Transcript samba+swat1

Samba
• Objectives
– To be able to set up and work with Samba
• Contents
– Samba Servers
– Installing and configuring samba
– Getting swat working
– Sharing directories with samba
– Samba tools
• Practical
– Installing and setting up Samba
• Summary
Samba servers
• Domain Controller
– Primary Domain Controller (PDC)
– Backup Domain Controller (BDC)
– ADS Domain Controller
• Domain Member Server
– Active Directory Domain Server
– NT4 Style Domain Domain Server
• Standalone Server
• Samba security modes
– User level security (DEFAULT MODE)
security = user
– Share level security
security = share
– Domain security mode
security = domain
– ADS security mode
security = ADS
realm = your.kerberos.REALM
Download and Install Packages
• You can get official samba from at least 2 places
(As RPM) http://en.opensuse.org/Samba
(As sources) http://us2.samba.org/samba/ftp/
• Install from sources
1. Get the sources:
# wget http://us1.samba.org/samba/ftp/stable/samba-3.0.21b.tar.gz
2. Unzip it:
# tar xvfz samba-3.0.21b.tar.gz
# cd samba-3.0.21b/source
3. Make configuration:
# ./autogen.sh
4. Run configuration:
# ./configure
5. Install samba binaries and docs
# make install
• In yast SuSE you need to install the following packages
samba
samba-client
kdebase3-samba
samba-winbind
ldapsmb
libsmbclient
• SuSE is very active in maintaining samba
– Consider using the SuSE-provided rpm packages above rather than sources
How to Get Samba Started
• Check /etc/services to confirm that these entries are present
netbios-ssn 139/tcp
netbios-ns 137/udp
• Start samba services
– nmb NetBios messages
# rcnmb start
– smb Server messages
# rcsmb start
– winbind resource browsing and naming
# rcwinbind start
• Make samba start at boot
# chkconfig nmb on
# chkconfig smb on
# chkconfig winbind on
• Check that samba is running
# pgrep smb ; pgrep nmb
• Samba is installed by default in SuSE
• Samba main configuration sits in /etc/samba
• Main configuration file has name smb.conf
The Samba Configuration File
• Samba main configuration /etc/samba/smb.conf has 5 main sections
– [global]: General Samba configuration parameters
– [printers]: Used for configuring printers
– [homes]: Defines treatment of user logins
– [netlogon]: A share for storing logon scripts. (Not created by default.)
– [profile]: A share for storing domain logon information such as "favorites" and desktop icons. (Not created by default.)
How SWAT Makes Samba Simpler
• Basic SWAT Setup
– Swat is xinetd dependent
– Only access from localhost as default
• Activate swat
# chkconfig swat on
• Swat listens on port 901
# grep swat /etc/services
swat 901/tcp
• The xinetd service definition for swat
# SWAT is the Samba Web Administration Tool.
service swat
{
    socket_type = stream
    protocol = tcp
    wait = no
    user = root
    server = /usr/sbin/swat
    only_from = 127.0.0.1
    log_on_failure += USERID
}
• Swat is available through WEB interface
http://localhost:901
Login as root with root password
• SWAT can be secured with stunnel
• Always back up your original smb.conf before using SWAT
# cp /etc/samba/smb.conf /etc/samba/smb.conf.original
Starter: The [Global] Section /etc/samba/smb.conf
[global]
# smb.conf only treats "#" as a comment at the start of a line, so each
# comment is placed above the parameter it describes.

# Tells Samba to become the PDC
domain logons = Yes

# Makes the PDC act as the central store for the names of all windows
# clients, servers and printers on the network. Very helpful when you
# need to "browse" your local network for resources. Also known as a
# local master browser.
preferred master = Yes

# Tells Samba to become the master browser across multiple networks all
# over the domain. The local master browsers register themselves with
# the domain master to learn about resources on other networks.
domain master = Yes

# Sets the priority the Samba server should use when negotiating to
# become the PDC with other Windows servers. A value of 65 will usually
# make the Samba server win.
os level = 65

# (default) Allows the Samba server to provide name services for the
# network. In other words keeps track of the IP addresses of all the
# domain's servers and clients.
wins support = Yes

# Lets the samba server provide time updates for the domain's clients.
time server = Yes

# The name of the Windows domain we'll create. The name you select is
# your choice. I've decided to use "homenet".
workgroup = "homenet"

# (default) Make domain logins query the Samba password database
# located on the samba server itself.
security = user
Starter: The [Global] Section continued
# Tells the name of server
netbios name = SMBSRV
# file locking
kernel oplocks = false
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# bind to these interfaces only
interfaces = lo eth0
# answer on same interface
bind interfaces only = yes
# Begin with allowing all hosts
hosts allow = all
# Client machine logging
log file = /var/log/samba/log.%m
# Builtin logrotate
max log size = 500
# Use DNS as wins proxy
dns proxy = no
name resolve order = wins lmhosts hosts bcast
# We are local wins server
wins server = 127.0.0.1
enhanced browsing = yes
load printers = no
printing = lprng
Starter: The [homes] Section /etc/samba/smb.conf
[homes]
# Doesn't allow others to browse the contents of the directory
Browseable = No

# Allows the samba user to also write to their Samba Linux directory
read only = No

# Makes new files created by the user have "664" permissions.
# You want to change this to "0600" so that only the login user has
# access to files.
create mask = 0664

# Makes new sub-directories created by the user have "775" permissions.
# You want to change this to "0700" so that only the login user has
# access to directories.
directory mask = 0775
The [netlogon] and [profiles] Share Sections
• The netlogon share contains login scripts for clients
• The profiles share is storage for the desktop environment
[netlogon]
path = /home/samba/netlogon
guest ok = Yes
[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
• Remember to create these share directories from the command line afterwards.
# mkdir -p /home/samba/netlogon
# mkdir -p /home/samba/profiles
# chmod -R 0755 /home/samba
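The settings these slides mark for tightening (the open hosts allow line, the create mask and directory mask values, guest access to a share) can be checked mechanically before a configuration goes live. The script below is an added example, not part of the original slides; audit_smbconf and the sample file are hypothetical, parameter synonyms such as "allow hosts" are not handled, and testparm remains the authoritative parser.

```shell
# Added example: flag smb.conf settings that the slides say to tighten.
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_smbconf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function yes(v)  { return v == "yes" || v == "true" || v == "1" }
    function flag(msg) { printf "[%s] %s\n", sec, msg; n++ }
    function end_section() {
        if (sec == "global" && !hosts)
            flag("hosts allow does not restrict client addresses")
        if (sec != "" && sec != "global" && guest && writable)
            flag("guest ok with read only = no: unauthenticated writes")
        hosts = guest = writable = 0
    }
    /^[ \t]*[#;]/ || /^[ \t\r]*$/ { next }     # whole-line comments, blanks
    /^[ \t]*\[/ {                              # section header
        end_section()
        sec = tolower(trim($0)); sec = substr(sec, 2, length(sec) - 2); next
    }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        val = tolower(trim(substr($0, eq + 1)))
        if (val ~ /[ \t][#;]/)                 # smb.conf has no inline comments
            flag(key ": trailing comment becomes part of the value")
        if (key == "hosts allow" && val != "all") hosts = 1
        if (key == "guest ok")  guest = yes(val)
        if (key == "read only") writable = !yes(val)
        # Any group/other permission bit: last two octal digits are not 00.
        if (key ~ /^(create|directory) mask$/ && val ~ /^[0-7]+$/ && val % 100)
            flag(key " = " val " grants group/other access")
    }
    END { end_section(); exit (n > 0) }
    ' "$1"
}

# Constructed sample modelled on the starter configuration in the slides.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[global]
hosts allow = all
[homes]
read only = No
create mask = 0664
directory mask = 0775
EOF
audit_smbconf "$SAMPLE" || echo "review the findings above"
rm -f "$SAMPLE"
```

A share with guest ok = Yes is only reported when it is also writable, so the read-only [netlogon] share above passes.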
The [printers] Share Section
• The samba default [printers] section:
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
How To Create A Samba PDC Administrator User
• Home environment: adding the root admin
# /usr/bin/smbpasswd -a root password
• Samba passwords are stored in the /etc/samba/smbpasswd file
• In a corporate environment you might want more than one person to administer Samba
# groupadd sysadmin
• Update your smb.conf [global] section with
domain admin group = @sysadmin
admin users = @sysadmin
printer admin = @sysadmin
• Add some Linux users that are members of this group
• Use smbpasswd to add samba passwords for Domain logons for this group ( ux-passwd != smbpasswd )
How To Add Workstations To Your Samba Domain
• Adding workstations to a Samba domain is a two-step process
– creation of workstation trust accounts on the samba server
– logging into each workstation to add them to the domain
• Create Samba Trust Accounts For Each Workstation
– Manually
# groupadd samba-clients
# /usr/sbin/useradd -g samba-clients -d /dev/null -s /bin/false machine_name$
# passwd -l machine_name$
# smbpasswd -a -m machine_name
– Automatically
[global]
# <...remainder of parameters...>
add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
• Create the samba-clients Linux group
# groupadd samba-clients
Make Your PC Clients Aware Of Your Samba PDC
Windows 95/98/ME and Windows XP Home
Windows 9x machines do not implement full domain membership and therefore don't
require machine trust accounts. Here's what you need to do:
• Navigate to the Network section of the Control Panel (Start->Settings->Control Panel->Network)
• Select the Configuration tab
• Highlight "Client for Microsoft Networks"
• Click the Properties button.
• Check "Log onto Windows NT Domain", and enter the domain name.
• Click all the OK buttons and reboot!
Make Your PC Clients Aware Of Your Samba PDC
Windows NT
For Windows NT, you must first create a manual Samba machine trust account as
explained earlier, then follow these steps:
1. Navigate to the Network section of the Control Panel (Start ->Settings->Control
Panel->Network )
2. Select the "Identification" tab
3. Click the "Change" button
4. Enter the domain name and computer name, do not check the box Create a
Computer Account in the Domain. In this case, the existing machine trust account
is used to join the machine to the domain.
5. Click "OK". You should get "Welcome to <DOMAIN>" message as confirmation
that you've been added.
6. Reboot.
You can now log in using any account in the /etc/smbpasswd file with your domain as
the domain name.
Make Your PC Clients Aware Of Your Samba PDC
Windows 200x and Windows XP Professional
For the 200x and XP Professional varieties of Windows, create a dynamic Samba
machine trust account, then go through these steps:
1. Press the Windows and Break keys simultaneously to access the System
Properties dialogue box.
2. Click on the 'Network Identification' or 'Computer Name' tab on the top.
3. Click the "Properties" button.
4. Click on the "Member of Domain" button.
5. Also enter your domain name and computer name and then click "OK"
6. You will be prompted for a user account and password with rights to join a
machine to the domain. Enter the information for your Samba administrator. In
this home environment scenario, the user would be root with the corresponding
smbpasswd password. Now, you should get a "Welcome to <DOMAIN>" message
confirming that you've been added.
7. Reboot.
Log in using any account in the /etc/smbpasswd file with your domain as the domain
name.
How To Add Users To Your Samba Domain
• Adding The Users In Linux
# useradd -m -g 100 peter
• Give them a Linux Password
# passwd peter
• Mapping The Linux Users To An smbpassword
# /usr/bin/smbpasswd -a peter password
• Mapping A Private Windows Drive Share
– By default $HOME is mapped to h:
• Batch Login script
– Add the following to /home/samba/netlogon/login.bat
REM Drive Mapping Script
net use P: \\bigboy\
– Convert to MSDOS format:
# unix2dos /home/samba/netlogon/login.bat
– Set proper rights:
# chmod 644 /home/samba/netlogon/login.bat
– Add at global in smb.conf:
[global]
logon script = login.bat
Domain Groups And Samba
• Domain users
• domain admin group = USER1 USER2 @GROUP
How To Delete Users From Your Samba Domain
1. # smbpasswd -x john
2. # userdel -r john
How To Modify Samba Passwords
– Samba can let users change their passwords themselves
– In [GLOBAL] section of smb.conf:
# Enables Samba/Linux password synchronization
unix passwd sync = Yes
# Lists the location of the Linux password file which is usually
# /bin/passwd.
passwd program = /usr/bin/passwd %u
# A short script to change the Linux password using the Samba password
passwd chat = *password* %n\n *password* %n\n *changed*
Summary