Continuing AD with SaltStack; onwards with Samba!
Installs Samba for SMB support for AD
samba-pkg: pkg.installed: - pkgs: - samba - samba-common
Installs Samba smb.conf configuration file
The file is shown below.
samba-conf: file.managed: - name: /etc/samba/smb.conf - source: salt://common/ad/smb.conf - user: root - group: root - mode: '0644' - template: jinja
Check that the smb.conf file is correct
Running the check might save issues later
samba-conf-check: cmd.run: - name: /usr/bin/testparm --suppress-prompt - onchanges: - file: /etc/samba/smb.conf
Ensure that the extra Samba services aren’t running
samba-nmbd-dead: service.dead: - name: nmbd - enable: False samba-samba-dead: service.dead: - name: samba - enable: False samba-samba-ad-dc: service.dead: - name: samba-ad-dc - enable: False
Configuration Files
/srv/salt/common/ad/smb.conf
# Configures Samba suite for AD
# These parameters seem to work on the devtest domain.
[global]
# Netbios name for the AD domain
workgroup={{ pillar['ad_netbios'] | upper }}
# This controls whether the client is allowed or required to use SMB
# signing. Possible values are auto, mandatory and disabled.
#
# When set to auto, SMB signing is offered, but not enforced. When
# set to mandatory, SMB signing is required and if set to disabled,
# SMB signing is not offered either.
#
# Default: client signing = auto
client signing = auto
# This variable controls whether Samba clients will try to use Simple
# and Protected NEGOciation (as specified by rfc2478) with supporting
# servers (including WindowsXP, Windows2000 and Samba 3.0) to agree
# upon an authentication mechanism. This enables Kerberos authentication
# in particular.
#
# Default: client use spnego = yes
client use spnego = yes
# This option specifies the kerberos realm to use. The realm is used as the
# ADS equivalent of the NT4 domain. It is usually set to the DNS name of the
# kerberos server. Since it is kerberos it is in capital letters.
realm={{ pillar['ad_domain'] | upper }}
# In this mode, Samba will act as a domain member in an ADS realm. To operate
# in this mode, the machine running Samba will need to have Kerberos
# installed and configured and Samba will need to be joined to the ADS realm
# using the net utility.
security=ads
# Use the keytab to store secrets for authenticating against kerberos
# and to identify the kerberos server.
kerberos method = secrets and keytab
# Logging settings
# This option allows you to override the name of the Samba log file (also
# known as the debug file).
#
# This option takes the standard substitutions, allowing you to have separate
# log files for each user or machine.
#
# No default
#
# Example: log file = /usr/local/samba/var/log.%m
log file = /var/log/samba/smbd.log
# The value of the parameter (a astring) allows the debug level (logging
# level) to be specified in the smb.conf file.
# Values seem to be 0 to 10.
#
# Default: log level = 0
log level = 10
# This option (an integer in kilobytes) specifies the max size the log file
# should grow to. Samba periodically checks the size and if it is exceeded it
# will rename the file, adding a .old extension.
#
# A size of 0 means no limit.
#
# Default: max log size = 5000
max log size = 500
# Turn off printing to avoid log spam
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
Pillar values
The full pillar file now looks like this:
ad_netbios:adex ad_domain:ad.example.com ad_dc:dc01.ad.example.com
Martin's Blog 