Likewise Open 6 & Samba - A Better Open Source File Server

Posted by Kyle on April 7, 2011

My last foray into an open source, Active Directory authenticated file server led to my post on how to navigate Likewise CIFS's several quirks and configure it for Active Directory authentication.

There are, however, a few faults to this approach. Namely, Likewise CIFS is built on Likewise Open 5.4 instead of the most recent version - Likewise Open 6. I knew this going in, figuring that Likewise would release a newer version of CIFS built on Likewise Open 6.

There are no such plans in the works, though they will work this into their enterprise product.

That in mind, after some searching, I found a way to make Likewise Open 6 work with Samba, and I'd like to share it with you. Are you comfortable? Let's get started.

Before we jump all the way in, a quick disclaimer: I got a large portion of the information to make this possible from the Likewise support site. The specific article is at http://www.likewise.com/resources/documentation_library/manuals/lwe/likewise-samba-guide.html.

For this HowTo, I'm using a machine with Ubuntu 10.04.2 Desktop x64 installed and updated as of 04.06.2011.

First things first - get the prerequisites out of the way

You'll need a few software packages in particular. The first is Samba, which can be installed from the main Ubuntu repositories with apt-get:

$ sudo apt-get install samba

Next, you'll need Likewise Open 6.

Normally, if you download it from their website, Likewise will make you fill out a form with your name and email, then wait for the email from them with your download link.

Since I like you, though, I'll give it to you here:

http://www.likewise.com/community/index.php/download/

Or, if you're a command line ninja:

$ wget http://likewise.com/bits/6.0/8336/LikewiseOpen-6.0.0.8336-linux-amd64-deb.sh

*Quick note: I'm using the x64 version since I'm running a 64-bit OS. If you're using a 32-bit OS, just replace "amd64" with "i386" here and everywhere else you see it.

Once you've downloaded Likewise, make the installer executable and run it:

$ sudo chmod a+x LikewiseOpen-6.0.0.8336-linux-amd64-deb.sh
$ sudo ./LikewiseOpen-6.0.0.8336-linux-amd64-deb.sh

Accept the license agreement - all of the licenses are some flavor of open source - and type "yes" to proceed with the install.

Once you're done, reboot.

Join the Domain

Just like I mentioned in my last post, you need to edit some config files before you join the domain. Since I care more about your convenience than my pageviews, here's a near copy-paste from my last post. The process is exactly the same:

Before you ever fire off another Likewise executable, edit your /etc/hosts file (sudo nano /etc/hosts). You must do this for everything to work properly. Add this entry to the file just below the line beginning with "127.0.0.1":

[IP Address of your Domain Controller] [FQDN of your Domain Controller] [FQDN of your Domain]

You must also edit the /etc/nsswitch.conf file. The line that reads:

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

Should be changed to read:

# hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

Beneath that line, add this line:

hosts: files dns

When you install Likewise from the Ubuntu repositories, you get a fancy GUI you can get to by going to System > Administration > Active Directory Membership.

If all you want to do is authenticate to the domain, this is a fine solution. However, here I'm going to use the command line since I'm in it already and we'll be using it a lot more later, too:

$ /opt/likewise/bin/domainjoin-cli join [FQDN of your Domain] [Domain Admin Account Name]

The program will ask you for your password. Go ahead and type it in.

If all goes as planned, you'll get the following message:

Warning: System restart required
Your system has been configured to authenticate to Active Directory for the
first time. It is recommended that you restart your system to ensure that all
applications recognize the new settings.

SUCCESS

At this point, go ahead and reboot your machine.

Being thorough (and a bit paranoid), I like to also confirm on the Domain Controller the computer was added.

Some Post-Join Configuration

Unlike the 5.x versions, Likewise Open 6 comes with a neat configuration utility called lwconfig, which we'll use along with a startup script to make everything work like it's supposed to.

When users log in to this machine with a shell, we want them to use /bin/bash, and we want their home folder to be under /home/[DOMAIN]/username, so I ran these two commands:

$ /opt/likewise/bin/lwconfig LoginShellTemplate /bin/bash
$ /opt/likewise/bin/lwconfig HomeDirTemplate %H/%D/%U

Also, I want the machine to update the DNS every time it boots, so I created a script called "startup" in /etc/init.d. Here's the code:

#!/bin/bash
/opt/likewise/bin/lw-update-dns
exit

Once the script is created, make sure it is executable and make it run every time the machine is booted:

$ sudo chmod a+x /etc/init.d/startup
$ cd /etc/init.d
$ sudo update-rc.d -f startup defaults

Finally, in visudo, I added this line so the members of a group in my domain will have admin rights on the machine:

%[DOMAIN]\\[GROUP NAME] ALL=(ALL) ALL

Remember that this group cannot have any spaces in its name.

Now the Good Part

Just to be safe, let's make sure our version of Samba will work with Likewise:

$ /opt/likewise/bin/samba-interop-install --check-version

You should receive something like:

Found smbd version 3.4.7
Samba version supported

Next, you'll want to make a copy of your existing Samba config file at /etc/samba/smb.conf. Here's what you'll want your config file to look like:

#======================= Global Settings =======================
[global]
   workgroup = [DOMAIN]
   realm = [DOMAIN FQDN - EXAMPLE.LOCAL]
   server string = %h server
   wins server = 10.0.0.10
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = no
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user

   idmap uid = 10000-33554431
   idmap gid = 10000-33554431

   usershare allow guests = yes

#======================= Share Definitions =======================

[Share]
  path = /share
  read only = no
  guest ok = no
  browseable = yes
  valid users = @[DOMAIN]\[GROUP NAME]

Remember not to have any spaces in your group name. If you want to name individual users (a sysadmin no-no, by the way) just omit the '@.'

Also, make sure the local permissions on the directory are open enough for that group to use:

$ chmod -R -c 766 /share
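
Applied recursively, mode 766 makes every file and directory under the share writable by any local account, yet gives group and other no search (x) bit on directories, so non-owners cannot enter them. The following is an added example, not part of the original post: it counts both conditions and applies a group-scoped alternative. The function names are hypothetical, and the group argument stands in for the [DOMAIN]\[GROUP NAME] placeholder used above.

```shell
#!/bin/sh
# Added example (not from the original post): audit and tighten the local
# permissions on a Samba share path. Function names are hypothetical.

# Number of entries under DIR that any local account can write to.
count_world_writable() {
    find "$1" ! -type l -perm -0002 | wc -l | tr -d ' '
}

# Number of directories under DIR that group members cannot enter
# (group search bit missing, as after "chmod -R 766").
count_group_unsearchable_dirs() {
    find "$1" -type d ! -perm -0010 | wc -l | tr -d ' '
}

# Limit DIR to its owner and GROUP: directories get 2770 (setgid, so new
# files inherit the group), plain files get 0660, "other" gets nothing.
restrict_to_group() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2770 {} + &&
    find "$dir" -type f -exec chmod 0660 {} +
}

# Usage (run as root; the group is whatever name wbinfo -g reports):
#   count_world_writable /share
#   restrict_to_group /share 'DOMAIN\groupname'
```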

Test the config file:

$ testparm /etc/samba/smb.conf
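
testparm validates the file, but it does not point out which shares are reachable without a domain identity. The following is an added example, not part of the original post: a small audit of the settings used in the config above (map to guest, guest ok, valid users). The function name audit_shares is hypothetical, and the parsing is simplified (no include files or line continuations).

```shell
#!/bin/sh
# Added example (not from the original post). audit_shares FILE prints one
# line per finding: a global "map to guest" other than never, and any share
# that allows guests or has no "valid users" restriction.
audit_shares() {
    awk '
    function report() {
        if (name == "") return
        if (tolower(name) == "global") {
            if (map != "" && map != "never")
                print "global: map to guest = " map
            return
        }
        if (guest ~ /^(yes|true|1)$/) print name ": guest access allowed"
        if (!users) print name ": no valid users restriction"
    }
    /^[ \t]*([#;]|$)/ { next }            # skip comments and blank lines
    /^[ \t]*\[/ {                          # a new [section] starts
        report()
        name = $0
        sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
        guest = "no"; users = 0
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        # Samba ignores case and spaces in parameter names
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "maptoguest") map = tolower(val)
        if (key == "guestok" || key == "public") guest = tolower(val)
        if (key == "validusers" && val != "") users = 1
    }
    END { report() }
    ' "$1"
}

# Usage:
#   audit_shares /etc/samba/smb.conf
```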

Finally, run the Samba Interoperability installer and restart the Samba and Winbind daemons:

$ /opt/likewise/bin/samba-interop-install --install
$ service smbd restart
$ service winbind restart

...and wiz-bang, you're done!

Got questions? Leave a comment.

Comments:

Posted by Chris on
Thank you for this walkthru. No one else had mentioned scripting bash on startup and I thank you for that. Fixed a host of minor issues I hadn't been arsed to fix yet.

Only thing that's not working for me is the /share folder. Very good guide elsewise.
Posted by Kyle on
Thanks Chris!

On that /share folder, make sure your local permissions are right. I usually just chmod them to 766 and make sure only admin accounts can login locally.

-Kyle
Posted by Chris on
Couple Notes I've found that would round this out:

# Use this so you don't have to type DOMAIN\user to log in...
# Just use user
sudo /opt/likewise/bin/lwconfig AssumeDefaultDomain true

# Add AD Groups to Sudoers. Must have for my desired setup where my
# IS shop needs access, but I don't want to manually setup each box
sudo visudo:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%domain^users ALL=(ALL) ALL
%DOMAIN\\domain^users ALL=(ALL) ALL

And for the shared folder... it does seem it was permissions issues for me. Simple chmod didn't seem to do it for me, so I...

sudo useradd shared
sudo chown shared:shared /share

# smb.conf
[Share]
...
force user = shared

My default domain might be what's causing the permission issues... not 100% sure, obviously.

Thanks tons again for the walkthru... It's worth many internet dollars! :)
Posted by Nicholas Lee on
You could use /etc/rc.local rather than custom /etc/init.d/startup.
Posted by Soleil Golden on
Thank you so much for this writeup; it was immensely helpful. One note to make, though:


>Remember that this group cannot have any spaces in its name.

That's not true. I was able to add groups to smb.conf with spaces like so:
valid users = @"DOMAIN\Marketing", @"DOMAIN\Domain Admins"

Also permissions:
sudo chgrp "DOMAIN\Domain Users" /storage/* -R

That worked a charm. :D

I've seen others say you can also replace spaces with the caret like so:
valid users = @"DOMAIN\Marketing", @"DOMAIN\Domain^Admins"
sudo chgrp "DOMAIN\Domain^Users" /storage/* -R

I didn't try this myself, but for those it did, winbind was storing those groups with the caret in place of a space. Running the following should help one determine which they should use :
wbinfo -g | grep Domain

If there are spaces in the groups, use spaces! :D

Hope that's as helpful to someone else as it was to me!
Posted by shurkes on
Can you help me?
The download link no longer exists. How can I download the file?
Posted by Kyle on
Hi Shurkes!

The link doesn't work because Likewise was acquired by BeyondTrust almost a year ago. The software is now called PowerBroker Identity Services Open. I talked about it in a later post: http://lordandhooks.com/blog/likewise-is-no-more-sorta/

The software works basically the same. The link in the latter post doesn't work anymore, either. You can go to http://www.beyondtrust.com/Products/PowerBroker-Identity-Services-Open-Edition/ to get it, but they're going to ask you for a name now.

Hope that helps!

-Kyle