Transcript Slide 1

Installing Samba 3 on OpenServer 6
Kirk Farquhar, SCO Canada
What is Samba?
Samba is an open-source application suite that enables SMB/CIFS-based services on Unix servers
SMB (Server Message Block) is the underlying protocol for Windows File & Print Sharing
Licensed under the GPL
Maintained by the Samba Team (12-20 people)
Web site for resources: www.samba.org
Business Benefits of Samba
Samba allows you to merge the resources of your Windows & Unix networks
Provides seamless access to Unix-based files from Windows clients
Provides a secure & stable file server
Provides an upgrade path from Windows to “big iron”
Eliminates the need for Windows servers in organizations that don’t require Windows Server-based applications
Samba 3
Installation
OSR6-Installing from Media
Insert the OpenServer 6 CD
Start scoadmin
Select Software Manager, Software, Install New
Select “From Servername”
Select the media device CDROM 0
Expand SCO OpenServer Release 6.0.0
Expand Connectivity
Highlight SAMBA and click on Install
N.B. If Heimdal Kerberos was not installed, install it in the same manner.
Run mkdev samba
OSR6-Installing from Downloads
Download CPIO file from the SCO site to /tmp
Extract the VOL files
cat *.cpio | cpio -ivcd "*.*"
Start scoadmin
Select Software Manager, Software, Install New
Select “From Servername”
Select the media images option and directory /tmp
Highlight samba and click Install
Run mkdev samba
mkdev samba
Run the command mkdev samba
Choose 1 – Configure and Activate Samba
Enter your Windows Domain or Workgroup name
Accept the default machine name provided
If your network has a WINS server select yes and provide its IP address
If there is no WINS server on Windows this server can be set as a WINS server
Select whether you want to participate in an MS Domain
Provide the NetBIOS name of the PDC
mkdev samba command - Workgroup
mkdev samba command - Workgroup Defaults
Changes made to /etc/samba/smb.conf
workgroup = WORKGROUP
netbios name = FANGORN
Security = User
WINS server = 192.168.0.2
State of Server after this mkdev samba
nmbd and smbd are running
The server is a member of the workgroup named WORKGROUP
No shares are created and only root can connect
mkdev samba – Domain Member
Changes to /etc/samba/smb.conf
workgroup = ME
netbios name = FANGORN
security = domain
password server = RIVENDELL
wins server = 192.168.0.2
State of Server after this mkdev samba
nmbd and smbd are running
The server is a member of the domain ME
The only user is root/administrator
Shares aren’t set up
Password backend is smbpasswd
Passwords are encrypted
Introduction to SWAT
What is SWAT?
SWAT = Samba Web Administration Tool
Included and configured by default with SCO Samba implementations
SWAT allows you to perform most Samba administration functions from any browser that can contact the server
Alternative to command-line interfaces or editing smb.conf by hand
Available on port 901 by default
Controlled by inetd and an entry in the services file
Issues & Concerns with SWAT
Completely replaces smb.conf on each use
Only stores non-default settings in intermediate file
Doesn’t retain set-up comments
Can be viewed as a security risk
Never run in demo mode
Never run outside firewalls
Doesn’t like some passwords
SWAT Connection & Login
Use your browser to connect to http://192.168.0.4:901
SWAT HomePage
Primary use of the home page is to access the docs
SWAT Screens -
Allows you to set all Global variables that control the server’s behaviour:
•Server Type
•Security Settings
•Master Browser status & participation
•WINS Options
SWAT Screens -
Allows you to configure File Shares on the Server, including the specific permissions and performance modifiers for the shares.
SWAT Screens -
Allows you to set up the Unix printers to be shared by the server and to configure the printing and security options for those printers
SWAT Screens -
This screen allows you to rewrite the smb.conf file and easily re-set the Server type, WINS status and basic security access. Probably the first screen you’ll use, but this is very dangerous as it can undo much configuration work.
SWAT Screens -
Displays current status of the Samba Server including active connections. Can be used to shut down or restart the server.
SWAT Screens -
View the current smb.conf file. Note - you cannot change the file here.
By default shows only the non-default entries you’ve created for the file. The Full View option shows the entire smb.conf file.
SWAT Screens -
Add, enable and disable users as well as resetting passwords for users.
Files & Directories
/etc/samba
smb.conf - primary Samba configuration file
lmhosts - file of NetBIOS host names & IP addresses
secrets.tdb - holds SID information
smbusers - maps Unix to Windows account names
smbpasswd - equivalent to the Unix password file
smbstab - info about file & print shares
/usr/sbin - daemons smbd and nmbd
/usr/bin - executables, testparm, smbnet etc
smb.conf file
•The smb.conf file contains all non-default entries you make to configure the Samba server
•Other entries are automatically set to defaults by Samba
•Re-read on each new connection and every 60 seconds
•Rebuilt dynamically if you use SWAT
S99smbd & S99nmbd
Located in /etc/rc2.d – linked to smb & nmb in /etc/init.d
Created by mkdev samba or you can manually create links
/etc/init.d/smb enable, /etc/init.d/nmb enable
Starts and stops daemons
Syntax
/etc/rc2.d/S99smbd start|stop|restart|enable|disable
/etc/rc2.d/S99nmbd start|stop|restart|enable|disable
Can be modified to change location of Samba files
Attempts to delete PID files and starts smbd and nmbd
Daemons
Located in /usr/sbin
smbd
•TCP/IP daemon; handles all file and print requests as well as authentication and security
nmbd
•Handles name look-up and resolution and manages network browsing
•Handles all UDP traffic
•smbd will not work without nmbd
Using testparm
Utility to test syntax of smb.conf file
Located in /usr/lib/samba/bin
Usage
testparm [-v] [smb.conf file location]
By default only lists changes you’ve made
The -v option will show all defaults added by Samba
Giving the smb.conf file location lets you test multiple files
Besides displaying data it does a very simple syntax check.
Note: this doesn’t guarantee your server will work
Configuring Your Server
Configuring the Samba Server
Decisions to be made
Do you have an existing Windows Network?
•Is it a Workgroup or Domain?
•If a Domain, what security profile?
What type of Server will this be?
What Security Mode do you want?
Will you join an existing Workgroup or Domain?
•Do you have a Windows Domain?
•Do you use Active Directory?
•Is the Samba Server to be a Domain Controller?
•Are Unix userids and network ids to be the same?
What type of clients will you have, Win95, Win2K?
Prerequisites
You need to have a running network interface
DNS should be configured
•Optionally use /etc/hosts
•Test with ping & nslookup
•If joining an AD domain DNS should probably be running from the Win2K server
i.e. nslookup fangorn.me.local returns 192.168.0.4
nslookup 192.168.0.4 should return fangorn.me.local
Apache is necessary for SWAT to function
Other smb services must not be operating (AFPS VFS)
Ports 137, 139 and 901 must be available
Windows Networking Issues
Existing Win2K+ Domains with AD need to be configured with a Domain Functional Level of:
•Windows 2000 Mixed
This allows servers using NT4 style Domain functionality to participate in the Domain
•Or Native
This allows for native AD authentication using Kerberos - this will require the Heimdal modules
Server Types
Stand-alone Server
A stand-alone server is a Workgroup member, but does not participate in Domain Security. Domain members may access it using local authentication.
Domain Member Server
A Domain Member Server participates in a Domain and provides for a Single Sign-on Environment
Domain Controller
Acts as either a Primary or Back-up Domain Controller
Security Levels
User Security
•Security=user
•Client sends session request as username/password
•Server checks user and hostname only since no share info is available
•Once authenticated client “expects” to be able to mount shares with a tree connection without further authentication
•Client can send multiple session requests and gets a separate UID for each
Share Security
•Security=share
•Each tree connection request has a password submitted
•Unlike NT, Unix needs a username/password combo
•Samba will try to resolve a username by checking the PW against possible users
•Not recommended - may create problems with newer Win Clients
•Primarily to support legacy implementations - Win9x
Security Levels
Domain Security (NT4 Domains)
•Security=Domain
•Workgroup=ME
•Encrypt Passwords=Yes
Server has a trust account on the domain server - gotcha!
Authentication requests passed to domain server to be resolved
You must join a domain after Samba is started (you only need to do this once)
As root execute:
/usr/lib/samba/bin/smbnet rpc join -U Administrator%adminpw
You must have a standard Unix user account for each user of the server or define acceptable users by share
Populate /etc/passwd with
/usr/lib/samba/bin/smbnet rpc vampire -S pdcnbname -U administrator%pw
Security Levels
Domain Security (Native AD Domains)
•Security=Domain
•Workgroup=ME
•Encrypt Passwords=Yes
Server has a trust account on the domain server - gotcha!
Authentication requests passed to domain server to be resolved
You must join a domain after Samba is started (you only need to do this once)
As root execute:
/usr/lib/samba/bin/smbnet rpc join -U Administrator%adminpw
You must have a standard Unix user account for each user of the server or define acceptable users by share
Populate /etc/passwd with
/usr/lib/samba/bin/smbnet rpc vampire -S pdcnbname -U administrator%pw
Security Levels
Server Security
smb.conf entries needed
Security=Server
Encrypt passwords=yes
Password Server=nbnameofserver
Variation of user level security - client “thinks” this is user level
When the server gets a session setup request it uses the username/password combo to try to log in to the password server
Requires a standard Unix user account on the Samba Server
You may want to block shell connections for this account
May cause account lockouts on servers for failed authentications
If the PW server shuts down Samba won’t work
Setting Up a Standalone Server
Setting up a Stand-alone Server -
In the Globals Screen:
•Define your Workgroup name
•Define the netbios name
•Set security level
•Set Encrypted Passwords to Yes
•Set Password Backend to smbpasswd
•Commit changes
Setting up a Stand-alone Server -
In the Wizard Screen:
•Select Stand-alone Server
•Configure WINS Server
•Expose Home Dirs?
•Commit changes
Create Machine Accounts for Workstations
You need to create machine accounts for workstations running W2K or above
•Create a Unix group machines
groupadd machines
•Add an account for each machine
useradd -g machines -d /var/nobody -c "Kirks Workstation" -s /bin/false 'bilbo$'
•Note $ at end of machine name
Add Users -
In the Password Screen
•Add users
•Set passwords to match Windows PW
•Click Add New User for each user
•Click Enable User
Setting up a Stand-alone Server -
In the Status screen:
Click on Restart All to shut down and restart the Server
From a Windows workstation go to My Network Places, and select Entire Network, Microsoft Windows Network, Your Domain, Your Samba Server to display current shares.
smb.conf Entries
Security = User
Workgroup = SCO
Encrypted Passwords = Yes
Password Backend = smbpasswd
Check Access to Resources
Try to Access Resources
Setting Up a Domain Member Server
Setting up a Domain Member
In the Globals screen:
•Add the Domain name in the Workgroup field
•Add the Server’s name in the NetBIOS name Field
•Set Security to DOMAIN
•Commit changes
Setting up a Domain Member
In the Wizard screen:
•Jump to Parameter Edit
•Configure the Server Type as Domain Member
•Configure WINS as Client of another Server
•Set security=Domain
•Set the IP address of your primary WINS Server
•Expose Home Dirs?
•Commit changes
Setting up a Domain Member
In the Status screen:
•Click on Restart All to shut down and restart the Server
•At a Unix prompt as root run the command:
/usr/bin/smbnet rpc join -U administrator%password
From a Windows workstation go to My Network Places, and select
•Entire Network,
•Microsoft Windows Network
•Your Domain
•Your Samba Server
To display current shares.
smb.conf Entries
[global]
workgroup = ME
server string = Fangorn Samba 3 Server
interfaces = net0, lo0
bind interfaces only = Yes
security = DOMAIN
password server = rivendell
log file = /var/log/samba/log.%m
max log size = 50
dns proxy = No
wins server = 192.168.0.2
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No
ADS Authentication – Globals Screen
Essentially same as a domain member,
but:
•Add realm
•Set Security to ADS
ADS Authentication – Wizard Screen
•The wizard should pick up correct changes from the Globals commit
•Note addition of realm
Changes to the Globals section of smb.conf
[global]
workgroup = ME
realm = ME.LOCAL
server string = Fangorn Samba 3 Server
interfaces = net0, lo0
bind interfaces only = Yes
security = ADS
password server = rivendell
log file = /var/log/samba/log.%m
max log size = 50
dns proxy = No
wins server = 192.168.0.2
Getting Kerberos to Work
To authenticate natively to AD you need Kerberos services to work
In the smb.conf Globals section we need:
security = ADS (use AD for authentication)
realm = ME.LOCAL (the realm is your local DNS domain name)
password server = RIVENDELL (NetBIOS name of the Windows PDC)
SID must be correct
If errors show in SID use
smbnet getlocalsid domainname
smbnet setlocalsid S-1-5-21-x-y-z
Run smbnet ads status -U administrator (you should get a big dump of data)
Re-run smbnet ads join -U administrator
Sharing Directories
In SWAT Shares screen
Enter a new share name & click on Create Share
Sharing Directories
Fill in options for this share
Optionally
Add special user conditions
Turn on/off Guest Access
Control host access
Set Browseable
NB - blank entry for valid users means anyone can access the share
If hosts are allowed then only those hosts are allowed
Click on Commit Changes when done
smb.conf Entries
This will create a section in smb.conf for this share
[U Filesystem]
path = /u
valid users = kirk, @Administrators
hosts deny = 192.168.0.5
Sharing Unix Printers
Configuring the Print Server
By default Samba will load all of the printers in the /etc/printcap file
This is done by the Global option Load Printers=yes
Printing mode is sysv
Optionally on Legend you can use CUPS
In the Globals screen/Advanced View you can set print spooler options (defaults work well)
Sharing all printers
In the Printers tab:
•Choose “printers”
•Note Browseable option
•Set Hosts to allow & Deny
Adding a Specific Printer
Enter Printer Name
Click on Create Printer
Make printer-specific settings
Set Browseable to Yes
Commit changes
Accessing the Printer from Windows
To use this printer from Windows:
•Start
•Printers
•Add a Printer
•Choose a Network Printer
•Choose connect to this Printer
•(leave name blank)
•Drill down to printer
Setting Up Windows Clients
Configuring the Windows Clients
From the Control Panel select Networking - Local Area Connection
Select Properties
Ensure File & Print Sharing for Microsoft Networks is installed
Select Internet Protocol (TCP/IP) and then Properties
Configuring the Windows Clients
Select Control Panel-System
Choose the Network Identification Wizard (Network ID button) and enter your machine name and Domain Name or Workgroup
You will be prompted for an admin user name and password on the domain controller
Configuring the Windows Clients
If using DHCP select “Obtain Address Automatically”
Otherwise populate all fields
Select the Advanced tab
Configuring the Windows Clients
If not using DHCP you must add the IP Address and Gateway
Likewise, DHCP will automatically add DNS & WINS information
Configuring the Windows Clients
If not using DHCP populate DNS & WINS Screens
Configuring Windows Clients
From the Desktop
-My Network Places
-Microsoft Windows Network
Choose your Domain (ME)
The Samba Server should be displayed (FANGORN)
Expand the Server and Shares should appear
Double click on the Server’s name to see Shares
Alt-click on a Share to consume it
Double click on it to Browse
Using Windows Resources
Using smbclient
smbclient is a CIFS client that allows the Samba system to consume resources from other CIFS servers
Usage: [-?EgVNkP] [--usage] [-R NAME-RESOLVE-ORDER] [-M HOST] [-I
IP] [-L HOST] [-t CODE] [-m LEVEL] [-T<c|x>IXFqgbNan] [-D DIR] [-c
ARG] [-b BYTES] [-p PORT] [-d DEBUGLEVEL] [-s CONFIGFILE] [-l
LOGFILEBASE] [-O SOCKETOPTIONS] [-n NETBIOSNAME] [-W
WORKGROUP] [-i SCOPE] [-U USERNAME] [-A FILE] [-S
on|off|required] service <password>
smbclient -L
Use to list shared resources on a server
rohan:~$ smbclient -L bilbo
Password:
Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Sharename      Type      Comment
        ---------      ----      -------
        E$             Disk      Default share
        IPC$           IPC       Remote IPC
        D$             Disk      Default share
        downloads      Disk
        ADMIN$         Disk      Remote Admin
        C$             Disk      Default share
        ExchangeData   Disk
Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
rohan:~$
Accessing Windows Files
Use smbclient to connect to a File Share and get an FTP-like interface
rohan:~$ smbclient //bilbo/downloads -Ukirk
Password:
Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \>
At the smb prompt you can use commands similar to FTP: cd, dir, get, mget etc.
Listing Files
rohan:~$ smbclient //bilbo/downloads -Ukirk
Password:
Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \> dir
  .                                   D          0  Mon May 30 14:46:16 2005
  ..                                  D          0  Mon May 30 14:46:16 2005
  AdbeRdr60_enu_full.exe              A   16706160  Wed Apr 13 16:40:49 2005
  bilbo01_1024x768.jpg                A     317087  Tue Jul 6 12:59:22 2004
  casedge                             D          0  Tue Nov 30 16:20:08 2004
  genica                              D          0  Tue Nov 30 14:26:54 2004
  gn788.zip                           A     565618  Thu Oct 14 14:58:33 2004
  ISA2004Enterprise.iso               A  114960384  Sun Apr 24 18:50:35 2005
  iTunesSetup.exe                     A   21904216  Mon May 30 14:46:16 2005
  ppviewer.exe                        A    1951432  Wed Apr 13 16:26:26 2005
  Product_Training_April_v_4.ppt      A    4551680  Wed Apr 13 16:30:37 2005
  RealPlayer10-5GOLD.exe              A   10827296  Thu Apr 21 23:25:11 2005
  RiskFilter_403.ISO                  A  376932352  Mon Jan 10 15:21:51 2005
  threatdetector.exe                  A   17345027  Mon May 16 16:02:34 2005
  W2KSP2.exe                          A  106278016  Tue Nov 30 16:33:23 2004
  W2Ksp3.exe                          A   32913953  Tue Dec 14 14:42:37 2004

                51740 blocks of size 524288. 44090 blocks available
smb: \>
Getting a file
smb: \> cd casedge
smb: \casedge\> dir
  .                                   D          0  Tue Nov 30 16:20:08 2004
  ..                                  D          0  Tue Nov 30 16:20:08 2004
  audio                               D          0  Tue Nov 30 16:23:03 2004
  audio_0050.exe                      A   19342431  Tue Nov 30 16:22:32 2004
  lan                                 D          0  Tue Nov 30 14:19:29 2004
  usb                                 D          0  Tue Nov 30 14:21:29 2004
  video                               D          0  Tue Nov 30 14:20:39 2004

                51740 blocks of size 524288. 44090 blocks available
smb: \casedge\> cd video
smb: \casedge\video\> dir
  .                                   D          0  Tue Nov 30 14:20:39 2004
  ..                                  D          0  Tue Nov 30 14:20:39 2004
  autorun.inf                         A         34  Thu Jul 11 16:07:42 2002
  Graphics                            D          0  Tue Nov 30 14:20:39 2004
  ReadMe.txt                          A      27090  Thu Jul 11 18:02:00 2002

                51740 blocks of size 524288. 44090 blocks available
smb: \casedge\video\> get ReadMe.txt
getting file \casedge\video\ReadMe.txt of size 27090 as ReadMe.txt (464.1 kb/s) (average 464.1 kb/s)
smb: \casedge\video\>
Using a Printer
Configure CUPS printing on the Unix Server
Use smbclient -L servername to identify the sharename of the available printers
Create a PPD file for the Windows printer
Install the printer to CUPS
root# lpadmin -p winprinter -v smb://frodo/psc2200 -P /path/to/PPDfile
Special Considerations
Real Time updates of smb.conf
The smb.conf file is reread on each new connection and every 60 seconds
Manually changing smb.conf can interrupt existing connections
Sharing datafiles with Windows & Unix Apps
By default Samba enables Opportunistic locking for local data caching
This should only be used where shares are used exclusively
In the Globals - Advanced View - Locking set the oplocks and level2 oplocks to No
You can also disable oplocks on a per-share basis in Shares - Share Properties - Advanced - Locking
Securing your Samba Server
If possible Samba servers should be behind the firewall
Host-Based Protection
You can restrict access to certain systems with the Globals - Hosts Allow/Deny options to create entries
hosts allow = 127.0.0.1, 192.168.0.0/24
hosts deny = 0.0.0.0/0
These entries allow only local and from the 192.168.0 net and deny everyone else
User-Based Protection
You can restrict access to certain users or groups from the Globals - (in)valid users option
Securing your Samba Server
You can control access by Interface with Globals - Interfaces
eth0 lo as an example will only listen on the loopback and eth0, but not on eth1, eth2 etc
You must set Bind Interfaces Only in the Advanced screen for this to work
Useful on dual-homed systems
Blocking IPC$ Shares
Cannot be done from SWAT
Add lines to smb.conf
[IPC$]
Hosts Allow = 127.0.0.1, 192.168.0.0/24
Hosts Deny = 0.0.0.0/0
NB - this will be overwritten if you use SWAT to rebuild smb.conf
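As an added example (not from these slides or the Samba project), the Python below models how smbd evaluates hosts allow / hosts deny for a client address according to the precedence rules in smb.conf(5): a share-level list replaces the [global] one for that share, a match on the allow list grants access, otherwise a match on the deny list refuses it, and a host on neither list is admitted. The sample smb.conf is constructed from the entries shown on the Sharing Directories and Securing slides; only dotted-quad and CIDR entries are handled (no hostnames, netmask forms or EXCEPT clauses), and the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample smb.conf built from the entries shown on the slides.
SMB_CONF = """
[global]
    workgroup = ME
    hosts allow = 127.0.0.1, 192.168.0.0/24
    hosts deny = 0.0.0.0/0

[U Filesystem]
    path = /u
    valid users = kirk, @Administrators
    hosts deny = 192.168.0.5

[IPC$]
    Hosts Allow = 127.0.0.1, 192.168.0.0/24
    Hosts Deny = 0.0.0.0/0
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {param: value}}. Parameter
    names are lower-cased with spaces removed, as Samba normalises them,
    so 'Hosts Allow' and 'hosts allow' are the same parameter."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower().replace(" ", "")] = value.strip()
    return conf


def host_list(value):
    """Turn '127.0.0.1, 192.168.0.0/24' into ip_network objects
    (dotted-quad and CIDR forms only)."""
    return [ipaddress.ip_network(item, strict=False)
            for item in value.replace(",", " ").split()]


def host_allowed(conf, share, client_ip):
    """Host-based decision for one share, per the smb.conf(5) rules."""
    addr = ipaddress.ip_address(client_ip)
    g, s = conf.get("global", {}), conf.get(share, {})
    # A share-level parameter replaces the [global] default for that share.
    allow = host_list(s.get("hostsallow", g.get("hostsallow", "")))
    deny = host_list(s.get("hostsdeny", g.get("hostsdeny", "")))
    if any(addr in n for n in allow):
        return True                      # allow list always wins
    if any(addr in n for n in deny):
        return False
    return not (allow and not deny)      # allow-only list refuses the rest


def reachable_shares(conf, client_ip):
    """Shares a client address passes host checks for (user authentication
    and valid users are still applied afterwards)."""
    return sorted(s for s in conf if s != "global"
                  and host_allowed(conf, s, client_ip))
```

Run over the slide's [U Filesystem] share, this shows that its share-level hosts deny replaces the global 0.0.0.0/0 and is itself outranked by the inherited allow list, so both 192.168.0.5 and hosts outside 192.168.0.0/24 pass the host check; a share meant to stay closed needs its own complete allow and deny lists.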
Resources
http://www.samba.org
http://us1.samba.org/samba/docs/man/samba.7.html
The Official Samba-3 HOWTO and Reference Guide by John Terpstra and Jelmer R. Vernooij
Samba – Installation & Configuration
Questions