Zentyal is a set of tools, based on the Ubuntu distribution, for managing a Samba 4 domain
- Manage Users
- Share directory
- Compatible with RSAT!
- Download the Zentyal 5.1 ISO from here
- Create a virtual machine on your server/PC or use a real machine
- Define a static IP address for Zentyal and a name
- Start the installation as shown in this video
After reboot, start the configuration of the domain controller
For us, the Zentyal server is named “dc1”, and our domain is named “EUROPE.lan”
After the first setup we can carry out our first operations:
- Create an admin user and a standard user
- Add a client to our domain
- Create a shared directory for the user and for the organization
- Install the RSAT tools to the client
- Create users and groups from RSAT
- Create a Group Policy
Create users and shared folders
We can do this in two ways: from the web GUI and from the shell
Manage users from the web GUI
Go to Zentyal web page with https://<zentyal ip>:8443 and login
After that, we can see the dashboard
For security reasons, configure logging in the “Logs” menu and change the default rotation settings to:
- Configuration changes: two years
- Samba access: thirty days
NB: The Samba access logs can help you get more information about suspicious access
Set, or check, the default drive letter for the users' network directory; in this setup the letter is “H”.
When you manage users, you need to understand two entities: groups and users
A group is a collection of users, and there are two types of groups: distribution and security.
The basic difference between security groups and distribution groups is:
Security groups can be used to assign security rights on resources inside a domain. By using a security group, we can collect a group of user accounts in a department and assign them access to a shared folder. We cannot use distribution groups for this purpose and a security group has all the capabilities of a distribution group.
A distribution group can be used for sending emails to a group of users. We cannot use a distribution group for assigning security permissions.
A user’s membership in many security groups could result in slow logon performance. Therefore distribution groups should be used wherever possible.
By default, users can see only their personal folder on the network
In this example, we add a network folder for the group “office1”
Go to the “File Sharing” section
After that, create a shared folder under “Zentyal folder”; the default path of this share is /home/samba/shares/<name>
Now we can grant the permission to the folder
Go to the “File Sharing” section and select the settings button in the “Access Control” column for your shared folder. Click the “ADD new” button.
You can define an ACL for a single user or for a group.
You can define more than one ACL
Manage users from a shell
Create a user
samba-tool user create mario password --use-username-as-cn --userou='OU=employee' --home-drive=H --home-directory='\\dc1.EUROPE.lan\mario' --unix-home='/home/mario' --given-name=mario --surname=rossi --login-shell=/bin/bash
Create a group
samba-tool group add office2 --group-type=Security --group-scope=Domain --groupou='CN=Groups'
Add user to a group
Use samba-tool group addmembers <group name> user1,user2
samba-tool group addmembers "office2" mario
Remove user from a group
samba-tool group removemembers "office2" mario
List the domain users
samba-tool user list
List of groups
samba-tool group list
List the users in a group
samba-tool group listmembers "office2"
The home folder settings are defined in /etc/samba/smb.conf in [HOME] section.
Create a folder in the /home/ directory with the same name as the username
Use setfacl to apply permissions:
setfacl -m d:u:mario:rxw /home/mario
Understand the shared folder
The shared folder settings are defined in /etc/samba/shares.conf
Create a folder in the /home/samba/shares directory with the same name as the group
mkdir -p /home/samba/shares/office2
Use setfacl to apply the permissions:
setfacl -m d:g:office2:rxw /home/samba/shares/office2
Edit /etc/samba/shares.conf and add this section
[office2]
comment = share di rete
path = /home/samba/shares/office2
browseable = yes
force create mode = 0660
force directory mode = 0660
valid users =
read list =
write list =
admin users =
vfs objects = acl_xattr full_audit
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
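Reviewing the failures that the full_audit:failure line above records, which is the kind of check the NB on Samba access logs has in mind, as an added example that is not part of the original tutorial. It assumes the module's default log prefix (%u|%I) and syslog-style lines; the sample entries, the user “luigi”, the client addresses and the file names are constructed.

```sh
#!/bin/sh
# Added example: summarise failed operations logged by vfs_full_audit.
# Assumption: default prefix "%u|%I", so each syslog line ends with
#   smbd_audit: user|client-ip|operation|result|argument

# Constructed sample lines, not taken from a real server.
sample_log() {
cat <<'EOF'
Mar  3 09:14:02 dc1 smbd_audit: mario|192.168.1.50|connect|ok|office2
Mar  3 09:14:05 dc1 smbd_audit: mario|192.168.1.50|open|ok|r|report.odt
Mar  3 09:20:11 dc1 smbd_audit: luigi|192.168.1.77|opendir|fail (Permission denied)|budget
Mar  3 09:20:12 dc1 smbd_audit: luigi|192.168.1.77|open|fail (Permission denied)|r|budget/2018.ods
Mar  3 09:20:14 dc1 smbd_audit: luigi|192.168.1.77|open|fail (Permission denied)|r|budget/2019.ods
Mar  3 09:31:40 dc1 smbd_audit: mario|192.168.1.50|unlink|fail (Permission denied)|report.odt
Mar  3 09:32:00 dc1 smbd[812]: unrelated daemon message
EOF
}

# audit_failures MIN: read log lines on stdin and print, tab-separated,
# "user ip failures operations" for each user/IP pair with >= MIN failures,
# busiest first.
audit_failures() {
    tab=$(printf '\t')
    awk -v min="$1" -v OFS="$tab" '
        {
            i = index($0, "smbd_audit: ")
            if (i == 0) next                       # not a full_audit line
            n = split(substr($0, i + 12), f, "|")
            if (n < 4 || f[4] !~ /^fail/) next     # keep failures only
            key = f[1] OFS f[2]
            count[key]++
            # remember each failed operation once per user/IP pair
            if (index("," ops[key] ",", "," f[3] ",") == 0)
                ops[key] = (ops[key] == "" ? f[3] : ops[key] "," f[3])
        }
        END {
            for (k in count)
                if (count[k] >= min) print k, count[k], ops[k]
        }
    ' | sort -t "$tab" -k3,3nr -k1,1
}

# Stand-alone run on the sample: pairs with two or more failures.
sample_log | audit_failures 2
```

On a live server, feed the function the file where syslog stores the smbd_audit messages instead of the sample.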
Manage users from RSAT
The best tool to manage a SAMBA4 domain is Microsoft RSAT (Remote Server Administration Tools). You can download it from this link
Some Windows updates can remove RSAT; in this case, you need to reinstall it
Open “Active Directory Users and Computers” or type “dsa.msc” and follow the instructions in this video.
Zentyal is compatible with the Active Directory tools, and after your changes, you can see the result in the Zentyal Dashboard
Group policy for automounting
With RSAT, we can define a group policy for automounting the network folder
Open Group Policy Editor with gpmc.msc
- Be sure that the ACLs for the shared folder are set up correctly
- Reboot the client or force an update with gpupdate.exe
Your domain is done!