Twonkyserver and OwnCloud using Samba4 with Zentyal

Updated on Jan 01, 2015 | #zentyal, #owncloud, #samba4 | 5 User comments

Twonkyserver and OwnCloud using Samba4 with Zentyal

Samba 4 has been under development for 10 years and it brings an Active Directory functionality to the open source Server Message Block/Common Internet File System (SMB/CIFS) file and print server. Next to this, Samba 4.0 can provide DNS services, handle Kerberos-based authentication, and administer group policy. In this tutorial I'll show you an easy way to connect Samba4 with Apache2, Linux Network File System (NFS) and OwnCloud as well as the Universal Plug and Play (UPnP) TwonkyServer.

Twonkyserver and OwnCloud using your Samba4 shares

In a standard network environment a co-exist of Windows and Linux (Ubuntu/Debian etc.) machines is needed. Samba enables sharing between Linux and Windows filesystems, which is integrated in the latest Zentyal environment. Samba has long been able to act only as a Windows Domain Controller with an LDAP-Backend. With their 4th release it's possible to use the Microsoft Active Directory without Windows for your Linux and Windows ecosystem. In other words, you are able to use user rights as well as your shares on several platforms.

Therefore, Samba4 has a strict user rights system, which makes it not quit easy to use it with other tools like OwnCloud or TwonkyServer. This is my Samba4 infrastructure under /home/samba/shares, where the shares are defined in Samba4:

drwxrwx---+ 12 root root 4096 Nov 1 2013 books
drwxrwx---+ 12 root root 4096 Okt 31 2013 documents
drwxrwx---+ 11 root root 4096 Okt 30 2013 games
drwxrwx---+ 7 root root 4096 Sep 28 08:06 movies
drwxrwx---+ 8 root root 4096 Sep 28 08:06 music
drwxrwx---+ 22 root root 4096 Sep 28 08:06 pictures

As you can see, all folders are only accessible by the user root, where Samba4 is running under root. It's another topic if this is good, but Zentyal is giving Samba4 root access. Therefore, if you want to use other tools to access these files/folders, you have to use Access Control Lists (ACL) that provides an additional, more flexible permission mechanism for file systems in Ubuntu. For example, Apache2 (e.g. OwnCloud) is using the user/group www-data and my TwonkyServer is using the user/group upnp-mediaserver. These groups and users need to access your Samba4 shares on the file system. In order to realize this, you have to create a hook for Samba4 in Zentyal (Zentyal Blog).

Create a Zentyal hook for Samba4 ACLs

Zentyal Hooks are scripts that will be triggered during specific checkpoints of the life cycle of a module, for example adding a rule that marks certain types of traffic in the firewall after refreshing Zentyal's rules. E.g. if Samba4 is restarting the hooks script file will be run. You can do this by creating a hooks file called samba.postsetconf in /etc/zentyal/hooks/.

sudo apt-get install convmv
sudo cp /etc/zentyal/hooks/template.postsetconf /etc/zentyal/hooks/samba.postsetconf
sudo nano /etc/zentyal/hooks/samba.postsetconf

After this, you have to copy and paste the following script into /etc/zentyal/hooks/samba.postsetconf. Please node, that you also have to change samba_folders and samba_user_groups in this script.

#!/bin/bash
#title : samba.postsetconf
#description : This is a Zentyal Samba4 postsetconf script for changing samba permissions to other services
#author : Thomas Ludwig
#website : https://ludwig.im
#date : 20131102
#version : 1
#notes : Postsetconf scripts are run after the configuration for a given module is
# written. Hook scripts need to be executable by root.
#=========================================================================================================================
# In this example I'm changing the permission for the following Users and Groups:
# upnp-mediaserver is for twonkyserver
# www-data is for OwnCloud and other web services (be careful!)
#
samba_home=/home/samba # Samba home folder
samba_home_shares="${samba_home}/shares" # Samba home share folders
samba_folders=( movies games music pictures documents books ) # Samba folders for access
samba_user_groups=( www-data upnp-mediaserver ) # ACL Groups
samba_GroupUser="root:Administrators" # Standard Unix Group/User for Directories and Files
#=========================================================================================================================
# Iterate per Group
for group in "${samba_user_groups[@]}"; do
# Samba root directories
if [ -d "${samba_home}" ]; then
echo "Modify ${group} ACLs (r-X) for ${samba_home}"
sudo setfacl -m d:g:"${group}":r-X,g:"${group}":r-X "${samba_home}"
echo "Modify ${group} ACLs (r-X) for ${samba_home_shares}"
sudo setfacl -m d:g:"${group}":r-X,g:"${group}":r-X "${samba_home_shares}"
fi
# Samba shares directories
for dir in "${samba_folders[@]}"; do
if [ -d "${samba_home_shares}/${dir}" ]; then
echo "Modify ${group} ACLs (rwX) for ${samba_home_shares}/${dir} and subdirectories"
sudo setfacl -Rm d:g:"${group}":rwX,g:"${group}":rwX "${samba_home_shares}/${dir}"
fi
# Set Standard User for all files and dirs
sudo chown -R "${samba_GroupUser}" "${samba_home_shares}/${dir}"
done
done
# Convert all folder- and filenames to UTF-8
#if [ -d "${samba_home}" ]; then
# sudo convmv --notest -r -t utf-8 "${samba_home}"
#fi
exit 0

After running this script, you should have access with your Twonkyserver/OwnCloud to your Samba shares.

Owncloud

Installation

You have to choose the right OwnCloud Version for you. I'm using the latest testing version on my private server. This version you can find here. If you are working in a company, it would be better to use the stable version, which you can find here. Follow the description on this site for your Ubuntu version.

