            install -o root -g root -m 755 -d $PIDDIR

            if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/smbd -- -D; then
                log_end_msg 1
                exit 1
            fi

            log_end_msg 0
            ;;
        stop)
            #if init_is_upstart; then
            #    exit 0
            #fi

            log_daemon_msg "Stopping SMB/CIFS daemon" smbd

            start-stop-daemon --stop --quiet --pidfile $SMBDPID
            # Wait a little and remove stale PID file
            sleep 1
            if [ -f $SMBDPID ] && ! ps h `cat $SMBDPID` > /dev/null
            then
                # Stale PID file, remove it (should be removed by
                # smbd itself IMHO).
                rm -f $SMBDPID
            fi

            log_end_msg 0
            ;;
        reload)
            log_daemon_msg "Reloading /etc/samba/smb.conf" smbd

            start-stop-daemon --stop --quiet --signal HUP --pidfile $SMBDPID

            log_end_msg 0
            ;;
        restart|force-reload)
            #if init_is_upstart; then
            #    exit 1
            #fi
            $0 stop
            sleep 1
            $0 start
            ;;
        status)
            status_of_proc -p $SMBDPID /usr/local/samba/sbin/smbd smbd
            exit $?
            ;;
        *)
            echo "Usage: /etc/init.d/smbd {start|stop|reload|restart|force-reload|status}"
            exit 1
            ;;
    esac

    exit 0


    #!/bin/sh

    ### BEGIN INIT INFO
    # Provides:          nmbd
    # Required-Start:    $network $local_fs $remote_fs
    # Required-Stop:     $network $local_fs $remote_fs
    # X-Start-Before:    smbd
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: start Samba NetBIOS nameserver (nmbd)
    ### END INIT INFO

    PIDDIR=/usr/local/samba/var/run
    #PIDDIR=/var/run/samba
    NMBDPID=$PIDDIR/nmbd.pid

    # clear conflicting settings from the environment
    unset TMPDIR

    # See if the daemons are there
    test -x /usr/local/samba/sbin/nmbd || exit 0

    . /lib/lsb/init-functions

    case $1 in
        start)
            #if init_is_upstart; then
            #    exit 1
            #fi
            SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
            if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
                exit 0
            fi

            # Quoted so that an empty result is really treated as "not found"
            if [ -n "`which testparm`" ]
            then
                NMBD_DISABLED=`testparm -s --parameter-name='disable netbios' 2>/dev/null`
            fi
            if [ "$NMBD_DISABLED" != Yes ]; then
                log_daemon_msg "Starting NetBIOS name server" nmbd
                # Make sure we have our PIDDIR, even if it's on a tmpfs
                install -o root -g root -m 755 -d $PIDDIR

                if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/nmbd -- -D
                then
                    log_end_msg 1
                    exit 1
                fi
                log_end_msg 0
            fi
            ;;
        stop)
            #if init_is_upstart; then
            #    exit 0
            #fi

            log_daemon_msg "Stopping NetBIOS name server" nmbd

            start-stop-daemon --stop --quiet --pidfile $NMBDPID
            # Wait a little and remove stale PID file
            sleep 1
            if [ -f $NMBDPID ] && ! ps h `cat $NMBDPID` > /dev/null
            then
                # Stale PID file (nmbd was successfully stopped),
                # remove it (should be removed by nmbd itself IMHO.)
                rm -f $NMBDPID
            fi

            log_end_msg 0
            ;;
        restart|force-reload)
            #if init_is_upstart; then
            #    exit 1
            #fi
            $0 stop
            sleep 1
            $0 start
            ;;
        status)
            status_of_proc -p $NMBDPID /usr/local/samba/sbin/nmbd nmbd
            exit $?
            ;;
        *)
            echo "Usage: /etc/init.d/nmbd {start|stop|restart|force-reload|status}"
            exit 1
            ;;
    esac

    exit 0


    #! /bin/sh

    ### BEGIN INIT INFO
    # Provides:          samba-ad-dc
    # Required-Start:    $network $local_fs $remote_fs
    # Required-Stop:     $network $local_fs $remote_fs
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: start Samba daemons for the AD DC
    ### END INIT INFO

    #
    # Start/stops the Samba daemon (samba).
    # Adapted from the Samba 3 packages.
    #

    PIDDIR=/usr/local/samba/var/run
    #PIDDIR=/var/run/samba
    SAMBAPID=$PIDDIR/samba.pid

    PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
    export PATH

    # clear conflicting settings from the environment
    unset TMPDIR

    # See if the daemon and the config file are there
    test -x /usr/local/samba/sbin/samba -a -r /etc/samba/smb.conf || exit 0

    . /lib/lsb/init-functions

    case "$1" in
        start)
            SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
            if [ "$SERVER_ROLE" != "active directory domain controller" ]; then
                exit 0
            fi

            #if init_is_upstart; then
            #    exit 1
            #fi

            # CVE-2013-4475
            KEYFILE=/var/lib/samba/private/tls/key.pem
            if [ -e $KEYFILE ]
            then
                KEYPERMS=`stat -c %a $KEYFILE`
                if [ "$KEYPERMS" != "600" ]
                then
                    echo "wrong permission on $KEYFILE, must be 600"
                    echo "samba will not start (CVE-2013-4475)"
                    echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions."
                    exit 1
                fi
            fi

            log_daemon_msg "Starting Samba AD DC daemon" "samba"
            # Make sure we have our PIDDIR, even if it's on a tmpfs
            install -o root -g root -m 755 -d $PIDDIR

            if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
                log_end_msg 1
                exit 1
            fi

            log_end_msg 0
            ;;
        stop)
            #if init_is_upstart; then
            #    exit 0
            #fi
            log_daemon_msg "Stopping Samba AD DC daemon" "samba"

            start-stop-daemon --stop --quiet --pidfile $SAMBAPID
            # Wait a little and remove stale PID file
            sleep 1
            if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
            then
                # Stale PID file (samba was successfully stopped),
                # remove it (should be removed by samba itself IMHO.)
                rm -f $SAMBAPID
            fi

            log_end_msg 0
            ;;
        restart|force-reload)
            #if init_is_upstart; then
            #    exit 1
            #fi
            $0 stop
            sleep 1
            $0 start
            ;;
        status)
            status_of_proc -p $SAMBAPID /usr/local/samba/sbin/samba samba
            exit $?
            ;;
        *)
            echo "Usage: /etc/init.d/samba-ad-dc {start|stop|restart|force-reload|status}"
            exit 1
            ;;
    esac

    exit 0

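
The key-permission check in the script above only looks at /var/lib/samba/private/tls/key.pem, so a key stored elsewhere is never tested. The following added example (not part of the original script) applies the same mode-600 test to several candidate paths; the second path assumes the private directory of a build installed under /usr/local/samba, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: apply the init script's mode-600 test to every candidate key.
# First path: the one hard-coded in the script above.
# Second path: assumed private directory of a build installed under /usr/local/samba.
TLS_KEY_CANDIDATES="/var/lib/samba/private/tls/key.pem /usr/local/samba/private/tls/key.pem"

# key_mode_ok FILE: succeeds if FILE is absent or has exactly mode 600.
key_mode_ok() {
    [ -e "$1" ] || return 0
    [ "$(stat -c %a "$1")" = "600" ]
}

# check_tls_keys FILE...: report every candidate, return 1 if any mode is wrong.
check_tls_keys() {
    rc=0
    for key in "$@"; do
        if [ ! -e "$key" ]; then
            echo "not present: $key"
        elif key_mode_ok "$key"; then
            echo "ok (600): $key"
        else
            echo "wrong permission on $key, must be 600" >&2
            rc=1
        fi
    done
    return $rc
}

# Unquoted on purpose: the variable holds a space-separated list of paths.
check_tls_keys $TLS_KEY_CANDIDATES || echo "fix key permissions before starting samba" >&2
```
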

    #!/bin/sh

    ### BEGIN INIT INFO
    # Provides:          winbind
    # Required-Start:    $network $remote_fs $syslog
    # Required-Stop:     $network $remote_fs $syslog
    # Should-Start:      samba
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: start Winbind daemon
    ### END INIT INFO

    PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
    #PATH=/sbin:/bin:/usr/sbin:/usr/bin

    [ -r /etc/default/winbind ] && . /etc/default/winbind

    DAEMON=/usr/local/samba/sbin/winbindd
    PIDDIR=/usr/local/samba/var/run
    #PIDDIR=/var/run/samba
    WINBINDPID=$PIDDIR/winbindd.pid

    # clear conflicting settings from the environment
    unset TMPDIR

    # See if the daemon is there
    test -x $DAEMON || exit 0

    SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
    if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
        exit 0
    fi

    . /lib/lsb/init-functions

    case "$1" in
        start)
            #if init_is_upstart; then
            #    exit 1
            #fi
            log_daemon_msg "Starting the Winbind daemon" "winbind"

            # exit (not return): this code runs outside of any function
            mkdir -p $PIDDIR/winbindd_privileged || exit 1
            chgrp winbindd_priv $PIDDIR/winbindd_privileged/ || exit 1
            chmod 0750 $PIDDIR/winbindd_privileged/ || exit 1
            start-stop-daemon --start --quiet --oknodo --exec $DAEMON -- $WINBINDD_OPTS
            log_end_msg $?
            ;;
        stop)
            #if init_is_upstart; then
            #    exit 0
            #fi
            log_daemon_msg "Stopping the Winbind daemon" "winbind"
            start-stop-daemon --stop --quiet --oknodo --exec $DAEMON
            log_end_msg $?
            ;;
        restart|force-reload)
            #if init_is_upstart; then
            #    exit 1
            #fi
            $0 stop && sleep 2 && $0 start
            ;;
        status)
            status_of_proc -p $WINBINDPID $DAEMON winbind && exit 0 || exit $?
            ;;
        *)
            echo "Usage: /etc/init.d/winbind {start|stop|restart|force-reload|status}"
            exit 1
            ;;
    esac

Of course, these scripts must have the appropriate permissions:

    root@lemaker:/etc/init.d# l smbd nmbd samba samba-ad-dc
    -rwxr-xr-x 1 root root 2026 Nov 16 02:40 nmbd
    -rwxr-xr-x 1 root root 1266 Nov 16 02:40 samba
    -rwxr-xr-x 1 root root 2308 Nov 16 02:40 samba-ad-dc
    -rwxr-xr-x 1 root root 2069 Nov 16 02:40 smbd
    -rwxr-xr-x 1 root root 1771 Nov 17 02:36 winbind
    root@lemaker:/etc/init.d#

A configuration file is also required for operation.
For compatibility reasons it should be stored in the directory /etc/samba.

    [global]
        workgroup = WORKGROUP
        server string = %h server (Samba, Ubuntu)
        dns proxy = no
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        server role = standalone server
        passdb backend = tdbsam
        obey pam restrictions = yes
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        pam password change = yes
        map to guest = bad user
        usershare allow guests = yes

    [printers]
        comment = All Printers
        browseable = no
        path = /var/spool/samba
        printable = yes
        guest ok = no
        read only = yes
        create mask = 0700

    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
        browseable = yes
        read only = yes
        guest ok = no

    [myshare]
        comment = Persoenliche Freigabe fuer User myuser
        guest ok = yes
        browseable = yes
        path = /var2/ablage
        create mask = 0600
        directory mask = 0700
        valid users = myuser
        read only = no

Our manual installation, however, expects the configuration file at /usr/local/samba/etc/smb.conf.
A symbolic link helps here.

    root@lemaker:/usr/local/samba/etc# ln -s /etc/samba/smb.conf
    root@lemaker:/usr/local/samba/etc# l
    total 8
    drwxr-xr-x  2 root root 4096 Nov 16 02:53 .
    drwxr-xr-x 10 root root 4096 Nov 16 02:17 ..
    lrwxrwxrwx  1 root root   19 Nov 16 02:53 smb.conf -> /etc/samba/smb.conf
    root@lemaker:/usr/local/samba/etc#

We also need a log directory, a directory for printer handling, and a winbind group:

    mkdir /var/log/samba
    mkdir -p /var/lib/samba/printers
    addgroup winbindd_priv

Once everything is in place, the installation can be tested with Samba's own tool "testparm".

    root@lemaker:/etc/samba# testparm
    Load smb config files from /usr/local/samba/etc/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Processing section "[printers]"
    Processing section "[print$]"
    Processing section "[myshare]"
    Loaded services file OK.
    Server role: ROLE_STANDALONE
    Press enter to see a dump of your service definitions

    [global]
        server string = %h server (Samba, Ubuntu)
        server role = standalone server
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb

    [printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        print ok = Yes
        browseable = No

    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

    [myshare]
        comment = Persoenliche Freigabe fuer User myuser
        path = /var2/ablage
        valid users = myuser
        read only = No
        create mask = 0600
        directory mask = 0700
        guest ok = Yes
    root@lemaker:/etc/samba#

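
testparm confirms that the file loads, but it does not point out settings that widen access. As an added example (not part of the original page), the following script lists every smb.conf section in which `guest ok` or its synonym `public` ends up enabled, so each one can be reviewed. The function names are hypothetical and the sample input is a constructed excerpt of the configuration shown above.

```shell
#!/bin/sh
# Added example: list smb.conf sections where guest access ends up enabled.

# guest_shares [FILE]: print one section name per line (reads stdin without FILE).
guest_shares() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        /^[ \t]*\[/ {                            # section header, e.g. [myshare]
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            if (!(sec in seen)) { seen[sec] = 1; order[n++] = sec }
            next
        }
        (eq = index($0, "=")) > 0 {
            # parameter names ignore case and embedded whitespace
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
            # a later assignment in the same section replaces an earlier one
            if (key == "guestok" || key == "public")
                guest[sec] = (val ~ /^(yes|true|1)$/)
        }
        END { for (i = 0; i < n; i++) if (guest[order[i]]) print order[i] }
    ' "$@"
}

# sample_conf: constructed excerpt of the configuration shown on this page.
sample_conf() {
    cat <<'EOF'
[global]
   map to guest = bad user
   usershare allow guests = yes
[printers]
   path = /var/spool/samba
   guest ok = no
[print$]
   path = /var/lib/samba/printers
   guest ok = no
[myshare]
   path = /var2/ablage
   valid users = myuser
   guest ok = yes
EOF
}

sample_conf | guest_shares    # prints: myshare
```

On a real system, pass the configuration path as the argument, for example `guest_shares /etc/samba/smb.conf`.
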
Starting the application

    root@lemaker:/etc/init.d# service samba status
     * nmbd is not running
     * smbd is not running
    root@lemaker:/etc/init.d# service samba start
     * Starting NetBIOS name server nmbd [ OK ]
     * Starting SMB/CIFS daemon smbd [ OK ]
    root@lemaker:/etc/init.d# service samba status
     * nmbd is running
     * smbd is running
    root@lemaker:/etc/init.d#

nss stands for Name Service Switch and makes it possible to manage a complete list of all users and groups, regardless of whether they are local users/groups or Samba users/groups.
In normal operation (that is, not as a primary domain controller), nss is usually provided through the so-called "winbind" service (see "Configuring winbind on Ubuntu and joining a domain").
For Samba installations built from source, several links have to be created to integrate the libnss-winbind library.
For this, please refer to the following Samba documentation:
https://wiki.samba.org/index.php/Libnss_winbind_Links

    # test nss
    /root/install/samba-4.1.6/bin/nsstest