UCS Samba Shares

Whether you want to share files, printers or other services in your network – the Open Source software suite Samba is an incredibly powerful tool which brings Linux, Windows and macOS client computers together. Samba can manage shares for users and groups, and since version 4, Samba can also take on the role of an Active Directory Domain Controller and thus replace the Windows directory service in a domain.

File shares make data available in a central location – a real advantage, especially in large and heterogeneous environments with numerous computers and thousands of user accounts. Admins of a UCS or UCS@school domain can create shares in the Univention Management Console (UMC). Alternatively, the command line tool univention-directory-manager manages shares on the shell.

On top of that, you can use LDAP queries to automate things. The directory service can provide information about existing shares of a domain and, based on this information, automatically mount these shares. This also applies to applications which are not directly based on UCS.

In this article, I’ll demonstrate how to create Samba shares via the UMC and on the command line. I’ll also explain how to query the LDAP directory service to get detailed information about shares. Finally, I’ll show you how to use that information to automate things.

UCS: OpenLDAP and Samba 4

If you manage Linux, Windows, and macOS clients in your UCS domain, you can use a second, AD-DS-compatible directory service in addition to the existing OpenLDAP: Samba 4. A blog post from May 2021 explains the differences between Samba and Active Directory and makes suggestions on how to combine the two solutions in your UCS domain. UCS synchronizes automatically between OpenLDAP (Linux and other Unix clients) and Samba 4 as an Active Directory compatible service. This way, both systems always have the same information.

As part of the UCS domain replication, shares can also be managed from a central point. This means that they are available on any computer in the UCS domain. The LDAP directory service handles the access rights for users, groups and everyone else (read, write, execute).

Samba’s main configuration file is /etc/samba/smb.conf. It defines, for example, which data the server shares with the users. Additionally, you’ll find several more configuration files in /etc/samba/shares.conf.d/ on your UCS machine. Those files are created by a listener script, which also takes care of the ACLs (Access Control Lists).

Creating Samba Shares in UMC

Using the module Domain / Shares in the Univention Management Console is an easy way to create shares for your domain:

Univention Management Console: Samba-Shares

In this dialog you enter the name of the share, the server name or IP, the path to the directory you want to export, the owner and the group. Using the checkboxes below, you can also specify permissions for the share’s root directory (read, write, access) of the owner, the group, and all other users in the domain.

You can adjust the general Samba settings after you’ve clicked Samba on the left. This includes the share’s name on Windows machines in your network, read-only and write access for users and guests, and more. For more information, please have a look at the corresponding chapter in our manual.

It’s also worth mentioning that shares in UCS can also be made available for the Network File System (NFS) at the same time. This is particularly interesting for Unix-based clients. However, a closer look at this is beyond the scope of this article – let’s focus on Samba instead.

Managing Shares with the Univention Directory Manager

The Univention Directory Manager (UDM) is the command line interface to the Univention Management Console. The UDM offers the same functionality as the web interface. It’s especially useful for admins who prefer working on the shell and, of course, the commands can be used in shell scripts.

You have to be root to use the univention-directory-manager command (or udm for short). The command expects the name of a module and an operation. In order to list available UDM modules, use the command udm modules. Every module supports up to five operations: list (prints a list of existing objects), create (creates a new object), modify (modifies existing objects), remove (removes an object), and move (moves objects to a different position in the LDAP directory service).

The following example shows an existing share’s details. You will notice that all attributes visible in the UMC have a UDM equivalent:

root@primary:~# udm shares/share list --filter cn=Freigabe1
cn=Freigabe1
DN: cn=Freigabe1,cn=shares,dc=training,dc=ucs
directorymode: 0755
group: 0
host: server-Berlin.training.ucs
name: Freigabe1
owner: 0
path: /data
printablename: Freigabe1 (server-Berlin.training.ucs)
root_squash: 1
sambaBlockSize: None
sambaBlockingLocks: 1
sambaBrowseable: 1
sambaCreateMode: 0744
sambaCscPolicy: manual
sambaDirectoryMode: 0755
sambaDirectorySecurityMode: 0777
sambaDosFilemode: 0
sambaFakeOplocks: 0
sambaForceCreateMode: 00
sambaForceDirectoryMode: 00
sambaForceDirectorySecurityMode: 00
sambaForceGroup: None
sambaForceSecurityMode: 00
sambaForceUser: None
sambaHideFiles: None
sambaHideUnreadable: 0
sambaInheritAcls: 1
sambaInheritOwner: 0
sambaInheritPermissions: 0
sambaInvalidUsers: None
sambaLevel2Oplocks: 1
sambaLocking: 1
sambaMSDFSRoot: 0
sambaName: Freigabe1
sambaNtAclSupport: 1
sambaOplocks: 1
sambaPostexec: None
sambaPreexec: None
sambaPublic: 0
sambaSecurityMode: 0777
sambaStrictLocking: Auto
sambaVFSObjects: None
sambaValidUsers: None
sambaWriteList: None
sambaWriteable: 1
subtree_checking: 1
sync: sync
writeable: 1

So, we know everything about existing attributes. Next, let’s modify the path:

root@primary:~# udm shares/share modify --dn cn=Freigabe1,cn=shares,dc=training,dc=ucs --set path=/newdata

Object modified: cn=Freigabe1,cn=shares,dc=training,dc=ucs

root@primary:~# udm shares/share list --filter cn=Freigabe1 | grep path
   path: /newdata

You can find additional information about the command line interface in our manual.


LDAP Queries on the Command Line

There is another shell command you can use to query the UCS directory service: univention-ldapsearch. The tool also requires root privileges, since it reads data that should be available to admins only. It calls ldapsearch in the background and supplies the correct LDAP server, search base, and authentication details. As a result, all root users on all UCS machines can access the directory service with the account of the current system. The tool expects a search filter as an argument:

root@dns:~# univention-ldapsearch -LLL "(&(objectClass=univentionShareSamba)(name=Freigabe1))"
dn: cn=Freigabe1,cn=shares,dc=training,dc=ucs
cn: Freigabe1
univentionShareHost: server-Berlin.training.ucs
univentionShareUid: 0
univentionShareGid: 0
univentionShareDirectoryMode: 0755
univentionShareWriteable: yes
univentionShareNFSSync: sync
univentionShareNFSSubTree: yes
univentionShareNFSRootSquash: yes
univentionShareSambaWriteable: yes
univentionShareSambaName: Freigabe1
univentionShareSambaBrowseable: yes
univentionShareSambaPublic: no
univentionShareSambaDosFilemode: no
univentionShareSambaHideUnreadable: no
univentionShareSambaCreateMode: 0744
univentionShareSambaDirectoryMode: 0755
univentionShareSambaForceCreateMode: 00
univentionShareSambaForceDirectoryMode: 00
univentionShareSambaSecurityMode: 0777
univentionShareSambaDirectorySecurityMode: 0777
univentionShareSambaForceSecurityMode: 00
univentionShareSambaForceDirectorySecurityMode: 00
univentionShareSambaLocking: 1
univentionShareSambaBlockingLocks: 1
univentionShareSambaStrictLocking: Auto
univentionShareSambaOplocks: 1
univentionShareSambaLevel2Oplocks: 1
univentionShareSambaFakeOplocks: 0
univentionShareSambaCscPolicy: manual
univentionShareSambaNtAclSupport: 1
univentionShareSambaInheritAcls: 1
univentionShareSambaMSDFS: no
univentionShareSambaInheritOwner: no
univentionShareSambaInheritPermissions: no
objectClass: univentionShareSamba
objectClass: univentionObject
objectClass: univentionShare
objectClass: univentionShareNFS
objectClass: top
univentionObjectType: shares/share
univentionSharePath: /newdata

This listing shows essentially the same information as the udm command in the previous listing, now with the updated path, but from OpenLDAP’s point of view and with the slightly different attribute names used there.

Automation

Now, you can use the information you retrieve from the LDAP query to mount shares automatically. We published an article in November 2019 showing how to achieve that with UCS@school and Nextcloud. The setup makes use of the Directory Listener, which receives notifications from the Univention Directory Notifier about changes in the identity management and reacts accordingly. In our example, a new Samba share is generated automatically whenever there is a new user account or class/working group in UCS@school.

The automatic removal of shares after deleting an account or group works similarly.

Basically, all data stored in LDAP can also be queried from systems which don’t run UCS. We’ve published an article in our Cool Solutions section explaining how you can approach this task.
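
As an added example (not part of the original article and not Univention's own code), the following Python code turns LDIF output like the univention-ldapsearch listing above into a UNC path and access mode per share, and flags settings worth reviewing before a share is mounted automatically. The second sample entry, the SAFE_NAME allow-list and the function names are assumptions made for illustration.

```python
import base64
import re

# Constructed sample: trimmed listing from above plus a made-up guest share.
SAMPLE_LDIF = """\
dn: cn=Freigabe1,cn=shares,dc=training,dc=ucs
univentionShareHost: server-Berlin.training.ucs
univentionShareDirectoryMode: 0755
univentionShareSambaWriteable: yes
univentionShareSambaName: Freigabe1
univentionShareSambaPublic: no

dn: cn=Scratch,cn=shares,
 dc=training,dc=ucs
univentionShareHost: server-Berlin.training.ucs
univentionShareDirectoryMode: 0777
univentionShareSambaWriteable: yes
univentionShareSambaName: Scratch
univentionShareSambaPublic: yes
"""
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")  # assumed allow-list

def parse_ldif(text):
    """Yield one dict per LDIF entry, keeping the first value per attribute."""
    unfolded = re.sub(r"\n ", "", text)  # undo LDIF line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(key, value.strip())
        yield entry

def mount_plan(entry):
    """Return (unc, mode, findings); unc is None when the entry is rejected."""
    host = entry.get("univentionShareHost", "")
    name = entry.get("univentionShareSambaName", "")
    if not (SAFE_NAME.fullmatch(host) and SAFE_NAME.fullmatch(name)):
        return None, None, ["host or share name has unexpected characters"]
    findings = []
    if entry.get("univentionShareSambaPublic") == "yes":
        findings.append("guest access enabled")
    if int(entry.get("univentionShareDirectoryMode", "0"), 8) & 0o002:
        findings.append("share root is world-writable")
    mode = "rw" if entry.get("univentionShareSambaWriteable") == "yes" else "ro"
    return f"//{host}/{name}", mode, findings
```

Rejecting names outside the allow-list keeps directory data from being passed unchecked into a mount command or fstab line; shares that come back with findings can be held for review instead of being mounted.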

Conclusion

I hope this article has given you some ideas on how to use LDAP queries to retrieve information about Samba shares in a domain to automatically mount them. If you have any questions, please feel free to get in touch or join the discussion in the UCS forum.

Dirk Ahrnke

Dirk has been working with Univention Corporate Server since about 2005; he has worked even longer with Linux and other operating systems. As a consultant and coach, he tries to put his knowledge to good use in multiple projects and trainings.