Save money with Samba as the domain controller on a legacy Windows NT-style domain

Cost Control

Nested Groups

On Windows, it is common to collect users on the domain controller in a group and then assign this group to a local group on a file server. The local groups are then granted filesystem permissions. This also works with Samba; the procedure is known as nested groups. To use it, you need a domain, and Winbind must be configured and running. The procedure also requires that /etc/nsswitch.conf lists winbind as a source for user and group lookups:

passwd:    compat winbind
group:     compat winbind

In the [global] section of your smb.conf file, add winbind nested groups = yes. Afterwards, you can set up nested groups (Listing 12). All of these steps are the responsibility of the domain administrator.

Listing 12

Nested Groups

root@samba:~# net rpc group add localgroup -L -Uadministrator
Enter administrator's password:
Added alias 'localgroup'.
root@samba:~# net rpc group addmem localgroup domainusers -Uadministrator
Enter administrator's password:
root@samba:~# net rpc group members localgroup -Uadministrator
Enter administrator's password:
ADMINDOM\Domainusers

The first step uses the -L parameter to create a local group (an alias) to which domain groups are then added as members. The second step adds the domainusers group as a member of localgroup. The third step checks that the membership was recorded. Now, when you assign filesystem rights to the local group, all members of the domainusers group inherit those rights. Because the Linux group database is flat and knows nothing about nesting, neither getent group nor wbinfo -g shows the local group; every action concerning it goes through the net rpc group command.
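The following script is an added example and not code from the article or from the Samba project. It turns the procedure above into a repeatable script: it makes the nsswitch.conf change idempotent, confirms via testparm that winbind nested groups is enabled, runs the three net rpc group steps from Listing 12, and checks the membership through RPC rather than through getent (which cannot see the alias). The names ADMINDOM, localgroup, domainusers and administrator are the listing's; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the article or from the Samba project.
# Turns the nested-group procedure into a repeatable script. Names are the
# listing's (ADMINDOM, localgroup, domainusers, administrator); the function
# names are ours.

# 1. Make winbind a source for passwd and group lookups. Appends "winbind" to
#    the passwd: and group: lines of an nsswitch.conf-style file only if it is
#    not already there, so running this twice is harmless.
add_winbind_nss() {
    f="$1"
    awk '($1 == "passwd:" || $1 == "group:") && $0 !~ /[ \t]winbind([ \t]|$)/ {
             print $0 " winbind"; next
         }
         { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# 2. Report whether "net rpc group members" output (first argument) contains
#    the given DOMAIN\group. Windows names are case-insensitive, so compare
#    with -i; -F keeps the backslash literal and -x demands a whole-line match.
has_member() {
    printf '%s\n' "$1" | grep -i -x -F "$2" >/dev/null
}

# 3. Create the local group, nest the domain group in it and verify the result.
#    Needs a running Samba PDC with winbind; not exercised by the offline test.
setup_nested_group() {
    domain="$1" localgroup="$2" domaingroup="$3" admin="${4:-administrator}"

    # smb.conf must have "winbind nested groups = yes"; testparm prints the
    # effective value of a single parameter.
    testparm -s --parameter-name="winbind nested groups" 2>/dev/null \
        | grep -i -x yes >/dev/null \
        || { echo "winbind nested groups is not enabled in smb.conf" >&2; return 1; }

    net rpc group add "$localgroup" -L -U"$admin" || return 1
    net rpc group addmem "$localgroup" "$domaingroup" -U"$admin" || return 1

    # getent group / wbinfo -g will not list the alias, so check through RPC.
    members=$(net rpc group members "$localgroup" -U"$admin") || return 1
    has_member "$members" "$domain\\$domaingroup" \
        || { echo "$domaingroup is not a member of $localgroup" >&2; return 1; }
}

# Typical run on the PDC:
#   add_winbind_nss /etc/nsswitch.conf
#   setup_nested_group ADMINDOM localgroup domainusers administrator
```

The membership check compares case-insensitively on purpose: Listing 12 shows that net rpc reports the group as ADMINDOM\Domainusers even though it was added as domainusers.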

An LDAPsam Back End

As promised, I will now look at configuring LDAP as a passdb back end. This undertaking requires a working LDAP server with the samba.schema in place because, in addition to POSIX attributes, you also need to create Samba attributes for the users.

The great benefit of using LDAP is that the users and groups only need to be created once. For user management, you can then use the smbldap-tools script collection [3] or do things graphically with the LDAP Account Manager [4], a web-based tool. Listing 13 shows how to modify the [global] section for the use of LDAP on both the PDC and all BDCs.

Listing 13

LDAP Changes

  passdb backend = ldapsam:ldap://samba.example.net
  ldap admin dn = cn=admin,dc=example,dc=net
  ldap suffix = dc=example,dc=net
  ldap group suffix = ou=groups
  ldap machine suffix = ou=hosts
  ldap user suffix = ou=users
  ldap passwd sync = yes
  ldap ssl = no

Samba now uses LDAP as the passdb back end. To let Samba add objects to LDAP as well, store the password of the ldap admin dn in the secrets.tdb file with smbpasswd -W. The file holds that password in clear text, so it must stay readable only by root. Samba then creates the LDAP object for the Samba domain, and from this point on uses the LDAP server for user management. Note that ldap ssl = no in Listing 13 switches off the StartTLS upgrade that Samba attempts by default: with the directory on another host, the admin bind password and the stored NT password hashes would travel over the network in clear text. Keep that setting only if the LDAP server runs on the same machine (better still, point the back end at an ldapi:// socket); otherwise use ldap ssl = start tls or an ldaps:// URL.
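The following script is an added example and not code from the article or from the Samba project. It checks the transport half of Listing 13 before the back end goes live: it reads passdb backend and ldap ssl from an smb.conf, flags the weak combination (a remote ldap:// URL with ldap ssl = no) next to the corrected one (start tls or ldaps://), and then lists the online verification steps. The hostname, admin DN and suffix are the listing's; the function names and the use of smbd -b to locate secrets.tdb are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the article or from the Samba project.
# Checks the ldapsam transport settings from the listing before enabling them.
# Names (samba.example.net, admin DN, suffix) are the listing's; the functions
# are ours.

# Print the trimmed value of a "name = value" parameter from an smb.conf-style
# file. Splits on the first "=" only, so DNs such as cn=admin,dc=example,dc=net
# survive intact. Parameter names are matched case-insensitively.
get_param() {
    awk -v key="$2" '
        { i = index($0, "="); if (i == 0) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (tolower(k) == key) { print v; exit } }' "$1"
}

# Return 0 when the LDAP transport protects the "ldap admin dn" password and
# the sambaNTPassword/sambaLMPassword hashes in transit, 1 when they would
# cross the network in the clear. Arguments are expected in lower case.
ldap_transport_ok() {
    url="$1" ssl="$2"
    case "$url" in
        ldaps://*|ldapi://*) return 0 ;;   # TLS from the start, or a Unix socket
        ldap://localhost|ldap://localhost:*|ldap://localhost/*) return 0 ;;
        ldap://127.0.0.1|ldap://127.0.0.1:*|ldap://127.0.0.1/*) return 0 ;;
    esac
    case "$ssl" in
        "start tls"|"start_tls") return 0 ;;  # connection upgraded with StartTLS
    esac
    return 1
}

# Evaluate an smb.conf: the listing's "ldap ssl = no" against a remote ldap://
# URL is the weak combination; "ldap ssl = start tls" or an ldaps:// URL is
# the corrected one. An unset "ldap ssl" means Samba's default, start tls.
check_ldap_transport() {
    backend=$(get_param "$1" "passdb backend" | tr 'A-Z' 'a-z')
    url=${backend#ldapsam:}                     # strip the "ldapsam:" prefix
    ssl=$(get_param "$1" "ldap ssl" | tr 'A-Z' 'a-z')
    ssl=${ssl:-start tls}
    if ldap_transport_ok "$url" "$ssl"; then
        echo "ok: $url with ldap ssl = $ssl"
    else
        echo "WEAK: $url with ldap ssl = $ssl sends the bind password and password hashes in clear text" >&2
        return 1
    fi
}

# Online steps once the config passes (need the LDAP server and Samba; not
# exercised by the offline test).
verify_ldapsam() {
    conf=${1:-/etc/samba/smb.conf}
    suffix=$(get_param "$conf" "ldap suffix")
    admin_dn=$(get_param "$conf" "ldap admin dn")
    smbpasswd -W                           # store the admin DN password in secrets.tdb
    net getlocalsid                        # Samba writes the sambaDomain object for this SID
    ldapsearch -x -D "$admin_dn" -W -b "$suffix" \
        '(objectClass=sambaDomain)' sambaDomainName sambaSID
    pdbedit -L                             # users are now listed from LDAP
    # secrets.tdb holds the bind password in clear text: must be 0600, owned by root
    ls -l "$(smbd -b | awk '/PRIVATE_DIR/ {print $2}')/secrets.tdb"
}

# Typical run:
#   check_ldap_transport /etc/samba/smb.conf && verify_ldapsam /etc/samba/smb.conf
```

Running check_ldap_transport against Listing 13 as printed reports the weak combination; changing ldap ssl to start tls, or the URL to ldaps:// or ldapi://, makes it pass.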

The Future

Following the December 2012 release of Samba 4, many things changed. Besides setting up primary or backup domain controllers for an NT-style domain, you can now also create Active Directory domain controllers, and you can join Samba 4 to an existing forest as an additional AD controller. It is even possible to run an entire Active Directory forest without a single Windows domain controller from Microsoft, because Samba 4 ships its own LDAP server that manages all the directory objects.

User and group management can also be handled with the Microsoft Windows Remote Server Administration Tools. You will need a Windows 7 machine to run the tools, but the software can be downloaded free of charge [5].
