Set up SAMBA+
Setting up a SAMBA+ as a standalone server
A standalone server provides file and print services and is useful if domain integration is not required or desired (e.g. in small networks). The services can be opened to guests without any authentication, but because this has many security implications, we skip that setup here and describe an authenticating standalone server only.
Please install at least the 'sernet-samba' package and its dependencies.
SAMBA+ can be run in different server modes, so you need to specify the role of your server before being able to start the services. This mode needs to be set with the "SAMBA_START_MODE" variable in the /etc/default/sernet-samba file. Set the mode to "classic" to run a standalone fileserver.
The services can be controlled with the usual systemd commands, like 'systemctl'. For a standalone file server, the following services are available:
- sernet-samba-smbd.service Samba SMB Daemon (file and print services)
- sernet-samba-nmbd.service Samba NMB Daemon (NetBIOS name resolution)
- sernet-samba-winbindd.service Samba Winbind Daemon (ID mapping, Name Service Switch daemon)
Further configuration is done in /etc/samba/smb.conf.
A very basic configuration could look like:
[global]
netbios name = FILESRV1
workgroup = MYWORKGROUP
[share1]
path = /path/to/share1
read only = no
The "netbios name" specifies the name of the server and "workgroup" the name of your workgroup.
In the [global] section, global settings are defined. For each file share and printer, a separate section has to be added (see [share1] in the example).
Details on global and share specific parameters can be found in the smb.conf manual page ('man smb.conf').
To access your new SMB share, you need to create a Samba user. Samba also needs a UNIX account with exactly the same name to be able to check permissions on the underlying filesystem.
Add the UNIX user (if it does not exist yet):
sudo useradd -s /usr/sbin/nologin smbuser1
Add the Samba user:
sudo smbpasswd -a smbuser1
The passwords of both accounts can differ. When connecting to the share, the password of the Samba user is needed.
The shared directory must also exist. If it does not exist yet, it can be created via 'sudo mkdir -p /path/to/share1' according to the example above. Make sure that the user has filesystem access to the shared directory.
Let's start the "smbd" and "nmbd" daemons and try to connect to the share:
Start the services:
sudo systemctl restart sernet-samba-smbd
sudo systemctl restart sernet-samba-nmbd
Connect to the share using smbclient:
smbclient //FILESRV1/share1 -U smbuser1
Connecting from Windows and other SMB clients is of course possible as well.
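Because this guide covers only the authenticating setup, it is worth confirming that no section of smb.conf enables guest access before exposing the server. The following is an added example, not part of the SAMBA+ documentation or packages; the function names and the sample configuration are constructed for illustration:

```shell
#!/bin/sh
# Added example (not SerNet code): report smb.conf settings that allow guest access.
# Usage: audit_guest /etc/samba/smb.conf   (reads stdin when no file is given)
audit_guest() {
    awk '
    # smb.conf booleans: yes/true/1 all mean "on"
    function is_true(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }

    /^[ \t]*([#;]|$)/ { next }                  # comments and blank lines

    /^[ \t]*\[.*\][ \t]*$/ {                    # section header such as [share1]
        sec = $0
        gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
        next
    }
    {
        eq = index($0, "=")                     # only the first "=" splits name and value
        if (eq == 0) next
        key = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
        name = tolower(key); gsub(/[ \t]/, "", name)   # names ignore case and whitespace

        # "public" is a synonym for "guest ok"
        if ((name == "guestok" || name == "public" || name == "guestonly") && is_true(val))
            print sec ": " key " = " val
        # any value other than the default "Never" can turn failed logons into guest sessions
        if (name == "maptoguest" && tolower(val) != "never")
            print sec ": " key " = " val
    }' "$@"
}

# Constructed sample: the basic configuration from above plus two guest-enabling settings.
sample_conf() {
    cat <<'EOF'
[global]
    netbios name = FILESRV1
    workgroup = MYWORKGROUP
    map to guest = Bad User
[share1]
    path = /path/to/share1
    read only = no
[scratch]
    path = /path/to/scratch
    Guest OK = Yes
EOF
}

sample_conf | audit_guest
```

A finding in [global] acts as the default for every share. The function does not follow 'include' directives or continuation lines, so run it on the output of 'testparm -s' to check the configuration as Samba parses it.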
Setting up a SAMBA+ AD domain controller (AD DC)
A domain controller provides the central Active Directory. Make sure to have at least two DCs for failover! Do not use your domain controllers as file servers.
Please install the "sernet-samba-ad" package and its dependencies.
- Debian/Ubuntu: apt-get install sernet-samba-ad
- RHEL/CentOS: yum install sernet-samba-ad
- SUSE/Leap: zypper in sernet-samba-ad
After that, please edit the SAMBA+ configuration file /etc/default/sernet-samba and set the "SAMBA_START_MODE" variable to "ad". Otherwise the 'samba' daemon won't start at all.
Now the domain has to be configured by running 'samba-tool domain provision'. Please enter your realm etc. This step creates the /etc/samba/smb.conf configuration file. Afterwards, the service can be started via the 'systemctl restart sernet-samba-ad' command.
Setting up a SAMBA+ domain member server
A domain member is part of a domain (domain users and groups are available) and authenticates against the DCs. Member servers are usually used as file or print servers.
Please install at least the 'sernet-samba' and 'sernet-samba-winbind' packages and their dependencies.
SAMBA+ can be run in different server modes, so you need to specify the role of your server before being able to start the services. This mode needs to be set with the "SAMBA_START_MODE" variable in the /etc/default/sernet-samba file. Set the mode to "classic" to run a member server.
The services can be controlled with the usual systemd commands, like 'systemctl'. For a domain member server, the following services are available:
- sernet-samba-smbd.service Samba SMB Daemon (file and print services)
- sernet-samba-nmbd.service Samba NMB Daemon (NetBIOS name resolution)
- sernet-samba-winbindd.service Samba Winbind Daemon (ID mapping, Name Service Switch daemon)
Further configuration is done in /etc/samba/smb.conf.
A very basic configuration example is part of the SAMBA+ packages and placed at /etc/samba/smb.conf.member.
In the [global] section, global settings like domain membership and id-mapping are defined. For each file share and printer, a separate section has to be added (see [share1] in the example).
Details on global and share specific parameters can be found in the smb.conf manual page ('man smb.conf').
After making the settings in smb.conf, join the member server to the domain using the 'net ads join' command.
To access your new SMB share, the AD users must be made available on the system. The "passwd" and "group" options in /etc/nsswitch.conf need to include "winbind", similar to:
passwd: files winbind
group: files winbind
Let's start the "winbindd", "smbd" and "nmbd" daemons and try to connect to the share:
Start the services:
sudo systemctl restart sernet-samba-winbindd
sudo systemctl restart sernet-samba-smbd
sudo systemctl restart sernet-samba-nmbd
Connect to the share using smbclient, like:
smbclient //filesrv.samdom.example.com/share1 -U"SAMDOM\aduser1"
Connecting from Windows and other SMB clients is of course possible as well.
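The two settings a member server depends on before its services start (the start mode and the winbind entries in nsswitch.conf) can be checked with a short script. This is an added example, not part of the SAMBA+ packages; the function names are hypothetical, the sample files are constructed, and it assumes /etc/default/sernet-samba uses shell-style KEY="value" assignments:

```shell
#!/bin/sh
# Added example (not SerNet code): pre-start checks for a domain member server.

# start_mode FILE -> prints the effective SAMBA_START_MODE (last assignment wins)
start_mode() {
    awk -F= '/^[ \t]*SAMBA_START_MODE=/ {
        v = $2; sub(/#.*/, "", v); gsub(/["\047 \t]/, "", v); mode = v
    } END { print mode }' "$1"
}

# nss_uses_winbind DATABASE FILE -> exit status 0 if the database lists winbind
nss_uses_winbind() {
    awk -v db="$1" '
    {
        line = $0; sub(/#.*/, "", line)         # drop comments
        n = index(line, ":"); if (n == 0) next
        name = substr(line, 1, n - 1); gsub(/[ \t]/, "", name)
        if (name != db) next
        m = split(substr(line, n + 1), src, /[ \t]+/)
        for (i = 1; i <= m; i++) if (src[i] == "winbind") ok = 1
    }
    END { exit !ok }' "$2"
}

# check_member DEFAULTS_FILE NSSWITCH_FILE -> prints one line per problem found
check_member() {
    mode=$(start_mode "$1")
    [ "$mode" = "classic" ] || echo "SAMBA_START_MODE is '$mode', expected 'classic'"
    for db in passwd group; do
        nss_uses_winbind "$db" "$2" || echo "nsswitch.conf: '$db' does not list winbind"
    done
}

# Constructed sample files (not taken from a real host): wrong mode, group lacks winbind.
demo=$(mktemp -d)
printf 'SAMBA_START_MODE="ad"\n' > "$demo/sernet-samba"
printf 'passwd: files winbind\ngroup:  files\n' > "$demo/nsswitch.conf"
check_member "$demo/sernet-samba" "$demo/nsswitch.conf"
rm -rf "$demo"
```

On a real member server, call it as 'check_member /etc/default/sernet-samba /etc/nsswitch.conf'; no output means both settings match this section.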
Setting up a SAMBA+ CTDB cluster
CTDB is Samba's cluster management service. Combined with a cluster filesystem, a SAMBA+ CTDB cluster can provide a highly available, load-sharing Samba server.
This article describes which packages and services are required. The configuration of a CTDB cluster, especially the Samba configuration, highly depends on your requirements.
Please install at least the 'sernet-samba-ctdb', 'sernet-samba' and 'sernet-samba-winbind' packages and their dependencies on each node.
SAMBA+ can be run in different server modes, so you need to specify the role of your server before being able to start the services. This mode needs to be set with the "SAMBA_START_MODE" variable in the /etc/default/sernet-samba file. Set the mode to "classic" to run Samba with CTDB.
The CTDB service can be started and stopped with the usual systemd commands, like 'systemctl'. The service name is sernet-samba-ctdbd.service. Since CTDB can control and monitor the Samba services, the services can be disabled:
systemctl disable sernet-samba-nmbd.service
systemctl disable sernet-samba-smbd.service
systemctl disable sernet-samba-winbindd.service
systemctl disable sernet-samba-dcerpcd.service  # SAMBA+ 4.20 and higher
The management utility 'ctdb' can be used to specify which services should be managed by CTDB. For a Samba cluster usually 49.winbind and 50.samba are required. Use the following commands to enable the service management:
ctdb event script enable legacy 49.winbind
ctdb event script enable legacy 50.samba
If you want to use the new Witness Service, which has been included since Samba version 4.20, you also need to enable 47.dcerpcd:
ctdb event script enable legacy 47.dcerpcd
In addition, you need the following option in your smb.conf global section:
rpc start on demand helpers = no
Please refer to the CTDB and clustered Samba article in the samba.org Wiki for further CTDB and Samba configuration: https://wiki.samba.org/index.php/CTDB_and_Clustered_Samba
After the configuration you can start CTDB:
systemctl restart sernet-samba-ctdbd.service