Updated on | #zentyal, #owncloud, #samba4 | 5 User comments

Twonkyserver and OwnCloud using Samba4 with Zentyal

Samba 4 has been under development for 10 years and it brings Active Directory functionality to the open source Server Message Block/Common Internet File System (SMB/CIFS) file and print server. In addition, Samba 4.0 can provide DNS services, handle Kerberos-based authentication, and administer group policy. In this tutorial I'll show you an easy way to connect Samba4 with Apache2, the Linux Network File System (NFS) and OwnCloud, as well as with the Universal Plug and Play (UPnP) TwonkyServer.

Twonkyserver and OwnCloud using your Samba4 shares

In a typical network, Windows and Linux (Ubuntu/Debian, etc.) machines have to coexist. Samba enables file sharing between Linux and Windows file systems, and it is integrated in the latest Zentyal release. For a long time Samba could only act as a Windows domain controller with an LDAP backend. With its 4th release it is possible to use Microsoft Active Directory without Windows for your Linux and Windows ecosystem. In other words, you can use the same user rights and the same shares on several platforms.

However, Samba4 has a strict permission model, which makes it not quite easy to use its shares with other tools such as OwnCloud or TwonkyServer. This is my Samba4 share layout under /home/samba/shares, where the shares are defined in Samba4:

  drwxrwx---+ 12 root root  4096 Nov  1  2013 books
  drwxrwx---+ 12 root root  4096 Okt 31  2013 documents
  drwxrwx---+ 11 root root  4096 Okt 30  2013 games
  drwxrwx---+  7 root root  4096 Sep 28 08:06 movies
  drwxrwx---+  8 root root  4096 Sep 28 08:06 music
  drwxrwx---+ 22 root root  4096 Sep 28 08:06 pictures

As you can see, all folders are accessible only by the user root, because Zentyal runs Samba4 as root. Whether that is a good idea is another topic, but that is how Zentyal sets it up. So if you want other tools to access these files and folders, you have to use Access Control Lists (ACLs), which provide an additional, more flexible permission mechanism for file systems in Ubuntu. For example, Apache2 (and therefore OwnCloud) runs as the user/group www-data, and my TwonkyServer runs as the user/group upnp-mediaserver. These users and groups need access to your Samba4 shares on the file system. To achieve this, you create a hook for Samba4 in Zentyal (see the Zentyal Blog).

Create a Zentyal hook for Samba4 ACLs

Zentyal hooks are scripts that are triggered at specific checkpoints in a module's life cycle, for example to add a firewall rule that marks certain types of traffic after Zentyal has refreshed its rules. So whenever Samba4 is restarted, the hook script is run. You set this up by creating a hook file called samba.postsetconf in /etc/zentyal/hooks/:

  sudo apt-get install convmv
  sudo cp /etc/zentyal/hooks/template.postsetconf /etc/zentyal/hooks/samba.postsetconf
  sudo nano /etc/zentyal/hooks/samba.postsetconf

After this, copy and paste the following script into /etc/zentyal/hooks/samba.postsetconf. Please note that you also have to adjust samba_folders and samba_user_groups in this script to match your setup.

  #!/bin/bash
  #title           : samba.postsetconf
  #description     : This is a Zentyal Samba4 postsetconf script for changing samba permissions to other services
  #author          : Thomas Ludwig
  #website         : https://ludwig.im
  #date            : 20131102
  #version         : 1
  #notes           : Postsetconf scripts are run after the configuration for a given module is
  #                  written. Hook scripts need to be executable by root.
  #=========================================================================================================================

  # In this example I'm changing the permissions for the following users and groups:
  # upnp-mediaserver is for TwonkyServer
  # www-data is for OwnCloud and other web services (be careful!)
  #
  samba_home=/home/samba                                          # Samba home folder
  samba_home_shares="${samba_home}/shares"                        # Samba home share folders
  samba_folders=( movies games music pictures documents books )   # Samba folders for access
  samba_user_groups=( www-data upnp-mediaserver )                 # ACL groups
  samba_GroupUser="root:Administrators"                           # Standard Unix user:group for directories and files
  #=========================================================================================================================
  # Iterate per group
  for group in "${samba_user_groups[@]}"; do

      # Samba root directories: read and traverse only (r-X), set as access ACL and as default ACL
      if [ -d "${samba_home}" ]; then
          echo "Modify ${group} ACLs (r-X) for ${samba_home}"
          sudo setfacl -m d:g:"${group}":r-X,g:"${group}":r-X "${samba_home}"
          echo "Modify ${group} ACLs (r-X) for ${samba_home_shares}"
          sudo setfacl -m d:g:"${group}":r-X,g:"${group}":r-X "${samba_home_shares}"
      fi

      # Samba share directories: read/write (rwX), recursively, as access ACL and default ACL
      for dir in "${samba_folders[@]}"; do
          if [ -d "${samba_home_shares}/${dir}" ]; then
              echo "Modify ${group} ACLs (rwX) for ${samba_home_shares}/${dir} and subdirectories"
              sudo setfacl -Rm d:g:"${group}":rwX,g:"${group}":rwX "${samba_home_shares}/${dir}"

              # Set the standard owner and group for all files and directories of this share
              # (kept inside the directory check so a missing share does not produce chown errors)
              sudo chown -R "${samba_GroupUser}" "${samba_home_shares}/${dir}"
          fi
      done

  done

  # Convert all folder and file names to UTF-8 (needs the convmv package; disabled by default)
  #if [ -d "${samba_home}" ]; then
  #        sudo convmv --notest -r -t utf-8 "${samba_home}"
  #fi

  exit 0

After this script has run, your TwonkyServer/OwnCloud should have access to your Samba shares.
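Because the hook grants www-data write access to every listed share, it is worth checking afterwards that only the groups you intended can write there, and that the default ACLs are in place so files created later inherit the access. The following audit script is an added example and not part of the original post or of Zentyal: it parses the text that getfacl -p prints for a share, applies the ACL mask to the named entries (an entry such as group:www-data:rwx is capped by mask::r-x, so reading the raw entry alone is misleading), and reports unexpected writers and missing default entries. The function names and the sample getfacl output are assumptions; the sample is constructed and includes one extra group to show a finding.

```python
"""Audit POSIX ACLs on Samba share directories from getfacl output (added example)."""
from typing import Dict, List, Set, Tuple

# Constructed sample: roughly what `getfacl -p /home/samba/shares/music` prints
# after the hook has run, plus a hand-added group to demonstrate a finding.
SAMPLE_GETFACL = """\
# file: /home/samba/shares/music
# owner: root
# group: Administrators
user::rwx
group::rwx
group:www-data:rwx
group:upnp-mediaserver:rwx
group:backup-operators:rw-
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:www-data:rwx
default:group:upnp-mediaserver:rwx
default:mask::rwx
default:other::---
"""

Entry = Tuple[str, str, str, str]  # (scope, tag, qualifier, perms)


def parse_getfacl(text: str) -> Tuple[str, List[Entry]]:
    """Return (path, entries); scope is 'access' or 'default'."""
    path = ""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# file:"):
                path = line.split(":", 1)[1].strip()
            continue
        # getfacl may append "#effective:..." annotations; drop them
        line = line.split("#", 1)[0].strip()
        scope = "access"
        if line.startswith("default:"):
            scope = "default"
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        entries.append((scope, tag, qualifier, perms))
    return path, entries


def _and_perms(a: str, b: str) -> str:
    """Bitwise AND of two rwx strings, as the kernel applies the mask."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))


def effective_perms(entries: List[Entry], scope: str = "access") -> Dict[str, str]:
    """Effective permissions of the owning group and all named entries under the mask."""
    mask = next((p for s, t, q, p in entries if s == scope and t == "mask"), "rwx")
    out: Dict[str, str] = {}
    for s, tag, qual, perms in entries:
        if s != scope:
            continue
        if tag in ("user", "group") and qual:
            out[f"{tag}:{qual}"] = _and_perms(perms, mask)
        elif tag == "group" and not qual:
            out["group::"] = _and_perms(perms, mask)
    return out


def audit(text: str, allowed_writers: Set[str]) -> List[str]:
    """Findings: unexpected effective writers, and allowed groups lacking a default ACL."""
    path, entries = parse_getfacl(text)
    findings: List[str] = []
    for who, perms in effective_perms(entries, "access").items():
        if "w" in perms and who != "group::" and who not in allowed_writers:
            findings.append(f"{path}: {who} has effective write ({perms}) but is not expected")
    defaults = effective_perms(entries, "default")
    for who in sorted(allowed_writers):
        if who not in defaults:
            findings.append(f"{path}: {who} has no default ACL; new files will not inherit access")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GETFACL, {"group:www-data", "group:upnp-mediaserver"}):
        print(finding)
```

On a real server you would feed it the output of getfacl -p for each directory in samba_folders; an empty result means the ACLs match the hook's intent.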

Owncloud

Installation

You have to choose the right OwnCloud version for you. I'm using the latest testing version on my private server, which you can find here. If you are working in a company, it would be better to use the stable version, which you can find here. Follow the description on that site for your Ubuntu version.

After the installation you have to change the owner of the owncloud directory:

  sudo chown -R www-data:www-data /var/www/owncloud

Open your browser and go to your web server. A wizard will guide you through the OwnCloud installation.

Setting up Data-Directory

After an update of OwnCloud, the data directory inside the web root could be empty. Therefore create an external data directory in /usr/share/:

  sudo mkdir /usr/share/owncloud-data
  sudo cp -R /var/www/owncloud/data/* /usr/share/owncloud-data/
  sudo chown -R www-data:www-data /usr/share/owncloud-data

and change the datadirectory entry in /var/www/owncloud/config/config.php:

  $CONFIG = array (
      'datadirectory' => '/usr/share/owncloud-data'
  );

Setting up Zentyal's LDAP Interface for OwnCloud

Zentyal <= 3.4

  • Server Settings:
    • IP: 127.0.0.1 and Port: 390
    • DN: cn=zentyalro,dc={DOMAIN},dc={TLD}
    • Password: Your LDAP-Password for zentyalro
    • Base DN: dc={DOMAIN},dc={TLD}
  • User-Filter: (&(|(objectclass=posixAccount))(|(memberof=cn=owncloud,ou=Groups,dc={DOMAIN},dc={TLD})))
  • Login-Filter: LDAP Username (in German: LDAP-Benutzername)
  • Group Filter: (&(|(objectclass=zentyalSambaLink))(|(cn=samba_books)(cn=samba_documents)(cn=samba_games)(cn=samba_movies)(cn=samba_music)(cn=samba_pictures)))
  • Advanced:
    • User-Login-Filter: (&(&(|(objectclass=posixAccount))(|(memberof=cn=owncloud,ou=Groups,dc={DOMAIN},dc={TLD})))(uid=%uid))
    • Directory Settings
      • User Display Name Field: cn
      • Base User Tree: ou=Users,dc={DOMAIN},dc={TLD}
      • Group Display Name Field: cn
      • Base Group Tree: ou=Groups,dc={DOMAIN},dc={TLD}
  • Expert:
    • Override UUID detection (UUID Attribute): uid
    • Internal Username (Internal Username Attribute): uid

Zentyal > 3.4 and <= 3.5~124

  • Server Settings:
    • IP: 127.0.0.1 and Port: 389
    • DN: CN=Administrator,CN=Users,DC={DOMAIN},DC={TLD}
    • Password: Your LDAP-Password for Administrator
    • Base DN: dc={DOMAIN},dc={TLD}
  • User-Filter: (&(|(objectclass=user))(|(memberof=CN=owncloud,OU=Groups,DC={DOMAIN},DC={TLD})))
  • Login-Filter: (&(&(|(objectclass=user))(|(memberof=CN=owncloud,OU=Groups,DC={DOMAIN},DC={TLD})))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
  • Group Filter: (&(|(objectclass=group))(|(cn=samba_books)(cn=samba_documents)(cn=samba_games)(cn=samba_movies)(cn=samba_music)(cn=samba_pictures)))
  • Advanced:
    • Directory Settings
      • User Display Name Field: displayname
      • Base User Tree: CN=Users,DC={DOMAIN},DC={TLD}
      • Group Display Name Field: samaccountname
      • Base Group Tree: CN=Groups,DC={DOMAIN},DC={TLD}
  • Expert:
    • Override UUID detection (UUID Attribute): sAMAccountName
    • Internal Username (Internal Username Attribute): sAMAccountName

Zentyal >= 3.5

Zentyal switched from OpenLDAP to Samba's LDAP. Furthermore, they introduced a new LDAP user called zentyal-mail-XXX, where XXX is the hostname of the server. You can find out the right user as follows:

  1. List the users with

  ls -lta /var/lib/zentyal/conf/zentyal-mail-*.passwd

  which prints something like

  -rw------- 1 ebox ebox 20 Jul 3 21:19 /var/lib/zentyal/conf/zentyal-mail-mediaserver.passwd

  The filename is the DN user. In this case, the user is called zentyal-mail-mediaserver.

  2. Get the user password with

  cat /var/lib/zentyal/conf/zentyal-mail-mediaserver.passwd

  As the listing shows, the file is readable only by its owner, so run this with sudo.

Hint: You can also create your own zentyal-owncloud-XXX user in Zentyal.

  • Server Settings:
    • IP: 127.0.0.1 and Port: 389
    • DN: CN=zentyal-mail-XXX,CN=Users,DC={DOMAIN},DC={TLD}
    • Password: Your LDAP-Password for zentyal-mail-XXX
    • Base DN: dc={DOMAIN},dc={TLD}
  • User-Filter (Custom): (&(|(objectclass=user))(|(memberof=CN=owncloud,OU=Groups,DC={DOMAIN},DC={TLD})))
  • Login-Filter (Custom): (&(&(|(objectclass=user))(|(memberof=CN=owncloud,OU=Groups,DC={DOMAIN},DC={TLD})))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
  • Group Filter (Custom): (&(|(objectclass=group))(|(cn=samba_books)(cn=samba_documents)(cn=samba_games)(cn=samba_movies)(cn=samba_music)(cn=samba_pictures)))
  • Advanced:
    • Directory Settings
      • User Display Name Field: displayname
      • Base User Tree: CN=Users,DC={DOMAIN},DC={TLD}
      • Group Display Name Field: samaccountname
      • Base Group Tree: CN=Groups,DC={DOMAIN},DC={TLD}
  • Expert:
    • Override UUID detection (UUID Attribute): sAMAccountName
    • Internal Username (Internal Username Attribute): sAMAccountName

If you already have UUIDs in your OwnCloud user settings table, you have to press the 'Clear Username-LDAP User Mapping' button in the Expert tab.
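The three filters above are easy to get wrong by hand: a single missing parenthesis makes the LDAP server reject the search, and the %uid placeholder is replaced by whatever the user typed at the login form, so it must be escaped before it is substituted. The following script is an added example, not part of the original post or of OwnCloud or Zentyal: it assembles the user, login and group filters in exactly the shape used above for a given base DN, checks that a filter's parentheses are balanced, and shows the RFC 4515 escaping that the %uid substitution needs so a login name cannot change the structure of the filter. The function names, the base DN DC=example,DC=lan and the sample login names are assumptions.

```python
"""Build and check the OwnCloud LDAP filters for Zentyal's Samba AD (added example)."""
from typing import Dict, List

# RFC 4515 escaping for assertion values inside an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot open or close filter groups or add wildcards."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_balanced(ldap_filter: str) -> bool:
    """True if every '(' has a matching ')' and the filter starts with a group."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and ldap_filter.startswith("(")


def build_filters(base_dn: str, share_names: List[str],
                  owncloud_group: str = "owncloud") -> Dict[str, str]:
    """Assemble the user, login and group filters in the shape used for Zentyal >= 3.5."""
    group_dn = f"CN={owncloud_group},OU=Groups,{base_dn}"
    # Users: objects of class user that are members of the owncloud group
    user_filter = f"(&(|(objectclass=user))(|(memberof={group_dn})))"
    # Login: same set of users, matched by account name or mail address
    login_attrs = "(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)))"
    login_filter = f"(&{user_filter}{login_attrs})"
    # Groups: one samba_<share> group per share
    share_groups = "".join(f"(cn=samba_{name})" for name in share_names)
    group_filter = f"(&(|(objectclass=group))(|{share_groups}))"
    return {"user": user_filter, "login": login_filter, "group": group_filter}


def resolve_login_filter(login_filter: str, login_name: str) -> str:
    """Substitute %uid with the escaped login name, as a safe LDAP client must do."""
    return login_filter.replace("%uid", escape_filter_value(login_name))


if __name__ == "__main__":
    shares = ["books", "documents", "games", "movies", "music", "pictures"]
    filters = build_filters("DC=example,DC=lan", shares)
    for name, f in filters.items():
        print(f"{name}: {f}\n  balanced={is_balanced(f)}")
    # An ordinary login name and one containing filter metacharacters (constructed)
    print(resolve_login_filter(filters["login"], "alice"))
    print(resolve_login_filter(filters["login"], "alice)(objectclass=*"))
```

Run is_balanced on any custom filter before pasting it into the OwnCloud LDAP settings; a False result points at a copy-and-paste error in the parentheses.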

Well, what do you think?

Fabian Lazarte said
You rock! After searching the entire web, this is the only article that addressed LDAP on Zentyal 3.5!!
Thank you!
Fabian Lazarte said
After connecting successfully, the users don't show up in Owncloud. Am I missing something? I created my "owncloud" group and added my users there. Any suggestion?
Thomas Ludwig said
You solved it?
Fabian Lazarte said
I did actually. I did not put any of the settings for "User, Login and Group Filter", instead I chose the options available from the "only those object classes:" drop-down menu. I chose "Domain users" and voilà! But thank you so much for the tip on the Zentyal-mail-xxx name. I could not get the "server" part going. So, big help! Thank you.
Ya said
Hi
I am following the tutorial with Owncloud 9 integrated with Zentyal 2.2 (a very old version), and it does not work.
Please help to fix