Samba Notes
SAMBA
Extracted from http://lucasmanual.com/mywiki/SambaDomainController ...
Using samba in linux is easy. You get performance and stability right away. Linux should be your file hosting choice from day 1.
Contents
1. Install Samba
   1. Status
2. Quick: Connect to samba share
3. Quick: Mount Shared Folder
4. Quick: Enable Writable Share Folder
5. Quick: Ping netbios names from linux
6. Print Server
   1. Install CUPS
   2. Add Printers
   3. Enable samba Printer sharing
   4. Upload Printer Drivers to Samba
7. Configure Samba for Domain
   1. Root/Administrator user
   2. Routs
   3. pre-configuration
   4. Add users
   5. netlogon.bat
   6. simple working smb.conf
   7. Shared folder
   8. test smb.conf
8. Explain smb.conf
   1. smb.conf explained
      1. WINS support
      2. Share options
      3. Homes
   2. Add Shared Folder to Samba
   3. Add Writable share Folder
   4. Add Printer to Samba
9. More smb.conf
   1. Profiles
   2. Netlogon
      1. Update hosts file on computers
   3. smb.conf
10. Samba Status
   1. What is available
11. User management
   1. Manage users
      1. pdbedit
      2. Add user
      3. Delete user
      4. Change account
      5. Reset password expiration for account
      6. Account flag, disable
      7. Default account settings
   2. Unix passwords to samba passwords
   3. Change password backend
   4. Administrator
      1. Add unix group to samba
12. Migrate NT4 domain to Samba
   1. Clean up NT4 Domain
   2. smb.conf
   3. Join the samba BDC to NT domain
   4. Migrate User Accounts
13. Troubleshooting
   1. Can't Join Samba Domain
      1. The network path was not found
      2. No mapping between account names and security IDs was done
      3. Access is denied
      4. Logon failure: unknown user name or bad password
      5. domain could not be contacted
14. Webmin
   1. Install Webmin
15. Performance
   1. windows max tcp/ip speed windows speed
16. external samba
   1. time
17. Samba LDAP, DC, Postfix, IMAP
   1. Mysql
   2. Mail server
      1. maildir
      2. Mutt
   3. Imap
      1. courier-imap
   4. System tools
      1. ntp
      2. ssh server
   5. LDAP Settings
      1. samba
      2. openldap
      3. Configure samba
      4. Configure unix to use ldap
18. References
Install Samba
Run the following commands as root:
apt-get update
apt-get install samba
The default setup for samba uses user security. If you want to connect right away, add a user to samba with smbpasswd -a username and try logging in with that username and password.
Status
- To see what services are available on samba use this command.
- If samba is not running start it by /etc/init.d/samba start
- When prompted for password, hit enter to login anonymously.
smbclient -L servername
- You should see something like:
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 3.0.24)
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Server               Comment
        ---------            -------
        SERVERNAME           Samba 3.0.24

        Workgroup            Master
        ---------            -------
        DEBIAN
        MSHOME               NTSERVERNAME
        mydomainname         DOMAINSERVER
- This means samba has installed properly and we are ready to configure what is available on it.
- To be able to use samba we have to change two things in the configuration, the security mode and the write permissions, and add a user.
- Edit /etc/samba/smb.conf
- Uncomment the security
security = user
- Find read only = yes and change it to
read only = no
- Now add a password for your username:
smbpasswd -a myusername
- Restart samba
/etc/init.d/samba restart
- Now you can go and browse \\hostname.or.ip.address.of.the.computer\lucas, or via the linux file manager smb://hostname.or.ip.address.of.the.computer/lucas
- Provide the username ('myusername') and the password you entered.
- The above link points to your home drive. You can set up more shares later, but you are done with the initial samba settings.
- Enjoy.
Quick: Mount Shared Folder
- You need to have smbfs installed. This package enables you to mount via smbfs or cifs. If you don't have it:
apt-get update
apt-get install smbfs
- [FYI] Older versions of samba used smbfs as the driver to connect to windows. The new driver, called cifs, is faster and is going to be part of the kernel. We will use -t cifs instead of -t smbfs. We still need to install the smbfs package because cifs uses parts of it.
- To mount windows share drive you need to create a folder:
mkdir somefolder
- As root or with root privileges (su root or sudo)
mount -t cifs -o username=administrator,password=password //windowsservername/folder /home/lucas/somefolder
or
mount -t cifs -o user=administrator //windowsservername/folder /home/lucas/somefolder
- The second one will prompt you for the password.
- If you would like to enable a non-privileged user to have write access to the share, add the UID option.
- Options after -o are separated by commas with no spaces, or use quotation marks: -o 'UID=lucas,username=administrator,password=password'
mount -t cifs -o UID=lucas,username=administrator,password=password //windowsservername/folder /home/lucas/somefolder
- If you are connecting to a domain, make sure you use the domain option:
mount -t cifs -o UID=lucas,username=administrator,password=password,domain=mydomainname //windowsservername/folder /home/lucas/somefolder
[Optional] You can replace administrator with your username. You can also replace windowsservername with ip address //192.168.1.10/folder ....
Quick: Enable Writable Share Folder
- If you want to create a shared folder that is writable by everybody you can do the following.
- Change the security mode from user to share. (The first line is commented out.)
#; security = user
security = share
Then at the bottom add the following lines.
[SHARED]
comment = PMS files
path = /home/lucas/Unique
browseable = yes
#printable = no
guest account = nobody
guest ok = yes
write ok = yes
force user = lucas
#force group = lucas
* Replace lucas with your username or another user that you would like to use.
* Your samba share SHARED folder is ready. On a windows machine go to \\COMPUTERNAME\SHARED or \\192.168.1.1\SHARED (replace 192.168.1.1 with the ip address of the linux machine) and you are done.
Quick: Ping netbios names from linux
Keywords: linux to windows by "full computer name", netbios lookup, nslookup
1. Every pc can ping each other using the netbios name, which corresponds to an ip address.
2. In windows, pinging netbios names works: ping mycomputer2 will ping the ip behind the name mycomputer2.
3. You are able to ping a pc that is on dhcp.
This will enable the same feature in linux.
- To enable linux pcs to ping netbios names you need to:
apt-get update
apt-get install winbind
- Now edit this file:
vi /etc/nsswitch.conf
- Change the line that starts with hosts by adding wins at the end of it.
hosts: files dns
to
hosts: files dns wins
- In my Debian it looked like this:
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
to
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 wins
- Now ping any computer you want:
ping mycomputer2
- Done.
Print Server
Install CUPS
- The first thing you need to do is install all your printers via cups.
apt-get update
apt-get install cupsys cupsys-client
- Start cups
/etc/init.d/cupsys start
Add Printers
- Go to localhost:631 and add all your printers.
This page tells you how to do it: DebianPrinting
Enable samba Printer sharing
- Then edit /etc/samba/smb.conf
- and make sure the [printers] and [print$] sections are uncommented.
- Now uncomment these lines:
printing = cups
printcap name = cups
- This will load the cups system printers and make them available to you.
- Now type in
smbclient -L localhost
Password: [hit Enter, the password is empty]
* You should see something like this:
        Sharename                    Type      Comment
        ---------                    ----      -------
        print$                       Disk      Printer Drivers
        IPC$                         IPC       IPC Service (faxserver server)
        Departent1-Kyocera-9520DN    Printer   Kyocera-9520DN
        Departent1-Kyocera-9500DN    Printer   Kyocera-9500DN
        Departent1-HP--8000          Printer   HP-8000
        Departent2-Kyocera-C5020DN   Printer   Kyocera-C5020N
        Departent2-Kyocera-9520DN    Printer   Kyocera-9520DN
        Departent2-HP-P3005          Printer   HP-3005
        Departent2-HP-4000           Printer   HP-4000
        Accounting-Kyocera-9520DN    Printer   Kyocera-9520DN
Anonymous login successful
Upload Printer Drivers to Samba
- Now we need to upload our windows drivers to the samba [Print$] share so next windows client that wants to use this printer will automatically download the drivers.
Configure Samba for Domain
- First we need to know our server name
uname -n
hostname -f
- You should see your server name. Put that server name everywhere you see servername in this document.
Root/Administrator user
- We need to add our first user.
smbpasswd -a root
- You should see something like this.
root# smbpasswd -a root
New SMB password: XXXXXXXX
Retype new SMB password: XXXXXXXX
- [page91]Now we need to map our user root to Administrator. This will allow our root account to be called administrator.
- In /etc/samba create a file smbusers. In it add
- vi /etc/samba/smbusers
#####################
#File Format
#Unix_ID = Windows_ID
#Example:
#root = Administrator
#janes = "Jane Smith"
#####################
root = Administrator
* Then add a line in your global settings that looks like this:
username map = /etc/samba/smbusers
- Restart samba
Routs
- We need to let the system know that when it looks up a computer name it should use these sources, in this order.
- Edit /etc/nsswitch.conf and make sure it contains:
hosts: files dns wins
pre-configuration
- We need to create a folder where we will keep our profiles and netlogon scripts, as well as the data and apps folders that will be used for sharing files.
- Create the following folders for netlogon scripts and profiles.
mkdir /home/samba
mkdir -p /home/samba/{netlogon,profiles}
chmod ug+rw /home/samba/profiles
- [Optional] Create these folders for the programs share and company documents.
mkdir /data
mkdir /apps
Add users
- You need to add an account for each network user. You can do it by executing these commands.
- For each user you create you need a profiles folder in /home/samba/profiles/. Replace username with the actual login ID.
adduser username
smbpasswd -a username
mkdir /home/samba/profiles/username
chown username:users /home/samba/profiles/username
netlogon.bat
- When each user logs in, the netlogon script will be executed. Its lines need to be terminated with DOS line endings, so we will convert it.
- In the file /home/samba/netlogon/netlogon.bat write the following content (replace servername with your server name):
net time \\servername /set /yes
net use h: /home
- Now we will convert it to a proper DOS file:
- We need to install a tool that will do it for us.
apt-get update
apt-get install tofrodos
- Then issue a command
todos /home/samba/netlogon/netlogon.bat
- If you are replacing a current drive mapping you might want to remove (unmount) the old one and mount the new one:
net use u: /delete
net use u: \\SERVERNAME\SOME_FOLDER
- You may also want to check out this link, which tells you how to give yourself more options: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Logon/WindowsNTLoginScriptTricksandTips.html
simple working smb.conf
- It is time to create an smb.conf
- Copy and paste this into your smb.conf. Change the workgroup and netbios name.
- This configuration will get your domain up and running in 30 seconds.
[global]
#Domain name
workgroup = yourdomainname
#The Server Name
netbios name = servername
#server string = Samba
#Time server, Workstations will set their time by this server
time server = yes
passdb backend = tdbsam
#SECURITY AND LOGIN SETTINGS
#This must be a user in PDC
security = user
bind interfaces only = yes
#Windows XP/2000
encrypt passwords = yes
#Login settings.
domain logons = Yes
#Error Logs, comment it out when you are in production.
log level = 3
#PDC and MASTER BROWSER SETTINGS
#os level = 64
#Windows for master PDC. Highest windows can get is 32
preferred master = yes
#local master = yes
;This defines it as the Primary Domain Controller
domain master = yes
#Add/delete users on linux and samba (keeps linux and samba accounts in sync)
add user script = /usr/sbin/useradd -m %u
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
#User Profiles and Home directory.
logon drive = H:
logon path =
logon home =
#Login script. Location is defined in [netlogon]
logon script = netlogon.bat
#Define user mappings. root = Administrator
#You don't need this if you have created an Administrator SMB user.
username map = /etc/samba/smbusers
wins support = yes
passwd program = /usr/bin/passwd %u

# --- shares ---
[netlogon]
comment = Domain Logon Service
path = /home/samba/netlogon
valid users = %U
admin users = Administrator
read only = no
browseable = no
write list = @admins
guest ok = Yes
#For read only purposes. File is not locked per user.
locking = no

[homes]
#If you want to set the home directory somewhere other than the unix home use the path below.
# path = \\otherservername\%U
volume = %U Home
comment = Home Folder
valid users = %S
read only = No
browseable = No
public = no
create mode = 0750

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No

#These are optional if you want to use them
[apps]
comment = Application Files
path = /apps
admin users = Administrator
read only = No

[data]
comment = Application Files
path = /data
admin users = Administrator
read only = No
- This smb.conf will allow users to log into the samba domain. Each user will have their own H: drive. The apps and data folders are shared. The TDBSAM database is used for authentication. Local profiles are used (logon path is empty), which means the user's settings are stored on his/her own computer.
Shared folder
- If you need to quickly add a writable shared folder for anybody, you can add this to your samba config file.
[SHARED]
comment = PMS files
path = /home/lucas/shared
browseable = yes
#printable = no
guest account = guest
guest ok = yes
write ok = yes
force user = lucas
#force group = lucas
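As an added example (not part of the wiki page), here is a small Python audit that parses an smb.conf like the ones above and reports the trade-offs made by the quick writable share, the [SHARED] block just shown and the domain smb.conf: share-level security, guest-writable shares (including a logon-script share that guests can write to, which means anyone on the network could change what every workstation runs at logon), no hosts allow filter, a debugging log level and null passwords. Both config strings are constructed from the page's own snippets, not taken from a real server; the synonym handling assumes smb.conf(5)'s documented equivalence of writable, writeable and write ok with the inverse of read only, and of public with guest ok.

```python
import re

# Constructed smb.conf: [global] and [SHARED] mirror the quick writable share
# above, [netlogon] mirrors the domain smb.conf. Not a real server's file.
WEAK_CONF = """\
[global]
   workgroup = MYDOMAIN
   security = share
   log level = 5
   null passwords = yes

[netlogon]
   comment = Domain Logon Service
   path = /home/samba/netlogon
   read only = no
   guest ok = Yes
   write list = @admins

[SHARED]
   comment = PMS files
   path = /home/lucas/shared
   guest ok = yes
   write ok = yes
   force user = lucas

[homes]
   valid users = %S
   read only = No
   browseable = No
"""

# Hardened form, also constructed: per-user auth, host filtering, a quiet log
# level, read-only shares with explicit writers and no guest access.
HARDENED_CONF = """\
[global]
   workgroup = MYDOMAIN
   security = user
   hosts allow = 127.0.0.1 192.168.1.
   hosts deny = ALL
   log level = 1

[netlogon]
   path = /home/samba/netlogon
   read only = yes
   write list = @admins

[SHARED]
   path = /home/lucas/shared
   valid users = @users
   read only = yes
   write list = manager
"""

# Synonyms for the inverse of "read only" (assumption: as documented in smb.conf(5)).
WRITE_SYNONYMS = ("writable", "writeable", "write ok")


def parse_smb_conf(text):
    """Return {section: {param: value}}. Section and parameter names are
    lower-cased; whole-line comments (# or ;) and blank lines are skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        key, sep, val = line.partition("=")
        if sep and section is not None:
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = val.strip()
    return conf


def is_true(value):
    """Samba boolean: yes/true/1 count as true, anything else as false."""
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(params):
    """read only = no, or any writable synonym = yes, lets clients write."""
    if "read only" in params and not is_true(params["read only"]):
        return True
    return any(is_true(params.get(s, "no")) for s in WRITE_SYNONYMS)


def audit(conf):
    """Return a list of findings, each a short string naming the section."""
    findings = []
    g = conf.get("global", {})
    if g.get("security", "user").lower() == "share":
        findings.append("[global]: security = share skips per-user authentication")
    if "hosts allow" not in g:
        findings.append("[global]: no hosts allow, any host that can reach the server may connect")
    level = (g.get("log level", "0").split() or ["0"])[0]
    if level.isdigit() and int(level) >= 3:
        findings.append(f"[global]: log level {level} is a debugging level, not for production")
    if is_true(g.get("null passwords", "no")):
        findings.append("[global]: null passwords = yes accepts empty passwords")
    for name, p in conf.items():
        if name in ("global", "printers", "print$"):
            continue
        guest = is_true(p.get("guest ok", "no")) or is_true(p.get("public", "no"))
        if guest and share_is_writable(p):
            findings.append(f"[{name}]: guest-writable share (guest ok + writable)")
        if guest and "force user" in p:
            findings.append(f"[{name}]: anonymous access runs as unix user {p['force user']}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_smb_conf(text)) or ["no findings"])
```

Run it against /etc/samba/smb.conf by reading the file into parse_smb_conf; the checks are deliberately simple string tests, so a share that inherits writability from a global default (for example a global read only = no) is not caught unless the parameter appears in the share itself.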
test smb.conf
- To test smb.conf for proper structure, issue this command.
testparm
Explain smb.conf
smb.conf explained
- netbios name - Name by which the Samba server is known on the network. Same as the Windows NT Computer Name. If you don’t specify it, it will default to the server’s hostname.
- workgroup - This parameter tells samba which Windows NT Domain or Workgroup it will join. It is equivalent to the Windows NT Domain or Workgroup name.
- server string - The description string of the Samba server. It is equivalent to the Windows NT Description field.
- security - four possible values: share, user, server, domain
- Share - clients need to supply only the password for the resource. This mode of security is the default for the Windows 95 file/print server. It is not recommended for use in UNIX environments, because it violates the UNIX security scheme.
- User - the user/password validation is done on the server which is offering the resource. This mode is most widely used.
- Server - user/password validation is done on the specified authentication server. This server can be a Windows NT server or another Samba server.
- Domain - this security level is basically the same as server security, with the exception that the Samba server becomes a member of a Windows NT domain. In this case the Samba server can also participate in such things as trust relationships.
- encrypt passwords - If set to yes, Samba uses the encrypted password protocol. It is used in Windows NT (starting with Service Pack 3) and Windows 95/98.
- smb passwd file - This tells Samba where encrypted passwords are saved. By default, it will use /etc/smbpasswd.
- name resolve order - This parameter specifies how the Samba server resolves NetBIOS names into IP addresses. The preferred value is wins lmhosts bcast.
WINS support
- Only one of the parameters (wins support or wins server) can be set at the same time. If you specify the IP address of a WINS server, then wins support must be set to “no”.
- wins server - With this parameter, you tell Samba which WINS server to use.
- wins support - This option tells Samba to act as a WINS server.
Share options
- admin users - Specify the users who have administrative privileges for the share. When they access the share, they perform all operations as root.
- printable - This parameter specifies if the share is a print share. If the share is printable, then it is also writable by default.
- write list - Specifies the list of people who have write access to the share. If the name begins with @ it means a group name.
- writable - This parameter specifies if the share is writable. (yes/no)
- read list - List of people who have read access to the share. If the name begins with @ it means a group name.
- read only - If this is set to yes, the share is read only.
- valid users - This parameter specifies which users can access the share.
- create mask - This is used for file creation to mask against the UNIX mask calculated from the DOS mode requested. Default: 0744
- directory mask - This is used for directory creation to mask against the UNIX mask calculated from the DOS mode requested. Default: 0755
Homes
- The special share section called [homes] will affect all home folders. You don't need to create a separate one for each user.
- When client requests a connection to a file share, existing file shares are scanned. If a match is found, that share is used. If no match is found, the requested share is treated as a username and validated by security. If the name exists and the password is correct, a share with that name is created by cloning the [homes] section.
- Home Folder Structure in smb.conf
[homes]
comment = Home Directories
path = %H
valid users = %S
browseable = no
writable = yes
create mode = 0700
directory mode = 0700
- %H - Represents the home directory of the user.
- %S - Represents the name of the current service which, in the case of the home share, is equal to the username.
Add Shared Folder to Samba
- Here is a sample share folder structure.
[share]
path = /path/to/data
comment = Data Directory on servername
read only = yes
valid users = @users
write list = manager
- This shares the data in a directory as a share. You can access this share by \\servername\share. Only valid users who are part of the users group are permitted to read this data. The user named manager is allowed to write.
Add Writable share Folder
- Following the previous procedure, add this to the smb.conf:
[everybody]
comment = Everybody files
path = /path/to/folder
browseable = yes
printable = no
writable = yes
write list = @users
Add Printer to Samba
- You need to have printers installed. If you don't have them installed follow directions on DebianPrinting.
- When you are done installing the printers, add these lines and you will be able to print to them.
- Add this to your [global] section:
[global]
...
printcap name = cups
printer admin = admin
printing = cups
* Add this to the bottom of smb.conf:
[printers]
path = /var/lib/samba/printers
create mask = 0600
printable = yes
browseable = no
- Now open windows explorer on your client machine and go to \\servername
- You should see the printers that you have installed in cups.
More smb.conf
Profiles
- There is a choice of methods here:
- For each user to continue using their existing profile, always using the same machine with its own applications installed:
After having created an account for them on the server, simply log on to the server; the existing Windows profile on the local machine will be used (as there won't be one on the server yet) and copied over to the server. This is fine if they only ever use the same computer, but beware: the profile may have references to software installed only on their machine, so if they want to log in from other machines it is probably worth starting over with a fresh profile and setting up each machine exactly the same; see the next method.
or
- [We will use the first option for under 50 users in the same location] For each user to have their own profile, which they can alter, handed to them efficiently from a single template profile, and which they can roam with from one machine to another, each machine having the same applications installed, or installed on the server:
Configure a Windows user account on a workstation the way you want it. (If you try to create a user account after you've created a machine account for this machine on the Samba server, creating the account on the workstation will fail with a message saying you can't create accounts in that domain. We don't know what this is about, but to work around it you can use the Users and Passwords' Advanced → Advanced → Users → Action → New User... option, or create the account without the workstation being part of a domain: do so beforehand, or temporarily revert back to a workgroup.)
This will be a 'Restricted User' account. This account will be the template user profile. (We use TWEAK - The Windows Environment and Application Konfigurator, available from http://thegoldenear.org/tweak/, to configure the template user account quickly and easily; you only need to run the per-user options, including the Roaming Computing System specific options, A → P → P.) Create the template without running any applications; that will be done later. Consider where you're going to keep icons for applications by reading the section on applications further on. Any applications that require their preferences pre-installing manually (rather than dealing with it themselves) in the Windows profile will want that doing now (see the applications section further on).
- Create a profiles folder
- Let's change the permissions on our profiles folder
mkdir /home/samba
mkdir /home/samba/profiles
chmod 1757 /home/samba/profiles
- Let's create an initial template
mkdir /home/samba/profiles/template
- In Windows Explorer log into your server by going to \\yourservername
Netlogon
- We need to create a netlogon script that will be used to mount extra drives on client machines.
- First we need to create a directory for that. The samba folder should exist already.
cd /home/samba
ls
mkdir netlogon
chmod 0755 /home/samba/netlogon
cd /home/samba/netlogon
- Here is a sample NETLOGON.BAT that we will put into /home/samba/netlogon/NETLOGON.BAT
- You will need to create this file on windows because windows will be the one reading it (we need CR/LF as the end-of-line characters).
rem ###########################################
rem logon script
rem version 0.7.0
rem
rem remember this file needs DOS CR/LF to work
rem ###########################################
rem Change Log
rem 0.7.0 13-Dec-2003
rem - added a new system and user TEMP location of e:\%username%\windows and e:\windows
rem - changed 'cooledit' directory name to 'audition' to reflect that program's name change
rem - removed creation of 'powerarchiver' directory as we use 7-Zip exclusively
rem 0.6.5 08-April-2003
rem - renamed 'server' to 'file-server'
rem - removed '/PERSISTANT:YES'
rem -------------------------------------------
net use P: \\file-server\programs
rem (only admins group can write there in our Samba configuration)
rem make mappings to shared areas, i.e.:
rem H: is made by smb.conf
net use S: \\file-server\shared
rem sync the workstation's time to that of the file-server
net time \\file-server /set /yes
rem make connections to any printer(s):
rem net use LPT1:
rem create temporary directories for %USERNAME% on TEMP partition
rem (remove any for applications not used on your system):
if not exist "e:\%username%" md "e:\%username%"
if not exist "e:\%username%\winnt" md "e:\%username%\winnt"
if not exist "e:\%username%\windows" md "e:\%username%\windows"
rem ('winnt' remains for backwards compatibility. we changed to 'windows' on 12 Dec 03 / TWEAK 0.8.32)
if not exist "e:\%username%\ie" md "e:\%username%\ie"
if not exist "e:\%username%\ie\Temporary Internet Files" md "e:\%username%\ie\Temporary Internet Files"
if not exist "e:\%username%\mozilla" md "e:\%username%\mozilla"
if not exist "e:\%username%\java" md "e:\%username%\java"
if not exist "e:\%username%\nero" md "e:\%username%\nero"
if not exist "e:\%username%\audacity" md "e:\%username%\audacity"
if not exist "e:\%username%\audition" md "e:\%username%\audition"
:EOF
- Now allow users to read that file
chmod a+r /home/samba/netlogon/NETLOGON.BAT
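Both the netlogon.bat section above and this one require the logon script to use CR/LF line endings. As an added example (not the wiki's todos tool, nor code from the page), the Python below does the same conversion, checks whether a file is already DOS-terminated, and is idempotent, so running it over an already-converted script does not double the carriage returns. The sample script is constructed from the page's two-line netlogon.bat.

```python
import os
import tempfile

# The page's two-line logon script as a Linux editor saves it (bare LF).
# Constructed sample, mirrors the netlogon.bat content above.
SAMPLE_LF = b"net time \\\\servername /set /yes\nnet use h: /home\n"


def to_dos(data: bytes) -> bytes:
    """Convert LF or mixed endings to CRLF, like todos(1). Normalising any
    existing CRLF to LF first makes this idempotent: CRs are never doubled."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def has_dos_endings(data: bytes) -> bool:
    """True when every line break is CRLF and no stray CR or LF remains."""
    stripped = data.replace(b"\r\n", b"")
    return b"\n" not in stripped and b"\r" not in stripped


def convert_file(path: str) -> bool:
    """Rewrite the file in place only if it is not yet CRLF-terminated.
    Returns True when the file was changed."""
    with open(path, "rb") as fh:
        data = fh.read()
    if has_dos_endings(data):
        return False
    with open(path, "wb") as fh:
        fh.write(to_dos(data))
    return True


if __name__ == "__main__":
    # Demonstrate on a temporary copy rather than touching /home/samba/netlogon.
    fd, path = tempfile.mkstemp(suffix=".bat")
    os.write(fd, SAMPLE_LF)
    os.close(fd)
    print("converted:", convert_file(path))        # True on the first run
    print("converted again:", convert_file(path))  # False, already DOS
    os.unlink(path)
```

Point convert_file at /home/samba/netlogon/NETLOGON.BAT to apply it to the real script; has_dos_endings on its own is a cheap check to run before restarting samba, since a script with bare LF fails silently on the workstation.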
Update hosts file on computers
- Add this line to your logon script. Replace "MYPDC" with your domain controller's computer name.
copy \\MYPDC\netlogon\hosts %systemroot%\system32\drivers\etc\hosts
smb.conf
- Here is a final smb.conf that you can paste into your smb.conf file.
- You will need to change the workgroup name, the hosts allow/deny ip addresses and the netbios name.
- Before you start, let's make a copy of smb.conf:
cp /etc/samba/smb.conf /etc/samba/smb.conf-original
- Now clear the old file and paste this in.
# Smb.conf, samba domain controller
# Replacing windows nt domain controller
# Need to change workgroup, netbios name, allowed host allow/deny
[global]
#Domain name
workgroup = domainname
#The Server Name
netbios name = domainserver
#server string = Samba
#Time server, Workstations will set their time by this server
time server = yes
passdb backend = tdbsam
#SECURITY AND LOGIN SETTINGS
#This must be a user in PDC
security = user
#Allow connection from specified addresses 10.1.1.*
#Change it to your ip network, example: 192.168.0.
#hosts allow = 127.0.0.1 10.1.1.
#Deny others
#hosts deny = 0.0.0.0/0
#Only allow connection through network card
#interfaces = eth* lo
#bind interfaces only = yes
#Windows XP/2000
encrypt passwords = yes
#Login settings.
domain logons = Yes
#Error Logs, comment it out when you are in production.
log level = 5
#PDC and MASTER BROWSER SETTINGS
#os level = 64
#Windows for master PDC. Highest windows can get is 32
preferred master = yes
#preferred master = auto
local master = yes
;This defines it as the Primary Domain Controller
domain master = yes
#Add/delete users on linux and samba (keeps linux and samba accounts in sync)
add user script = /usr/sbin/useradd -m %u
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
#User Profiles and Home directory.
logon path = \\%L\profiles\%U
logon home = \\%L\%U
#Login script. Location is defined in [netlogon]
logon script = netlogon.bat
#Define user mappings between this system and windows system.
#Without this you get asked for a password.
#You don't need this if you have created the SMB user here.
username map = /etc/samba/smbusers
wins support = yes
admin users = root
#Keep the case in file/directory names. Matching is done without regard to case.
#It allows transition from a non-case system (windows) to a case system (unix)
preserve case = yes
short preserve case = yes
case sensitive = no
#Sync Unix passwords from windows workstation using PAM
#Allow users to change their password
unix password sync = yes
#pam password change = yes
#Optimization of samba for increased speed
#SO_KEEPALIVE - sends a probe every 4 hours to check that a connection is still active
#TCP_NODELAY
#IPTOS_LOWDELAY
#SO_SNDBUF=14596 - 14596 is roughly the best in most circumstances,
#  it may be optimized better for your system.
#SO_RCVBUF = 14596
socket options = TCP_NODELAY,IPTOS_LOWDELAY, SO_KEEPALIVE, SO_SNDBUF=14596, SO_RCVBUF=14596
#lpq command = %p
#name resolve order = wins bcast hosts
#passwd chat debug = Yes
#idmap gid = 15000-20000
#passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n
#lprm command =
passwd program = /usr/bin/passwd %u
#print command =
#printing = cups
#idmap uid = 15000-20000
#printcap name = CUPS
#null passwords = yes

# --- shares ---
[netlogon]
comment = Domain Logon Service
path = /home/samba/netlogon
valid users = %U
admin users = Administrator
read only = no
browseable = no
write list = @admins
guest ok = Yes
#For read only purposes. File is not locked per user.
locking = No

[profiles]
comment = Network Profiles Share
path = /home/samba/profiles
browseable = yes
guest ok = yes
writeable = yes
read only = no
profile acls = yes
csc policy = disable
create mode = 0600
directory mode = 0700

[homes]
#If you want to set the home directory somewhere other than the unix home use the path below.
# path =
volume = %U Home
comment = Home Folder
valid users = %S
read only = No
browseable = No
public = no
create mode = 0750

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No

#These are optional
[apps]
comment = Application Files
path = /apps
admin users = Administrator
read only = No

[data]
comment = Application Files
path = /data
admin users = Administrator
read only = No
Samba Status
What is available
* To see what services are available on samba use this command
* If no password is set, hit enter to login anonymously.
smbclient -L servername
- You should see something like:
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Sharename        Type      Comment
        ---------        ----      -------
        IPC$             IPC       IPC Service (Samba 3.0.24)
        Dept1-HP-P3005N  Printer   Dept1
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Server               Comment
        ---------            -------
        DOMAINSERVER         Samba 3.0.24

        Workgroup            Master
        ---------            -------
        DEBIAN
        MSHOME               NTSERVERNAME
        mydomainname         DOMAINSERVER
User management
Manage users
- There are two tools to manage users. We will use the second one because it gives us more control.
- smbpasswd
- pdbedit
smbpasswd:
1. add user or machine accounts.
2. delete user or machine accounts.
3. enable user or machine accounts.
4. disable user or machine accounts.
5. set to NULL user passwords.
6. manage interdomain trust accounts.
pdbedit:
1. add, remove, or modify user accounts.
2. list user accounts.
3. migrate user accounts.
4. migrate group accounts.
5. manage account policies.
6. manage domain access policy settings.
pdbedit
- Find the details on user:
pdbedit -Lv username
- Or to see all users:
pdbedit -Lv |less
Press space to view the next page, q to quit.
Add user
- Two options.
smbpasswd: add the username as a debian linux account and as a samba account.
adduser 'username'
smbpasswd -a 'username'
Add a user with pdbedit. The unix account needs to exist already:
pdbedit -a username
Delete user
Delete samba account:
pdbedit -x username
Change account
- Change user account information
pdbedit -r --fullname="First Last name" username
Reset password expiration for account
pdbedit -z username
Account flag, disable
- Available flags
D  Account is disabled.
H  A home directory is required.
I  An inter-domain trust account.
L  Account has been auto-locked.
M  An MNS (Microsoft network service) logon account.
N  Password not required.
S  A server trust account.
T  Temporary duplicate account entry.
U  A normal user account.
W  A workstation trust account.
X  Password does not expire.
- To change a flag do this:
pdbedit -r -c "[DLX]" username
- To reset to default:
pdbedit -r -c "[]" username
Default account settings
- Account policies must be set individually on each PDC and BDC.
- See what is the default now.
pdbedit -P ?
- Change a default:
pdbedit -P "min password length" -C 8
- Replace "min password length" with the other options you saw in pdbedit -P ?
Unix passwords to samba passwords
cat /etc/passwd | /usr/sbin/mksmbpasswd > /etc/samba.d/smbpasswd
Change password backend
- This will migrate passwords from smbpasswd to tdbsam
pdbedit -i smbpasswd -e tdbsam
- Make sure you remove smbpasswd from smb.conf
passdb backend = tdbsam:/etc/samba/passdb.tdb
- You should be done. Your user should be able to log into your domain.
Administrator
- The Administrator user is a member of the Administrators group, and thus inherits the Administrators group privileges. When an MS Windows NT4/200x/XP machine is made a domain member, the “Domain Admins” group of the PDC is added to the local Administrators group of the workstation. Every member of the Domain Admins group inherits the rights of the local Administrators group when logging on to the workstation.
- The following steps describe how to make Samba PDC users members of the Domain Admins group.
- Create a UNIX group (usually in /etc/group); let's call it domainadmin.
addgroup domainadmin
1. Add to this group the users that must be “Administrators”. For example, if you want joe, john, and mary to be administrators, your entry in /etc/group will look like this:
domainadmin:x:502:joe,john,mary
1. Map this domainadmin group to the “Domain Admins” group by executing the command:
root# net groupmap add ntgroup="Domain Admins" unixgroup=domainadmin rid=512 type=d
- Now joe, john, and mary are domain administrators.
Add unix group to samba
- It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as to make any UNIX group a Windows domain group. For example, if you wanted to include a UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine, you would flag that group as a domain group by running the following on the Samba PDC:
root# net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct type=d
* Be aware that the RID parameter is an unsigned 32-bit integer that should normally start at 1000. However, this RID must not overlap with any RID assigned to a user. Verification for this is done differently depending on the passdb backend you are using. Future versions of the tools may perform the verification automatically, but for now the burden is on you.
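Added example, not from the wiki: a small POSIX shell script that audits a pdbedit -L -v listing for the account flags described in the flag section above (disabled accounts, non-expiring passwords), validates a flag string before it reaches pdbedit -c, and checks a proposed group RID against the RIDs already assigned to users, which is the overlap check the previous paragraph leaves to you. The listing it parses is a constructed sample in the shape of pdbedit -L -v output; the SID, user names and RID values are placeholders. On the PDC, pass the real listing instead, e.g. accounts_with_flag "$(pdbedit -L -v)" D.

```shell
#!/bin/sh
# Added example (not the wiki's own code). SAMPLE_PDBEDIT is a constructed
# stand-in for `pdbedit -L -v` output; the SID and names are placeholders.
SAMPLE_PDBEDIT='---------------
Unix username:        joe
NT username:          joe
Account Flags:        [U          ]
User SID:             S-1-5-21-1111-2222-3333-1000
Primary Group SID:    S-1-5-21-1111-2222-3333-513
---------------
Unix username:        mary
NT username:          mary
Account Flags:        [DU         ]
User SID:             S-1-5-21-1111-2222-3333-1002
Primary Group SID:    S-1-5-21-1111-2222-3333-513
---------------
Unix username:        ws01$
NT username:          ws01$
Account Flags:        [W          ]
User SID:             S-1-5-21-1111-2222-3333-1004
Primary Group SID:    S-1-5-21-1111-2222-3333-515
'

# Usage: parse_accounts "<pdbedit -L -v output>"
# Prints one line per account: "<name> <rid> <flags>", where <rid> is the
# last component of the User SID and <flags> has brackets/padding stripped.
parse_accounts() {
    printf '%s\n' "$1" | awk '
        /^Unix username:/ { name = $3 }
        /^Account Flags:/ { f = $0; sub(/.*\[/, "", f); sub(/\].*/, "", f); gsub(/ /, "", f); flags = f }
        /^User SID:/      { rid = $3; sub(/.*-/, "", rid); print name, rid, flags }'
}

# Usage: accounts_with_flag "<listing>" <letter>
# Lists accounts whose flag field contains the letter (D = disabled,
# X = password never expires, W = workstation trust account, ...).
accounts_with_flag() {
    parse_accounts "$1" | awk -v want="$2" 'index($3, want) { print $1 }'
}

# Usage: rid_in_use "<listing>" <rid>
# Returns 0 if some user already holds that RID, 1 if it is free. Run this
# before `net groupmap add rid=...` so a group RID never collides with a user.
rid_in_use() {
    parse_accounts "$1" | awk -v want="$2" '$2 == want { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Usage: valid_flag_string "[DLX]"
# Accepts only "[...]" containing letters from the flag table above;
# "[]" (reset to defaults) is valid too.
valid_flag_string() {
    case "$1" in
        \[*\]) ;;
        *) return 1 ;;
    esac
    body=${1#\[}
    body=${body%\]}
    case "$body" in
        *[!DHILMNSTUWX]*) return 1 ;;
    esac
    return 0
}

# Usage: pdbedit_flag_cmd <username> "[flags]"
# Prints (does not run) the pdbedit invocation for a flag change, refusing an
# invalid flag string so a typo cannot reach the account database.
pdbedit_flag_cmd() {
    valid_flag_string "$2" || return 1
    printf 'pdbedit -r -c "%s" %s\n' "$2" "$1"
}
```

With the real listing, accounts_with_flag "$(pdbedit -L -v)" D gives you the disabled accounts, and rid_in_use "$(pdbedit -L -v)" 1000 tells you whether rid=1000 is safe to hand to net groupmap.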
Migrate NT4 domain to Samba
- We start from the beginning.
- Clean up or delete the passdb.tdb. Located: /var/lib/samba/passdb.tdb
Clean up NT4 Domain
- Clean up the NT domain. Make sure all groups are lowercase, delete any accounts that you don't want to transfer.
smb.conf
- Replace smb.conf with this:
- Replace [domainname], the netbios name and the WINS server IP address. If you don't have a WINS server, comment that line out.
[global]
workgroup = [domainname]
netbios name = SAMBASERVER
passdb backend = tdbsam
domain master = No
domain logons = Yes
os level = 33
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
wins server = [IP of wins server]
- Restart Samba
/etc/init.d/samba restart
- Test your settings in smb.conf. You should see no errors.
testparm
Join the samba BDC to NT domain
- Replace with proper names
net rpc join -S [NT netbios name or IP] -U Administrator
- Replace domaincomputername with the NT server's NetBIOS name, or use its IP address instead.
net rpc join -S domaincomputername -U Administrator
- You should see something like.
server:/etc/samba# net rpc join -S domaincomputername -U Administrator
Password:
Joined domain LIABILITY.
Migrate User Accounts
- We will use the following command to migrate the user accounts:
net rpc vampire -S [NT netbios name or IP] -W [domainname] -U Administrator
- So in my case it would be:
net rpc vampire -S domaincomputername -W xyzdomain -U Administrator
- You should see something like:
Fetching DOMAIN database
Creating unix group: 'Domain Admins'
Creating unix group: 'Domain Users'
Creating unix group: 'Domain Guests'
Creating unix group: 'Claims'
Creating unix group: 'Accounting'
Creating account: Administrator
Creating account: Guest
...
Creating unix group: 'Administrators'
Creating unix group: 'Backup Operators'
Creating unix group: 'Guests'
Creating unix group: 'Print Operators'
Creating unix group: 'Replicator'
Creating unix group: 'Server Operators'
Creating unix group: 'Users'
- Double-check that your users have been created. Use this command:
pdbedit -L
- Shut down your old domain. You might need it later, so don't destroy it just yet.
- Edit smb.conf and change or add these two settings:
domain master = yes
wins support = yes
- Now restart Samba
/etc/init.d/samba restart
- Now log in from your client workstation.
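Added example, not from the wiki, for checking the switch-over the last steps describe: the function reads a parameter out of the [global] section of an smb.conf, so you can confirm that domain master and wins support are now yes (during the BDC phase domain master was No) and look up the workgroup value, which is the domain name clients must type. The smb.conf it reads is a constructed sample modelled on the [global] block above; EXAMPLEDOM and the WINS address are placeholders. Against the live file run smbconf_get "$(cat /etc/samba/smb.conf)" "domain master".

```shell
#!/bin/sh
# Added example (not the wiki's own code). SAMPLE_SMBCONF is a constructed
# smb.conf in the shape of the migration's [global] block; names are placeholders.
SAMPLE_SMBCONF='[global]
   workgroup = EXAMPLEDOM
   netbios name = SAMBASERVER
   passdb backend = tdbsam
   domain master = No
   domain logons = Yes
   os level = 33
   # wins server = 192.0.2.10
[homes]
   comment = Home Directories
   domain master = this is in another section and must be ignored
'

# Usage: smbconf_get "<smb.conf contents>" "<parameter>"
# Prints the parameter value from [global] with surrounding whitespace
# removed (parameter names compared case-insensitively; the last occurrence
# wins). Comment lines (# or ;) and other sections are ignored. Prints an
# empty line if the parameter is not set.
smbconf_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == "global" && index($0, "=") {
            k = $0; sub(/=.*/, "", k); sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=/, "", v); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                val = v
            }
        }
        END { print val }'
}

# Usage: smbconf_bool "<smb.conf contents>" "<parameter>"
# Samba accepts yes/true/1 and no/false/0 for boolean parameters.
smbconf_bool() {
    case "$(smbconf_get "$1" "$2" | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: pdc_ready "<smb.conf contents>"
# True once both settings the migration finishes with are in place.
pdc_ready() {
    smbconf_bool "$1" "domain master" && smbconf_bool "$1" "wins support"
}
```

pdc_ready "$(cat /etc/samba/smb.conf)" fails on the BDC-phase file above and succeeds once domain master = yes and wins support = yes have been added; smbconf_get ... workgroup prints the name to type into the Windows join dialog.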
Troubleshooting
Can't Join Samba Domain
The network path was not found
The following error occurred attempting to join the domain "DOMAINNAME": The network path was not found.
- This usually happens on Windows XP when there is an incorrect gateway and/or route entry in the registry. You can solve it by changing your IP address, subnet and gateway to something different, and then changing them back again. This usually fixes the issue.
No mapping between account names and security IDs was done
The following error occurred attempting to join the domain "DOMAINNAME": No mapping between account names and security IDs was done
- This error can be fixed by using lowercase names of the workstations in /etc/passwd and smbpasswd and on the Windows XP clients.
Access is denied
The following error occurred attempting to join the domain "DOMAINNAME": Access is denied.
- The machine account entered in smbpasswd is missing or disabled, or you're trying to join the domain using an account name other than root.
- To add username run:
smbpasswd -a root
- To add the machine account run (note the $ at the end):
smbpasswd -a -m <machine-name>$
Logon failure: unknown user name or bad password
The following error occurred attempting to join the domain "DOMAINNAME": Logon failure: unknown user name or bad password.
- In this case either root doesn't exist in the smbpasswd database or you've typed in an incorrect password.
- To add root run:
smbpasswd -a root
domain could not be contacted
A domain controller for the domain "DOMAINNAME" could not be contacted.
- The domain name you are typing in is not the one Samba uses. Your domain name is the value of the workgroup parameter in smb.conf. Another reason might be that nmbd is not running and so cannot answer NetBIOS name queries.
- Check the smb.conf for correct domain name then run:
smbclient -L localhost
- When prompted for a password just hit enter:
Password:
Domain=[DOMAINNAME] OS=[Unix] Server=[Samba 3.0.24]
- Check if nmbd is running:
ps ax|grep nmbd
You will see something like:
3589 ? Ss 0:00 /usr/sbin/nmbd -D
Webmin
Install Webmin
- Install the Webmin administrative web front-end
- http://www.webmin.com/deb.html
- Install prerequisites
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl
- Download the deb file.
- Check for newer version on the website.
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.350_all.deb
- Install downloaded file
dpkg --install webmin_1.350_all.deb
Performance
windows max tcp/ip speed
The problem is in the old TCP/IP settings in Windows. Back in the beginning Windows had a small TCP window size and it never changed. By adding the following to the registry you can increase it to something more appropriate for 100M NICs:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"GlobalMaxTcpWindowSize"=dword:00020148
"TcpWindowSize"=dword:00020148
"Tcp1323Opts"=dword:00000003
This helped me no end with my backups. Increased network throughput by a factor of 30. So give it a go.
http://rdweb.cns.vt.edu/public/notes/win2k-tcpip.htm will explain it a bit more.
external samba
time
The relationship between "net time" and a real NTP server seems to be a one-time sync only anyway. However, you can have the PC really use NTP:
:: setup ntp client
:: need to be an admin - one time setup
sc stop w32time
w32tm /unregister
w32tm /register
net time /setsntp:ntpd-server
sc config w32time start= auto
sc start w32time
w32tm /resync
w32tm /stripchart /computer:ntpd-server /samples:1
Could instead use a real Policy or manually jam it into the registry:
:: setup ntp client
:: need to be an admin - one time setup
reg add HKLM\SOFTWARE\Policies\microsoft\w32time /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /v NtpServer /d ntpd-server /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /v Type /d NTP /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v Enabled /t REG_DWORD /d 0x1 /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v CrossSiteSyncFlags /t REG_DWORD /d 0x2
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v ResolvePeerBackoffMinutes /t REG_DWORD /d 0xf
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v ResolvePeerBackoffMaxTimes /t REG_DWORD /d 0x7
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v SpecialPollInterval /t REG_DWORD /d 0xe10
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v EventLogFlags /t REG_DWORD /d 0x0
gpupdate /target:computer /force
- These might be useful as well:
"How to configure an authoritative time server in Windows XP: Configuring the Windows Time service to use an external time source"
http://support.microsoft.com/kb/314054/EN-US/#EXTERNAL or http://support.microsoft.com/kb/314054/EN-US
Samba LDAP, DC, Postfix, IMAP
Mysql
aptitude update
aptitude install mysql-server
Mail server
aptitude install postfix
Pick "Internet Site" and provide the address of your mail host. You will need to add this address to your domain.
maildir
- To use the Maildir format for your mailboxes, which stores each email in a separate file, use the following commands.
- Maildir has a few advantages over the mbox format (keeps emails in separate files, allows multiple applications to read mail, etc.).
- Issue these commands:
postconf -e "home_mailbox = Maildir/"
postconf -e "mailbox_command ="
- You are done. Now your mail goes to Maildir format.
Mutt
- If you want to read your new maildir format you have to tell mutt to use it as well. Edit this file:
vi /etc/Muttrc
- Add these lines to the bottom of the file:
set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.Sent"
set postponed="+.Drafts"
set spoolfile="~/Maildir"
* Now start mutt and send an email to yourself to see if it all works.
Imap
courier-imap
* Install courier-imap with SSL.
aptitude install courier-imap courier-imap-ssl
* Say no to web-based directories.
System tools
ntp
* Install ntp so your server always has the right time
date
aptitude install ntp
/etc/init.d/ntp start
date
ssh server
- Install ssh server
aptitude install openssh-server
LDAP Settings
samba
aptitude install samba samba-doc
aptitude install smbldap-tools
Domain Name: nomis52
Use Password Encryption: Yes
Modify smb.conf to use WINS settings via DHCP: No
How to run Samba: daemons
Create password database: Yes
openldap
- slapd is the daemon (service) that runs while the computer is on. ldap-utils is a set of helper tools for working with LDAP.
aptitude install slapd ldap-utils
- Set administrative password for ldap.
- Let's reconfigure slapd and give it proper domain names:
dpkg-reconfigure slapd
- You can keep all the other settings as default
- Omit OpenLDAP server configuration? No
- DNS domain name: example.com
- Organization name: example.com
- Administrator password: CHANGE
- Database backend to use: HDB
- Do you want the database to be removed when slapd is purged? No
- Allow LDAPv2 protocol? No
- slapd needs the Samba schema to work. Do the following:
cd /usr/share/doc/samba-doc/examples/LDAP
gunzip samba.schema.gz
cp samba.schema /etc/ldap/schema/
- Now add the following line to /etc/ldap/slapd.conf after the other includes:
include /etc/ldap/schema/samba.schema
- And restart slapd:
/etc/init.d/slapd restart
Configure samba
- Replace the following in /etc/samba/smb.conf
passdb backend = tdbsam guest
- With
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=nomis52,dc=net
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=nomis52,dc=net
ldap delete dn = no
# be a PDC
domain logons = yes
# allow user privileges
enable privileges = yes
- Test samba settings
testparm
- Restart samba
/etc/init.d/samba restart
Configure unix to use ldap
- Install libnss
aptitude install libnss-ldap
- Change example to your domain name
LDAP Server Host: 127.0.0.1
DN of Search Base: dc=nomis52,dc=net
LDAP Version: 3
Database requires login: no
Make config readable by owner only: yes
- Edit the file /etc/nsswitch.conf to look like the following:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
- This will search the local database (/etc/passwd) first, then LDAP. You may want it the other way round.
getent group
ssh:x:103:
users:x:20001:
guests:x:20002:
admins:x:20000:
.....
- Edit PAM settings
vi /etc/pam.d/common-account
- Comment out the next line:
#account required pam_unix.so
- and add these two:
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass
vi /etc/pam.d/common-auth
# comment out the next line
#auth required pam_unix.so nullok_secure
# and add these two
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
vi /etc/pam.d/common-password
# comment out the next line
#password required pam_unix.so nullok obscure min=4 max=8 md5
# and add these two
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass
* Restart samba and ssh
/etc/init.d/ssh restart
/etc/init.d/samba restart
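Added example, not from the wiki: a check that the nsswitch.conf and PAM edits above actually ended up in the files, in the right order, before you restart ssh and lock yourself out. The two sample files are constructed here; on the real box pass in the contents of /etc/nsswitch.conf and each /etc/pam.d/common-* file. The order matters: if the old "required pam_unix.so" line is left uncommented above pam_ldap, users whose password exists only in LDAP are rejected, because a success from a later "sufficient" module cannot override an earlier "required" failure. That is the case the second function refuses.

```shell
#!/bin/sh
# Added example (not the wiki's own code). Both files below are constructed
# samples in the shape of the edits described above.
SAMPLE_NSSWITCH='passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
'

SAMPLE_COMMON_AUTH='# comment out the next line
#auth required pam_unix.so nullok_secure
# and add these two
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
'

# Usage: nss_uses_ldap "<nsswitch.conf contents>" passwd|group|shadow
# True if the named database lists the ldap source (in any position).
nss_uses_ldap() {
    printf '%s\n' "$1" | awk -v db="$2" '
        /^[ \t]*#/ { next }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Usage: pam_ldap_stack_ok "<pam file contents>" account|auth|password
# True when, ignoring comment lines, a "<type> sufficient pam_ldap.so" line
# comes before a "<type> required pam_unix.so" line, i.e. the stack matches
# the edits above. Fails if either line is missing, or if an uncommented
# pam_unix "required" line still precedes pam_ldap.
pam_ldap_stack_ok() {
    printf '%s\n' "$1" | awk -v t="$2" '
        /^[ \t]*#/ { next }
        $1 == t && $2 == "sufficient" && $3 == "pam_ldap.so" && !unix_seen { ldap_seen = 1 }
        $1 == t && $2 == "required"   && $3 == "pam_unix.so" { unix_seen = 1 }
        END { if (ldap_seen && unix_seen) exit 0; exit 1 }'
}

# Usage: ldap_login_ready "<nsswitch contents>" "<common-account>" "<common-auth>" "<common-password>"
# Runs every check the section above asks for and returns 0 only if all pass.
ldap_login_ready() {
    nss_uses_ldap "$1" passwd && nss_uses_ldap "$1" group && nss_uses_ldap "$1" shadow &&
    pam_ldap_stack_ok "$2" account && pam_ldap_stack_ok "$3" auth && pam_ldap_stack_ok "$4" password
}
```

On the server: ldap_login_ready "$(cat /etc/nsswitch.conf)" "$(cat /etc/pam.d/common-account)" "$(cat /etc/pam.d/common-auth)" "$(cat /etc/pam.d/common-password)" && echo ok. Keep an existing root shell open until it prints ok.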
References
Based on: