Continuing AD with SaltStack; onwards with Samba!
Installs Samba for SMB support for AD
samba-pkg:
  pkg.installed:
    - pkgs:
      - samba
      - samba-common
Installs Samba smb.conf configuration file
The file is shown below.
samba-conf:
  file.managed:
    - name: /etc/samba/smb.conf
    - source: salt://common/ad/smb.conf
    - user: root
    - group: root
    - mode: '0644'
    - template: jinja
Check that the smb.conf file is correct
Running the check now can save trouble later.
samba-conf-check:
  cmd.run:
    - name: /usr/bin/testparm --suppress-prompt
    - onchanges:
      - file: /etc/samba/smb.conf
Ensure that the extra Samba services aren’t running
samba-nmbd-dead:
  service.dead:
    - name: nmbd
    - enable: False

samba-samba-dead:
  service.dead:
    - name: samba
    - enable: False

samba-samba-ad-dc:
  service.dead:
    - name: samba-ad-dc
    - enable: False
Configuration Files
/srv/salt/common/ad/smb.conf
# Configures Samba suite for AD
# These parameters seem to work on the devtest domain.
[global]
# Netbios name for the AD domain
workgroup={{ pillar['ad_netbios'] | upper }}
# This controls whether the client is allowed or required to use SMB
# signing. Possible values are auto, mandatory and disabled.
#
# When set to auto, SMB signing is offered, but not enforced. When
# set to mandatory, SMB signing is required and if set to disabled,
# SMB signing is not offered either.
#
# Default: client signing = auto
client signing = auto
# This variable controls whether Samba clients will try to use Simple
# and Protected NEGOciation (as specified by rfc2478) with supporting
# servers (including WindowsXP, Windows2000 and Samba 3.0) to agree
# upon an authentication mechanism. This enables Kerberos authentication
# in particular.
#
# Default: client use spnego = yes
client use spnego = yes
# This option specifies the kerberos realm to use. The realm is used as the
# ADS equivalent of the NT4 domain. It is usually set to the DNS name of the
# kerberos server. Since it is kerberos it is in capital letters.
realm={{ pillar['ad_domain'] | upper }}
# In this mode, Samba will act as a domain member in an ADS realm. To operate
# in this mode, the machine running Samba will need to have Kerberos
# installed and configured and Samba will need to be joined to the ADS realm
# using the net utility.
security=ads
# Use the keytab to store secrets for authenticating against kerberos
# and to identify the kerberos server.
kerberos method = secrets and keytab
# Logging settings
# This option allows you to override the name of the Samba log file (also
# known as the debug file).
#
# This option takes the standard substitutions, allowing you to have separate
# log files for each user or machine.
#
# No default
#
# Example: log file = /usr/local/samba/var/log.%m
log file = /var/log/samba/smbd.log
# The value of the parameter (a string) allows the debug level (logging
# level) to be specified in the smb.conf file.
# Values seem to be 0 to 10.
#
# Default: log level = 0
log level = 10
# This option (an integer in kilobytes) specifies the max size the log file
# should grow to. Samba periodically checks the size and if it is exceeded it
# will rename the file, adding a .old extension.
#
# A size of 0 means no limit.
#
# Default: max log size = 5000
max log size = 500
# Turn off printing to avoid log spam
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
Pillar values
The full pillar file now looks like this:
ad_netbios: adex
ad_domain: ad.example.com
ad_dc: dc01.ad.example.com
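To see what the Jinja lookups in smb.conf produce from these pillar values, and to check the rendered result for the AD-member settings the post depends on (beyond what testparm's syntax check covers), here is an added example; it is not part of the original post or of SaltStack. The `render()` helper handles only the `{{ pillar['key'] | upper }}` form used in this smb.conf and stands in for Salt's real Jinja pass; the pillar and template below are constructed from the post's own values.

```python
"""Render this post's Jinja-templated smb.conf with pillar values and audit it.
Added example, not part of the original post or of SaltStack; render() handles only
the {{ pillar['key'] | upper }} form used here, standing in for Salt's Jinja pass."""
import configparser
import re

# Constructed pillar, matching the post's values.
PILLAR = {"ad_netbios": "adex", "ad_domain": "ad.example.com",
          "ad_dc": "dc01.ad.example.com"}

# Constructed template: the non-comment lines of the post's smb.conf.
TEMPLATE = """[global]
workgroup={{ pillar['ad_netbios'] | upper }}
client signing = auto
client use spnego = yes
realm={{ pillar['ad_domain'] | upper }}
security=ads
kerberos method = secrets and keytab
log file = /var/log/samba/smbd.log
log level = 10
load printers = no
"""

_TAG = re.compile(r"\{\{\s*pillar\['(\w+)'\]\s*(\|\s*upper\s*)?\}\}")

def render(template, pillar):
    """Substitute pillar lookups, applying the 'upper' filter where present."""
    def sub(m):
        value = pillar[m.group(1)]  # KeyError, like an undefined pillar key in Salt
        return value.upper() if m.group(2) else value
    return _TAG.sub(sub, template)

def audit(conf_text):
    """Return findings for the AD-member settings the post depends on."""
    cp = configparser.ConfigParser(interpolation=None)  # smb.conf values may use %m
    cp.read_string(conf_text)
    g = dict(cp["global"].items())  # keys lower-cased; smb.conf names are case-insensitive
    findings = []
    if g.get("security") != "ads":
        findings.append("security must be 'ads' for AD membership")
    if g.get("realm", "") != g.get("realm", "").upper():
        findings.append("realm should be upper-case (Kerberos realm)")
    if g.get("client signing") == "disabled":
        findings.append("client signing disabled: SMB signing is never offered")
    if g.get("kerberos method") != "secrets and keytab":
        findings.append("kerberos method should be 'secrets and keytab'")
    level = int(g.get("log level", "0").split()[0])
    if not 0 <= level <= 10:
        findings.append("log level out of range 0-10")
    return findings
```

Feeding the real rendered file (`salt-call --local slsutil.renderer` or the managed /etc/samba/smb.conf) into `audit()` gives the same checks against the deployed configuration.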