Samba Homedirectory



Samba Setup with winbind / AD integration on RHEL

Configure ntp to get the time from the AD server.

copy to /etc/krb5.conf

# /etc/krb5.conf — MIT Kerberos client configuration for the AD-joined
# Samba server.  Comment lines start with # in column 0.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# the AD domain, upper-case, is the realm used when none is given
 default_realm = EXAMPLE.COLLEGE.INTERNAL
# KDCs are taken from [realms] below rather than discovered through DNS
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
# tickets are forwardable by default (needed for credential delegation);
# both yes/no and true/false spellings are accepted in this file
 forwardable = yes

[realms]
# EXAMPLE.COM looks like the stock template entry (kerberos.example.com);
# nothing else on this server refers to it, so it can be removed.
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

# the AD realm: both domain controllers are listed as KDCs
 EXAMPLE.COLLEGE.INTERNAL = {
  kdc = server1.example.college.internal
  kdc = server2.example.college.internal

 }

[domain_realm]
# hostname -> realm mapping; a leading dot matches every host in that domain
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

 example.college.internal = EXAMPLE.COLLEGE.INTERNAL
 .example.college.internal = EXAMPLE.COLLEGE.INTERNAL

[appdefaults]
# settings for pam_krb5; the lifetimes here are in seconds (36000 s = 10 h).
# krb4_convert concerns Kerberos 4 ticket conversion and is obsolete on
# current systems; it is kept only because the stock template has it.
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

copy to /etc/samba/smb.conf

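# /etc/samba/smb.conf — member server of the AD domain; users and groups come
# from winbind (see /etc/nsswitch.conf).  Substitutions used below:
# %U = user name, %G = primary group, %D = domain, %S = share name,
# %m = client NetBIOS name.  Lines starting with # are comments.
[global]
	# NetBIOS (short) name of the AD domain; must match the DOMAIN used
	# elsewhere in this file and in /home/DOMAIN
	workgroup = DOMAIN
	realm = EXAMPLE.COLLEGE.INTERNAL
	server string = servername
	# Kerberos/AD authentication; requires the machine account created by
	# "net ads join"
	security = ADS
	password server = server1.example.college.internal  server2.example.college.internal
	passdb backend = tdbsam
	# uid/gid range winbind allocates for domain users and groups.
	# Newer Samba releases replace these two with "idmap config * : range".
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	# domain users get no interactive shell on this host
	template shell = /sbin/nologin
	cups options = raw
	log file = /var/log/samba/log.%m
	# lets group names such as "domain admins" be used without the DOMAIN\
	# prefix; /usr/local/sbin/homedirperms.sh relies on this
	winbind use default domain = yes
	# needed for "getent passwd" to enumerate domain users
	winbind enum users = yes
	obey pam restrictions = yes
	usershare allow guests = no
	ea support = yes
	acl compatibility = Auto
	store dos attributes = yes
	map readonly = no
	map archive = no
	map system = no
	# root can never authenticate over SMB
	invalid users = root
	msdfs root = no
	socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
	acl map full control = false
	# keep the quota files (aquota.user / aquota.group) out of listings
	hide files = /aquota.*/

# One share per user, named after the user; visible only to its owner.
[homes]
	comment = Home Directories
	read only = No
	browseable = yes
	# per-domain / per-group / per-user tree, created on first connect by
	# the root preexec script below
	path = /home/%D/%G/%U
	# %S is the share name, i.e. the user name for [homes]: each user can
	# connect only to their own share
	valid users = %D\%S
	# admin users perform every file operation as root on this share;
	# keep this list as short as possible
	admin users = @"DOMAIN\domain^admins", administrator
	inherit acls = Yes
	inherit permissions = yes
	map acl inherit = Yes
	# executables and scripts are neither visible nor creatable in home
	# directories (matched by name only)
	veto files = /*.bat/*.cmd/*.com/*.exe/*.vbs/*.msi/*.pif/*.reg/
	# runs as root on each connect: creates the directory, ACLs and quota
	root preexec = /usr/local/sbin/homedirperms.sh %U %G
	nt acl support = no
	hide unreadable = yes
	# recycle VFS: deleted files are moved to <home>/recycle-bin, keeping
	# the directory tree and older versions; temp files are not kept
	recycle:repository = recycle-bin
	recycle:keeptree = yes
	recycle:touch = Yes
	recycle:versions = Yes
	recycle:exclude = ?~$*,~$*,*.tmp,*.temp,*.TMP
	recycle:exclude_dir = /tmp,/temp,/cache
	recycle:directory_mode = 0770
	recycle:subdir_mode = 0770
	# a share-level "hide files" replaces the global value for this share
	hide files =  /recycle-bin/
	vfs objects = default_quota recycle

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

# Admin view of every home directory.  Unlike [homes] there is no
# "valid users" restriction, so who can read or write what is decided by
# the filesystem ACLs set by homedirperms.sh.
# NOTE(review): add "valid users = @"DOMAIN\domain^admins"" if this share
# is meant to be reachable by administrators only.
[students]
	comment = All Home Directories  -admin share
	path = /home/DOMAIN
	write list = @DOMAIN\domain^admins
	# "read only = No" already makes the share writable for everyone who
	# can connect; "write list" only adds to that when read only = Yes
	read only = No
	inherit permissions = Yes
	inherit acls = Yes
	inherit owner = Yes
	map acl inherit = Yes
	force unknown acl user = yes
	acl check permissions = no
	nt acl support = yes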


enable ACL support

install acl support with YUM

edit /etc/fstab

# /etc/fstab entry for the student home volume: POSIX ACLs, quota and user
# extended attributes ("ea support" / "store dos attributes" in smb.conf
# need user_xattr).  NOTE(review): a later example on this page uses
# usrquota,grpquota instead of quota — confirm which one the server has.
/dev/sdd1               /home/DOMAIN            ext3    acl,quota,user_xattr 1 2

Join Domain

do

net ads join -U administrator

enter administrator password:


Allow users access to filesystem

edit /etc/nsswitch.conf to contain:

passwd: compat winbind
group: compat winbind
shadow: compat

test domain

wbinfo -u

should display list of users

getent passwd


should display list of users

start servers

chkconfig winbind on
chkconfig smb  on
/etc/init.d/winbind start
/etc/init.d/smb start


copy directories

Mount the remote Windows share on /mnt, then copy it with rsync:

rsync -rltD /mnt/users/07/ ./

Autocreate Home Directories and set Quotas

New student quotas are set when the home directory is created. To change the quota per year group, adjust the file /usr/local/sbin/homedirperms.sh.

copy to /usr/local/sbin/homedirperms.sh and make executable

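#!/bin/bash
# /usr/local/sbin/homedirperms.sh — run by Samba as "root preexec" for the
# [homes] share with $1 = %U (user name) and $2 = %G (primary group, used
# as the year group).  On the first connect it creates
# /home/DOMAIN/<group>/<user>, sets owner, mode and POSIX ACLs, and applies
# the per-year-group disk quota.  Always exits 0 so a failure here never
# blocks the share from being served.
user="$1"
group="$2"
home="/home/DOMAIN/$group/$user"

# Refuse an empty user name and anything that could escape the year-group
# directory; the script runs as root.
case "$user" in
	""|*/*|..) exit 0 ;;
esac

# Only the listed year groups get an auto-created home directory.
case "$group" in
	08|07|06|05|04|03|02|adulted|exams|gueststudents) ;;
	*) exit 0 ;;
esac

if [ ! -e "$home" ]; then
	mkdir -p "$home"
	# "domain admins" without the DOMAIN\ prefix relies on
	# "winbind use default domain = yes" in smb.conf
	chown "$user":"domain admins" "$home"
	chmod o-rwx "$home"
	# setgid so new files inside stay group-owned by "domain admins"
	chmod g+rwxs "$home"
	setfacl -m user:"$user":rwx "$home"
	setfacl -m group:teachers:r-x "$home"
	setfacl -m group:"domain admins":rwx "$home"

	# Block limits in 1K blocks: <soft> <hard>; inode limits 0 = none.
	# Year groups 02 and 03 get 1024 MiB soft / 1200 MiB hard, every other
	# listed group 600 MiB soft / 700 MiB hard.
	case "$group" in
		03|02) setquota -u "$user" 1048576 1228800 0 0 /home/DOMAIN/ ;;
		*)     setquota -u "$user" 614400 716800 0 0 /home/DOMAIN/ ;;
	esac
fi
exit 0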


Student H:\ drives, which reside on \\student, have quota enforced. The relevant line in /etc/fstab to switch on user quota is:

# /etc/fstab entry for the student home volume with user and group quota,
# POSIX ACLs and user extended attributes; the quota files live at the top
# of /home/DOMAIN (hidden from SMB clients by "hide files" in smb.conf).
/dev/VolGroup02/LogVol00 /home/DOMAIN            ext3  defaults,usrquota,grpquota,acl,user_xattr 1 2

maintenance

quotacheck is run monthly from /etc/cron.monthly/quota. This may not be necessary and could cause problems, because quotacheck dismounts the drive; on reboot a check may be forced. To circumvent this, run fsck -f on /dev/VolGroup02/LogVol00 during downtime.

#!/bin/bash
# /etc/cron.monthly/quota — rebuild the quota files for /home/DOMAIN.
# Samba is stopped first so no client has the share open while quota is
# off, and restarted unconditionally at the end (there is no "set -e"),
# so a quotacheck failure cannot leave the share down.
/etc/init.d/smb stop
/sbin/quotaoff /home/DOMAIN
# -a scans every quota-enabled filesystem, not only /home/DOMAIN;
# -v verbose, -u user and -g group quota
/sbin/quotacheck -avug
/sbin/quotaon /home/DOMAIN
/etc/init.d/smb start

quota violations

Students are warned daily of their quota violations by email /etc/cron.daily/quota

#!/bin/bash
# /etc/cron.daily/quota — e-mail every user who is over quota.
# See warnquota(8) for what -d changes in the message body.
/usr/sbin/warnquota -d

new students

New student quotas are set when the home directory is created. To change the quota per year group, adjust the file /usr/local/sbin/homedirperms.sh.

changing quota per yeargroup

Edit the variables at the top of the file as necessary and run it on the student server.

#!/usr/bin/python
# GPL 
# Applies a disk quota on /home/DOMAIN to every AD user found under one
# year-group OU.  Python 2 script; python-ldap ("import ldap" below) is
# required.  Variables can be changed here:

# year group whose users receive the quota (see the OU mapping further down)
yeargroup = "03"
# lowerquota - soft limit (kbytes)
soft = "1048576"
# upper quota - hard limit (kbytes)
hard = "1228800"

# base DN under which the "ou=<year>" containers live
ldap_domain = 'ou=example,dc=college,dc=internal'
# DNS domain appended to ldapserver; "example.com" on the other site
domain = "example.college.internal"
# ldap server
ldapserver = "server1"
# ldap port (389 default)
port = "389"
# the domain of the ldap bind account
ldapbinddomain = "DOMAIN"
# the account name of the account to bind to ldap
ldapbind = "ldapaccount"
# the ldap password.
# NOTE(review): stored in clear text here and sent in clear over ldap://
# by the simple bind below; keep this file root-only (mode 600), use a
# least-privilege read-only account, and prefer ldaps:// or StartTLS if
# the domain controllers offer it.
ldappassword = "PASSWORD"

# UNC path of the old student server (not used by the quota loop below)
oldserveruncpath = "\\\\student\\"
# helper binaries; only setquota is used by the quota loop below
chown = "/bin/chown"
chmod = "/bin/chmod"
setfacl = "/usr/bin/setfacl"
setquota = "/usr/sbin/setquota"
#--------------------------------------------------------------------------------------------------
import os
import shutil
import string
import subprocess
import sys
import time

import ldap
#from mod_python import apache
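# Map the configured year group to the OU name used in AD.  Add new
# groups here.
YEAR_OU = {
    "01": "year 01",
    "02": "year 02",
    "03": "year 03",
    "04": "year 04",
    "05": "year 05",
    "06": "year 06",
    "07": "year 07",
    "08": "year 08",
    "09": "year 09",
    "10": "year 10",
    "11": "year 11",
    "12": "year 12",
    "ACRES Students": "ACRES Students",
}

year = YEAR_OU.get(yeargroup)
if year is None:
    # stop here: without a valid OU the search below has no scope
    print " update script, yeargroup out of range"
    sys.exit(1)

# search base: the year-group OU under the configured base DN
scope = 'ou=' + year + ',' + ldap_domain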
         
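# Connect and bind with the service account.
# NOTE(review): a simple bind over plain ldap:// sends the password
# unencrypted; use ldaps:// or l.start_tls_s() if the domain controllers
# offer TLS — confirm before enabling.
l = ldap.initialize("ldap://" + ldapserver + "." + domain + ":" + port)
l.simple_bind_s(ldapbinddomain + "\\" + ldapbind, ldappassword)

try:
    try:
        # every user object below the year-group OU; only the login name
        # is needed to set the quota
        res = l.search_s(scope, ldap.SCOPE_SUBTREE,
                         "(&(ObjectCategory=user) )", ['sAMAccountName'])
        for (dn, vals) in res:
            # entries without attributes (e.g. referrals) are skipped
            # instead of crashing the whole run
            if not vals or 'sAMAccountName' not in vals:
                continue
            accountname = vals['sAMAccountName'][0].lower().replace(' ', '')
            sys.stdout.flush()
            # argument list, not a shell string, so an account name can
            # never be interpreted as shell syntax.  Block limits in 1K
            # blocks, inode limits 0 = none.
            subprocess.call([setquota, '-u', accountname, soft, hard,
                             '0', '0', '/home/DOMAIN/'])
            print accountname + " " + soft + "  " + hard
    except ldap.LDAPError, error_message:
        print error_message
finally:
    # always release the connection, even on an unexpected error
    l.unbind_s()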
         

Snap Shotting Volumes

In order to use this facility, the share you want to snapshot has to be placed on an LVM logical volume; that volume holds the share that will be copied. Future snapshots will then be stored in new logical volumes.

To enable shadow copies on your samba share add the following line to your share configuration.

Edit /etc/samba/smb.conf or equivalent

Add the following option to the share you want to shadow copy: vfs objects = shadow_copy

The following script creates a snapshot of SNAPVOLSOURCE and stores the new volume under a timestamp name (SNAPNAME).

It then creates a folder under / (you may want to place this somewhere else) named @GMT- followed by SNAPNAME. The @GMT- prefix is required for Samba to identify the folder as a snapshot. It then creates a link to that folder from SNAPFOLDERSOURCE, which is the mount point of SNAPVOLSOURCE. This avoids having the shadow-copied volumes mounted within the same folder as the source (this part was more of a personal preference).

This script only creates small 32MB volumes (lvcreate -L32M -s -n); you may want to create bigger volumes than this, depending on how often your data changes. The script is designed to show that the function works, as the script on the Samba site did not work for me.

You may also want to make a script like this part of a cron job, which would include tidying out volumes that are older than a certain date, etc.

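#!/bin/bash
# Test script amended from the Samba shadow_copy example.
# Assumes the volume group holding the volume to be copied and shadowed
# already exists; run as root.
#   SNAPNAME         timestamp used as the snapshot LV name and @GMT- folder
#   SNAPVOLSOURCE    logical volume holding the share data
#   SNAPVOLGRP       its volume group; the snapshot LV is created there
#   SNAPFOLDERSOURCE mount point of SNAPVOLSOURCE, where Samba looks for
#                    the @GMT-* entries
# NOTE(review): the @GMT- prefix implies a UTC timestamp; if clients show
# shifted snapshot times, use "date -u" here — confirm against the Samba
# shadow_copy documentation.
SNAPNAME=`date +%Y.%m.%d-%H.%M.%S`
SNAPVOLSOURCE="/dev/VolGroup01/data"
SNAPVOLGRP="/dev/VolGroup01"
SNAPFOLDERSOURCE="/timbo"
# 32M snapshot volume; size it to the expected change rate between
# snapshots.  Stop if the snapshot cannot be created so no folder or link
# is left pointing at a volume that does not exist.
lvcreate -L32M -s -n "$SNAPNAME" "$SNAPVOLSOURCE" || exit 1
mkdir "/@GMT-$SNAPNAME"
ln -s "/@GMT-$SNAPNAME" "$SNAPFOLDERSOURCE/@GMT-$SNAPNAME"
# read-only mount: the snapshot cannot be modified through the share
mount "$SNAPVOLGRP/$SNAPNAME" "/@GMT-$SNAPNAME" -r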

Problems

If users cannot access drives, the most likely cause is Kerberos failing because of time synchronisation issues. Active Directory and the server must have their time in sync to within ±5 minutes (300 sec).

To manually adjust the time on the server as a quick fix, do:

/etc/init.d/ntpd stop
/usr/sbin/ntpdate 172.16.x.x
    • make sure VMware Tools are installed on the Linux server to fix time issues

allow cdrom access

net groupmap add unixgroup=cdrom type=domain ntgroup="DOMAIN\Domain Users" comment="Allow Domain Users to use local CD drives."