Samba Homedirectory
Samba Setup with winbind / AD integration on RHEL
Configure ntp to get time from the AD server. Kerberos rejects tickets when the clock differs from the domain controllers by more than 5 minutes (300 s), so do this before joining the domain (see Problems below).
copy to /etc/krb5.conf (the EXAMPLE.COM realm and its [domain_realm] lines are the stock RHEL template entries and are not used here; only EXAMPLE.COLLEGE.INTERNAL matters)
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COLLEGE.INTERNAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
EXAMPLE.COLLEGE.INTERNAL = {
kdc = server1.example.college.internal
kdc = server2.example.college.internal
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
example.college.internal = EXAMPLE.COLLEGE.INTERNAL
.example.college.internal = EXAMPLE.COLLEGE.INTERNAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
copy to /etc/samba/smb.conf
[global]
workgroup = DOMAIN
realm = EXAMPLE.COLLEGE.INTERNAL
server string = servername
security = ADS
password server = server1.example.college.internal server2.example.college.internal
passdb backend = tdbsam
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /sbin/nologin
cups options = raw
log file = /var/log/samba/log.%m
winbind use default domain = yes
winbind enum users = yes
obey pam restrictions = yes
usershare allow guests = no
ea support = yes
acl compatibility = Auto
store dos attributes = yes
map readonly = no
map archive = no
map system = no
invalid users = root
msdfs root = no
socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
acl map full control = false
hide files = /aquota.*/
[homes]
comment = Home Directories for %U
read only = No
browseable = yes
path = /home/%D/%G/%U
valid users = %D\%S
; admin users perform every file operation on this share as root, so keep this list short
admin users = @"DOMAIN\domain^admins", administrator
inherit acls = Yes
inherit permissions = yes
map acl inherit = Yes
veto files = /*.bat/*.cmd/*.com/*.exe/*.vbs/*.msi/*.pif/*.reg/
root preexec = /usr/local/sbin/homedirperms.sh %U %G
nt acl support = no
hide unreadable = yes
recycle:repository = recycle-bin
recycle:keeptree = yes
recycle:touch = Yes
recycle:versions = Yes
recycle:exclude = ?~$*,~$*,*.tmp,*.temp,*.TMP
recycle:exclude_dir = /tmp,/temp,/cache
recycle:directory_mode = 0770
recycle:subdir_mode = 0770
hide files = /recycle-bin/
vfs objects = default_quota recycle
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[students]
comment = All Home Directories -admin share
path = /home/DOMAIN
write list = @DOMAIN\domain^admins
read only = No
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
map acl inherit = Yes
force unknown acl user = yes
acl check permissions = no
nt acl support = yes
enable ACL support
install the acl and quota packages with yum (yum install acl quota)
edit /etc/fstab so the home filesystem is mounted with the acl, user_xattr and quota options (the device name differs per server; the quota section below uses /dev/VolGroup02/LogVol00):
/dev/sdd1 /home/DOMAIN ext3 defaults,usrquota,grpquota,acl,user_xattr 1 2
then remount with mount -o remount /home/DOMAIN (or reboot) so the options take effect
Join Domain
run, as root:
net ads join -U administrator
enter the administrator password when prompted; net ads testjoin afterwards confirms that the join is valid
Allow users access to filesystem
edit /etc/nsswitch.conf to contain:
passwd: compat winbind
group: compat winbind
shadow: compat
test domain
wbinfo -u
should display the list of domain users (wbinfo -t additionally checks that the machine account trust secret works against the DC)
getent passwd
should also display the domain users; if wbinfo works but getent does not, the nsswitch.conf edit above is missing
start servers
chkconfig winbind on
chkconfig smb on
/etc/init.d/winbind start
/etc/init.d/smb start
copy directories
mount the remote windows share to /mnt then copy with rsync:
rsync -rltD /mnt/users/07/ ./
-rltD copies the tree with symlinks, times and device files but not ownership, group or mode (-o -g -p), so set those afterwards. Note that homedirperms.sh only acts on a home directory that does not yet exist, so directories created by this copy are not touched by it on the user's first connection: set their ownership and ACLs by hand; the yeargroup script below sets the quotas.
Autocreate Home Directories and set Quotas
New student quotas are set when the home directory is first created by /usr/local/sbin/homedirperms.sh, the root preexec of the [homes] share; edit that file to change the quota per yeargroup.
copy to /usr/local/sbin/homedirperms.sh, owned by root and made executable (it runs as root on every connection to the share)
#!/bin/bash
# Called by Samba as "root preexec = /usr/local/sbin/homedirperms.sh %U %G":
# $1 = user name, $2 = primary group (the year group). Runs as root on every
# connection, so act only on known year groups and on names that are safe in a path.
user="$1"
group="$2"
base=/home/DOMAIN

case "$user" in
    ''|.|..|*[!A-Za-z0-9._-]*) exit 0 ;;   # empty, dot names or characters outside [A-Za-z0-9._-]: do nothing
esac

case "$group" in
    08|07|06|05|04|03|02|adulted|exams|gueststudents) ;;   # year groups that get a home directory here
    *) exit 0 ;;
esac

home="$base/$group/$user"
if [ ! -e "$home" ]; then
    mkdir -p "$home"
    chown "$user":"domain admins" "$home"
    chmod o-rwx "$home"
    chmod g+rwxs "$home"                 # setgid: files created inside keep the group
    setfacl -m "user:$user:rwx" "$home"
    setfacl -m "group:teachers:r-x" "$home"
    setfacl -m "group:domain admins:rwx" "$home"
    # quotas in 1k blocks: soft hard inode-soft inode-hard (0 = no inode limit)
    case "$group" in
        03|02) setquota -u "$user" 1048576 1228800 0 0 "$base/" ;;   # 1 GB soft, 1.2 GB hard
        *)     setquota -u "$user" 614400 716800 0 0 "$base/" ;;     # 600 MB soft, 700 MB hard
    esac
fi
exit 0
Student H:\ drives which reside on \\student have quota enforced.
The relevant line in /etc/fstab to switch on user quota is here:
/dev/VolGroup02/LogVol00 /home/DOMAIN ext3 defaults,usrquota,grpquota,acl,user_xattr 1 2
maintenance
quotacheck is run monthly from /etc/cron.monthly/quota. This may not be necessary and can cause problems: quotacheck needs the filesystem quiescent (it remounts it read-only while it scans, which fails while smb still has files open for writing), and on reboot a filesystem check may be forced. To avoid this, run fsck -f on /dev/VolGroup02/LogVol00 during downtime instead. The cron script stops smb around the check:
#!/bin/bash
/etc/init.d/smb stop
/sbin/quotaoff /home/DOMAIN
/sbin/quotacheck -avug
/sbin/quotaon /home/DOMAIN
/etc/init.d/smb start
quota violations
Students are warned daily of their quota violations by email from /etc/cron.daily/quota:
#!/bin/bash
/usr/sbin/warnquota -d
changing quota per yeargroup
edit the variables at the top of the file as necessary and run it on the student server as root (setquota needs it). The bind password sits in the file in clear text, so keep the file owned by root with mode 0700; and because the script binds with a simple bind over plain LDAP on port 389, the password also crosses the network unencrypted unless you point it at ldaps:// (port 636) or add StartTLS.
#!/usr/bin/python
# GPL
# Sets the disk quota of every user in one year-group OU to the limits below.
# Written for the python 2 interpreter the shebang points at; attribute values
# are decoded in case it is run under python 3, where python-ldap returns bytes.
# Variables can be changed here:
yeargroup = "03"
# lowerquota - soft limit (kbytes)
soft = "1048576"
# upper quota - hard limit (kbytes)
hard = "1228800"
ldap_domain = 'ou=example,dc=college,dc=internal'
domain = "example.college.internal"  # "example.com"
ldapserver = "server1"  # ldap server
port = "389"  # ldap port (389 default)
ldapbinddomain = "DOMAIN"  # the domain of the ldap bind account
ldapbind = "ldapaccount"  # the account name of the account to bind to ldap
ldappassword = "PASSWORD"  # the ldap password (clear text: keep this file root-only)
homefs = "/home/DOMAIN/"  # filesystem the quota applies to
setquota = "/usr/sbin/setquota"
#--------------------------------------------------------------------------------------------------
import re
import subprocess
import sys
import ldap

# Year groups are OUs named "year NN" under ldap_domain; "ACRES Students" is the one named OU.
if yeargroup == "ACRES Students":
    year = "ACRES Students"
elif re.match(r'^(0[1-9]|1[0-2])$', yeargroup):
    year = "year " + yeargroup
else:
    print("update script, yeargroup out of range")
    sys.exit(1)  # the original fell through here and failed later with 'year' undefined
scope = 'ou=' + year + ',' + ldap_domain

# The account name comes from AD and is passed to a root-run command, so it is checked
# against an allow-list of characters rather than trusted.
safe_name = re.compile(r'^[a-z0-9._-]+$')

l = ldap.initialize("ldap://" + ldapserver + "." + domain + ":" + port)
l.simple_bind_s(ldapbinddomain + "\\" + ldapbind, ldappassword)  # bind to the ldap server using name/password
try:
    res = l.search_s(scope, ldap.SCOPE_SUBTREE, "(&(ObjectCategory=user) )",
                     ['sAMAccountName', 'userAccountControl'])
    for (dn, vals) in res:
        if dn is None or 'sAMAccountName' not in vals:
            continue  # referral entries and objects without an account name
        accountname = vals['sAMAccountName'][0]
        if isinstance(accountname, bytes) and not isinstance(accountname, str):
            accountname = accountname.decode('utf-8')
        accountname = accountname.lower().replace(' ', '')
        # userAccountControl 512 = normal, 514 = disabled account (bit 0x2 = ACCOUNTDISABLE)
        uac = int(vals.get('userAccountControl', ['0'])[0])
        if uac & 0x2:
            print("skipping disabled account " + accountname)
            continue
        if not safe_name.match(accountname):
            print("skipping account with unexpected characters: " + repr(accountname))
            continue
        sys.stdout.flush()
        # An argv list rather than os.system() with a formatted string: nothing in the
        # account name is ever seen by a shell.
        rc = subprocess.call([setquota, '-u', accountname, soft, hard, '0', '0', homefs])
        if rc != 0:
            print("setquota failed for " + accountname)
        else:
            print(accountname + " " + soft + " " + hard)
except ldap.LDAPError as error_message:
    print(error_message)
l.unbind_s()
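The following is an added example and not the wiki's own script. It takes python-ldap style (dn, attrs) search results and turns them into setquota argument lists without any LDAP or root access, so it can be run offline: the per-year-group limits of homedirperms.sh become a table, disabled accounts are skipped by the userAccountControl bit the original script only mentions in a comment, and names that would be unsafe to hand to a root-run command are rejected. The sample entries, the function names, and the "$(id)" account name (showing what an os.system() string would have passed to the shell) are constructed for the example.

```python
import re
from collections import namedtuple

# Per-year-group limits in 1k blocks (soft, hard), mirroring homedirperms.sh on this page:
# years 02 and 03 get 1 GB / 1.2 GB, everyone else 600 MB / 700 MB.
QUOTA_LIMITS = {"02": (1048576, 1228800), "03": (1048576, 1228800)}
DEFAULT_LIMITS = (614400, 716800)

ACCOUNTDISABLE = 0x2                       # userAccountControl bit; 514 = 512 (normal) | 0x2
SAFE_NAME = re.compile(r'^[a-z0-9._-]+$')  # the only characters we let reach setquota
YEAR_OU = re.compile(r'^ou=year (\d\d)$', re.IGNORECASE)

QuotaAction = namedtuple("QuotaAction", "account yeargroup argv")

# Constructed sample data in the shape python-ldap returns (values are bytes under python 3).
SAMPLE_ENTRIES = [
    ("CN=Alice Smith,OU=year 03,OU=example,DC=college,DC=internal",
     {"sAMAccountName": [b"asmith"], "userAccountControl": [b"512"]}),
    ("CN=Bob Jones,OU=year 07,OU=example,DC=college,DC=internal",
     {"sAMAccountName": [b"bjones"], "userAccountControl": [b"514"]}),   # disabled account
    ("CN=Eve,OU=year 07,OU=example,DC=college,DC=internal",
     {"sAMAccountName": [b"$(id)"], "userAccountControl": [b"512"]}),    # shell metacharacters in the name
    ("CN=Carol,OU=year 07,OU=example,DC=college,DC=internal",
     {"sAMAccountName": [b"Carol K"], "userAccountControl": [b"512"]}),  # space, lower-cased and stripped
    (None, ["ldap://server2.example.college.internal/"]),                # referral, as python-ldap yields it
]


def yeargroup_from_dn(dn):
    """Return the NN of the first 'OU=year NN' above the leaf RDN, or None."""
    for rdn in dn.split(",")[1:]:
        m = YEAR_OU.match(rdn.strip())
        if m:
            return m.group(1)
    return None


def plan_quotas(entries, homefs="/home/DOMAIN/", setquota="/usr/sbin/setquota"):
    """Return (actions, skipped): setquota argv lists to run, and (dn, reason) for
    entries that are referrals, disabled, outside a year OU, or unsafely named."""
    actions, skipped = [], []
    for dn, attrs in entries:
        if dn is None:
            skipped.append((dn, "referral"))
            continue
        name = attrs.get("sAMAccountName", [b""])[0]
        if isinstance(name, bytes):
            name = name.decode("utf-8")
        name = name.lower().replace(" ", "")
        uac = int(attrs.get("userAccountControl", [b"0"])[0])
        if uac & ACCOUNTDISABLE:
            skipped.append((dn, "disabled"))
            continue
        yg = yeargroup_from_dn(dn)
        if yg is None:
            skipped.append((dn, "not in a year OU"))
            continue
        if not SAFE_NAME.match(name):
            skipped.append((dn, "unsafe account name %r" % name))
            continue
        soft, hard = QUOTA_LIMITS.get(yg, DEFAULT_LIMITS)
        # argv list: run with subprocess.call(argv); no shell ever parses the name
        argv = [setquota, "-u", name, str(soft), str(hard), "0", "0", homefs]
        actions.append(QuotaAction(name, yg, argv))
    return actions, skipped


def unsafe_shell_line(name, soft, hard, homefs="/home/DOMAIN/"):
    """The string the original os.system() call would have handed to /bin/sh for this name.
    Built only to show the problem; never execute it."""
    return "/usr/sbin/setquota -u %s %s %s 0 0 %s" % (name, soft, hard, homefs)


if __name__ == "__main__":
    actions, skipped = plan_quotas(SAMPLE_ENTRIES)
    for a in actions:
        print("year %s %s: %s" % (a.yeargroup, a.account, " ".join(a.argv)))
    for dn, reason in skipped:
        print("skip %s: %s" % (dn, reason))
    print("os.system would have run: " + unsafe_shell_line("$(id)", 614400, 716800))
```

To use it against the directory, replace SAMPLE_ENTRIES with the result of l.search_s() over ou=example,dc=college,dc=internal and run each returned argv with subprocess.call; the year group is read from the DN, so one search covers every year at once.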
Snap Shotting Volumes
In order to use this facility the share you want to snapshot must live on an LVM logical volume; each snapshot is then a new logical volume in the same volume group.
To enable shadow copies on your samba share add the following line to your share configuration.
Edit /etc/samba/smb.conf or equivalent
Add the following option to the share you want to shadow copy:
vfs objects = shadow_copy
A share has only one vfs objects line, so for the [homes] share above this means appending the module to the existing list: vfs objects = default_quota recycle shadow_copy
The following script creates a snapshot of SNAPVOLSOURCE and stores the new volume under a timestamp name (SNAPNAME).
It then creates a folder in root (you may want to place this somewhere else) with @GMT- in front of SNAPNAME. The @GMT- prefix is required for Samba to recognise the folder as a snapshot, and Samba reads the timestamp in the name as GMT, which is why the script takes the date with -u. It then creates a link to that folder in SNAPFOLDERSOURCE, the mount point of SNAPVOLSOURCE. This avoids having the shadow-copied volumes mounted within the same folder as the source (this part was more of a personal preference).
This script only creates small 32MB snapshot volumes (lvcreate -L32M -s -n); you may want to create bigger volumes than this, depending on how much your data changes between snapshots, as a snapshot that fills up becomes invalid. The script is designed to show that the function works, as the script on the Samba site did not work for me.
You may also want to make a script like this part of a cron job, which would include tidying out volumes that are older than a certain date.
#!/bin/bash
# Test script amended from the samba example.
# Script assumes that you have created Volume Group(s)
# for the volume to be copied and shadowed.
SNAPNAME=`date -u +%Y.%m.%d-%H.%M.%S`   # GMT, which is how shadow_copy reads the name
SNAPVOLSOURCE="/dev/VolGroup01/data"
SNAPVOLGRP="/dev/VolGroup01"
SNAPFOLDERSOURCE="/timbo"                # mount point of SNAPVOLSOURCE, i.e. the share root
lvcreate -L32M -s -n "$SNAPNAME" "$SNAPVOLSOURCE"   # 32 MB is only enough for a demonstration
mkdir "/@GMT-$SNAPNAME"
ln -s "/@GMT-$SNAPNAME" "$SNAPFOLDERSOURCE/@GMT-$SNAPNAME"
mount "$SNAPVOLGRP/$SNAPNAME" "/@GMT-$SNAPNAME" -r
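An added example (not from the wiki or from the Samba project) of the tidy-up job the paragraph above suggests. It parses the @GMT- names the script creates (the logical volume itself is named with the bare timestamp; the mount directory and the symlink carry the @GMT- prefix), selects snapshots older than a given age while always keeping a few of the newest, and builds the umount/lvremove commands as argument lists for a caller to run with subprocess. The volume group, share root, the fixed "now" and the sample directory names are constructed for the example; nothing here touches LVM.

```python
import datetime
import re

# Samba shadow-copy directory names: @GMT-YYYY.MM.DD-hh.mm.ss, timestamp in GMT.
SNAP_RE = re.compile(r'^@GMT-(\d{4})\.(\d{2})\.(\d{2})-(\d{2})\.(\d{2})\.(\d{2})$')

# Constructed sample: what a listing of "/" on the snapshot host might contain.
SAMPLE_NOW = datetime.datetime(2024, 3, 10, 12, 0, 0)
SAMPLE_NAMES = [
    "@GMT-2024.03.09-02.00.00",
    "@GMT-2024.03.01-02.00.00",
    "@GMT-2024.02.01-02.00.00",
    "@GMT-2024.01.15-02.00.00",
    "lost+found",                  # not a snapshot
    "@GMT-2024.13.01-00.00.00",    # looks like one but is not a valid date
]


def parse_snapshot_name(name):
    """Return the UTC datetime encoded in a shadow-copy name, or None if it is not one."""
    m = SNAP_RE.match(name)
    if not m:
        return None
    try:
        return datetime.datetime(*[int(x) for x in m.groups()])
    except ValueError:             # month 13 and the like
        return None


def snapshot_name(when):
    """Format a UTC datetime the way the script above names the directory (with @GMT-)."""
    return when.strftime("@GMT-%Y.%m.%d-%H.%M.%S")


def expired_snapshots(names, now, max_age_days, keep_newest=3):
    """Snapshots to retire: older than max_age_days, except that the keep_newest most
    recent are always kept, however old. Names that are not snapshots are ignored."""
    dated = []
    for n in names:
        ts = parse_snapshot_name(n)
        if ts is not None:
            dated.append((ts, n))
    dated.sort(reverse=True)       # newest first
    cutoff = now - datetime.timedelta(days=max_age_days)
    return [n for ts, n in dated[keep_newest:] if ts < cutoff]


def retire_commands(names, vg="/dev/VolGroup01", share_root="/timbo"):
    """Argument lists to unmount, unlink and remove each retired snapshot, in a safe order:
    the mount goes away before the logical volume backing it."""
    cmds = []
    for n in names:
        lv = n[len("@GMT-"):]                          # the LV was named with the bare timestamp
        cmds.append(["umount", "/" + n])
        cmds.append(["rm", "-f", share_root + "/" + n])  # the symlink inside the share
        cmds.append(["lvremove", "-f", vg + "/" + lv])
        cmds.append(["rmdir", "/" + n])
    return cmds


if __name__ == "__main__":
    old = expired_snapshots(SAMPLE_NAMES, SAMPLE_NOW, max_age_days=14, keep_newest=2)
    for cmd in retire_commands(old):
        print(" ".join(cmd))
```

In a cron job, replace SAMPLE_NAMES with os.listdir("/") and SAMPLE_NOW with datetime.datetime.utcnow(), and run each command list with subprocess.check_call; checking the return of umount before lvremove matters, since removing a volume that is still mounted is exactly the failure the ordering is meant to avoid.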
Problems
If users cannot access drives, the most likely cause is Kerberos failing because of time synchronisation: the server's clock must be within 5 minutes (300 s) of the Active Directory domain controllers.
To manually adjust the time on the server as a quick fix (start ntpd again afterwards):
/etc/init.d/ntpd stop
/usr/sbin/ntpdate 172.16.x.x
If the server is a VMware guest, install VMware Tools so the guest clock is kept in step with the host; otherwise it drifts and the same Kerberos failure comes back.
allow cdrom access
Map the domain group Domain Users onto the local unix group cdrom, so domain users get that group's access to the local CD drives:
net groupmap add unixgroup=cdrom type=domain ntgroup="DOMAIN\Domain Users" comment="Allow Domain Users to use local CD drives."