Samba Notes

From PeformIQ Upgrade

SAMBA

Extracted from http://lucasmanual.com/mywiki/SambaDomainController ...

Using samba in linux is easy. You get performance and stability right away. Linux should be your file hosting choice from day 1.

Contents

  1. Install Samba
        1. Status
  2. Quick: Connect to samba share
  3. Quick: Mount Shared Folder
  4. Quick: Enable Writable Share Folder
  5. Quick: Ping netbios names from linux
  6. Print Server
        1. Install CUPS
        2. Add Printers
        3. Enable samba Printer sharing
        4. Upload Printer Drivers to Samba
  7. Configure Samba for Domain
        1. Root/Administrator user
        2. Routs
        3. pre-configuration
        4. Add users
        5. netlogon.bat
        6. simple working smb.conf
        7. Shared folder
        8. test smb.conf
  8. Explain smb.conf
        1. smb.conf explained
              1. WINS support
              2. Share options
              3. Homes
        2. Add Shared Folder to Samba
        3. Add Writable share Folder
        4. Add Printer to Samba
  9. More smb.conf
        1. Profiles
        2. Netlogon
              1. Update hosts file on computers
        3. smb.conf
 10. Samba Status
        1. What is available
 11. User management
        1. Manage users
              1. pdbedit
              2. Add user
              3. Delete user
              4. Change account
              5. Reset password expiration for account
              6. Account flag, disable
              7. Default account settings
        2. Unix passwords to samba passwords
        3. Change password backend
        4. Administrator
              1. Add unix group to samba
 12. Migrate NT4 domain to Samba
        1. Clean up NT4 Domain
        2. smb.conf
        3. Join the samba BDC to NT domain
        4. Migrate User Accounts
 13. Troubleshooting
        1. Can't Join Samba Domain
              1. The network path was not found
              2. No mapping between account names and security IDs was done
              3. Access is denied
              4. Logon failure: unknown user name or bad password
              5. domain could not be contacted
 14. Webmin
        1. Install Webmin
 15. Performance
        1. windows max tcp/ip speed windows speed
 16. external samba
        1. time
 17. Samba LDAP, DC, Postfix, IMAP
        1. Mysql
        2. Mail server
              1. maildir
              2. Mutt
        3. Imap
              1. courier-imap
        4. System tools
              1. ntp
              2. ssh server
        5. LDAP Settings
              1. samba
              2. openldap
              3. Configure samba
              4. Configure unix to use ldap
 18. References

Install Samba

Run the following commands as root:

apt-get update
apt-get install samba

The default setup for samba uses user-level security. If you want to connect right away, add a user to samba with smbpasswd -a username and try logging in with that username and password.

Status

  • To see what services are available on samba use this command.
  • If samba is not running start it by /etc/init.d/samba start
  • When prompted for password, hit enter to login anonymously.
smbclient -L servername
  • You should see something like:
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 3.0.24)
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Server               Comment
        ---------            -------
        SERVERNAME         Samba 3.0.24

        Workgroup            Master
        ---------            -------
                             DEBIAN
        MSHOME               NTSERVERNAME
        mydomainname         DOMAINSERVER
  • This means samba has installed properly and we are ready to configure what is available on it.

Quick: Connect to samba share

  • To be able to use samba we have to change two settings (security and write permissions) and add a user.
  • Edit /etc/samba/smb.conf
  • Uncomment the security
   security = user
  • Find read only = yes and change it to
read only = no
  • Now add a password for your username:
smbpasswd -a myusername
  • Restart samba
/etc/init.d/samba restart
  • Now you can go and browse \\hostname.or.ip.address.of.the.computer\lucas, or via a linux file manager smb://hostname.or.ip.address.of.the.computer/lucas
  • Provide the username 'myusername' and the password you entered.
  • The link above points to your home directory. You can set up more shares later, but you are done with the initial samba settings.
  • Enjoy.

Quick: Mount Shared Folder

  • You need to have smbfs installed. This package enables you to mount via smbfs or cifs. If you don't have it, install it:
apt-get update
apt-get install smbfs
  • [FYI] Older versions of samba used smbfs as the driver to connect to windows. The new driver, called cifs, is faster and is going to be part of the kernel. We will use -t cifs instead of -t smbfs. We still need to install the smbfs package because cifs uses parts of it.
  • To mount windows share drive you need to create a folder:
mkdir somefolder
  • As root or with root privileges (su root or sudo)
mount -t cifs -o username=administrator,password=password //windowsservername/folder /home/lucas/somefolder

or

mount -t cifs -o user=administrator //windowsservername/folder /home/lucas/somefolder
  • The second one will prompt you for the password.
  • If you would like to give a non-privileged user write access to the share, add the UID option.
  • Options after -o are separated by commas with no spaces, or enclosed in quotation marks: -o 'UID=lucas,username=administrator,password=password'
mount -t cifs -o UID=lucas,username=administrator,password=password //windowsservername/folder /home/lucas/somefolder
  • If you are connecting to a domain, make sure you use the domain option:
mount -t cifs -o UID=lucas,username=administrator,password=password,domain=mydomainname //windowsservername/folder /home/lucas/somefolder

[Optional] You can replace administrator with your username. You can also replace windowsservername with an IP address, for example //192.168.1.10/folder.

Quick: Enable Writable Share Folder

  • If you want to create a shared folder that is writable by everybody you can do the following.
  • Change the security mode from user to share. (The first line is commented out.)
#;   security = user
   security = share

Then at the bottom add the following lines.

[SHARED]
comment = PMS files
path = /home/lucas/Unique
browseable = yes
#printable = no
guest account = nobody
guest ok = yes
write ok = yes
force user = lucas
#force group = lucas
  • Replace lucas with your username or another user that you would like to use.
  • Your samba share SHARED folder is ready. On a windows machine go to \\COMPUTERNAME\SHARED or \\192.168.1.1\SHARED (replace 192.168.1.1 with the IP address of the linux machine) and you are done.

Quick: Ping netbios names from linux

Keywords: linux to windows by "full computer name", netbios lookup, nslookup

  1. Every PC can ping every other PC using its netbios name, which corresponds to its IP address.
  2. In windows, pinging netbios names works: ping mycomputer2 will ping the IP behind the name mycomputer2.
  3. You are able to ping a PC that is on DHCP.

This will enable the same feature in linux.

  • To enable linux pcs to ping netbios names you need to:
apt-get update
apt-get install winbind
  • Now edit this file:

vi /etc/nsswitch.conf

  • Change the line that starts with hosts by adding wins at the end of it.
hosts: files dns
to
hosts: files dns wins
  • In my Debian it looked like this:
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 
to
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 wins
  • Now ping any computer you want:
ping mycomputer2
  • Done.

Print Server

Install CUPS

  • The first thing you need to do is install all your printers via cups.
apt-get update
apt-get install cupsys cupsys-client
  • Start cups
/etc/init.d/cupsys start

Add Printers

  • Go to localhost:631 and add all your printers.

This page tells you how to do it: DebianPrinting

Enable samba Printer sharing

  • Then go to /etc/samba/smb.conf
  • And make sure the [printers] and [Print$] section are uncommented.
  • Now uncomment these lines:
 printing = cups
 printcap name = cups
  • This will load the cups system printers and make them available to you.
  • Now type in
smbclient -L localhost
password: [hit Enter]  --password is empty
  • You should see something like this:
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (faxserver server)
        Departent1-Kyocera-9520DN Printer   Kyocera-9520DN
        Departent1-Kyocera-9500DN Printer   Kyocera-9500DN
        Departent1-HP--8000 Printer   HP-8000
        Departent2-Kyocera-C5020DN Printer   Kyocera-C5020N
        Departent2-Kyocera-9520DN Printer   Kyocera-9520DN
        Departent2-HP-P3005 Printer   HP-3005
        Departent2-HP-4000  Printer   HP-4000
        Accounting-Kyocera-9520DN Printer   Kyocera-9520DN
Anonymous login successful

Upload Printer Drivers to Samba

  • Now we need to upload our windows drivers to the samba [Print$] share so next windows client that wants to use this printer will automatically download the drivers.

Configure Samba for Domain

  • First we need to know our server name
uname -n
hostname -f
  • You should see your server name. Put that server name everywhere you see servername in this document.

Root/Administrator user

  • We need to add our first user.
smbpasswd -a root
  • You should see something like this.
root# smbpasswd -a root
New SMB password: XXXXXXXX
Retype new SMB password: XXXXXXXX
  • [page91]Now we need to map our user root to Administrator. This will allow our root account to be called administrator.
  • In /etc/samba create a file called smbusers and add the following to it:
vi /etc/samba/smbusers
#####################
#File Format
#Unix_ID = Windows_ID
#Example:
#root = Administrator
#janes = "Jane Smith"
#####################

root = Administrator
  • Then add a line in your global settings that looks like this:
username map = /etc/samba/smbusers
  • Restart samba

Routs

  • We need to tell the system which name-resolution sources to use when it looks for a computer, and in what order.
  • Edit /etc/nsswitch.conf and make sure it contains:
hosts:    files dns wins

pre-configuration

  • We need to create a folder where we will keep our profiles and netlogons, as well as data and apps folder that will be used for sharing files
  • Create following folders for netlogon scripts and profiles.
mkdir /home/samba
mkdir -p /home/samba/{netlogon,profiles}
chmod ug+rw /home/samba/profiles
  • [Optional]Create these folders for programs share and company documents
mkdir /data
mkdir /apps

Add users

  • You need to add an account for each network user. You can do it by executing these commands.
  • For each user you create you need a profiles folder in /home/samba/profiles/. Replace username with the actual Login ID.
adduser username
smbpasswd -a username

mkdir /home/samba/profiles/username
chown username:users /home/samba/profiles/username

netlogon.bat

  • When each user logs in, the netlogon script will be executed. It needs to be correctly terminated with DOS (CR/LF) line endings, so we will do just that.
  • In the file /home/samba/netlogon/netlogon.bat write the following content (replace servername with your server name):
net time \\servername /set /yes
net use h: /home
  • Now we will convert it to proper DOS file:
  • We need to install a tool that will do it for us.
apt-get update
apt-get install tofrodos
  • Then issue a command

todos /home/samba/netlogon/netlogon.bat

  • If you are replacing a current drive mapping, you might want to remove the old one and mount a new one:
net use u: /delete
net use u: \\SERVERNAME\SOME_FOLDER

simple working smb.conf

  • It is time to create a smb.conf
  • Copy and paste this into your smb.conf. Change workgroup and netbios name.
  • This configuration will get your domain up and running in 30 seconds.
[global]
  #Domain name
  workgroup = yourdomainname
  #The Server Name
  netbios name = servername
  #server string = Samba
  #Time server, Workstations will set their time by this server
  time server =yes
  passdb backend = tdbsam

  #SECURITY AND LOGIN SETTINGS
  #This must be a user in PDC
  security = user
  bind interfaces only = yes
  #Windows XP/2000
  encrypt passwords = yes
  #Login in settings.
  domain logons = Yes
  #Error logs. Comment this out when you are in production.
  log level = 3

  #PDC and MASTER BROWSER SETTINGS
  #os level = 64 #Windows for master PDC. The highest Windows can get is 32
  preferred master = yes
  #local master = yes
  #This defines it as the Primary Domain Controller
  domain master = yes
  #Add delete users on linux and samba (keeps linux and samba accounts in sync)
  add user script = /usr/sbin/useradd -m %u
  add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
  delete user script = /usr/sbin/userdel -r %u
  add group script = /usr/sbin/groupadd %g
  delete group script = /usr/sbin/groupdel %g
  add user to group script = /usr/sbin/usermod -G %g %u

  #User Profiles and Home directory.
  logon drive = H:
  logon path =
  logon home =
  #Login script. Location is defined in [netlogon]
  logon script = netlogon.bat

  #Define user mappings. root = Administrator
  #You don't need this if you have created Administrator SMB user.
  username map = /etc/samba/smbusers
  wins support = yes

  passwd program = /usr/bin/passwd %u

  # ---   shares ---

[netlogon]
  comment = Domain Logon Service
  path = /home/samba/netlogon
  valid users = %U
  admin users = Administrator
  read only = no
  browseable = no
  write list =@admins
  guest ok = Yes
  #For read only purposes. File is not locked per user.
  locking = no 


[homes]
  #If you want to set the home directory somewhere other than the unix home, use the path below.
  # path = \\otherservername\%U
  volume = %U Home
  comment = Home Folder
  valid users = %S
  read only = No
  browseable = No
  public = no
  create mode = 0750

[printers]
  comment = All Printers
  path = /var/spool/samba
  guest ok = Yes
  printable = Yes
  browseable = No

#These are Optional if you want to use them
[apps]
  comment = Application Files
  path = /apps
  admin users = Administrator
  read only = No

[data]
  comment = Application Files
  path = /data
  admin users = Administrator
  read only = No
  • This samba file will allow a user to log into the samba server. Each user will have their own H drive. The apps and data folders are shared. The TDBSAM database is used for authentication. It will use local profiles, which means the user's settings are stored on his/her computer.

Shared folder

  • If you need to quickly add a writable shared folder for anybody, you could add this to your samba config file.
[SHARED]
comment = PMS files
path = /home/lucas/shared
browseable = yes
#printable = no
guest account = guest
guest ok = yes
write ok = yes
force user = lucas
#force group = lucas

test smb.conf

  • To test smb.conf for proper structure, issue this command.
testparm

Explain smb.conf

smb.conf explained

  • netbios name - Name by which the Samba server is known on the network. Same as the Windows NT Computer Name. If you don’t specify it, it will default to the server’s hostname.
  • workgroup - This parameter tells samba which Windows NT Domain or Workgroup it will join. It is equivalent to the Windows NT Domain or Workgroup name.

  • server string - The description string of the Samba server. It is equivalent to the Windows NT Description field.
  • security - four possible values: share, user, server, domain
  • Share - clients need to supply only the password for the resource. This mode of security is the default for the Windows 95 file/print server. It is not recommended for use in UNIX environments, because it violates the UNIX security scheme.
  • User - the user/password validation is done on the server which is offering the resource. This mode is most widely used.
  • Server - user/password validation is done on the specified authentication server. This server can be a Windows NT server or another Samba server.
  • Domain - this security level is basically the same as server security, with the exception that the Samba server becomes a member of a Windows NT domain. In this case the Samba server can also participate in such things as trust relationships.
  • encrypt passwords - If set to yes, Samba uses the encrypted password protocol. It is used in Windows NT (starting with Service Pack 3) and Windows 95/98.
  • smb passwd file - This tells Samba where encrypted passwords are saved. By default, it will use /etc/smbpasswd.
  • name resolve order - This parameter specifies how the Samba server resolves NetBIOS names into IP addresses. The preferred value is wins lmhosts bcast.

WINS support

  • Only one of the parameters (wins support or wins server) can be set at the same time. If you specify the IP address of a WINS server, then wins support must be set to “no”.

  • wins server - With this parameter, you tell Samba which WINS server to use.
  • wins support - This option tells Samba to act as a WINS server

Share options

  • admin users - Specify the users who have administrative privileges for the share. When they access the share, they perform all operations as root.
  • printable - This parameter specifies if the share is a print share. If the share is printable, then it is also writable by default.
  • write list - Specifies the list of people who have write access to the share. If the name begins with @ it means a group name.
  • writable - This parameter specifies if the share is writable. (yes/no)
  • read list - List of people who have read access to the share. If the name begins with @ it means a group name.
  • read only - If this is set to yes, the share is read only.
  • valid users - This parameter specifies which users can access the share.
  • create mask - This is used for file creation to mask against UNIX mask calculated from the DOS mode requested. Default: 0744
  • directory mask - This is used for directory creation to mask against UNIX mask calculated from the DOS mode requested. Default: 0755

Homes

  • A special share section called [homes] affects all home folders. You don't need to create a separate one for each user.
  • When client requests a connection to a file share, existing file shares are scanned. If a match is found, that share is used. If no match is found, the requested share is treated as a username and validated by security. If the name exists and the password is correct, a share with that name is created by cloning the [homes] section.
  • Home Folder Structure in smb.conf
[homes]
comment = Home Directories
path = %H
valid users = %S
browseable = no
writable = yes
create mode = 0700
directory mode = 0700
  • %H - Represents the home directory of the user.
  • %S - Represents the name of the current service which, in the case of the home share, is equal to the username.

Add Shared Folder to Samba

  • Here is a sample share folder structure.
[share]
  path = /path/to/data
  comment = Data Directory on servername
  read only= yes
  valid users = @users
  write list = manager
  • This shares the data in a directory as a share. You can access this share by \\servername\share. Only valid users who are part of the users group are permitted to read this data. The user named manager is allowed to write.

Add Writable share Folder

  • Following the previous procedure, add this to smb.conf:
[everybody]
comment = Everybody files
path = /path/to/folder
browseable = yes
printable = no
writable = yes
write list = @users

Add Printer to Samba

  • You need to have printers installed. If you don't have them installed follow directions on DebianPrinting.
  • When done installing printer add these lines and you will be able to print to them.
  • Add this to your globals
[global]
...
printcap name = cups
printer admin = admin
printing = cups

  • Add this to the bottom of smb.conf

[printers]
path = /var/lib/samba/printers
create mask = 0600
printable = yes
browseable = no
  • Now open windows explorer on your client machine and go to \\servername
  • You should see the printers that you have installed in cups.

More smb.conf

Profiles

  • There is a choice of methods here.
  • For each user to continue using their existing profile, always using the same machine with its own applications installed: after having created an account for them on the server, simply log on to the server. The existing Windows profile on the local machine will be used (as there won't be one already on the server) and copied over to the server. This is fine if they only ever use the same computer, but beware: the profile may have references to software installed only on their machine, so if they want to log in from other machines it is probably worth starting over with a fresh profile and setting up each machine exactly the same; see the next method.

or

  • [We will use the first option for under 50 users in same location] For each user to have their own profile, which they can alter, donated to them efficiently using a single template profile, and that they can roam with from one machine to another, each machine having the same applications installed, or installed on the server: configure a Windows user account on a workstation the way you want it. (If you try to create a user account after you've created a machine account for this machine on the Samba server, creating the account on the workstation will fail and elicit a message saying you can't create accounts in that domain. We don't know what this is about, but to work around it you can use Users and Passwords' Advanced → Advanced → Users → Action → New User... option, or create the account without the workstation being part of a domain: do so beforehand, or temporarily revert back to a workgroup.)

           This will be a 'Restricted User' account.
           This account will be the template user profile. (We use TWEAK - The Windows Environment and Application Konfigurator, available from http://thegoldenear.org/tweak/, to configure the template user account quickly and easily (you only need run the per-user options (including Roaming Computing System specific options, A → P → P))).
           Create the template without running any applications; that will be done later. Consider where you're going to keep icons for applications by reading the section on applications further on.
           Any applications that require their preferences pre-installing manually (rather than dealing with it themselves) in the Windows profile will want that done now (see the applications section further on).
  • Create a profiles folder
  • Let's change permissions on our profiles folder
mkdir /home/samba
mkdir /home/samba/profiles
chmod 1757 /home/samba/profiles
  • Let's create an initial template
mkdir /home/samba/profiles/template
  • In Windows Explorer log into your server by going to \\yourservername

Netlogon

  • We need to create a netlogon script that will be used to mount extra drives on client machines.
  • First we need to create a directory for that. The samba folder should exist already.
cd /home/samba
ls
mkdir netlogon
chmod 0755 /home/samba/netlogon
cd /home/samba/netlogon
  • Here is a sample NETLOGON.BAT that we will put into /home/samba/netlogon/NETLOGON.BAT
  • You will need to create this file on windows because windows will be the one reading it. (We need CR/LF as end of line character)
rem ###########################################
rem logon script
rem version 0.7.0
rem
rem remember this file needs DOS CR/LF to work
rem ###########################################
rem Change Log
rem 0.7.0 13-Dec-2003
rem  - added a new system and user TEMP location of e:\%username%\windows and e:\windows
rem  - changed 'cooledit' directory name to 'audition' to reflect that program's name change
rem  - removed creation of 'powerarchiver' directory as we use 7-Zip exclusively
rem 0.6.5 08-April-2003
rem  - renamed 'server' to 'file-server'
rem  - removed '/PERSISTANT:YES'
rem -------------------------------------------

net use P: \\file-server\programs
rem (only admins group can write there in our Samba configuration)

rem make mappings to shared areas, i.e.:
rem H: is made by smb.conf
net use S: \\file-server\shared

rem sync the workstation's time to that of the file-server
net time \\file-server /set /yes

rem make connections to any printer(s):
rem net use LPT1:

rem create temporary directories for %USERNAME% on TEMP partition
rem (remove any for applications not used on your system):
if not exist "e:\%username%" md "e:\%username%"

if not exist "e:\%username%\winnt" md "e:\%username%\winnt"
if not exist "e:\%username%\windows" md "e:\%username%\windows"
rem ('winnt' remains for backwards compatibility. we changed to 'windows' on 12 Dec 03 / TWEAK 0.8.32)

if not exist "e:\%username%\ie" md "e:\%username%\ie"
if not exist "e:\%username%\ie\Temporary Internet Files" md "e:\%username%\ie\Temporary Internet Files"
if not exist "e:\%username%\mozilla" md "e:\%username%\mozilla"
if not exist "e:\%username%\java" md "e:\%username%\java"
if not exist "e:\%username%\nero" md "e:\%username%\nero"
if not exist "e:\%username%\audacity" md "e:\%username%\audacity"
if not exist "e:\%username%\audition" md "e:\%username%\audition"

:EOF
  • Now allow users to read that file
chmod a+r /home/samba/netlogon/NETLOGON.BAT

Update hosts file on computers

  • Add this script to your logonscript.bat. Replace "MYPDC" with your domain computer name.

copy \\MYPDC\netlogon\hosts %systemroot%\system32\drivers\etc\hosts

smb.conf

  • Here is a final smb.conf that you can just paste into your smb.conf file.
  • YOU will need to change the workgroup name, hosts allow/deny IP address, and netbios name.
  • Before you start, let's make a copy of smb.conf
cp /etc/samba/smb.conf /etc/samba/smb.conf-original
  • Now clear the old file and paste this in.
# Smb.conf, samba domain controller
# Replacing windows nt domain controller
# Need to change workgroup, netbios name, allowed host allow/deny
[global]
  #Domain name
  workgroup = domainname
  #The Server Name
  netbios name = domainserver
  #server string = Samba  
  #Time server, Workstations will set their time by this server
  time server =yes
  passdb backend = tdbsam

  #SECURITY AND LOGIN SETTINGS
  #This must be a user in PDC
  security = user
  #Allow connection from specified addresses 10.1.1.*
  #Change it to your ip network, example: 192.168.0.
  #hosts allow = 127.0.0.1 10.1.1.
  #Deny others
  #hosts deny = 0.0.0.0/0
  #Only allow connection through network card
  #interfaces =eth* lo
  #bind interfaces only = yes
  #Windows XP/2000
  encrypt passwords = yes
  #Login in settings.
  domain logons = Yes
  #Error logs. Comment this out when you are in production.
  log level = 5

  #PDC and MASTER BROWSER SETTINGS
  #os level = 64 #Windows for master PDC. The highest Windows can get is 32
  preferred master = yes
  #preferred master = auto
  local master = yes
  #This defines it as the Primary Domain Controller
  domain master = yes
  #Add delete users on linux and samba (keeps linux and samba accounts in sync)
  add user script = /usr/sbin/useradd -m %u
  add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
  delete user script = /usr/sbin/userdel -r %u
  add group script = /usr/sbin/groupadd %g
  delete group script = /usr/sbin/groupdel %g
  add user to group script = /usr/sbin/usermod -G %g %u

  #User Profiles and Home directory.
  logon path = \\%L\profiles\%U
  logon home = \\%L\%U 
  #Login script. Location is defined in [netlogon]
  logon script = netlogon.bat

  #Define user mappings between this system and windows system.
  #Without this you get ask for password.
  #You don't need this if you have created SMB user here.
  username map = /etc/samba/smbusers
  wins support = yes
  admin users = root

  #Keep the case in file/directory names.Matching is done without regard to case.
  #It allows transition from non-case system (windows) to case system(unix)
  preserve case = yes
  short preserve case = yes
  case sensitive = no

  #Sync Unix passwords from windows workstation using PAM
  #Allow users to change their password
  unix password sync = yes
  #pam password change = yes

  #Optimized of samba for increased speed
  #SO_KEEPALIVE -sends a probe every 4 hours to check that a connection is still active
  #TCP_NODELAY
  #IPTOS_LOWDELAY
  #SO_SNDBUF=14596 -14596 is roughly the best in most circumstances,
  # it may be optimized better for your system.
  #SO_RCVBUF = 14596
  socket options =TCP_NODELAY,IPTOS_LOWDELAY, SO_KEEPALIVE, SO_SNDBUF=14596, SO_RCVBUF=14596

  #lpq command = %p
  #name resolve order = wins bcast hosts
  #passwd chat debug = Yes
  #idmap gid = 15000-20000
  #passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n
  #lprm command =
  passwd program = /usr/bin/passwd %u
  #print command =
  #printing = cups
  #idmap uid = 15000-20000
  #printcap name = CUPS
  #null passwords = yes

  # ---   shares ---

[netlogon]
  comment = Domain Logon Service
  path = /home/samba/netlogon
  valid users = %U
  admin users = Administrator
  read only = no
  browseable = no
  write list =@admins
  guest ok = Yes
  #For read only purposes. File is not locked per user.
  locking = No 

[profiles]
comment = Network Profiles Share
path = /home/samba/profiles
browseable = yes
guest ok = yes
writeable = yes
read only = no
profile acls = yes
csc policy = disable
create mode = 0600
directory mode = 0700

[homes]
  #If you want to set the home directory somewhere other than the unix home, use the path below.
  # path =
  volume = %U Home 
  comment = Home Folder
  valid users = %S
  read only = No
  browseable = No
  public = no
  create mode = 0750

[printers]
  comment = All Printers
  path = /var/spool/samba
  guest ok = Yes
  printable = Yes
  browseable = No

#These are Optional
[apps]
  comment = Application Files
  path = /apps
  admin users = Administrator
  read only = No

[data]
  comment = Application Files
  path = /data
  admin users = Administrator
  read only = No

Samba Status

What is available

  • To see what services are available on samba use this command.
  • If no password is set, hit enter to login anonymously.
smbclient -L servername
  • You should see something like:
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 3.0.24)
        Dept1-HP-P3005N Printer   Dept1
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Server               Comment
        ---------            -------
        DOMAINSERVER         Samba 3.0.24

        Workgroup            Master
        ---------            -------
                             DEBIAN
        MSHOME               NTSERVERNAME
        mydomainname         DOMAINSERVER

User management

Manage users

  • There are two tools to manage users. We will use the second one because it gives us more control.
  • smbpasswd
  • pdbedit

smbpasswd:

  1. add user or machine accounts.
  2. delete user or machine accounts.
  3. enable user or machine accounts.
  4. disable user or machine accounts.
  5. set to NULL user passwords.
  6. manage interdomain trust accounts. 

pdbedit:

  1. add, remove, or modify user accounts.
  2. list user accounts.
  3. migrate user accounts.
  4. migrate group accounts.
  5. manage account policies.
  6. manage domain access policy settings. 

pdbedit

  • Find the details on user:
pdbedit -Lv username
  • Or to see all users:
pdbedit -Lv |less

Press space to view the next page, q to quit.

Add user

  • Two options.

smbpasswd: Add username to debian linux account and samba account.

adduser 'username'
smbpasswd -a 'username'

Add user with pdbedit. The Unix account needs to exist already:

pdbedit -a username

Delete user

Delete samba account:

pdbedit -x username

Change account

  • Change user account information
pdbedit -r --fullname="First Last name" username

Reset password expiration for account

pdbedit -z username

Account flag, disable

  • Available flags
D       Account is disabled.
H       A home directory is required.
I       An inter-domain trust account.
L       Account has been auto-locked.
M       An MNS (Microsoft network service) logon account.
N       Password not required.
S       A server trust account.
T       Temporary duplicate account entry.
U       A normal user account.
W       A workstation trust account.
X       Password does not expire.
  • To change a flag do this:
pdbedit -r -c "[DLX]" username
  • To reset to default:
pdbedit -r -c "[]" username
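
The flags listed above can be audited across all accounts at once. The following is an added example, not part of the original page: it reads the smbpasswd-style listing printed by pdbedit -L -w and reports accounts carrying the N, X, D or L flags. The function names are hypothetical and the sample listing is constructed, with placeholder hashes.

```shell
# Added example (not from the original page): report Samba accounts whose
# flags deserve review. Input is the smbpasswd-style listing printed by
# `pdbedit -L -w`:  username:uid:LMHASH:NTHASH:[FLAGS      ]:LCT-xxxxxxxx:

# audit_flags (hypothetical name): reads the listing on stdin and prints
# "user<TAB>flag<TAB>meaning" for each N, X, D or L flag it finds.
audit_flags() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ || NF < 5 { next }   # comments, blanks, junk
        {
            user = $1
            flags = $5
            gsub(/[^A-Z]/, "", flags)                  # "[NU         ]" -> "NU"
            if (index(flags, "N")) print user "\tN\tpassword not required"
            if (index(flags, "X")) print user "\tX\tpassword does not expire"
            if (index(flags, "D")) print user "\tD\taccount is disabled"
            if (index(flags, "L")) print user "\tL\taccount has been auto-locked"
        }'
}

# Constructed sample listing; hash fields are placeholders, not real hashes.
sample_accounts() {
    h=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    cat <<EOF
# username:uid:lm:nt:flags:last-change
joe:1001:$h:$h:[U          ]:LCT-00000000:
mary:1002:$h:$h:[UX         ]:LCT-00000000:
kiosk:1003:$h:$h:[NU         ]:LCT-00000000:
john:1004:$h:$h:[DU         ]:LCT-00000000:
ws01\$:1005:$h:$h:[W          ]:LCT-00000000:
EOF
}

# On a live server, run as root:  pdbedit -L -w | audit_flags
sample_accounts | audit_flags
```

Accounts reported with N are the first to review: that flag means no password is required for the account.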

Default account settings

  • Account policies must be set individually on each PDC and BDC.
  • See what is the default now.
pdbedit -P ?
  • Change a default:
pdbedit -P "min password length" -C 8
  • Replace "min password length" with other options you saw in pdbedit -P ?

Unix passwords to samba passwords

cat /etc/passwd | /usr/sbin/mksmbpasswd > /etc/samba.d/smbpasswd

Change password backend

  • This will migrate passwords from smbpasswd to tdbsam
pdbedit -i smbpasswd -e tdbsam
  • Make sure you remove smbpasswd from smb.conf
passdb backend = tdbsam:/etc/samba/passdb.tdb
  • You should be done. Your user should be able to log into your domain.

Administrator

  • The Administrator user is a member of the Administrators group, and thus inherits Administrators group privileges. When an MS Windows NT4/200x/XP machine is made a domain member, the “Domain Admins” group of the PDC is added to the local Administrators group of the workstation. Every member of the Domain Admins group inherits the rights of the local Administrators group when logging on the workstation.
  • The following steps describe how to make Samba PDC users members of the Domain Admins group.
  • Create a UNIX group (usually in /etc/group); let's call it domainadmin.
addgroup domainadmin

  • Add to this group the users that must be “Administrators”. For example, if you want joe, john, and mary to be administrators, your entry in /etc/group will look like this:

domainadmin:x:502:joe,john,mary

  • Map this domainadmin group to the “Domain Admins” group by executing the command:

root# net groupmap add ntgroup="Domain Admins" unixgroup=domainadmin rid=512 type=d
  • Now joe, john, and mary are domain administrators.

Add unix group to samba

  • It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as to make any UNIX group a Windows domain group. For example, if you wanted to include a UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine, you would flag that group as a domain group by running the following on the Samba PDC:
root# net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct type=d
   * Be aware that the RID parameter is an unsigned 32-bit integer that should normally start at 1000. However, this RID must not overlap with any RID assigned to a user. Verification for this is done differently depending on the passdb backend you are using. Future versions of the tools may perform the verification automatically, but for now the burden is on you. 
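
Since the RID overlap check is left to the administrator, the following added example (not part of the original page or of Samba's tools) shows one way to do it: it collects the RIDs already in use from pdbedit -Lv and net groupmap list output and tests a candidate RID against them. Function names are hypothetical, and the listings and SIDs are constructed samples.

```shell
# Added example (not from the original page): check a candidate RID against
# existing user and group RIDs before running `net groupmap add rid=...`.
# Function names are hypothetical; the sample listings are constructed.

# Prints "RID<TAB>user" for each account in `pdbedit -Lv` output on stdin.
user_rids() {
    awk '/^Unix username:/ { user = $3 }
         /^User SID:/      { n = split($3, part, "-"); print part[n] "\t" user }'
}

# Prints "RID<TAB>ntgroup" for each `net groupmap list` line on stdin,
# e.g. "Accounting (S-1-5-21-...-1000) -> acct".
group_rids() {
    awk '{ lp = index($0, " (S-"); rp = index($0, ") -> ")
           if (lp == 0 || rp < lp) next
           n = split(substr($0, lp + 2, rp - lp - 2), part, "-")
           print part[n] "\t" substr($0, 1, lp - 1) }'
}

# check_new_rid RID: reads a RID table on stdin and prints "invalid"
# (not an unsigned 32-bit integer), "taken by NAME" or "free".
check_new_rid() {
    case "$1" in ''|*[!0-9]*) echo invalid; return 2 ;; esac
    awk -v r="$1" 'BEGIN { exit (r + 0 > 4294967295) }' ||
        { echo invalid; return 2; }
    awk -F'\t' -v rid="$1" '
        $1 == rid && !hit { owner = $2; hit = 1 }
        END { if (hit) { print "taken by " owner; exit 1 } else print "free" }'
}

sample_users() {   # constructed excerpt in `pdbedit -Lv` layout
    cat <<'EOF'
---------------
Unix username:        joe
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3002
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513
---------------
Unix username:        mary
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3004
EOF
}

sample_groups() {  # constructed excerpt in `net groupmap list` layout
    cat <<'EOF'
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domainadmin
Accounting (S-1-5-21-1111111111-2222222222-3333333333-1000) -> acct
EOF
}

rid_table() { sample_users | user_rids; sample_groups | group_rids; }

rid_table | check_new_rid 1000 || true    # prints: taken by Accounting
```

On a live PDC, build the table with { pdbedit -Lv | user_rids; net groupmap list | group_rids; } and pipe it into check_new_rid.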

Migrate NT4 domain to Samba

  • We start from the beginning.
  • Clean up or delete the passdb.tdb. Located: /var/lib/samba/passdb.tdb

Clean up NT4 Domain

  • Clean up the NT domain. Make sure all groups are lowercase, delete any accounts that you don't want to transfer.

smb.conf

  • Add this to replace smb.conf
  • Replace [domainname], netbios name, and the WINS server IP address. If you don't have a WINS server, comment that line out.
[global]
    workgroup = [domainname]
    netbios name = SAMBASERVER
    passdb backend = tdbsam
    domain master = No
    domain logons = Yes
    os level = 33
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
    wins server = [IP of wins server]
  • Restart Samba
/etc/init.d/samba restart
  • Test your settings in smb.conf. You should see no errors.

testparm

Join the samba BDC to NT domain

  • Replace with proper names
net rpc join -S [NT netbios name or IP] -U Administrator
  • Replace domaincomputername with the proper name, or use the IP address instead.
net rpc join -S domaincomputername -U Administrator
  • You should see something like.
server:/etc/samba#  net rpc join -S domaincomputername -U Administrator
Password:
Joined domain LIABILITY.

Migrate User Accounts

  • We will use a script to migrate the user accounts
net rpc vampire -S [NT netbios name or IP] -W [domainname] -U Administrator
  • So in my case it would be:
net rpc vampire -S domaincomputername -W xyzdomain -U Administrator
  • You should see something like:
Fetching DOMAIN database
Creating unix group: 'Domain Admins'
Creating unix group: 'Domain Users'
Creating unix group: 'Domain Guests'
Creating unix group: 'Claims'
Creating unix group: 'Accounting'
Creating account: Administrator
Creating account: Guest
...
Creating unix group: 'Administrators'
Creating unix group: 'Backup Operators'
Creating unix group: 'Guests'
Creating unix group: 'Print Operators'
Creating unix group: 'Replicator'
Creating unix group: 'Server Operators'
Creating unix group: 'Users'
  • Double check that your users have been created. Use this command.
pdbedit -L  
  • Shut down your old domain. You might need it later so don't destroy it just yet.
  • Edit smb.conf and change or add these two things.

domain master = yes
wins support = yes

  • Now restart Samba
/etc/init.d/samba restart
  • Now Login with your client workstation.

Troubleshooting

Can't Join Samba Domain

The network path was not found

The following error occurred attempting to join the domain "DOMAINNAME": The network path was not found.

  • This usually happens on Windows XP when there is an incorrect gateway and/or route entry in the registry. You can solve this by changing your IP address, subnet and gateway to something different, and then changing it back again. This usually fixes the issue.

No mapping between account names and security IDs was done

The following error occurred attempting to join the domain "DOMAINNAME": No mapping between account names and security IDs was done

  • This error can be fixed by using lowercase names of the workstations in /etc/passwd and smbpasswd and on the Windows XP clients.

Access is denied

The following error occurred attempting to join the domain "DOMAINNAME": Access is denied.

  • The machine account entered in smbpasswd is missing, is disabled, or you're trying to join the domain using an account name other than root.
  • To add username run:
smbpasswd -a root
  • To add machine run (note the $ at the end):
smbpasswd -a -m <machine-name>$

Logon failure: unknown user name or bad password

The following error occurred attempting to join the domain "DOMAINNAME": Logon failure: unknown user name or bad password.

  • In this case either root doesn't exist in the smbpasswd database or you've typed in an incorrect password.
  • To add root run:
smbpasswd -a root

domain could not be contacted

A domain controller for the domain "DOMAINNAME" could not be contacted.

  • The domain name you are typing in is not the one samba uses. Your domain name is the value of the workgroup parameter from smb.conf. Another reason might be that nmbd is not running and can't answer NetBIOS name queries.
  • Check the smb.conf for correct domain name then run:
smbclient -L localhost
  • When prompted for password just hit enter:
Password: 
Domain=[DOMAINNAME] OS=[Unix] Server=[Samba 3.0.24]
  • Check if nmbd is listening:
ps ax|grep nmbd

you will see:

3589 ?        Ss     0:00 /usr/sbin/nmbd -D

Webmin

Install Webmin

apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl
  • Download the deb file.
  • Check for newer version on the website.
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.350_all.deb
  • Install downloaded file
dpkg --install webmin_1.350_all.deb

Performance

windows max tcp/ip speed windows speed

The problem is in the old tcp/ip setting in Windows. Back in the beginning Windows had a small tcp window size and it never changed. By adding the following to the registry you can increase it to something more appropriate for 100M NICs.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

"GlobalMaxTcpWindowSize"=dword:00020148
"TcpWindowSize"=dword:00020148
"Tcp1323Opts"=dword:00000003

This helped me no end with my backups. Increased network throughput by a factor of 30. So give it a go.

http://rdweb.cns.vt.edu/public/notes/win2k-tcpip.htm will explain it a bit more.

external samba

time

The relationship of "net time" and a real ntp server seems to be a one time sync only anyway. However, you can have the PC really use ntp:

:: setup ntp client
:: need to be an admin - one time setup
sc stop w32time
w32tm /unregister
w32tm /register
net time /setsntp:ntpd-server
sc config w32time start= auto
sc start w32time
w32tm /resync
w32tm /stripchart /computer:ntpd-server /samples:1

Could instead use a real Policy or manually jam it into the registry:

:: setup ntp client
:: need to be an admin - one time setup
reg add HKLM\SOFTWARE\Policies\microsoft\w32time /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /v NtpServer /d ntpd-server /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /v Type /d NTP /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v Enabled /t REG_DWORD /d 0x1 /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v CrossSiteSyncFlags /t REG_DWORD /d 0x2
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v ResolvePeerBackoffMinutes /t REG_DWORD /d 0xf
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v ResolvePeerBackoffMaxTimes /t REG_DWORD /d 0x7
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v SpecialPollInterval /t REG_DWORD /d 0xe10
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v EventLogFlags /t REG_DWORD /d 0x0
gpupdate /target:computer /force
  • These might be useful as well

"How to configure an authoritative time server in Windows XP: Configuring the Windows Time service to use an external time source"

http://support.microsoft.com/kb/314054/EN-US/#EXTERNAL or http://support.microsoft.com/kb/314054/EN-US

Samba LDAP, DC, Postfix, IMAP

Mysql

aptitude update
aptitude install mysql-server

Mail server

aptitude install postfix

Pick internet site and provide your http address for your mail host. You will need to add this address to your domain.

maildir

  • To use maildir format in your mailbox which creates separate files for each email you can use the following commands:
  • Maildir has a few advantages over mbox format. (keeps emails in separate files, allows for multiple applications to read mail, etc)
  • Issue these commands:
postconf -e "home_mailbox = Maildir/"
postconf -e "mailbox_command ="
  • You are done. Now your mail goes to Maildir format.

Mutt

  • If you want to read your new maildir format you have to tell mutt to use it as well. Edit this file:
vi /etc/Muttrc
  • Add these lines to the bottom of the file:
set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.Sent"
set postponed="+.Drafts"
set spoolfile="~/Maildir"
  • Now start mutt and send an email to yourself to see if it all works.

Imap

courier-imap

   * Install courier-imap over SSL.
aptitude install courier-imap courier-imap-ssl
   * Say no to web-based directories.

System tools

ntp

   * Install ntp so your server always has the right time
date
aptitude install ntp
/etc/init.d/ntp start
date

ssh server

  • Install ssh server

aptitude install openssh-server

LDAP Settings

samba

aptitude install samba samba-doc
aptitude install smbldap-tools


      Domain Name: nomis52
      Use Password Encryption: Yes
      Modify smb.conf to use WINS settings via DHCP: No
      How to run Samba: daemons
      Create password database: Yes

openldap

  • slapd is a daemon (service) that runs while the computer is on. ldap-utils is a set of helper tools for running ldap.
aptitude install slapd ldap-utils
  • Set administrative password for ldap.
  • Let's reconfigure slapd and give it proper domain names:
dpkg-reconfigure slapd
  • You can keep all the other settings as default
  • Omit OpenLDAP server configuration? No
  • DNS domain name: example.com
  • Organization name: example.com
  • Administrator password: CHANGE
  • Database backend to use: HDB
  • Do you want the database to be removed when slapd is purged? No
  • Allow LDAPv2 protocol? No
  • slapd needs the Samba schema to work. Do the following:
cd /usr/share/doc/samba-doc/examples/LDAP
gunzip samba.schema.gz
cp samba.schema /etc/ldap/schema/
  • Now add the following line to /etc/ldap/slapd.conf after the other includes:
include /etc/ldap/schema/samba.schema
  • And restart slapd:
/etc/init.d/slapd restart

Configure samba

  • Replace the following in /etc/samba/smb.conf
passdb backend = tdbsam guest
  • With


passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=nomis52,dc=net
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=nomis52,dc=net
ldap delete dn = no

# be a PDC
domain logons = yes

# allow user privileges
enable privileges = yes
  • Test samba settings

testparm

  • Restart samba


/etc/init.d/samba restart

Configure unix to use ldap

  • Install libnss


aptitude install libnss-ldap
  • Change example to your domain name


LDAP Server Host: 127.0.0.1
DN of Search Base: dc=nomis52,dc=net
LDAP Version: 3
Database requires login: no
Make config readable by owner only: yes
  • Edit the file /etc/nsswitch.conf to look like the following:
passwd: compat ldap 
group: compat ldap 
shadow: compat ldap
  • This will search the local database (/etc/passwd) first, then LDAP. You may want it the other way round.
getent group
ssh:x:103:
users:x:20001: 
guests:x:20002: 
admins:x:20000: 
.....
  • Edit PAM settings
vi /etc/pam.d/common-account

# comment out the next line
#account required pam_unix.so

# and add these two
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass

vi /etc/pam.d/common-auth

# comment out the next line 
#auth required pam_unix.so nullok_secure 

# and add these two 
auth sufficient pam_ldap.so 
auth required pam_unix.so nullok_secure use_first_pass

vi /etc/pam.d/common-password

# comment out the next line 
#password required pam_unix.so nullok obscure min=4 max=8 md5 
# and add these two 
password sufficient pam_ldap.so 
password required pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass
   * Restart samba and ssh 
/etc/init.d/ssh restart
/etc/init.d/samba restart

References

Based on:

  1. http://www.phptr.com/content/images/013188221X/downloads/013188221X_book.pdf
  2. http://www.redbooks.ibm.com/redpapers/pdfs/redp0023.pdf
  3. http://us1.samba.org/samba/docs/Samba3-HOWTO.pdf
  4. http://pserver.samba.org/samba/ftp/cifs-cvs/linux-cifs-client-guide.pdf