Twonkyserver and OwnCloud using your Samba4 shares
In a typical network environment, Windows and Linux (Ubuntu/Debian etc.) machines have to coexist. Samba enables file sharing between Linux and Windows file systems and is integrated in the latest Zentyal release. For a long time Samba could only act as a Windows Domain Controller with an LDAP backend; since release 4 it can provide a Microsoft Active Directory without Windows for your Linux and Windows ecosystem. In other words, you can use the same user rights and the same shares across several platforms.
Samba4 therefore enforces a strict user rights system, which makes it not quite easy to use together with other tools like OwnCloud or TwonkyServer. This is my Samba4 layout under /home/samba/shares, where the shares defined in Samba4 live:
```
drwxrwx---+ 12 root root 4096 Nov  1  2013 books
drwxrwx---+ 12 root root 4096 Okt 31  2013 documents
drwxrwx---+ 11 root root 4096 Okt 30  2013 games
drwxrwx---+  7 root root 4096 Sep 28 08:06 movies
drwxrwx---+  8 root root 4096 Sep 28 08:06 music
drwxrwx---+ 22 root root 4096 Sep 28 08:06 pictures
```
As you can see, all folders are accessible only by the user root, which is the user Samba4 runs as. Whether that is a good idea is another topic, but Zentyal runs Samba4 as root. So if you want other tools to access these files and folders, you have to use Access Control Lists (ACLs), which provide an additional, more flexible permission mechanism for file systems on Ubuntu. For example, Apache2 (and therefore OwnCloud) runs as the user/group www-data and my TwonkyServer runs as the user/group upnp-mediaserver. These users and groups need access to your Samba4 shares on the file system. To achieve this, you create a hook for Samba4 in Zentyal (see the Zentyal Blog).
Create a Zentyal hook for Samba4 ACLs
Zentyal hooks are scripts that are triggered at specific checkpoints in the life cycle of a module, for example to add a rule that marks certain types of traffic in the firewall after Zentyal has refreshed its rules. In our case the hook script runs whenever Samba4 is restarted. You create it as a file called samba.postsetconf in /etc/zentyal/hooks/:
```shell
sudo apt-get install convmv
sudo cp /etc/zentyal/hooks/template.postsetconf /etc/zentyal/hooks/samba.postsetconf
sudo nano /etc/zentyal/hooks/samba.postsetconf
```
After this, copy and paste the following script into /etc/zentyal/hooks/samba.postsetconf. Please note that you also have to adjust samba_folders and samba_user_groups in this script to your own shares and service groups.
```bash
#!/bin/bash
#title          : samba.postsetconf
#description    : This is a Zentyal Samba4 postsetconf script for changing samba permissions to other services
#author         : Thomas Ludwig
#website        : https://ludwig.im
#date           : 20131102
#version        : 1
#notes          : Postsetconf scripts are run after the configuration for a given module is
#                 written. Hook scripts need to be executable by root.
#=========================================================================================================================
# In this example I'm changing the permission for the following Users and Groups:
#   upnp-mediaserver is for twonkyserver
#   www-data is for OwnCloud and other web services (be careful!)
#
samba_home=/home/samba                                         # Samba home folder
samba_home_shares="${samba_home}/shares"                       # Samba home share folders
samba_folders=( movies games music pictures documents books )  # Samba folders for access
samba_user_groups=( www-data upnp-mediaserver )                # ACL Groups
samba_GroupUser="root:Administrators"                          # Standard Unix owner:group for directories and files
#=========================================================================================================================
# Iterate per Group
for group in "${samba_user_groups[@]}"; do
    # Samba root directories: read and traverse only (r-X), so the service
    # accounts can descend into the shares without being able to write here
    if [ -d "${samba_home}" ]; then
        echo "Modify ${group} ACLs (r-X) for ${samba_home}"
        sudo setfacl -m d:g:"${group}":r-X,g:"${group}":r-X "${samba_home}"
        echo "Modify ${group} ACLs (r-X) for ${samba_home_shares}"
        sudo setfacl -m d:g:"${group}":r-X,g:"${group}":r-X "${samba_home_shares}"
    fi
    # Samba shares directories: read/write recursively, plus a default ACL (d:)
    # so files that Samba creates later inherit the same group rights
    for dir in "${samba_folders[@]}"; do
        if [ -d "${samba_home_shares}/${dir}" ]; then
            echo "Modify ${group} ACLs (rwX) for ${samba_home_shares}/${dir} and subdirectories"
            sudo setfacl -Rm d:g:"${group}":rwX,g:"${group}":rwX "${samba_home_shares}/${dir}"
            # Set Standard User for all files and dirs (only for shares that exist)
            sudo chown -R "${samba_GroupUser}" "${samba_home_shares}/${dir}"
        fi
    done
done
# Convert all folder- and filenames to UTF-8
#if [ -d "${samba_home}" ]; then
#    sudo convmv --notest -r -t utf-8 "${samba_home}"
#fi
exit 0
```
After running this script, your TwonkyServer/OwnCloud should have access to your Samba shares. Keep in mind that www-data now has write access to every share listed in samba_folders, which is why the script comment flags it with "be careful!".
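Because setfacl grants are easy to get wrong (a later chmod on a share rewrites the ACL mask and silently downgrades the named groups, and an extra group can slip in unnoticed), it is worth checking the result rather than trusting the hook's echo lines. The following is an added example of my own, not code from the post or from Zentyal: it parses getfacl output, computes the effective rights of each named group (entry ANDed with the mask) and compares them with what the hook is supposed to set. The getfacl text, the share names and the expected-rights table are constructed for the example; on a real host you would feed it the output of `getfacl -R /home/samba/shares`.

```python
"""Audit the POSIX ACLs the samba.postsetconf hook should leave on the shares,
by parsing getfacl output. The getfacl text below is constructed for this
example; on a real host feed in the output of `getfacl -R /home/samba/shares`."""
from collections import namedtuple

# tag: "user"/"group"/"mask"/"other"; qualifier: name for named entries, "" for
# owner and owning group; perms: "rwx"-style; default: True for "default:" entries
AclEntry = namedtuple("AclEntry", "tag qualifier perms default")
FileAcl = namedtuple("FileAcl", "path entries")  # path as getfacl prints it (no leading "/")

def parse_getfacl(text):
    """Parse getfacl's text output (one or more objects) into FileAcl records."""
    files, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            cur = FileAcl(line.split(":", 1)[1].strip(), [])
            files.append(cur)
        elif not line or line.startswith("#") or cur is None:
            continue  # blank separators and the "# owner:" / "# group:" / "# flags:" lines
        else:
            parts = line.split("#", 1)[0].strip().split(":")  # drop "#effective:..." notes
            default = parts[0] == "default"
            tag, qualifier, perms = parts[1:] if default else parts
            cur.entries.append(AclEntry(tag, qualifier, perms, default))
    return files

def effective_group_perms(acl, group):
    """Rights a named group really gets: its access entry ANDed with the mask entry
    (chmod rewrites the mask, so this can fall below what setfacl granted)."""
    entry = mask = None
    for e in acl.entries:
        if e.default:
            continue
        if e.tag == "mask":
            mask = set(e.perms)
        elif e.tag == "group" and e.qualifier == group:
            entry = set(e.perms)
    if entry is None:
        return None  # the group has no entry on this object
    if mask is not None:
        entry &= mask
    return "".join(c if c in entry else "-" for c in "rwx")

def audit(files, expected):
    """Report expected groups that are missing or weaker than intended, and any other
    named group that ended up with write access on a directory the hook manages."""
    findings = []
    for acl in files:
        want = expected.get(acl.path)
        if want is None:
            continue  # not a directory the hook manages
        for group, perms in want.items():
            got = effective_group_perms(acl, group)
            if got is None:
                findings.append(f"{acl.path}: no ACL entry for group {group}")
            elif got != perms:
                findings.append(f"{acl.path}: group {group} has {got}, expected {perms}")
        for e in acl.entries:
            if e.tag == "group" and e.qualifier and not e.default and e.qualifier not in want:
                if "w" in effective_group_perms(acl, e.qualifier):
                    findings.append(f"{acl.path}: unexpected write access for group {e.qualifier}")
    return findings

# Constructed sample: the share root (r-X only), a share where a later "chmod g-w"
# rewrote the mask, and a share where an extra group was granted write access.
SAMPLE_GETFACL = """\
# file: home/samba/shares
# owner: root
user::rwx
group::rwx
group:www-data:r-x
group:upnp-mediaserver:r-x
mask::rwx
other::---

# file: home/samba/shares/music
user::rwx
group::r-x
group:www-data:rwx              #effective:r-x
group:upnp-mediaserver:rwx      #effective:r-x
mask::r-x
other::---

# file: home/samba/shares/pictures
user::rwx
group::rwx
group:www-data:rwx
group:upnp-mediaserver:rwx
group:users:rwx
mask::rwx
other::---
"""

SERVICE_GROUPS = ("www-data", "upnp-mediaserver")  # the hook's samba_user_groups
EXPECTED = {"home/samba/shares": {g: "r-x" for g in SERVICE_GROUPS}}
EXPECTED.update({f"home/samba/shares/{d}": {g: "rwx" for g in SERVICE_GROUPS}
                 for d in ("movies", "games", "music", "pictures", "documents", "books")})

def run_sample():
    return audit(parse_getfacl(SAMPLE_GETFACL), EXPECTED)
```

On the sample, `run_sample()` reports that both service groups on `music` only have `r-x` (the mask limits them, so the hook has to be re-run or the mask fixed) and that the group `users` has write access on `pictures`, which the hook never granted. Anything the audit prints after a Samba restart is a sign that something besides the hook has been touching the ACLs.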
Owncloud
Installation
You have to choose the right OwnCloud version for you. I'm using the latest testing version on my private server; you can find it here. If you are working in a company, it is better to use the stable version, which you can find here. Follow the instructions on that site for your Ubuntu version.
After the installation you have to change the owner of the owncloud directory so that the web server can write to it:
```shell
sudo chown -R www-data:www-data /var/www/owncloud
```
Open your browser and go to your web server. A setup wizard will guide you through the installation of OwnCloud.
Setting up Data-Directory
After an update of OwnCloud the data directory could be empty. Therefore, create an external data directory in /usr/share/:
```shell
sudo mkdir /usr/share/owncloud-data
sudo cp -R /var/www/owncloud/data/* /usr/share/owncloud-data/
sudo chown -R www-data:www-data /usr/share/owncloud-data
```
and change the datadirectory entry in /var/www/owncloud/config/config.php:
```php
$CONFIG = array (
  'datadirectory' => '/usr/share/owncloud-data',
);
```
Setting up Zentyal's LDAP Interface for OwnCloud
Zentyal <= 3.4
- Server Settings:
  - IP: 127.0.0.1 and Port: 390
  - DN: cn=zentyalro,dc={DOMAIN},dc={TLD}
  - Password: your LDAP password for zentyalro
  - Base DN: dc={DOMAIN},dc={TLD}
  - User Filter: (&(|(objectclass=posixAccount))(|(memberof=cn=owncloud,ou=Groups,dc={DOMAIN},dc={TLD})))
  - Login Filter: LDAP username (in German: LDAP-Benutzername)
  - Group Filter: (&(|(objectclass=zentyalSambaLink))(|(cn=samba_books)(cn=samba_documents)(cn=samba_games)(cn=samba_movies)(cn=samba_music)(cn=samba_pictures)))
- Advanced:
  - User Login Filter: (&(&(|(objectclass=posixAccount))(|(memberof=cn=owncloud,ou=Groups,dc={DOMAIN},dc={TLD})))(uid=%uid))
  - Directory Settings:
    - User Display Name Field: cn
    - Base User Tree: ou=Users,dc={DOMAIN},dc={TLD}
    - Group Display Name Field: cn
    - Base Group Tree: ou=Groups,dc={DOMAIN},dc={TLD}
- Expert:
  - Override UUID detection (UUID Attribute): uid
  - Internal Username (Internal Username Attribute): uid
Zentyal > 3.4 and <= 3.5~124
- Server Settings:
  - IP: 127.0.0.1 and Port: 389
  - DN: CN=Administrator,CN=Users,DC={DOMAIN},DC={TLD}
  - Password: your LDAP password for Administrator
  - Base DN: dc={DOMAIN},dc={TLD}
  - User Filter: (&(|(objectclass=user))(|(memberof=CN=owncloud,OU=Groups,DC={DOMAIN},DC={TLD})))
  - Login Filter: (&(&(|(objectclass=user))(|(memberof=CN=owncloud,OU=Groups,DC={DOMAIN},DC={TLD})))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
  - Group Filter: (&(|(objectclass=group))(|(cn=samba_books)(cn=samba_documents)(cn=samba_games)(cn=samba_movies)(cn=samba_music)(cn=samba_pictures)))
- Advanced:
  - Directory Settings:
    - User Display Name Field: displayname
    - Base User Tree: CN=Users,DC={DOMAIN},DC={TLD}
    - Group Display Name Field: samaccountname
    - Base Group Tree: CN=Groups,DC={DOMAIN},DC={TLD}
- Expert:
  - Override UUID detection (UUID Attribute): sAMAccountName
  - Internal Username (Internal Username Attribute): sAMAccountName
Zentyal >= 3.5
Zentyal switched from OpenLDAP to Samba's LDAP. Furthermore, it introduced a new LDAP user called zentyal-mail-XXX, where XXX is the hostname of the server. You can find the right user as follows:

1. List the users with

```shell
ls -lta /var/lib/zentyal/conf/zentyal-mail-*.passwd
```

```
-rw------- 1 ebox ebox 20 Jul  3 21:19 /var/lib/zentyal/conf/zentyal-mail-mediaserver.passwd
```

   The file name gives you the DN user; in this case the user is called zentyal-mail-mediaserver.

2. Get the user's password with

```shell
cat /var/lib/zentyal/conf/zentyal-mail-mediaserver.passwd
```

Hint: you can also create your own zentyal-owncloud-XXX user in Zentyal.
| Menu | Setting | Value |
|---|---|---|
| Server | IP | 127.0.0.1 |
| Server | Port | 389 |
| Server | DN | CN=zentyal-mail-XXX,CN=Users,DC={DOMAIN},DC={TLD} |
| Server | Password | Your LDAP password for zentyal-mail-XXX |
| Server | Base DN | dc={DOMAIN},dc={TLD} |
| Server | User Filter | Custom (see filter below) |
| Server | Login Filter | Custom (see filter below) |
| Server | Group Filter | Custom (see filter below) |
| Advanced | User Display Name Field | displayname |
| Advanced | Base User Tree | CN=Users,DC={DOMAIN},DC={TLD} |
| Advanced | Group Display Name Field | samaccountname |
| Advanced | Base Group Tree | CN=Groups,DC={DOMAIN},DC={TLD} |
| Expert | Override UUID detection | sAMAccountName |
| Expert | Internal Username | sAMAccountName |

The three custom filters (they contain `|` characters, so they are listed here instead of in the table):

```
User Filter:  (&(|(objectclass=user))(|(memberof=CN=owncloud,OU=Groups,DC={DOMAIN},DC={TLD})))
Login Filter: (&(&(|(objectclass=user))(|(memberof=CN=owncloud,OU=Groups,DC={DOMAIN},DC={TLD})))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
Group Filter: (&(|(objectclass=group))(|(cn=samba_books)(cn=samba_documents)(cn=samba_games)(cn=samba_movies)(cn=samba_music)(cn=samba_pictures)))
```
If you already have UUIDs in your OwnCloud user settings table, you have to press the "Clear Username-LDAP User Mapping" button in the Expert tab so that the mapping is rebuilt with the new attribute.
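To see what the User, Login and Group filters from the three Zentyal variants above actually admit before you point OwnCloud at the directory, here is an added example of my own (not code from OwnCloud or Zentyal): a small evaluator for the RFC 4515 filter subset these filters use (`&`, `|`, `!`, `attr=value`, `attr=*`), run against constructed entries for a domain called example.lan, which stands in for {DOMAIN}.{TLD}. It substitutes the login name for the `%uid` placeholder the way the Login Filter expects and escapes it first, so a login such as `*` cannot turn an equality item into a presence test. The entries, the domain and the account names are assumptions made for the example.

```python
"""Evaluate the OwnCloud LDAP filters from this post against constructed
directory entries, to check what each filter lets through. Filter grammar:
the RFC 4515 subset used by these filters (&, |, !, attr=value, attr=*).
The entries and the domain example.lan are constructed for this example."""
import re

BASE = "DC=example,DC=lan"  # stands in for DC={DOMAIN},DC={TLD}
USER_FILTER = f"(&(|(objectclass=user))(|(memberof=CN=owncloud,OU=Groups,{BASE})))"
LOGIN_FILTER = (f"(&(&(|(objectclass=user))(|(memberof=CN=owncloud,OU=Groups,{BASE})))"
                "(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))")
GROUP_FILTER = ("(&(|(objectclass=group))(|(cn=samba_books)(cn=samba_documents)(cn=samba_games)"
                "(cn=samba_movies)(cn=samba_music)(cn=samba_pictures)))")

def parse_filter(text):
    """Parse a filter into nested tuples: ('&'|'|', [children]), ('!', [child])
    or ('=', attribute, value)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            result = (op, children)
        elif op == "!":
            pos += 1
            result = ("!", [node()])
        else:
            end = text.index(")", pos)
            attr, eq, value = text[pos:end].partition("=")  # DN values contain '=' too
            if not eq:
                raise ValueError(f"unsupported filter item {text[pos:end]!r}")
            result = ("=", attr, value)
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result
    parsed = node()
    if pos != len(text):
        raise ValueError("unbalanced parentheses or trailing text")
    return parsed

def escape_value(value):
    """RFC 4515 escaping for data substituted into a filter (here: the login name)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(node, entry):
    """Evaluate a parsed filter against one entry. Attribute names and the values
    used here (DNs, account names, mail) compare case-insensitively, as in AD."""
    kind = node[0]
    if kind in ("&", "|"):
        results = [matches(child, entry) for child in node[1]]
        return all(results) if kind == "&" else any(results)
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr.lower(), [])
    if value == "*":  # presence test; substring wildcards are not supported here
        return bool(values)
    return any(v.lower() == _unescape(value).lower() for v in values)

def entry(**attrs):
    """Build a directory entry: lower-cased attribute names mapped to value lists."""
    return {k.lower(): (v if isinstance(v, list) else [v]) for k, v in attrs.items()}

OWNCLOUD_GROUP = f"CN=owncloud,OU=Groups,{BASE}"
DIRECTORY = [  # constructed: one permitted user, one other user, three groups
    entry(objectClass=["top", "person", "user"], sAMAccountName="alice",
          mail="alice@example.lan", memberOf=[OWNCLOUD_GROUP, f"CN=samba_music,OU=Groups,{BASE}"]),
    entry(objectClass=["top", "person", "user"], sAMAccountName="bob",
          mail="bob@example.lan", memberOf=[f"CN=samba_movies,OU=Groups,{BASE}"]),
    entry(objectClass=["top", "group"], sAMAccountName="owncloud", cn="owncloud"),
    entry(objectClass=["top", "group"], sAMAccountName="samba_music", cn="samba_music"),
    entry(objectClass=["top", "group"], sAMAccountName="samba_movies", cn="samba_movies"),
]

def select(filter_text, directory=DIRECTORY):
    """sAMAccountNames of the entries a filter matches."""
    parsed = parse_filter(filter_text)
    return [e["samaccountname"][0] for e in directory if matches(parsed, e)]

def resolve_login(login, directory=DIRECTORY):
    """Substitute the escaped login for %uid; exactly one hit identifies the account."""
    hits = select(LOGIN_FILTER.replace("%uid", escape_value(login)), directory)
    return hits[0] if len(hits) == 1 else None
```

With these entries `select(USER_FILTER)` lists only alice, because bob is a user but not a member of the owncloud group; `select(GROUP_FILTER)` lists the two samba_* groups and not owncloud itself; and `resolve_login` accepts alice both by account name and by mail address, rejects bob, and rejects `*` because the escaped value `\2a` is compared literally rather than as a presence test.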