Samba
• Objectives
– To be able to set up and work with Samba
• Contents
– Samba servers
– Installing and configuring Samba
– Getting SWAT working
– Sharing directories with Samba
– Samba tools
• Practical
– Installing and setting up Samba
• Summary

Samba servers
• Domain Controller
– Primary Domain Controller (PDC)
– Backup Domain Controller (BDC)
– ADS Domain Controller
• Domain Member Server
– Active Directory Domain Server
– NT4 Style Domain Server
• Standalone Server
• Samba security modes
– User level security (default mode): security = user
– Share level security: security = share
– Domain security mode: security = domain
– ADS security mode: security = ADS
    realm = your.kerberos.REALM

Download and Install Packages
• You can get official Samba from at least 2 places
    (As RPM) http://en.opensuse.org/Samba
    (As sources) http://us2.samba.org/samba/ftp/
• Install from sources
  1. Get the sources:
    # wget http://us1.samba.org/samba/ftp/stable/samba-3.0.21b.tar.gz
  2. Unzip it:
    # tar xvfz samba-3.0.21b.tar.gz
  3. Make configuration:
    # cd samba-3.0.21b/source
    # ./autogen.sh
  4. Run configuration:
    # ./configure
  5. Install Samba binaries and docs:
    # make install
• In YaST on SuSE you need to install the following packages:
    samba samba-client samba-winbind libsmbclient kdebase3-samba ldapsmb
• SuSE is very active in maintaining Samba
– Consider using the SuSE-provided RPM packages above rather than the sources

How to Get Samba Started
• Check /etc/services to confirm that these entries are present
    netbios-ssn 139/tcp
    netbios-ns 137/udp
• Start the Samba services
– nmb NetBIOS messages
– smb Server messages
– winbind resource browsing and naming
    # rcnmb start
    # rcsmb start
    # rcwinbind start
• Make Samba start at boot
    # chkconfig nmb on
    # chkconfig smb on
    # chkconfig winbind on
• Check that Samba is running
    # pgrep smb ; pgrep nmb
• Samba is installed by default in SuSE
• The main Samba configuration sits in /etc/samba
• The main configuration file is named smb.conf

The Samba Configuration File
• Samba main configuration /etc/samba/smb.conf has 5 main sections
• [global] General Samba configuration parameters
• [printers] Used for configuring printers
• [homes] Defines treatment of user logins
• [netlogon] A share for storing logon scripts. (Not created by default.)
• [profile] A share for storing domain logon information such as "favorites" and desktop icons. (Not created by default.)

How SWAT Makes Samba Simpler
• Basic SWAT setup
– SWAT is xinetd dependent
– Only access from localhost as default
    # SWAT is the Samba Web Administration
    # Tool.
    service swat
    {
        socket_type = stream
        protocol = tcp
        wait = no
        user = root
        server = /usr/sbin/swat
        only_from = 127.0.0.1
        log_on_failure += USERID
    }
• Activate SWAT
    # chkconfig swat on
• SWAT listens on port 901
    # grep swat /etc/services
    swat 901/tcp
• SWAT is available through a web interface
    http://localhost:901
    Log in as root with the root password
• SWAT can be secured with stunnel
• Always back up your original smb.conf before using SWAT
    # cp /etc/samba/smb.conf /etc/samba/smb.conf.original

Starter: The [Global] Section /etc/samba/smb.conf
    # Tells Samba to become the PDC
    domain logons = Yes
    # Makes the PDC act as the central store for the names of all Windows
    # clients, servers and printers on the network. Very helpful when you need
    # to "browse" your local network for resources. Also known as a local
    # master browser.
    preferred master = Yes
    # Tells Samba to become the master browser across multiple networks all
    # over the domain. The local master browsers register themselves with the
    # domain master to learn about resources on other networks.
    domain master = Yes
    # Sets the priority the Samba server should use when negotiating to become
    # the PDC with other Windows servers. A value of 65 will usually make the
    # Samba server win.
    os level = 65
    # (default) Allows the Samba server to provide name services for the
    # network. In other words, it keeps track of the IP addresses of all the
    # domain's servers and clients.
    wins support = Yes
    # Lets the Samba server provide time updates for the domain's clients.
    time server = Yes
    # The name of the Windows domain we'll create. The name you select is your
    # choice. I've decided to use "homenet".
    workgroup = "homenet"
    # (default) Make domain logins query the Samba password database located
    # on the Samba server itself.
    security = user

Starter: The [Global] Section continued
    # Tells the name of the server
    netbios name = SMBSRV
    # File locking
    kernel oplocks = false
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    # Bind to these interfaces only
    interfaces = lo eth0
    # Answer on same interface
    bind interfaces only = yes
    # Begin with allowing all hosts
    hosts allow = all
    # Client machine logging
    log file = /var/log/samba/log.%m
    # Builtin logrotate
    max log size = 500
    # Use DNS as wins proxy
    dns proxy = no
    name resolve order = wins lmhosts hosts bcast
    # We are local wins server
    wins server = 127.0.0.1
    enhanced browsing = yes
    load printers = no
    printing = lprng

Starter: The [homes] Section /etc/samba/smb.conf
    # Doesn't allow others to browse the contents of the directory
    browseable = No
    # Allows the Samba user to also write to their Samba Linux directory
    read only = No
    # Makes new files created by the user have "664" permissions. You want to
    # change this to "0600" so that only the login user has access to files.
    create mask = 0664
    # Makes new sub-directories created by the user have "775" permissions.
    # You want to change this to "0700" so that only the login user has
    # access to directories.
    directory mask = 0775

The [netlogon] and [profiles] Share Sections
• The netlogon share contains login scripts for clients
• The profiles share is storage for the desktop environment
    [netlogon]
    path = /home/samba/netlogon
    guest ok = Yes
    [profiles]
    path = /home/samba/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
• Remember to create these share directories from the command line afterwards.
    # mkdir -p /home/samba/netlogon
    # mkdir -p /home/samba/profiles
    # chmod -R 0755 /home/samba
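
The [homes] comments recommend 0600/0700 and the [profiles] share already uses them. The script below is an added example, not part of the original slides: it lists every share in an smb.conf whose create mask or directory mask still grants group or other access. The function names and the embedded sample file are assumptions made for illustration.

```shell
# Added example (not from the slides). Function names are hypothetical.
# list_masks FILE: print "section|parameter|value" for each mask setting.
# Parameter names are case-insensitive and ignore embedded spaces;
# "create mode" / "directory mode" are synonyms for the mask parameters.
list_masks() {
    awk '
        /^[ \t]*[#;]/ { next }                 # comment line
        /^[ \t]*\[/ {                          # [section] header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        index($0, "=") {
            eq = index($0, "=")
            name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name ~ /^create(mask|mode)$/)    print sec "|create mask|" val
            if (name ~ /^directory(mask|mode)$/) print sec "|directory mask|" val
        }
    ' "$1"
}

# Report each mask that is malformed or grants anything beyond the owner.
audit_masks() {
    list_masks "$1" | while IFS='|' read -r sec name val; do
        case $val in
            ''|*[!0-7]*) echo "$sec: $name = $val (not an octal mode)"; continue ;;
        esac
        if [ $(( 0$val & 077 )) -ne 0 ]; then
            echo "$sec: $name = $val (group/other bits set)"
        fi
    done
}

# Constructed sample configuration using the values shown on the slides.
sample_conf() {
    cat <<'EOF'
[homes]
   ; constructed sample, values as on the [homes] slide
   Create Mask = 0664
   directory mask = 0775
[profiles]
   create mask = 0600
   directory mask = 0700
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_masks "$tmp"; rm -f "$tmp"
```

Run `audit_masks /etc/samba/smb.conf` against a real configuration. A share with no explicit mask is not reported, because it inherits Samba's built-in defaults rather than a value from the file.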

The [printers] Share Section
• The Samba default [printers] section:
    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

How To Create A Samba PDC Administrator User
• Home environment, adding the root admin
    # /usr/bin/smbpasswd -a root password
• Samba passwords are stored in the /etc/samba/smbpasswd file
• In a corporate environment you might want more than one person to administer Samba
    # groupadd sysadmin
• Update your smb.conf [global] section with
    domain admin group = @sysadmin
    admin users = @sysadmin
    printer admin = @sysadmin
• Add some Linux users that are members of this group
• Use smbpasswd to add Samba passwords for domain logons for this group (ux-passwd != smbpasswd)

How To Add Workstations To Your Samba Domain
• Adding workstations to a Samba domain is a two step process
– creation of workstation trust accounts on the Samba server
– logging into each workstation to add them to the domain
• Create Samba trust accounts for each workstation
– Manually
    # groupadd samba-clients
    # /usr/sbin/useradd -g samba-clients -d /dev/null -s /bin/false machine_name$
    # passwd -l machine_name$
    # smbpasswd -a -m machine_name
– Automatically
    [global]
    # <...remainder of parameters...>
    add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
• Create the samba-clients Linux group
    # groupadd samba-clients
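
The manual procedure above gives each machine account a /dev/null home, a /bin/false shell and a locked Linux password. The script below is an added example, not part of the original slides: it checks passwd-format and shadow-format files for trust accounts that deviate from that. The function names, the sample data, and the acceptance of /sbin/nologin as an equivalent shell are assumptions.

```shell
# Added example (not from the slides). Function names are hypothetical.
# Reports machine trust accounts (names ending in "$") that deviate from
# the manual procedure: home /dev/null, no login shell, locked password.
# /sbin/nologin is accepted as equivalent to /bin/false (assumption).
# $1 = passwd-format file, $2 = shadow-format file (must not be empty).
audit_trust_accounts() {
    awk -F: '
        NR == FNR { pw[$1] = $2; next }        # first file read: shadow
        $1 ~ /\$$/ {
            p = ""
            if ($7 != "/bin/false" && $7 != "/sbin/nologin") p = p " shell=" $7
            if ($6 != "/dev/null")                           p = p " home=" $6
            if (!($1 in pw))                                 p = p " no-shadow-entry"
            if (($1 in pw) && pw[$1] !~ /^[!*]/)             p = p " password-not-locked"
            if (p != "") print $1 ":" p
        }
    ' "$2" "$1"
}

# Constructed sample data: ws02$ has a real shell and home, ws03$ is unlocked.
sample_passwd() {
    cat <<'EOF'
peter:x:1001:100::/home/peter:/bin/bash
ws01$:x:2001:2000::/dev/null:/bin/false
ws02$:x:2002:2000::/home/ws02:/bin/bash
ws03$:x:2003:2000::/dev/null:/bin/false
EOF
}
sample_shadow() {
    cat <<'EOF'
peter:$6$constructedsalt$constructedhash:19000:0:99999:7:::
ws01$:!:19000:0:99999:7:::
ws02$:!!:19000:0:99999:7:::
ws03$:$6$constructedsalt$constructedhash:19000:0:99999:7:::
EOF
}

d=$(mktemp -d) && sample_passwd > "$d/passwd" && sample_shadow > "$d/shadow" &&
    audit_trust_accounts "$d/passwd" "$d/shadow"
rm -rf "$d"
```

On a live server, run `audit_trust_accounts /etc/passwd /etc/shadow` as root, since reading the shadow file requires it.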

Make Your PC Clients Aware Of Your Samba PDC: Windows 95/98/ME and Windows XP Home
Windows 9x machines do not implement full domain membership and therefore don't require machine trust accounts. Here's what you need to do:
• Navigate to the Network section of the Control Panel (Start ->Settings->Control Panel->Network)
• Select the Configuration tab
• Highlight "Client for Microsoft Networks"
• Click the Properties button.
• Check "Log onto Windows NT Domain", and enter the domain name.
• Click all the OK buttons and reboot!

Make Your PC Clients Aware Of Your Samba PDC: Windows NT
For Windows NT, you must first create a manual Samba machine trust account as explained earlier, then follow these steps:
1. Navigate to the Network section of the Control Panel (Start ->Settings->Control Panel->Network )
2. Select the "Identification" tab
3. Click the "Change" button
4. Enter the domain name and computer name, do not check the box Create a Computer Account in the Domain. In this case, the existing machine trust account is used to join the machine to the domain.
5. Click "OK". You should get "Welcome to <DOMAIN>" message as confirmation that you've been added.
6. Reboot.
You can now log in using any account in the /etc/smbpasswd file with your domain as
the domain name.

Make Your PC Clients Aware Of Your Samba PDC: Windows 200x and Windows XP Professional
For the 200x and XP Professional varieties of Windows, create a dynamic Samba machine trust account, then go through these steps:
1. Press the Windows and Break keys simultaneously to access the System Properties dialogue box.
2. Click on the 'Network Identification' or 'Computer Name' tab on the top.
3. Click the "Properties" button.
4. Click on the "Member of Domain" button.
5. Also enter your domain name and computer name and then click "OK"
6. You will be prompted for a user account and password with rights to join a machine to the domain. Enter the information for your Samba administrator. In this home environment scenario, the user would be root with the corresponding smbpasswd password. Now, you should get a "Welcome to <DOMAIN>" message confirming that you've been added.
7. Reboot.
Log in using any account in the /etc/smbpasswd file with your domain as the domain
name.

How To Add Users To Your Samba Domain
• Adding the users in Linux
    # useradd -m -g 100 peter
• Give them a Linux password
    # passwd peter
• Mapping the Linux users to an smbpassword
    # /usr/bin/smbpasswd -a peter password
• Mapping a private Windows drive share
– By default $HOME is mapped to h:
• Batch login script
– Add the following to /home/samba/netlogon/login.bat
    REM Drive Mapping Script
    net use P: \\bigboy\
– Convert to MSDOS format:
    # unix2dos /home/samba/netlogon/login.bat
– Set proper rights:
    # chmod 644 /home/samba/netlogon/login.bat
– Add at global in smb.conf:
    [global]
    logon script = login.bat

Domain Groups And Samba
• Domain users
    domain admin group = USER1 USER2 @GROUP
• How To Delete Users From Your Samba Domain
  1. # smbpasswd -x john
  2. # userdel -r john
• How To Modify Samba Passwords
– Samba can let users change their passwords themselves
– In the [GLOBAL] section of smb.conf:
    # Enables Samba/Linux password synchronization
    unix passwd sync = Yes
    # Lists the location of the Linux password file which is usually /bin/passwd.
    passwd program = /usr/bin/passwd %u
    # A short script to change the Linux password using the Samba password
    passwd chat = *password* %n\n *password* %n\n *changed*

Summary