.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Setting up a Samba File Server on Debian
  :keywords: File Server, Debian, Samba, documentation
  
.. _fileserver_install_debian:

****************************************
Setting up a Samba File Server on Debian
****************************************

.. note::

  This documentation is based on the Debian distribution.

  The version of the Samba-AD package in the Debian distribution is up-to-date enough to provide optimal file service.
  Therefore, there is no need to recompile Samba from source.

.. note::

  In this documentation, it is assumed:

  * That you have installed the system base of your fileserver by following the :ref:`Debian base installation documentation <install_base_debian>` and that your server is called *srvfiles*.

  * That the IP address of your domain controller is *192.168.1.11*.

  * That the domain is called *mydomain.lan*.

Preparing the host
==================

Prepare the network configuration of the machine by following the same :ref:`documentation as for a new domain controller <server_prepare_debian>`.
Remember to configure the Active Directory server as DNS server in the file :file:`/etc/resolv.conf`.

.. hint::

  Adding ``domain mydomain.lan`` to the :file:`/etc/resolv.conf` file is necessary because, in :file:`smb.conf`, the winbind ``default domain`` = **yes** option relies on it.
  If this is not done, the following problems occur:

  * The command :command:`net ads testjoin` reports that it cannot find the domain controller.

  * The command :command:`chown userad1 myfile` does not work.

  * The commands :command:`wbinfo -u`, :command:`wbinfo -g` and :command:`wbinfo -i` do not return a result.

Installing the dependencies
===========================

.. code-block:: bash

  apt-get update
  export DEBIAN_FRONTEND=noninteractive
  apt-get install samba winbind krb5-user libnss-winbind
  unset DEBIAN_FRONTEND

Joining the file server to the domain
=====================================

* Edit the :file:`/etc/krb5.conf` file and replace its entire contents with the lines below:

  .. code-block:: ini

    [libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = MYDOMAIN.LAN

* Ensure that the DNS configuration in :file:`/etc/nsswitch.conf` has not been modified by the installation of a package.
  If the ``hosts`` line looks like the first line below, change it to look like the second line:

  .. code-block:: ini

    hosts: files dns mdns4_minimal [NOTFOUND=return] mdns    # BAD!!!
    hosts: files dns                                         # GOOD

* Ensure that Kerberos is correctly configured (*administrator* is the default account created by Samba-AD; if you want to use the *administrateur* account, do not forget to change it):

  .. code-block:: bash

    kinit administrator
    klist

.. include:: samba_fileserver-smb_conf.rst.inc

Joining the file server to the domain
=====================================

.. code-block:: bash

  net ads join -U administrator

* Configure the :file:`/etc/nsswitch.conf` file by modifying the following three lines so that they match the documentation:

  .. code-block:: ini

     passwd:         compat winbind
     group:          compat winbind
     shadow:         compat winbind

* Reboot with a :command:`reboot` command in order to empty the nsswitch caches:

  .. code-block:: bash

    reboot

* Check the correct connection to the domain:

  * The following 3 commands should return users, groups and AD account information as received by :program:`winbindd`:

    .. code-block:: bash

      wbinfo -u
      wbinfo -g
      wbinfo -i administrator

  * The following 2 commands should return users and groups with their *uidNumber* as interpreted by the Linux system.
    Make sure that you can see the users of the AD (administrator, krbtgt, etc.):

    .. code-block:: bash

      getent passwd administrator
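
The resolver and NSS settings required by the hint under *Preparing the host* and by the :file:`/etc/nsswitch.conf` steps above can be checked mechanically when :command:`wbinfo` or :command:`getent` return nothing.
The script below is an added example, not part of the original documentation or of Samba; its function names, the ``--live`` switch and the ``DOMAIN`` / ``DC_IP`` variables are assumptions of this example, with defaults taken from the sample values used on this page.

```shell
#!/bin/sh
# Added example (not from the Samba or Debian projects): lint the two files
# this page edits. DOMAIN and DC_IP default to the page's sample values.
DOMAIN="${DOMAIN:-mydomain.lan}"
DC_IP="${DC_IP:-192.168.1.11}"

# resolv.conf needs "domain <AD domain>" and the domain controller as DNS.
check_resolv() {  # usage: check_resolv [file]
    awk -v d="$DOMAIN" -v ip="$DC_IP" '
        $1 == "domain" && tolower($2) == tolower(d) { dom = 1 }
        $1 == "nameserver" && $2 == ip { ns = 1 }
        END {
            if (!dom) print "FAIL resolv.conf: no \"domain " d "\" line"
            if (!ns)  print "FAIL resolv.conf: nameserver " ip " missing"
            exit !(dom && ns)
        }' "${1:-/etc/resolv.conf}"
}

# Print the sources of one nsswitch database, with comments stripped.
nss_sources() {  # usage: nss_sources <database> [file]
    awk -v db="$1:" '{ sub(/#.*/, "") } $1 == db { $1 = ""; print; exit }' \
        "${2:-/etc/nsswitch.conf}"
}

# hosts must use dns without any mdns source; passwd, group and shadow
# must list winbind, as in the snippets on this page.
check_nsswitch() {  # usage: check_nsswitch [file]
    f="${1:-/etc/nsswitch.conf}"; rc=0
    case " $(nss_sources hosts "$f") " in
        *mdns*)    echo "FAIL hosts: mdns source present"; rc=1 ;;
        *" dns "*) ;;
        *)         echo "FAIL hosts: dns source missing"; rc=1 ;;
    esac
    for db in passwd group shadow; do
        case " $(nss_sources "$db" "$f") " in
            *" winbind "*) ;;
            *) echo "FAIL $db: winbind source missing"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Check the live files only on request (hypothetical name: sh check.sh --live).
if [ "${1:-}" = "--live" ]; then
    check_resolv && check_nsswitch && echo "OK: matches the documentation"
fi
```

Both check functions also accept a file path, so they can be run against a copy of a configuration file before it is put in place.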

Creating shares
===============

.. code-block:: bash

  mkdir /home/shares
  chown administrator:"domain users" /home/shares
  chmod 770 /home/shares
