Samba 4 Quickstart for UCS 3.2
From Univention Wiki
Samba 4 is the next generation of the Samba suite. The most important innovation of Samba 4 is the support of domain, directory and authentication services which are compatible with Microsoft Active Directory. Domains realized with Samba 4 allow the use of the tools provided by Microsoft for the management of users or group policies (GPOs).
With Univention Corporate Server, Univention offers a tried-and-tested version of Samba 4 for production use.
This quickstart guide serves as a basis for the use of Samba 4 with UCS and describes the setup of a domain controller with Samba 4, the setup of a member server for file and print services and the joining of a Microsoft Windows 7 system in the Samba domain.
This quickstart guide needs the DVD-ISO of Univention Corporate Server for installation. It can be downloaded for free from the Univention website. The installation of UCS is described in the UCS quickstart guide. This tutorial describes the settings differing from the UCS quickstart guide in the section Installation below.
The UCS manual describes the extensive possibilities of Univention Corporate Server. A pre-installed system is available as VMware or VirtualBox image in the download area of the Univention website, as well.
The Samba 4 environment described in this quickstart guide is composed of two systems: a Windows domain controller and a member server. In principle, the Windows domain controller can also adopt the services of a member server. As a general rule, it is recommended to separate domain controllers and file/print services in Samba environments. This ensures that a high system load on a file server does not result in disruptions to the authentication service. For smaller environments in which it is not possible to run two servers, file and print services can also be run on a domain controller.
Each UCS system is assigned to a system role. The following table shows which system roles can be used for which components within the Samba 4 environment.
Further information on the system roles can be found in the UCS manual.
| | DC Master | DC Backup | DC Slave | Member server |
|---|---|---|---|---|
| Windows domain controller | X | X | X | |
| Windows member server | | | | X |
This quickstart guide sets up a new UCS environment and begins with the installation of a DC master on which the Windows domain controller is operated.
Installation of the domain controller
Please select the following settings, which differ from those in the UCS quickstart guide, for the installation:
- System role: Master domain controller
- Fully qualified domain name: master.samba4.test
- Software selection: Select Active Directory compatible domain controller (Samba 4). Unrequired software can be removed from the selection here.
Following the confirmation in the installer, UCS is installed as the DC master of the UCS domain. The system restarts automatically once a key is pressed after the installation.
Installation of the member server
Please select the following settings, which differ from those in the UCS quickstart guide, for the installation:
- System role: Member server
- Fully qualified domain name: member.samba4.test
- Domain DNS Server: IP address of the master domain controller
- Join settings: The options Start join at the end of installation and Search Domain Controller Master in DNS need to be activated. Administrator must be used as the join account and the root password configured on the domain controller master as the Password.
- Software selection: Windows memberserver (Samba 3 / Samba 4) and Print server (CUPS). Unrequired software can be removed from the selection here.
Following the confirmation in the installer, UCS is installed as a member server and joins the UCS domain automatically. The system restarts automatically once a key is pressed after the installation.
Domain join of a Microsoft Windows 7 client
A Microsoft Windows 7 client now joins the UCS domain. The join can only be performed with a domain-compatible edition; it is not possible with Microsoft Windows 7 Home, for example.
The Windows client must be able to resolve DNS entries from the DNS zone of the UCS domain, e.g., the UCS domain controller should be entered as the DNS server in the network settings of the Windows client.
The current time must be configured on the Windows system. If you are working with virtualization, it must be taken into account that suspend/resume cycles can result in incorrect computer clocks.
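Both prerequisites can be checked from the Windows 7 client before starting the join. The following script is an added example, not part of the original Univention guide. It assumes the names used in this guide (samba4.test, master.samba4.test), English-language output from nslookup and w32tm, that the domain controller answers NTP queries, and the 300-second default Kerberos clock-skew tolerance.

```powershell
# Pre-join check for a Windows 7 client (PowerShell 2.0 compatible).
# Assumed values taken from this guide: domain samba4.test, DC master.samba4.test.
$Domain  = 'samba4.test'
$DC      = 'master.samba4.test'
$MaxSkew = 300   # seconds; default Kerberos clock-skew tolerance (assumption)

function Test-SrvRecord([string]$Name) {
    # nslookup prints "svr hostname = <host>" for every SRV answer it receives.
    $out = & nslookup.exe '-type=SRV' $Name 2>&1 | Out-String
    return [regex]::IsMatch($out, 'svr hostname\s*=\s*\S+')
}

function Get-ClockOffset([string]$Server) {
    # With /dataonly, each sample line looks like "12:00:00, +00.0123456s".
    $out = & w32tm.exe /stripchart "/computer:$Server" /samples:1 /dataonly 2>&1 | Out-String
    $m = [regex]::Match($out, ',\s*([+-]\d+\.\d+)s')
    if (-not $m.Success) { return $null }   # no sample: server unreachable or no NTP
    return [double]::Parse($m.Groups[1].Value,
        [Globalization.CultureInfo]::InvariantCulture)
}

$ok = $true

# SRV records a client uses to locate the domain controller and its KDC.
foreach ($rec in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain") {
    if (Test-SrvRecord $rec) {
        "OK    SRV $rec"
    } else {
        "FAIL  SRV $rec (is the UCS domain controller set as DNS server?)"
        $ok = $false
    }
}

# Clock offset between this client and the domain controller.
$offset = Get-ClockOffset $DC
if ($offset -eq $null) {
    "FAIL  no time sample received from $DC"
    $ok = $false
} elseif ([math]::Abs($offset) -gt $MaxSkew) {
    "FAIL  clock offset ${offset}s exceeds ${MaxSkew}s"
    $ok = $false
} else {
    "OK    clock offset ${offset}s"
}

if (-not $ok) { exit 1 }
```

On a virtualized client, rerun the check after a suspend/resume cycle, since that is when the clock is most likely to have drifted.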
The basic configuration dialogue is found under Start → Control Panel → System and Security → System. Change settings must now be selected and Change clicked.
samba4.test must be entered under Domain for the domain join. Following a click on the OK button, Administrator must be entered under name in the input field and the Administrator password used during setup of the DC master entered in the Password input field. The process for joining the domain can now be started by clicking on OK.
The client must then be restarted.
When the Microsoft Windows client joins the domain, a host entry and the corresponding DNS entries are automatically created in the computer management of the Univention Management Console. Further information can be found in the UCS manual.
Configuration of a group policy
This step defines a group policy. This step can also be skipped if the user desktops are not going to be configured centrally.
The group policy must be configured with Administrator rights. This is done via a domain login (in other words as the SAMBA4\Administrator user) on the Microsoft Windows 7 system.
The Remote Server Administration Tools for Windows 7 must now be downloaded and installed on the Windows 7 system.
The group policy function must now be activated. To do so, the following steps must be done in the Control Panel: Programs → Turn Windows features on or off → Remote Server Administration Tools → Feature Administration Tools → activate Group Policy Management Tools → OK
The group policy editor can now be opened and a standard policy defined. The following example activates a policy which hides the volume control in the Windows taskbar for all users. Group policies are a powerful tool; the following example links the policy with the standard domain policy and thus it applies for all users:
The standard domain policy can be accessed via Domains → samba4.test → Default Domain Policy and edited with Edit via a right click.
The policy can be opened with a double-click under User Configuration → Policies → Administrative Templates → Start Menu and Task Bar → Remove the volume control icon. This must be turned on with Enabled and confirmed with OK.
The group policy editor can now be exited via File → Exit.
Creating a user
A login is now performed on the Univention Management Console, which can be reached at https://IP-ADDRESS-OF-MASTER/univention-management-console/.
The login is performed with the Administrator account and the password entered during the installation of the master domain controller.
Add user must now be clicked in the Users module. The suggested container can be confirmed with Add. At least the following entries must be completed in the General tab:
- Last name
- User name (in this example smith)
- Password (twice)
If the user's home directory is to be stored on the member server and not locally on the Microsoft Windows 7 client, \\member\smith must be set in the Windows home path input field in the Account tab and I: entered as the drive for the Windows home drive.
The setting can also be defined in a user template so that the entry for the Windows home path is automatically derived from the user name and does not need to be set manually. How to create a template is described in the UCS manual.
The user is completely created by clicking on Save changes.
The user can now log on to the Microsoft Windows 7 client with smith. If the group policy has been set, the volume control is now hidden on the Windows desktop.
Some Samba 3 features - e.g. trust relationships - are not yet supported in Samba 4. The feature differences between Samba 3 and Samba 4 are described here.
A detailed description of UCS and the Microsoft Windows integration can be found in the UCS manual.
Help on UCS is offered in the Univention Forum and useful information can be found in the Univention support and knowledge base (SDB). Errors in the documentation or programs can be entered directly in the Univention Bugzilla.