
Thread: Ubuntu as file server for Mac and PC in AD environment

  1. #1
    Join Date
    May 2013
    Beans
    2

    Ubuntu as file server for Mac and PC in AD environment

    I wanted to create a storage setup for user data for an environment where Macs and PCs are mixed in an Active Directory structure. OS X doesn't yet have a very good implementation of SMB (Samba) and performance is down quite a bit there. So I wanted a solution that would provide both AFP and SMB for the same data (users might want to access their data from a Mac one day and a PC the next). There are solutions that do this, for example FreeNAS, but I wanted to give a "real" server a shot.
    I have found several how-tos on setting up either SMB/Samba, connecting to Active Directory or setting up Netatalk/AFP (most of the latter aim at setting up a Time Machine server). But none that combines them, at least not for recent versions.


    Along the way I took notes on how to do it (so I could replicate things) - and why not publish that as a how-to? (And perhaps get some feedback as well.)


    My set up was done in a test bed on a Windows Server 2012 Hyper-V VM with dynamic memory allocation starting at 512Mb and modest CPU resources.
    When done, the Windows clients get about the same file transfer performance as to a Windows server, but the Macs went from a throughput of about 120 mbps to Windows (SMB) shares to about 800 mbps to the Netatalk (AFP) shares (on a Gbit LAN). A pretty good performance increase. And everything is accessed with Active Directory SSO.


    Now, I don't have any long time data on stability, no in-depth security evaluation or any experience on how the solution scales. That's where feedback would be interesting…


    Enough said. Here is the how-to on how to set up an Ubuntu 13.04 Server as a file server for SMB and AFP using AD SSO. It is more or less cut-n-paste and once the server is installed the procedure should not take more than 30 mins.


    ---
    Active directory integration


    1. Install Ubuntu 13.04. Standard installation, EXT4 file system (not LVM) and SAMBA file server as the only package when given choices for LAMP etc.


    2. Set up networking. I prefer to use a static IP (it might work with DHCP as well, but that is not best practice for a server).


    $> nano /etc/network/interfaces


    Edit /etc/network/interfaces like this:

    #Loopback
    auto lo
    iface lo inet loopback


    #Primary NIC
    auto eth0
    iface eth0 inet static
    address 10.0.1.55
    netmask 255.255.255.0
    gateway 10.0.1.1
    network 10.0.1.0
    broadcast 10.0.1.255
    dns-nameservers 10.0.1.2 10.0.1.3


    #Search domain equals AD domain long name
    dns-search demo.org


    Restart the network service.
    $> service networking restart


    And as a precaution: for some reason Windows does not always handle a Linux server going from DHCP to static well, so I prefer to manually remove the DHCP lease from the DHCP server in order not to confuse the DNS. (Supposing Windows handles DHCP, and since this is for AD integration you will have a Windows DNS.)


    3. To make administration easier - install SSH-server


    $> sudo apt-get install openssh-server


    4. To make life easier still - since you will be installing and configuring and need root access, make yourself root for the session:


    $> sudo su


    5. Now it is time to join the domain. Use BeyondTrust's PowerBroker Identity Services (pbis, a newer version of Likewise Open). This can be found and downloaded as open source at www.beyondtrust.com. (You will have to provide your email, but it is free except for that.)


    I find it easiest to do this via a GUI-browser and save the file to a network share that is accessible from the Ubuntu server. Since I only have windows shares, I use the following to transfer the file to Ubuntu:


    Create directory to mount in:
    $> mkdir /mnt/win_share


    Mount the windows share
    $> mount.cifs //[windows server]/[share name] /mnt/win_share -o user=[AD user with permissions to the share]


    Create directory for the pbis files
    $> mkdir /usr/pbis


    And copy the installation file:
    $> cp /mnt/win_share/pbis-open-… /usr/pbis


    6. Install pbis according to the documentation:


    pbis conflicts with winbind, which is installed by default - so we'll have to uninstall that:


    $> apt-get remove winbind


    Make the install script executable


    $> chmod a+x pbis-open-…


    and run the script


    $> ./pbis-open-…


    7. Now you are ready to join the domain:


    $> /opt/pbis/bin/domainjoin-cli join [domainName] [account with permission to join]


    And reboot the Ubuntu server


    Then validate by logging in with [domain]\\[user]
    (You will have to escape the backslash separator with another backslash, so for the domain DEMO with user john.doe on the server Skywalker, an ssh login will be ssh DEMO\\john.doe@skywalker)


    8. You are now connected, but a few things make life much easier.


    Start by logging out and back in with your "native" Linux user to get sudo rights.


    By default pbis does not use the bash shell. In order to configure that:


    $> /opt/pbis/bin/config LoginShellTemplate /bin/bash


    And if you are in a single domain env. set default domain to not have to provide the domain name all the time


    $> /opt/pbis/bin/config AssumeDefaultDomain 1


    Then to get sudo access for your domain users:


    Edit the sudoers with
    $> sudo visudo


    To give all domain users sudo rights enter these lines:


    #For all domain users with DOMAIN-name provided
    %[Your domain]\\domain^users ALL=(ALL) ALL


    #For all domain users with default domain login
    %domain^users ALL=(ALL) ALL


    (For a single user, omit the % and change domain^users to your user name.


    domain^users is the AD group and can be any group. You can view available groups by
    $> /opt/pbis/bin/enum-groups)




    Save and restart sudo
    $> /etc/init.d/sudo restart

    Now you can log in as a domain user without providing [DOMAIN]\\, you will be granted sudo rights and will have bash as your shell.


    Time to get the file servers running:


    SAMBA for starters


    (Be sure to make yourself root or use sudo for each step)


    For an AD domain named DEMO.ORG and the Ubuntu server Skywalker with a directory /share that you want to share with all domain users, do this:


    Create the dir:
    $> mkdir /share
    $> chmod a+rx /share
    $> chown [For example a domain administrator] /share (i.e. chown administrator /share)


    1. Delete the default configuration file
    $> rm /etc/samba/smb.conf


    And make a new one:
    $> nano /etc/samba/smb.conf


    That looks like this


    [global]
    security = ADS
    workgroup = DEMO
    realm = SKYWALKER.DEMO.ORG


    #Required for pbis:
    machine password timeout = 0


    [ubuntu_share]
    comment = My share
    path = /share
    read only = no
    valid users = @DEMO\domain^users
    create mode = 0777
    directory mode = 0777
    writeable = yes
    guest ok = no


    Don't forget the machine password setting that is required by pbis-samba integration!!!


    2. Then you will have to run the pbis interoperability installer to fix things up with pbis/samba integration


    $> /opt/pbis/bin/samba-interop-install --install


    3. And restart the samba service


    $> service smbd restart


    Now you should be able to access the samba share from a windows or mac computer in the domain.


    Google for samba documentation in order to do other stuff with your SMB shares...


    And now for AFP


    (Be sure to make yourself root or use sudo for each step)


    At the time of writing, Ubuntu does not have apt packages for netatalk version 3 (much preferable to version 2), so we will have to compile it ourselves:


    1. First install git
    $> apt-get install git


    2. Create a dir for the source files


    $> mkdir /usr/source
    $> cd /usr/source


    3. And download the files with git:
    $> git clone git://git.code.sf.net/p/netatalk/code netatalk-code
    (This takes some time)


    4. Now you need a few more packages to compile


    $> apt-get install autoconf libtool automake pkg-config make build-essential


    5. And the following packages are required for all options (except ACL and Kerberos - even though AD is a Kerberos implementation, pbis makes PAM use sufficient) with netatalk. This requires a bit more disk than is absolutely necessary, but better safe than sorry if you want to change your setup later on:


    $> apt-get install libssl-dev libgcrypt11-dev libdb-dev libpam0g-dev libwrap0-dev libavahi-client-dev libldap2-dev libcrack2-dev systemtap-sdt-dev libdbus-1-dev libdbus-glib-1-dev libglib2.0-dev libevent-dev




    6. We will also want the server to be announced via Bonjour (avahi) so:


    $> apt-get install avahi-daemon


    7. And we are ready to make and install


    Go to the netatalk-code dir


    $> cd /usr/source/netatalk-code/


    8. Prepare scripts by


    $> ./bootstrap


    9. And configure the build


    $> ./configure \
    --with-init-style=debian \
    --with-cracklib \
    --without-libevent \
    --with-pam-confdir=/etc/pam.d \
    --with-dbus-sysconf-dir=/etc/dbus-1/system.d


    Successful completion gives something like this:
    Configure summary:
        INIT STYLE:
            debian
        AFP:
            Extended Attributes: ad | sys
            ACL support: no
        CNID:
            backends: dbd last tdb
        UAMS:
            DHX (PAM SHADOW)
            DHX2 (PAM SHADOW)
            RANDNUM (afppasswd)
            Kerberos V
            clrtxt (PAM SHADOW)
            guest
        Options:
            Zeroconf support: yes
            tcp wrapper support: yes
            quota support: yes
            admin group support: yes
            valid shell check: yes
            cracklib support: yes
            ACL support: no
            Kerberos support: auto
            LDAP support: yes
            dbus support: yes
            dtrace probes: yes
        Paths:
            Netatalk lockfile: /var/lock/netatalk
            init directory: /etc/init.d
            dbus system directory: /etc/dbus-1/system.d
            pam config directory: /etc/pam.d




    10. You are now ready to compile


    $> make


    and finally


    $> make install


    That's about it...
    11. What remains is configuring netatalk. That is done in /usr/local/etc/afp.conf


    Here is a minimal example - that works well.
    ;
    ; Netatalk 3.x configuration file
    ;


    [Global]
    mimic model = Xserve3,1




    [my_share]
    path = /share
    valid users = @domain^users


    In this case the directory /share (directly under root) is shared for all domain users. (And it is the very same directory we set up to share over SMB previously.) You can of course set individual users (valid users = john.doe) or fully open shares (omit the valid users). The mimic model in global settings makes your netatalk server appear as an Xserve in Finder (you can change this to for example iMac, MacMini, iPhone, etc.).


    12. Restart services…


    $> service netatalk restart
    $> service avahi-daemon restart


    Done! Happy file sharing
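    The setup above exports one directory twice, once in smb.conf and once in afp.conf, so the two "valid users" lines have to agree or the restriction on one protocol is undone by the other. The following checker is an added example and not part of the original post or of Samba/Netatalk: it parses both files (same INI dialect, "#" or ";" comments), flags guest access, missing "valid users", permissive create/directory modes and a missing "machine password timeout = 0", and reports any path shared under both protocols with differing principals. The two embedded configs are constructed from the values shown in the post (the share names and the extra /scratch share are illustrative); the "@DEMO\domain^users" versus "@domain^users" normalisation assumes AssumeDefaultDomain as configured above.

```python
"""Hardening and consistency check for an smb.conf/afp.conf pair that export
the same directory over SMB and AFP.  Added example, not part of the original
post; the sample configs are constructed from the values the post shows."""
import re

# Constructed sample: smb.conf as in the post ("create mote" read as "create mode").
SMB_CONF = """\
[global]
security = ADS
workgroup = DEMO
realm = SKYWALKER.DEMO.ORG
#Required for pbis:
machine password timeout = 0

[ubuntu_share]
comment = My share
path = /share
read only = no
valid users = @DEMO\\domain^users
create mode = 0777
directory mode = 0777
writeable = yes
guest ok = no
"""

# Constructed sample: afp.conf as in the post, plus a second share without a
# "valid users" line so the checker has something to report.
AFP_CONF = """\
;
; Netatalk 3.x configuration file
;
[Global]
mimic model = Xserve3,1

[my_share]
path = /share
valid users = @domain^users

[scratch]
path = /scratch
"""


def parse_ini(text):
    """Parse the Samba/Netatalk INI dialect: [section] headers, 'key = value'
    lines, '#' or ';' comments.  Keys are lower-cased with whitespace collapsed
    so 'Create  Mode' and 'create mode' compare equal.  Returns {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def normalise_principal(spec):
    """Canonical form of a 'valid users' entry: '@DEMO\\domain^users' (Samba)
    and '@domain^users' (Netatalk with AssumeDefaultDomain) name the same AD group."""
    is_group = spec.startswith(("@", "+", "&"))
    name = spec.lstrip("@+&").split("\\", 1)[-1].lower()
    return ("@" if is_group else "") + name


def valid_users(section):
    spec = section.get("valid users", "")
    return frozenset(normalise_principal(p) for p in re.split(r"[,\s]+", spec) if p)


def check_file_server(smb_text, afp_text):
    """Return a list of (object, protocol, finding) tuples for the two configs."""
    findings = []
    smb, afp = parse_ini(smb_text), parse_ini(afp_text)
    glob = smb.get("global", {})
    if glob.get("security", "").lower() != "ads":
        findings.append(("global", "smb", "security != ADS: domain SSO will not work"))
    if glob.get("machine password timeout") != "0":
        findings.append(("global", "smb", "machine password timeout = 0 missing (needed by pbis interop)"))
    smb_shares = {n: s for n, s in smb.items() if n.lower() != "global"}
    afp_shares = {n: s for n, s in afp.items() if n.lower() != "global"}
    for name, s in smb_shares.items():
        if s.get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append((name, "smb", "guest ok: unauthenticated access allowed"))
        if not s.get("valid users"):
            findings.append((name, "smb", "no valid users: any domain account may connect"))
        for key in ("create mode", "create mask", "directory mode", "directory mask"):
            if key in s and int(s[key], 8) & 0o002:  # mask keeps the world-write bit
                findings.append((name, "smb", "%s = %s allows world-writable files" % (key, s[key])))
    for name, s in afp_shares.items():
        if not s.get("valid users"):
            findings.append((name, "afp", "no valid users: any domain account may connect"))
    # A directory exported under both protocols must be restricted to the same
    # principals, otherwise the laxer export undoes the tighter one.
    by_path = {}
    for proto, shares in (("smb", smb_shares), ("afp", afp_shares)):
        for name, s in shares.items():
            if "path" in s:
                by_path.setdefault(s["path"], []).append((proto, name, valid_users(s)))
    for path, exports in by_path.items():
        if len(exports) > 1 and len({users for _, _, users in exports}) > 1:
            who = ", ".join("%s:%s" % (p, n) for p, n, _ in exports)
            findings.append((path, "both", "valid users differ between " + who))
    return findings


if __name__ == "__main__":
    for obj, proto, text in check_file_server(SMB_CONF, AFP_CONF):
        print("[%s] %s: %s" % (proto, obj, text))
```

    Run against the post's own configuration it reports only the two 0777 modes on the SMB share and the unrestricted /scratch AFP share; dropping the "valid users" line from [my_share] makes it report /share as exported with differing principals. To check a live server, read /etc/samba/smb.conf and /usr/local/etc/afp.conf into the two arguments instead of the constructed strings.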




  2. #2
    Join Date
    Apr 2005
    Beans
    53

    Confused by the Windows Server part ...

    I became a little bit confused by the bit where you stated that you did this on a Windows Server 2012 Hyper-V VM.
    • Is this simply some virtual machine from a cloud supplier?
    • Did you install Ubuntu as a VM on top of Windows, or the other way around?
    • What does this post have to do with Windows server?


    I am hoping this is actually just a post on setting up a Samba server

    When that is cleared up, I have some network questions regarding performance. I was thinking of setting up a similar setup, and after browsing lots of Stack Overflow threads it seems like there is a general consensus that Samba is a lot slower than the competing SMB implementations on Windows Server. Typically reaching 50-60 MB/s on the same hardware a Windows server reaches 110MB/s (essentially maxing the Gbit line). You seem to have got good performance, but you only state numbers for the AFP share (800Mbit ~ 100MB/s). What was the performance for SMB?

  3. #3
    Join Date
    May 2013
    Beans
    2

    Re: Confused by the Windows Server part ...

    Hi, to answer your questions from bottom up:
    It doesn't have much to do with Windows server at all - but Windows server is my virtualization platform. The server is located in my basement and is not a cloud service. And I installed Ubuntu as a VM "on top" of Windows, yes.
    I haven't measured SMB-performance, but it is not terribly slow - that's about all I can say.
    The point of my setup is to have SMB and AFP working in parallel and simultaneously on the same share. Since OSX using SMB is terribly slow...
