The Official Samba 3.2.x HOWTO

Samba Server Installation

apt-get install samba samba-common samba-doc libkrb53 winbind smbclient smbfs

apt-get install samba samba-common samba-doc libcupsys2-gnutls10 libkrb53 winbind smbclient smbfs

SWAT Installation

  • Swat
    From the swat man page: swat allows a Samba administrator to configure the complex smb.conf file via a Web browser. In addition, a swat configuration page has help links to all the configurable options in the smb.conf file, allowing an administrator to easily look up the effects of any change.
Installing Swat

1. sudo apt-get install swat xinetd
2. sudo nano /etc/xinetd.d/swat
3. Insert the following text 
(borrowed from http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/SWAT.html#xinetd):
# default: off
# description: SWAT is the Samba Web Admin Tool. Use swat \
#              to configure your Samba server. To use SWAT, \
#              connect to port 901 with your favorite web browser.
service swat
{
        port    = 901
        socket_type     = stream
        wait    = no
        # Use only_from if you want to restrict access
        # only_from = localhost
        user    = root
        server  = /usr/sbin/swat
        log_on_failure  += USERID
        disable = no
}
4. Exit and Save 

Running Swat

1. sudo /etc/init.d/xinetd restart
2. Point your browser to http://localhost:901/
3. Enter the username and password of a user with proper privileges 

Questions

Q: my feisty system doesn't have /etc/xinetd.d/, now what?

A: you will need to install a dependency beforehand: xinetd

sudo apt-get install xinetd
sudo update-inetd --enable 'swat'

Then create /etc/xinetd.d/swat as above, and run sudo dpkg-reconfigure xinetd to restart with the new configuration.

kudos to fabioleitao for the answer, http://ubuntuforums.org/showpost.php?p=980625&postcount=8

Q: The swat help links do not work. How do I tell swat where to find the man pages?

A: You don’t have to tell swat where they are; you have to install them.

sudo apt-get install samba-doc

Q: When I open the web page I only see four boxes (Home, Status, View, Password) but none of these boxes give me the ability to configure Samba. What should I do?

A: You do not have the necessary permissions. You will need to ensure you are a member of the administration group (‘admin’) and that the adm group has sufficient access rights to the Samba configuration file (‘smb.conf’). Note that the user created during the installation is automatically a member of the adm group.

To ensure the adm group has proper permissions over ‘smb.conf’ use ‘chmod’ and ‘chgrp’ tools to change the file access permissions and group permissions respectively:

sudo chmod g+w /etc/samba/smb.conf
sudo chgrp adm /etc/samba/smb.conf

Another method is to grant all users—the whole world essentially—complete access to ‘smb.conf’. This is not recommended for obvious security reasons.

sudo chmod 777 /etc/samba/smb.conf

Now refresh your browser window and you should see additional boxes for Globals, Shares, Printers and Wizard.
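As an added example (not part of the HOWTO), a small POSIX shell audit for the two exposures the SWAT answers above can leave behind: an xinetd entry with only_from still commented out, and an smb.conf made world-writable by chmod 777. The sample files it writes are constructed; on a real host point the two audit functions at /etc/xinetd.d/swat and /etc/samba/smb.conf.

```shell
#!/bin/sh
# Added example, not part of the HOWTO. Two exposures the SWAT answers above
# can leave behind: an xinetd entry with "only_from" still commented out, so
# SWAT (which runs as root) accepts connections on port 901 from any host
# that can reach it, and an smb.conf made world-writable with chmod 777.
# The files written by write_sample_xinetd are constructed for the demo.

# Print one FINDING line if the xinetd service file enables swat without an
# only_from restriction. Comments are stripped first, so the HOWTO's
# "# only_from = localhost" line does not count as a restriction.
audit_swat_xinetd() {
    f="$1"
    body=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$f")
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no'; then
        return 0                      # service disabled: nothing listening
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*only_from[[:space:]]*='; then
        echo "FINDING: $f enables swat without only_from (port 901 reachable from every host)"
    fi
    return 0
}

# Print one FINDING line if the file is writable by "other" (the chmod 777
# shortcut the answer above warns against). Uses GNU stat's octal mode.
audit_smbconf_mode() {
    f="$1"
    mode=$(stat -c '%a' "$f")
    other=$(printf '%s' "$mode" | sed 's/.*\(.\)$/\1/')   # last octal digit
    if [ $(( other & 2 )) -ne 0 ]; then                   # bit 2 = write
        echo "FINDING: $f is world-writable (mode $mode); prefer chgrp adm + chmod g+w"
    fi
    return 0
}

# Write a constructed xinetd entry modelled on the HOWTO's; the "restricted"
# variant has only_from set, the "open" variant keeps it commented out.
write_sample_xinetd() {
    out="$1"; variant="$2"
    {
        echo "service swat"
        echo "{"
        echo "        port            = 901"
        echo "        socket_type     = stream"
        echo "        wait            = no"
        if [ "$variant" = restricted ]; then
            echo "        only_from       = 127.0.0.1 192.168.1.0/24"
        else
            echo "        # only_from = localhost"
        fi
        echo "        user            = root"
        echo "        server          = /usr/sbin/swat"
        echo "        disable         = no"
        echo "}"
    } > "$out"
}

# Demo on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d)
    write_sample_xinetd "$d/swat.open" open
    write_sample_xinetd "$d/swat.restricted" restricted
    : > "$d/smb.conf"
    chmod 777 "$d/smb.conf"
    audit_swat_xinetd "$d/swat.open"         # 1 FINDING
    audit_swat_xinetd "$d/swat.restricted"   # no output
    audit_smbconf_mode "$d/smb.conf"         # 1 FINDING
    rm -rf "$d"
}
demo
```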

Q: On my 6.06 LTS server clients don't see the swat page. It is just a blank page. What now?

A: Edit the /etc/samba/smb.conf file so that the file contains a line for allowed hosts like:

sudo vi /etc/samba/smb.conf 

or, if you are not that comfortable with vi:

sudo nano /etc/samba/smb.conf

Add or change the following line:

[global]
        ......
        .......    
        hosts allow = 192.168.1.0/255.255.255.0 

[printers]

Of course this has to match your own network settings. After this you have to restart the samba subsystem.

sudo /etc/init.d/samba restart

Q: On my 9.04 Server I can't access swat. If I test with netstat -lt there is a line with

...
tcp6       0      0 [::]:swat               [::]:*                  LISTEN
...

A: Swat seems to be bound to IPv6 instead of IPv4.

Edit /etc/inetd.conf (sudo nano /etc/inetd.conf) and change the line

swat  stream tcp nowait.400 root /usr/sbin/tcpd /usr/sbin/swat

into

swat  stream tcp4 nowait.400 root /usr/sbin/tcpd /usr/sbin/swat

then restart inetd with sudo /etc/init.d/inetutils-inetd restart

Samba Server Configuration

Ideally, SWAT is used for the configuration:

http://sambaserver:901

Setting up as a PDC

[global]
   workgroup = MYWORKGROUP
   netbios name = SERVER1
   server string = %h server (Samba, Ubuntu)

   
   passdb backend = tdbsam
   security = user
   username map = /etc/samba/smbusers
   name resolve order = wins bcast hosts
   domain logons = yes
   preferred master = yes
   wins support = yes
   
   # Set CUPS for printing
   printcap name = CUPS
   printing = CUPS
   
   # Default logon
   logon drive = H:
   logon script = scripts/logon.bat
   logon path = \\%N\profile\%U


   # Useradd scripts
   add user script = /usr/sbin/useradd -m %u
   delete user script = /usr/sbin/userdel -r %u
   add group script = /usr/sbin/groupadd %g
   delete group script = /usr/sbin/groupdel %g
   add user to group script = /usr/sbin/usermod -G %g %u
   add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
   idmap uid = 15000-20000
   idmap gid = 15000-20000
 

   # sync smb passwords with linux passwords
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   passwd chat debug = yes
   unix password sync = yes
   
   # set the loglevel
   log level = 3


[homes]
   comment = Home
   valid users = %S
   read only = no
   browsable = no 


[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = yes
   guest ok = yes
   browsable = no


[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   admin users = Administrator
   valid users = %U
   read only = no


[profile]
   comment = User profiles
   path = /home/samba/profiles
   valid users = %U
   create mask = 0600
   directory mask = 0700
   writable = yes
   browsable = no

Remark: The "netbios name" in the smb.conf must be the same as the hostname of your server.

workgroup = MYWORKGROUP specifies the Windows domain that the Windows workstations use.

logon drive = H: is the drive letter under which the user's home share will appear in Windows Explorer.

With logon script = scripts/logon.bat you can specify a Windows batch script that is executed as soon as a Windows workstation logs in. If the script does not exist, you can comment out that line.

Create the directories for domain logons and profiles:

mkdir /home/samba
mkdir /home/samba/netlogon
mkdir /home/samba/profiles
mkdir /var/spool/samba
chmod 777 /var/spool/samba/
chown -R root:users /home/samba/
chmod -R 771 /home/samba/

Now we restart Samba:

/etc/init.d/samba restart

Edit /etc/nsswitch.conf. Change the line:

hosts: files dns

to: 

hosts: files wins dns

Add all computers of your workgroup to the /etc/hosts file on the server.

192.168.0.100 server1
192.168.0.110 workstation1
192.168.0.111 workstation2
192.168.0.112 workstation3
192.168.0.113 workstation4

Add the root user to the SAMBA password database. The root user (alias: Administrator) will be our domain administrator. This account is needed to add new computers to the SAMBA domain.

smbpasswd -a root

Create the file /etc/samba/smbusers and add the line by executing:

echo "root = Administrator" > /etc/samba/smbusers

This will allow us to use the common Windows username "Administrator" as an alias for the Linux root user.

Now I will test if the setup is correct:

smbclient -L localhost -U%

The output should look similar to this:

Domain=[MYWORKGROUP] OS=[Unix] Server=[Samba 3.0.14a-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (server1 server (Samba, Ubuntu))
        ADMIN$          IPC       IPC Service (server1 server (Samba, Ubuntu))
Domain=[MYWORKGROUP] OS=[Unix] Server=[Samba 3.0.14a-Ubuntu]

        Server               Comment
        ---------            -------
        SERVER1              server1 server (Samba, Ubuntu) 

        Workgroup            Master
        ---------            -------
        MDKGROUP             IPRG
        MYWORKGROUP          SERVER1

Set up the default domain groups for Windows:

net groupmap add ntgroup="Domain Admins" unixgroup=root
net groupmap add ntgroup="Domain Users" unixgroup=users
net groupmap add ntgroup="Domain Guests" unixgroup=nogroup

Roaming Issues

Remember also that for roaming profiles to work you need to have a subdirectory with the name of the user:

/home/samba/profiles/<your username>

Over the network:

\\<your hostname>\profiles\<your username>

I had trouble with roaming profiles; to get it working (and it does) you need to upload a profile to
/home/samba/netlogon/Default\ User/ with Windows profile upload,

make sure you chown -R root:users /home/samba/
and
chmod -R 771 /home/samba/ (with no user profiles, or you will stop them working).
Then when users log on they get a default profile and folder in
/home/samba/profile, which saves on logout.

Samba Server Operation

Joining a Windows XP PC into the domain

These instructions work if you're running a SAMBA domain server on Linux or any other UNIX, and your domain server is not using LDAP services to store SAM information, but the standard SAMBA TDB files.

Three steps are all that's required, if you have a properly configured SAMBA server (regrettably, out of the scope of this 5-minute topic).

Add the machine account on the server

Okay, time to do this. As root, on the console, add a UNIX user account, with the following command:

[root@amauta2 ~]# /usr/sbin/useradd 'machinename$'

That should create a UNIX user account that, by default, has a disabled password, so it won't be usable as an interactive shell or graphical login account. Remember to replace machinename with the machine name you intend to set on the XP computer. Do note that the useradd command may be in a different directory than /usr/sbin on your computer.

Please note that the single quotes are relevant: without them, the trailing $ would be subject to the shell's variable expansion.

Now run the following command:

[root@amauta2 ~]# smbpasswd -ma 'machinename'

This command actually creates the machine account on the SAMBA server.

Disable RequireSignOrSeal

According to a contributor, you can skip this step if you're using SAMBA 3 or higher. But if you aren't, then it's time to disable a setting that makes Windows XP complain when attempting to join a SAMBA domain. The famed RequireSignOrSeal.

Physically go to the Windows XP computer. Log on using an administrative account (Administrator comes to mind) on the local machine. Open the Registry editor (regedit.exe). Now open the key named:

My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

You'll see, on the right pane, a key named requiresignorseal. Double-click it and set the value data to 0. If it doesn't exist, create a key named requiresignorseal of type REG_DWORD and set it to 0.

Now, that machine is ready to join the SAMBA domain.

Configure the machine to join the domain

Open the Properties tab of My Computer. Click the Computer Name tab, and click the Change button.

The computer name should be the same as the name of the machine account you created in the first step. On the Member of: group, click Domain, and type the domain name you've configured in the SAMBA server.

Click OK. A password prompt will surprise you. Enter the root user name and the root password of the SAMBA server, and hit OK. In the few moments after you've hit OK, Windows XP and SAMBA will be negotiating the process of joining the domain.

If everything went OK, you'll see a Welcome to the XYZ domain popup. If something went wrong, you'll have a hard time figuring out what went wrong; the first place to go is the SAMBA log file.

Tools

nmblookup

nmblookup -A ns1
Looking up status of 172.16.150.10
NS1             <00> -         B <ACTIVE>
NS1             <03> -         B <ACTIVE>
NS1             <20> -         B <ACTIVE>
HG              <1e> - <GROUP> B <ACTIVE>
HG              <00> - <GROUP> B <ACTIVE>

MAC Address = 00-00-00-00-00-00

User Accounts

Setting up a Unix account

useradd -d /home/username -s /bin/bash -m username -p password
creates the Unix account username,
with bash as the shell,
creates the login directory (-m)
and sets the password

passwd username
changes the password of the user

passwd -aS
lists the status of the user accounts

Setting up a Samba account

smbpasswd
Create a Samba account      smbpasswd -a username
Delete a Samba account      smbpasswd -x username
Disable a Samba account     smbpasswd -d username
Change the password         smbpasswd username
pdbedit
Create, modify and delete user accounts, and change account attributes
Create a Samba account               pdbedit -a username
Delete a Samba account               pdbedit -x
List the Samba accounts              pdbedit -L
List a specific account              pdbedit -Lv username
Change an attribute, e.g.            pdbedit username -f "Full Name of User"
Help                                 pdbedit -h
net sam
Serves as a replacement for smbpasswd and pdbedit

net sam show
net sam set

Group mappings

net groupmap list
net groupmap list verbose
Lists the existing group mappings

net groupmap add ntgroup=Administrator unixgroup=adm
maps the NT group Administrator to the Unix group adm

net groupmap modify ntgroup="Domain Users" unixgroup=domusers
maps the NT group Domain Users to the UNIX group domusers

smbclient

Listing the services of a host

smbclient -L ns1

Enter root's password:
Domain=[NS1] OS=[Unix] Server=[Samba 3.3.2]

Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (ns1 server (Samba, Ubuntu))
print$          Disk      Printer Drivers
Domain=[NS1] OS=[Unix] Server=[Samba 3.3.2]

Server               Comment
---------            -------

Workgroup            Master
---------            -------
HG                   NS1

WINS

WINS diagnostics

nmblookup -R -U ns1 ns1
querying ns1 on 172.16.150.10
172.16.150.10 ns1<00>
nmblookup -R -U ns1 geniws1
querying geniws1 on 172.16.150.10
name_query failed to find name geniws1

Windows 7

Samba versions supporting Windows7 Domain Logon

Support for Windows 7 and Windows 2008 using Samba Domain Controllers has been added to the following versions:

  • Samba 3.4 or later
  • Samba 3.3.5 or later
  • Samba 3.3.2, 3.3.3 and 3.3.4 (with NOTES)
  • Samba 3.2.12 or later

We successfully tested Windows 7 Ultimate (Build 2600) with Samba 3.4.0, Samba 3.3.7, Samba 3.3.5, Samba 3.3.2, Samba 3.2.15, Samba 3.2.12 and other versions.

If you use older versions, a Windows 7 box can still join the Samba domain, but after rebooting you will receive the error message "the trust relation between this workstation and the primary domain failed" and no one can log on as any domain user.

--Monyo 12:42, 6 April 2011 (CDT)

Windows 7 Registry settings

There are currently two registry settings required to be added on the Windows 7 client prior to joining a Samba Domain. These are:

        HKLM\System\CCS\Services\LanmanWorkstation\Parameters
            DWORD  DomainCompatibilityMode = 1
            DWORD  DNSNameResolutionRequired = 0

Samba also ships with a registry patchfile that users can apply directly. The patchfile can be found in recent Samba sourcecode: $SOURCE/docs-xml/registry/Win7_Samba3DomainMember.reg or in Samba Bugzilla here: https://bugzilla.samba.org/attachment.cgi?id=4988&action=view

Make sure to either reboot Windows 7 or restart the LanmanWorkstation service after setting these entries.

You will receive one warning about DNS domain name configuration after the join has succeeded:

   "Changing the Primary Domain DNS name of this computer to "" failed.
    The name will remain "MYDOM".  The error was:
    
    The specified domain either does not exist or could not be contacted" 

This warning can be ignored or silenced by setting other registry keys.

Update: There is a hotfix available from Microsoft to address this; see Knowledge Base article http://support.microsoft.com/kb/2171571 for details.

Do not edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values.

If you have changed the NETLOGON parameters, make sure to set them back to '1' as shown below:

       HKLM\System\CCS\Services\Netlogon\Parameters
           DWORD  RequireSignOrSeal = 1
           DWORD  RequireStrongKey = 1

See Also: http://wiki.samba.org/index.php/Windows7

How to Map OpenVMS Resource Identifiers to a CIFS Local Group

Information

The user wants to administer file protections based on OpenVMS identifiers using Windows Explorer.

Details

The following resource identifier is stored in rightslist.dat of the OpenVMS system.

 $ mc authorize show/ident localreaddata
   Name            Value           Attributes
   Localreaddata   %X8001002A      RESOURCE

One should link this identifier to a local group (in this case lreaddata). The command to do this manually is:

$ net groupmap add unixgroup=localreaddata type="L" -
_$ ntgroup=lreaddata

Now add domain users/groups to this group.

In the example below the domain name is WINDOM, the domain user is user1, the administrative CIFS user account is samba$admin and the OpenVMS system name is VMSBOX.

$ net rpc group addmem lreaddata WINDOM\user1 -
_$ "-UWINDOM\samba$admin" "-Svmsbox" "-Wvmsbox"
Password: ****** (password of user samba$admin)

To see the users granted to group lreaddata, issue the command:

$ net groupmap list

and

$ wbinfo "-o"

User Management

Creating the Profile Share

To create a Samba share to use for your users' profiles, simply add something similar to the share section of your smb.conf file:

[profiles]
   comment = Network Profiles Share
   path = /srv/samba/profiles
   read only = No
   store dos attributes = Yes
   create mask = 0600
   directory mask = 0700
   browseable = no
   guest ok = no
   printable = no
   hide files = /desktop.ini/outlook*.lnk/*Briefcase*/

Then ensure that everyone has write access to the directory listed as the path:

chmod o+rw /srv/samba/profiles

Setting relevant directives for Roaming Profiles

The smb.conf settings required to use Roaming Profiles by default are:

logon path = \\%L\profiles\%U
logon home = \\%L\%U\.9xprofile
logon drive = P:

The logon home directive is only used if you have any Windows 9x based machines on your domain; otherwise it does not need to be set. The logon drive specifies the drive letter Windows will assign to your home directory, which alleviates the need to create a logon script that would essentially do the same thing.

The logon path directive is where you actually setup roaming profiles. This directive should contain a Windows Network path to the location of the profile for each user. If the user's profile directory does not exist, one will be created at that location (as long as the user has write access to that directory).

You can also take full advantage of Samba's Variable Substitutions and further separate User's profiles, such as by architecture. Using the directive:

logon path = \\%L\profiles\%U\%a

will separate the user's profiles relating to each version of Windows, such as WinXP, WinNT, etc. This is extremely helpful if you have users that jump between computers with different versions of Windows on them. This can solve a whole slew of problems relating to the registry on different versions of Windows, especially when running different versions of Internet Explorer. Separating profiles in this way can be a very powerful feature, especially when you include Folder Redirection into the mix.

Adding a Samba User

After you have installed the Samba server, you still can’t log in to it. You will need to create a Samba user:

smbpasswd -a username

The ‘-a’ switch tells smbpasswd we want to add a new user; username is the user you want to add. Please note that username must exist in /etc/passwd, otherwise you will need to use ‘useradd’ to create the user in Linux:

useradd -d /home/username -s /bin/false -n username

This will create a new user with a group of the same name (told by ‘-n’), but the user can’t log in and run any shell command, because you have specified /bin/false as the login shell with the ‘-s’ switch; if you want to allow the user to log in to a shell, replace /bin/false with /bin/sh.

OK, now that you have created a new Samba user, what if you want to delete or disable them? The ‘-d’ switch will disable the user from logging in to the Samba server:

smbpasswd -d username

If you want to delete a user permanently:

smbpasswd -x username

Add a User to the Domain Admin Group

When you install MS Windows NT4/200x on a computer, the installation program creates default users and groups, notably the Administrators group, and gives that group privileges necessary to perform essential system tasks, such as the ability to change the date and time or to kill (or close) any process running on the local machine.

The Administrator user is a member of the Administrators group, and thus inherits Administrators group privileges. If a joe user is created to be a member of the Administrators group, joe has exactly the same rights as the user Administrator.

When an MS Windows NT4/200x/XP machine is made a domain member, the “Domain Admins” group of the PDC is added to the local Administrators group of the workstation. Every member of the Domain Admins group inherits the rights of the local Administrators group when logging on to the workstation.

The following steps describe how to make Samba PDC users members of the Domain Admins group.

  • Create a UNIX group (usually in /etc/group); let's call it domadm.
  • Add to this group the users that must be “Administrators”. For example, if you want joe, john, and mary to be administrators, your entry in /etc/group will look like this:
domadm:x:502:joe,john,mary
  • Map this domadm group to the “Domain Admins” group by executing the command:
root# net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d

The quotes around “Domain Admins” are necessary due to the space in the group name. Also make sure to leave no white space surrounding the equal character (=).

Now joe, john, and mary are domain administrators.

It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as to make any UNIX group a Windows domain group. For example, if you wanted to include a UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine, you would flag that group as a domain group by running the following on the Samba PDC:

root# net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct type=d

The ntgroup value must be in quotes if it contains space characters to prevent the space from being interpreted as a command delimiter.

Be aware that the RID parameter is an unsigned 32-bit integer that should normally start at 1000. However, this RID must not overlap with any RID assigned to a user. Verification for this is done differently depending on the passdb backend you are using. Future versions of the tools may perform the verification automatically, but for now the burden is on you.

Warning: User Private Group Problems

Windows does not permit user and group accounts to have the same name. This has serious implications for all sites that use private group accounts. A private group account is an administrative practice whereby users are each given their own group account. Red Hat Linux, as well as several free distributions of Linux, by default create private groups.

When mapping a UNIX/Linux group to a Windows group account, all conflict can be avoided by assuring that the Windows domain group name does not overlap with any user account name.
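The two checks the text above leaves to the administrator (a new group RID that collides with a user's RID, and a Windows group name that equals a user account name) can be scripted against the output of pdbedit -Lv and net groupmap list. The following POSIX shell script is an added example, not part of the HOWTO or of Samba; the captured outputs it writes are constructed, and the domain part of the SIDs is invented.

```shell
#!/bin/sh
# Added example, not part of the HOWTO. Checks a proposed "net groupmap add"
# RID against existing user RIDs and group mappings, and a proposed group name
# against user account names, from captured "pdbedit -Lv" output (the
# "Unix username:" and "User SID:" lines) and "net groupmap list" output
# ("NAME (SID) -> unixgroup"). The captures written by write_samples are constructed.

# Emit "username rid" pairs from pdbedit -Lv output.
user_rids() {
    awk '/^Unix username:/ { u = $3 }
         /^User SID:/      { n = split($3, p, "-"); print u, p[n] }' "$1"
}

# Emit "rid ntgroup" pairs from net groupmap list output. The group name may
# contain spaces, so it is everything before " (S-".
group_rids() {
    sed -n 's/^\(.*\) (S-[-0-9]*-\([0-9][0-9]*\)) -> .*$/\2 \1/p' "$1"
}

# Print one FINDING per conflict for a proposed
# "net groupmap add ntgroup=NAME rid=RID". Always returns 0.
check_groupmap_add() {
    name="$1"; rid="$2"; users="$3"; groups="$4"
    user_rids "$users" | while read -r u r; do
        if [ "$r" = "$rid" ]; then
            echo "FINDING: rid $rid is already the RID of user $u"
        fi
        if [ "$u" = "$name" ]; then
            echo "FINDING: group name '$name' equals user account '$u' (Windows forbids this)"
        fi
    done
    group_rids "$groups" | while read -r r g; do
        if [ "$r" = "$rid" ]; then
            echo "FINDING: rid $rid is already mapped to group '$g'"
        fi
    done
    return 0
}

# Print every RID currently held by both a user and a mapped group.
existing_rid_collisions() {
    users="$1"; groups="$2"
    group_rids "$groups" | while read -r r g; do
        user_rids "$users" | awk -v r="$r" -v g="$g" \
            '$2 == r { print "FINDING: rid " r " used by user " $1 " and group " g }'
    done
    return 0
}

# Constructed captures: two users, three mappings; Accounting reuses joe's RID.
write_samples() {
    cat > "$1" <<'EOF'
Unix username:        joe
User SID:             S-1-5-21-1001-2002-3003-1000
Unix username:        acct
User SID:             S-1-5-21-1001-2002-3003-1002
EOF
    cat > "$2" <<'EOF'
Domain Admins (S-1-5-21-1001-2002-3003-512) -> domadm
Domain Users (S-1-5-21-1001-2002-3003-513) -> users
Accounting (S-1-5-21-1001-2002-3003-1000) -> acct
EOF
}

demo() {
    d=$(mktemp -d)
    write_samples "$d/users.txt" "$d/groups.txt"
    existing_rid_collisions "$d/users.txt" "$d/groups.txt"         # 1 FINDING
    check_groupmap_add acct  1002 "$d/users.txt" "$d/groups.txt"   # 2 FINDINGs
    check_groupmap_add Sales 1003 "$d/users.txt" "$d/groups.txt"   # no output
    rm -rf "$d"
}
demo
```

Run it against real captures with, for example, pdbedit -Lv > users.txt and net groupmap list > groups.txt before issuing the net groupmap add command.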