
Install Zentyal 5.1

Zentyal is a set of tools for managing a Samba 4 domain, based on the Ubuntu distribution

  • DNS
  • Manage Users
  • Share directory
  • Groups
  • Compatible with RSAT!

Installation

  1. Download the Zentyal 5.1 ISO from here
  2. Create a virtual machine on your server/PC or use a real machine
  3. Define a static IP address and a name for Zentyal
  4. Start the installation as shown in this video

After reboot, start the configuration of the domain controller

For us, the Zentyal server is named “dc1”, and our domain is named “EUROPE.lan”

After the initial setup we can perform our first operations:

  • Create an admin user and a standard user
  • Add a client to our domain
  • Create a shared directory for the user and for the organization
  • Install the RSAT tools on the client
  • Create users and groups from RSAT
  • Create a Group Policy

Create users and sharing folder

We can do this in two ways: from the web GUI and from the shell

Manage users from the web GUI

Go to the Zentyal web page at https://<zentyal ip>:8443 and log in

Zentyal login page

After that, we can see the dashboard

Zentyal Dashboard

For security reasons, configure logging in the “Logs” menu and change the default rotation settings to:

  • Configuration changes: two years
  • Samba access: thirty days

NB: The Samba access logs can help you get more information about suspicious access

Suggested log rotation configuration
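
One way to review such logs from the shell, as an added example that is not part of the original page: it counts "Permission denied" failures per user and client IP in smbd_audit syslog lines, the format written by Samba's full_audit VFS module with its default %u|%I prefix. The log lines, user names, addresses and the threshold of 3 are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of syslog lines as written by vfs_full_audit with the
# default prefix "%u|%I": user|client-ip|operation|result|arguments
sample_log() {
cat <<'EOF'
Mar  3 09:14:02 dc1 smbd_audit: mario|192.0.2.21|open|fail (Permission denied)|r|budget.xlsx
Mar  3 09:14:03 dc1 smbd_audit: mario|192.0.2.21|opendir|fail (Permission denied)|hr
Mar  3 09:14:05 dc1 smbd_audit: mario|192.0.2.21|open|fail (Permission denied)|r|payroll.ods
Mar  3 09:15:40 dc1 smbd_audit: anna|192.0.2.30|open|fail (No such file or directory)|r|todo.txt
Mar  3 09:16:11 dc1 smbd_audit: anna|192.0.2.30|open|ok|r|notes.txt
EOF
}

# Read audit lines on stdin and print "user ip count" for every user/IP pair
# with at least $1 denied operations. Only "Permission denied" results are
# counted, so ordinary "No such file" noise and successes are ignored.
denied_by_client() {
    threshold=$1
    awk -F'|' -v min="$threshold" '
        /smbd_audit: / && $4 == "fail (Permission denied)" {
            user = $1
            sub(/^.*smbd_audit: /, "", user)    # drop the syslog header
            count[user " " $2]++
        }
        END {
            for (k in count)
                if (count[k] >= min) print k, count[k]
        }' | sort
}

sample_log | denied_by_client 3
```

On a real server, feed the function from the file where syslog stores the smbd_audit messages instead of sample_log.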

Set or check the default drive letter for the users' network directories; in this setup the letter is “H”.

Show default letter for network directory

To manage users, you need to understand two entities: groups and users.

A group is a collection of users, and there are two types of groups: distribution and security.

The basic difference between security groups and distribution groups is:

Security groups can be used to assign security rights on resources inside a domain. By using a security group, we can collect a group of user accounts in a department and assign them access to a shared folder. We cannot use distribution groups for this purpose and a security group has all the capabilities of a distribution group.

A distribution group can be used for sending emails to a group of users. We cannot use a distribution group for assigning security permissions.

A user’s membership in many security groups could result in slow logon performance. Therefore distribution groups should be used wherever possible.

Share resources

In the default setup, users can see only their personal folder on the network

In this example, we add a network folder for the group “office1”

Go to the “File Sharing” section

Share directory sections

After that, create a shared folder under “Zentyal folder”; the default path of this share is /home/samba/shares/<name>

share directory creation

Now we can grant the permission to the folder

Go to the “File Sharing” section and select the settings button in the “Access Control” column of your shared folder. Click the “ADD new” button.

Setting ACL for shared folder

You can define an ACL for a single user or for a group.

You can define more than one ACL

Manage users from a shell

Add-user

samba-tool user create mario password --use-username-as-cn --userou='OU=employee' --home-drive=H --home-directory='\\dc1.EUROPE.lan\mario'  --unix-home='/home/mario' --given-name=mario --surname=rossi --login-shell=/bin/bash

Add-group

samba-tool group add office2 --group-type=Security --group-scope=Domain --groupou='CN=Groups'

Add a user to a group

Use samba-tool group addmembers <group name> user1,user2

samba-tool group addmembers "office2" mario

Remove user from a group

samba-tool group removemembers "office2" mario

List something

List of domain users

samba-tool user list

List of groups

samba-tool group list

List of users in a group

samba-tool group listmembers "office2"

Home folder

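The home folder settings are defined in /etc/samba/smb.conf, in the [homes] section.

Create a folder in the /home/ directory with the same name as the username.

Use setfacl to apply the permissions. The plain entry grants access to the directory itself, and the d: entry sets the default ACL inherited by files created inside it:

setfacl -m u:mario:rwx,d:u:mario:rwx /home/mario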

Understand the shared folder

The shared folder settings are defined in /etc/samba/shares.conf

Create a folder in the /home/samba/shares directory with the same name as the group:

mkdir -p /home/samba/shares/office2

Use setfacl to apply the permissions for the group, both on the directory itself and as the default ACL for new files:

setfacl -m g:office2:rwx,d:g:office2:rwx /home/samba/shares/office2

Edit /etc/samba/shares.conf and add this section:

[office2]
    comment = share di rete
    path = /home/samba/shares/office2
    browseable = yes
    force create mode = 0660
    force directory mode = 0660
    valid users = 
    read list = 
    write list = 
    admin users = 
    vfs objects = acl_xattr full_audit
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

Restart Samba
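
The stanza above leaves valid users empty, and Samba treats an empty valid users as "any user may connect", so the filesystem ACLs become the only control on the share. The following check is an added example, not part of the original page: it lists the share sections whose valid users is empty or missing, run here on a constructed shares.conf (the office1 and public sections and the @group values are assumptions).

```shell
#!/bin/sh
# Constructed sample in the layout of /etc/samba/shares.conf (not a real file).
sample_conf() {
cat <<'EOF'
[office1]
    path = /home/samba/shares/office1
    valid users = @office1
    write list = @office1

[office2]
    path = /home/samba/shares/office2
    valid users =
    write list =

[public]
    path = /home/samba/shares/public
    browseable = yes
EOF
}

# Read a shares file on stdin and print each section that does not
# restrict who may connect (valid users empty or not set at all).
unrestricted_shares() {
    awk '
        function report() { if (name != "" && !restricted) print name }
        /^[ \t]*[#;]/ { next }                  # comment lines
        /^[ \t]*\[/ {                           # new [section]
            report()
            name = $0
            sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            restricted = 0
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            # Samba ignores case and spaces inside parameter names
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "validusers" && val != "") restricted = 1
        }
        END { report() }'
}

sample_conf | unrestricted_shares
```

Run it against the real file with unrestricted_shares < /etc/samba/shares.conf; every name it prints needs either a valid users entry or a deliberate decision to leave it open.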

Manage users from RSAT

The best tool to manage a Samba 4 domain is Microsoft RSAT (Remote Server Administration Tools). You can download it from this link

Some Windows updates can remove RSAT; in this case, you need to reinstall it

Open “Active Directory Users and Computers” (or run “dsa.msc”) and follow the instructions in this video.

Zentyal is compatible with the Active Directory tools, and after your changes you can see the result in the Zentyal Dashboard

Changes after RSAT

Group policy for automounting

With RSAT, we can define a group policy for automounting the network folder

Open the Group Policy Editor with gpmc.msc

  • Make sure that the ACLs for the shared folder are set up correctly
  • Reboot the client or force an update with gpupdate.exe

Your domain is done!