Build Samba 4.6.x with Time Machine support on Ubuntu 16.04

You’ve managed to find this tutorial before my commentary or other helpful notes have been added. This means it hasn’t been fully tested. Hopefully you’ll be able to reproduce the same results, but just because I have a working setup doesn’t mean you will. Think before you type; even more so before hitting enter. If you decide to follow this guide – please leave a comment with your feedback, questions, fixes or anything else that could be help others.

Samba is the standard Windows interoperability suite of programs for Linux and Unix.

Since 1992, Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others.

Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member.

Samba is a software package that gives network administrators flexibility and freedom in terms of setup, configuration, and choice of systems and equipment. Because of all that it offers, Samba has grown in popularity, and continues to do so, every year since its release in 1992.

With Time Machine, you can back up your entire Mac, including system files, apps, music, photos, emails, and documents. When Time Machine is turned on, it automatically backs up your Mac and performs hourly, daily, and weekly backups of your files.

When you use Time Machine on a portable computer, Time Machine not only keeps a copy of everything on your backup disk, it also saves “local snapshots” of files that have changed on your internal disk, so you can recover previous versions. These local snapshots are made hourly, unless you deselect Back Up Automatically, and they’re stored on your portable computer’s internal disk.

Install required package dependencies.

apt-get update && apt-get --yes install build-essential acl attr \
  autoconf bison debhelper dnsutils docbook-xml docbook-xsl flex \
  gdb krb5-user libacl1-dev libaio-dev libattr1-dev libblkid-dev \
  libbsd-dev libcap-dev libcups2-dev libgnutls28-dev libjson-perl \
  libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
  libpopt-dev libreadline-dev perl perl-modules pkg-config \
  python-all-dev python-dev cups python-dnspython python-crypto \
  xsltproc zlib1g-dev libsystemd-dev libgpgme11-dev python-gpgme \
  python-m2crypto libtracker-sparql-1.0-dev

Download and extract the current release of Samba.

mkdir /build
cd /build
curl -L https://download.samba.org/pub/samba/stable/samba-4.6.5.tar.gz -o samba-4.6.5.tar.gz
tar xvf samba-4.6.5.tar.gz
cd samba-4.6.5/

Patch the downloaded Samba source code with Time Machine support. This patch is currently a Github pull request awaiting acceptance from the Samba-Team developers.

curl -L https://github.com/samba-team/samba/pull/64.patch -o time_machine-fullsync.patch
patch -p 1 < time_machine-fullsync.patch

Configure the source code in preparation for make and install.

./configure \
 --enable-spotlight \
 --with-systemd \
 --prefix=/usr \
 --exec-prefix=/usr \
 --sysconfdir=/etc \
 --libdir=/usr/lib/aarch64-linux-gnu \
 --localstatedir=/var \
 --with-smbpasswd-file=/etc/samba/smbpasswd \
 --enable-fhs

Make and install.

make -j 2
make -j 2 install

Prepare the configuration files and CUPS print server SMB spooler support.

touch /etc/samba/lmhosts
touch /etc/samba/smb.conf
touch /etc/samba/smbpasswd
cp /build/samba-4.6.5/examples/smb.conf.default /etc/samba/smb.conf.default
ln -v -sf /usr/bin/smbspool /usr/lib/cups/backend/smb

Move systemd services into place.

cd /build/samba-4.6.5/packaging/systemd/
cp *.service /lib/systemd/system/

Start and enable the defaut Samaba services.

systemctl start nmb.service
systemctl enable nmb.service
systemctl start smb.service
systemctl enable smb.service
systemctl start winbind.service
systemctl enable winbind.service

Check the status of our enabled Samba install.

smbd -b

 

Advertisements

StrongSwan IPSec IKEv2 VPN with LEDE Reboot 17.01.4

You’ve managed to find this tutorial before my commentary or other helpful notes have been added. This means it hasn’t been fully tested. Hopefully you’ll be able to reproduce the same results, but just because I have a working setup doesn’t mean you will. Think before you type; even more so before hitting enter. If you decide to follow this guide – please leave a comment with your feedback, questions, fixes or anything else that could be help others.

strongSwan is an OpenSource IPsec implementation. It was originally based on the discontinued FreeS/WAN project and the X.509 patch that we developed. In order to have a stable IPsec platform to base the extensions of the X.509 capability on, we decided to launch the strongSwan project in 2005.