After the installation you have to change the owner of the owncloud directory:

sudo chown -R www-data:www-data /var/www/owncloud

Open your Browser and go to your WebServer. A guide will help you to install OwnCloud.

Setting up Data-Directory

After an update of Owncloud, the data directory could be empty. Therefore create an external data directory in /usr/share/:

sudo mkdir /usr/share/owncloud-data
sudo cp -R /var/www/owncloud/data/* /usr/share/owncloud-data/
sudo chown -R www-data:www-data /usr/share/owncloud-data

and change the datadirectory entry in the /var/www/owncloud/config/config.php

$CONFIG = array (
'datadirectory' => '/usr/share/owncloud-data'
);

Setting up Zentyal's LDAP Interface for OwnCloud

Zentyal <= 3.4

Server Settings:
- IP: 127.0.0.1 and Port: 390
- DN: cn=zentyalro,dc={DOMAIN},dc={TLD}
- Password: Your LDAP-Password for zentyalro
- Basis-DN: dc={DOMAIN},dc={TLD}
User-Filter: (&(|(objectclass=posixAccount))(|(memberof=cn=owncloud,ou=Groups,dc={DOMAIN},dc={TLD})))
Login-Filter: LDAP-Username (in german: LDAP-Benutzername)
Group Filter: (&(|(objectclass=zentyalSambaLink))(|(cn=samba_books)(cn=samba_documents)(cn=samba_games)(cn=samba_movies)(cn=samba_music)(cn=samba_pictures)))
Advanced:
- User-Login-Filter: (&(&(|(objectclass=posixAccount))(|(memberof=cn=owncloud,ou=Groups,dc={DOMAIN},dc={TLD})))(uid=%uid))
- Directory Settings
  - User Display Name Field: cn
  - Base User Tree: ou=Users,dc={DOMAIN},dc={TLD}
  - Group Display Name Field: cn
  - Base Group Tree: ou=Groups,dc={DOMAIN},dc={TLD}
Expert:
- Override UUID detection (UUID Attribute): uid
- Internal Username (Internal Username Attribute): uid

Zentyal > 3.4 and <= 3.5~124

Server Settings:
- IP: 127.0.0.1 and Port: 389
- DN: CN=Administrator,CN=Users,DC={DOMAIN},DC={TLD}
- Password: Your LDAP-Password for Administrator
- Basis-DN: dc={DOMAIN},dc={TLD}
User-Filter: (&(|(objectclass=user))(|(memberof=CN=owncloud,OU=Groups,DC={DOMAIN},DC={TLD})))
Login-Filter: (&(&(|(objectclass=user))(|(memberof=CN=owncloud,OU=Groups,DC={DOMAIN},DC={TLD})))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
Group Filter: (&(|(objectclass=group))(|(cn=samba_books)(cn=samba_documents)(cn=samba_games)(cn=samba_movies)(cn=samba_music)(cn=samba_pictures)))
Advanced:
- Directory Settings
  - User Display Name Field: displayname
  - Base User Tree: CN=Users,DC={DOMAIN},DC={TLD}
  - Group Display Name Field: samaccountname
  - Base Group Tree: CN=Groups,DC={DOMAIN},DC={TLD}
Expert:
- Override UUID detection (UUID Attribute): sAMAccountName
- Internal Username (Internal Username Attribute): sAMAccountName

Zentyal >= 3.5

Zentyal changed from openldap to samba ldap. Furthermore, they implemented a new ldap user called zentyal-mail-XXX. The XXX is the hostname of the server. You can find out the right user with the following way: 1. List the users with

ls -lta /var/lib/zentyal/conf/zentyal-mail-*.passwd

-rw------- 1 ebox ebox 20 Jul 3 21:19 /var/lib/zentyal/conf/zentyal-mail-mediaserver.passwd The filename is the DN-User. In this case, the user is called zentyal-mail-mediaserver 2. Get the user password with cat /var/lib/zentyal/conf/zentyal-mail-mediaserver.passwd

Hint: You can also create your own zentyal-owncloud-XXX user in Zentyal.

Menu	Function	Value
Server	IP	127.0.0.1
	Port	389
	DN	CN=zentyal-mail-XXX,CN=Users,DC={DOMAIN},DC={TLD}
	Password	Your LDAP-Password for zentyal-mail-XXX
	Basis-DN	dc={DOMAIN},dc={TLD}

User-Filter	Custom	`(&(\|(objectclass=user))(\|(memberof=CN=owncloud,OU=Groups,DC={DOMAIN},DC={TLD})))`

Login-Filter	Custom	`(&(&(\|(objectclass=user))(\|(memberof=CN=owncloud,OU=Groups,DC={DOMAIN},DC={TLD})))(\|(samaccountname=%uid)(\|(mailPrimaryAddress=%uid)(mail=%uid)))`

Group Filter	Custom	`(&(\|(objectclass=group))(\|(cn=samba_books)(cn=samba_documents)(cn=samba_games)(cn=samba_movies)(cn=samba_music)(cn=samba_pictures)))`

Advanced	User Display Name Field	displayname
	Base User Tree	CN=Users,DC={DOMAIN},DC={TLD}
	Group Display Name Field	samaccountname
	Base Group Tree	CN=Groups,DC={DOMAIN},DC={TLD}


Expert	Override UUID detection	sAMAccountName
	Internal Username	sAMAccountName

If you have already UUIDs in your OwnCloud User Settings Table then you have to press the 'Clear Username-LDAP User Mapping' button in the expert tab.