[Samba] howto domain controller with home shares on file server

niya levi niyalevi at gmail.com
Fri Mar 18 02:34:20 UTC 2016 

hi
i have two active domain controllers dc1 and dc2 and i have a domain
member which is a file server fs1,
my home and profile shares are on fs1 and i mount the on dc1 and dc2 for
admin purposes i.e. to create user home shares,
fs1 uses the btrfs filesystem and snapper.

this is my smb.conf on the file server
[global]
   workgroup = ADOMAIN
   security = ADS
   realm = AD.ADOMAIN.COM
   server string = %h home directory file server
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   netbios name = tardis
   host msdfs = no
   client signing = yes
   client use spnego = yes
   encrypt passwords = yes

   ## map id's outside to domain to tdb files.
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   ## map ids from the domain  the range may not overlap !
   idmap config ADOMAIN:backend = ad
   idmap config ADOMAIN:schema_mode = rfc2307
   idmap config ADOMAIN:range = 3000000-4000000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes
   winbind nested groups = yes
   winbind refresh tickets = yes
   winbind expand groups = 4
   winbind offline logon = yes
   winbind cache time = 300

   # For ACL support on member server
   inherit acls = yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   acl group control = yes
   store dos attributes = Yes

   admin users = ADOMAIN/Administrator
   username map = /etc/samba/samba_usermapping

   # Share Setting Globally
   usershare allow guests = no
   unix extensions = no
   wide links = no
   reset on zero vc = yes
   veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
   hide unreadable = yes

   map to guest = Bad User

   log file = /var/log/samba/%m.log
   max log size = 1000
   panic action = /usr/share/samba/panic-action %d
   load printers = yes
   printcap name = cups
   show add printer wizard = No
   rpc_server:spoolss = external
   rpc_daemon:spoolssd = fork
   debuglevel = 3
   use sendfile = no

   # FSRVP server : snapper remote snapshot creation
   rpc_daemon:fssd = fork
   registry shares = yes
   include registry

[printers]
                comment = All Printers
                path = /var/spool/samba
                printable = Yes
                printing = cups
                browseable = no
                guest ok = Yes
                acl_xattr:ignore system acl = yes
                admin users = @"ADOMAIN\Domain Admins"

[print$]
                comment = Printer Drivers
                path = /smb/Printer_drivers
                browseable = yes
                read only = yes
                guest ok = Yes
                acl_xattr:ignore system acl = yes
                writeable = yes
                admin users = @"ADOMAIN\Domain Admins"
[home]
                path = /smb/home
                read only = no
                guest ok = no
                vfs objects = snapper
#   
                shadow: snapdir = ./snapshot
#               shadow: sort = desc
#               shadow: format = @GMT_%Y.%m.%d-%H.%M.%S
#               shadow: localtime = no
                admin users = @"ADOMAIN\Domain Admins"

[profiles]
                path = /smb/profiles
                read only = no
                admin users = @"ADOMAIN\Domain Admins"
                profile acls = yes
                csc policy = disable


this is my smb.conf on the dc1
# Global parameters
[global]
        workgroup = ADOMAIN
        realm = AD.ADOMAIN.COM
        netbios name = ASHANTI
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        server services = -dns

# Disable printing completely
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

## setup bind to interface and time and wins server
        interfaces = lo eth0
        bind interfaces only = yes
        time server = yes
        wins support = yes

## Add AD backend.
        idmap config * :backend = tdb
        idmap config * :range = 2000-9999
        idmap config ADOMAIN : backend = ad
        idmap config ADOMAIN : range = 10000-3999999
        winbind use default domain = yes

#       nsupdate command = /usr/sbin/samba_dnsupdate
        nsupdate command =  /usr/bin/nsupdate -g
        allow dns updates = nonsecure and secure
        client ldap sasl wrapping = sign

        tls enabled  = yes
        tls keyfile  = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile   = tls/ca.pem

        log file = /var/log/samba/log.%m
        max log size = 50
        encrypt passwords = yes
        map to guest = Bad User

[netlogon]
        path = /var/lib/samba/sysvol/ad.adomain.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


what is the best method to access user share when i logon using a
windows client,
without losing the snapshot capability from snapper.

do i,
1  add the share definition to smb.conf on the domain controllers and
remove them from the file server
2  leave the share definition in smb.conf on the file server and use the
microsoft rsat to connect clients to their home share

or is there a better way i have not thought of ?

shadrock

More information about the samba mailing list