Continuing AD with SaltStack; onwards with Samba!
Installs Samba for SMB support for AD
samba-pkg:
  pkg.installed:
    - pkgs:
      - samba
      - samba-common
Installs Samba smb.conf configuration file
The file is shown below.
samba-conf:
  file.managed:
    - name: /etc/samba/smb.conf
    - source: salt://common/ad/smb.conf
    - user: root
    - group: root
    - mode: '0644'
    - template: jinja
Check that the smb.conf file is correct
Running the check now might prevent problems later.
samba-conf-check:
  cmd.run:
    - name: /usr/bin/testparm --suppress-prompt
    - onchanges:
      - file: /etc/samba/smb.conf
Ensure that the extra Samba services aren’t running
samba-nmbd-dead:
  service.dead:
    - name: nmbd
    - enable: False

samba-samba-dead:
  service.dead:
    - name: samba
    - enable: False

samba-samba-ad-dc:
  service.dead:
    - name: samba-ad-dc
    - enable: False
Configuration Files
/srv/salt/common/ad/smb.conf
# Configures Samba suite for AD
# These parameters seem to work on the devtest domain.
[global]
# Netbios name for the AD domain
workgroup={{ pillar['ad_netbios'] | upper }}

# This controls whether the client is allowed or required to use SMB
# signing. Possible values are auto, mandatory and disabled.
#
# When set to auto, SMB signing is offered, but not enforced. When
# set to mandatory, SMB signing is required and if set to disabled,
# SMB signing is not offered either.
#
# Default: client signing = auto
client signing = auto

# This variable controls whether Samba clients will try to use Simple
# and Protected NEGOciation (as specified by rfc2478) with supporting
# servers (including WindowsXP, Windows2000 and Samba 3.0) to agree
# upon an authentication mechanism. This enables Kerberos authentication
# in particular.
#
# Default: client use spnego = yes
client use spnego = yes

# This option specifies the kerberos realm to use. The realm is used as the
# ADS equivalent of the NT4 domain. It is usually set to the DNS name of the
# kerberos server. Since it is kerberos it is in capital letters.
realm={{ pillar['ad_domain'] | upper }}

# In this mode, Samba will act as a domain member in an ADS realm. To operate
# in this mode, the machine running Samba will need to have Kerberos
# installed and configured and Samba will need to be joined to the ADS realm
# using the net utility.
security=ads

# Use the keytab to store secrets for authenticating against kerberos
# and to identify the kerberos server.
kerberos method = secrets and keytab

# Logging settings
# This option allows you to override the name of the Samba log file (also
# known as the debug file).
#
# This option takes the standard substitutions, allowing you to have separate
# log files for each user or machine.
#
# No default
#
# Example: log file = /usr/local/samba/var/log.%m
log file = /var/log/samba/smbd.log

# The value of the parameter (a string) allows the debug level (logging
# level) to be specified in the smb.conf file.
# Values seem to be 0 to 10.
#
# Default: log level = 0
log level = 10

# This option (an integer in kilobytes) specifies the max size the log file
# should grow to. Samba periodically checks the size and if it is exceeded it
# will rename the file, adding a .old extension.
#
# A size of 0 means no limit.
#
# Default: max log size = 5000
max log size = 500

# Turn off printing to avoid log spam
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
Pillar values
The full pillar file now looks like this:
ad_netbios: adex
ad_domain: ad.example.com
ad_dc: dc01.ad.example.com
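
The testparm run in samba-conf-check confirms that smb.conf is internally correct; it does not judge whether settings such as client signing or log level match site policy. As an added example (not part of the original post), this Python check parses a rendered smb.conf and flags the parameters discussed above that merit review. The sample text, the MAX_LOG_LEVEL threshold, the policy itself and the function names are assumptions made for illustration.

```python
import configparser

# Constructed sample: the smb.conf template above rendered with the pillar
# values ad_netbios=adex and ad_domain=ad.example.com, comments left out.
RENDERED = """\
[global]
workgroup=ADEX
client signing = auto
client use spnego = yes
realm=AD.EXAMPLE.COM
security=ads
kerberos method = secrets and keytab
log level = 10
max log size = 500
"""
MAX_LOG_LEVEL = 3  # assumption: a site policy threshold, not a Samba value

def norm(name):
    """smb.conf ignores case and whitespace in parameter names."""
    return "".join(name.split()).lower()

def load_global(text):
    """Return the [global] parameters of smb.conf text as a dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return {norm(k): v.strip() for k, v in cp["global"].items()}

def audit(text):
    """Return names of parameters that need review (hypothetical policy)."""
    p = load_global(text)
    flagged = []
    # Values per the comment above: auto, mandatory, disabled (default auto).
    if p.get(norm("client signing"), "auto").lower() != "mandatory":
        flagged.append("client signing")   # signing not enforced
    if p.get(norm("security"), "").lower() != "ads":
        flagged.append("security")         # not an AD domain member
    realm = p.get(norm("realm"), "")
    if not realm or realm != realm.upper():
        flagged.append("realm")            # realm missing or not upper case
    if "keytab" not in p.get(norm("kerberos method"), "").lower():
        flagged.append("kerberos method")  # keytab not in use
    # "log level" may carry per-class overrides; the first token is global.
    level = (p.get(norm("log level")) or "0").split()[0]
    if not level.isdigit() or int(level) > MAX_LOG_LEVEL:
        flagged.append("log level")        # debug-level logging left on
    return flagged
```

Called as audit(RENDERED), it reports client signing and log level for the configuration shown on this page; a Salt cmd.run state could run such a check alongside testparm.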