mirror of
https://github.com/samba-team/samba.git
synced 2025-01-14 19:24:43 +03:00
8f8a9f0190
(This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14)
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="FastStart">
<chapterinfo>
&author.jht;
</chapterinfo>

<title>Fast Start: Cure for Impatience</title>

<para>
When we first asked for suggestions for inclusion in the Samba HOWTO documentation,
someone wrote asking for example configurations &smbmdash; and lots of them. That is remarkably
difficult to do without losing a lot of the value that can be derived from presenting
many extracts from working systems. That is what the rest of this document does.
It does so with extensive descriptions of the configuration possibilities within the
context of the chapter that covers it. We hope that this chapter is the medicine
that has been requested.
</para>

<para>
The information in this chapter is very sparse compared with the book <quote>Samba-3 by Example</quote>
that was written after the original version of this book was nearly complete. <quote>Samba-3 by Example</quote>
was the result of feedback from reviewers during the final copy editing of the first edition. It
was interesting to see that reader feedback mirrored that given by the original reviewers.
In any case, a month and a half was spent in doing basic research to better understand what
new as well as experienced network administrators would best benefit from. The book <quote>Samba-3 by Example</quote>
is the result of that research. What is presented in the few pages of this book is covered
far more comprehensively in the second edition of <quote>Samba-3 by Example</quote>. The second edition
of both books will be released at the same time.
</para>

<para>
So in summary, the book <quote>The Official Samba-3 HOWTO &amp; Reference Guide</quote> is intended
as the equivalent of an auto mechanic's repair guide. The book <quote>Samba-3 by Example</quote> is the
equivalent of the driver's guide that explains how to drive the car. If you want complete network
configuration examples, go to <ulink url="http://www.samba.org/samba/docs/Samba3-ByExample.pdf">Samba-3 by
Example</ulink>.
</para>

<sect1>
<title>Features and Benefits</title>

<para>
Samba needs very little configuration to create a basic working system.
In this chapter we progress from the simple to the complex, providing for each
example all the steps and configuration file changes needed to make it work. Please note
that a comprehensively configured system will likely employ additional smart
features. These additional features are covered in the remainder of this document.
</para>

<para>
The examples used here have been obtained from a number of people who made
requests for example configurations. All identities have been obscured to protect
the guilty, and any resemblance to unreal nonexistent sites is deliberate.
</para>

</sect1>

<sect1>
<title>Description of Example Sites</title>

<para>
In the first set of configuration examples we consider the case of exceptionally simple system requirements.
There is a real temptation to make something that should require little effort much too complex.
</para>

<para>
<link linkend="anon-ro"></link> documents the type of server that might be sufficient to serve CD-ROM images,
or reference document files for network client use. This configuration is also discussed in <link
linkend="StandAloneServer"></link>, <link linkend="RefDocServer"></link>. The purpose of this configuration
is to provide a read-only shared volume that anyone, even guests, can access.
</para>

<para>
The second example shows a minimal configuration for a print server that anyone can print to as long as they
have the correct printer drivers installed on their computer. This is a mirror of the system described in
<link linkend="StandAloneServer"></link>, <link linkend="SimplePrintServer"></link>.
</para>

<para>
The next example is of a secure office file and print server that will be accessible only to users who have an
account on the system. This server is meant to closely resemble a workgroup file and print server, but has to
be more secure than an anonymous access machine. This type of system will typically suit the needs of a small
office. The server provides no network logon facilities and offers no domain control; instead it is just a
network-attached storage (NAS) device and a print server.
</para>

<para>
The later examples consider more complex systems that will either integrate into existing MS Windows networks
or replace them entirely. These cover domain member servers as well as Samba domain control (PDC/BDC) and
finally describe in detail a large distributed network with branch offices in remote locations.
</para>

</sect1>
<sect1>
<title>Worked Examples</title>

<para>
The configuration examples are designed to cover everything necessary to get Samba
running. They do not cover basic operating system platform configuration, which is
clearly beyond the scope of this text.
</para>

<para>
It is also assumed that Samba has been correctly installed, either by way of installation
of the packages that are provided by the operating system vendor or through other means.
</para>

<sect2>
<title>Standalone Server</title>

<para>
<indexterm><primary>Server Type</primary><secondary>Stand-alone</secondary></indexterm>
A standalone server implies no more than the fact that it is not a domain controller
and it does not participate in domain control. It can be a simple, workgroup-like
server, or it can be a complex server that is a member of a domain security context.
</para>

<para>
As the examples are developed, every attempt is made to progress the system toward greater capability, just as
one might expect would happen in a real business office as that office grows in size and its needs change.
</para>

<sect3 id="anon-ro">
<title>Anonymous Read-Only Document Server</title>

<para>
<indexterm><primary>read only</primary><secondary>server</secondary></indexterm>
The purpose of this type of server is to make available to any user
any documents or files that are placed on the shared resource. The
shared resource could be a CD-ROM drive, a CD-ROM image, or a file
storage area.
</para>

<itemizedlist>
<listitem><para>
The file system share point will be <filename>/export</filename>.
</para></listitem>

<listitem><para>
All files will be owned by a user called Jack Baumbach.
Jack's login name will be <emphasis>jackb</emphasis>. His password will be
<emphasis>m0r3pa1n</emphasis> &smbmdash; of course, that's just the example we are
using; do not use this in a production environment because
all readers of this document will know it.
</para></listitem>
</itemizedlist>

<procedure>
<title>Installation Procedure: Read-Only Server</title>
<step><para>
Add the user to the system (with creation of the user's home directory):
<screen>
&rootprompt;<userinput>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</userinput>
</screen>
</para></step>

<step><para>
Create the directory, and set permissions and ownership:
<screen>
&rootprompt;<userinput>mkdir /export</userinput>
&rootprompt;<userinput>chmod u+rwx,g+rx,o+rx /export</userinput>
&rootprompt;<userinput>chown jackb.users /export</userinput>
</screen>
</para></step>

<step><para>
Copy the files that should be shared to the <filename>/export</filename>
directory.
</para></step>

<step><para>
Install the Samba configuration file (<filename>/etc/samba/smb.conf</filename>)
as shown in <link linkend="anon-example">Anonymous Read-Only Server Configuration</link>.
</para></step>

<example id="anon-example">
<title>Anonymous Read-Only Server Configuration</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
<smbconfoption name="netbios name">HOBBIT</smbconfoption>
<smbconfoption name="security">share</smbconfoption>

<smbconfsection name="[data]"/>
<smbconfoption name="comment">Data</smbconfoption>
<smbconfoption name="path">/export</smbconfoption>
<smbconfoption name="read only">Yes</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
</smbconfblock>
</example>

<step><para>
Test the configuration file by executing the following command:
<screen>
&rootprompt;<userinput>testparm</userinput>
</screen>
Alternatively, where you are operating from a master configuration file called
<filename>smb.conf.master</filename>, the following sequence of commands might prove
more appropriate:
<screen>
&rootprompt;<userinput>cd /etc/samba</userinput>
&rootprompt;<userinput>testparm -s smb.conf.master > smb.conf</userinput>
&rootprompt;<userinput>testparm</userinput>
</screen>
Note any error messages that might be produced. Proceed only if error-free output has been
obtained. An example of typical output that should be generated from the above configuration
file is shown here:
<screen>
Load smb config files from /etc/samba/smb.conf
Processing section "[data]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
<userinput>[Press enter]</userinput>

# Global parameters
[global]
        workgroup = MIDEARTH
        netbios name = HOBBIT
        security = share

[data]
        comment = Data
        path = /export
        read only = Yes
        guest ok = Yes
</screen>
</para></step>

<step><para>
Start Samba using the method applicable to your operating system platform. The method that
should be used is platform dependent. Refer to <link linkend="startingSamba">Starting Samba</link>
for further information regarding the starting of Samba.
</para></step>

<step><para>
Configure your MS Windows client for workgroup <emphasis>MIDEARTH</emphasis>,
set the machine name to ROBBINS, reboot, wait a few (2 - 5) minutes,
then open Windows Explorer and visit the Network Neighborhood.
The machine HOBBIT should be visible. When you click this machine
icon, it should open up to reveal the <emphasis>data</emphasis> share. After
you click the share, it should open up to reveal the files previously
placed in the <filename>/export</filename> directory.
</para></step>
</procedure>

<para>
The information above (following # Global parameters) provides the complete
contents of the <filename>/etc/samba/smb.conf</filename> file.
</para>

</sect3>
<sect3>
<title>Anonymous Read-Write Document Server</title>

<para>
<indexterm><primary>anonymous</primary><secondary>read-write server</secondary></indexterm>
We should view this configuration as a progression from the previous example.
The difference is that shared access is now forced to the user identity of jackb
and to the primary group jackb belongs to. One other refinement we can make is to
add the user <emphasis>jackb</emphasis> to the <filename>smbpasswd</filename> file.
To do this, execute:
<screen>
&rootprompt;<userinput>smbpasswd -a jackb</userinput>
New SMB password: <userinput>m0r3pa1n</userinput>
Retype new SMB password: <userinput>m0r3pa1n</userinput>
Added user jackb.
</screen>
Addition of this user to the <filename>smbpasswd</filename> file allows all files
to be displayed in the Explorer Properties boxes as belonging to <emphasis>jackb</emphasis>
instead of to <emphasis>User Unknown</emphasis>.
</para>

<para>
The complete, modified &smb.conf; file is as shown in <link linkend="anon-rw"/>.
</para>

<example id="anon-rw">
<title>Modified Anonymous Read-Write smb.conf</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
<smbconfoption name="netbios name">HOBBIT</smbconfoption>
<smbconfoption name="security">SHARE</smbconfoption>

<smbconfsection name="[data]"/>
<smbconfoption name="comment">Data</smbconfoption>
<smbconfoption name="path">/export</smbconfoption>
<smbconfoption name="force user">jackb</smbconfoption>
<smbconfoption name="force group">users</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
</smbconfblock>
</example>

</sect3>
<sect3>
<title>Anonymous Print Server</title>

<para>
<indexterm><primary>anonymous</primary><secondary>print server</secondary></indexterm>
An anonymous print server serves two purposes:
</para>

<itemizedlist>
<listitem><para>
It allows printing to all printers from a single location.
</para></listitem>

<listitem><para>
It reduces network traffic congestion due to many users trying
to access a limited number of printers.
</para></listitem>
</itemizedlist>

<para>
In the simplest of anonymous print servers, it is common to require the installation
of the correct printer drivers on the Windows workstation. In this case the print
server will be designed to just pass print jobs through to the spooler, and the spooler
should be configured to do raw pass-through to the printer. In other words, the print
spooler should not filter or process the data stream being passed to the printer.
</para>

<para>
In this configuration, it is undesirable to present the Add Printer Wizard, and we do
not want to have automatic driver download, so we disable it in the following
configuration. <link linkend="anon-print"></link> is the resulting &smb.conf; file.
</para>

<example id="anon-print">
<title>Anonymous Print Server smb.conf</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
<smbconfoption name="netbios name">LUTHIEN</smbconfoption>
<smbconfoption name="security">share</smbconfoption>
<smbconfoption name="printcap name">cups</smbconfoption>
<smbconfoption name="disable spoolss">Yes</smbconfoption>
<smbconfoption name="show add printer wizard">No</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>

<smbconfsection name="[printers]"/>
<smbconfoption name="comment">All Printers</smbconfoption>
<smbconfoption name="path">/var/spool/samba</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example>

<para>
The above configuration is not ideal. It uses no smart features, and it deliberately
presents a less than elegant solution. But it is basic, and it does print. Samba makes
use of the direct printing application program interface that is provided by CUPS.
When Samba has been compiled and linked with the CUPS libraries, the default printing
system will be CUPS. By specifying that the printcap name is CUPS, Samba will use
the CUPS library API to communicate directly with CUPS for all printer functions.
It is possible to force the use of external printing commands by setting the value
of <parameter>printing</parameter> to either SYSV or BSD, in which case the value of
the parameter <parameter>printcap name</parameter> must be set to something other than
CUPS. In that case, it could be set to the name of any file that contains a list
of printers that should be made available to Windows clients.
</para>

<note><para>
Windows users will need to install a local printer and then change the print-to
device after the drivers have been installed. The print-to device can then be set to
the network printer on this machine.
</para></note>

<para>
Make sure that the directory <filename>/var/spool/samba</filename> is capable of being used
as intended. The following steps must be taken to achieve this:
</para>

<itemizedlist>
<listitem><para>
The directory must be owned by the superuser (root) user and group:
<screen>
&rootprompt;<userinput>chown root.root /var/spool/samba</userinput>
</screen>
</para></listitem>

<listitem><para>
Directory permissions should be set for public read-write with the
sticky bit set as shown:
<screen>
&rootprompt;<userinput>chmod a+twrx /var/spool/samba</userinput>
</screen>
The purpose of setting the sticky bit is to prevent anyone who does not own a temporary print file
from being able to take control of it, with the potential for devious misuse.
</para></listitem>
</itemizedlist>
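The three requirements just listed (root ownership, public read-write-execute, sticky bit) can be verified programmatically. The following Python script is an added example, not part of the Samba HOWTO or of Samba itself: it reports which of those requirements a directory fails, applies the chmod a+twrx step, and in demo() shows the before-and-after on a temporary directory it creates, since /var/spool/samba is assumed not to exist where the example runs. The function names and the tag strings are this example's own.

```python
import os
import stat
import tempfile

# Spool path used by the [printers] shares in this chapter.
SPOOL_DIR = "/var/spool/samba"


def spool_dir_problems(path):
    """Return the set of HOWTO requirements that the directory at `path` fails.

    Tags (this example's own names):
      'owner'  -> not owned by uid 0 and gid 0 (the chown root.root step)
      'mode'   -> not readable, writable and searchable by everyone (a+rwx)
      'sticky' -> sticky bit missing, so any user could remove or rename
                  another user's temporary print file
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    problems = set()
    if st.st_uid != 0 or st.st_gid != 0:
        problems.add("owner")
    if (stat.S_IMODE(st.st_mode) & 0o777) != 0o777:
        problems.add("mode")
    if not (st.st_mode & stat.S_ISVTX):
        problems.add("sticky")
    return problems


def fix_spool_dir_mode(path):
    """Apply the HOWTO's chmod a+twrx (octal 1777) and return the resulting mode.

    Ownership is deliberately left alone: chown to root requires root, and this
    function is meant to be safe to run as an unprivileged check.
    """
    os.chmod(path, 0o1777)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Check a freshly created directory before and after the permission fix.

    Returns (problems_before, problems_after, mode_after). A directory from
    mkdtemp starts as 0700, so 'mode' and 'sticky' are reported first and are
    cleared by the fix; 'owner' remains unless the caller happens to be root.
    """
    with tempfile.TemporaryDirectory() as tmp:
        before = spool_dir_problems(tmp)
        mode = fix_spool_dir_mode(tmp)
        after = spool_dir_problems(tmp)
        return before, after, mode


if __name__ == "__main__":
    # On a real server, report the spool directory itself; otherwise run the demo.
    print(spool_dir_problems(SPOOL_DIR) if os.path.isdir(SPOOL_DIR) else demo())
```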

<note><para>
<indexterm><primary>MIME</primary><secondary>raw</secondary></indexterm>
<indexterm><primary>raw printing</primary></indexterm>
On CUPS-enabled systems there is a facility to pass raw data directly to the printer without
intermediate processing via CUPS print filters. Where use of this mode of operation is desired,
it is necessary to configure a raw printing device. It is also necessary to enable the raw mime
handler in the <filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename>
files. Refer to <link linkend="cups-raw"></link>.
</para></note>

</sect3>
<sect3>

<title>Secure Read-Write File and Print Server</title>

<para>
We progress now from simple systems to a server that is slightly more complex.
</para>

<para>
Our new server will require a public data storage area in which only authenticated
users (i.e., those with a local account) can store files, as well as a home directory.
There will be one printer that should be available for everyone to use.
</para>

<para>
In this hypothetical environment (no espionage was conducted to obtain this data),
the site is demanding a simple environment that is <emphasis>secure enough</emphasis>
but not too difficult to use.
</para>

<para>
Site users will be Jack Baumbach, Mary Orville, and Amed Sehkah. Each will have
a password (not shown in further examples). Mary will be the printer administrator and will
own all files in the public share.
</para>

<para>
This configuration will be based on <emphasis>user-level security</emphasis>, which
is the default, and for which the default is to store Microsoft Windows-compatible
encrypted passwords in a file called <filename>/etc/samba/smbpasswd</filename>.
The default &smb.conf; entry that makes this happen is
<smbconfoption name="passdb backend">smbpasswd, guest</smbconfoption>. Since this is the default,
it is not necessary to enter it into the configuration file. Note that the guest backend is
added to the list of active passdb backends whether or not it is specified directly in the Samba
configuration file.
</para>

<procedure>
<title>Installing the Secure Office Server</title>
<step><para>
<indexterm><primary>office server</primary></indexterm>
Add all users to the operating system:
<screen>
&rootprompt;<userinput>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</userinput>
&rootprompt;<userinput>useradd -c "Mary Orville" -m -g users -p secret maryo</userinput>
&rootprompt;<userinput>useradd -c "Amed Sehkah" -m -g users -p secret ameds</userinput>
</screen>
</para></step>

<step><para>
Configure the Samba &smb.conf; file as shown in <link linkend="OfficeServer"/>.
</para></step>

<example id="OfficeServer">
<title>Secure Office Server smb.conf</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
<smbconfoption name="netbios name">OLORIN</smbconfoption>
<smbconfoption name="printcap name">cups</smbconfoption>
<smbconfoption name="disable spoolss">Yes</smbconfoption>
<smbconfoption name="show add printer wizard">No</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>

<smbconfsection name="[homes]"/>
<smbconfoption name="comment">Home Directories</smbconfoption>
<smbconfoption name="valid users">%S</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>

<smbconfsection name="[public]"/>
<smbconfoption name="comment">Data</smbconfoption>
<smbconfoption name="path">/export</smbconfoption>
<smbconfoption name="force user">maryo</smbconfoption>
<smbconfoption name="force group">users</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>

<smbconfsection name="[printers]"/>
<smbconfoption name="comment">All Printers</smbconfoption>
<smbconfoption name="path">/var/spool/samba</smbconfoption>
<smbconfoption name="printer admin">root, maryo</smbconfoption>
<smbconfoption name="create mask">0600</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example>

<step><para>
Initialize the Microsoft Windows password database with the new users:
<screen>
&rootprompt;<userinput>smbpasswd -a root</userinput>
New SMB password: <userinput>bigsecret</userinput>
Reenter smb password: <userinput>bigsecret</userinput>
Added user root.

&rootprompt;<userinput>smbpasswd -a jackb</userinput>
New SMB password: <userinput>m0r3pa1n</userinput>
Retype new SMB password: <userinput>m0r3pa1n</userinput>
Added user jackb.

&rootprompt;<userinput>smbpasswd -a maryo</userinput>
New SMB password: <userinput>secret</userinput>
Reenter smb password: <userinput>secret</userinput>
Added user maryo.

&rootprompt;<userinput>smbpasswd -a ameds</userinput>
New SMB password: <userinput>mysecret</userinput>
Reenter smb password: <userinput>mysecret</userinput>
Added user ameds.
</screen>
</para></step>

<step><para>
Install the printer using the CUPS Web interface. Make certain that all
printers that will be shared with Microsoft Windows clients are installed
as raw printing devices.
</para></step>

<step><para>
Start Samba using the operating system administrative interface.
Alternatively, this can be done manually by executing:
<indexterm><primary>smbd</primary></indexterm>
<indexterm><primary>nmbd</primary></indexterm>
<indexterm><primary>starting samba</primary><secondary>smbd</secondary></indexterm>
<indexterm><primary>starting samba</primary><secondary>nmbd</secondary></indexterm>
<screen>
&rootprompt;<userinput>nmbd; smbd;</userinput>
</screen>
Both applications automatically execute as daemons. Those who are paranoid about
maintaining control can add the <constant>-D</constant> flag to coerce them to start
up in daemon mode.
</para></step>

<step><para>
Configure the <filename>/export</filename> directory:
<screen>
&rootprompt;<userinput>mkdir /export</userinput>
&rootprompt;<userinput>chown maryo.users /export</userinput>
&rootprompt;<userinput>chmod u=rwx,g=rwx,o-rwx /export</userinput>
</screen>
</para></step>

<step><para>
Check that Samba is running correctly:
<screen>
&rootprompt;<userinput>smbclient -L localhost -U%</userinput>
Domain=[MIDEARTH] OS=[UNIX] Server=[Samba-3.0.20]

        Sharename      Type      Comment
        ---------      ----      -------
        public         Disk      Data
        IPC$           IPC       IPC Service (Samba-3.0.20)
        ADMIN$         IPC       IPC Service (Samba-3.0.20)
        hplj4          Printer   hplj4

        Server               Comment
        ---------            -------
        OLORIN               Samba-3.0.20

        Workgroup            Master
        ---------            -------
        MIDEARTH             OLORIN
</screen>
The following error message indicates that Samba was not running:
<screen>
&rootprompt;<userinput>smbclient -L olorin -U%</userinput>
Error connecting to 192.168.1.40 (Connection refused)
Connection to olorin failed
</screen>
</para></step>

<step><para>
Connect to OLORIN as maryo:
<screen>
&rootprompt;<userinput>smbclient //olorin/maryo -Umaryo%secret</userinput>
OS=[UNIX] Server=[Samba-3.0.20]
smb: \> <userinput>dir</userinput>
  .                                   D        0  Sat Jun 21 10:58:16 2003
  ..                                  D        0  Sat Jun 21 10:54:32 2003
  Documents                           D        0  Fri Apr 25 13:23:58 2003
  DOCWORK                             D        0  Sat Jun 14 15:40:34 2003
  OpenOffice.org                      D        0  Fri Apr 25 13:55:16 2003
  .bashrc                             H     1286  Fri Apr 25 13:23:58 2003
  .netscape6                         DH        0  Fri Apr 25 13:55:13 2003
  .mozilla                           DH        0  Wed Mar  5 11:50:50 2003
  .kermrc                             H      164  Fri Apr 25 13:23:58 2003
  .acrobat                           DH        0  Fri Apr 25 15:41:02 2003

                55817 blocks of size 524288. 34725 blocks available
smb: \> <userinput>q</userinput>
</screen>
</para></step>
</procedure>

<para>
By now you should be getting the hang of configuration basics. Clearly, it is time to
explore slightly more complex examples. For the remainder of this chapter we abbreviate
instructions, since the earlier examples already cover the details.
</para>
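The anonymous read-write server and the secure office server above differ mainly in who can reach each share and as which UNIX identity. As an added example (not from the Samba HOWTO or from Samba itself), the following Python script parses the smb.conf format used in this chapter and reports, per share, anonymous (guest) access, whether that access is writable, and where force user maps every client onto one UNIX account. The two configuration strings are abbreviated copies of the chapter's Anonymous Read-Write and Secure Office Server examples; the function names and finding texts are this example's own.

```python
import re

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
_OPTION = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")

# Samba's documented defaults for the parameters examined here.
DEFAULTS = {"security": "user", "guest ok": "no", "read only": "yes", "printable": "no"}


def is_yes(value):
    """smb.conf boolean: yes/true/1 (any case) is true, anything else is false."""
    return value.strip().lower() in ("yes", "true", "1")


def parse_smbconf(text):
    """Return {section: {parameter: value}} with names normalised as Samba reads them:
    case-insensitive, internal whitespace collapsed, 'writable' stored as inverted 'read only'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group("name").strip().lower()
            conf.setdefault(section, {})
            continue
        m = _OPTION.match(line)
        if m and section is not None:
            key = " ".join(m.group("key").lower().split())
            value = m.group("value").strip()
            if key in ("writable", "writeable"):
                key, value = "read only", ("no" if is_yes(value) else "yes")
            conf[section][key] = value
    return conf


def setting(conf, share, param):
    """Effective value: the share's own setting, else [global], else Samba's default."""
    for scope in (share, "global"):
        if param in conf.get(scope, {}):
            return conf[scope][param]
    return DEFAULTS.get(param, "")


def audit_smbconf(text):
    """Return (section, finding) pairs, in configuration order."""
    conf = parse_smbconf(text)
    findings = []
    if setting(conf, "global", "security").lower() == "share":
        findings.append(("global", "share-level security: clients are not "
                                   "authenticated as users (removed in Samba 4.0)"))
    for share, opts in conf.items():
        if share == "global":
            continue
        guest = is_yes(setting(conf, share, "guest ok"))
        writable = not is_yes(setting(conf, share, "read only"))
        printable = is_yes(setting(conf, share, "printable"))
        if guest and printable:
            findings.append((share, "anonymous printing"))
        elif guest and writable:
            findings.append((share, "anonymous write access"))
        elif guest:
            findings.append((share, "anonymous read access"))
        if "force user" in opts:  # every client acts as this one UNIX account
            findings.append((share, "all access mapped to UNIX user " + opts["force user"]))
    return findings


# Constructed from the chapter's Anonymous Read-Write smb.conf example.
ANON_RW_CONF = """
[global]
    workgroup = MIDEARTH
    security = SHARE

[data]
    path = /export
    force user = jackb
    read only = No
    guest ok = Yes
"""

# Abbreviated from the chapter's Secure Office Server smb.conf example.
OFFICE_CONF = """
[global]
    workgroup = MIDEARTH

[homes]
    valid users = %S
    read only = No

[public]
    path = /export
    force user = maryo
    read only = No

[printers]
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
"""
```

Run against the chapter's examples, the anonymous server reports share-level security plus anonymous write access on [data] as jackb, while the office server reports only the forced identity on [public] and anonymous printing; [homes], which needs a valid user, produces nothing.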
|
|
|
|
</sect3>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Domain Member Server</title>
|
|
|
|
<para>
|
|
<indexterm><primary>Server Type</primary><secondary>Domain Member</secondary></indexterm>
|
|
In this instance we consider the simplest server configuration we can get away with
|
|
to make an accounting department happy. Let's be warned, the users are accountants and they
|
|
do have some nasty demands. There is a budget for only one server for this department.
|
|
</para>
|
|
|
|
<para>
|
|
The network is managed by an internal Information Services Group (ISG), to which we belong.
|
|
Internal politics are typical of a medium-sized organization; Human Resources is of the
|
|
opinion that they run the ISG because they are always adding and disabling users. Also,
|
|
departmental managers have to fight tooth and nail to gain basic network resources access for
|
|
their staff. Accounting is different, though, they get exactly what they want. So this should
|
|
set the scene.
|
|
</para>
|
|
|
|
<para>
|
|
We use the users from the last example. The accounting department
|
|
has a general printer that all departmental users may use. There is also a check printer
|
|
that may be used only by the person who has authority to print checks. The chief financial
|
|
officer (CFO) wants that printer to be completely restricted and for it to be located in the
|
|
private storage area in her office. It therefore must be a network printer.
|
|
</para>
|
|
|
|
<para>
|
|
The accounting department uses an accounting application called <emphasis>SpytFull</emphasis>
|
|
that must be run from a central application server. The software is licensed to run only off
|
|
one server, there are no workstation components, and it is run off a mapped share. The data
|
|
store is in a UNIX-based SQL backend. The UNIX gurus look after that, so this is not our
|
|
problem.
|
|
</para>
|
|
|
|
<para>
|
|
The accounting department manager (maryo) wants a general filing system as well as a separate
|
|
file storage area for form letters (nastygrams). The form letter area should be read-only to
|
|
all accounting staff except the manager. The general filing system has to have a structured
|
|
layout with a general area for all staff to store general documents as well as a separate
|
|
file area for each member of her team that is private to that person, but she wants full
|
|
access to all areas. Users must have a private home share for personal work-related files
|
|
and for materials not related to departmental operations.
|
|
</para>
|
|
|
|
<sect3>
|
|
<title>Example Configuration</title>
|
|
|
|
<para>
|
|
The server <emphasis>valinor</emphasis> will be a member server of the company domain.
|
|
Accounting will have only a local server. User accounts will be on the domain controllers,
|
|
as will desktop profiles and all network policy files.
|
|
</para>
|
|
|
|
<procedure>
|
|
<step><para>
|
|
Do not add users to the UNIX/Linux server; all of this will run off the
|
|
central domain.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Configure &smb.conf; according to <link linkend="fast-member-server">Member server smb.conf
|
|
(globals)</link> and <link linkend="fast-memberserver-shares">Member server smb.conf (shares
|
|
and services)</link>.
|
|
</para></step>
|
|
|
|
<example id="fast-member-server">
|
|
<title>Member Server smb.conf (Globals)</title>
|
|
<smbconfblock>
|
|
<smbconfcomment>Global parameters</smbconfcomment>
|
|
<smbconfsection name="[global]"/>
|
|
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
|
|
<smbconfoption name="netbios name">VALINOR</smbconfoption>
|
|
<smbconfoption name="security">DOMAIN</smbconfoption>
|
|
<smbconfoption name="printcap name">cups</smbconfoption>
|
|
<smbconfoption name="disable spoolss">Yes</smbconfoption>
|
|
<smbconfoption name="show add printer wizard">No</smbconfoption>
|
|
<smbconfoption name="idmap uid">15000-20000</smbconfoption>
|
|
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
|
|
<smbconfoption name="winbind use default domain">Yes</smbconfoption>
|
|
<smbconfoption name="printing">cups</smbconfoption>
|
|
</smbconfblock>
|
|
</example>
|
|
|
|
<example id="fast-memberserver-shares">
|
|
<title>Member Server smb.conf (Shares and Services)</title>
|
|
<smbconfblock>
|
|
<smbconfsection name="[homes]"/>
|
|
<smbconfoption name="comment">Home Directories</smbconfoption>
|
|
<smbconfoption name="valid users">%S</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
<smbconfoption name="browseable">No</smbconfoption>
|
|
|
|
<smbconfsection name="[spytfull]"/>
|
|
<smbconfoption name="comment">Accounting Application Only</smbconfoption>
|
|
<smbconfoption name="path">/export/spytfull</smbconfoption>
|
|
<smbconfoption name="valid users">@Accounts</smbconfoption>
|
|
<smbconfoption name="admin users">maryo</smbconfoption>
|
|
<smbconfoption name="read only">Yes</smbconfoption>
|
|
|
|
<smbconfsection name="[public]"/>
|
|
<smbconfoption name="comment">Data</smbconfoption>
|
|
<smbconfoption name="path">/export/public</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
|
|
<smbconfsection name="[printers]"/>
|
|
<smbconfoption name="comment">All Printers</smbconfoption>
|
|
<smbconfoption name="path">/var/spool/samba</smbconfoption>
|
|
<smbconfoption name="printer admin">root, maryo</smbconfoption>
|
|
<smbconfoption name="create mask">0600</smbconfoption>
|
|
<smbconfoption name="guest ok">Yes</smbconfoption>
|
|
<smbconfoption name="printable">Yes</smbconfoption>
|
|
<smbconfoption name="use client driver">Yes</smbconfoption>
|
|
<smbconfoption name="browseable">No</smbconfoption>
|
|
</smbconfblock>
|
|
</example>
<step><para>
|
|
<indexterm><primary>net</primary><secondary>rpc</secondary></indexterm>
|
|
Join the domain. Note: Do not start Samba until this step has been completed!
|
|
<screen>
|
|
&rootprompt;<userinput>net rpc join -Uroot%'bigsecret'</userinput>
|
|
Joined domain MIDEARTH.
|
|
</screen>
|
|
</para></step>
<step><para>
|
|
Make absolutely certain that you disable (shut down) the <command>nscd</command>
|
|
daemon on any system on which <command>winbind</command> is configured to run.
|
|
</para></step>
<step><para>
|
|
Start Samba following the normal method for your operating system platform.
|
|
If you wish to do this manually, execute as root:
|
|
<indexterm><primary>smbd</primary></indexterm>
|
|
<indexterm><primary>nmbd</primary></indexterm>
|
|
<indexterm><primary>winbindd</primary></indexterm>
|
|
<indexterm><primary>starting samba</primary><secondary>smbd</secondary></indexterm>
|
|
<indexterm><primary>starting samba</primary><secondary>nmbd</secondary></indexterm>
|
|
<indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
|
|
<screen>
|
|
&rootprompt;<userinput>nmbd; smbd; winbindd;</userinput>
|
|
</screen>
|
|
</para></step>
<step><para>
|
|
Configure the name service switch (NSS) control file on your system to resolve user and group names
|
|
via winbind. Edit the following lines in <filename>/etc/nsswitch.conf</filename>:
|
|
<programlisting>
|
|
passwd: files winbind
|
|
group: files winbind
|
|
hosts: files dns winbind
|
|
</programlisting>
|
|
</para></step>
<step><para>
|
|
Set the credentials that <command>winbindd</command> uses when it queries the domain controller (stored via <command>wbinfo</command>):
|
|
<screen>
|
|
&rootprompt;<userinput>wbinfo --set-auth-user=root%'bigsecret'</userinput>
|
|
</screen>
|
|
</para></step>
<step><para>
|
|
Validate that domain user and group credentials can be correctly resolved by executing:
|
|
<screen>
|
|
&rootprompt;<userinput>wbinfo -u</userinput>
MIDEARTH\maryo
MIDEARTH\jackb
MIDEARTH\ameds
...
MIDEARTH\root

&rootprompt;<userinput>wbinfo -g</userinput>
MIDEARTH\Domain Users
MIDEARTH\Domain Admins
MIDEARTH\Domain Guests
...
MIDEARTH\Accounts
|
|
</screen>
|
|
</para></step>
<step><para>
|
|
Check that <command>winbind</command> is working. The following demonstrates correct
|
|
username resolution via the <command>getent</command> system utility:
|
|
<screen>
|
|
&rootprompt;<userinput>getent passwd maryo</userinput>
|
|
maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
|
|
</screen>
|
|
</para></step>
<step><para>
|
|
A final test that we have this under control might be reassuring:
|
|
<screen>
|
|
&rootprompt;<userinput>touch /export/a_file</userinput>
&rootprompt;<userinput>chown maryo /export/a_file</userinput>
&rootprompt;<userinput>ls -al /export/a_file</userinput>
...
-rw-r--r-- 1 maryo users 11234 Jun 21 15:32 a_file
...

&rootprompt;<userinput>rm /export/a_file</userinput>
|
|
</screen>
|
|
</para></step>
<step><para>
|
|
Configuration is now mostly complete, so this is an opportune time
|
|
to configure the directory structure for this site:
|
|
<screen>
|
|
&rootprompt;<userinput>mkdir -p /export/{spytfull,public}</userinput>
&rootprompt;<userinput>chmod ug=rwxs,o=x /export/{spytfull,public}</userinput>
&rootprompt;<userinput>chown maryo.Accounts /export/{spytfull,public}</userinput>
|
|
</screen>
|
|
</para></step>
|
|
</procedure>
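<para>
The validation steps of the procedure above, as an added example that is not part of the Samba HOWTO:
a Python script that parses <filename>/etc/nsswitch.conf</filename>, a <command>getent passwd</command>
line and <command>wbinfo</command> listings, and verifies that the member server resolves domain
accounts the way the <smbconfoption name="idmap uid"/> and <smbconfoption name="idmap gid"/> ranges
predict. The sample inputs are constructed from the output shown above, the function names are this
example's own, and the expected shell of <filename>/bin/false</filename> is taken from the
<command>getent</command> output in the procedure; nothing is queried from a live system.
</para>

```python
"""Post-join sanity checks for a Samba domain member server running winbind.

Added example; not code from the Samba HOWTO. All inputs are constructed
samples modelled on the HOWTO's member server output.
"""
import re

# Constructed samples (values taken from the HOWTO's member server example)
SAMPLE_NSSWITCH = """\
passwd: files winbind
group:  files winbind
hosts:  files dns winbind
shadow: files
"""
SAMPLE_GETENT = "maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false"
SAMPLE_WBINFO_G = ("MIDEARTH\\Domain Users\nMIDEARTH\\Domain Admins\n"
                   "MIDEARTH\\Domain Guests\nMIDEARTH\\Accounts\n")
IDMAP_UID = "15000-20000"      # idmap uid = 15000-20000 in the member server smb.conf
IDMAP_GID = "15000-20000"      # idmap gid = 15000-20000
TEMPLATE_SHELL = "/bin/false"  # the shell shown in the HOWTO's getent output


def parse_idmap_range(value):
    """Parse an 'idmap uid' / 'idmap gid' value such as '15000-20000'."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        raise ValueError(f"bad idmap range: {value!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"idmap range {value!r} has lower bound above upper bound")
    return lo, hi


def nsswitch_sources(text, database):
    """Return the source list for one NSS database, e.g. ['files', 'winbind']."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, sources = line.partition(":")
        if name.strip() == database:
            return sources.split()
    return []


def nsswitch_uses_winbind(text):
    """True when passwd and group both consult files before winbind."""
    for db in ("passwd", "group"):
        sources = nsswitch_sources(text, db)
        if "winbind" not in sources or "files" not in sources:
            return False
        if sources.index("files") > sources.index("winbind"):
            return False
    return True


def check_getent_entry(line, idmap_uid, idmap_gid, template_shell=TEMPLATE_SHELL):
    """Validate a 'getent passwd' line for a winbind-resolved domain user.

    Returns a list of problems; an empty list means the entry is what the idmap
    configuration predicts (uid and gid inside the ranges, no login shell).
    """
    fields = line.strip().split(":")
    if len(fields) != 7:
        return ["malformed passwd entry"]
    _name, _pw, uid, gid, _gecos, _home, shell = fields
    problems = []
    for label, number, rng in (("uid", uid, idmap_uid), ("gid", gid, idmap_gid)):
        lo, hi = parse_idmap_range(rng)
        if not number.isdigit() or not lo <= int(number) <= hi:
            problems.append(f"{label} {number} outside idmap {label} range {lo}-{hi}")
    if shell != template_shell:
        problems.append(f"shell {shell} differs from template shell {template_shell}")
    return problems


def wbinfo_entries(text, default_domain=None):
    """Split 'wbinfo -u' / 'wbinfo -g' lines into (domain, name) pairs.

    With 'winbind use default domain = Yes' the lines carry no DOMAIN\\ prefix;
    default_domain fills that in so both output styles compare equally.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        domain, sep, name = line.partition("\\")
        entries.append((domain, name) if sep else (default_domain, line))
    return entries


def missing_well_known_groups(text, default_domain=None):
    """Built-in domain groups that a 'wbinfo -g' listing did not contain."""
    seen = {name for _domain, name in wbinfo_entries(text, default_domain)}
    return [g for g in ("Domain Users", "Domain Admins", "Domain Guests") if g not in seen]


if __name__ == "__main__":
    print("nsswitch ok:", nsswitch_uses_winbind(SAMPLE_NSSWITCH))
    print("getent problems:", check_getent_entry(SAMPLE_GETENT, IDMAP_UID, IDMAP_GID))
    print("missing groups:", missing_well_known_groups(SAMPLE_WBINFO_G))
```

<para>
To run it against a real member server, replace the sample strings with the content of
<filename>/etc/nsswitch.conf</filename> and the output of <command>getent passwd maryo</command>
and <command>wbinfo -g</command>. A non-empty problem list from <function>check_getent_entry</function>
usually means the idmap ranges in &smb.conf; were changed after winbind had already allocated
ids, or that a cached entry from <command>nscd</command> is still being served.
</para>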
</sect3>
</sect2>
<sect2>
|
|
<title>Domain Controller</title>
<para>
|
|
<indexterm><primary>Server Type</primary><secondary>Domain Controller</secondary></indexterm>
|
|
For the remainder of this chapter the focus is on the configuration of domain control.
The examples that follow are for two implementation strategies. Remember, our objective is
to create a simple but working solution. The remainder of this book should help to highlight
opportunities for greater functionality and the complexity that goes with it.
|
|
</para>
<para>
|
|
A domain controller configuration can be achieved with a simple configuration using the new
|
|
tdbsam password backend. This type of configuration is good for small
|
|
offices, but has limited scalability (cannot be replicated), and performance can be expected
|
|
to fall as the size and complexity of the domain increases.
|
|
</para>
<para>
|
|
The use of tdbsam is best limited to sites that do not need
|
|
more than a Primary Domain Controller (PDC). As the size of a domain grows the need
|
|
for additional domain controllers becomes apparent. Do not attempt to under-resource
|
|
a Microsoft Windows network environment; domain controllers provide essential
|
|
authentication services. The following are symptoms of an under-resourced domain control
|
|
environment:
|
|
</para>
<itemizedlist>
|
|
<listitem><para>
|
|
Domain logons intermittently fail.
|
|
</para></listitem>
<listitem><para>
|
|
File access on a domain member server intermittently fails, giving a permission denied
|
|
error message.
|
|
</para></listitem>
|
|
</itemizedlist>
<para>
|
|
A more scalable domain control authentication backend option might use
|
|
Microsoft Active Directory or an LDAP-based backend. Samba-3 provides
|
|
for both options as a domain member server. As a PDC, Samba-3 is not able to provide
|
|
an exact alternative to the functionality that is available with Active Directory.
|
|
Samba-3 can provide a scalable LDAP-based PDC/BDC solution.
|
|
</para>
<para>
|
|
The tdbsam authentication backend provides no facility to replicate
|
|
the contents of the database, except by external means (i.e., there is no self-contained protocol
|
|
in Samba-3 for Security Account Manager database [SAM] replication).
|
|
</para>
<note><para>
|
|
If you need more than one domain controller, do not use a tdbsam authentication backend.
|
|
</para></note>
<sect3>
|
|
<title>Example: Engineering Office</title>
<para>
|
|
The engineering office network server we present here is designed to demonstrate use
|
|
of the new tdbsam password backend. The tdbsam
|
|
facility is new to Samba-3. It is designed to provide many user and machine account controls
|
|
that are possible with Microsoft Windows NT4. It is safe to use this in smaller networks.
|
|
</para>
<procedure>
|
|
<step><para>
|
|
A working PDC configuration using the tdbsam
|
|
password backend can be found in <link linkend="fast-engoffice-global">Engineering Office smb.conf
|
|
(globals)</link> together with <link linkend="fast-engoffice-shares">Engineering Office smb.conf
|
|
(shares and services)</link>:
|
|
<indexterm><primary>pdbedit</primary></indexterm>
|
|
</para></step>
<example id="fast-engoffice-global">
|
|
<title>Engineering Office smb.conf (globals)</title>
|
|
<smbconfblock>
|
|
<smbconfsection name="[global]"/>
|
|
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
|
|
<smbconfoption name="netbios name">FRODO</smbconfoption>
|
|
<smbconfoption name="passdb backend">tdbsam</smbconfoption>
|
|
<smbconfoption name="printcap name">cups</smbconfoption>
|
|
<smbconfoption name="add user script">/usr/sbin/useradd -m %u</smbconfoption>
|
|
<smbconfoption name="delete user script">/usr/sbin/userdel -r %u</smbconfoption>
|
|
<smbconfoption name="add group script">/usr/sbin/groupadd %g</smbconfoption>
|
|
<smbconfoption name="delete group script">/usr/sbin/groupdel %g</smbconfoption>
|
|
<smbconfoption name="add user to group script">/usr/sbin/groupmod -A %u %g</smbconfoption>
|
|
<smbconfoption name="delete user from group script">/usr/sbin/groupmod -R %u %g</smbconfoption>
|
|
<smbconfoption name="add machine script">/usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u</smbconfoption>
|
|
<smbconfcomment>Note: The following specifies the default logon script.</smbconfcomment>
|
|
<smbconfcomment>Per-user logon scripts can be specified in the user account using pdbedit.</smbconfcomment>
|
|
<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
|
|
<smbconfcomment>This sets the default profile path. Set per user paths with pdbedit</smbconfcomment>
|
|
<smbconfoption name="logon path">\\%L\Profiles\%U</smbconfoption>
|
|
<smbconfoption name="logon drive">H:</smbconfoption>
|
|
<smbconfoption name="logon home">\\%L\%U</smbconfoption>
|
|
<smbconfoption name="domain logons">Yes</smbconfoption>
|
|
<smbconfoption name="os level">35</smbconfoption>
|
|
<smbconfoption name="preferred master">Yes</smbconfoption>
|
|
<smbconfoption name="domain master">Yes</smbconfoption>
|
|
<smbconfoption name="idmap uid">15000-20000</smbconfoption>
|
|
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
|
|
<smbconfoption name="printing">cups</smbconfoption>
|
|
</smbconfblock>
|
|
</example>
<example id="fast-engoffice-shares">
|
|
<title>Engineering Office smb.conf (shares and services)</title>
|
|
<smbconfblock>
|
|
<smbconfsection name="[homes]"/>
|
|
<smbconfoption name="comment">Home Directories</smbconfoption>
|
|
<smbconfoption name="valid users">%S</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
<smbconfoption name="browseable">No</smbconfoption>
<smbconfcomment>Printing auto-share (makes printers available through CUPS)</smbconfcomment>
|
|
<smbconfsection name="[printers]"/>
|
|
<smbconfoption name="comment">All Printers</smbconfoption>
|
|
<smbconfoption name="path">/var/spool/samba</smbconfoption>
|
|
<smbconfoption name="printer admin">root, maryo</smbconfoption>
|
|
<smbconfoption name="create mask">0600</smbconfoption>
|
|
<smbconfoption name="guest ok">Yes</smbconfoption>
|
|
<smbconfoption name="printable">Yes</smbconfoption>
|
|
<smbconfoption name="browseable">No</smbconfoption>
<smbconfsection name="[print$]"/>
|
|
<smbconfoption name="comment">Printer Drivers Share</smbconfoption>
|
|
<smbconfoption name="path">/var/lib/samba/drivers</smbconfoption>
|
|
<smbconfoption name="write list">maryo, root</smbconfoption>
|
|
<smbconfoption name="printer admin">maryo, root</smbconfoption>
<smbconfcomment>Needed to support domain logons</smbconfcomment>
|
|
<smbconfsection name="[netlogon]"/>
|
|
<smbconfoption name="comment">Network Logon Service</smbconfoption>
|
|
<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
|
|
<smbconfoption name="admin users">root, maryo</smbconfoption>
|
|
<smbconfoption name="guest ok">Yes</smbconfoption>
|
|
<smbconfoption name="browseable">No</smbconfoption>
<smbconfcomment>For profiles to work, create a user directory under the path</smbconfcomment>
|
|
<smbconfcomment> shown. i.e., mkdir -p /var/lib/samba/profiles/maryo</smbconfcomment>
|
|
<smbconfsection name="[Profiles]"/>
|
|
<smbconfoption name="comment">Roaming Profile Share</smbconfoption>
|
|
<smbconfoption name="path">/var/lib/samba/profiles</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
<smbconfoption name="profile acls">Yes</smbconfoption>
<smbconfcomment>Other resource (share/printer) definitions would follow below.</smbconfcomment>
|
|
</smbconfblock>
|
|
</example>
<step><para>
|
|
Create UNIX group accounts as needed using a suitable operating system tool:
|
|
<screen>
|
|
&rootprompt;<userinput>groupadd ntadmins</userinput>
|
|
&rootprompt;<userinput>groupadd designers</userinput>
|
|
&rootprompt;<userinput>groupadd engineers</userinput>
|
|
&rootprompt;<userinput>groupadd qateam</userinput>
|
|
</screen>
|
|
</para></step>
<step><para>
|
|
Create user accounts on the system using the appropriate tool
|
|
provided with the operating system. Make sure all user home directories
|
|
are created also. Add users to groups as required for access control
|
|
on files, directories, printers, and as required for use in the Samba
|
|
environment.
|
|
</para></step>
<step><para>
|
|
<indexterm><primary>net</primary><secondary>groupmap</secondary></indexterm>
|
|
<indexterm><primary>initGroups.sh</primary></indexterm>
|
|
Assign each of the UNIX groups to NT groups by executing this shell script
|
|
(You could name the script <filename>initGroups.sh</filename>):
|
|
<screen>
|
|
#!/bin/bash
#### Keep this as a shell script for future re-use

# First assign well known groups
net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d
net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d

# Now for our added Domain Groups
net groupmap add ntgroup="Designers" unixgroup=designers type=d
net groupmap add ntgroup="Engineers" unixgroup=engineers type=d
net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
|
|
</screen>
|
|
</para></step>
<step><para>
|
|
Create the <filename>scripts</filename> directory for use in the
|
|
<smbconfsection name="[NETLOGON]"/> share:
|
|
<screen>
|
|
&rootprompt;<userinput>mkdir -p /var/lib/samba/netlogon/scripts</userinput>
|
|
</screen>
|
|
Place the logon scripts that will be used (batch or cmd scripts)
|
|
in this directory.
|
|
</para></step>
|
|
</procedure>
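<para>
A consistency check for the mappings that <filename>initGroups.sh</filename> creates, added here as
an example and not part of the Samba HOWTO. It parses the output of <command>net groupmap list</command>
(one mapping per line in the form <literal>NT group (SID) -> unixgroup</literal>) together with
<filename>/etc/group</filename>, confirms that the well-known groups carry RIDs 512, 513 and 514,
reports any mapping whose UNIX group was never created, and lists who holds Domain Admins through
the mapped UNIX group. The domain SID and the group file contents are constructed placeholders;
the function names are this example's own.
</para>

```python
"""Consistency check for Samba group mappings on a tdbsam PDC.

Added example; not code from the Samba HOWTO. The sample inputs below are
constructed and the domain SID in them is a placeholder.
"""
import re

# RIDs that Windows reserves for the built-in domain groups (as in initGroups.sh)
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

# Constructed sample of 'net groupmap list' output with a placeholder domain SID
SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-111111111-222222222-333333333-512) -> ntadmins
Domain Users (S-1-5-21-111111111-222222222-333333333-513) -> users
Domain Guests (S-1-5-21-111111111-222222222-333333333-514) -> nobody
Designers (S-1-5-21-111111111-222222222-333333333-1001) -> designers
Engineers (S-1-5-21-111111111-222222222-333333333-1003) -> engineers
QA Team (S-1-5-21-111111111-222222222-333333333-1005) -> qateam
"""

# Constructed sample of /etc/group; note that 'qateam' was never created
SAMPLE_ETC_GROUP = """\
root:x:0:
users:x:100:
nobody:x:65534:
ntadmins:x:1001:maryo
designers:x:1002:jackb,ameds
engineers:x:1003:
"""

MAP_LINE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-21(?:-\d+)+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Return {nt_group: (sid, unix_group)} from 'net groupmap list' output."""
    mappings = {}
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            mappings[m.group("nt")] = (m.group("sid"), m.group("unix"))
    return mappings


def parse_etc_group(text):
    """Return {group_name: [members]} from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 4:
            groups[fields[0]] = [m for m in fields[3].split(",") if m]
    return groups


def rid_of(sid):
    """The relative identifier is the last component of the SID."""
    return int(sid.rsplit("-", 1)[1])


def check_mappings(groupmap_text, etc_group_text):
    """Return a list of problems; an empty list means the mappings are consistent."""
    mappings = parse_groupmap(groupmap_text)
    groups = parse_etc_group(etc_group_text)
    problems = []
    for nt, expected_rid in WELL_KNOWN_RIDS.items():
        if nt not in mappings:
            problems.append(f"{nt} is not mapped to any UNIX group")
        elif rid_of(mappings[nt][0]) != expected_rid:
            problems.append(f"{nt} has RID {rid_of(mappings[nt][0])}, expected {expected_rid}")
    for nt, (_sid, unix) in mappings.items():
        if unix not in groups:
            problems.append(f"{nt} maps to UNIX group {unix!r}, which does not exist")
    return problems


def domain_admins_members(groupmap_text, etc_group_text):
    """UNIX accounts that hold Domain Admins through the mapped UNIX group."""
    mappings = parse_groupmap(groupmap_text)
    groups = parse_etc_group(etc_group_text)
    if "Domain Admins" not in mappings:
        return []
    return groups.get(mappings["Domain Admins"][1], [])


if __name__ == "__main__":
    for problem in check_mappings(SAMPLE_GROUPMAP, SAMPLE_ETC_GROUP):
        print("PROBLEM:", problem)
    print("Domain Admins members:", domain_admins_members(SAMPLE_GROUPMAP, SAMPLE_ETC_GROUP))
```

<para>
On a live PDC, feed <function>check_mappings</function> the output of <command>net groupmap list</command>
and the content of <filename>/etc/group</filename>. The Domain Admins listing is the one worth
reviewing regularly: membership of the mapped UNIX group is what grants domain administrator rights.
</para>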
<para>
|
|
The above configuration provides a functional PDC
|
|
system to which must be added file shares and printers as required.
|
|
</para>
</sect3>
<sect3>
|
|
<title>A Big Organization</title>
<para>
|
|
In this section we finally get to review in brief a Samba-3 configuration that
uses a Lightweight Directory Access Protocol (LDAP)-based authentication backend. The
main reasons for this choice are to provide the ability to host Primary Domain Control (PDC)
and Backup Domain Control (BDC), as well as to enable a higher degree of
scalability to meet the needs of a very distributed environment.
|
|
</para>
<sect4>
|
|
<title>The Primary Domain Controller</title>
<para>
|
|
This is an example of a minimal configuration to run a Samba-3 PDC
|
|
using an LDAP authentication backend. It is assumed that the operating system
|
|
has been correctly configured.
|
|
</para>
<para>
|
|
The Idealx scripts (or equivalent) are needed to manage LDAP-based POSIX and/or
SambaSamAccounts. The Idealx scripts may be downloaded from the <ulink url="http://www.idealx.org">
Idealx</ulink> Web site. They may also be obtained from the Samba tarball. Linux
distributions tend to install the Idealx scripts in the
<filename>/usr/share/doc/packages/sambaXXXXXX/examples/LDAP/smbldap-tools</filename> directory.
Version <constant>smbldap-tools-0.9.1</constant> of the Idealx scripts is known to work well.
|
|
</para>
<procedure>
|
|
<step><para>
|
|
Obtain from the Samba sources <filename>~/examples/LDAP/samba.schema</filename>
|
|
and copy it to the <filename>/etc/openldap/schema/</filename> directory.
|
|
</para></step>
<step><para>
|
|
Set up the LDAP server. This example is suitable for OpenLDAP 2.1.x. An example
<filename>/etc/openldap/slapd.conf</filename> file follows:
<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
|
|
<screen>
|
|
# Note: commented-out lines have been removed
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=quenya,dc=org"
rootdn "cn=Manager,dc=quenya,dc=org"
rootpw {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P
# The password for the above is 'nastyon3'

directory /var/lib/ldap

index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
|
|
</screen>
|
|
</para></step>
<step><para>
|
|
Create the following file <filename>initdb.ldif</filename>:
|
|
<indexterm><primary>initdb.ldif</primary></indexterm>
|
|
<programlisting>
|
|
# Organization for SambaXP Demo
dn: dc=quenya,dc=org
objectclass: dcObject
objectclass: organization
dc: quenya
o: SambaXP Demo
description: The SambaXP Demo LDAP Tree

# Organizational Role for Directory Management
dn: cn=Manager,dc=quenya,dc=org
objectclass: organizationalRole
cn: Manager
description: Directory Manager

# Setting up the container for users
dn: ou=People, dc=quenya, dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

# Set up an admin handle for People OU
dn: cn=admin, ou=People, dc=quenya, dc=org
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
# The password for above is 'mordonL8'
|
|
</programlisting>
|
|
</para></step>
<step><para>
|
|
Load the initial data above into the LDAP database:
|
|
<screen>
|
|
&rootprompt;<userinput>slapadd -v -l initdb.ldif</userinput>
|
|
</screen>
|
|
</para></step>
<step><para>
|
|
Start the LDAP server using the appropriate tool or method for
|
|
the operating system platform on which it is installed.
|
|
</para></step>
<step><para>
|
|
Install the Idealx script files in the <filename>/usr/local/sbin</filename> directory,
then configure the <filename>smbldap_conf.pm</filename> file to match your system configuration.
|
|
</para></step>
<step><para>
|
|
The &smb.conf; file that drives this backend can be found in example <link
|
|
linkend="fast-ldap">LDAP backend smb.conf for PDC</link>. Add additional stanzas
|
|
as required.
|
|
</para></step>
<example id="fast-ldap">
|
|
<title>LDAP backend smb.conf for PDC</title>
|
|
<smbconfblock>
|
|
<smbconfcomment>Global parameters</smbconfcomment>
|
|
<smbconfsection name="[global]"/>
|
|
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
|
|
<smbconfoption name="netbios name">FRODO</smbconfoption>
|
|
<smbconfoption name="passdb backend">ldapsam:ldap://localhost</smbconfoption>
|
|
<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
|
|
<smbconfoption name="printcap name">cups</smbconfoption>
|
|
<smbconfoption name="add user script">/usr/local/sbin/smbldap-useradd -m '%u'</smbconfoption>
|
|
<smbconfoption name="delete user script">/usr/local/sbin/smbldap-userdel %u</smbconfoption>
|
|
<smbconfoption name="add group script">/usr/local/sbin/smbldap-groupadd -p '%g'</smbconfoption>
|
|
<smbconfoption name="delete group script">/usr/local/sbin/smbldap-groupdel '%g'</smbconfoption>
|
|
<smbconfoption name="add user to group script">/usr/local/sbin/smbldap-groupmod -m '%u' '%g'</smbconfoption>
|
|
<smbconfoption name="delete user from group script">/usr/local/sbin/smbldap-groupmod -x '%u' '%g'</smbconfoption>
|
|
<smbconfoption name="set primary group script">/usr/local/sbin/smbldap-usermod -g '%g' '%u'</smbconfoption>
|
|
<smbconfoption name="add machine script">/usr/local/sbin/smbldap-useradd -w '%u'</smbconfoption>
|
|
<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
|
|
<smbconfoption name="logon path">\\%L\Profiles\%U</smbconfoption>
|
|
<smbconfoption name="logon drive">H:</smbconfoption>
|
|
<smbconfoption name="logon home">\\%L\%U</smbconfoption>
|
|
<smbconfoption name="domain logons">Yes</smbconfoption>
|
|
<smbconfoption name="os level">35</smbconfoption>
|
|
<smbconfoption name="preferred master">Yes</smbconfoption>
|
|
<smbconfoption name="domain master">Yes</smbconfoption>
|
|
<smbconfoption name="ldap suffix">dc=quenya,dc=org</smbconfoption>
|
|
<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap group suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap idmap suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap admin dn">cn=Manager</smbconfoption>
|
|
<smbconfoption name="ldap ssl">no</smbconfoption>
|
|
<smbconfoption name="ldap passwd sync">Yes</smbconfoption>
|
|
<smbconfoption name="idmap uid">15000-20000</smbconfoption>
|
|
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
|
|
<smbconfoption name="printing">cups</smbconfoption>
|
|
</smbconfblock>
|
|
</example>
<step><para>
|
|
Store the password of the <smbconfoption name="ldap admin dn"/> account in the
<filename>secrets.tdb</filename> file so that Samba can bind to and update the LDAP database:
|
|
<screen>
|
|
&rootprompt;<userinput>smbpasswd -w mordonL8</userinput>
|
|
</screen>
|
|
</para></step>
<step><para>
|
|
Add users and groups as required. Users and groups added using Samba tools
|
|
will automatically be added to both the LDAP backend and the operating
|
|
system as required.
|
|
</para></step>
</procedure>
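<para>
How the <literal>{SSHA}</literal> values in <filename>slapd.conf</filename> and
<filename>initdb.ldif</filename> above are built, shown as an added example that is not code from
the Samba HOWTO or from OpenLDAP. The scheme is what <command>slappasswd</command> produces: the
base64 encoding of SHA-1 over the password followed by a 4-byte salt, with the salt appended after
the digest. The script generates and verifies such hashes and scans a configuration for
<literal>rootpw</literal> or <literal>userPassword</literal> values stored without a hash scheme;
with a verifier at hand there is no need to keep the plaintext in a comment beside the hash. The two
hashes from the examples above are reused only to show the format; the cleartext configuration sample
and the function names are this example's own.
</para>

```python
"""Build, verify and audit OpenLDAP {SSHA} password hashes.

Added example; not code from the Samba HOWTO or from OpenLDAP.
"""
import base64
import hashlib
import hmac
import os
import re

SCHEME = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 output size in bytes

# Hashes copied from the HOWTO's slapd.conf and initdb.ldif examples
HOWTO_ROOTPW = "{SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P"
HOWTO_ADMIN_PW = "{SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb"

# Constructed sample: rootpw stored in clear, userPassword properly hashed
SAMPLE_BAD_CONFIG = """\
rootdn "cn=Manager,dc=quenya,dc=org"
rootpw nastyon3
userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
"""


def ssha_hash(password, salt=None):
    """Return an {SSHA} string for password; a random 4-byte salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(hashed):
    """Return (digest, salt) from an {SSHA} string, or raise ValueError."""
    if not hashed.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(hashed[len(SCHEME):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("payload too short to hold a SHA-1 digest plus salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(hashed, password):
    """Constant-time check of password against an {SSHA} hash."""
    digest, salt = ssha_split(hashed)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def find_cleartext_passwords(text):
    """List (line_number, attribute) for rootpw / userPassword values that
    carry no {SCHEME} prefix, i.e. are stored in clear text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.lower().startswith("rootpw"):
            attr, value = "rootpw", stripped[len("rootpw"):].strip()
        elif stripped.lower().startswith("userpassword:"):
            attr, value = "userPassword", stripped.split(":", 1)[1]
            if value.startswith(":"):  # LDIF '::' means the value is base64 encoded
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            value = value.strip()
        else:
            continue
        if not re.match(r"\{[A-Za-z0-9-]+\}", value):
            findings.append((lineno, attr))
    return findings


if __name__ == "__main__":
    generated = ssha_hash("example-password")
    print(generated, ssha_verify(generated, "example-password"))
    print("salt length in HOWTO rootpw:", len(ssha_split(HOWTO_ROOTPW)[1]))
    print("cleartext findings:", find_cleartext_passwords(SAMPLE_BAD_CONFIG))
```

<para>
Note that SHA-1 with a 4-byte salt is what OpenLDAP of that era offered; it is fine for verifying
which password a given hash belongs to, but the files holding <literal>rootpw</literal> and
<literal>userPassword</literal> values should still be readable only by the directory server.
</para>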
</sect4>
<sect4>
|
|
<title>Backup Domain Controller</title>
<para>
|
|
<link linkend="fast-bdc"/> shows the example configuration for the BDC. Note that
|
|
the &smb.conf; file does not specify the smbldap-tools scripts &smbmdash; they are
|
|
not needed on a BDC. Add additional stanzas for shares and printers as required.
|
|
</para>
<procedure>
|
|
<step><para>
|
|
Decide if the BDC should have its own LDAP server or not. If the BDC is to be
the LDAP server, point the LDAP URL in the <smbconfoption name="passdb backend"/> line
of &smb.conf; at the local server rather than at the PDC. The default
configuration in <link linkend="fast-bdc">Remote LDAP BDC smb.conf</link>
uses a central LDAP server.
|
|
</para></step>
<example id="fast-bdc">
|
|
<title>Remote LDAP BDC smb.conf</title>
|
|
<smbconfblock>
|
|
<smbconfcomment>Global parameters</smbconfcomment>
|
|
<smbconfsection name="[global]"/>
|
|
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
|
|
<smbconfoption name="netbios name">GANDALF</smbconfoption>
|
|
<smbconfoption name="passdb backend">ldapsam:ldap://frodo.quenya.org</smbconfoption>
|
|
<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
|
|
<smbconfoption name="printcap name">cups</smbconfoption>
|
|
<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
|
|
<smbconfoption name="logon path">\\%L\Profiles\%U</smbconfoption>
|
|
<smbconfoption name="logon drive">H:</smbconfoption>
|
|
<smbconfoption name="logon home">\\%L\%U</smbconfoption>
|
|
<smbconfoption name="domain logons">Yes</smbconfoption>
|
|
<smbconfoption name="os level">33</smbconfoption>
|
|
<smbconfoption name="preferred master">Yes</smbconfoption>
|
|
<smbconfoption name="domain master">No</smbconfoption>
|
|
<smbconfoption name="ldap suffix">dc=quenya,dc=org</smbconfoption>
|
|
<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap group suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap idmap suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap admin dn">cn=Manager</smbconfoption>
|
|
<smbconfoption name="ldap ssl">no</smbconfoption>
|
|
<smbconfoption name="ldap passwd sync">Yes</smbconfoption>
|
|
<smbconfoption name="idmap uid">15000-20000</smbconfoption>
|
|
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
|
|
<smbconfoption name="printing">cups</smbconfoption>
|
|
</smbconfblock>
|
|
</example>
<step><para>
|
|
Configure the NETLOGON and PROFILES directories as for the PDC in <link linkend="fast-engoffice-shares">Engineering Office smb.conf (shares and services)</link>.
|
|
</para></step>
|
|
</procedure>
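<para>
A review of the PDC and BDC configurations above, as an added example that is not code from the
Samba HOWTO. A minimal &smb.conf; parser feeds three checks: an <literal>ldapsam</literal> backend
reached over plain <literal>ldap://</literal> on a remote host with <smbconfoption name="ldap ssl"/>
set to <literal>no</literal>, which is the BDC case and means the <smbconfoption name="ldap admin dn"/>
password and the account data cross the network in clear text; an <smbconfoption name="ldap admin dn"/>
that is not a full DN under the <smbconfoption name="ldap suffix"/>, which Samba uses verbatim for its
bind, so the bare <literal>cn=Manager</literal> in the examples above needs the suffix appended; and
shares that are both guest-accessible and writable. The configuration samples are constructed from
the values shown in the examples above, and the function names are this example's own.
</para>

```python
"""Review checks for the PDC and BDC smb.conf examples.

Added example; not code from the Samba HOWTO. The samples are constructed
from values shown in the HOWTO's examples.
"""
import re

# Constructed from the HOWTO's 'LDAP backend smb.conf for PDC' example
PDC_SAMPLE = """\
[global]
        workgroup = MIDEARTH
        netbios name = FRODO
        passdb backend = ldapsam:ldap://localhost
        ldap suffix = dc=quenya,dc=org
        ldap admin dn = cn=Manager
        ldap ssl = no
"""
# Constructed from the HOWTO's 'Remote LDAP BDC smb.conf' example: same settings,
# but the LDAP server is the PDC, reached across the network
BDC_SAMPLE = PDC_SAMPLE.replace("FRODO", "GANDALF").replace("ldap://localhost", "ldap://frodo.quenya.org")
# Constructed: a share that anyone on the network can write to
WRITABLE_GUEST_SHARE = "[global]\n workgroup = MIDEARTH\n[public]\n path = /export/public\n guest ok = Yes\n read only = No\n"

TRUE_VALUES = ("yes", "true", "1")
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1", "")


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names lower-cased and whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)  # only the first '=' separates key and value
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def ldap_transport_finding(g):
    """Flag an LDAP simple bind whose credentials would cross the network in clear."""
    m = re.search(r"ldapsam:(ldaps?)://([^/:\s]*)", g.get("passdb backend", ""))
    if not m:
        return None
    scheme, host = m.group(1), m.group(2).lower()
    # Only an explicit no/off is flagged: the default for 'ldap ssl' depends on the Samba version
    ssl = g.get("ldap ssl", "").lower()
    if scheme == "ldap" and ssl in ("no", "off") and host not in LOCAL_HOSTS:
        return (f"passdb backend binds to ldap://{host} with 'ldap ssl = {ssl}': the ldap admin dn "
                "password and account data cross the network in clear text")
    return None


def admin_dn_finding(g):
    """Flag an 'ldap admin dn' that is not a full DN underneath 'ldap suffix'."""
    dn, suffix = g.get("ldap admin dn", ""), g.get("ldap suffix", "")
    if dn and suffix and not dn.replace(" ", "").lower().endswith(suffix.replace(" ", "").lower()):
        return f"'ldap admin dn = {dn}' is not a full DN under 'ldap suffix = {suffix}'; Samba binds with it verbatim"
    return None


def writable_guest_shares(conf):
    """Names of shares that guests can write to; printer spool shares are excluded."""
    names = []
    for name, share in conf.items():
        if name == "global" or is_true(share.get("printable", "no")):
            continue
        # 'writable'/'writeable' are the inverse synonyms of 'read only'
        writable = (not is_true(share.get("read only", "yes"))
                    or is_true(share.get("writable", share.get("writeable", "no"))))
        if is_true(share.get("guest ok", "no")) and writable:
            names.append(name)
    return names


def audit(text):
    """Run every check over one smb.conf text and return the findings."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = [f for f in (ldap_transport_finding(g), admin_dn_finding(g)) if f]
    findings += [f"share [{n}] is writable by guests" for n in writable_guest_shares(conf)]
    return findings


if __name__ == "__main__":
    for label, sample in (("PDC", PDC_SAMPLE), ("BDC", BDC_SAMPLE), ("share", WRITABLE_GUEST_SHARE)):
        print(label, audit(sample))
```

<para>
The parser deliberately handles only the subset of &smb.conf; syntax these examples use (sections,
<literal>key = value</literal> lines, <literal>#</literal> and <literal>;</literal> comments); for the
BDC the remedy the first check points at is either <literal>ldap ssl = start tls</literal> against a
server that offers TLS, or an <literal>ldaps://</literal> URL.
</para>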
</sect4>
</sect3>
</sect2>
</sect1>
</chapter>
|