Wiki source code of Samba

Last modified by Sebastian Marsching on 2022/03/27 15:23

{{toc/}}

# Kerberos Authentication

See [[Kerberos|doc:Linux.Kerberos.WebHome]].

# Using Samba in a Windows Environment

{{warning}}
This section was originally written on 2014-04-11 and has not been updated since, so the information presented here might be outdated.
{{/warning}}

This is a preliminary document on how to integrate Samba into a Windows environment. It is designed such that the file shares provided by Samba are not accessed through other channels: no users can log into the Linux box, and the files are not shared through other protocols (NFS, AFP, etc.). In the configuration examples, my.windows.domain is the Active Directory domain Samba is joined to, MYWINDOWS is the short domain name and MY.WINDOWS.DOMAIN is the corresponding Kerberos realm.

## smb.conf

```ini
[global]
# Enable owning group to change permissions.
# Unfortunately, it is unclear whether this applies to all files, or only
# those specifically set to be owned by a group in the Windows ACL editor.
#acl group control = yes
# Map "rwx" to "Full Control" in Windows ACL editor.
# We do not want this if we are using the extended ACL support, because
# "Full Control" in Windows means more than "rwx" in Linux.
acl map full control = no
# Configure the client to require NTLMv2.
# This might cause problems with older servers; however, for security reasons
# it should be activated if possible.
client ntlmv2 auth = yes
# Mark files whose names start with a dot as hidden.
# In Windows, hidden is a separate attribute, thus to be more like Windows,
# we disable this feature. Such files can still be hidden by setting the
# corresponding attribute.
hide dot files = no
# UID and GID ranges winbind uses for mapping ADS users and groups.
# The specific numbers are not really important. However, we have to ensure
# that these ranges do not collide with any local users or groups.
idmap gid = 10000 - 20000
idmap uid = 10000 - 20000
# Copy the ACLs from parent directories to newly created sub-directories.
# This option also uses 0777 permissions for newly created directories, to
# ensure that the ACLs are effective. When using the advanced ACL support
# (using xattr), this option probably should not be activated, because for
# Windows ACLs, the specific ACLs determine which ACLs should be applied to
# newly created sub-directories.
#inherit acls = yes
# Enable kernel oplocks.
# We want to disable this option, because it will automatically set
# level2 oplocks = no. However, if file access is only performed through
# SMB, it is safe to let Samba handle the locking and thus profit from
# level 2 oplocks.
kernel oplocks = no
# Allow nmbd to become a local master browser on the subnet.
# If working in a Windows environment, we want to disable this, because
# the Active Directory domain controllers should act as master browsers.
local master = no
# Path to the log file.
# We just copied that from the default configuration for Ubuntu.
log file = /var/log/samba/log.%m
# Store Windows ACL inherit flag in extended attribute.
# We want to enable this in order to have full Windows ACL support.
map acl inherit = yes
# Map Windows archive flag to permission bit.
# We want to deactivate this feature, because we are using xattr for this.
map archive = no
# Map Windows hidden flag to permission bit.
# Same as for map archive.
map hidden = no
# Map Windows read only flag to inverse write permission bits.
# Same as for map archive.
map read only = no
# Map Windows system file flag to permission bit.
# Same as for map archive.
map system = no
# Require a minimum SMB protocol version.
# As we do not support old auth mechanisms for security reasons,
# we can also deactivate support for old protocol versions altogether.
min protocol = NT1
# Active Directory domain.
# This should be set to the FQDN of the Active Directory domain, and - at the
# same time - is used as the Kerberos realm.
realm = my.windows.domain
# Kill old sessions when a request for a new session is received from the same IP.
# By activating this option, we ensure that all locks associated with an old
# session will be released when a new session is established. However, this
# has undesirable effects if multiple clients share the same IP address
# (e.g. because NAT is in use). In the LAN it is usually safe to assume
# that every client will contact the server with its own IP address.
reset on zero vc = yes
# Control level of anonymous access.
# We want to set this to the most restrictive level (do not accept any
# anonymous connections) for security considerations.
restrict anonymous = 2
# Security mode.
# For Active Directory integration, we set this to "ads".
security = ads
# Configure signing support in the SMB client.
# We want to use signing for servers which support it, but still be able to
# access old servers not supporting it. For enhanced security, it should be
# set to "mandatory".
server signing = auto
# Descriptive server name.
# If this option is empty, Windows clients will just display the hostname,
# which is okay for most purposes.
server string =
# Store Windows attributes (hidden, archive, system, read-only) using xattr.
# We want to activate this option, because it is much better than the old
# options, which tried to map these attributes to permissions.
store dos attributes = yes
# Enforce locks.
# By default, this option is set to auto, which means Samba will only
# check for locks in files which are not oplocked by the client. For
# oplocked files, it will omit these checks for performance reasons.
# However, if you do not want to rely on a correct client implementation,
# you should set this option to "yes".
#strict locking = yes
# Do a sync to disk each time it is requested by a client.
# By default, Samba does not perform a sync on a file when it is requested
# to do so, because there are a lot of badly written clients which request
# a sync when they really just want to flush the buffer. Therefore, doing
# a sync each time it is requested will slow down SMB access considerably.
# The problem with this option is that - if no sync is performed - and the
# Linux system Samba is running on crashes before the data has been written
# to the disk, it is lost. This is very bad if a client relied on the data
# having been written to disk because it sent the sync request (e.g. it could
# corrupt database files stored on an SMB share).
# Therefore, if we want to be really safe, we have to enable this option.
strict sync = yes
# Control which messages are written to syslog.
# We set this to 0, so that messages will only be written to the Samba
# logfiles. We copied that from the default configuration for Ubuntu.
syslog = 0
# Configure the homedir set for users added by winbind.
# As we do not allow login of Windows users except through Samba, this
# option does not really matter. However, it is still nice to have this
# set to something sensible.
template homedir = /home/winbind/%D/%U
# Configure the shell set for users added by winbind.
# Users added by winbind should not be able to log into the Linux machine,
# thus we set the shell to "/bin/false".
template shell = /bin/false
# Enable the CIFS UNIX extensions.
# This option enables features interesting for UNIX clients, like support
# for symlinks, etc. However, it might be problematic if the UNIX permissions
# are supplied in a way that is not consistent with the permissions Windows
# clients see with the extended ACL support. By default, the UNIX extensions
# are enabled.
#unix extensions = no
# Use the sendfile() system call under specific circumstances.
# If this option is enabled, Samba can speed things up by using a special
# system call to send data from files which are oplocked. However, we
# should be sure about the implications this option has before enabling it,
# as it is disabled by default.
#use sendfile = yes
# Configure VFS modules which should be enabled.
# We want to add the "acl_xattr" module, which brings full support for
# Windows ACLs to Samba. The ACLs which cannot be mapped to POSIX ACLs are
# stored in an extended file attribute.
# We also might want to enable one of streams_depot and streams_xattr.
# These modules enable the use of alternate data streams, a feature of NTFS
# which allows saving different, independent data streams for a single file.
# The streams_xattr module is easier to use, because it just saves the
# alternate data streams in extended attributes. However, this might not
# work for large data streams, because xattr is not designed to keep huge
# amounts of data. In this case, streams_depot might be preferred, which
# stores the alternate data streams in separate files in a directory
# configured using the streams_depot:directory option.
vfs objects = acl_xattr streams_xattr
# Enable user / group enumeration for winbind.
# These options should not be activated if a large number of users or groups
# exist in Active Directory, because they will cause performance issues.
winbind enum groups = yes
winbind enum users = yes
# Set number of levels to resolve for nested groups.
# In contrast to UNIX, in Windows groups can be members of groups. In order
# to map these kinds of groups to UNIX groups, winbind has to resolve them
# to the actual users being part of the group. This option sets the number
# of steps winbind will use at most to resolve groups. Setting this
# number too large will cause bad performance. However, setting it too low
# will cause groups nested in multiple levels not to be resolved correctly.
winbind expand groups = 2
# List of WINS servers.
# This option should be set to refer to the WINS servers run for the Active
# Directory. Most likely, the domain controllers will also act as WINS
# servers.
wins server = 192.168.0.32 192.168.0.36
# Workgroup / domain name.
# This should be set to the short name of the Active Directory domain
# (the same you see as a prefix to full usernames, preceding the backslash).
workgroup = MYWINDOWS

# Directory for streams_depot VFS module.
# If the streams_depot module is activated in the vfs objects option,
# you have to configure the directory which stores the files with the
# alternate data streams.
#streams_depot:directory = /home/samba/.streams_depot

# This is a sample share configuration, which might be used to store
# roaming profiles.
[Profile]
# Configure offline caching policy.
# For a share storing roaming profiles, you have to disable this explicitly,
# otherwise you might experience data loss for the profiles.
# Believe me, I learned the hard way. :-)
csc policy = disable
# Path to the directory that is shared.
path = /home/samba/Profile
# Users which might connect to this share.
# Use a plus sign followed by a group name to allow access for all members
# of a group. File permissions are still checked, thus a user who does not
# have permission to access a specific file or directory will still be
# denied access.
valid users = "+MYWINDOWS\\Domain Users"
# Enable write access.
# By default, only read access is allowed.
writeable = yes
```
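
As an added example (not code from the wiki page or from Samba), the following Python parses an smb.conf the way Samba reads it (case-insensitive keys, `#`/`;` comments, later keys overriding earlier ones) and audits the `[global]` section against the points the comments above single out as security-relevant; the `SAMPLE` configuration is constructed, and the accepted values in `EXPECTED` (including `/usr/sbin/nologin` as an alternative to `/bin/false`) are this example's own choice.

```python
# Added example (not from the wiki page or Samba): audit the [global] settings of
# an smb.conf against the recommendations made in the configuration above.
def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; keys are lower-cased with
    blanks collapsed, '#' and ';' start comments, a repeated key overrides."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf

# What the configuration above argues for: a set of acceptable values, or
# None when the parameter should be absent.
EXPECTED = {
    "server signing": {"mandatory"},   # "auto" still permits unsigned sessions
    "client ntlmv2 auth": {"yes"},
    "restrict anonymous": {"2"},
    "template shell": {"/bin/false", "/usr/sbin/nologin"},
    "syslog": None,                    # deprecated in favour of "logging"
}

def audit_global(text):
    """Return sorted findings for [global]; an empty list means no findings."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    for key, allowed in EXPECTED.items():
        value = g.get(key)
        if allowed is None:
            if value is not None:
                findings.append(f"{key}: present ({value}), deprecated")
        elif value is None:
            findings.append(f"{key}: not set")
        elif value.lower() not in allowed:
            findings.append(f"{key}: {value} (expected one of {sorted(allowed)})")
    return sorted(findings)
SAMPLE = """[global]
# constructed excerpt in the style of the configuration above
restrict anonymous = 2
server  signing = auto
syslog = 0
"""
```

Running `audit_global(SAMPLE)` reports the unsigned `server signing`, the deprecated `syslog` option and the two parameters the excerpt leaves unset.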

## Setup

Aside from adjusting the Samba configuration file, a few more steps must be taken care of:

1. Kerberos support has to be installed and the default Kerberos realm should be set to match the ADS realm. Usually, the Kerberos realm is the ADS domain name in capital letters (e.g. MY.WINDOWS.DOMAIN).
1. The Linux box has to be joined to the ADS domain: `net ads join -U Administrator`
1. `/etc/nsswitch.conf` has to be changed to include the `winbind` service for user and group resolution.

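
As an added example for the last step (not from the wiki page), this Python function adds `winbind` to the `passwd` and `group` databases of an nsswitch.conf without touching anything else and without duplicating the entry on a second run; the `NSSWITCH` text is a constructed excerpt.

```python
# Added example (not from the wiki page): add "winbind" to the passwd and
# group databases of an nsswitch.conf, as the last setup step requires.
def enable_winbind(nsswitch_text, databases=("passwd", "group")):
    """Return (new_text, changed), where changed lists the databases edited.

    "winbind" is appended after the existing sources, so local accounts in
    /etc/passwd still resolve first; the edit is idempotent and leaves
    comments, blank lines and other databases untouched.
    """
    out, changed, seen = [], [], set()
    for line in nsswitch_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and ":" in stripped:
            name, _, sources = stripped.partition(":")
            name = name.strip()
            if name in databases:
                seen.add(name)
                srcs = sources.split()
                if "winbind" not in srcs:
                    srcs.append("winbind")
                    changed.append(name)
                    line = f"{name}: {' '.join(srcs)}"
        out.append(line)
    for name in databases:  # database not listed at all: add a line for it
        if name not in seen:
            out.append(f"{name}: files winbind")
            changed.append(name)
    return "\n".join(out) + "\n", changed

# Constructed excerpt resembling a stock Ubuntu nsswitch.conf.
NSSWITCH = """# /etc/nsswitch.conf
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
"""
```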
# smbclient timeout for IPv6 enabled servers

When using smbclient with Windows Server 2012 R2, I came across a funny problem. If the Windows server has both an IPv4 and an IPv6 address registered in DNS, `smbclient -L` connects to this server successfully, but then gets stuck for a very long time. After enabling debugging, it becomes clear that the first connection on port 445 is successful, but later `smbclient` tries to connect to port 139. This is the port used for NetBIOS, and NetBIOS over IPv6 is clearly not supported by the Windows server. This actually makes sense, because NetBIOS should only be used by old clients, which certainly do not support IPv6.

Unfortunately, working around this issue is not that simple: For quite some time, using the `-I` option with smbclient and explicitly specifying the IPv4 address of the server worked, but with recent versions of `smbclient` that results in an `NT_STATUS_LOGON_FAILURE` error. Setting `disable netbios = yes` in `smb.conf` unfortunately does not help either.

The only solution I found was blocking outgoing connections to TCP port 139 over IPv6 using `ip6tables`:

```bash
ip6tables -A OUTPUT -p tcp --destination-port 139 -j REJECT
```

With this workaround, `smbclient` will still report an error (after first connecting successfully), but at least it will report this error quickly instead of waiting for a long time.

## Fixing the smbclient syslog warning

If the `syslog` option is present in `smb.conf`, recent versions of `smbclient` will issue the following warning:

```
WARNING: The "syslog" option is deprecated
```

Unfortunately, the default configuration in Ubuntu 14.04 LTS still uses this option. This can easily be fixed by removing the `syslog` and `syslog only` options and adding the following option instead:

```ini
logging = syslog@0 file
```