Dennis Zheleznyak
2014-Dec-02 13:36 UTC
[Samba] Multiple samba servers with AD integration
Hi all,

I have a CentOS 6.6 machine with samba 3.6.23-12 that is joined to a Windows active directory domain.

My goal is to configure multiple samba servers on the CentOS machine that will authenticate using the domain controller of the active directory.

DC = 1.1.1.1
CentOS 6.6 = 1.1.1.2

This is my smb.conf:

  [global]
  netbios aliases = development sales
  include = /etc/samba/smb.conf.%L
  workgroup = TEST
  server string = Samba Server Version %v
  security = ads
  realm = TEST.COM
  domain master = no
  local master = no
  preferred master = no
  socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
  use sendfile = true

  idmap config * : backend = tdb
  idmap config * : range = 100000-299999
  idmap config TEST : backend = rid
  idmap config TEST : range = 10000-99999
  winbind separator = +
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = yes
  winbind nested groups = yes
  winbind refresh tickets = yes
  template homedir = /home/%D/%U
  template shell = /bin/bash
  client use spnego = yes
  client ntlmv2 auth = yes
  encrypt passwords = yes
  restrict anonymous = 2
  log file = /var/log/samba/log.%m
  max log size = 50

I've created two additional files, smb.conf.development and smb.conf.sales, with the same content except the first two lines, and added a share definition (changed the names of the share and path) to both accordingly:

  [XYZXYZYXYZX]
  comment = Test share
  path = /samba/XYZXYZYXYZX
  read only = no
  valid users = @"TEST+Domain Users"
  force group = "Domain Users"
  directory mode = 0770
  force directory mode = 0770
  create mode = 0660
  force create mode = 0660
  # Hide share from users who don't have access
  access based share enum = yes
  # Hide files/directories if user doesn't have read access
  hide unreadable = yes

However, when I try to access the server from Windows:

  \\sales

I cannot get past the authentication window. Tried both local and active directory users and nothing works. It only works if I configure the share in the main smb.conf.
Please help :) Thank you, Dennis.
Rowland Penny
2014-Dec-02 14:33 UTC
[Samba] Multiple samba servers with AD integration

On 02/12/14 13:36, Dennis Zheleznyak wrote:
> Hi all,
>
> I have a CentOS 6.6 machine with samba 3.6.23-12 that is joined to a
> Windows active directory domain.
>
> My goal is to configure multiple samba servers on the CentOS machine that
> will authenticate using the domain controller of the active directory.
>
> [smb.conf, smb.conf.development and smb.conf.sales quoted in full]
>
> However, when I try to access the server from Windows:
> \\sales
> I cannot get past the authentication window. Tried both local and
> active directory users and nothing works. It only works if I configure the
> share in the main smb.conf.
>
> Please help :)
>
> Thank you,
> Dennis.

I think I understand what you are trying to do: you have an initial smb.conf which calls 2 other nearly identical smb.confs, and you want to run three different samba servers on the same machine. I don't think this is going to work; I am fairly sure you can only run one instance of samba on a machine. What you can do is run one smb.conf that includes another conf file; this extra conf file usually contains shares.

If you want to run multiple samba instances on one machine, then I suggest you investigate VMs, one instance of samba per VM.

Also I suggest that you remove the 'socket options' line; you are probably making things worse by having this.

Rowland
On Tue, 2 Dec 2014, Rowland Penny wrote:
> I think I understand what you are trying to do: you have an initial smb.conf
> which calls 2 other nearly identical smb.confs, and you want to run three
> different samba servers on the same machine. I don't think this is going to
> work; I am fairly sure you can only run one instance of samba on a machine.
> What you can do is run one smb.conf that includes another conf file; this
> extra conf file usually contains shares.

I don't really see why one would want to run separate samba servers using the same authentication source (DC) on the same machine either. However, I do think it should be possible.

> If you want to run multiple samba instances on one machine, then I suggest
> you investigate VMs, one instance of samba per VM.

I see there being two issues with running multiple samba servers on the same machine, and I think both are possible to fix.

You're going to need to run the servers on different IP addresses. You can bind to a particular IP with the "interfaces = 1.1.1.1" option in the global section of your smb.conf.

The other problem is you're going to have multiple copies of samba trying to use the same tdb files. This is probably going to cause severe breakage unless you run each copy with separate state dirs. I don't know exactly what is needed, but looking at the smbd command line options, I would guess each running copy would need its own --statedir, --cachedir, --piddir and --privatedir set.

> Also I suggest that you remove the 'socket options' line; you are probably
> making things worse by having this.

Seconded. First rule of optimization: don't do it unless you understand what your changes are supposed to do, and can test and verify the results. Most of the advice on the internet regarding samba socket options is old and out of date and will hurt more than it helps in most cases.
Dennis Zheleznyak
2014-Dec-02 14:50 UTC
[Samba] Multiple samba servers with AD integration
Hi Penny,

Thank you for your quick and informative response!! I really appreciate it!

I think I may have found a solution to this issue: by editing a property named servicePrincipalName using ADSI Editor on the Windows side, I'm now able to access all the virtual servers I configured on the Linux side successfully.

Let me know what you think about it :)

Thank you,
Dennis.

On Tue, Dec 2, 2014 at 4:33 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 02/12/14 13:36, Dennis Zheleznyak wrote:
>> [original message quoted in full]
>
> I think I understand what you are trying to do: you have an initial
> smb.conf which calls 2 other nearly identical smb.confs, and you want to
> run three different samba servers on the same machine. I don't think this
> is going to work; I am fairly sure you can only run one instance of samba
> on a machine. What you can do is run one smb.conf that includes another
> conf file; this extra conf file usually contains shares.
>
> If you want to run multiple samba instances on one machine, then I suggest
> you investigate VMs, one instance of samba per VM.
>
> Also I suggest that you remove the 'socket options' line; you are probably
> making things worse by having this.
>
> Rowland
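The fix Dennis describes, adding servicePrincipalName values on the Windows side, is what a Kerberos client needs before it can get a service ticket for \\sales or \\development: the client asks the KDC for cifs/<name the user typed> (or cifs/<name>.<realm> when it resolved the name through DNS), and if no account in the forest carries that SPN the ticket request fails before the share's own access checks are ever reached. The check below is an added example, not code from the thread or from Samba. It reads the 'netbios aliases' and 'realm' directives from the smb.conf in the first post, derives the SPN set that every alias needs, diffs it against a constructed list of SPNs assumed to be on the computer account, and prints the setspn commands that would close the gap. The host name 'centos' and the account name 'centos$' are assumptions; the post never gives them. HOST/ entries are listed alongside cifs/ because Active Directory's default SPN mappings let a HOST/ SPN satisfy a cifs/ request.

```python
"""
Added example (not from the thread): derive the servicePrincipalName set a
Samba member needs for each 'netbios aliases' entry and diff it against what
the computer account already carries.
"""
import re

# [global] directives from the first post; only the ones this check needs.
SMB_CONF = """
[global]
    netbios aliases = development sales
    include = /etc/samba/smb.conf.%L
    workgroup = TEST
    security = ads
    realm = TEST.COM
"""

# Constructed sample: SPNs a domain join normally leaves on the computer
# object for the host itself. The host name "centos" is an assumption.
REGISTERED_SPNS = [
    "HOST/centos",
    "HOST/centos.test.com",
    "cifs/centos",
    "cifs/centos.test.com",
]


def parse_global(conf: str) -> dict:
    """Return the [global] section as {parameter: value}.

    Parameter names are normalised the way Samba does (lower-case, internal
    whitespace collapsed). Lines starting with '#' or ';' are comments.
    Share sections are ignored.
    """
    params = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def required_spns(conf: str, hostname: str) -> set:
    """SPNs the machine account must carry for every name a client may use.

    For the host and each alias: the short form a user types as \\NAME and
    the DNS form NAME.<realm>, for both the cifs and HOST service classes.
    """
    g = parse_global(conf)
    realm = g.get("realm", "").lower()
    names = [hostname.lower()] + g.get("netbios aliases", "").lower().split()
    spns = set()
    for name in names:
        for svc in ("cifs", "HOST"):
            spns.add(f"{svc}/{name}")
            if realm:
                spns.add(f"{svc}/{name}.{realm}")
    return spns


def missing_spns(conf: str, hostname: str, registered) -> list:
    """Required SPNs absent from the account, compared case-insensitively."""
    have = {s.lower() for s in registered}
    return sorted(s for s in required_spns(conf, hostname)
                  if s.lower() not in have)


def setspn_commands(missing, account: str) -> list:
    """Windows-side commands that would register the missing SPNs.

    setspn -S checks the forest for a duplicate before adding; a duplicate
    SPN breaks Kerberos for both accounts, so prefer it over -A. The account
    is the name the host was joined as (an assumed 'centos$' here).
    """
    return [f"setspn -S {spn} {account}" for spn in missing]


if __name__ == "__main__":
    gap = missing_spns(SMB_CONF, "centos", REGISTERED_SPNS)
    for cmd in setspn_commands(gap, "centos$"):
        print(cmd)
```

Run on the constructed input this reports the eight SPNs for development and sales that the join did not create, which matches the symptom in the thread: the host's own name works, the aliases prompt for credentials and never authenticate. After adding the SPNs, confirm on the Samba side with `net ads keytab list` or `klist -k` that the member's keytab is still usable and re-test \\sales with a domain user.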