Vi/Vim editors

Learn Useful ‘Vi/Vim’ Editor Tips and Tricks to Enhance Your Skills – Part 1

The need to learn how to use text editors in Linux is indisputable. Every system administrator and engineer deals with configuration (plain text) files on a daily basis, and most of the time this is done purely with one or more tools from a command-line interface (such as nano, vim, or emacs).

Linux Vi and Vim Tricks and Tips

Learn Linux Vi and Vim Tricks and Tips – Part 1

While nano is perhaps more suitable for new users, vim or emacs are the tools of choice for more experienced users due to their advanced capabilities.

But there is yet another reason why learning how to use one of these text editors should be a top priority for you: you may either bump into a CLI-only server or run into an issue with the desktop manager on your GUI-based Linux server or desktop, and the only way to examine it and edit configuration files is the command line.

Between this article and the next of this 2-article series, we will review 15 tips and tricks for enhancing your vim skills. It is assumed that you are already familiar with this text editor. If not, do yourself a favor and become acquainted with vim before proceeding further: you may want to refer to How to Use vi/vim as a Full Text Editor for a very detailed guide on starting with vim.


TIP #1: Using the online help

After you launch vim, press F1 or use :h in ex mode to enter the online help. You can jump to a specific section or topic by placing the cursor upon it and then pressing Ctrl+] (Ctrl, then the closing square bracket).

After you’re done, press Ctrl+t to return to the previous screen. Alternatively, you can look up a specific subject or command with :h <topic or command>.

For example,

:h x 

will display the help for the x (delete) command:

Vi Editor Online Help

and

:h substitute

will bring up the help about the substitute command (our final tip in this article).

TIP #2: Jump back and forth using marks

If you find yourself editing a file that is larger than one screen, you will appreciate the functionality provided by marks. You can think of a mark in vim as a bookmark – once you place it somewhere, you can go back to it quickly and easily. Suppose, for example, you are editing a 300-word configuration file and for some reason need to repeatedly switch between lines 30 and 150.

First, go to line #30 by entering :30 in ex mode, then return to command mode and hit ma (m, then a) to create a mark named “a” in line 30.

Then go to line 250 (with :250 in ex mode) and hit `a (backtick, then a) to return to mark a in line 30. You can use lowercase and uppercase letters to identify marks in vim (now repeat the process to create a mark named A in line #250).

You can view your marks with

:marks aA

Marks Usage in Vim Editor

As you can see, each mark is referenced by a specific line / column position on the file, not just by line.

TIP #3: Repeat the last command

Suppose you’re editing a shell script and realize the previous developer was rather lousy when it comes to indentation. Let’s see how you can fix it with a couple of vim commands.

First, select a visual block by placing the cursor at the start of the block, then pressing Ctrl+v (Ctrl, then v).

  1. To indent to the left: press <j
  2. To indent to the right: press >j

Then press the . (dot) command to repeat either indentation. The selected block will either move to the right or to the left with only one keystroke.

Another classic example of using the dot command is when you need to delete a series of words: place the cursor on the first word you want to delete, then press dw. To continue deleting the next words, just press . (shorter and easier than repeating dw several times).

TIP #4: Inserting special Unicode characters

If your keyboard layout does not allow you to easily insert special Unicode characters in a file, or if you find yourself in front of a server with different language settings than the ones you are used to, this trick will come in handy.

To do this, press Ctrl+v in insert mode followed by the letter u and the hexadecimal numeric code for the character you want to insert. You can check the Unicode charts for a list of special characters and their corresponding numeric codes.

For example,

 Ctrl+v followed by  Returns
 u0040  @
 u00B5  μ
 u20AC  €

TIP #5: Invoke external binaries from within vim

There will be times when you will need to insert the output of external commands directly into a file being edited with vim. For example, I often create a variable named DIR in my scripts to store the absolute path to the directory where the script resides in order to use it later in the script. To do that, I use:

:r! pwd 

in ex mode. Thus, the current working directory is inserted.

Another example: if you’re required to use the default gateway somewhere in a script, you can easily insert it in the current file without exiting vim as follows:

:r! ip route show | grep default | cut -f 3 -d " "
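The pipeline above relies on the third field of the "default via" line and yields an empty string when the host has no default route, so nothing (or a blank) would land in the script. As an added example, not part of the original article, the shell function below parses the same `ip route show` output but reports the missing-route case explicitly. The sample routing output is constructed for the example.

```shell
# Added example (not from the original article): extract the default gateway
# from `ip route show` output the way the :r! pipeline does, but with an
# explicit check for the case where no default route exists, so an empty
# value does not silently end up in the script being edited.

# Constructed sample output of `ip route show` (assumed typical Linux layout)
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 proto dhcp metric 100
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.0.0.0/8 via 192.0.2.254 dev eth0'

# Constructed sample with no default route at all
SAMPLE_NO_DEFAULT='192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'

# default_gateway ROUTE_OUTPUT
# Prints the gateway of the first "default via X" line; returns 1 if none.
default_gateway() {
    gw=$(printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }')
    if [ -z "$gw" ]; then
        echo "no default route found" >&2
        return 1
    fi
    printf '%s\n' "$gw"
}

default_gateway "$SAMPLE_ROUTES"
default_gateway "$SAMPLE_NO_DEFAULT" || echo "(no value inserted)"
```

On a live system you would feed it `"$(ip route show)"` instead of the constructed string; from inside vim the equivalent is `:r! ip route show | awk '...'` with the same awk program.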

TIP #6: Insert existing file

If you need to append the contents of a separate file into the one you are currently editing, the syntax is similar to the previous tip. Just omit the exclamation sign and you’re good to go.

For example, to copy the contents of /etc/passwd:

:r /etc/passwd

You may find this tip useful when you need to modify configuration files but want to keep the original ones to roll back to “factory settings”, so to speak.

TIP #7: Search and substitute (replace)

True story. Once during an exam, I was asked to open a large text file containing random data. The assigned task consisted of replacing each occurrence of the word Globe with Earth (yes, I still remember the exact words). For those familiar with sed, this will ring a bell – in ex mode, type:

:%s/old/new/g

where old is the pattern to search for and new is the string that will replace it.

In the case described above, I used:

:%s/Globe/Earth/g

to get the job done.

So what if you want to be prompted before making each substitution? Easy. Just add a c at the end of the above command, as follows:

:%s/old/new/gc

The occurrences of the pattern will be highlighted and you will be asked whether you want to replace it with the new string:

:%s/gacanepa/me/gc

Search and Replace String in Vim

where

  1. y: yes
  2. n: no
  3. a: substitute all
  4. q: quit
  5. l: substitute this occurrence and quit
  6. ^E (Ctrl+E): Scroll up one screen
  7. ^Y (Ctrl+Y): Scroll down one screen

Summary

In this article we have started reviewing some vim tips and tricks to add to your text editing skills. You will probably think of several others, so please share them using the form below and I will consider covering them in the next and final article of this vim series. I look forward to hearing from you.

LFCS: How to Install and Use vi/vim as a Full Text Editor – Part 2

A couple of months ago, the Linux Foundation launched the LFCS (Linux Foundation Certified Sysadmin) certification in order to help individuals from all over the world to verify they are capable of doing basic to intermediate system administration tasks on Linux systems: system support, first-hand troubleshooting and maintenance, plus intelligent decision-making to know when it’s time to raise issues to upper support teams.

Learning VI Editor in Linux


This post is Part 2 of a 10-tutorial series. In this part, we will cover the basic file editing operations and the modes of the vi/m editor that are required for the LFCS certification exam.

Perform Basic File Editing Operations Using vi/m

Vi was the first full-screen text editor written for Unix. Although it was intended to be small and simple, it can be a bit challenging for people used exclusively to GUI text editors, such as NotePad++ or gedit, to name a few examples.

To use Vi, we must first understand the 3 modes in which this powerful program operates, in order to begin learning later about its powerful text-editing procedures.

Please note that most modern Linux distributions ship with a variant of vi known as vim (“Vi improved”), which supports more features than the original vi does. For that reason, throughout this tutorial we will use vi and vim interchangeably.

If your distribution does not have vim installed, you can install it as follows.

  1. Ubuntu and derivatives: aptitude update && aptitude install vim
  2. Red Hat-based distributions: yum update && yum install vim
  3. openSUSE: zypper update && zypper install vim

Why should I want to learn vi?

There are at least 2 good reasons to learn vi.

1. vi is always available (no matter what distribution you’re using) since it is required by POSIX.

2. vi does not consume a considerable amount of system resources and allows us to perform any imaginable task without lifting our fingers from the keyboard.

In addition, vi has a very extensive built-in manual, which can be launched using the :help command right after the program is started. This built-in manual contains more information than vi/m’s man page.

vi Man Pages

Launching vi

To launch vi, type vi in your command prompt.

Start vi Editor

Then press i to enter Insert mode, and you can start typing. Another way to launch vi/m is:

# vi filename

Which will open a new buffer (more on buffers later) named filename, which you can later save to disk.

Understanding Vi modes

1. In command mode, vi allows the user to navigate around the file and enter vi commands, which are brief, case-sensitive combinations of one or more letters. Almost all of them can be prefixed with a number to repeat the command that number of times.

For example, yy (or Y) copies the entire current line, whereas 3yy (or 3Y) copies the entire current line along with the two next lines (3 lines in total). We can always enter command mode (regardless of the mode we’re working on) by pressing the Esc key. The fact that in command mode the keyboard keys are interpreted as commands instead of text tends to be confusing to beginners.

2. In ex mode, we can manipulate files (including saving a current file and running outside programs). To enter this mode, we must type a colon (:) from command mode, directly followed by the name of the ex-mode command that needs to be used. After that, vi returns automatically to command mode.

3. In insert mode (the letter i is commonly used to enter this mode), we simply enter text. Most keystrokes result in text appearing on the screen (one important exception is the Esc key, which exits insert mode and returns to command mode).

vi Insert Mode

Vi Commands

The following table shows a list of commonly used vi commands. File commands can be forced by appending an exclamation sign to the command (for example, :q! forces quitting without saving).

 Key command  Description
 h or left arrow  Go one character to the left
 j or down arrow  Go down one line
 k or up arrow  Go up one line
 l (lowercase L) or right arrow  Go one character to the right
 H  Go to the top of the screen
 L  Go to the bottom of the screen
 G  Go to the end of the file
 w  Move one word to the right
 b  Move one word to the left
 0 (zero)  Go to the beginning of the current line
 ^  Go to the first nonblank character on the current line
 $  Go to the end of the current line
 Ctrl-B  Go back one screen
 Ctrl-F  Go forward one screen
 i  Insert at the current cursor position
 I (uppercase i)  Insert at the beginning of the current line
 J (uppercase j)  Join current line with the next one (move next line up)
 a  Append after the current cursor position
 o (lowercase O)  Creates a blank line after the current line
 O (uppercase o)  Creates a blank line before the current line
 r  Replace the character at the current cursor position
 R  Overwrite at the current cursor position
 x  Delete the character at the current cursor position
 X  Delete the character immediately before (to the left) of the current cursor position
 dd  Cut (for later pasting) the entire current line
 D  Cut from the current cursor position to the end of the line (this command is equivalent to d$)
 yX  Give a movement command X, copy (yank) the appropriate number of characters, words, or lines from the current cursor position
 yy or Y  Yank (copy) the entire current line
 p  Paste after (next line) the current cursor position
 P  Paste before (previous line) the current cursor position
 . (period)  Repeat the last command
 u  Undo the last command
 U  Undo the last command in the last line. This will work as long as the cursor is still on the line.
 n  Find the next match in a search
 N  Find the previous match in a search
 :n  Next file; when multiple files are specified for editing, this commands loads the next file.
 :e file  Load file in place of the current file.
 :r file  Insert the contents of file after (next line) the current cursor position
 :q  Quit without saving changes.
 :w file  Write the current buffer to file. To append to an existing file, use :w >> file.
 :wq  Write the contents of the current file and quit. Equivalent to :x and ZZ
 :r! command  Execute command and insert output after (next line) the current cursor position.

Vi Options

The following options can come in handy while running vim (we need to add them in our ~/.vimrc file).

# echo set number >> ~/.vimrc
# echo syntax on >> ~/.vimrc
# echo set tabstop=4 >> ~/.vimrc
# echo set autoindent >> ~/.vimrc

vi Editor Options

  1. set number shows line numbers when vi opens an existing or a new file.
  2. syntax on turns on syntax highlighting (for multiple file extensions) in order to make code and config files more readable.
  3. set tabstop=4 sets the tab size to 4 spaces (default value is 8).
  4. set autoindent carries over previous indent to the next line.

Search and replace

vi has the ability to move the cursor to a certain location (on a single line or over an entire file) based on searches. It can also perform text replacements with or without confirmation from the user.

a). Searching within a line: the f command searches a line and moves the cursor to the next occurrence of a specified character in the current line.

For example, the command fh would move the cursor to the next instance of the letter h within the current line. Note that neither the letter f nor the character you’re searching for will appear anywhere on your screen, but the character will be highlighted after you press Enter.

For example, this is what I get after pressing f4 in command mode.

Search String in Vi

b). Searching an entire file: use the / command, followed by the word or phrase to be searched for. A search may be repeated using the previous search string with the n command, or the next one (using the N command). This is the result of typing /Jane in command mode.

Vi Search String in File

c). vi uses a command (similar to sed’s) to perform substitution operations over a range of lines or an entire file. To change the word “old” to “young” for the entire file, we must enter the following command.

 :%s/old/young/g 

Notice the colon at the beginning of the command.

Vi Search and Replace

The colon (:) starts the ex command, s in this case (for substitution), % is a shortcut meaning from the first line to the last line (the range can also be specified as n,m which means “from line n to line m”), old is the search pattern, while young is the replacement text, and g indicates that the substitution should be performed on every occurrence of the search string in the file.

Alternatively, a c can be added to the end of the command to ask for confirmation before performing any substitution.

:%s/old/young/gc

Before replacing the original text with the new one, vi/m will present us with the following message.

Replace String in Vi

  1. y: perform the substitution (yes)
  2. n: skip this occurrence and go to the next one (no)
  3. a: perform the substitution in this and all subsequent instances of the pattern.
  4. q or Esc: quit substituting.
  5. l (lowercase L): perform this substitution and quit (last).
  6. Ctrl-e / Ctrl-y: Scroll down and up, respectively, to view the context of the proposed substitution.

Editing Multiple Files at a Time

Let’s type vim file1 file2 file3 in our command prompt.

# vim file1 file2 file3

First, vim will open file1. To switch to the next file (file2), we need to use the :n command. When we want to return to the previous file, :N will do the job.

In order to switch from file1 to file3:

a). The :buffers command will show a list of the files currently being edited.

:buffers

Edit Multiple Files

b). The command :buffer 3 (without the s at the end) will open file3 for editing.

In the image above, a pound sign (#) indicates that the file is currently open but in the background, while %a marks the file that is currently being edited. On the other hand, a blank space after the file number (3 in the above example) indicates that the file has not yet been opened.

Temporary vi buffers

To copy a couple of consecutive lines (let’s say 4, for example) into a temporary buffer named a (not associated with a file) and place those lines in another part of the file later in the current vi session, we need to…

1. Press the ESC key to be sure we are in vi Command mode.

2. Place the cursor on the first line of the text we wish to copy.

3. Type “a4yy” to copy the current line, along with the 3 subsequent lines, into a buffer named a. We can continue editing our file – we do not need to insert the copied lines immediately.

4. When we reach the location for the copied lines, use “a before the p or P commands to insert the lines copied into the buffer named a:

  1. Type “ap to insert the lines copied into buffer a after the current line on which the cursor is resting.
  2. Type “aP to insert the lines copied into buffer a before the current line.

If we wish, we can repeat the above steps to insert the contents of buffer a in multiple places in our file. A temporary buffer, such as the one in this section, is discarded when the current window is closed.

Summary

As we have seen, vi/m is a powerful and versatile text editor for the CLI. Feel free to share your own tricks and comments below.


Update: If you want to extend your VI editor skills, then I would suggest you read following two guides that will guide you to some useful VI editor tricks and tips.

Part 1: Learn Useful ‘Vi/Vim’ Editor Tips and Tricks to Enhance Your Skills

Part 2: 8 Interesting ‘Vi/Vim’ Editor Tips and Tricks

8 Interesting ‘Vi/Vim’ Editor Tips and Tricks for Every Linux Administrator – Part 2

In the previous article of this series we reviewed 7 tips and tricks to add to your vi/m skill set. Besides the reasons given previously, learning how to use a text editor effectively in Linux is an essential ability for a system administrator or engineer and is a required competency to pass any major Linux certification program (such as LFCS, LFCE, RHCSA, and RHCE).

Learn Vi/Vim Editor in Linux

8 Interesting ‘Vi/Vim’ Editor Tips and Tricks – Part 2

That said, let’s get started.

TIP #8: Create horizontal or vertical windows

This tip was shared by Yoander, one of our readers, in Part 1. You can launch vi/m with multiple horizontal or vertical divisions to edit separate files inside the same main window:

Launch vi/m with two horizontal windows, with test1 at the top and test2 at the bottom:

# vim -o test1 test2 

Launch Vim Editor in Horizontal Windows

Launch vi/m with two vertical windows, with test3 on the left and test4 on the right:

# vim -O test3 test4 

Launch Vim Editor in Vertical Windows

You can switch the cursor from one window to another with the usual vi/m movement keys (h: left, l: right, j: bottom, k: top):

  1. Ctrl+w k – top
  2. Ctrl+w j – bottom
  3. Ctrl+w h – left
  4. Ctrl+w l – right

TIP #9: Change letters, words, or entire lines to UPPERCASE or lowercase

Please note that this tip only works in vim. In the next examples, X is an integer number.

  1. To change a series of letters to uppercase, position the cursor on the first letter, then type gUX in ex mode, and finally press the right arrow on the keyboard.
  2. To change X number of words, place the cursor at the beginning of the word, and type gUXw in ex mode.
  3. To change an entire line to uppercase, place the cursor anywhere on the line and type gUU in ex mode.

For example, to convert an entire lowercase line to uppercase, you should place the cursor anywhere on the line and type gUU:

Change String to Uppercase in Vim Editor

For example, to convert 2 uppercase words to lowercase, you should place the cursor at the beginning of the first word and type gu2w:

Convert String to Lowercase in Vim Editor

TIP #10: Delete characters, words, or to the beginning of a line in INSERT mode

While you can delete characters or several words at once in ex mode (i.e. dw to delete a word), you can also do so in Insert mode as follows:

  1. Ctrl + h: delete the previous character to the place where the cursor is currently located.
  2. Ctrl + w: delete the previous word to the place where the cursor is currently located. For this to work correctly, the cursor must be placed in an empty space after the word that you need to delete.
  3. Ctrl + u: delete the current line beginning at the character immediately to the left of the place where the cursor is.

TIP #11: Move or copy existing lines to another line of the document

While it is true that you can use the well-known dd, yy, and p commands in ex mode to delete, yank (copy) and paste lines, respectively, that only works when the cursor is placed where you want to perform those operations. The good news is that with the copy and move commands you can do the same regardless of where the cursor is currently placed.

For the next example we will use a short poem titled “Forever” by Terri Nicole Tharrington. To begin, we will have vim display the line numbers (:set nu in Command mode – consider this an extra tip). We will use :3copy5 (also in Command mode) to copy line 3 below line 5:

Move Copy Existing Lines in Vim

Now, undo last change (Esc + u – another bonus tip!) and type :1move7 to replace line 7 with line 1. Please note how lines 2 through 7 are shifted up and former line 1 now occupies line 7:

Move Lines in Vim Editor

TIP #12: Count matches resulting from a search by pattern and move from one occurrence to another

This tip is based on the substitute command (tip #7 in Part 1 of this series), with the exception that it will not remove anything since the substitute behavior is overridden by the n option, resulting in the count of occurrences of the specified pattern:

Make sure that you don’t omit any of the forward slashes!

:%s/pattern//gn 

For example,

:%s/libero//gn

Count Matches by Search Pattern in Vim

To move from one occurrence of the pattern to the next in ex mode, press n (lowercase N). To move to the previous instance, press N.

TIP #13: Directly open vi/m in a specified line

By default, when you launch vi/m, the cursor is initially placed in the last line that was edited. If you want to open the program and have the cursor be directly placed on a specified line, you can use the following trick:

# vim filename +line_number

For example, open forever.txt and place the cursor in line 6:

# vim forever.txt +6

Let’s tweak this example a little bit. Suppose we want to open the file on the line where the 3rd occurrence of the pattern appears:

# vim filename +$(grep -in pattern filename | sed -n 3p | cut -d: -f1)

Let’s take a closer look at what the above command does:

  1. grep -in pattern filename – displays all lines from filename where pattern occurs, with the line number at the beginning of each output line.
  2. sed -n 3p – displays the 3rd line from the preceding pipeline’s output.
  3. cut -d: -f1 – returns the first field of the previous pipeline’s output, using the colon (:) as the field separator.

# grep -in forever forever.txt
# grep -in forever forever.txt | sed -n 3p
# grep -in forever forever.txt | sed -n 3p | cut -d: -f1
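If the file has fewer than three matches, the pipeline prints nothing and vim is handed an empty `+` argument. As an added example, not part of the original article, the function below wraps the same grep, sed and cut steps and refuses to continue when the Nth match does not exist. The sample file content is constructed for the example and stands in for forever.txt.

```shell
# Added example (not from the original article): compute the line number of
# the Nth case-insensitive match of PATTERN in FILE, exactly as the
# grep | sed | cut pipeline does, but fail clearly when there are fewer
# than N matches instead of producing an empty line number.

# nth_match_line FILE PATTERN N
nth_match_line() {
    file=$1 pattern=$2 n=$3
    line=$(grep -in -- "$pattern" "$file" | sed -n "${n}p" | cut -d: -f1)
    if [ -z "$line" ]; then
        echo "fewer than $n matches of '$pattern' in $file" >&2
        return 1
    fi
    printf '%s\n' "$line"
}

# Constructed sample file standing in for forever.txt
sample=$(mktemp)
cat > "$sample" <<'EOF'
Forever is a long time
to wait for the sun.
Forever, they said,
and forever it was.
The end.
EOF

nth_match_line "$sample" forever 3          # prints 4
if target=$(nth_match_line "$sample" forever 5); then
    echo "unexpected: $target"
else
    echo "(vim would not be launched)"
fi
# Real usage from a shell prompt:
#   vim "$sample" +"$(nth_match_line "$sample" forever 3)"
rm -f "$sample"
```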

Open Vim Editor in Specified Line

The result of the previous command is then passed to vi/m to open the program at the specified line.

TIP #14: Customizing your vi/m environment

If you use vi/m to edit configuration files or to write code, you will want to be able to display the line numbers when you first open the program and to set automatic indentation so that when you press the Enter key, the cursor will be automatically placed at the proper position. In addition, you may want to customize the number of white spaces a tab occupies.

While you can do that each time you launch vi/m, it’s easier to set these options in ~/.vimrc so that they will be automatically applied:

set number
set autoindent
set shiftwidth=4
set softtabstop=4
set expandtab

For further options to customize your vi/m environment, you can refer to the online vim documentation.
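The Vi Options section earlier on this page adds these settings with `echo ... >> ~/.vimrc`, which appends another copy every time it is run. As an added example for both that section and this tip, not part of the original article, the function below appends each option only if an identical line is not already present. It takes the target file as a parameter (an assumption made so it can be demonstrated on a temporary file rather than your real ~/.vimrc).

```shell
# Added example (not from the original article): append vim options to a
# vimrc without duplicating lines that are already there. The plain
# `echo ... >> ~/.vimrc` form adds a new copy on every run; this checks first.
# Assumption: the vimrc path is passed in, so it can run against a temp file.

# vimrc_add FILE OPTION...
# Appends each OPTION as its own line to FILE unless an identical line exists.
vimrc_add() {
    file=$1
    shift
    [ -f "$file" ] || : > "$file"
    for opt in "$@"; do
        if grep -qxF -- "$opt" "$file"; then
            echo "already set: $opt"
        else
            printf '%s\n' "$opt" >> "$file"
            echo "added: $opt"
        fi
    done
}

# vimrc_count FILE OPTION
# Prints how many lines of FILE are exactly equal to OPTION.
vimrc_count() {
    grep -cxF -- "$2" "$1"
}

demo=$(mktemp)
vimrc_add "$demo" "set number" "set autoindent" "set shiftwidth=4" \
                  "set softtabstop=4" "set expandtab"
vimrc_add "$demo" "set number"      # second run leaves the file unchanged
echo "--- resulting vimrc ($demo) ---"
cat "$demo"
rm -f "$demo"
```

To apply it to your own configuration, call `vimrc_add "$HOME/.vimrc" "set number" ...`; the exact-line match means a commented-out or differently spelled variant is treated as a different line.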

TIP #15: Get General Vim Help/Options with vimtutor

If at any time you need to brush up your general vi/m skills, you can launch vimtutor from the command line which will display a full vi/m help that you can refer to as often as you wish without the need to fire up a web browser to search how to accomplish a certain task in vi/m.

# vimtutor

Vim Editor Help and Options

Note that you can navigate or search the contents of vimtutor as if you were navigating a regular file in vi/m.

Summary

In this 2-article series I’ve shared several vi/m tips and tricks that should help you to be more effective when it comes to editing text using command line tools. I’m sure you must have other ones – so feel free to share them with the rest of the community by using the form below. As always, questions and comments are also welcome.


12 Best Open Source Text Editors (GUI + CLI) I Found

Best Open Source Text Editors for Linux

12 Best Open Source Text Editors for Linux

Text editors can be used for writing code, editing text files such as configuration files, creating user instruction files and much more. In Linux, text editors are of two kinds: graphical user interface (GUI) editors and command line text editors (console or terminal).


In this article I am taking a look at 12 of the best and most commonly used open source text editors in Linux, on both servers and desktops.

1. Vi/Vim Editor

Vim is a powerful command line based text editor that has enhanced the functionalities of the old Unix Vi text editor. It is one of the most popular and widely used text editors among system administrators and programmers, which is why many users often refer to it as a programmer’s editor. It enables syntax highlighting when writing code or editing configuration files.

If you want to see our complete series on vi(m), please refer to the links below:

  1. Learn and Use Vi/Vim as a Full Text Editor in Linux
  2. Learn ‘Vi/Vim’ Editor Tips and Tricks to Enhance Your Skills
  3. 8 Interesting ‘Vi/Vim’ Editor Tips and Tricks

Vi/Vim Linux Editor

2. Gedit

This is a general purpose GUI based text editor and is installed as the default text editor on the GNOME desktop environment. It is simple to use, highly pluggable and a powerful editor with the following features:

  1. Support for UTF-8
  2. Use of configurable font size and colors
  3. Highly customizable syntax highlighting
  4. Undo and redo functionalities
  5. Reverting of files
  6. Remote editing of files
  7. Search and replace text
  8. Clipboard support functionalities and many more

Gedit Editor

3. Nano Editor

Nano is an easy to use text editor suitable for both new and advanced Linux users. It enhances usability by providing customizable key bindings.

Nano has the following features:

  1. Highly customizable key bindings
  2. Syntax highlighting
  3. Undo and redo options
  4. Full line display on the standard output
  5. Pager support to read from standard input

Nano Editor

You can check our complete guide for editing files with Nano editor at:

  1. How to Use Nano Editor in Linux

4. GNU Emacs

This is a highly extensible and customizable text editor that also offers interpretation of the Lisp programming language at its core. Different extensions can be added to support text editing functionalities.

Emacs has the following features:

  1. User documentation and tutorials
  2. Syntax highlighting using colors even for plain text.
  3. Unicode supports many natural languages.
  4. Various extensions including mail and news, a debugger interface, a calendar and many more

Emacs Editor

5. Kate/Kwrite

Kate is a feature rich and highly pluggable text editor that comes with the K Desktop Environment (KDE). The Kate project aims at the development of two main products: KatePart and Kate.

KatePart is an advanced text editor component included in many KDE applications which may require users to edit text, whereas Kate is a multiple document interface (MDI) text editor.

The following are some of its general features:

  1. Extensible through scripting
  2. Encoding support such as unicode mode
  3. Text rendering in bi-directional mode
  4. Line ending support with auto detection functionalities

It also supports remote file editing and many other features, including advanced editor features, application features, programming features, text highlighting features, backup features and search and replace features.

Kate Editor

6. Lime Text

This is a powerful IDE-like text editor which is a free and open-source successor to the popular Sublime Text. It has a few frontends, such as a command-line interface, that you can use with the pluggable backend.

Lime Editor

7. Pico Editor

Pico is also a command line based text editor that comes with the Pine news and email client. It is a good editor for new Linux users because of its simplicity in relation to many GUI text editors.

Pico Editor

8. Jed Editor

This is another command line editor with support for GUI-like features such as dropdown menus. It is developed purposely for software development, and one of its important features is Unicode support.

Jed Editor

9. gVim Editor

It is a GUI version of the popular Vim editor and it has similar functionalities as the command line Vim.

Gvim Editor

10. Geany Editor

Geany offers basic IDE-like features with a focus on software development using the GTK+ toolkit.

It has some basic features as listed below:

  1. Syntax highlighting
  2. Pluggable interface
  3. Supports many file types
  4. Enables code folding and code navigation
  5. Symbol name and construct auto-completion
  6. Supports auto-closing of HTML and XML tags
  7. Elementary project management functionality plus many more

Geany Editor

11. Leaf Pad

This is a GTK+ based, lightweight GUI based text editor which is also popular among Linux users today. It is easy to use by new Linux users.

It has the following features:

  1. Codeset option
  2. Allows auto detection of codeset
  3. Options of undo and redo
  4. Display file line numbers
  5. Supports Drag and Drop options
  6. Printing support

Leafpad Editor

12. Bluefish

Bluefish is an easy-to-install and easy-to-use text editor targeting Linux programmers and web developers. It offers a wide set of features, as listed below:

  1. Lightweight and fast
  2. Integrates external Linux programs such as lint, weblint and make, as well as filters and pipes such as sed, sort and awk
  3. Spelling check feature
  4. Supports working on multiple projects
  5. Remote file editing
  6. Search and replace support
  7. Undo and redo option
  8. Auto-recovery of modified files

Bluefish Editor

Concluding

I believe the list is longer than what we have looked at here, so if you have used other free and open-source text editors, let us know by posting a comment.

10 Best Markdown Editors for Linux

In this article, we shall review some of the best Markdown editors you can install and use on your Linux desktop. There are numerous Markdown editors you can find for Linux but here, we want to unveil possibly the best you may choose to work with.

Best Linux Markdown Editors

For starters, Markdown is a simple and lightweight tool, written in Perl, that lets users write in a plain text format and convert it to valid HTML (or XHTML). It is literally an easy-to-read, easy-to-write plain text language and a software tool for text-to-HTML conversion.

Don’t Miss: 18 Best IDEs Programming or Source Code Editors on Linux

Don’t Miss: 12 Best Open Source Text Editors (GUI + CLI) I Found in 2015

Hoping that you have a slight understanding of what Markdown is, let us proceed to list the editors.

1. Atom

Atom is a modern, cross-platform, open-source and very powerful text editor that runs on Linux, Windows and Mac OS X. Users can customize it down to its core without editing any configuration files.

It is designed with some illustrious features, including:

  1. Comes with a built-in package manager
  2. Smart auto-completion functionality
  3. Offers multiple panes
  4. Supports find and replace functionality
  5. Includes a file system browser
  6. Easily customizable themes
  7. Highly extensible using open-source packages and many more

Atom Markdown Editor for Linux

Visit Homepage: https://atom.io/

2. GNU Emacs

Emacs is one of the most popular open-source text editors on the Linux platform today. It is a great editor for Markdown, and it is highly extensible and customizable.

It’s comprehensively developed with the following amazing features:

  1. Comes with an extensive built-in documentation including tutorials for beginners
  2. Full Unicode support for probably all human scripts
  3. Supports content-aware text-editing modes
  4. Includes syntax coloring for multiple file types
  5. It is highly customizable using Emacs Lisp code or the GUI
  6. Offers a packaging system for downloading and installing various extensions plus so much more

Emacs Markdown Editor for Linux

Visit Homepage: https://www.gnu.org/software/emacs/

3. Remarkable

Remarkable is possibly the best Markdown editor you can find on Linux; it also works on the Windows operating system. It is indeed a remarkable and fully featured Markdown editor that offers users some exciting features.

Some of its remarkable features include:

  1. Supports live preview
  2. Supports exporting to PDF and HTML
  3. Also offers GitHub Markdown
  4. Supports custom CSS
  5. It also supports syntax highlighting
  6. Offers keyboard shortcuts
  7. Highly customizable, plus many more

Remarkable Markdown Editor for Linux

Visit Homepage: https://remarkableapp.github.io

4. Haroopad

Haroopad is an extensively built, cross-platform Markdown document processor for Linux, Windows and Mac OS X. It enables users to write expert-level documents of numerous formats including email, reports, blogs, presentations, blog posts and many more.

It is fully featured with the following notable features:

  1. Easily imports content
  2. Also exports to numerous formats
  3. Broadly supports blogging and mailing
  4. Supports several mathematical expressions
  5. Supports Github flavored Markdown and extensions
  6. Offers users some exciting themes, skins and UI components plus so much more

Haroopad Markdown Editor for Linux

Visit Homepage: http://pad.haroopress.com/

5. ReText

ReText is a simple, lightweight and powerful Markdown editor for Linux and several other POSIX-compatible operating systems. It also doubles as a reStructuredText editor, and has the following attributes:

  1. Simple and intuitive GUI
  2. Highly customizable: users can customize file syntax and configuration options
  3. Also supports several color schemes
  4. Supports use of multiple mathematical formulas
  5. Enables export extensions and many more

ReText Markdown Editor for Linux

Visit Homepage: https://github.com/retext-project/retext

6. UberWriter

UberWriter is a simple and easy-to-use Markdown editor for Linux; its development was heavily influenced by iA Writer for Mac OS X. It is also feature rich, with these remarkable features:

  1. Uses pandoc to perform all text-to-HTML conversions
  2. Offers a clean UI
  3. Offers a distraction-free mode, highlighting the user's last sentence
  4. Supports spellcheck
  5. Also supports full screen mode
  6. Supports exporting to PDF, HTML and RTF using pandoc
  7. Enables syntax highlighting and mathematical functions plus many more

UberWriter Markdown Editor for Linux

Visit Homepage: http://uberwriter.wolfvollprecht.de/

7. Mark My Words

Mark My Words is also a lightweight yet powerful Markdown editor. It is a relatively new editor and therefore offers only a handful of features, including syntax highlighting and a simple, intuitive GUI.

The following are some of the awesome features yet to be bundled into the application:

  1. Live preview support
  2. Markdown parsing and file IO
  3. State management
  4. Support for exporting to PDF and HTML
  5. Monitoring files for changes
  6. Support for preferences

MarkMyWords Markdown Editor for Linux

Visit Homepage: https://github.com/voldyman/MarkMyWords

8. Vim-Instant-Markdown Plugin

Vim is a powerful, popular and open-source text editor for Linux that has stood the test of time. It is great for coding. It is also highly pluggable, letting users add many other capabilities to it, including Markdown preview.

There are multiple Vim Markdown preview plugins, but you can use Vim-Instant-Markdown which offers the best performance.

9. Bracket-MarkdownPreview Plugin

Brackets is a modern, lightweight, open-source and cross-platform text editor built specifically for web design and development. Some of its notable features include support for inline editors, live preview, preprocessor support and many more.

It is also highly extensible through plugins and you can use the Bracket-MarkdownPreview plugin to write and preview Markdown documents.

Brackets Markdown Plugin Preview

10. SublimeText-Markdown Plugin

Sublime Text is a refined, popular and cross-platform text editor for code, Markdown and prose. It offers high performance and the following features:

  1. Simple and slick GUI
  2. Supports multiple selections
  3. Offers a distraction free mode
  4. Supports split editing
  5. Highly pluggable through Python plugin API
  6. Fully customizable and offers a command palette

SublimeText-Markdown plugin is a package that supports syntax highlighting and comes with some good color schemes.

SublimeText Markdown Plugin Preview

Conclusion

Having walked through the list above, you probably know what Markdown editors and document processors to download and install on your Linux desktop for now.

Note that what we consider the best here may not be the best for you. If you know of exciting Markdown editors that are missing from this list and deserve a mention, share your thoughts via the feedback section below.

MySQLDumper: A PHP and Perl Based MySQL Database Backup Tool

MySQL is one of the most popular databases in the world. It can be installed on Microsoft Windows as well as Linux. Why is it so popular? Probably because of its powerful features and because it is free to use. For a database administrator, database backups are crucial to maintaining the availability of data: they minimize the risk if something happens to the database.

Install MySQLDumper in Linux

Since MySQL is so popular, there are many tools we can use to back it up, from console programs to web-based software. Here we will take a look at MySQLDumper as a tool for backing up MySQL databases.

What is MySQLDumper?

MySQLDumper is another open-source, web-based tool for backing up MySQL databases. It is built with PHP and Perl and can easily dump and restore your MySQL data. It is especially suitable for shared hosting, where you don't have access to a Linux shell.

MySQLDumper Features

MySQLDumper has a lot of features; here are some that may interest you.

  1. Easy installation: just make sure that you have a working web server and point your browser to the MySQLDumper installation file.
  2. All parameters are shown before the backup is started, so you are sure of what you are doing.
  3. Database overview: look at running processes.
  4. SQL-Browser: access your MySQL tables, delete tables, edit or insert data.
  5. Two types of backup method, using PHP or Perl.
  6. Complete log files.
  7. Automatic deletion of your old backup files.
  8. Create directory protection.

Installation of MySQLDumper in Linux

Installing MySQLDumper is so easy. First we can download MySQLDumper from the following link.

  1. Download MySQLDumper

At the time of writing this article, the latest version is 1.24. Download the latest version into your working web server directory (e.g. /var/www or /var/www/html). Once you have it, extract MySQLDumper1.24.4.zip.

$ unzip MySQLDumper1.24.4.zip

You will then find a ‘msd1.24.4‘ folder containing all the MySQLDumper files. Next, point your browser to the MySQLDumper installation file, ‘msd1.24.4/install.php’. Here are the steps of the very easy MySQLDumper installation.

1. We need to choose the installation language.

Select Language

2. We need to fill some credentials such as hostname, user and MySQL password.

Database Parameters

3. We can test the connection to the database by clicking the Connect to MySQL button. If it succeeds, we will see the message “Database connection was established”.

Test Database Connection

4. Once you see the message, click the ‘Save and continue installation‘ button. You will be taken to the home screen.

Home Screen

How to use MySQLDumper

As its name suggests, MySQLDumper's main function is to back up your MySQL databases. With this application, backing up (and restoring) a MySQL database is very easy. Let's take a look.

Backup Process using PHP

The function menu is located in the navigation panel on the left. First we need to select the database we want to back up; the option is in the left menu.

Select Database

In the screenshot above, we choose to backup a database named ‘employees‘.

Then select the ‘Backup‘ menu on the left and choose ‘Backup PHP‘ in the top area. We will see a screen like this.

Select Backup PHP

Then click ‘Start New Backup‘. The progress of the backup will be shown.

Database Backup Progress

Once the backup is finished, we will see a notification.

Backup Done

Backup Process using Perl

Another backup method that is supported by MySQLDumper is ‘Backup Perl’. With this method, we will use Perl as the backup engine.

Note that your web server must support ‘Perl/CGI‘ scripts before you run this backup method. Otherwise, you will see an error like this when you click the Test Perl button.

Test Perl Support

As with the PHP backup method, we need to select the database we want to back up. Then choose the Backup menu from the left navigation panel and click the Backup Perl button.

Select Backup Perl

MySQLDumper will show the active parameters in the bottom area. Then click the ‘Run the Perl Cron script‘ button. With this method no progress bar appears; the duration of the backup depends on the database being backed up. If there is no error, we will see a notification like this.

Perl CronDump Details

Restore Process

Restoring a backup is also easy with MySQLDumper. Click the ‘Restore‘ menu in the navigation panel on the left. Unlike the Backup screen, all available backups are listed in the bottom area of the restore page.

Restore Database Backup

Select the backup you want from that list. The upper area shows the selected backup, ready to be restored. For a full restore, click the ‘Restore‘ button above; to restore only some tables, click ‘Choose tables‘ to be restored above.

Restore Database Tables

Once done, click ‘Restore‘ and wait a moment for the restore to complete.

Restore Progress

Create a Directory Protection

By default, the home page of MySQLDumper can be accessed by anyone who knows its URL. Using Directory Protection, we can protect the home screen with a password. Directory Protection uses the ‘.htaccess‘ mechanism of the Apache web server.

To create it, click the Create directory protection button on the home screen.

Protect MySQLDumper

You will then be asked to provide credentials.

Enter Login Credentials

Once you have done that, click the Create directory protection button. You will then see a confirmation page.

Protect Confirmation

If there is no error, a success message will be displayed.

Protection Success

The next time you visit the page, MySQLDumper will ask you for a password before showing its home screen.

Enter Password

File Administration

This menu is used to manage all available backups and restores.

All Database Backups

Here are some of the activities that can be done on this page.

  1. Delete backup(s): use the Delete buttons in the top area.
  2. Download backup(s): click the backup name.
  3. Select backup(s): click the database name in the All Backups area.
  4. Upload big backup(s) to be restored.
  5. Convert a database into MySQLDumper (MSD) format.

Note: When we tried to convert a database without using any compression, we found that MySQLDumper creates a database with the name ‘part_1.sql’. Its size is smaller than the original source.

SQL-Browser

If you want to run a specific SQL command, you can do it on this SQL-Browser page. But make sure you know what you are doing.

SQL Browser

Configuration

All the functions above can be configured from the Configuration menu. Here are the sections that can be configured.

General

General Configuration

Interface

Interface Configuration

Autodelete

Autodelete Details

Email

Email Notification

FTP

FTP Backup Transfer

Cronscript

Crondump Settings

Log Management

MySQLDumper also provides basic logs, so we can know when backup and restore activity occurred. To access the log page, click the ‘Log’ menu in the navigation panel on the left.

There are 3 kinds of logs: PHP-Log, Perl-Log and Perl-Complete Log.

PHP Log

Perl Log

Perl Complete Log

Conclusion

MySQLDumper may not be the best backup tool for MySQL, but given its ease of use, people may start using it. Unfortunately, I found that MySQLDumper does not come with offline documentation. Still, it is a great alternative tool for backing up MySQL databases.

http://www.mysqldumper.net/

phpMyBackupPro – A Web Based MySQL Backup Tool for Linux

phpMyBackupPro is an open-source, very easy-to-use, web-based MySQL backup application written in PHP and released under the GNU GPL. It allows you to create scheduled backups, restore and manage them, download, email, or upload backups to any FTP server, and much more. It can also back up file directories and upload them to an FTP server.

It supports three compression levels for backups (no compression, zip or gzip compression). It also supports two alternative login methods, HTTP or HTML authentication.

Features

Following are some major key features of “phpMyBackupPro“.

  1. Single or multiple database backup, with or without data and table structure.
  2. Three levels of compression are supported: no compression, gzip or zip compression.
  3. Create scheduled backups without cron jobs using a small PHP script.
  4. Upload backups directly to an FTP server and send backups by email.
  5. Only Apache and PHP are needed, so it runs on platforms like Linux, Mac or Windows.
  6. Shell interface to take backups manually or by using a cron script.
  7. Whole file directory backup, with transfer to any FTP server.
  8. Take database backups from different accounts on several MySQL servers.
  9. Two authentication methods supported: HTTP or HTML login authentication.
  10. Friendly interface and very easy to install and set up.
  11. Multiple languages supported.

Taking MySQL backups and restoring them from the command line is always good practice, but what about when you don't have physical access to the server? In that situation the phpMyBackupPro tool comes in handy.

How to Install phpMyBackupPro in RHEL/CentOS/Fedora and Debian/Ubuntu

For installing phpMyBackupPro application, you must have running Apache web server and PHP installed on the server. Let’s install these required packages on the server.

Install Apache and PHP

Install on Red Hat based systems using yum command.

# yum install httpd 
# yum install php php-mysql
# service httpd start

Install on Debian based systems using apt-get command.

# apt-get install apache2 
# apt-get install php5 libapache2-mod-auth-mysql php5-mysql
# service apache2 start

The newest phpMyBackupPro version can be downloaded from phpMyBackupPro website or you may use following “wget” command to download.

# cd /usr/share
# wget http://kaz.dl.sourceforge.net/project/phpmybackup/phpMyBackupPro/phpmyBackupPro%202.4/phpMyBackupPro-2.4.zip

Unzip the phpMyBackupPro zip file under /usr/share/ directory.

# unzip phpMyBackupPro-2.4.zip

For security reasons, it’s better to place the content of the folder under /usr/share/phpmybackup directory.

# cd phpMyBackupPro-2.4
# mv phpMyBackupPro/ /usr/share/phpmybackup
# mv documentation/ /usr/share/phpmybackup/

Next, go to the Apache “conf.d” directory and create a file named “phpmybackup.conf” in it. For Red Hat based systems the path is /etc/httpd/conf.d/ and for Debian it is /etc/apache2/conf.d.

# vi phpmybackup.conf

Add the following lines to it, then save and close. By default these rules allow access from everywhere; to restrict access to a specific IP, replace “all” with your IP address, for example “allow from 172.16.25.125“.

Alias /phpmybackup /usr/share/phpmybackup
<Directory /usr/share/phpmybackup>
   Options None
   Order allow,deny
   allow from all
</Directory>

Restart Apache service.

# /etc/init.d/httpd restart (On Red Hat systems)

# /etc/init.d/apache2 restart (On Debian systems)

On some systems, the web server needs write permission on the file “global_conf.php” and on the “export” directory.

# cd /usr/share/

# chown -R root:apache phpmybackup (On Red Hat systems)

# chown -R root:www-data phpmybackup (On Debian systems)

# cd /usr/share/phpmybackup/
# chmod 0777 global_conf.php
# chmod 0777 export

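The chmod 0777 above makes global_conf.php and the export directory writable by every local account, not only the web server. The added audit below (not part of the original article) lists world-writable paths under the install directory and narrows each to owner-plus-group access, optionally assigning the web server group named in the chown commands; the directory layout it is tested against is constructed.

```python
"""Audit a web application directory for world-writable files and tighten them.

Added example; not part of the original article. The article's `chmod 0777`
lets every local account, not only the web server, write global_conf.php and
the export directory. world_writable() finds such paths and tighten() replaces
the mode with owner+group access, optionally chgrp'ing to the web server group
("apache" or "www-data" in the article), which requires root.
"""
import grp
import os
import stat
from typing import List, Optional


def world_writable(root: str) -> List[str]:
    """Return every file and directory below root whose mode has the o+w bit set."""
    hits: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # do not follow symlinks out of the tree
            except FileNotFoundError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are irrelevant
            if st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def group_writable_mode(st_mode: int) -> int:
    """Derive the replacement mode: owner bits mirrored to group, nothing for others.

    Regular files also lose the execute bit, so a 0777 config file becomes 0660
    while a 0777 directory becomes 0770 (directories need x to be traversed).
    """
    owner = st_mode & 0o700
    if not stat.S_ISDIR(st_mode):
        owner &= 0o600
    return owner | (owner >> 3)


def tighten(path: str, group: Optional[str] = None) -> int:
    """Apply group_writable_mode() to path (and chgrp it if group is given); return the new mode."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise ValueError(f"refusing to change a symlink: {path}")
    new_mode = group_writable_mode(st.st_mode)
    if group is not None:
        os.chown(path, -1, grp.getgrnam(group).gr_gid)  # -1 leaves the owner unchanged
    os.chmod(path, new_mode)
    return new_mode


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/phpmybackup"
    for p in world_writable(root):
        print(f"world-writable: {p} ({oct(stat.S_IMODE(os.lstat(p).st_mode))})")
```

Run it against the install directory after the chown step; pass a group name to tighten() only when running as root.
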
Now you are almost ready to start phpMyBackupPro. Open a browser and load the config.php file like this.

http://localhost/phpmybackup/config.php
OR
http://ip-address/phpmybackup/config.php

In the configuration tab, enter your MySQL details: hostname, username, password and database name. If you would like to set up FTP to save backups, enter the FTP login details as shown below.

phpMyBackupPro Configuration

Configuration Panel

Next, click the “backup” tab to see the list of your MySQL databases and select the database you wish to back up.

phpMyBackupPro Backup

Backup Panel

There are two popular ways to schedule backups:

  1. By including the schedule script into existing application.
  2. By using a hidden frame in an HTML frameset.

To schedule a backup, you must first create a schedule script. Go to “schedule backup” tab.

phpMyBackupPro Schedule Backup

Schedule Backup

Select how often you want a backup to be generated. Then choose the directory of the PHP script that will later include the schedule script. After that, select the name of the database to back up, enter a comment, select the compression type and finally click the “Show script” button. On the next page you will see the newly created schedule script.

Instead of copying the generated code into a new file, you can save it by entering a filename like “schedule_backup.php” in the text box and clicking “Save data”. For more information, read the “SCHEDULED_BACKUPS.txt” file in the documentation directory.

phpMyBackupPro Backup Script

Backup Script

The “sql queries” tab is built to run simple SQL queries against the databases or to import databases from the local computer.

phpMyBackupPro SQL Query

SQL Query Shell

The “start” tab displays your current Apache, PHP and MySQL version information.

phpMyBackupPro System Information

Version Information

phpMyBackupPro is by far the easiest backup solution for MySQL. If you manage a MySQL server, pMBP is a must-have application that can help you save your precious data with minimum effort.

Reference Links

phpMyBackupPro Homepage

MySQL Backup and Restore Commands for Database Administration

This article shows several practical examples of how to perform various backup operations on MySQL databases using the mysqldump command, and how to restore them with the help of the mysql and mysqlimport commands in Linux.

mysqldump is a command-line client program used to dump a local or remote MySQL database, or a collection of databases, into a single flat file for backup.

How to backup mysql database

How to Backup and Restore MySQL Database

We assume that you already have MySQL installed on a Linux system, that you have administrative privileges, and that you have some basic knowledge of MySQL. If you don't have MySQL installed or have no exposure to MySQL, read our articles below.

  1. Install MySQL Server on RHEL/CentOS 6-5, Fedora 17-12
  2. 20 MySQL Commands for Database Administration

How to Backup MySQL Database?

To take a backup of a MySQL database or databases, the database must exist on the database server and you must have access to it. The format of the command is as follows.

# mysqldump -u [username] -p[password] [database_name] > [dump_file.sql]

The parameters of the command are as follows.

  1. [username] : A valid MySQL username.
  2. [password] : A valid MySQL password for the user.
  3. [database_name] : The name of the database you want to back up.
  4. [dump_file.sql] : The name of the backup dump file you want to generate.

How to Backup a Single MySQL Database?

To back up a single database, use the following command. It will dump the structure and data of the database [rsyslog] into a single dump file called rsyslog.sql.

# mysqldump -u root -ptecmint rsyslog > rsyslog.sql

How to Backup Multiple MySQL Databases?

If you want to back up multiple databases, run the following command. This example backs up the structure and data of the databases [rsyslog, syslog] into a single file called rsyslog_syslog.sql.

# mysqldump -u root -ptecmint --databases rsyslog syslog > rsyslog_syslog.sql

How to Backup All MySQL Databases?

If you want to back up all databases, use the following command with the option --all-databases. It backs up all databases with their structure and data into a file called all-databases.sql.

# mysqldump -u root -ptecmint --all-databases > all-databases.sql

How to Backup MySQL Database Structure Only?

If you only want a backup of the database structure without data, use the option --no-data. The command below exports the structure of the database [rsyslog] into the file rsyslog_structure.sql.

# mysqldump -u root -ptecmint --no-data rsyslog > rsyslog_structure.sql

How to Backup MySQL Database Data Only?

To back up the data only, without structure, use the option --no-create-info. This command dumps the data of the database [rsyslog] into the file rsyslog_data.sql.

# mysqldump -u root -ptecmint --no-create-db --no-create-info rsyslog > rsyslog_data.sql

How to Backup Single Table of Database?

With the command below you can back up a single table or certain tables of your database. For example, the following command backs up only the wp_posts table from the database wordpress.

# mysqldump -u root -ptecmint wordpress wp_posts > wordpress_posts.sql

How to Backup Multiple Tables of Database?

If you want to back up multiple or certain tables from the database, separate each table name with a space.

# mysqldump -u root -ptecmint wordpress wp_posts wp_comments > wordpress_posts_comments.sql

How to Backup Remote MySQL Database

The command below backs up the database [gallery] on the remote server [172.16.25.126] onto the local server.

# mysqldump -h 172.16.25.126 -u root -ptecmint gallery > gallery.sql

How to Restore MySQL Database?

Above we have seen how to back up databases, tables, structure only and data only; now we will see how to restore them using the following format.

# mysql -u [username] -p[password] [database_name] < [dump_file.sql]

How to Restore Single MySQL Database

To restore a database, you must create an empty database on the target machine and restore into it using the mysql command. For example, the following command restores the rsyslog.sql file into the rsyslog database.

# mysql -u root -ptecmint rsyslog < rsyslog.sql

If you want to restore a database that already exists on the target machine, then you will need to use the mysqlimport command.

# mysqlimport -u root -ptecmint rsyslog < rsyslog.sql

In the same way you can also restore database tables, structures and data. If you liked this article, then do share it with your friends.

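The commands above pass the password as -p<password>, which exposes it in process listings and shell history. As an added example, not from the original article, the following wrapper builds the same mysqldump variants but reads the credentials from a temporary mode-0600 option file via --defaults-extra-file, writes the dump to an owner-only file, and checks that a finished dump carries its completion trailer; it assumes mysqldump is on PATH when run as a script, and the dump contents used in its checks are constructed.

```python
"""Back up MySQL with mysqldump without exposing the password on the command line.

Added example; not code from the article. The article's commands use -p<password>,
which shows the password in process listings and shell history. This wrapper
writes the credentials to a mode-0600 option file, hands it to mysqldump via
--defaults-extra-file, and checks the finished dump for its completion trailer.
It assumes mysqldump is on PATH when run as a script.
"""
import os
import shutil
import subprocess
import tempfile
from typing import List, Optional


def write_defaults_file(user: str, password: str, host: str = "localhost") -> str:
    """Write a [client] option file readable only by the current user; return its path."""
    fd, path = tempfile.mkstemp(prefix="mysqldump-", suffix=".cnf")  # mkstemp creates 0600
    # Option-file values are double-quoted so '#' or ';' in the password do not
    # start a comment; backslash and double quote must be escaped inside quotes.
    escaped = password.replace("\\", "\\\\").replace('"', '\\"')
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(f'[client]\nuser={user}\npassword="{escaped}"\nhost={host}\n')
    except OSError:
        os.unlink(path)
        raise
    return path


def build_mysqldump_argv(defaults_file: str, databases: List[str],
                         tables: Optional[List[str]] = None,
                         structure_only: bool = False, data_only: bool = False,
                         mysqldump: str = "mysqldump") -> List[str]:
    """Assemble argv for the backup variants shown in the article.

    An empty `databases` list selects --all-databases. --defaults-extra-file must
    be the first option; it replaces the -u/-p pair.
    """
    if tables and len(databases) != 1:
        raise ValueError("tables can only be dumped from exactly one database")
    if structure_only and data_only:
        raise ValueError("structure_only and data_only are mutually exclusive")
    argv = [mysqldump, f"--defaults-extra-file={defaults_file}"]
    if structure_only:
        argv.append("--no-data")
    if data_only:
        argv += ["--no-create-db", "--no-create-info"]
    if not databases:
        argv.append("--all-databases")
    elif tables:
        argv += [databases[0], *tables]
    elif len(databases) == 1:
        argv.append(databases[0])
    else:
        argv += ["--databases", *databases]
    return argv


def dump_to_file(argv: List[str], out_path: str) -> int:
    """Run mysqldump into an owner-only output file and return the dump size in bytes.

    A failed run removes the partial file so it cannot be mistaken for a good backup.
    """
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as out:
        proc = subprocess.run(argv, stdout=out, stderr=subprocess.PIPE)
    if proc.returncode != 0:
        os.unlink(out_path)
        raise RuntimeError(proc.stderr.decode(errors="replace").strip())
    return os.path.getsize(out_path)


def dump_looks_complete(path: str) -> bool:
    """Check for the mysqldump header line and the '-- Dump completed' trailer.

    A dump cut short by a full disk or a killed process has no trailer. Only the
    first line and the last 4 KiB are read, so this is cheap on large dumps.
    """
    with open(path, "rb") as fh:
        head = fh.readline()
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - 4096))
        tail = [ln for ln in fh.read().splitlines() if ln.strip()]
    trailer = tail[-1] if tail else b""
    return (head.startswith((b"-- MySQL dump", b"-- MariaDB dump"))
            and trailer.startswith(b"-- Dump completed"))


if __name__ == "__main__":
    if shutil.which("mysqldump") is None:
        raise SystemExit("mysqldump not found on PATH")
    cnf = write_defaults_file("root", "tecmint")  # the article's example credentials
    try:
        size = dump_to_file(build_mysqldump_argv(cnf, ["rsyslog"]), "rsyslog.sql")
        print(f"rsyslog.sql: {size} bytes, complete={dump_looks_complete('rsyslog.sql')}")
    finally:
        os.unlink(cnf)  # never leave the credential file behind
```
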
ACTIVE DIRECTORY (AD) Infrastructure with SAMBA4 on Ubuntu

Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1

Samba is free and open-source software that provides standard interoperability between Windows and Linux/Unix operating systems.

Samba can operate as a standalone file and print server for Windows and Linux clients through the SMB/CIFS protocol suite, or it can act as an Active Directory Domain Controller or be joined to a realm as a domain member. The highest AD DC domain and forest level that Samba4 can currently emulate is Windows 2008 R2.

The series is titled Setting Up Samba4 Active Directory Domain Controller and covers the following topics for Ubuntu, CentOS, and Windows:

Part 1: Install Active Directory Infrastructure with SAMBA4 on Ubuntu

This tutorial explains all the steps you need to take care of in order to install and configure Samba4 as a Domain Controller on Ubuntu 16.04 and Ubuntu 14.04.

This configuration provides a central management point for users, machines, volume shares, permissions and other resources in a mixed Windows and Linux infrastructure.

Requirements:

  1. Ubuntu 16.04 Server Installation.
  2. Ubuntu 14.04 Server Installation.
  3. A static IP Address configured for your AD DC server.

Step 1: Initial Configuration for Samba4

1. Before proceeding with the Samba4 AD DC installation, let's run a few prerequisite steps. First make sure the system is up to date with the latest security fixes, kernels and packages by issuing the commands below:

$ sudo apt-get update 
$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade

2. Next, open the machine's /etc/fstab file and make sure that your partitions' file systems have ACLs enabled, as illustrated in the screenshot below.

Usually, common modern Linux file systems such as ext3, ext4, xfs or btrfs support ACLs and have them enabled by default. If that is not the case with your file system, open the /etc/fstab file for editing, add the acl string at the end of the third column, and reboot the machine to apply the change.

Enable ACL's on Linux Filesystem

3. Finally, set your machine's hostname to a descriptive name, such as adc1 used in this example, by editing the /etc/hostname file or by issuing:

$ sudo hostnamectl set-hostname adc1

A reboot is necessary after changing the machine name in order to apply the change.

Step 2: Install Required Packages for Samba4 AD DC

4. In order to transform your server into an Active Directory Domain Controller, install Samba and all the required packages on your machine by issuing the below command with root privileges in a console.

$ sudo apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind

Install Samba on Ubuntu

5. While the installation is running a series of questions will be asked by the installer in order to configure the domain controller.

On the first screen you will need to add a name for the Kerberos default REALM in uppercase. Enter the name you will be using for your domain in uppercase and hit Enter to continue.

Configuring Kerberos Authentication

6. Next, enter the hostname of the Kerberos server for your domain. Use the same name as your domain, in lowercase this time, and hit Enter to continue.

Set Hostname Kerberos Server

7. Finally, specify the hostname for the administrative server of your Kerberos realm. Use the same as your domain and hit Enter to finish the installation.

Set Hostname Administrative Server

Step 3: Provision Samba AD DC for Your Domain

8. Before starting to configure Samba for your domain, first run the below commands in order to stop and disable all samba daemons.

$ sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
$ sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service

9. Next, rename or remove Samba's original configuration. This step is required before provisioning Samba AD because, at provision time, Samba creates a new configuration file from scratch and will throw errors if it finds an old smb.conf file.

$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial

10. Now, start the domain provisioning interactively by issuing the below command with root privileges and accept the default options that Samba provides you.

Also, make sure you supply the IP address of a DNS forwarder at your premises (or an external one) and choose a strong password for the Administrator account. If you choose a weak password for the Administrator account, the domain provision will fail.

$ sudo samba-tool domain provision --use-rfc2307 --interactive

Samba Domain Provisioning

11. Finally, rename or remove the main Kerberos configuration file from the /etc directory and replace it with a symlink to the Kerberos file newly generated by Samba in /var/lib/samba/private, by issuing the below commands:

$ sudo mv /etc/krb5.conf /etc/krb5.conf.initial
$ sudo ln -s /var/lib/samba/private/krb5.conf /etc/

Create Kerberos Configuration

12. Start and enable Samba Active Directory Domain Controller daemons.

$ sudo systemctl start samba-ad-dc.service
$ sudo systemctl status samba-ad-dc.service
$ sudo systemctl enable samba-ad-dc.service

Enable Samba Active Directory Domain Controller

13. Next, use the netstat command in order to verify that all the services required by Active Directory to run properly are listening.

$ sudo netstat -tulpn | egrep 'smbd|samba'

Verify Samba Active Directory

Step 4: Final Samba Configurations

14. At this moment Samba should be fully operational at your premises. The highest domain level Samba is emulating should be Windows AD DC 2008 R2.

It can be verified with the help of samba-tool utility.

$ sudo samba-tool domain level show

Verify Samba Domain Level

15. In order for DNS resolution to work locally, you need to open and edit the network interface settings and point the DNS resolution by modifying the dns-nameservers statement to the IP address of your Domain Controller (use 127.0.0.1 for local DNS resolution) and the dns-search statement to point to your realm.

$ sudo cat /etc/network/interfaces
$ sudo cat /etc/resolv.conf

Configure DNS for Samba AD

When finished, reboot your server and take a look at your resolver file to make sure it points back to the right DNS name servers.

16. Finally, test the DNS resolver by issuing queries and pings against some crucial AD DC records, as in the below excerpt. Replace the domain name accordingly.

$ ping -c3 tecmint.lan       #Domain Name
$ ping -c3 adc1.tecmint.lan  #FQDN
$ ping -c3 adc1              #Host

Check Samba AD DNS Records

Run the following queries against the Samba Active Directory Domain Controller:

$ host -t A tecmint.lan
$ host -t A adc1.tecmint.lan
$ host -t SRV _kerberos._udp.tecmint.lan  # UDP Kerberos SRV record
$ host -t SRV _ldap._tcp.tecmint.lan # TCP LDAP SRV record

17. Also, verify Kerberos authentication by requesting a ticket for the domain administrator account and list the cached ticket. Write the domain name portion with uppercase.

$ kinit administrator@TECMINT.LAN
$ klist

Check Kerberos Authentication on Domain
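A scripted version of the DNS checks in step 16, added here as an example and not part of the original tutorial: it looks up the SRV records an AD member relies on to locate the domain controller (the tutorial queries `_kerberos._udp` and `_ldap._tcp`; the `_msdcs`, `_kpasswd` and `_gc` names are the remaining standard ones, so this goes slightly beyond the text) and reports which are missing. `HOST_CMD` is a hypothetical hook that lets a test substitute the `host` lookup.

```shell
#!/bin/sh
# check_ad_srv.sh - report which AD locator SRV records the realm's resolver
# answers. Example written for this page, not part of the Samba project.
# Requires the 'host' utility (package dnsutils / bind9-host on Ubuntu).

# HOST_CMD is a hypothetical hook: it names the command used for lookups so
# that a test can substitute a fake resolver; the default is the real 'host'.
HOST_CMD="${HOST_CMD:-host}"

# SRV names an AD member queries when locating a DC. The tutorial verifies
# the first two; the others are the standard _msdcs/_kpasswd/_gc records.
AD_SRV_NAMES="_ldap._tcp _kerberos._udp _kerberos._tcp _kpasswd._udp _ldap._tcp.dc._msdcs _gc._tcp"

# srv_targets DOMAIN NAME -> prints the target host of every SRV record for
# NAME.DOMAIN (one per line, trailing dot stripped); prints nothing when the
# record is absent. 'host' answers look like:
#   _ldap._tcp.tecmint.lan has SRV record 0 100 389 adc1.tecmint.lan.
srv_targets() {
    "$HOST_CMD" -t SRV "$2.$1" 2>/dev/null |
        awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# check_ad_srv DOMAIN -> prints one OK/MISSING line per record and returns 0
# only when every record resolves to at least one target.
check_ad_srv() {
    domain="$1"
    missing=0
    command -v "$HOST_CMD" >/dev/null 2>&1 ||
        { echo "lookup command '$HOST_CMD' not found" >&2; return 2; }
    for name in $AD_SRV_NAMES; do
        targets=$(srv_targets "$domain" "$name")
        if [ -n "$targets" ]; then
            printf 'OK       %s.%s -> %s\n' "$name" "$domain" \
                "$(printf '%s' "$targets" | tr '\n' ' ')"
        else
            printf 'MISSING  %s.%s\n' "$name" "$domain"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: sh check_ad_srv.sh tecmint.lan
if [ $# -gt 0 ]; then
    check_ad_srv "$1"
fi
```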

That’s all! Now you have a fully operational AD Domain Controller installed in your network and you can start integrating Windows or Linux machines into Samba AD.

In the next part of the series we’ll cover other Samba AD topics, such as how to manage the domain controller from the Samba command line, how to integrate Windows 10 into the domain and manage Samba AD remotely using RSAT, and other important topics.

How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2

This tutorial will cover some basic daily commands you need to use in order to manage Samba4 AD Domain Controller infrastructure, such as adding, removing, disabling or listing users and groups.

We’ll also take a look on how to manage domain security policy and how to bind AD users to local PAM authentication in order for AD users to be able to perform local logins on Linux Domain Controller.

Requirements

  1. Create an AD Infrastructure with Samba4 on Ubuntu 16.04 – Part 1
  2. Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3
  3. Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4

Step 1: Manage Samba AD DC from Command Line

1. Samba AD DC can be managed through samba-tool command line utility which offers a great interface for administrating your domain.

With the help of samba-tool interface you can directly manage domain users and groups, domain Group Policy, domain sites, DNS services, domain replication and other critical domain functions.

To review the entire functionality of samba-tool just type the command with root privileges without any option or parameter.

# samba-tool -h

samba-tool - Manage Samba Administration Tool

2. Now, let’s start using samba-tool utility to administer Samba4 Active Directory and manage our users.

In order to create a user on AD use the following command:

# samba-tool user add your_domain_user

To add a user with several important fields required by AD, use the following syntax:

--------- review all options --------- 
# samba-tool user add -h  
# samba-tool user add your_domain_user --given-name=your_name --surname=your_username --mail-address=your_domain_user@tecmint.lan --login-shell=/bin/bash

Create User on Samba AD

3. A listing of all samba AD domain users can be obtained by issuing the following command:

# samba-tool user list

List Samba AD Users

4. To delete a samba AD domain user use the below syntax:

# samba-tool user delete your_domain_user

5. Reset a samba domain user password by executing the below command:

# samba-tool user setpassword your_domain_user

6. In order to disable or enable a samba AD user account use the below commands:

# samba-tool user disable your_domain_user
# samba-tool user enable your_domain_user

7. Likewise, samba groups can be managed with the following command syntax:

--------- review all options --------- 
# samba-tool group add -h  
# samba-tool group add your_domain_group

8. Delete a samba domain group by issuing the below command:

# samba-tool group delete your_domain_group

9. To display all samba domain groups run the following command:

# samba-tool group list

10. To list all the samba domain members in a specific group use the command:

# samba-tool group listmembers "your_domain group"

List Samba Domain Members of Group

11. Adding/Removing a member from a samba domain group can be done by issuing one of the following commands:

# samba-tool group addmembers your_domain_group your_domain_user
# samba-tool group removemembers your_domain_group your_domain_user

12. As mentioned earlier, samba-tool command line interface can also be used to manage your samba domain policy and security.

To review your samba domain password settings use the below command:

# samba-tool domain passwordsettings show

Check Samba Domain Password

13. In order to modify the samba domain password policy, such as the password complexity level, password ageing, length, how many old passwords to remember and other security features required for a Domain Controller, use the below screenshot as a guide.

---------- List all command options ---------- 
# samba-tool domain passwordsettings -h 

Manage Samba Domain Password Settings

Never use the password policy rules as illustrated above on a production environment. The above settings are used just for demonstration purposes.
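A small audit of the values that `samba-tool domain passwordsettings show` prints, written for this page as an added example (not Samba's code): it parses the tool's output and flags settings below a conservative baseline, so a demonstration-only policy like the one above is caught before it reaches production. The sample output is constructed after the tool's format and the thresholds are this example's own choice.

```shell
#!/bin/sh
# audit_passwordsettings.sh - flag weak values in the output of
# 'samba-tool domain passwordsettings show'. Example written for this page,
# not part of Samba; the thresholds are this example's own baseline.

# Constructed sample shaped like the tool's output (roughly what a fresh
# provision shows: complexity on, history 24, length 7, no lockout).
SAMPLE_POLICY=$(cat <<'EOF'
Password informations for domain 'DC=tecmint,DC=lan'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF
)

# setting TEXT LABEL -> value of the first line whose label begins with LABEL
# (the tool prints "Label (unit): value"; the unit part is optional).
setting() {
    printf '%s\n' "$1" |
        awk -F': *' -v l="$2" 'index($1, l) == 1 { print $2; exit }'
}

findings=0
flag() { printf 'WEAK  %s\n' "$1"; findings=$((findings + 1)); }

# audit_passwordsettings < policy-output -> prints one WEAK line per finding;
# returns 0 when the policy meets the baseline, 1 otherwise.
audit_passwordsettings() {
    text=$(cat)
    findings=0
    [ "$(setting "$text" 'Password complexity')" = on ] ||
        flag 'password complexity is off'
    [ "$(setting "$text" 'Store plaintext passwords')" = off ] ||
        flag 'plaintext (reversible) password storage is on'
    [ "$(setting "$text" 'Password history length')" -ge 24 ] ||
        flag 'password history shorter than 24'
    [ "$(setting "$text" 'Minimum password length')" -ge 14 ] ||
        flag 'minimum password length below 14'
    max_age=$(setting "$text" 'Maximum password age')
    { [ "$max_age" -gt 0 ] && [ "$max_age" -le 365 ]; } ||
        flag 'maximum password age is 0 (never expires) or over a year'
    [ "$(setting "$text" 'Account lockout threshold')" -gt 0 ] ||
        flag 'account lockout threshold is 0 (no lockout on bad passwords)'
    [ "$findings" -eq 0 ]
}

# Usage: sh audit_passwordsettings.sh            (audits the constructed sample)
#        samba-tool domain passwordsettings show | sh audit_passwordsettings.sh --stdin
case "${1:-}" in
    --stdin) audit_passwordsettings; echo "exit status: $?" ;;
    "")      printf '%s\n' "$SAMPLE_POLICY" | audit_passwordsettings
             echo "exit status: $?" ;;
esac
```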

Step 2: Samba Local Authentication Using Active Directory Accounts

14. By default, AD users cannot perform local logins on the Linux system outside Samba AD DC environment.

In order to login on the system with an Active Directory account you need to make the following changes on your Linux system environment and modify Samba4 AD DC.

First, open samba main configuration file and add the below lines, if missing, as illustrated on the below screenshot.

$ sudo nano /etc/samba/smb.conf

Make sure the following statements appear on the configuration file:

winbind enum users = yes
winbind enum groups = yes

Samba Authentication Using Active Directory User Accounts

15. After you’ve made the changes, use testparm utility to make sure no errors are found on samba configuration file and restart samba daemons by issuing the below command.

$ testparm
$ sudo systemctl restart samba-ad-dc.service

Check Samba Configuration for Errors

16. Next, we need to modify local PAM configuration files in order for Samba4 Active Directory accounts to be able to authenticate and open a session on the local system and create a home directory for users at first login.

Use the pam-auth-update command to open PAM configuration prompt and make sure you enable all PAM profiles using [space] key as illustrated on the below screenshot.

When finished hit [Tab] key to move to Ok and apply changes.

$ sudo pam-auth-update

Configure PAM for Samba4 AD

Enable PAM Authentication Module for Samba4 AD Users

17. Now, open /etc/nsswitch.conf file with a text editor and add winbind statement at the end of the password and group lines as illustrated on the below screenshot.

$ sudo vi /etc/nsswitch.conf

Add Winbind Service Switch for Samba

18. Finally, edit /etc/pam.d/common-password file, search for the below line as illustrated on the below screenshot and remove the use_authtok statement.

Removing it ensures that Active Directory users can change their password from the command line while authenticated in Linux. With this setting on, AD users authenticated locally on Linux cannot change their password from the console.

password       [success=1 default=ignore]      pam_winbind.so try_first_pass

Allow Samba AD Users to Change Passwords

Remove the use_authtok option again each time PAM updates are installed and applied to the PAM modules, or each time you execute the pam-auth-update command.

19. Samba4 binaries come with a winbindd daemon built-in and enabled by default.

For this reason you’re no longer required to separately enable and run the winbind daemon provided by the winbind package from the official Ubuntu repositories.

In case the old and deprecated winbind service is started on the system make sure you disable it and stop the service by issuing the below commands:

$ sudo systemctl disable winbind.service
$ sudo systemctl stop winbind.service

Although we no longer need to run the old winbind daemon, we still need to install the winbind package from the repositories in order to install and use the wbinfo tool.

The wbinfo utility can be used to query Active Directory users and groups from the winbindd daemon’s point of view.

The following commands illustrate how to query AD users and groups using wbinfo.

$ wbinfo -g
$ wbinfo -u
$ wbinfo -i your_domain_user

Check Samba4 AD Information

Check Samba4 AD User Info

20. Apart from wbinfo utility you can also use getent command line utility to query Active Directory database from Name Service Switch libraries which are represented in /etc/nsswitch.conf file.

Pipe getent command through a grep filter in order to narrow the results regarding just your AD realm user or group database.

# getent passwd | grep TECMINT
# getent group | grep TECMINT

Get Samba4 AD Details

Step 3: Login in Linux with an Active Directory User

21. In order to authenticate on the system with a Samba4 AD user, just use the AD username parameter after su - command.

At the first login a message will be displayed on the console which notifies you that a home directory has been created on the /home/$DOMAIN/ system path with the name of your AD username.

Use id command to display extra information about the authenticated user.

# su - your_ad_user
$ id
$ exit

Check Samba4 AD User Authentication on Linux

22. To change the password for an authenticated AD user type passwd command in console after you have successfully logged into the system.

$ su - your_ad_user
$ passwd

Change Samba4 AD User Password

23. By default, Active Directory users are not granted root privileges in order to perform administrative tasks on Linux.

To grant root powers to an AD user you must add the username to the local sudo group by issuing the below command.

Make sure you enclose the realm, backslash and AD username in single ASCII quotes.

# usermod -aG sudo 'DOMAIN\your_domain_user'

To test if AD user has root privileges on the local system, login and run a command, such as apt-get update, with sudo permissions.

# su - tecmint_user
$ sudo apt-get update

Grant sudo Permission to Samba4 AD User

24. In case you want to grant root privileges to all accounts of an Active Directory group, edit the /etc/sudoers file using the visudo command and add the below line after the root privileges line, as illustrated on the below screenshot:

%DOMAIN\\your_domain\ group ALL=(ALL:ALL) ALL

Pay attention to the sudoers syntax so you don’t break things.

The sudoers file doesn’t handle ASCII quotation marks very well, so make sure you use % to denote that you’re referring to a group, a backslash to escape the backslash after the domain name and another backslash to escape spaces if your group name contains spaces (most of the AD built-in groups contain spaces by default). Also, write the realm in uppercase.

Give Sudo Access to All Samba4 AD Users
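The escaping rules just described, packaged as an added example for this page (not sudo's or Samba's own code): the first function builds the sudoers entry from a realm and group name, uppercasing the realm, doubling the backslash after it and escaping spaces; the second writes it to a hypothetical drop-in file under /etc/sudoers.d only after `visudo -c` accepts it, so a typo cannot lock every administrator out of sudo.

```shell
#!/bin/sh
# sudoers_ad_group.sh - build and safely install a sudoers entry for an AD
# group. Example written for this page; not part of sudo or Samba.

# sudoers_ad_group_line REALM GROUP -> prints the entry. '%' marks a group,
# the realm is uppercased, the backslash after it is doubled and any spaces
# in the group name are backslash-escaped, as sudoers requires:
#   sudoers_ad_group_line tecmint 'Domain Admins'
#   -> %TECMINT\\Domain\ Admins ALL=(ALL:ALL) ALL
sudoers_ad_group_line() {
    [ -n "$1" ] && [ -n "$2" ] ||
        { echo "usage: sudoers_ad_group_line REALM GROUP" >&2; return 2; }
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    group=$(printf '%s' "$2" | sed 's/ /\\ /g')
    printf '%%%s\\\\%s ALL=(ALL:ALL) ALL\n' "$realm" "$group"
}

# install_sudoers_ad_group REALM GROUP -> writes the entry to a drop-in file
# (hypothetical name /etc/sudoers.d/ad-<group>) only after 'visudo -c'
# confirms the syntax. Run as root.
install_sudoers_ad_group() {
    target="/etc/sudoers.d/ad-$(printf '%s' "$2" | tr ' A-Z' '-a-z')"
    tmp=$(mktemp) || return 1
    sudoers_ad_group_line "$1" "$2" > "$tmp" || { rm -f "$tmp"; return 2; }
    chmod 0440 "$tmp"                      # the mode sudo expects for sudoers files
    if visudo -c -q -f "$tmp"; then
        install -m 0440 -o root -g root "$tmp" "$target" && echo "installed $target"
    else
        echo "syntax check failed, not installing $target" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

# Usage: sh sudoers_ad_group.sh tecmint 'Domain Admins'            (print only)
#        sudo sh sudoers_ad_group.sh tecmint 'Domain Admins' --install
if [ $# -ge 2 ]; then
    if [ "${3:-}" = --install ]; then
        install_sudoers_ad_group "$1" "$2"
    else
        sudoers_ad_group_line "$1" "$2"
    fi
fi
```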

That’s all for now! Managing Samba4 AD infrastructure can also be achieved with several tools from the Windows environment, such as ADUC, DNS Manager, GPM or others, which can be obtained by installing the RSAT package from the Microsoft download page.

To administer Samba4 AD DC through RSAT utilities, it’s absolutely necessary to join the Windows system into Samba4 Active Directory.

Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3

In this part of the Samba4 AD DC infrastructure series we will talk about how to join a Windows 10 machine into a Samba4 realm and how to administer the domain from a Windows 10 workstation.

Once a Windows 10 system has been joined to Samba4 AD DC we can create, remove or disable domain users and groups, we can create new Organizational Units, we can create, edit and manage domain policy or we can manage Samba4 domain DNS service.

All of the above functions and other complex tasks concerning domain administration can be achieved via any modern Windows platform with the help of RSAT – Microsoft Remote Server Administration Tools.

Requirements

  1. Create an AD Infrastructure with Samba4 on Ubuntu 16.04 – Part 1
  2. Manage Samba4 AD Infrastructure from Linux Command Line – Part 2
  3. Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4

Step 1: Configure Domain Time Synchronization

1. Before starting to administer Samba4 AD DC from Windows 10 with the help of RSAT tools, we need to take care of a crucial service required by Active Directory: accurate time synchronization.

Time synchronization can be offered by the NTP daemon in most Linux distributions. The default maximum time discrepancy an AD can tolerate is about 5 minutes.

If the time divergence is greater than 5 minutes you should start experiencing various errors, most importantly concerning AD users, joined machines or share access.

To install Network Time Protocol daemon and NTP client utility in Ubuntu, execute the below command.

$ sudo apt-get install ntp ntpdate

Install NTP on Ubuntu

2. Next, open and edit NTP configuration file and replace the default NTP pool server list with a new list of NTP servers which are geographically located near your current physical equipment location.

The list of NTP servers can be obtained by visiting official NTP Pool Project webpage http://www.pool.ntp.org/en/.

$ sudo nano /etc/ntp.conf

Comment the default server list by adding a # in front of each pool line and add the below pool lines with your proper NTP servers as illustrated on the below screenshot.

pool 0.ro.pool.ntp.org iburst
pool 1.ro.pool.ntp.org iburst
pool 2.ro.pool.ntp.org iburst

# Use Ubuntu's ntp server as a fallback.
pool 3.ro.pool.ntp.org

Configure NTP Server in Ubuntu

3. Now, don’t close the file yet. Move to the top at the file and add the below line after the driftfile statement. This setup allows the clients to query the server using AD signed NTP requests.

ntpsigndsocket /var/lib/samba/ntp_signd/

Sync AD with NTP

4. Finally, move to the bottom of the file and add the below line, as illustrated on the below screenshot, which will allow network clients only to query the time on the server.

restrict default kod nomodify notrap nopeer mssntp

Query Clients to NTP Server

5. When finished, save and close the NTP configuration file and grant the NTP service the proper permissions to read the ntp_signd directory.

This is the system path where the Samba NTP socket is located. Afterwards, restart the NTP daemon to apply the changes and verify that NTP has open sockets in your system network table using the netstat command combined with a grep filter.

$ sudo chown root:ntp /var/lib/samba/ntp_signd/
$ sudo chmod 750 /var/lib/samba/ntp_signd/
$ sudo systemctl restart ntp
$ sudo netstat -tulpn | grep ntp

Grant Permission to NTP

Use the ntpq command line utility to monitor NTP daemon along with the -p flag in order to print a summary of peers state.

$ ntpq -p

Monitor NTP Server Pool
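A lint for the settings steps 2 to 5 add to /etc/ntp.conf, written for this page as an added example (not from the ntp project or Samba): it reads a config on stdin and fails unless an upstream pool/server line, an `ntpsigndsocket` pointing at Samba's socket directory, and a `restrict default` line carrying `mssntp` and `nomodify` are all present, and a second helper checks the ownership and mode the chown/chmod commands above set. The sample config is constructed from the lines in this section.

```shell
#!/bin/sh
# lint_ntp_conf.sh - check an ntp.conf for the Samba AD specific settings.
# Example written for this page, not part of ntp or Samba.

# Constructed sample, assembled from the lines this section adds.
SAMPLE_NTP_CONF=$(cat <<'EOF'
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd/

# default pool list, commented out as the tutorial instructs
#pool 0.ubuntu.pool.ntp.org iburst
pool 0.ro.pool.ntp.org iburst
pool 1.ro.pool.ntp.org iburst
pool 2.ro.pool.ntp.org iburst
pool 3.ro.pool.ntp.org

restrict default kod nomodify notrap nopeer mssntp
EOF
)

# lint_ntp_conf < ntp.conf -> prints a FAIL line per missing item, or OK;
# returns 0 only when all checks pass. Comment and blank lines are ignored.
lint_ntp_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "pool" || $1 == "server" { upstream++ }
        $1 == "ntpsigndsocket" && $2 ~ /^\/var\/lib\/samba\/ntp_signd\/?$/ { signd = 1 }
        $1 == "restrict" && $2 == "default" {
            restrict_default = 1
            for (i = 3; i <= NF; i++) opt[$i] = 1      # collect the flags on the line
        }
        END {
            rc = 0
            if (!upstream) { print "FAIL no pool/server line: the DC has no upstream time source"; rc = 1 }
            if (!signd) { print "FAIL ntpsigndsocket missing or not /var/lib/samba/ntp_signd/: domain clients get unsigned replies"; rc = 1 }
            if (!restrict_default) { print "FAIL no restrict default line"; rc = 1 }
            else {
                if (!("mssntp" in opt)) { print "FAIL restrict default lacks mssntp: MS-SNTP signing disabled"; rc = 1 }
                if (!("nomodify" in opt)) { print "FAIL restrict default lacks nomodify: clients could alter server state"; rc = 1 }
            }
            if (rc == 0) print "OK ntp.conf carries the Samba AD settings"
            exit rc
        }'
}

# check_ntp_signd_dir [DIR] -> verifies the socket directory is owned by
# root:ntp with mode 750, which is what the chown/chmod commands above set.
check_ntp_signd_dir() {
    dir="${1:-/var/lib/samba/ntp_signd}"
    [ -d "$dir" ] || { echo "FAIL $dir does not exist (is samba-ad-dc running?)"; return 1; }
    found=$(stat -c '%U:%G %a' "$dir")
    echo "$dir is $found"
    [ "$found" = "root:ntp 750" ]
}

# Usage: sh lint_ntp_conf.sh /etc/ntp.conf   (no argument: lints the sample)
if [ $# -gt 0 ]; then
    lint_ntp_conf < "$1"
else
    printf '%s\n' "$SAMPLE_NTP_CONF" | lint_ntp_conf
fi
```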

Step 2: Troubleshoot NTP Time Issues

6. Sometimes the NTP daemon gets stuck in calculations while trying to synchronize time with an upstream NTP server peer, resulting in the following error messages when manually trying to force time synchronization by running the ntpdate utility on a client:

# ntpdate -qu adc1
ntpdate[4472]: no server suitable for synchronization found

NTP Time Synchronization Error

or, when using the ntpdate command with the -d flag:

# ntpdate -d adc1.tecmint.lan
Server dropped: Leap not in sync

NTP Server Dropped Leap Not in Sync

7. To circumvent this issue, use the following trick to solve the problem: On the server, stop the NTP service and use the ntpdate client utility to manually force time synchronization with an external peer using the -b flag as shown below:

# systemctl stop ntp.service
# ntpdate -b 2.ro.pool.ntp.org  [your_ntp_peer]
# systemctl start ntp.service
# systemctl status ntp.service

Force NTP Time Synchronization

8. After the time has been accurately synchronized, start the NTP daemon on the server and verify from the client side if the service is ready to serve time for local clients by issuing the following command:

# ntpdate -du adc1.tecmint.lan    [your_adc_server]

Verify NTP Time Synchronization

By now, NTP server should work as expected.

Step 3: Join Windows 10 into Realm

9. As we saw in our previous tutorial, Samba4 Active Directory can be managed from command line using samba-tool utility interface which can be accessed directly from server’s VTY console or remotely connected through SSH.

Another, more intuitive and flexible alternative would be to manage our Samba4 AD Domain Controller via Microsoft Remote Server Administration Tools (RSAT) from a Windows workstation integrated into the domain. These tools are available in almost all modern Windows systems.

The process of joining Windows 10 or older versions of Microsoft OS into Samba4 AD DC is very simple. First, make sure that your Windows 10 workstation has the correct Samba4 DNS IP address configured in order to query the proper realm resolver.

Open Control panel -> Network and Internet -> Network and Sharing Center -> Ethernet card -> Properties -> IPv4 -> Properties -> Use the following DNS server addresses and manually place Samba4 AD IP Address to the network interface as illustrated in the below screenshots.

join Windows to Samba4 AD

Add DNS and Samba4 AD IP Address

Here, 192.168.1.254 is the IP Address of Samba4 AD Domain Controller responsible for DNS resolution. Replace the IP Address accordingly.

10. Next, apply the network settings by hitting on OK button, open a Command Prompt and issue a ping against the generic domain name and Samba4 host FQDN in order to test if the realm is reachable through DNS resolution.

ping tecmint.lan
ping adc1.tecmint.lan

Check Network Connectivity Between Windows and Samba4 AD

11. If the resolver correctly responds to Windows client DNS queries, then, you need to assure that the time is accurately synchronized with the realm.

Open Control Panel -> Clock, Language and Region -> Set Time and Date -> Internet Time tab -> Change Settings and write your domain name in the Synchronize with an Internet time server field.

Hit on Update Now button to force time synchronization with the realm and hit OK to close the window.

Synchronize Time with Internet Server

12. Finally, join the domain by opening System Properties -> Change -> Member of Domain, write your domain name, hit OK, enter your domain administrative account credentials and hit OK again.

A new pop-up window should open informing you’re a member of the domain. Hit OK to close the pop-up window and reboot the machine in order to apply domain changes.

The below screenshot will illustrate these steps.

Join Windows Domain to Samba4 AD

Enter Domain Administration Login

Domain Joined to Samba4 AD Confirmation

Restart Windows Server for Changes

13. After restart, hit on Other user and logon to Windows with a Samba4 domain account with administrative privileges and you should be ready to move to the next step.

Login to Windows Using Samba4 AD Account

Step 4: Administer Samba4 AD DC with RSAT

14. Microsoft Remote Server Administration Tools (RSAT), which will be further used to administer Samba4 Active Directory, can be downloaded from the following links, depending on your Windows version:

  1. Windows 10 – https://www.microsoft.com/en-us/download/details.aspx?id=45520
  2. Windows 8.1 – http://www.microsoft.com/en-us/download/details.aspx?id=39296
  3. Windows 8 – http://www.microsoft.com/en-us/download/details.aspx?id=28972
  4. Windows 7 – http://www.microsoft.com/en-us/download/details.aspx?id=7887

Once the update standalone installer package for Windows 10 has been downloaded on your system, run the installer, wait for the installation to finish and restart the machine to apply all updates.

After reboot, open Control Panel -> Programs (Uninstall a Program) -> Turn Windows features on or off and check all Remote Server Administration Tools.

Click OK to start the installation and after the installation process finishes, restart the system.

Administer Samba4 AD from Windows

15. To access RSAT tools go to Control Panel -> System and Security -> Administrative Tools.

The tools can also be found in the Administrative tools menu from start menu. Alternatively, you can open Windows MMC and add Snap-ins using the File -> Add/Remove Snap-in menu.

Access Remote Server Administration Tools

The most used tools, such as ADUC, DNS and Group Policy Management, can be launched directly from the Desktop by creating shortcuts using the Send to feature from the menu.

16. You can verify RSAT functionality by opening ADUC and listing domain Computers (the newly joined Windows machine should appear in the list), or by creating a new Organizational Unit, user or group.

Verify if the users or groups had been properly created by issuing wbinfo command from Samba4 server side.

Active Directory Users and Computers

Create Organizational Units and New Users

Confirm Samba4 AD Users

That’s it! In the next part of this topic we will cover other important aspects of a Samba4 Active Directory which can be administered via RSAT, such as how to manage the DNS server, add DNS records and create a reverse DNS lookup zone, how to manage and apply domain policy and how to create an interactive logon banner for your domain users.

Manage Samba4 AD Domain Controller DNS and Group Policy from Windows – Part 4

Continuing the previous tutorial on how to administer Samba4 from Windows 10 via RSAT, in this part we’ll see how to remotely manage our Samba AD Domain controller DNS server from Microsoft DNS Manager, how to create DNS records, how to create a Reverse Lookup Zone and how to create a domain policy via Group Policy Management tool.

Requirements

  1. Create an AD Infrastructure with Samba4 on Ubuntu 16.04 – Part 1
  2. Manage Samba4 AD Infrastructure from Linux Command Line – Part 2
  3. Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3

Step 1: Manage Samba DNS Server

Samba4 AD DC uses an internal DNS resolver module which is created during the initial domain provision (if BIND9 DLZ module is not specifically used).

Samba4 internal DNS module supports the basic features needed for an AD Domain Controller. The domain DNS server can be managed in two ways, directly from command line through samba-tool interface or remotely from a Microsoft workstation which is part of the domain via RSAT DNS Manager.

Here, we’ll cover the second method because it’s more intuitive and not so prone to errors.

1. To administer the DNS service for your domain controller via RSAT, go to your Windows machine, open Control Panel -> System and Security -> Administrative Tools and run DNS Manager utility.

Once the tool opens, it will ask you on what DNS running server you want to connect. Choose The following computer, type your domain name in the field (or IP Address or FQDN can be used as well), check the box that says ‘Connect to the specified computer now’ and hit OK to open your Samba DNS service.

Connect Samba4 DNS on Windows

2. In order to add a DNS record (as an example we will add an A record that will point to our LAN gateway), navigate to the domain Forward Lookup Zone, right click on the right pane and choose New Host (A or AAAA).

Add DNS A Record on Windows

3. On the New host opened window, type the name and the IP Address of your DNS resource. The FQDN will be automatically written for you by DNS utility. When finished, hit the Add Host button and a pop-up window will inform you that your DNS A record has been successfully created.

Make sure you add DNS A records only for those resources in your network configured with static IP Addresses. Don’t add DNS A records for hosts which are configured to acquire network configurations from a DHCP server or their IP Addresses change often.

Configure Samba Host on Windows

To update a DNS record just double click on it and write your modifications. To delete the record right click on the record and choose delete from the menu.

In the same way you can add other types of DNS records for your domain, such as CNAME (also known as a DNS alias record), MX records (very useful for mail servers) or other types of records (SPF, TXT, SRV etc.).

Step 2: Create a Reverse Lookup Zone

By default, Samba4 AD DC doesn’t automatically add a reverse lookup zone and PTR records for your domain because these types of records are not crucial for a domain controller to function correctly.

Instead, a DNS reverse zone and its PTR records are crucial for the functionality of some important network services, such as an e-mail service, because these types of records can be used to verify the identity of clients requesting a service.

Practically, PTR records are just the opposite of standard DNS records: the client knows the IP address of a resource and queries the DNS server to find out its registered DNS name.

4. In order to create a reverse lookup zone for Samba AD DC, open DNS Manager, right click on Reverse Lookup Zone in the left pane and choose New Zone from the menu.

Create Reverse Lookup DNS Zone

5. Next, hit Next button and choose Primary zone from Zone Type Wizard.

Select DNS Zone Type

6. Next, choose To all DNS servers running on domain controllers in this domain from the AD Zone Replication Scope, choose IPv4 Reverse Lookup Zone and hit Next to continue.

Select DNS for Samba Domain Controller

Add Reverse Lookup Zone Name

7. Next, type the IP network address for your LAN in the Network ID field and hit Next to continue.

All PTR records added in this zone for your resources will point back only to 192.168.1.0/24 network portion. If you want to create a PTR record for a server that does not reside in this network segment (for example mail server which is located in 10.0.0.0/24 network), then you’ll need to create a new reverse lookup zone for that network segment as well.

Add IP Address of Reverse Lookup DNS Zone

8. On the next screen choose Allow only secure dynamic updates, hit Next to continue and, finally, hit Finish to complete zone creation.

Enable Secure Dynamic Updates

New DNS Zone Summary

9. At this point you have a valid DNS reverse lookup zone configured for your domain. In order to add a PTR record in this zone, right click on the right pane and choose to create a PTR record for a network resource.

In this case we’ve created a pointer for our gateway. In order to test if the record was properly added and works as expected from client’s point of view, open a Command Prompt and issue a nslookup query against the name of the resource and another query for its IP Address.

Both queries should return the correct answer for your DNS resource.

nslookup gate.tecmint.lan
nslookup 192.168.1.1
ping gate

Add DNS PTR Record and Query PTR

Step 3: Domain Group Policy Management

10. An important aspect of a domain controller is its ability to control system resources and security from a single central point. This type of task can be easily achieved in a domain controller with the help of Domain Group Policy.

Unfortunately, the only way to edit or manage group policy in a Samba domain controller is through the RSAT GPM console provided by Microsoft.

In the below example we’ll see how simple it can be to manipulate group policy for our Samba domain in order to create an interactive logon banner for our domain users.

In order to access the group policy console, go to Control Panel -> System and Security -> Administrative Tools and open the Group Policy Management console.

Expand the fields for your domain and right click on Default Domain Policy. Choose Edit from the menu and a new window should appear.

Manage Samba Domain Group Policy

11. In the Group Policy Management Editor window go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options and a new options list should appear in the right pane.

In the right pane search for and edit, with your custom settings, the two entries presented on the below screenshot.

Configure Samba Domain Group Policy

12. After finishing editing the two entries, close all windows, open an elevated Command Prompt and force group policy to apply on your machine by issuing the below command:

gpupdate /force

Update Samba Domain Group Policy

13. Finally, reboot your computer and you’ll see the logon banner in action when you try to log on.

Samba4 AD Domain Controller Logon Banner

That’s all! Group Policy is a very complex and sensitive subject and should be treated with maximum care by system admins. Also, be aware that group policy settings won’t apply in any way to Linux systems integrated into the realm.

Join an Additional Ubuntu DC to Samba4 AD DC for FailOver Replication – Part 5

This tutorial will show you how to add a second Samba4 domain controller, provisioned on an Ubuntu 16.04 server, to the existing Samba AD DC forest in order to provide a degree of load balancing/failover for some crucial AD DC services, especially DNS and the AD DC LDAP schema with the SAM database.

Requirements

  1. Create an Active Directory Infrastructure with Samba4 on Ubuntu – Part 1

This article is Part 5 of the Samba4 AD DC series.

Step 1: Initial Configuration for Samba4 Setup

1. Before you actually join the second DC to the domain, you need to take care of a few initial settings. First, make sure the hostname of the system which will be integrated into Samba4 AD DC is a descriptive name.

Assuming that the hostname of the first provisioned DC is adc1, you can name the second DC adc2 in order to provide a consistent naming scheme across your domain controllers.

To change the system hostname you can issue the below command.

# hostnamectl set-hostname adc2

Alternatively, you can manually edit the /etc/hostname file and add a new line with the desired name.

# nano /etc/hostname

Here add the hostname.

adc2

2. Next, open the local system resolution file and add an entry with the IP address which points to the short name and FQDN of the main domain controller, as illustrated in the below screenshot.

Throughout this tutorial, the primary DC name is adc1.tecmint.lan and it resolves to the IP address 192.168.1.254.

# nano /etc/hosts

Add the following line:

IP_of_main_DC		FQDN_of_main_DC 	short_name_of_main_DC

Set Hostname for Samba4 AD DC

3. On the next step, open /etc/network/interfaces and assign a static IP address for your system as illustrated in the below screenshot.

Pay attention to dns-nameservers and dns-search variables. These values should be configured to point back to the IP address of the primary Samba4 AD DC and realm in order for DNS resolution to work correctly.

Restart the network daemon in order to apply the changes. Check the /etc/resolv.conf file to make sure that both DNS values from your network interface have been written to this file.

# nano /etc/network/interfaces

Edit and replace with your custom IP settings:

auto ens33
iface ens33 inet static
        address 192.168.1.253
        netmask 255.255.255.0
        # broadcast address of the 192.168.1.0/24 network
        broadcast 192.168.1.255
        gateway 192.168.1.1
        # DNS must point at the primary Samba4 AD DC and the realm
        dns-nameservers 192.168.1.254
        dns-search tecmint.lan

Restart network service and confirm changes.

# systemctl restart networking.service
# cat /etc/resolv.conf

Configure DNS for Samba4 AD

The dns-search value will automatically append the domain name when you query a host by its short name (will form the FQDN).

4. In order to test if DNS resolution is working as expected, issue a series of ping commands against your domain short name, FQDN and realm as shown in the below screenshot.

In all these cases Samba4 AD DC DNS server should reply with the IP address of your main DC.

Verify DNS Resolution for Samba4 AD

5. The final additional step that you need to take care of is time synchronization with your main domain controller. This can be accomplished by installing the NTP client utility on your system with the below command:

# apt-get install ntpdate

6. Assuming that you want to manually force time synchronization with samba4 AD DC, run ntpdate command against the primary DC by issuing the following command.

# ntpdate adc1

Time Synchronize with Samba4 AD

Step 2: Install Samba4 with Required Dependencies

7. In order to enroll the Ubuntu 16.04 system into your domain, first install Samba4, the Kerberos client and a few other important packages for later use from the official Ubuntu repositories by issuing the below command:

# apt-get install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind

Install Samba4 in Ubuntu

8. During the installation you will need to provide the Kerberos realm name. Write your domain name in uppercase and press the [Enter] key to finish the installation process.

Configure Kerberos Authentication for Samba4

9. After the package installation finishes, verify the settings by requesting a Kerberos ticket for a domain administrator using the kinit command. Use the klist command to list the granted Kerberos ticket.

# kinit domain-admin-user@YOUR_DOMAIN.TLD
# klist

Verify Kerberos on Samba4 Domain

Step 3: Join to Samba4 AD DC as a Domain Controller

10. Before integrating your machine into the Samba4 domain, first make sure all Samba4 daemons running on your system are stopped and also rename the default Samba configuration file in order to start clean. While provisioning the domain controller, Samba will create a new configuration file from scratch.

# systemctl stop samba-ad-dc smbd nmbd winbind
# mv /etc/samba/smb.conf /etc/samba/smb.conf.initial

11. In order to start the domain joining process, first start only the samba-ad-dc daemon, after which you will run the samba-tool command to join the realm using an account with administrative privileges on your domain.

# samba-tool domain join your_domain DC -U "your_domain_admin"

Domain integration excerpt:

# samba-tool domain join tecmint.lan DC -U"tecmint_user"
Sample Output
Finding a writeable DC for domain 'tecmint.lan'
Found DC adc1.tecmint.lan
Password for [WORKGROUP\tecmint_user]:
workgroup is TECMINT
realm is tecmint.lan
checking sAMAccountName
Deleted CN=ADC2,CN=Computers,DC=tecmint,DC=lan
Adding CN=ADC2,OU=Domain Controllers,DC=tecmint,DC=lan
Adding CN=ADC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tecmint,DC=lan
Adding CN=NTDS Settings,CN=ADC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tecmint,DC=lan
Adding SPNs to CN=ADC2,OU=Domain Controllers,DC=tecmint,DC=lan
Setting account password for ADC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Provision OK for domain DN DC=tecmint,DC=lan
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=tecmint,DC=lan] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[402/1614] linked_values[0/0]
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[804/1614] linked_values[0/0]
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[1206/1614] linked_values[0/0]
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[1608/1614] linked_values[0/0]
Partition[CN=Configuration,DC=tecmint,DC=lan] objects[1614/1614] linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=tecmint,DC=lan] objects[97/97] linked_values[24/0]
Partition[DC=tecmint,DC=lan] objects[380/283] linked_values[27/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=tecmint,DC=lan
Partition[DC=DomainDnsZones,DC=tecmint,DC=lan] objects[45/45] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=tecmint,DC=lan
Partition[DC=ForestDnsZones,DC=tecmint,DC=lan] objects[18/18] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain TECMINT (SID S-1-5-21-715537322-3397311598-55032968) as a DC

Join Domain to Samba4 AD DC

12. After the Ubuntu system with Samba4 has been integrated into the domain, open the Samba main configuration file and add the following lines:

# nano /etc/samba/smb.conf

Add the following excerpt to the smb.conf file.

        dns forwarder = 192.168.1.1
        idmap_ldb:use rfc2307 = yes

        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

Replace dns forwarder IP address with your own DNS forwarder IP. Samba will forward all DNS resolution queries that are outside your domain authoritative zone to this IP address.

13. Finally, restart the Samba daemon to apply the changes and check Active Directory replication by executing the following commands.

# systemctl restart samba-ad-dc
# samba-tool drs showrepl

Configure Samba4 DNS

14. Additionally, rename the initial Kerberos configuration file in /etc and replace it with the new krb5.conf configuration file generated by Samba while provisioning the domain.

The file is located in the /var/lib/samba/private directory. Use a symlink to link this file into the /etc directory.

# mv /etc/krb5.conf /etc/krb5.conf.initial
# ln -s /var/lib/samba/private/krb5.conf /etc/
# cat /etc/krb5.conf

Configure Kerberos

15. Also verify Kerberos authentication with the Samba krb5.conf file. Request a ticket for an administrator user and list the cached ticket by issuing the below commands.

# kinit administrator
# klist

Verify Kerberos Authentication with Samba

Step 4: Additional Domain Services Validations

16. The first test you need to perform is Samba4 DC DNS resolution. To validate your domain DNS resolution, query the domain name using the host command against a few crucial AD DNS records as presented on the below screenshot.

The DNS server should now reply with two IP addresses for each query, one for each domain controller.

# host your_domain.tld
# host -t SRV _kerberos._udp.your_domain.tld  # UDP Kerberos SRV record
# host -t SRV _ldap._tcp.your_domain.tld  # TCP LDAP SRV record

Verify Samba4 DC DNS
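
Checking these SRV records by hand works once; what matters for failover is that both DCs keep being advertised, since a DC missing from the SRV answers is never tried by domain clients. The following is an added example, not part of the tutorial, of a POSIX shell check that parses the output of host -t SRV and reports any expected DC that is absent. The DC names adc1/adc2 and the domain tecmint.lan are the tutorial's; the embedded answers are constructed sample output and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the tutorial: verify that the AD SRV records
# advertise every domain controller. Names follow the tutorial (adc1, adc2,
# tecmint.lan); the sample answers below are constructed.

# Constructed output of `host -t SRV _ldap._tcp.tecmint.lan` from a healthy
# domain in which both DCs answer.
SRV_HEALTHY='_ldap._tcp.tecmint.lan has SRV record 0 100 389 adc1.tecmint.lan.
_ldap._tcp.tecmint.lan has SRV record 0 100 389 adc2.tecmint.lan.'

# srv_targets OUTPUT: print the target host of each SRV answer, one per
# line, without the trailing dot that host(1) prints.
srv_targets() {
    printf '%s\n' "$1" | awk '/ has SRV record / { sub(/\.$/, "", $NF); print $NF }'
}

# missing_dcs OUTPUT DC...: print each expected DC absent from the answers.
missing_dcs() {
    answers=$(srv_targets "$1")
    shift
    for dc in "$@"; do
        printf '%s\n' "$answers" | grep -qxF "$dc" || echo "$dc"
    done
}

# check_srv OUTPUT DC...: return 0 when every expected DC is advertised,
# 1 otherwise (a DC missing here is never tried by domain clients).
check_srv() {
    missing=$(missing_dcs "$@")
    if [ -z "$missing" ]; then
        echo "all expected DCs advertised"
        return 0
    fi
    echo "not advertised: $(printf '%s' "$missing" | tr '\n' ' ')"
    return 1
}

# query_srv SERVICE PROTO DOMAIN: live lookup, e.g. query_srv ldap tcp tecmint.lan
query_srv() {
    host -t SRV "_$1._$2.$3"
}

# Usage against the live domain (needs host(1) and reachable DCs):
#   check_srv "$(query_srv ldap tcp tecmint.lan)" adc1.tecmint.lan adc2.tecmint.lan
#   check_srv "$(query_srv kerberos udp tecmint.lan)" adc1.tecmint.lan adc2.tecmint.lan
```

Running the two usage lines from cron on a monitoring host gives an early warning when one DC drops out of the _ldap._tcp or _kerberos._udp answers, which is the condition under which the second DC stops providing any redundancy.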

17. These DNS records should also be visible from an enrolled Windows machine with RSAT tools installed. Open DNS Manager and expand to your domain’s tcp records as shown in the below image.

Verify DNS Records on Windows RSAT Tool

18. The next test should indicate if domain LDAP replication works as expected. Using samba-tool, create an account on the second domain controller and verify if the account is automatically replicated on the first Samba4 AD DC.

On adc2:
# samba-tool user add test_user
On adc1:
# samba-tool user list | grep test_user

Create User Account on Samba4 AD

Verify Replication on Samba4 AD

19. You can also create an account from the Microsoft AD UC console and verify if the account appears on both domain controllers.

By default, the account should be automatically created on both Samba domain controllers. Query the account name from adc1 using the wbinfo command.

Create Account from Microsoft AD UC

Verify Account Replication On Samba4 AD

20. Likewise, open the AD UC console from Windows, expand to Domain Controllers and you should see both enrolled DC machines.

Verify Samba4 Domain Controllers

Step 5: Enable Samba4 AD DC Service

21. In order to enable the Samba4 AD DC services system-wide, first disable some old and unused Samba daemons and enable only the samba-ad-dc service by running the below commands:

# systemctl disable smbd nmbd winbind
# systemctl enable samba-ad-dc

Enable Samba4 AD DC Services

22. If you remotely administer the Samba4 domain controller from a Microsoft client, or you have other Linux or Windows clients integrated into your domain, make sure you add the IP address of the adc2 machine to their network interface DNS server settings in order to gain a level of redundancy.

The below screenshots illustrate the configuration required for a Windows or a Debian/Ubuntu client.

Configure Client to Administer Samba4 DC

Configure Linux Client to Administer Samba4 DC

Assuming that the first DC with 192.168.1.254 goes offline, reverse the order of the DNS server IP addresses in the configuration file so the client won’t first try to query an unavailable DNS server.

Finally, in case you want to perform local authentication on a Linux system with a Samba4 Active Directory account or grant root privileges for AD LDAP accounts in Linux, read the steps 2 and 3 from the tutorial Manage Samba4 AD Infrastructure from Linux Command Line.

Setup SysVol Replication Across Two Samba4 AD DC with Rsync – Part 6

This topic will cover SysVol replication across two Samba4 Active Directory domain controllers performed with the help of a few powerful Linux tools, such as the Rsync file synchronization utility, the Cron scheduling daemon and the SSH protocol.

Requirements:

  1. Join Ubuntu 16.04 as Additional Domain Controller to Samba4 AD DC – Part 5

Step 1: Accurate Time Synchronization Across DCs

1. Before starting to replicate the contents of the sysvol directory across both domain controllers you need to provide accurate time on these machines.

If the clocks differ by more than 5 minutes in either direction and are not properly in sync, you will start experiencing various problems with AD accounts and domain replication.

To overcome the problem of time drift between two or more domain controllers, you need to install and configure an NTP server on your machine by executing the below command.

# apt-get install ntp

2. After the NTP daemon has been installed, open the main configuration file, comment out the default pools (add a # in front of each pool line) and add a new pool which points back to the FQDN of the main Samba4 AD DC with the NTP server installed, as suggested in the below example.

# nano /etc/ntp.conf

Add the following lines to the ntp.conf file.

#pool 0.ubuntu.pool.ntp.org iburst
#pool 1.ubuntu.pool.ntp.org iburst
#pool 2.ubuntu.pool.ntp.org iburst
#pool 3.ubuntu.pool.ntp.org iburst

pool adc1.tecmint.lan

# Use Ubuntu's ntp server as a fallback.
pool ntp.ubuntu.com

Configure NTP for Samba4

3. Don’t close the file yet; move to the bottom of the file and add the following lines so that other clients are able to query and sync time with this NTP server, issuing signed NTP requests, in case the primary DC goes offline:

restrict source notrap nomodify noquery mssntp
ntpsigndsocket /var/lib/samba/ntp_signd/

4. Finally, save and close the configuration file and restart the NTP daemon in order to apply the changes. Wait a few seconds or minutes for the time to synchronize and issue the ntpq command in order to print the current summary state of the adc1 peer in sync.

# systemctl restart ntp
# ntpq -p

Synchronize NTP Time with Samba4 AD
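
The ntpq -p summary is easy to check by script rather than by eye. The following is an added example, not part of the tutorial, that parses that output and reports whether adc1 has been selected as the system peer and whether the clock offset stays within a limit, so that drift is caught long before the 5 minute boundary at which AD replication starts to fail. The embedded ntpq output is constructed; the 1000 ms threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the tutorial: parse `ntpq -p` output to confirm
# that the second DC has selected adc1 as its system peer and that the clock
# offset is within a threshold. The tutorial's tolerance is 5 minutes; the
# 1000 ms limit used below is an assumption chosen to warn well before that.

# Constructed `ntpq -p` output as printed on adc2 once it is in sync. ntpq
# truncates the remote name to 15 characters, hence "adc1.tecmint.la"; the
# refid of the fallback pool server is a documentation-range placeholder.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*adc1.tecmint.la 192.168.1.1      3 u   34   64  377    0.412   -1.234   0.318
+ntp.ubuntu.com  203.0.113.10     2 u   41   64  377   12.345    3.210   1.201'

# selected_peer OUTPUT: print the name of the peer marked '*' (the system
# peer ntpd is synchronising to), or nothing if none is selected yet.
selected_peer() {
    printf '%s\n' "$1" | awk 'NR > 2 && substr($0, 1, 1) == "*" { print substr($1, 2); exit }'
}

# peer_offset_ms PEER OUTPUT: print the absolute clock offset of PEER in ms.
peer_offset_ms() {
    printf '%s\n' "$2" | awk -v peer="$1" '
        NR > 2 {
            name = $1
            # the first column carries a one-character tally mark (* + - x ...)
            # unless it is a space, which awk has already stripped
            if (substr($0, 1, 1) != " ") name = substr(name, 2)
            if (name == peer) { o = $9 + 0; if (o < 0) o = -o; print o; exit }
        }'
}

# check_peer_sync OUTPUT PEER_PREFIX MAX_MS: 0 when the selected peer starts
# with PEER_PREFIX and its offset is at most MAX_MS; 1 when no such peer is
# selected; 2 when the drift exceeds the limit.
check_peer_sync() {
    peer=$(selected_peer "$1")
    case "$peer" in
        "$2"*) ;;
        *) echo "no selected peer matching '$2' (got '${peer:-none}')"; return 1 ;;
    esac
    offset=$(peer_offset_ms "$peer" "$1")
    if awk -v o="$offset" -v m="$3" 'BEGIN { if (o <= m) exit 0; exit 1 }'; then
        echo "in sync with $peer, offset ${offset} ms"
        return 0
    fi
    echo "clock drift too large: $peer offset ${offset} ms exceeds $3 ms"
    return 2
}

# Usage on a live DC:  check_peer_sync "$(ntpq -p)" adc1 1000
```

The prefix match on the peer name is deliberate: ntpq cuts the remote column at 15 characters, so the full FQDN would never compare equal. A non-zero return from the usage line can feed the same monitoring as the DNS checks earlier in this series.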

Step 2: SysVol Replication with First DC via Rsync

By default, Samba4 AD DC doesn’t perform SysVol replication via DFS-R (Distributed File System Replication) or the FRS (File Replication Service).

This means that Group Policy objects are available only if the first domain controller is online. If the first DC becomes unavailable, the Group Policy settings and logon scripts will not apply further on Windows machines enrolled into the domain.

To overcome this obstacle and achieve a rudimentary form of SysVol replication we will schedule a Linux rsync command run over an SSH encrypted tunnel with key-based SSH authentication in order to securely transfer GPO objects from the first domain controller to the second domain controller.

This method ensures GPO object consistency across domain controllers, but has one huge drawback: it works only in one direction, because rsync will transfer all changes from the source DC to the destination DC when synchronizing the GPO directories.

Objects which no longer exist on the source will be deleted from the destination as well. In order to limit and avoid any conflicts, all GPO edits should be made only on the first DC.

5. To start the process of SysVol replication, first generate an SSH key on the first Samba AD DC and transfer the key to the second DC by issuing the below commands.

Do not use a passphrase for this key, in order for the scheduled transfer to run without user interaction.

# ssh-keygen -t rsa
# ssh-copy-id root@adc2
# ssh adc2
# exit

Generate SSH Key on Samba4 DC

6. After you’ve made sure that the root user from the first DC can automatically log in on the second DC, run the following rsync command with the --dry-run parameter in order to simulate SysVol replication. Replace adc2 accordingly.

# rsync --dry-run -XAavz --chmod=775 --delete-after  --progress --stats  /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/

7. If the simulation process works as expected, run the rsync command again without the --dry-run option in order to actually replicate GPO objects across your domain controllers.

# rsync -XAavz --chmod=775 --delete-after  --progress --stats  /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/

Samba4 AD DC SysVol Replication

8. After the SysVol replication process has finished, log in to the destination domain controller and list the contents of one of the GPO object directories by running the below command.

The same GPO objects from the first DC should be replicated here too.

# ls -alh /var/lib/samba/sysvol/your_domain/Policies/

Verify Samba4 DC SysVol Replication

9. To automate the process of Group Policy replication (sysvol directory transport over the network), schedule a root cron job to run the rsync command used earlier every 5 minutes by issuing the below command.

# crontab -e

Add the rsync command to run every 5 minutes and direct the output of the command, including errors, to the log file /var/log/sysvol-replication.log. In case something doesn’t work as expected you should consult this file in order to troubleshoot the problem.

*/5 * * * * rsync -XAavz --chmod=775 --delete-after  --progress --stats  /var/lib/samba/sysvol/ root@adc2:/var/lib/samba/sysvol/ > /var/log/sysvol-replication.log 2>&1
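
The bare cron line works, but because --delete-after mirrors deletions to adc2, a single mistake on adc1 (an emptied or unmounted sysvol) is propagated within five minutes, and the single > truncates the log on every run. The following wrapper script is an added example, not part of the tutorial, that keeps the same rsync transfer flags and adds a deletion guard, a lock against overlapping runs and an appended, timestamped log. The script path, the lock directory, the threshold of 20 deletions and the "run" argument are assumptions; the constructed dry-run output in the comments uses placeholder GUIDs.

```shell
#!/bin/sh
# Added example, not part of the tutorial: a wrapper for the scheduled SysVol
# rsync that keeps the tutorial's transfer flags but adds three safeguards:
#  - a dry run first, refusing the real transfer when it would delete more
#    than MAX_DELETIONS paths on the destination (a sysvol on adc1 that is
#    empty because of a mistake or a failed mount would otherwise be mirrored
#    as a wipe of adc2, since --delete-after is in effect);
#  - a lock directory so that two cron runs cannot overlap;
#  - an appended, timestamped log instead of a log overwritten on each run.
# Paths, the adc2 host name and the threshold are assumptions to adjust per site.

SYSVOL_SRC=/var/lib/samba/sysvol/
SYSVOL_DST=root@adc2:/var/lib/samba/sysvol/
LOG=/var/log/sysvol-replication.log
LOCK=/run/sysvol-replication.lock
MAX_DELETIONS=${MAX_DELETIONS:-20}
# Same flags as the tutorial minus --progress, which only adds noise to a log.
RSYNC_OPTS='-XAavz --chmod=775 --delete-after --stats'

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >>"$LOG"
}

# count_deletions OUTPUT: number of "deleting <path>" lines rsync -v printed
# in a dry run, i.e. the paths the real run would remove from adc2.
count_deletions() {
    printf '%s\n' "$1" | grep -c '^deleting ' || true
}

# deletion_allowed N MAX: 0 when N deletions are within the threshold.
deletion_allowed() {
    [ "$1" -le "$2" ]
}

# replicate_sysvol: dry run, guard, real transfer. Returns 0 on success,
# 1 on rsync failure, 2 when refused by the deletion guard, 3 when locked.
replicate_sysvol() {
    if ! mkdir "$LOCK" 2>/dev/null; then
        log "previous replication still running, skipping this run"
        return 3
    fi
    trap 'rmdir "$LOCK"' EXIT

    # RSYNC_OPTS is intentionally unquoted so that it splits into arguments
    plan=$(rsync --dry-run $RSYNC_OPTS "$SYSVOL_SRC" "$SYSVOL_DST" 2>&1) || {
        log "dry run failed: $plan"
        return 1
    }
    n=$(count_deletions "$plan")
    if ! deletion_allowed "$n" "$MAX_DELETIONS"; then
        log "refusing to replicate: dry run would delete $n paths on adc2 (limit $MAX_DELETIONS)"
        return 2
    fi
    if rsync $RSYNC_OPTS "$SYSVOL_SRC" "$SYSVOL_DST" >>"$LOG" 2>&1; then
        log "replication finished, $n paths deleted on adc2"
    else
        log "rsync transfer failed, see the lines above"
        return 1
    fi
}

# Run only when invoked as a script with the "run" argument, e.g. from cron:
#   */5 * * * * /usr/local/sbin/sysvol-replicate.sh run
if [ "${1:-}" = "run" ]; then
    replicate_sysvol
fi
```

When the guard refuses a run, the log line names the count so the operator can inspect adc1 before raising MAX_DELETIONS for a legitimate bulk GPO cleanup. Since the key generated in step 5 has no passphrase and logs in as root, it is also worth prefixing its line in adc2's authorized_keys with from="192.168.1.254" so that a copy of the key is only usable from adc1.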

10. In case there are issues with SysVol ACL permissions in the future, you can run the following commands in order to detect and repair these errors.

# samba-tool ntacl sysvolcheck
# samba-tool ntacl sysvolreset

Fix SysVol ACL Permissions

11. In case the first Samba4 AD DC with FSMO role as “PDC Emulator” becomes unavailable, you can force the Group Policy Management Console installed on a Microsoft Windows system to connect only to the second domain controller by choosing Change Domain Controller option and manually selecting the target machine as illustrated below.

Change Samba4 Domain Controller

Select Samba4 Domain Controller

While connected to the second DC from the Group Policy Management Console, you should avoid making any modification to your domain Group Policy. When the first DC becomes available again, the rsync job will overwrite all changes made on this second domain controller.

Create a Shared Directory on Samba AD DC and Map to Windows/Linux Clients – Part 7

This tutorial will guide you on how to create a shared directory on a Samba AD DC system, map this shared volume to Windows clients integrated into the domain via GPO and manage share permissions from a Windows domain controller perspective.

It will also cover how to access and mount the file share from a Linux machine enrolled into domain using a Samba4 domain account.

Requirements:

  1. Create an Active Directory Infrastructure with Samba4 on Ubuntu

Step 1: Create Samba File Share

1. The process of creating a share on Samba AD DC is a very simple task. First create a directory you want to share via the SMB protocol and set the below permissions on the filesystem in order to allow a Windows AD DC admin account to modify the share permissions according to what permissions Windows clients should see.

Assuming that the new file share on the AD DC would be the /nas directory, run the below commands to assign the correct permissions.

# mkdir /nas
# chmod -R 775 /nas
# chown -R root:"domain users" /nas
# ls -alh / | grep nas

Create Samba Shared Directory

2. After you’ve created the directory that will be exported as a share from Samba4 AD DC, you need to add the following statements to the Samba configuration file in order to make the share available via the SMB protocol.

# nano /etc/samba/smb.conf

Go to the bottom of the file and add the following lines:

[nas]
	path = /nas
	read only = no

Configure Samba Shared Directory

3. The last thing you need to do is to restart Samba AD DC daemon in order to apply the changes by issuing the below command:

# systemctl restart samba-ad-dc.service

Step 2: Manage Samba Share Permissions

4. We’re accessing this shared volume from Windows using domain accounts (users and groups) that are created on Samba AD DC (the share is not meant to be accessed by Linux system users).

Therefore the process of managing permissions can be done directly from Windows Explorer, in the same way permissions are managed for any folder in Windows Explorer.

First, log on to a Windows machine with a Samba4 AD account with administrative privileges on the domain. In order to access the share from Windows and set the permissions, type the IP address, host name or FQDN of the Samba AD DC machine in the Windows Explorer path field, preceded by two backslashes, and the share should be visible.

\\adc1
Or
\\192.168.1.254
Or
\\adc1.tecmint.lan

Access Samba Share Directory from Windows

5. To modify permissions just right click on the share and choose Properties. Navigate to the Security tab and proceed with altering domain user and group permissions accordingly. Use the Advanced button in order to fine tune permissions.

Configure Samba Share Directory Permissions

Use the below screenshot as an example of how to tune permissions for specific Samba AD DC authenticated accounts.

Manage Samba Share Directory User Permissions

6. Another method you can use to manage the share permissions is from Computer Management -> Connect to another computer.

Navigate to Shares, right click on the share whose permissions you want to modify, choose Properties and move to the Security tab. From here you can alter permissions in any way you want, just as presented in the previous method using file share permissions.

Connect to Samba Share Directory Machine

Manage Samba Share Directory Properties

Assign Samba Share Directory Permissions to Users

Step 3: Map the Samba File Share via GPO

7. To automatically mount the exported Samba file share via domain Group Policy, first, on a machine with RSAT tools installed, open the AD UC utility, right click on your domain name and then choose New -> Shared Folder.

Map Samba Share Folder

8. Add a name for the shared volume and enter the network path where your share is located as illustrated in the below image. Hit OK when you’ve finished and the share should now be visible in the right pane.

Set Samba Shared Folder Name Location

9. Next, open the Group Policy Management console, expand your domain to the Default Domain Policy object and open it for editing.

In the GPM Editor navigate to User Configuration -> Preferences -> Windows Settings, right click on Drive Maps and choose New -> Mapped Drive.

Map Samba Share Folder in Windows

10. In the new window, search for and add the network location of the share by pressing the button with three dots on the right, check the Reconnect checkbox, add a label for this share, choose the letter for this drive and hit the OK button to save and apply the configuration.

Configure Network Location for Samba Share Directory

11. Finally, in order to force and apply the GPO changes on your local machine without a system restart, open a Command Prompt and run the following command.

gpupdate /force

Apply GPO Changes

12. After the policy has been successfully applied on your machine, open Windows Explorer and the shared network volume should be visible and accessible, depending on what permissions you’ve granted for the share in the previous steps.

The share will be visible for other clients on your network after they reboot or log in again, if group policy is not forced from the command line.

Samba Shared Network Volume on Windows

Step 4: Access the Samba Shared Volume from Linux Clients

13. Linux users on machines that are enrolled into Samba AD DC can also access or mount the share locally by authenticating to the system with a Samba account.

First, they need to make sure that the following Samba clients and utilities are installed on their systems by issuing the below command.

$ sudo apt-get install smbclient cifs-utils

14. In order to list the exported shares your domain provides on a specific domain controller machine, use the below command:

$ smbclient -L your_domain_controller -U%
or
$ smbclient -L adc1 -U%

List Samba Share Directory in Linux

15. To interactively connect to a samba share from command line with a domain account use the following command:

$ sudo smbclient //adc/share_name -U domain_user

From the command line you can list the contents of the share, download or upload files to the share or perform other tasks. Use ? to list all available smbclient commands.

Connect Samba Share Directory in Linux

16. To mount a samba share on a Linux machine use the below command.

$ sudo mount //adc/share_name /mnt -o username=domain_user

Mount Samba Share Directory in Linux

Replace the host, share name, mount point and domain user accordingly. Use the mount command piped to grep to filter only the cifs entries.

As a final note, shares configured on a Samba4 AD DC will work only with Windows access control lists (ACLs), not POSIX ACLs.

Configure Samba as a domain member with file shares in order to obtain other capabilities for a network share. Also, on an additional domain controller configure the winbindd daemon – Step Two – before you start exporting network shares.

Integrate Ubuntu 16.04 to AD as a Domain Member with Samba and Winbind – Part 8

This tutorial describes how to join an Ubuntu machine into a Samba4 Active Directory domain in order to authenticate AD accounts with local ACLs for files and directories, or to create and map volume shares for domain users (act as a file server).

Requirements:

  1. Create an Active Directory Infrastructure with Samba4 on Ubuntu

Step 1: Initial Configurations to Join Ubuntu to Samba4 AD

1. Before starting to join an Ubuntu host into an Active Directory DC you need to make sure that some services are configured properly on the local machine.

An important aspect of your machine is its hostname. Set a proper machine name before joining the domain with the help of the hostnamectl command or by manually editing the /etc/hostname file.

# hostnamectl set-hostname your_machine_short_name
# cat /etc/hostname
# hostnamectl

Set System Hostname

2. On the next step, open and manually edit your machine’s network settings with the proper IP configuration. The most important settings here are the DNS IP addresses, which point back to your domain controller.

Edit the /etc/network/interfaces file and add the dns-nameservers statement with your proper AD IP addresses and domain name as illustrated in the below screenshot.

Also, make sure that the same DNS IP addresses and the domain name are added to the /etc/resolv.conf file.

Configure Network Settings for AD

On the above screenshot, 192.168.1.254 and 192.168.1.253 are the IP addresses of the Samba4 AD DC and Tecmint.lan represents the name of the AD domain which will be queried by all machines integrated into realm.

3. Restart the network services or reboot the machine in order to apply the new network configurations. Issue a ping command against your domain name in order to test if DNS resolution is working as expected.

The AD DC should reply with its FQDN. In case you have configured a DHCP server in your network to automatically assign IP settings to your LAN hosts, make sure you add the AD DC IP addresses to the DHCP server DNS configuration.

# systemctl restart networking.service
# ping -c2 your_domain_name

4. The last important configuration required is time synchronization. Install the ntpdate package, then query and sync time with the AD DC by issuing the below commands.

$ sudo apt-get install ntpdate
$ sudo ntpdate -q your_domain_name
$ sudo ntpdate your_domain_name

Time Synchronization with AD

5. On the next step, install the software required for the Ubuntu machine to be fully integrated into the domain by running the below command.

$ sudo apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

Install Samba4 in Ubuntu Client

While the Kerberos packages are installing you should be asked to enter the name of your default realm. Use the name of your domain in uppercase and press the Enter key to continue the installation.

Add AD Domain Name

6. After all packages finish installing, test Kerberos authentication against an AD administrative account and list the ticket by issuing the below commands.

# kinit ad_admin_user
# klist

Check Kerberos Authentication with AD

Step 2: Join Ubuntu to Samba4 AD DC

7. The first step in integrating the Ubuntu machine into the Samba4 Active Directory domain is to edit the Samba configuration file.

Back up the default Samba configuration file, provided by the package manager, in order to start with a clean configuration by running the following commands.

# mv /etc/samba/smb.conf /etc/samba/smb.conf.initial
# nano /etc/samba/smb.conf 

In the new Samba configuration file add the below lines:

[global]
        workgroup = TECMINT
        realm = TECMINT.LAN
        netbios name = ubuntu
        security = ADS
        dns forwarder = 192.168.1.1

        idmap config * : backend = tdb
        idmap config *:range = 50000-1000000

        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

Configure Samba for AD

Replace the workgroup, realm, netbios name and dns forwarder values with your own settings.

The winbind use default domain parameter makes the winbind service treat any unqualified username as an AD user. Omit this parameter if you have local system account names that overlap with AD account names.

8. Now restart all Samba daemons, stop the samba-ad-dc service (which is not needed on a domain member) and enable the Samba services system-wide by issuing the below commands.

$ sudo systemctl restart smbd nmbd winbind
$ sudo systemctl stop samba-ad-dc
$ sudo systemctl enable smbd nmbd winbind

9. Join the Ubuntu machine to the Samba4 AD DC by issuing the following command. Use the name of an AD account with administrator privileges so that the binding to the realm works as expected.

$ sudo net ads join -U ad_admin_user

Join Ubuntu to Samba4 AD DC

10. From a Windows machine with RSAT tools installed you can open AD UC and navigate to the Computers container. Your joined Ubuntu machine should be listed here.

Confirm Ubuntu Client in Windows AD DC

Step 3: Configure AD Accounts Authentication

11. In order to authenticate AD accounts on the local machine, you need to modify some services and files on the local machine.

First, open and edit the Name Service Switch (NSS) configuration file.

$ sudo nano /etc/nsswitch.conf

Next, append the winbind value to the passwd and group lines as illustrated in the below excerpt.

passwd:         compat winbind
group:          compat winbind
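Before running net ads join it is worth checking that the settings from step 7 and step 11 are consistent. The script below is an added example (not part of the original guide) that lints an smb.conf and an nsswitch.conf for the domain-member settings used here and returns the number of problems found; the sample files it writes are constructed for the demonstration, not real system files.

```shell
#!/bin/sh
# Added example, not from the original guide: a pre-join sanity check for the
# smb.conf written in step 7 and the nsswitch.conf edited in step 11.
# Usage: sh check_member.sh /etc/samba/smb.conf /etc/nsswitch.conf

# smb_get FILE KEY: print the value of KEY from an smb.conf-style file.
# Keys are compared case-insensitively with whitespace collapsed, so
# "idmap config * : range" and "idmap config *:range" both match "idmap config *:range".
smb_get() {
    awk -v key="$2" -F'=' '
        NF >= 2 {
            k = $1
            gsub(/[ \t]+/, " ", k); gsub(/^ | $/, "", k); gsub(/ ?: ?/, ":", k)
            if (tolower(k) == key) {
                v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# problem MESSAGE: report one finding and count it.
problem() {
    echo "PROBLEM: $1"
    problems=$((problems + 1))
}

# check_member_config SMB_CONF NSSWITCH_CONF: returns the number of problems.
check_member_config() {
    smb=$1
    nss=$2
    problems=0

    sec=$(smb_get "$smb" security | tr 'A-Z' 'a-z')
    [ "$sec" = "ads" ] || problem "security must be ADS on a domain member (got '${sec:-unset}')"

    [ -n "$(smb_get "$smb" workgroup)" ] || problem "workgroup is not set"

    realm=$(smb_get "$smb" realm)
    if [ -z "$realm" ]; then
        problem "realm is not set"
    elif [ "$realm" != "$(echo "$realm" | tr 'a-z' 'A-Z')" ]; then
        problem "realm '$realm' should be the Kerberos realm in upper case"
    fi

    # The idmap range decides which UIDs/GIDs winbind allocates to AD accounts;
    # it must be a well-formed LOW-HIGH pair.
    range=$(smb_get "$smb" 'idmap config *:range')
    case $range in
        [0-9]*-[0-9]*)
            low=${range%-*}
            high=${range#*-}
            [ "$low" -lt "$high" ] || problem "idmap range '$range' has low >= high"
            ;;
        *)
            problem "idmap config * : range is missing or malformed (got '${range:-unset}')"
            ;;
    esac

    # Without winbind in NSS, getent and PAM never see domain accounts.
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$nss" \
            || problem "nsswitch.conf: '$db' line does not list winbind"
    done

    echo "$problems problem(s) found"
    return "$problems"
}

# write_sample_configs DIR good|bad: constructed sample files for an offline run.
write_sample_configs() {
    dir=$1
    if [ "$2" = good ]; then
        printf '[global]\n\tworkgroup = TECMINT\n\trealm = TECMINT.LAN\n' > "$dir/smb.conf"
        printf '\tsecurity = ADS\n\nidmap config * : backend = tdb\n' >> "$dir/smb.conf"
        printf 'idmap config *:range = 50000-1000000\n' >> "$dir/smb.conf"
        printf 'passwd:         compat winbind\ngroup:          compat winbind\n' > "$dir/nsswitch.conf"
    else
        printf '[global]\n\tworkgroup = TECMINT\n\trealm = tecmint.lan\n' > "$dir/smb.conf"
        printf '\tsecurity = user\n\nidmap config *:range = 50000\n' >> "$dir/smb.conf"
        printf 'passwd:         compat winbind\ngroup:          compat\n' > "$dir/nsswitch.conf"
    fi
}

if [ $# -eq 2 ]; then
    check_member_config "$1" "$2"
fi
```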

Configure AD Accounts Authentication

12. To test whether the Ubuntu machine was successfully integrated into the realm, run the wbinfo command to list domain accounts and groups.

$ wbinfo -u
$ wbinfo -g

List AD Domain Accounts and Groups

13. Also check the winbind NSS module by issuing the getent command and piping the results through a filter such as grep to narrow the output to specific domain users or groups.

$ sudo getent passwd | grep your_domain_user
$ sudo getent group | grep 'domain admins'

Check AD Domain Users and Groups

14. In order to authenticate on the Ubuntu machine with domain accounts you need to run the pam-auth-update command with root privileges and add all the entries required by the winbind service, including the one that automatically creates a home directory for each domain account at first login.

Select the entries by pressing the [space] key and hit Ok to apply the configuration.

$ sudo pam-auth-update

Authenticate Ubuntu with Domain Accounts

15. On Debian systems you need to manually edit the /etc/pam.d/common-account file and add the following line in order to automatically create home directories for authenticated domain users.

session    required    pam_mkhomedir.so    skel=/etc/skel/    umask=0022

Authenticate Debian with Domain Accounts

16. In order for Active Directory users to be able to change their password from the Linux command line, open the /etc/pam.d/common-password file and remove the use_authtok statement from the password line so that it looks like the below excerpt.

password       [success=1 default=ignore]      pam_winbind.so try_first_pass

Users Allowed to Change Password

17. To authenticate on the Ubuntu host with a Samba4 AD account, pass the domain username to the su - command. Run the id command to get extra info about the AD account.

$ su - your_ad_user

Find AD User Information

Use the pwd command to see the domain user's current directory and the passwd command if you want to change the password.

18. To use a domain account with root privileges on your Ubuntu machine, add the AD username to the sudo system group by issuing the below command:

$ sudo usermod -aG sudo your_domain_user

Log in to Ubuntu with the domain account and update your system by running the apt-get update command to check whether the domain user has root privileges.

Add Sudo User Root Group

19. To grant root privileges to a domain group, open and edit the /etc/sudoers file using the visudo command and add the following line as illustrated in the below screenshot.

%YOUR_DOMAIN\your_domain\  group       		 ALL=(ALL:ALL) ALL

Add Root Privileges to Domain Group

Use backslashes to escape spaces in your domain group name and to escape the first backslash. In the above example the domain group for the TECMINT realm is named “domain admins”.

The leading percent sign (%) indicates that we are referring to a group, not a username.

20. If you are running the graphical version of Ubuntu and want to log in to the system with a domain user, you need to modify the LightDM display manager by editing the /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf file, adding the following lines and rebooting the machine to apply the changes.

greeter-show-manual-login=true
greeter-hide-users=true

You should now be able to log in to Ubuntu Desktop with a domain account using either the your_domain_username, your_domain_username@your_domain.tld or your_domain\your_domain_username format.

Join CentOS 7 Desktop to Samba4 AD as a Domain Member – Part 9

This guide will describe how you can integrate a CentOS 7 Desktop into a Samba4 Active Directory Domain Controller with Authconfig-gtk in order to authenticate users across your network infrastructure from a single centralized account database held by Samba.

Requirements

  1. Create an Active Directory Infrastructure with Samba4 on Ubuntu
  2. CentOS 7.3 Installation Guide

Step 1: Configure CentOS Network for Samba4 AD DC

1. Before starting to join the CentOS 7 Desktop to a Samba4 domain you need to make sure that the network is properly set up to query the domain via the DNS service.

Open Network Settings and turn off the Wired network interface if enabled. Hit the lower Settings button as illustrated in the below screenshots and manually edit your network settings, especially the DNS IPs, which must point to your Samba4 AD DC.

When you finish, apply the configuration and turn the wired network card back on.

Network Settings

Configure Network

2. Next, open your network interface configuration file and add a line at the end of the file with the name of your domain. This line ensures that the domain part is automatically appended during DNS resolution (FQDN) when you use only the short name of a domain DNS record.

$ sudo vi /etc/sysconfig/network-scripts/ifcfg-eno16777736

Add the following line:

SEARCH="your_domain_name"

Network Interface Configuration

3. Finally, restart the network service to apply the changes, verify that the resolver configuration file is correct and issue a series of ping commands against your DCs' short names and against your domain name in order to verify that DNS resolution is working.

$ sudo systemctl restart network
$ cat /etc/resolv.conf
$ ping -c1 adc1
$ ping -c1 adc2
$ ping tecmint.lan

Verify Network Configuration

4. Also configure your machine hostname and reboot the machine to properly apply the settings by issuing the following commands:

$ sudo hostnamectl set-hostname your_hostname
$ sudo init 6

Verify that the hostname was correctly applied with the below commands:

$ cat /etc/hostname
$ hostname

5. The last setting ensures that your system time is in sync with the Samba4 AD DC; issue the below commands:

$ sudo yum install ntpdate
$ sudo ntpdate -ud domain.tld

Step 2: Install Required Software to Join Samba4 AD DC

6. In order to integrate CentOS 7 into an Active Directory domain, install the following packages from the command line:

$ sudo yum install samba samba-winbind krb5-workstation

7. Finally, install the graphical tool used for domain integration, Authconfig-gtk, from the CentOS repositories.

$ sudo yum install authconfig-gtk

Step 3: Join CentOS 7 Desktop to Samba4 AD DC

8. Joining CentOS to a domain controller is very straightforward. From the command line open the Authconfig-gtk program with root privileges and make the changes described below:

$ sudo authconfig-gtk

On the Identity & Authentication tab:

  • User Account Database = select Winbind
  • Winbind Domain = YOUR_DOMAIN
  • Security Model = ADS
  • Winbind ADS Realm = YOUR_DOMAIN.TLD
  • Domain Controllers = domain machines FQDN
  • Template Shell = /bin/bash
  • Allow offline login = checked

Authentication Configuration

On the Advanced Options tab:

  • Local Authentication Options = check Enable fingerprint reader support
  • Other Authentication Options = check Create home directories on the first login

Authentication Advanced Configuration

9. After you’ve added all required values, return to the Identity & Authentication tab, hit the Join Domain button and then the Save button in the alert window to save the settings.

Identity and Authentication

Save Authentication Configuration

10. After the configuration has been saved you will be asked for a domain administrator account in order to join the domain. Supply the credentials of a domain administrator and hit the OK button to finally join the domain.

Joining Winbind Domain

11. After your machine has been integrated into the realm, hit the Apply button to apply the changes, close all windows and reboot the machine.

Apply Authentication Configuration

12. To verify that the system has been joined to the Samba4 AD DC, open AD Users and Computers from a Windows machine with RSAT tools installed and navigate to your domain's Computers container.

The name of your CentOS machine should be listed in the right pane.

Active Directory Users and Computers

Step 4: Login to CentOS Desktop with a Samba4 AD DC Account

13. To log in to the CentOS Desktop, hit the Not listed? link and enter the username of a domain account preceded by the domain part as illustrated below.

Domain\domain_account
or
Domain_user@domain.tld

Not listed Users

Enter Domain Username

14. To authenticate with a domain account from the command line in CentOS use one of the following syntaxes (quote the DOMAIN\user form, otherwise the shell strips the backslash):

$ su - 'domain\domain_user'
$ su - domain_user@domain.tld

Authenticate Domain Username

Authenticate Domain User Email

15. To grant root privileges to a domain user or group, edit the sudoers file using the visudo command with root powers and add the following lines as illustrated in the below excerpt:

YOUR_DOMAIN\domain_username       		 ALL=(ALL:ALL) ALL  	#For domain users
%YOUR_DOMAIN\your_domain\  group      		 ALL=(ALL:ALL) ALL	#For domain groups

Assign Permission to User and Group

16. To display a summary about the domain controller use the following command:

$ sudo net ads info

Check Domain Controller Info

17. To verify that the machine trust account created when CentOS was added to the Samba4 AD DC is functional, and to list domain accounts from the command line, install the winbind clients by issuing the below command:

$ sudo yum install samba-winbind-clients

Then issue a series of checks against Samba4 AD DC by executing the following commands:

$ wbinfo -p #Ping domain
$ wbinfo -t #Check trust relationship
$ wbinfo -u #List domain users
$ wbinfo -g #List domain groups
$ wbinfo -n domain_account #Get the SID of a domain account

Get Samba4 AD DC Details

18. If you want to leave the domain, issue the following command against your domain name using a domain account with administrator privileges:

$ sudo net ads leave your_domain -U domain_admin_username

Leave Domain from Samba4 AD

That’s all! Although this procedure is focused on joining CentOS 7 to a Samba4 AD DC, the same steps described in this documentation are also valid for integrating a CentOS 7 Desktop machine to a Microsoft Windows Server 2008 or 2012 domain.

How to Install iRedMail on CentOS 7 for Samba4 AD Integration – Part 10

This series of tutorials will guide you on how to integrate iRedMail installed on a CentOS 7 machine with a Samba4 Active Directory Domain Controller in order for domain accounts to send or receive mail via Thunderbird desktop client or via Roundcube web interface.

The CentOS 7 server where iRedMail will be installed will provide SMTP or mail routing services via ports 25 and 587 and will also serve as a mail delivery agent through Dovecot, providing POP3 and IMAP services, both secured with self-signed certificates issued during the installation process.

The recipient mailboxes will be stored on the same CentOS server along with the webmail user agent provided by Roundcube. Samba4 Active Directory will be used by iRedMail to query and authenticate recipient accounts against the realm, to create mail lists with the help of Active Directory groups and to control the mail accounts via Samba4 AD DC.

Requirements:

  1. Create an Active Directory Infrastructure with Samba4 on Ubuntu

Step 1: Install iRedMail in CentOS 7

1. Before starting the iRedMail installation, make sure you have a fresh CentOS 7 operating system installed on your machine, following the instructions in this guide:

  1. Fresh Installation of CentOS 7 Minimal

2. Also, make sure the system is up-to-date with the latest security and package updates by issuing the below command.

# yum update

3. The system also needs an FQDN hostname, set by issuing the below command. Replace the mail.tecmint.lan value with your own FQDN.

# hostnamectl set-hostname mail.tecmint.lan

Verify system hostname with the below commands.

# hostname -s   # Short name
# hostname -f   # FQDN
# hostname -d   # Domain
# cat /etc/hostname  # Verify it with cat command

Verify CentOS 7 Hostname

4. Map the machine FQDN and short name to the loopback IP address by manually editing the /etc/hosts file. Add the values as illustrated below, replacing the mail.tecmint.lan and mail values accordingly.

127.0.0.1   mail.tecmint.lan mail  localhost localhost.localdomain

5. The iRedMail team recommends that SELinux be completely disabled. Disable SELinux by editing the /etc/selinux/config file and setting the SELINUX parameter from permissive to disabled as illustrated below.

SELINUX=disabled

Reboot the machine to apply the new SELinux policy, or run setenforce with the 0 parameter to disable SELinux enforcement immediately.

# reboot
OR
# setenforce 0

6. Next, install the following packages, which will come in handy later for system administration:

# yum install bzip2 net-tools bash-completion wget

7. In order to install iRedMail, first go to the download page http://www.iredmail.org/download.html and grab the latest archive of the software by issuing the below command.

# wget https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.9.6.tar.bz2

8. After the download finishes, extract the compressed archive and enter the extracted iRedMail directory by issuing the following commands.

# tar xjf iRedMail-0.9.6.tar.bz2 
# cd iRedMail-0.9.6/
# ls

9. Start the installation process by executing the iRedMail shell script with the following command. From here on the installer will ask a series of questions.

# bash iRedMail.sh

10. On the first welcome prompt hit Yes to proceed with the installation.

iRedMail Setup Wizard

11. Next, choose the location where all mail will be stored. The default directory iRedMail uses to store mailboxes is the /var/vmail/ system path.

If this directory is located on a partition with enough storage to host mail for all your domain accounts, hit Next to continue.

Otherwise, change the default location to a different directory if you’ve configured a larger partition dedicated to mail storage.

iRedMail Mail Storage Path

12. On the next step choose the frontend web server through which you will interact with iRedMail. The iRedMail administration panel will be completely disabled later, so we will use the frontend web server only to access mail accounts via the Roundcube web panel.

Unless you have thousands of mail accounts per hour accessing the webmail interface, you should go with the Apache web server due to its flexibility and easy management.

iRedMail Preferred Web Server

13. On this step choose the OpenLDAP backend database, for compatibility with the Samba4 domain controller, and hit Next to continue. This OpenLDAP database will not be used later, once iRedMail is integrated with the Samba domain controller.

iRedMail LDAP Backend

14. Next, specify your Samba4 domain name as the LDAP suffix as illustrated in the image below and hit Next to continue.

iRedMail LDAP Suffix

15. On the next prompt enter your domain name only and hit Next to move on. Replace the tecmint.lan value accordingly.

iRedMail Mail Domain

16. Now set up a password for the postmaster@yourdomain.tld administrator and hit Next to continue.

iRedMail Mail Domain Administrator

17. Next, choose from the list the optional components you want to integrate with your mail server. I strongly recommend installing Roundcube in order to provide a web interface for domain accounts to access mail, although Roundcube can also be installed and configured on a different machine to free up mail server resources under high load.

For local domains with restricted internet access, and especially when using domain integration, the other components are not very useful, except Awstats if you need mail analysis.

iRedMail Optional Components

18. On the next review screen type Y in order to apply configuration and start the installation process.

iRedMail Configuration Changes

19. Finally, let the iRedMail scripts automatically configure your machine firewall and the MySQL configuration file by typing yes for all questions.

iRedMail System Configuration

20. After the installation finishes the installer will display some sensitive information, such as iRedAdmin credentials, web panel URLs and the location of the file holding all parameters used during the installation.

iRedMail Installation Summary

Read the displayed information carefully and reboot the machine in order to enable all mail services by issuing the following command.

# init 6

21. After the system reboots, log in as root or with an account with root privileges and list all network sockets, and their associated programs, that your mail server listens on by issuing the following command.

The socket list shows that your mail server covers almost all services required for a mail server to function properly: SMTP/S, POP3/S, IMAP/S and antivirus along with spam protection.

# netstat -tulpn

iRedMail Network Sockets

22. To view the location of all configuration files iRedMail has modified, and the credentials used by iRedMail during the installation for database administration, the mail admin account and other accounts, display the contents of the iRedMail.tips file.

The file is located in the directory where you initially extracted the installation archive. Be aware that you should move and protect this file because it contains sensitive information about your mail server.

# less iRedMail-0.9.6/iRedMail.tips

23. The file mentioned above, which contains details about your mail server, is also automatically mailed to the mail server administrator, represented by the postmaster account.

The webmail can be accessed securely via HTTPS by typing your machine's IP address in a browser. Accept the browser error generated by the iRedMail self-signed web certificate and log in with the password chosen for the postmaster@your_domain.tld account during the initial installation. Read this e-mail and store it in a safe mailbox.

https://192.168.1.254

iRedMail Account Login

iRedMail Web Mail

That’s all! By now you have a full mail server configured on your premises which operates on its own, but is not yet integrated with the Samba4 Active Directory Domain Controller services.

In the next part we will see how to modify the iRedMail services (Postfix, Dovecot and Roundcube configuration files) in order to query domain accounts and send, receive and read mail.

How to Configure and Integrate iRedMail Services to Samba4 AD DC – Part 11

In this tutorial we will learn how to modify the main iRedMail daemons which provide mail services, namely Postfix, used for mail transfer, and Dovecot, which delivers mail to account mailboxes, in order to integrate them both with the Samba4 Active Directory Domain Controller.

By integrating iRedMail with a Samba4 AD DC you gain the following features: user authentication, management and status via the Samba AD DC, mail lists created from AD groups, and a Global LDAP Address Book in Roundcube.

Requirements

  1. Install iRedMail on CentOS 7 for Samba4 AD Integration

Step 1: Prepare iRedMail System for Samba4 AD Integration

1. On the first step, you need to assign a static IP address to your machine in case you’re using a dynamic IP address provided by a DHCP server.

Run the ifconfig command to list your machine's network interface names and edit the proper network interface with your custom IP settings by issuing the nmtui-edit command against the correct NIC.

Run the nmtui-edit command with root privileges.

# ifconfig
# nmtui-edit eno16777736

Find Network Interface Name

2. Once the network interface is opened for editing, add the proper static IP settings and make sure you add the DNS server IP addresses of your Samba4 AD DC and the name of your domain, so that the machine can query the realm. Use the below screenshot as a guide.

Configure Network Settings

3. After you finish configuring the network interface, restart the network daemon to apply the changes and issue a series of ping commands against the domain name and the Samba4 domain controllers' FQDNs.

# systemctl restart network.service
# cat /etc/resolv.conf     # verify DNS resolver configuration if the correct DNS servers IPs are queried for domain resolution
# ping -c2 tecmint.lan     # Ping domain name
# ping -c2 adc1            # Ping first AD DC
# ping -c2 adc2            # Ping second AD DC

Verify Network DNS Configuration

4. Next, sync time with the Samba domain controller by installing the ntpdate package and querying the Samba4 machine's NTP server by issuing the below commands:

# yum install ntpdate
# ntpdate -qu tecmint.lan      # Query the domain NTP servers
# ntpdate tecmint.lan          # Sync time with the domain

Sync Time with Samba NTP Server

5. You might want the local time to be automatically synchronized with the Samba AD time server. To achieve this, add a scheduled job that runs every hour by issuing the crontab -e command and appending the following line:

0 */1 * * * /usr/sbin/ntpdate tecmint.lan > /var/log/ntpdate.lan 2>&1

Auto Sync Time with Samba NTP

Step 2: Prepare Samba4 AD DC for iRedMail Integration

6. Now, move to a Windows machine with RSAT tools installed to manage Samba4 Active Directory as described in this tutorial.

Open DNS Manager, go to your domain's Forward Lookup Zones and add a new A record, an MX record and a PTR record pointing to your iRedMail system's IP address. Use the below screenshots as a guide.

Add the A record (replace the name and IP address of the iRedMail machine accordingly).

Create DNS A Record for iRedMail

Add the MX record (leave the child domain blank and set a priority of 10 for this mail server).

Create DNS MX Record for iRedMail

Add the PTR record by expanding Reverse Lookup Zones (replace the IP address of the iRedMail server accordingly). If you haven’t configured a reverse zone for your domain controller so far, read the following tutorial:

  1. Manage Samba4 DNS Group Policy from Windows

Create DNS PTR Record for iRedMail

7. After you’ve added the basic DNS records a mail server needs in order to function properly, move to the iRedMail machine, install the bind-utils package and query the newly added mail records as suggested in the below excerpt.

The Samba4 AD DC DNS server should respond with the DNS records added in the previous step.

# yum install bind-utils
# host tecmint.lan
# host mail.tecmint.lan
# host 192.168.1.245

Install Bind and Query Mail Records

From a Windows machine, open a Command Prompt window and issue the nslookup command against the above mail server records.

8. As a final prerequisite, create a new user account with minimal privileges in the Samba4 AD DC with the name vmail, choose a strong password for this user and make sure the password for this user never expires.

The vmail user account will be used by the iRedMail services to query the Samba4 AD DC LDAP database and pull the email accounts.

To create the vmail account, use the ADUC graphical tool from a Windows machine joined to the realm with RSAT tools installed, as illustrated in the below screenshots, or use the samba-tool command line directly from a domain controller as explained in the following topic.

  1. Manage Samba4 Active Directory from Linux Command Line

In this guide, we’ll use the first method mentioned above.

Active Directory Users and Computers

Create New User for iRedMail

Set Strong Password for User

9. From the iRedMail system, test the vmail user's ability to query the Samba4 AD DC LDAP database by issuing the below command. The output should end with the total number of entries found for your domain, as illustrated in the below screenshot.

# ldapsearch -x -h tecmint.lan -D 'vmail@tecmint.lan' -W -b 'cn=users,dc=tecmint,dc=lan'

Note: Replace the domain name and the LDAP base DN of the Samba4 AD ('cn=users,dc=tecmint,dc=lan') accordingly.

Query Samba4 AD DC LDAP

Step 3: Integrate iRedMail Services to Samba4 AD DC

10. Now it’s time to modify the iRedMail services (Postfix, Dovecot and Roundcube) so that they query the Samba4 Domain Controller for mail accounts.

The first service to be modified is the MTA, Postfix. Issue the following commands to disable a series of MTA settings, add your domain name to the Postfix local and mailbox domains, and use the Dovecot agent to deliver received mail locally to user mailboxes.

# postconf -e virtual_alias_maps=' '
# postconf -e sender_bcc_maps=' '
# postconf -e recipient_bcc_maps=' '
# postconf -e relay_domains=' '
# postconf -e relay_recipient_maps=' '
# postconf -e sender_dependent_relayhost_maps=' '
# postconf -e smtpd_sasl_local_domain='tecmint.lan'     # Replace with your own domain
# postconf -e virtual_mailbox_domains='tecmint.lan'     # Replace with your own domain
# postconf -e transport_maps='hash:/etc/postfix/transport'
# postconf -e smtpd_sender_login_maps='proxy:ldap:/etc/postfix/ad_sender_login_maps.cf'   # Check SMTP senders
# postconf -e virtual_mailbox_maps='proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf'   # Check local mail accounts
# postconf -e virtual_alias_maps='proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf'       # Check local mail lists
# cp /etc/postfix/transport /etc/postfix/transport.backup   # Back up the transport file
# echo "tecmint.lan dovecot" > /etc/postfix/transport       # Add your domain with the dovecot transport
# cat /etc/postfix/transport                                # Verify the transport file
# postmap hash:/etc/postfix/transport

11. Next, create the Postfix /etc/postfix/ad_sender_login_maps.cf configuration file with your favorite text editor and add the below configuration.

server_host     = tecmint.lan
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail@tecmint.lan
bind_pw         = ad_vmail_account_password
search_base     = dc=tecmint,dc=lan
scope           = sub
query_filter    = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute= userPrincipalName
debuglevel      = 0

12. Create /etc/postfix/ad_virtual_mailbox_maps.cf with the following configuration.

server_host     = tecmint.lan
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail@tecmint.lan
bind_pw         = ad_vmail_account_password
search_base     = dc=tecmint,dc=lan
scope           = sub
query_filter    = (&(objectclass=person)(userPrincipalName=%s))
result_attribute= userPrincipalName
result_format   = %d/%u/Maildir/
debuglevel      = 0

13. Create /etc/postfix/ad_virtual_group_maps.cf with the below configuration.

server_host     = tecmint.lan
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail@tecmint.lan
bind_pw         = ad_vmail_account_password
search_base     = dc=tecmint,dc=lan
scope           = sub
query_filter    = (&(objectClass=group)(mail=%s))
special_result_attribute = member
leaf_result_attribute = mail
result_attribute= userPrincipalName
debuglevel      = 0

In all three configuration files replace the values of server_host, bind_dn, bind_pw and search_base to reflect your own domain settings.

14. Next, open the Postfix main configuration file, search for the iRedAPD check_policy_service and smtpd_end_of_data_restrictions settings and disable them by adding a # comment sign in front of the following lines.

# nano /etc/postfix/main.cf

Comment the following lines:

#check_policy_service inet:127.0.0.1:7777
#smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777

15. Now, verify the Postfix binding to Samba AD using an existing domain user and a domain group by issuing a series of queries as presented in the following examples.

The result should be similar to the one illustrated in the below screenshot.

# postmap -q tecmint_user@tecmint.lan ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
# postmap -q tecmint_user@tecmint.lan ldap:/etc/postfix/ad_sender_login_maps.cf
# postmap -q linux_users@tecmint.lan ldap:/etc/postfix/ad_virtual_group_maps.cf

Verify Postfix Binding to Samba AD

Replace the AD user and group accounts accordingly. Also, make sure the AD group you’re using has some AD users as members.

16. On the next step modify the Dovecot configuration file in order to query the Samba4 AD DC. Open the /etc/dovecot/dovecot-ldap.conf file for editing and add the following lines.

hosts           = tecmint.lan:389
ldap_version    = 3
auth_bind       = yes
dn              = vmail@tecmint.lan
dnpass          = ad_vmail_password
base            = dc=tecmint,dc=lan
scope           = subtree
deref           = never
user_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs      = userPassword=password
default_pass_scheme = CRYPT
user_attrs      = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/

The mailbox of a Samba4 AD account will be stored under /var/vmail/vmail1/your_domain.tld/your_domain_user/Maildir/ on the Linux system. Two points about this file are worth knowing. First, because auth_bind = yes, Dovecot checks a user's password by binding to the DC as that user; the vmail credentials are only used to look the user up, and since AD never returns userPassword the pass_attrs and default_pass_scheme lines are inert. The (!(userAccountControl:1.2.840.113556.1.4.803:=2)) clause is an extensible bitwise-AND match on the ACCOUNTDISABLE bit, so disabled accounts cannot log in even though the Postfix maps above still resolve them. Second, hosts = tecmint.lan:389 with no tls setting sends every user's password to the DC in clear text; set tls = yes (STARTTLS) or use uris = ldaps://tecmint.lan instead of hosts once the mail host trusts the DC's certificate.
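To make the behaviour of these lookups concrete, here is an added example (my code, not from the tutorial, Postfix, Dovecot or iRedMail) that models the Postfix virtual mailbox map, the Postfix virtual group map and the Dovecot user lookup over a constructed in-memory directory. The DNs, account names, addresses and userAccountControl values are made up; the filters, result_format and the %Ld/%Ln expansion follow the configuration files shown above. It demonstrates two consequences of that configuration: a disabled account still resolves to a mailbox in Postfix (only the Dovecot filter rejects it), and a group member with no mail attribute is silently dropped when the group address is expanded.

```python
# Added example (not from the tutorial): an in-memory model of the Samba AD
# lookups that the Postfix and Dovecot LDAP maps on this page perform, with
# constructed directory entries so it runs without a domain controller.

ACCOUNTDISABLE = 0x0002  # bit tested by (userAccountControl:1.2.840.113556.1.4.803:=2)
VMAIL_ROOT = "/var/vmail/vmail1"  # from the Dovecot user_attrs line

# Constructed entries: DNs, names, addresses and flag values are made up
DIRECTORY = {
    "CN=Tecmint User,CN=Users,DC=tecmint,DC=lan": {
        "objectClass": {"top", "person", "organizationalPerson", "user"},
        "userPrincipalName": "tecmint_user@tecmint.lan",
        "mail": "tecmint_user@tecmint.lan",
        "userAccountControl": 0x10200,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    },
    "CN=Old Employee,CN=Users,DC=tecmint,DC=lan": {
        "objectClass": {"top", "person", "organizationalPerson", "user"},
        "userPrincipalName": "old_employee@tecmint.lan",
        "mail": "old_employee@tecmint.lan",
        "userAccountControl": 0x10202,  # same, plus ACCOUNTDISABLE
    },
    "CN=No Mail,CN=Users,DC=tecmint,DC=lan": {
        "objectClass": {"top", "person", "organizationalPerson", "user"},
        "userPrincipalName": "no_mail@tecmint.lan",  # E-mail field never filled in
        "userAccountControl": 0x10200,
    },
    "CN=Linux Users,CN=Users,DC=tecmint,DC=lan": {
        "objectClass": {"top", "group"},
        "mail": "linux_users@tecmint.lan",
        "member": [
            "CN=Tecmint User,CN=Users,DC=tecmint,DC=lan",
            "CN=Old Employee,CN=Users,DC=tecmint,DC=lan",
            "CN=No Mail,CN=Users,DC=tecmint,DC=lan",
        ],
    },
}


def _ieq(a, b):
    """userPrincipalName and mail are case-insensitive strings in AD."""
    return a is not None and a.lower() == b.lower()


def _find_person(upn):
    for entry in DIRECTORY.values():
        if "person" in entry["objectClass"] and _ieq(entry.get("userPrincipalName"), upn):
            return entry
    return None


def postfix_virtual_mailbox(address):
    """ad_virtual_mailbox_maps.cf: (&(objectclass=person)(userPrincipalName=%s)),
    result_attribute = userPrincipalName, result_format = %d/%u/Maildir/.
    %u/%d are the local and domain part of the result attribute; nothing looks
    at userAccountControl, so a disabled account still resolves."""
    entry = _find_person(address)
    if entry is None:
        return None
    user, domain = entry["userPrincipalName"].split("@", 1)
    return f"{domain}/{user}/Maildir/"


def postfix_virtual_group(address):
    """ad_virtual_group_maps.cf: (&(objectClass=group)(mail=%s)) with
    special_result_attribute = member and leaf_result_attribute = mail.
    Member DNs are looked up; leaves contribute their mail attribute, nested
    groups are expanded in turn, members without mail are silently dropped."""
    for dn, entry in DIRECTORY.items():
        if "group" in entry["objectClass"] and _ieq(entry.get("mail"), address):
            return _expand_members(dn, set())
    return None


def _expand_members(group_dn, seen):
    if group_dn in seen:  # guard against membership loops
        return []
    seen.add(group_dn)
    addresses = []
    for member_dn in DIRECTORY[group_dn].get("member", []):
        member = DIRECTORY.get(member_dn)
        if member is None:
            continue  # dangling DN
        if "group" in member["objectClass"]:
            addresses.extend(_expand_members(member_dn, seen))
        elif member.get("mail"):
            addresses.append(member["mail"])
        # a leaf with no mail attribute yields nothing and raises no error
    return addresses


def dovecot_user(login):
    """dovecot-ldap.conf user_filter: a person with this UPN whose ACCOUNTDISABLE
    bit is clear. user_attrs builds home from %Ld/%Ln, the lower-cased domain
    and local part of the login name."""
    entry = _find_person(login)
    if entry is None or entry.get("userAccountControl", 0) & ACCOUNTDISABLE:
        return None
    local, domain = login.lower().split("@", 1)
    maildir = f"{VMAIL_ROOT}/{domain}/{local}/Maildir/"
    return {"home": maildir, "mail": f"maildir:{maildir}"}


if __name__ == "__main__":
    for addr in ("tecmint_user@tecmint.lan", "old_employee@tecmint.lan", "no_mail@tecmint.lan"):
        print(f"{addr}: postfix={postfix_virtual_mailbox(addr)} dovecot={dovecot_user(addr)}")
    print("linux_users@tecmint.lan ->", postfix_virtual_group("linux_users@tecmint.lan"))
```

Run it with python3. The practical lesson is that Postfix will keep accepting and storing mail for an account that has been disabled in AD, because neither virtual map tests userAccountControl; if that is not what you want, add the same extensible-match clause to the Postfix query_filter lines, and make sure every group member has the E-mail field filled in, otherwise that member silently disappears from the list expansion.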

17. Make sure the pop3 and imap protocols are enabled in the Dovecot main configuration file, and verify that the quota and acl mail plugins are enabled as well, by opening /etc/dovecot/dovecot.conf and checking that these values are present.

Enable Pop3 and Imap in Dovecot

18. Optionally, to set a global hard quota of 500 MB of storage per domain user, add the following line to /etc/dovecot/dovecot.conf.

quota_rule = *:storage=500M 

19. Finally, to apply all changes made so far, restart Postfix and Dovecot and check their status by issuing the commands below with root privileges.

# systemctl restart postfix dovecot
# systemctl status postfix dovecot

20. To test the mail server configuration from the command line over IMAP, use telnet or netcat as in the example below. This is a plain-text LOGIN on port 143, so run it only on the server itself against localhost; to test from another machine, connect to the IMAPS port instead (for example with openssl s_client -connect iredmail-FQDN:993) and type the same commands. Expect a1 OK on success and a1 NO on a wrong password or a disabled account.

# nc localhost 143
a1 LOGIN ad_user@your_domain.tld ad_user_password
a2 LIST "" "*"
a3 LOGOUT

Test iRedMail Configuration

If you can perform an IMAP login from the command line with a Samba4 user account, the iRedMail server is ready to send and receive mail for Active Directory accounts.

The next tutorial discusses how to integrate Roundcube webmail with Samba4 AD DC, enable the Global LDAP Address Book, customize Roundcube, access the Roundcube web interface from a browser and disable some unneeded iRedMail services.

How to Integrate iRedMail Roundcube with Samba4 AD DC – Part 12

Roundcube, one of the most used webmail user agents on Linux, offers a modern web interface for end users to read, compose and send e-mail through the mail services. Roundcube supports a variety of mail protocols, including secured ones such as IMAPS, POP3S and submission.

In this topic we’ll discuss how to configure Roundcube in iRedMail with IMAPS and submission secured ports to retrieve and send emails for Samba4 AD accounts, how to access iRedMail Roundcube web interface from a browser and add a web address alias, how to enable Samba4 AD integration for Global LDAP Address Book and how to disable some unneeded iRedMail services.

Requirements

  1. How to Install iRedMail on CentOS 7 for Samba4 AD Integration
  2. Configure iRedMail on CentOS 7 for Samba4 AD Integration

Step 1: Declare E-mail Address for Domain Accounts in Samba4 AD DC

1. To send and receive mail for Samba4 AD DC domain accounts, you need to edit each user account and explicitly set the E-mail field with the proper e-mail address, by opening the ADUC tool from a Windows machine with RSAT tools installed and joined to Samba4 AD, as illustrated in the image below.

Add Email Account to Join Samba4 AD DC

2. Similarly, to use mail lists, you need to create groups in ADUC, add the corresponding e-mail address for each group and assign the proper user accounts as members of the group.

With this setup a Samba4 AD group acts as a mail list: every member's mailbox receives mail sent to the group's e-mail address. Use the screenshots below as a guide to declare the e-mail field for a Samba4 group account and add domain users as members of the group.

Make sure all accounts members added to a group have their e-mail address declared.

Create Group Admin for Samba4 AD DC

Add Users to Group

In this example, all mails sent to admins@tecmint.lan e-mail address declared for ‘Domain Admins’ group will be received by each member mailbox of this group.

3. Alternatively, you can declare the e-mail address for a Samba4 AD account by creating the user or group with the samba-tool command line directly from the console of one of the AD DCs, specifying the address with the --mail-address flag.

Use one of the following command syntax to create a user with e-mail address specified:

# samba-tool user add  --mail-address=user_email@domain.tld  --surname=your_surname  --given-name=your_given_name  your_ad_user

Create a group with e-mail address specified:

# samba-tool group add  --mail-address=group_email@domain.tld  your_ad_group

To add members to a group:

# samba-tool group addmembers your_group user1,user2,userX

To list all available samba-tool command fields for a user or a group use the following syntax:

# samba-tool user add -h
# samba-tool group add -h

Step 2: Secure Roundcube Webmail

4. Before modifying the Roundcube configuration file, list the sockets Dovecot and Postfix listen on with netstat piped through egrep and make sure the secured ports (993 for IMAPS and 587 for submission) are open. If netstat is not installed, ss -tulpn gives the same listing.

# netstat -tulpn | egrep 'dovecot|master'

5. To force mail retrieval and submission between Roundcube and the iRedMail services over the secured IMAP and SMTP ports, open the Roundcube configuration file /var/www/roundcubemail/config/config.inc.php and change the following lines (for localhost in this case) as in the excerpt below:

// For IMAPS
$config['default_host'] = 'ssl://127.0.0.1';
$config['default_port'] = 993;
$config['imap_auth_type'] = 'LOGIN';

// For SMTP
$config['smtp_server'] = 'tls://127.0.0.1';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['smtp_auth_type'] = 'LOGIN';

This setup is strongly recommended when Roundcube is installed on a host other than the one running the mail services (IMAP, POP3 or SMTP daemons), since credentials and mail then cross the network.

6. Next, without closing the configuration file, make the following small changes so that Roundcube can only be visited over HTTPS, the version number is hidden and the domain name is automatically appended to the account name entered at login.

$config['force_https'] = true;
$config['useragent'] = 'Your Webmail'; // Hide version number
$config['username_domain'] = 'domain.tld';

7. Also disable the managesieve and password plugins. The tutorial does this by commenting out (//) the line that starts with $config['plugins']; be aware that this turns off every plugin listed in that array, so if the array contains other plugins you rely on, remove only these two names from it instead.

Users change their password from a Windows or Linux machine joined to the Samba4 AD DC once they authenticate to the domain, and a sysadmin manages all sieve rules for domain accounts globally.

// $config['plugins'] = array('managesieve', 'password');

8. Finally, save and close the configuration file and visit Roundcube Webmail by pointing a browser at the iRedMail IP address or FQDN followed by /mail, over HTTPS.

The first time when you visit Roundcube an alert should appear on the browser due to the Self-Signed Certificate the web server uses. Accept the certificate and login with a Samba AD account credentials.

https://iredmail-FQDN/mail

Roundcube Webmail Login

Step 3: Enable Samba AD Contacts in Roundcube

9. To make the Samba AD Global LDAP Address Book appear in Roundcube Contacts, open the Roundcube configuration file again for editing and make the following changes:

Navigate to the bottom of the file, identify the section that begins with '# Global LDAP Address Book with AD', delete its content up to the end of the file and replace it with the following code block:

# Global LDAP Address Book with AD.
#
$config['ldap_public']["global_ldap_abook"] = array(
    'name'          => 'tecmint.lan',
    'hosts'         => array("tecmint.lan"),
    'port'          => 389,
    'use_tls'       => false,
    'ldap_version'  => '3',
    'network_timeout' => 10,
    'user_specific' => false,

    'base_dn'       => "dc=tecmint,dc=lan",
    'bind_dn'       => "vmail@tecmint.lan",
    'bind_pass'     => "your_password",
    'writable'      => false,

    'search_fields' => array('mail', 'cn', 'sAMAccountName', 'displayname', 'sn', 'givenName'),
	
    'fieldmap' => array(
        'name'        => 'cn',
        'surname'     => 'sn',
        'firstname'   => 'givenName',
        'title'       => 'title',
        'email'       => 'mail:*',
        'phone:work'  => 'telephoneNumber',
        'phone:mobile' => 'mobile',

        'department'  => 'departmentNumber',
        'notes'       => 'description',

    ),
    'sort'          => 'cn',
    'scope'         => 'sub',
    'filter' => '(&(mail=*)(|(&(objectClass=user)(!(objectClass=computer)))(objectClass=group)))',
    'fuzzy_search'  => true,
    'vlv'           => false,
    'sizelimit'     => '0',
    'timelimit'     => '0',
    'referrals'     => false,
);

In this block, replace the name, hosts, base_dn, bind_dn and bind_pass values accordingly. Note that 'use_tls' => false sends the vmail bind password to the DC in clear text on every address-book lookup; switch it to true (STARTTLS on port 389) once the web host trusts the DC's certificate, and keep config.inc.php readable only by the web server account, since it now holds that password.

10. After you’ve made all the required changes, save and close the file, login to Roundcube webmail interface and go to Address Book menu.

Hit on your Global Address Book chosen name and a contact list of all domain accounts (users and groups) with their specified e-mail address should be visible.

Roundcube User Contact List

Step 4: Add an Alias for Roundcube Webmail Interface

11. To visit Roundcube at a web address with the following form https://webmail.domain.tld instead of the old address provided by default by iRedMail you need to make the following changes.

From a joined Windows machine with RSAT tools installed, open DNS Manager and add a new CNAME record for iRedMail FQDN, named webmail, as illustrated in the following image.

DNS Webmail Properties

12. Next, on the iRedMail machine, open the Apache SSL configuration file /etc/httpd/conf.d/ssl.conf and change the DocumentRoot directive to point to /var/www/roundcubemail/. Keep in mind that the self-signed certificate iRedMail generated was not issued for webmail.domain.tld, so browsers will warn about the name mismatch until you install a certificate whose Subject Alternative Name covers that name.

file /etc/httpd/conf.d/ssl.conf excerpt:

DocumentRoot "/var/www/roundcubemail/"

Restart Apache daemon to apply changes.

# systemctl restart httpd

13. Now point the browser at the following address and the Roundcube interface should appear. Accept the self-signed certificate warning to continue to the login page. Replace domain.tld with your own domain name.

https://webmail.domain.tld

Step 5: Disable iRedMail Unused Services

14. Since iRedMail daemons are configured to query Samba4 AD DC LDAP server for account information and other resources, you can safely stop and disable some local services on iRedMail machine, such as LDAP database server and iredpad service by issuing the following commands.

# systemctl stop slapd iredpad
# systemctl disable slapd iredpad

15. Also, disable some scheduled tasks performed by iRedMail, such as LDAP database backup and iRedPad tracking records by adding a comment (#) in front of each line from crontab file as illustrated on the below screenshot.

# crontab -e

Disable iRedMail Tasks

Step 6: Use Mail Alias in Postfix

16. To redirect all locally generated mail (destined for postmaster and subsequently redirected to root account) to a specific Samba4 AD account, open Postfix aliases configuration file located in /etc/postfix/aliases and modify root line as follows:

root: 	your_AD_email_account@domain.tld

17. Run newaliases so that Postfix compiles the aliases file into its own lookup format, then test that the mail reaches the proper domain e-mail account with the following command.

# newaliases
# echo "Test mail" | mail -s "This is root's email" root

18. After the mail has been sent, login to Roundcube webmail with the domain account you’ve setup for mail redirection and verify the previously sent mail should be received in your account Inbox.

Verify User Mail

That's all! You now have a fully working mail server integrated with Samba4 Active Directory. Domain accounts can send and receive mail within their own domain and with external domains.

The configurations used in this tutorial can be successfully applied to integrate an iRedMail server to a Windows Server 2012 R2 or 2016 Active Directory.

How to Configure Thunderbird with iRedMail for Samba4 AD – Part 13

This tutorial will guide you on how to configure Mozilla Thunderbird client with an iRedMail server in order to send and receive mail via IMAPS and SMTP submission protocols, how to setup contacts database with Samba AD LDAP server and how to configure other related mail features, such as enabling Thunderbird contacts via LDAP database offline replica.

The process of installing and configuring Mozilla Thunderbird client described here is valid for Thunderbird clients installed on Windows or Linux operating systems.

Requirements

  1. How to Configure and Integrate iRedMail Services to Samba4 AD DC
  2. Integrate iRedMail Roundcube with Samba4 AD DC

Step 1: Configure Thunderbird for iRedMail Server

1. After installing Thunderbird mail client, hit on the launcher or shortcut to open the program and on the first screen check E-mail System Integration and click on Skip Integration button to continue.

Thunderbird System Integration

2. On the welcome screen hit on Skip this and use my existing mail button and add your name, your Samba account e-mail address and password, check Remember password field and hit on Continue button to start your mail account setup.

After Thunderbird tries to detect the IMAP settings provided by the iRedMail server, hit the Manual config button to set up Thunderbird manually.

Thunderbird Mail Account Setup

3. After the Mail Account Setup window expands, manually edit IMAP and SMTP settings by adding your proper iRedMail server FQDN, add secured ports for both mail services (993 for IMAPS and 587 for submission), select the proper SSL communication channel for each port and authentication and hit Done to complete the setup. Use the below image as a guide.

Thunderbird iRedMail Settings

4. A new Security Exception window should appear on your screen because of the self-signed certificate your iRedMail server uses. Check Permanently store this exception and hit the Confirm Security Exception button to add the exception; the Thunderbird client should now be configured.

Thunderbird Security Exception

You will see all received mail for your domain account and you should be able to send or receive mail to and from your domain or other domain accounts.

Domain Mails Inbox

Step 2: Setup Thunderbird Contacts Database with Samba AD LDAP

5. For Thunderbird clients to query the Samba AD LDAP database for contacts, open the Settings menu by right-clicking your account in the left pane and navigate to Composition & Addressing → Addressing → Use a different LDAP server → Edit Directories, as illustrated in the images below.

Thunderbird Samba AD LDAP Settings

Thunderbird Composition & Addressing Settings

6. The LDAP Directory Servers window should now open. Hit the Add button and fill in the Directory Server Properties window with the following content:

On General tab add descriptive name for this object, add the name of your domain or the FQDN of a Samba domain controller, the base DN of your domain in the form dc=your_domain,dc=tld, LDAP port number 389 and the vmail Bind DN account used to query the Samba AD LDAP database in the form vmail@your_domain.tld.

Use the below screenshot as a guide.

Directory Server Properties

7. On the next step, move to the Advanced tab of Directory Server Properties and enter the following in the Search filter field:

(&(mail=*)(|(&(objectClass=user)(!(objectClass=computer)))(objectClass=group)))

Add Search Filter

Leave the rest of the settings as default and hit on OK button to apply changes and again on OK button to close LDAP Directory Servers window and OK button again on Account Settings to close the window.

Select LDAP Directory Server

8. To test whether the Thunderbird client can query the Samba AD LDAP database for contacts, hit the upper Address Book icon and select the name of the LDAP database created earlier.

Add the password for the Bind DN account configured to interrogate the AD LDAP server (vmail@your_domain.tld), check Use Password Manager to remember the password and hit OK button to reflect changes and close the window.

Thunderbird Samba AD LDAP Testing

9. Search for a Samba AD contact using the upper search field and supplying a domain account name. Be aware that Samba AD accounts with no e-mail address declared in their AD E-mail field will not be listed in Thunderbird Address Book searches, because the search filter above requires mail=*.

Search Samba AD Mail Contacts

10. To search for a contact while composing an e-mail, click on View → Contacts Sidebar or press F9 key to open Contacts panel.

Search Mail Contacts in Thunderbird

11. Select the proper Address Book and you should be able to search and add an e-mail address for your recipient. When sending the first mail, a new security alert window should appear. Hit on Confirm Security Exception and the mail should be sent to your recipient e-mail address.

Send Mail in Thunderbird

12. If you want contact searches through the Samba LDAP database to cover only a specific AD Organizational Unit, select the Address Book for your Directory Server name in the left pane, open Properties and set the Base DN to the custom Samba AD OU, as in the example below.

ou=your_specific_ou,dc=your_domain,dc=tld 
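To show what the search filter configured for both Roundcube (the 'filter' key in the ldap_public block) and Thunderbird (the Search filter field above) actually selects, here is an added example (my code, not from the tutorial, Roundcube or Thunderbird): a small evaluator for that filter run over constructed AD entries. The DNs, names, addresses and userAccountControl values are made up. It demonstrates why computer accounts (objectClass user and computer) and accounts with an empty E-mail field are excluded, how the OU base DN of step 12 narrows the result set, and how the extensible-match rule 1.2.840.113556.1.4.803 (bitwise AND) tests the ACCOUNTDISABLE bit of userAccountControl; note that the address-book filter itself does not apply that test, so disabled accounts that still have a mail attribute keep showing up in the address book.

```python
# Added example (not from the tutorial, Roundcube or Thunderbird): an evaluator
# for the address-book filter used above, run over constructed AD entries.
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 2                        # userAccountControl bit

# The filter from the Roundcube 'ldap_public' block and the Thunderbird search field
ADDRESS_BOOK_FILTER = "(&(mail=*)(|(&(objectClass=user)(!(objectClass=computer)))(objectClass=group)))"
# Extensible match: true when the ACCOUNTDISABLE bit is set in userAccountControl
DISABLED_FILTER = f"(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})"

USER = ["top", "person", "organizationalPerson", "user"]
# Constructed entries: DNs, names, addresses and flag values are made up
ENTRIES = [
    {"dn": "CN=Tecmint User,OU=Staff,DC=tecmint,DC=lan", "cn": "Tecmint User",
     "objectClass": USER, "mail": "tecmint_user@tecmint.lan", "userAccountControl": 0x10200},
    {"dn": "CN=Old Employee,OU=Staff,DC=tecmint,DC=lan", "cn": "Old Employee",
     "objectClass": USER, "mail": "old_employee@tecmint.lan", "userAccountControl": 0x10202},
    {"dn": "CN=No Mail,CN=Users,DC=tecmint,DC=lan", "cn": "No Mail",
     "objectClass": USER, "userAccountControl": 0x10200},           # E-mail field empty
    {"dn": "CN=SRV01,CN=Computers,DC=tecmint,DC=lan", "cn": "SRV01",
     "objectClass": USER + ["computer"], "mail": "srv01@tecmint.lan",
     "userAccountControl": 0x1000},                                  # machine account
    {"dn": "CN=Domain Admins,CN=Users,DC=tecmint,DC=lan", "cn": "Domain Admins",
     "objectClass": ["top", "group"], "mail": "admins@tecmint.lan"},
]

_ITEM = re.compile(r"([A-Za-z][\w.-]*)(?::([\d.]+):)?=(.*)")


def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, !, attr=value, presence (attr=*)
    and the extensible match attr:OID:=value. Returns a nested tuple tree."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing text after filter: {text[end:]!r}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _expect_close(s, i)
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        return ("!", [kid]), _expect_close(s, i)
    end = s.find(")", i)
    m = _ITEM.fullmatch(s[i:end]) if end > 0 else None
    if m is None:
        raise ValueError(f"bad filter item at offset {i}")
    attr, rule, value = m.groups()
    return ("=", attr, rule, value), end + 1


def _expect_close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def _values(entry, attr):
    """AD attribute names are case-insensitive; an absent attribute gives []."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    values = _values(entry, attr)
    if rule == BIT_AND_RULE:               # every bit of the mask must be set
        mask = int(value)
        return any((int(v) & mask) == mask for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":                       # presence test
        return bool(values)
    return any(str(v).lower() == value.lower() for v in values)


def in_scope(entry, base_dn):
    """Subtree scope: the entry DN must equal or sit under the base DN."""
    dn, base = entry["dn"].lower(), base_dn.lower()
    return dn == base or dn.endswith("," + base)


def search(entries, base_dn, filter_text):
    """Return the cn of each entry under base_dn that matches filter_text."""
    node = parse_filter(filter_text)
    return [e["cn"] for e in entries if in_scope(e, base_dn) and matches(node, e)]


if __name__ == "__main__":
    print("address book:", search(ENTRIES, "dc=tecmint,dc=lan", ADDRESS_BOOK_FILTER))
    print("Staff OU only:", search(ENTRIES, "ou=Staff,dc=tecmint,dc=lan", ADDRESS_BOOK_FILTER))
    print("disabled:", search(ENTRIES, "dc=tecmint,dc=lan", DISABLED_FILTER))
```

If you would rather not have leavers in the global address book, AND the disabled-account clause from the Dovecot user_filter into the address-book filter in both clients; the evaluator above accepts that combined filter unchanged.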

Search Contacts in Samba LDAP Database

Step 3: Setup LDAP Offline Replica

13. To configure an offline replica of the Samba AD LDAP address book in Thunderbird, hit the Address Book button, select your LDAP Address Book, open Directory Server Properties -> General tab and change the port number to 3268 (the Global Catalog LDAP port served by the AD DC).

Then switch to Offline tab and hit on Download Now button to start replicate Samba AD LDAP database locally.

Setup LDAP Offline Replica in Thunderbird

Download LDAP Database for Offline

When the process of synchronizing contacts finishes you will be informed with the message Replication succeeded. Hit OK and close all windows. In case Samba domain controller cannot be reached you can still search for LDAP contacts by working in offline mode.

Integrate CentOS 7 to Samba4 AD from Commandline – Part 14

This guide will show you how you can integrate a CentOS 7 Server with no Graphical User Interface to Samba4 Active Directory Domain Controller from command line using Authconfig software.

This type of setup provides a single centralized account database held by Samba and allows the AD users to authenticate to CentOS server across the network infrastructure.

Requirements

  1. Create an Active Directory Infrastructure with Samba4 on Ubuntu
  2. CentOS 7.3 Installation Guide

Step 1: Configure CentOS for Samba4 AD DC

1. Before starting to join CentOS 7 Server into a Samba4 DC you need to assure that the network interface is properly configured to query domain via DNS service.

Run ip address command to list your machine network interfaces and choose the specific NIC to edit by issuing nmtui-edit command against the interface name, such as ens33 in this example, as illustrated below.

# ip address
# nmtui-edit ens33

List Network Interfaces

2. Once the network interface is opened for editing, add the static IPv4 configurations best suited for your LAN and make sure you setup Samba AD Domain Controllers IP addresses for the DNS servers.

Also, append the name of your domain in the search domains field and navigate to the OK button using the [TAB] key to apply the changes.

The search domains field ensures that the domain part is automatically appended during DNS resolution (to form the FQDN) when you use only the short name of a domain DNS record.

Configure Network Interface

3. Finally, restart the network daemon to apply changes and test if DNS resolution is properly configured by issuing series of ping commands against the domain name and domain controllers short names as shown below.

# systemctl restart network.service
# ping -c2 tecmint.lan
# ping -c2 adc1
# ping -c2 adc2

Verify DNS Resolution on Domain

4. Also, configure your machine hostname and reboot the machine to properly apply the settings by issuing the following commands.

# hostnamectl set-hostname your_hostname
# init 6

Verify if hostname was correctly applied with the below commands.

# cat /etc/hostname
# hostname

5. Finally, sync local time with Samba4 AD DC by issuing the below commands with root privileges.

# yum install ntpdate
# ntpdate domain.tld

Sync Time with Samba4 AD DC

Step 2: Join CentOS 7 Server to Samba4 AD DC

6. To join CentOS 7 server to Samba4 Active Directory, first install the following packages on your machine from an account with root privileges.

# yum install authconfig samba-winbind samba-client samba-winbind-clients

7. To integrate the CentOS 7 server into the domain, run the authconfig-tui text-mode utility with root privileges and use the configuration described below.

# authconfig-tui

At the first prompt screen choose:

  • On User Information:
    • Use Winbind
  • On Authentication tab select by pressing [Space] key:
    • Use Shadow Password
    • Use Winbind Authentication
    • Local authorization is sufficient

Authentication Configuration

8. Hit Next to continue to the Winbind Settings screen and configure as illustrated below:

  • Security Model: ads
  • Domain = YOUR_DOMAIN (use upper case)
  • Domain Controllers = domain machines FQDN (comma separated if more than one)
  • ADS Realm = YOUR_DOMAIN.TLD
  • Template Shell = /bin/bash

Winbind Settings

9. To perform domain joining navigate to Join Domain button using [tab] key and hit [Enter] key to join domain.

At the next screen prompt, add the credentials for a Samba4 AD account with elevated privileges to perform the machine account joining into AD and hit OK to apply settings and close the prompt.

Be aware that when you type the user password, the credentials won’t be shown in the password screen. On the remaining screen hit OK again to finish domain integration for CentOS 7 machine.

Join Domain to Samba4 AD DC

Confirm Winbind Settings

To have the machine account placed in a specific Samba AD Organizational Unit, pre-create a Computer object with the exact machine name (as printed by the hostname command) in that OU before running the join; the join then reuses that object instead of creating a new one in the default Computers container.

The easiest way to add such an object to Samba4 AD is with the ADUC tool from a domain-joined Windows machine with RSAT tools installed.

Important: An alternative way to join the domain is the authconfig command line, which offers extensive control over the integration process.

However, this method is error-prone because of its many parameters, as the command below shows. Type it as a single line; it will ask for the password of the join account given to --winbindjoin.

# authconfig --enablewinbind --enablewinbindauth --smbsecurity ads --smbworkgroup=YOUR_DOMAIN --smbrealm YOUR_DOMAIN.TLD --smbservers=adc1.yourdomain.tld --krb5realm=YOUR_DOMAIN.TLD --enablewinbindoffline --enablewinbindkrb5 --winbindtemplateshell=/bin/bash --winbindjoin=domain_admin_user --update --enablelocauthorize --savebackup=/backups

10. After the machine has been joined to domain, verify if winbind service is up and running by issuing the below command.

# systemctl status winbind.service

11. Then, check that the CentOS machine object has been created in Samba4 AD. Use the AD Users and Computers tool from a Windows machine with RSAT tools installed and navigate to your domain's Computers container. A new AD computer account object with the name of your CentOS 7 server should be listed in the right pane.

12. Finally, tweak the configuration by opening samba main configuration file (/etc/samba/smb.conf) with a text editor and append the below lines at the end of the [global] configuration block as illustrated below:

winbind use default domain = true
winbind offline logon = true

Configure Samba

13. In order to create local homes on the machine for AD accounts at their first logon run the below command.

# authconfig --enablemkhomedir --update

14. Finally, restart Samba daemon to reflect changes and verify domain joining by performing a logon on the server with an AD account. The home directory for the AD account should be automatically created.

# systemctl restart winbind
# su - domain_account

Verify Domain Joining

15. List the domain users or domain groups by issuing one of the following commands.

# wbinfo -u
# wbinfo -g

List Domain Users and Groups

16. To get info about a domain user run the below command.

# wbinfo -i domain_user

List Domain User Info

17. To display summary domain info issue the following command.

# net ads info

List Domain Summary

Step 3: Login to CentOS with a Samba4 AD DC Account

18. To authenticate as a domain user on CentOS, use one of the following forms. The backslash must be quoted or doubled, otherwise the shell strips it before su sees the account name.

# su - 'domain\domain_user'
# su - domain\\domain_user

Or use the form below if winbind use default domain = true is set in the Samba configuration file.

# su - domain_user
# su - domain_user@domain.tld

19. To grant root privileges to a domain user or group, edit the sudoers file with the visudo command and add lines like the following, as illustrated in the screenshot below. In sudoers the backslash separating domain and account must itself be escaped as \\, and a space inside a group name is written as \ (for example %YOUR_DOMAIN\\domain\ admins).

YOUR_DOMAIN\\domain_username       ALL=(ALL:ALL) ALL   #For domain users
%YOUR_DOMAIN\\domain_group         ALL=(ALL:ALL) ALL   #For domain groups

Or use the lines below if winbind use default domain = true is set in the Samba configuration file.

domain_username                    ALL=(ALL:ALL) ALL   #For domain users
%domain_group                      ALL=(ALL:ALL) ALL   #For domain groups

Grant Root Privileges on Domain Users

20. The following series of commands against a Samba4 AD DC can also be useful for troubleshooting purposes:

# wbinfo -p #Ping domain
# wbinfo -n domain_account #Get the SID of a domain account
# wbinfo -t  #Check trust relationship

21. To leave the domain run the following command against your domain name using a domain account with elevated privileges. After the machine account has been removed from the AD, reboot the machine to revert changes before the integration process.

# net ads leave -w DOMAIN -U domain_admin
# init 6

That’s all! Although this procedure is mainly focused on joining a CentOS 7 server to a Samba4 AD DC, the same steps described here are also valid for integrating a CentOS server into a Microsoft Windows Server 2012 Active Directory.

Integrate Ubuntu to Samba4 AD DC with SSSD and Realm – Part 15

This tutorial will guide you on how to join an Ubuntu Desktop machine into a Samba4 Active Directory domain with SSSD and Realmd services in order to authenticate users against an Active Directory.

Requirements:

  1. Create an Active Directory Infrastructure with Samba4 on Ubuntu

Step 1: Initial Configurations

1. Before starting to join Ubuntu into an Active Directory make sure the hostname is properly configured. Use hostnamectl command to set the machine name or manually edit /etc/hostname file.

$ sudo hostnamectl set-hostname your_machine_short_hostname
$ cat /etc/hostname
$ hostnamectl

2. On the next step, edit machine network interface settings and add the proper IP configurations and the correct DNS IP server addresses to point to the Samba AD domain controller as illustrated in the below screenshot.

If you have configured a DHCP server at your premises to automatically assign IP settings for your LAN machines with the proper AD DNS IP addresses then you can skip this step and move forward.

Configure Network Interface

In the above screenshot, 192.168.1.254 and 192.168.1.253 represent the IP addresses of the Samba4 Domain Controllers.

3. Restart the network services to apply the changes using the GUI or from command line and issue a series of ping command against your domain name in order to test if DNS resolution is working as expected. Also, use host command to test DNS resolution.

$ sudo systemctl restart networking.service
$ host your_domain.tld
$ ping -c2 your_domain_name
$ ping -c2 adc1
$ ping -c2 adc2

4. Finally, make sure that machine time is in sync with Samba4 AD. Install ntpdate package and sync time with the AD by issuing the below commands.

$ sudo apt-get install ntpdate
$ sudo ntpdate your_domain_name

Step 2: Install Required Packages

5. On this step install the necessary software and required dependencies in order to join Ubuntu into Samba4 AD DC: Realmd and SSSD services.

$ sudo apt install adcli realmd krb5-user samba-common-bin samba-libs samba-dsdb-modules sssd sssd-tools libnss-sss libpam-sss packagekit policykit-1 

6. Enter the name of the default realm in upper case and press Enter to continue the installation.

Set Realm Name

7. Next, create the SSSD configuration file with the following content.

$ sudo nano /etc/sssd/sssd.conf

Add following lines to sssd.conf file.

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sssd]
domains = tecmint.lan
config_file_version = 2
services = nss, pam
default_domain_suffix = TECMINT.LAN


[domain/tecmint.lan]
ad_domain = tecmint.lan
krb5_realm = TECMINT.LAN
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

Make sure you replace the domain name in following parameters accordingly:

domains = tecmint.lan
default_domain_suffix = TECMINT.LAN
[domain/tecmint.lan]
ad_domain = tecmint.lan
krb5_realm = TECMINT.LAN

8. Next, restrict the permissions on the SSSD configuration file. SSSD checks this file's ownership and mode at start-up and expects it to be owned by root with mode 0600; a more permissive mode makes the daemon refuse to start.

$ sudo chown root:root /etc/sssd/sssd.conf
$ sudo chmod 600 /etc/sssd/sssd.conf

9. Now, open and edit Realmd configuration file and add the following lines.

$ sudo nano /etc/realmd.conf

Realmd.conf file excerpt:

[active-directory]
os-name = Linux Ubuntu
os-version = 17.04

[service]
automatic-install = yes

[users]
default-home = /home/%d/%u
default-shell = /bin/bash

[tecmint.lan]
user-principal = yes
fully-qualified-names = no

10. The last file to modify belongs to the Samba daemon. Open /etc/samba/smb.conf for editing and add the following lines near the top of the file, inside the [global] section (right under the [global] header), as illustrated in the image below.

   workgroup = TECMINT
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   realm = TECMINT.LAN
   security = ads

Configure Samba Server

Make sure you replace the domain name values, especially the realm value, to match your domain name, then run the testparm command to check that the configuration file contains no errors.

$ sudo testparm

Test Samba Configuration

11. After you've made all the required changes, test Kerberos authentication with an AD administrative account and list the resulting ticket by issuing the below commands. Because kinit runs under sudo, the ticket is stored in root's credential cache, which is why klist is run with sudo as well:

$ sudo kinit ad_admin_user@DOMAIN.TLD
$ sudo klist

Check Kerberos Authentication

Step 3: Join Ubuntu to Samba4 Realm

12. To join the Ubuntu machine to the Samba4 Active Directory, issue the following series of commands as illustrated below. Use an AD account with administrative privileges (a member of Domain Admins, for example) so that the binding to the realm works as expected, and replace the domain name value accordingly. realm join creates the computer account and the host keytab; net ads join -k then authenticates with the existing Kerberos ticket (-k) to register the host with Samba as well.

$ sudo realm discover -v DOMAIN.TLD
$ sudo realm list
$ sudo realm join TECMINT.LAN -U ad_admin_user -v
$ sudo net ads join -k

Join Ubuntu to Samba4 Realm

List Realm Domain Info

Add User to Realm Domain

Add Domain to Realm

13. After the domain binding has taken place, run the below command to allow all domain accounts to authenticate on the machine.

$ sudo realm permit --all

Permitting every account is convenient while testing, but on a server you usually want the opposite policy: deny everyone, then permit only the users or groups that need a login, as in the examples below. The realm command needs root privileges, and group names containing spaces must be quoted.

$ sudo realm deny --all
$ sudo realm permit --groups 'DOMAIN.TLD\Linux Admins'
$ sudo realm permit user@domain.tld
$ sudo realm permit 'DOMAIN\User2'

14. From a Windows machine with RSAT tools installed you can open AD UC, navigate to the Computers container and check that a computer object with the name of your machine has been created.

Confirm Domain Added to AD DC

Step 4: Configure AD Accounts Authentication

15. In order to authenticate on the Ubuntu machine with domain accounts, run the pam-auth-update command with root privileges and enable all PAM profiles, including the one that automatically creates a home directory for each domain account at first login.

Check all entries by pressing [space] key and hit ok to apply configuration.

$ sudo pam-auth-update

PAM Configuration

16. Alternatively, edit /etc/pam.d/common-session manually and add the following line in order to create home directories for domain users automatically at first login. pam_mkhomedir is a session module, which is why it belongs in common-session rather than common-account. Use umask=0077 instead of 0022 if home directories must not be readable by other users.

session    required    pam_mkhomedir.so    skel=/etc/skel/    umask=0022

17. If Active Directory users can't change their password from the Linux command line, open /etc/pam.d/common-password and remove the use_authtok statement from the module's password line, so that it finally looks like the excerpt below. The excerpt shows the Winbind module; on a host that authenticates through SSSD only, apply the same change to the pam_sss.so line instead.

password       [success=1 default=ignore]      pam_winbind.so try_first_pass

18. Finally, restart and enable Realmd and SSSD service to apply changes by issuing the below commands:

$ sudo systemctl restart realmd sssd
$ sudo systemctl enable realmd sssd

19. To test whether the Ubuntu machine was successfully integrated into the realm, install the winbind package and run the wbinfo command to list domain accounts and groups as illustrated below.

$ sudo apt-get install winbind
$ wbinfo -u
$ wbinfo -g

List Domain Accounts

20. Also check the Winbind nsswitch module by issuing the getent command against a specific domain user or group.

$ sudo getent passwd your_domain_user
$ sudo getent group 'domain admins'

Check Winbind Nsswitch

21. You can also use Linux id command to get info about an AD account as illustrated on the below command.

$ id tecmint_user

Check AD User Info

22. To authenticate on the Ubuntu host with a Samba4 AD account, pass the domain username to the su - command. Run the id command afterwards to get extra info about the AD account.

$ su - your_ad_user

AD User Authentication

Use pwd command to see your domain user current working directory and passwd command if you want to change password.

23. To use a domain account with root privileges on your Ubuntu machine, add the AD username to the local sudo group by issuing the below command. With use_fully_qualified_names = True the name must be given in user@domain form. Bear in mind that membership of the sudo group grants unrestricted root, so reserve it for administrators:

$ sudo usermod -aG sudo your_domain_user@domain.tld

Log in to Ubuntu with the domain account and run apt update under sudo to confirm that the root privileges work.

24. To add root privileges for a domain group, open end edit /etc/sudoers file using visudo command and add the following line as illustrated.

%domain\ admins@tecmint.lan       		 ALL=(ALL:ALL) ALL

25. To use domain account authentication on Ubuntu Desktop, modify the LightDM display manager by editing /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf, append the following two lines, and restart the lightdm service or reboot the machine to apply the changes.

greeter-show-manual-login=true
greeter-hide-users=true

Log in to Ubuntu Desktop with a domain account using either your_domain_username or your_domain_username@your_domain.tld syntax.

26. To use the short name format for Samba AD accounts, edit /etc/sssd/sssd.conf and add the following line to the [sssd] block as illustrated below.

full_name_format = %1$s

and restart the SSSD daemon to apply changes.

$ sudo systemctl restart sssd

You will notice that the bash prompt changes to the short name of the AD user, without the domain name appended. The convenience has a cost: once the suffix is dropped, a domain account can carry the same name as a local account in /etc/passwd, and which one a login resolves to depends on the order of sources in /etc/nsswitch.conf. Check for such overlaps before enabling short names on a host with existing local users.
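The overlap check just described can be scripted. The following is an added example, not part of the original guide: it compares local passwd entries with what getent passwd returns for domain users once short names are in effect, and reports name clashes, UID clashes and domain UIDs that fall inside the local range. The function names local_passwd, domain_passwd and find_account_conflicts are hypothetical, and both account lists are constructed samples rather than output from a real host; the large domain UIDs mimic what ldap_id_mapping = True produces.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): once full_name_format = %1$s
# strips the @domain suffix, a domain account and a local account can share a
# name, and whichever source nsswitch consults first wins. This script compares
# local passwd entries with what getent returns for domain users and reports
# name clashes, UID clashes and domain UIDs that fall into the local range.
# Both inputs below are constructed samples, not output from a real host.

# Constructed local accounts, as found in /etc/passwd.
local_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
tecmint:x:1000:1000:tecmint:/home/tecmint:/bin/bash
EOF
}

# Constructed domain accounts, as getent passwd would show them with short
# names in effect. The large UIDs are what ldap_id_mapping = True produces.
domain_passwd() {
    cat <<'EOF'
tecmint:*:1643001104:1643000513:Tecmint User:/home/tecmint.lan/tecmint:/bin/bash
john:*:1643001105:1643000513:John Doe:/home/tecmint.lan/john:/bin/bash
svc_backup:*:34:1643000513:Backup Service:/home/tecmint.lan/svc_backup:/bin/bash
EOF
}

# find_account_conflicts LOCAL_FILE DOMAIN_FILE
# Prints one line per conflict and returns 1 if any were found, 0 otherwise.
find_account_conflicts() {
    out=$(awk -F: '
        FILENAME == ARGV[1] { lname[$1] = $3; luid[$3] = $1; next }   # local entries
        {
            if ($1 in lname)
                print "name clash: " $1 " is local uid " lname[$1] " and domain uid " $3
            if ($3 in luid)
                print "uid clash: domain " $1 " shares uid " $3 " with local " luid[$3]
            if ($3 + 0 < 1000)
                print "low uid: domain " $1 " has uid " $3 ", inside the system/local range"
        }' "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

loc=$(mktemp); dom=$(mktemp)
local_passwd > "$loc"
domain_passwd > "$dom"
find_account_conflicts "$loc" "$dom"
rm -f "$loc" "$dom"
```

On a real host, feed it /etc/passwd and the output of getent passwd for the domain (for example via wbinfo -u piped through getent); a "name clash" line means the same login name resolves differently depending on nsswitch order, and the affected local account should be renamed or removed before short names are enabled.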

27. In case you cannot log in due to the enumerate=true argument set in sssd.conf, clear the SSSD cache database. Stop the sssd service first, remove the file as root, then start the service again; sss_cache -E from the sssd-tools package is the gentler alternative when you only need the cached entries invalidated:

$ sudo rm /var/lib/sss/db/cache_tecmint.lan.ldb

That’s all! Although this guide is mainly focused on integration with a Samba4 Active Directory, the same steps can be applied in order to integrate Ubuntu with Realmd and SSSD services into a Microsoft Windows Server Active Directory.

Integrate VMware ESXI to Samba4 AD Domain Controller – Part 16

This guide describes how to integrate a VMware ESXI host into a Samba4 Active Directory Domain Controller in order to authenticate to VMware vSphere hypervisors across the network infrastructure with accounts provided by a single centralized database.

Requirements

  1. Create an Active Directory Infrastructure with Samba4 on Ubuntu

Step 1: Configure VMware ESXI Network for Samba4 AD DC

1. Preliminary steps before joining a VMware ESXI to a Samba4 require that the hypervisor has the proper Samba4 AD IP addresses configured in order to query the domain via DNS service.

To accomplish this step from VMware ESXI direct console, reboot the hypervisor, press F2 to open the direct console (also called DCUI) and authenticate with the root credentials assigned for the host.

Then, using the keyboard arrows navigate to Configure Management Network -> DNS Configuration and add the IP addresses of your Samba4 Domain Controllers in Primary and Alternate DNS Server fields.

Also, configure the hostname for the hypervisor with a descriptive name and press [Enter] to apply changes. Use the below screenshots as a guide.

VMware ESXI Console

VMware ESXI DNS Configuration

VMware ESXI Set Hostname

2. Next, go to Custom DNS Suffixes, add the name of your domain and press [Enter] key to write changes and return to main menu.

Then, go to Restart Management Network and press [Enter] key restart the network service in order to apply all changes made so far.

VMware ESXI Custom DNS Suffix

VMware ESXI Network Management

3. Finally, make sure that gateway and Samba DNS IPs are reachable from the hypervisor and test if the DNS resolution works as expected by selecting Test Management Network from the menu.

VMware ESXI Test Management Network

Test Samba DNS IP

Confirm Samba DNS IP

Step 2: Join VMware ESXI to Samba4 AD DC

4. All the steps performed from now on will be made through the VMware vSphere Client. Open VMware vSphere Client and login to your hypervisor IP address with the default root account credentials or with other account with root privileges on the hypervisor if that’s the case.

VMware vSphere Client

5. Once you've entered the vSphere console, and before actually joining the domain, make sure that the hypervisor's time is in sync with the Samba domain controllers. Kerberos rejects tickets when the clock skew exceeds the default of five minutes, so a drifting clock makes the join or later logins fail with authentication errors.

To accomplish this, navigate to the upper menu and hit the Configuration tab. Then, in the left Software box, choose Time Configuration and hit the Properties button in the upper right pane; the Time Configuration window should open as illustrated below.

VMware vSphere Client Time Configuration

6. On Time Configuration window hit on Options button, navigate to NTP Settings and add the IP addresses of your domain time providers (usually the IP addresses of your Samba domain controllers).

Then go to General menu and start the NTP daemon and choose to start and stop the NTP service with the hypervisor as illustrated below. Press OK button to apply changes and close both windows.

Add NTP Server IP

Manage NTP Service

7. Now you can join VMware ESXI hypervisor to Samba domain. Open Directory Services Configuration window by hitting on Configuration -> Authentication Services –> Properties.

From the window prompt select Active Directory as the Directory Service Type, write the name of your domain in upper case and click on the Join Domain button to perform the domain binding.

On the new prompt you will be asked to add the credentials of a domain account with elevated privileges to perform the joining. Add the username and password of a domain account with administrative privileges and hit Join Domain button to integrate into the realm and OK button to close the window.

Join VMware ESXI Hypervisor to Samba

Directory Services Configuration

8. In order to verify that the ESXI hypervisor has been integrated into the Samba4 AD DC, open AD Users and Computers from a Windows machine with RSAT tools installed and navigate to your domain's Computers container.

The hostname of VMware ESXI machine should be listed on the right plane as illustrated below.

AD Users and Computers

Step 3: Assign Permissions for Domain Accounts to ESXI Hypervisor

9. In order to manipulate different aspects and services of the VMware hypervisor you might want to assign certain permissions and roles for domain accounts in VMware ESXI host.

To add permissions hit the upper Permissions tab, right-click anywhere in the permissions pane and choose Add Permission from the menu.

Assign Permissions for Domain Accounts

10. In the Assign Permissions window hit the lower left Add button, select your domain and type the name of a domain account in the search field.

Choose the proper username from the list and hit Add button to add the account. Repeat the step if you want to add other domain users or groups. When you finish adding the domain users hit OK button to close the window and return previous setting.

Assign Permissions

Select Users and Groups

11. To assign a role to a domain account, select the desired name from the left pane and choose a predefined role, such as Read-only or Administrator, from the right pane. Prefer the narrowest role that covers the account's job: Administrator on the host is the equivalent of root on the hypervisor.

Check the proper privileges you want to grant for this user and hit OK when you finish in order to reflect changes.

Assign Admin User for Domain

12. That’s all! The authentication process in VMware ESXI hypervisor from VSphere Client with a Samba domain account is pretty straightforward now.

Just enter the username and password of a domain account in the login screen as shown in the picture below. Depending on the level of permissions granted to the domain account, you will be able to manage the hypervisor completely or just parts of it.

VMware vSphere Client Login

Although this tutorial mainly included only the steps required to join a VMware ESXI hypervisor into a Samba4 AD DC, the same procedure as described in this tutorial applies for integrating a VMware ESXI host into a Microsoft Windows Server 2012/2016 realm.

Source

How to Install ‘locate Command’ to Find Files in Linux

The locate is a command line utility for finding files by name in Linux, just like find command. However, it works more efficiently compared to its counterpart; it uses one or more databases populated by the updatedb program and prints file names matching at least one of the patterns (a user provides) to standard output.

The locate command is shipped by different packages depending on the distribution: GNU findutils carries its own locate implementation, while mlocate is a separate implementation with a faster, permission-aware database. On most CentOS/RHEL systems findutils comes pre-installed but does not include locate, so if you try to run the command you may encounter the error:

-bash: locate: command not found

In this article, we will show you how to install mlocate package which provides the locate and updatedbcommands to find files in Linux systems.

Below is a sample output showing the above error and querying findutils package.

$ locate bash_completion.sh
$ rpm -qa | grep findutils

Locate Command Not Found

To install mlocate, use the YUM or APT package manager as per your Linux distribution as shown.

$ sudo yum install mlocate    [On CentOS/RHEL]
$ sudo apt install mlocate    [On Debian/Ubuntu]     

After installing mlocate, you need to build the database that locate reads by running updatedb as root (with sudo); until then locate returns nothing or an error. The default database location is /var/lib/mlocate/mlocate.db, and the daily cron job installed with the package keeps it refreshed afterwards.

$ sudo updatedb

Once the database is updated, now try to run the locate command, which should work this time around.

$ locate bash_completion.sh

Find Files Using Locate Command

To match the pattern exactly rather than as a substring, use the -b (basename) option and start the pattern with a backslash, which turns off the implicit wildcards locate would otherwise wrap around it:

$ locate -b '\bash_completion.sh'

Note: You can use the LOCATE_PATH environment variable to set a path to extra databases, which are read after the default database or any databases listed using the --database flag on the command line.

Note also that locate does not bypass file permissions: the mlocate database is readable only by the mlocate group, the locate binary is setgid to that group, and at query time it drops results from directories the calling user cannot read. A database built with updatedb -l 0 (for example a private one written with -o) skips that check, so do not share such a database with other users.

That’s all! In this guide, we showed you how to install mlocate package which offers the locate and updatedbcommands on a Linux system. Share your views with us through the feedback form below.

Source

3 Ways to Extract and Copy Files from ISO Image in Linux

Let’s say you have a large ISO file on your Linux server and you wanted to access, extract or copy one single file from it. How do you do it? Well in Linux there are couple ways do it.

Read Also: A Bash Script to Create a Bootable USB from ISO in Linux

For example, you can use standard mount command to mount an ISO image in read-only mode using the loop device and then copy the files to another directory.

Mount or Extract ISO File in Linux

To do so, you must have an ISO file (I used ubuntu-16.10-server-amd64.iso ISO image) and mount point directory to mount or extract ISO files.

First create an mount point directory, where you will going to mount the image as shown:

$ sudo mkdir /mnt/iso

Once directory has been created, you can easily mount ubuntu-16.10-server-amd64.iso file and verify its content by running following command.

$ sudo mount -o loop ubuntu-16.10-server-amd64.iso /mnt/iso
$ ls /mnt/iso/

Mount ISO File in Linux

Now you can go inside the mounted directory (/mnt/iso) and access the files or copy the files to /tmp directory using cp command.

$ cd /mnt/iso
$ sudo cp md5sum.txt /tmp/
$ sudo cp -r ubuntu /tmp/

Copy Files From ISO File in Linux

Note: The -r option used to copy directories recursively, if you want you can also monitor progress of copy command.

Extract ISO Content Using 7zip Command

If you don't want to mount the ISO file, you can simply install 7zip, an open source archive program used to pack and unpack a number of formats including TAR, XZ, GZIP, ZIP, BZIP2 and ISO images.

$ sudo apt-get install p7zip-full p7zip-rar [On Debian/Ubuntu systems]
$ sudo yum install p7zip p7zip-plugins      [On CentOS/RHEL systems]

Once 7zip program has been installed, you can use 7z command to extract ISO file contents.

$ 7z x ubuntu-16.10-server-amd64.iso

7zip - Extract ISO File Content in Linux

Note: Compared with the mount approach, 7z needs neither root privileges nor a loop device, and it parses the image in user space instead of handing an untrusted filesystem to the kernel, which makes it the safer choice for images from unknown sources. It also handles many other archive formats with the same syntax.

Extract ISO Content Using isoinfo Command

The isoinfo command is used for directory listings of iso9660 images, but you can also use this program to extract files.

As I said isoinfo program perform directory listing, so first list the content of ISO file.

$ isoinfo -i ubuntu-16.10-server-amd64.iso -l

List ISO Content in Linux

Now you can extract a single file from an ISO image like so:

$ isoinfo -i ubuntu-16.10-server-amd64.iso -x MD5SUM.TXT > MD5SUM.TXT

Note: The redirection is needed because -x writes the file to stdout. If the output file comes out empty, give the path exactly as the -l listing shows it, with a leading slash and the ;1 version suffix (for example '/MD5SUM.TXT;1'), or add -R so that Rock Ridge names such as md5sum.txt are accepted.

Extract Single File from ISO in Linux

Well, there are many ways to do, if you know any useful command or program to extract or copy files from ISO file do share us via comment section.

Source

Todo.txt – Manages Your Todo Tasks from Linux Terminal

Todo.txt (todo.txt-cli) is an easy and extensible shell script for managing your todo.txt file. It allows you to add todos, list added todos, mark an entry as done, appends text to existing lines, and remove duplicate lines from todo.txt all from the Linux command line.

It also supports archiving (moves all done tasks from todo.txt to done.txt and removes blank lines), de-prioritizing (removes the priority) from the task(s) and so much more.

Todo.txt-cli is part of the todo.txt apps, which are minimal, open source and cross-platform, todo.txt-focused editors that help you manage your tasks with as few keystrokes and taps as possible. Todo.txt CLI and Todo.txt Touch are built for the CLI, iOS, and Android.

Todo.txt CLI Demo

How to Install Todo.txt CLI in Linux

To install todo.txt-cli, first you need to clone the git repository on your system using following git command.

$ cd ~/bin
$ git clone https://github.com/todotxt/todo.txt-cli.git
$ cd todo.txt-cli/

Then run the following commands to build and install todo.txt-cli.

$ make
$ sudo make install

Note: The Makefile makes several default paths for installed files. You can use the following variables to make adjustments on your system:

  • INSTALL_DIR: PATH for executables (default /usr/local/bin).
  • CONFIG_DIR: PATH for todo.txt config.
  • BASH_COMPLETION: PATH for auto-completion scripts (default to /etc/bash_completion.d).

For example:

$ make install CONFIG_DIR=$HOME/.todo INSTALL_DIR=$HOME/bin BASH_COMPLETION=/usr/share/bash-completion/completions

Install Todo.txt CLI in Linux

How to Use Todo.txt CLI in Linux

To add a todo task to your todo.txt file, run the following commands as your own user. Do not prefix them with sudo: that would create the tasks in root's todo.txt, owned by root, instead of in yours.

$ todo.sh add "setup new linode server"
$ todo.sh add "discuss fosswork.com site with Ravi"

Add Todo Tasks in Linux Terminal

To list added todo tasks, use the following command.

$ todo.sh ls

List Todo Tasks in Linux Terminal

You can mark a task as done in todo.txt using the following command.

$ todo.sh do 1

Mark Todo Task as Done

You can also delete a todo item, for example:

$ todo.sh del 1

Delete a Todo Task in Linux

For more usage and command options, run the following command.

$ todo.sh -h

Todo.txt Homepage: http://todotxt.org/

That’s all! Todo.txt is a simple shell script for creating and managing all your tasks from the Linux terminal. Share your thoughts about it or ask any questions via the feedback form below.

Source