Since then a new IKE daemon has been written in a modern object-oriented coding style so that the current code base does not share code with its ancestor anymore. Initially that daemon only supported IKEv2, while IKEv1 was handled by an extended version of FreeS/WAN’s pluto daemon. But because adoption of IKEv2 by other vendors took longer than anticipated support for IKEv1 was added to the new daemon with strongSwan 5.0.0.

strongSwan originally was designed for Linux, but has since been ported to Android, FreeBSD, macOS, Windows and many other platforms.

Install  strongSwan with opkg.

opkg update && opkg install strongswan-full

Make your our private root certificate authority and server certificate.

cd /etc/ipsec.d/

ipsec pki --gen --type rsa --size 4096 --outform pem \
    > private/LEDE_Root_CA.key
chmod 600 private/LEDE_Root_CA.key
ipsec pki --self --ca \
    --lifetime 3650 \
    --in private/LEDE_Root_CA.key \
    --type rsa \
    --dn "C=DE, O=LEDE Project, CN=LEDE Root certAuthority" \
    --outform pem \
    > cacerts/LEDE_Root_CA.crt

ipsec pki --gen --type rsa --size 4096 --outform pem \
    > private/server.example.com.key
chmod 600 private/server.example.com.key
ipsec pki --pub --in private/server.example.com.key --type rsa | \
    ipsec pki --issue --lifetime 1825 \
    --cacert cacerts/LEDE_Root_CA.crt \
    --cakey private/LEDE_Root_CA.key \
    --dn "C=US, OU=Domain Validated, CN=server.example.com" \
    --san "server.example.com" \
    --san "lede.lan" \
    --san "lede.local" \
    --san "lede.private" \
    --flag serverAuth --flag ikeIntermediate \s
    --outform pem > certs/server.example.com.crt

Validate your newly created certificates.

ipsec pki --print --in /etc/ipsec.d/cacerts/LEDE_Root_CA.crt
ipsec pki --print --in /etc/ipsec.d/certs/server.example.com.crt

Edit /etc/strongswan.conf with your favorite text editor.

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    dns1 = 192.168.1.1
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        dhcp {
            server = 192.168.1.1
            force_server_address = yes
            identity_lease = yes
        }
    }
}
# include strongswan.d/*.conf

Edit /etc/ipsec.conf with your favorite text editor.

# ipsec.conf - strongSwan IPsec configuration file

config setup
	strictcrlpolicy=no
	uniqueids=yes

conn rw-base
	fragmentation=yes
	dpdaction=clear
	dpdtimeout=120s
	dpddelay=30s
	compress=yes

conn rw-config
	also=rw-base
	rightsourceip=%dhcp
	rightdns=192.168.1.1
	leftsubnet=0.0.0.0/0
	leftid=@server.example.com
	leftcert=server.example.com.crt
	reauth=no
	rekey=no
	ike=aes256-sha256-modp2048,aes256-sha1-modp1024,3des-sha1-modp1024!
	esp=aes256-sha256,aes256-sha1,3des-sha1!
	leftsendcert=always

conn rw-local-network
	also=rw-config
	leftfirewall=yes
	lefthostaccess=yes

conn ikev2-eap-mschapv2
	also=rw-local-network
	keyexchange=ikev2
	rightauth=eap-mschapv2
	eap_identity=%identity
	auto=add

Edit /etc/ipsec.secrets with your favorite text editor.

# /etc/ipsec.secrets - strongSwan IPsec secrets file

server.example.com : RSA server.example.com.key

Username1 : EAP "Password"
Username2 : EAP "Password"

Edit /etc/config/firewall with your favorite text editor.

config rule
	option name 'Allow-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option proto 'udp'
	option dest_port '500'
	option target 'ACCEPT'

config rule
	option name 'Allow-IKEv2'
	option src 'wan'
	option proto 'udp'
	option dest_port '4500'
	option target 'ACCEPT'

config rule
	option name 'Allow-AH'
	option src 'wan'
	option proto 'ah'
	option target 'ACCEPT'

Restart the firewall and strongSwan to effect changes. Check the status of strongSwan to ensure it has started properly.

/etc/init.d/firewall reload
ipsec restart
ipsec statusall

Make a backup of the root certificate.

cp /etc/ipsec.d/cacerts/LEDE_Root_CA.crt /root/.

The recently generated strongSwan server certificate will work perfect with LuCi. This next step is optional and requires the luci-ssl package be installed. Make sure the LEDE_Root_CA.crt is installed and trusted on your connecting device.

rm /etc/uhttpd.key && rm /etc/uhttpd.crt
cp private/server.example.com.key /etc/uhttpd.key
cp certs/server.example.com.crt /etc/uhttpd.crt
/etc/init.d/uhttpd restart