« Previous 1 2 3 4
Save money with Samba as the domain controller on a legacy Windows NT-style domain
Cost Control
Nested Groups
On Windows, it is common to collect users on the domain controller in a group and then assign this group to a local group on a file server. The local groups are then granted filesystem permissions. This also works with Samba; the procedure is known as nested groups. To use it, you need a working domain and a configured Winbind. You also have to modify the /etc/nsswitch.conf file so that the passwd and group databases consult Winbind:

passwd: compat winbind
group: compat winbind
In the [global] section of your smb.conf file, add winbind nested groups = yes. Afterwards, you can set up nested groups (Listing 12). All of these steps are the responsibility of the domain administrator.
Listing 12
Nested Groups
root@samba:~# net rpc group add localgroup -L -Uadministrator
Enter administrator's password:
Added alias 'localgroup'.
root@samba:~# net rpc group addmem localgroup domainusers -Uadministrator
Enter administrator's password:
root@samba:~# net rpc group members localgroup -Uadministrator
Enter administrator's password:
ADMINDOM\Domainusers
The first step uses the -L parameter to create a local group (an alias) to which domain groups are then added as members. The second step adds the domainusers group as a member of localgroup. The third step checks that the membership took effect. Now, when you assign filesystem rights to the local group, all members of the domainusers group inherit those rights. Because Linux itself does not support nested groups, neither getent group nor wbinfo -g shows the local group; all actions concerning the group go through the net rpc group command.
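The procedure above, as an added example that is not part of the original article: a POSIX shell script that makes both configuration edits on a given copy of nsswitch.conf and smb.conf, idempotently, and checks a captured net rpc group members listing for the expected entry. The temporary file paths, the sample configuration contents and the captured output are constructed for the demonstration; the ADMINDOM domain name is the one from Listing 12.

```shell
#!/bin/sh
# Added example (not from the article): prepare nsswitch.conf and smb.conf for
# Winbind nested groups and check the result of "net rpc group members".
# Assumes you pass copies of the files (or have backups); both edits are
# idempotent, so re-running the script changes nothing.
set -eu

# Append "winbind" to the passwd: and group: lines of an nsswitch.conf file
# unless it is already there, and add the lines if the file lacks them.
enable_winbind_nss() {
    f="$1"
    awk '
        /^(passwd|group):/ {
            split($0, parts, ":"); key = parts[1]
            found = 0
            for (i = 1; i <= NF; i++) if ($i == "winbind") found = 1
            if (!found) $0 = $0 " winbind"
            seen[key] = 1
        }
        { print }
        END {
            if (!("passwd" in seen)) print "passwd: compat winbind"
            if (!("group" in seen)) print "group: compat winbind"
        }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Set one parameter in the [global] section of an smb.conf file, replacing an
# existing value. Names are compared the way Samba does (case and whitespace
# ignored), so "WinbindNestedGroups = no" is recognised and overwritten.
set_global_option() {
    f="$1"
    awk -v key="$2" -v value="$3" '
        function norm(s) { gsub(/[[:space:]]/, "", s); return tolower(s) }
        /^[[:space:]]*\[/ {
            # leaving [global] without having seen the key: insert it here
            if (inglobal && !done) { print "\t" key " = " value; done = 1 }
            inglobal = (norm($0) == "[global]")
        }
        inglobal && !done && /=/ {
            if (norm(substr($0, 1, index($0, "=") - 1)) == norm(key)) {
                print "\t" key " = " value; done = 1; next
            }
        }
        { print }
        END {
            if (!done) {
                if (!inglobal) print "[global]"
                print "\t" key " = " value
            }
        }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Check a captured "net rpc group members" listing for the expected
# DOMAIN\group line. Whole-line, fixed-string, case-insensitive match, so a
# prefix such as ADMINDOM\Domain does not pass.
group_has_member() {
    printf '%s\n' "$1" | grep -Fqix -- "$2"
}

# Demonstration on constructed copies; run as "sh nested-groups.sh demo".
demo() {
    d=$(mktemp -d)
    printf 'passwd: compat\ngroup: compat\nshadow: compat\n' > "$d/nsswitch.conf"
    printf '[global]\n\tworkgroup = ADMINDOM\n\n[homes]\n\tbrowseable = no\n' > "$d/smb.conf"
    enable_winbind_nss "$d/nsswitch.conf"
    set_global_option "$d/smb.conf" "winbind nested groups" yes
    cat "$d/nsswitch.conf" "$d/smb.conf"
    # Constructed output, as returned by: net rpc group members localgroup -Uadministrator
    out=$(printf '%s\n' "Enter administrator's password:" 'ADMINDOM\Domainusers')
    group_has_member "$out" 'ADMINDOM\Domainusers' && printf '%s\n' 'localgroup contains ADMINDOM\Domainusers'
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the edits against copies first and diff them against the live files; then apply them and restart Winbind before creating the groups with net rpc group as in Listing 12. The membership check only looks at text you captured, so it is a sanity check on the listing, not proof that Winbind resolves the alias.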
An LDAPsam Back End
As promised, I will now look at configuring LDAP as a passdb back end. This undertaking requires a working LDAP server with the samba.schema loaded, because, in addition to the POSIX attributes, you also need to create Samba attributes for the users.
The great benefit of using LDAP is that users and groups only need to be created once, for both the Unix side and Samba. For user management, you can then use the smbldap-tools script collection [3] or work graphically with the web-based LDAP Account Manager [4]. Listing 13 shows how to modify the [global] section for the use of LDAP on the PDC and on all BDCs.
Listing 13
LDAP Changes
passdb backend = ldapsam:ldap://samba.example.net
ldap admin dn = cn=admin,dc=example,dc=net
ldap suffix = dc=example,dc=net
ldap group suffix = ou=groups
ldap machine suffix = ou=hosts
ldap user suffix = ou=users
ldap passwd sync = yes
ldap ssl = no
With these settings, Samba uses LDAP as the passdb back end. To also allow Samba to add objects to LDAP, it needs the password of the ldap admin dn, which you store in the secrets.tdb file with smbpasswd -W; because that file now holds the directory administrator's password, it must stay readable by root only. Samba then creates an LDAP object for the Samba domain (a sambaDomain entry) and from then on uses the LDAP server for user management. One caveat: Listing 13 sets ldap ssl = no with a plain ldap:// URL, so the admin bind and, with ldap passwd sync = yes, every password change cross the network in clear text. Unless the directory runs on the same host (in which case an ldapi:// socket URL is the better choice), use ldap ssl = start tls or an ldaps:// URL.
The Future
Following the December 2012 release of Samba 4.0, many things changed. Besides NT4-style Primary or Backup Domain Controllers, you can now also create Active Directory domain controllers, and you can join Samba 4 to an existing AD domain as an additional domain controller. It is even possible to set up an entire Active Directory forest without a Microsoft Windows domain controller, with Samba 4's own LDAP server managing all the objects.
User and group management can then be handled with the Microsoft Remote Server Administration Tools (RSAT). You need a Windows 7 machine to run them, but the software can be downloaded free of charge [5].
Infos
[1] Disabling the warning message: http://www.gtkdb.de/index_7_1240.html
[2] Registry patch: http://wiki.samba.org/index.php/Windows7
[3] smbldap-tools: http://sourceforge.net/projects/smbldap-tools
[4] LDAP Account Manager: https://www.ldap-account-manager.org
[5] Remote Server Administration Tools: http://www.microsoft.com/download/en/details.aspx?id=7887