#
# Official Samba-3 HOWTO http://samba.org/samba/docs/man/Samba-HOWTO-Collection/
# http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html
# samba PDC LDAP
#
# PDC
# ------
# ============================================================================
# http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html
# ============================================================================
# http://www.lapinux.org/howto/ch03.html
# http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html
#
# http://daniel.fiser.cz/?go=samba
# http://info.ccone.at/INFO/Samba-2.2.12/Samba-PDC-HOWTO.html
# http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC
# http://gentoo-wiki.com/HOWTO_Implement_Samba_as_your_PDC
# http://en.opensuse.org/Howto_setup_SUSE_as_SAMBA_PDC_with_OpenLDAP,_DYNDNS_and_CLAM
# http://madpenguin.org/cms/?m=show&id=72
# http://research.imb.uq.edu.au/~l.rathbone/ldap/samba_pdc.shtml
# http://www.oreilly.com/catalog/samba/chapter/book
#
#
# Animated Demo
# -------------
# http://itsyourpc.org/SuSE_Contest/SMB/SMB.html
# http://www.brennan.id.au/18-Samba.html http://www.tldp.org/HOWTO/Samba-Authenticated-Gateway-HOWTO.html
# http://www.faqs.org/docs/Linux-HOWTO/SMB-HOWTO.html http://www.tldp.org/HOWTO/SMB-HOWTO.html
# has redhat style /etc/rc.d/init.d/smb
#
# [global]
# To configure Samba to use encrypted passwords:
encrypt passwords = yes
smb passwd file = /etc/smbpasswd
# NOTE(review): the hashes kept in the smbpasswd file work as password
# equivalents for SMB logons, so the file must be readable by root only (0600).
# NOTE(review): "7.html" below presumably refers to a page of the SMB-HOWTO
# linked above -- confirm.
7.html upper case/lower case stuff for filenames
#
#
#
#
# To see which shares are available on a given host
smbclient -L host
#
# to see zimmerman:/public
# NOTE(review): a password passed as an argument lands in shell history and is
# visible in the process list; leave it off so smbclient prompts for it, or
# read it from a root-only file with -A <authfile>.
smbclient \\\\zimmerman\\public mypasswd
smb: \> h
#
#
#
# to mount windoze
# smbmount "\\\\samba1\\customers" -U rtg2t -c 'mount /customers -u 500 -g 100'
#
#
# http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/install.html
#
#
# which config file
# smbd -b | grep smb.conf
#
# test the config file
testparm /etc/samba/smb.conf
#
#
# Active Directory
# ------------------
# http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain
#
# LDAP
# http://www.tutorialized.com/tutorial/Setting-up-a-Samba-PDC-with-an-OpenLDAP-backend-on-SuSE/9231
#
#
#
# printing
# --------
# http://www.tldp.org/HOWTO/SMB-HOWTO-9.html
# http://www.linuxprinting.org/kpfeifle/SambaPrintHOWTO/Samba-HOWTO-Collection-3.0-PrintingChapter-11th-draft.html
#
#
# CUPS + clamAV
# http://www.gentoo.org/doc/en/quick-samba-howto.xml
#
#
#
# http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch10_:_Windows,_Linux,_and_Samba
# stunnel + swat
#
#
# Tells Samba to become the PDC
# domain logons Yes
#
# tell windows about Samba as the PDC
#
#
#
# Samba GUI
# ---------
# swat
# NOTE(review): SWAT logs in with a system account (normally root) over plain
# HTTP, which is presumably why it is paired with stunnel above; do not expose
# it unwrapped.
#
# http://www.math.temple.edu/computing/samba.html david@lechnyr.com
# ( almost same as uoregon.edu )
# Unofficial Samba HOWTO http://hr.uoregon.edu/davidrl/samba.html david@hr.uoregon.edu
#
# NOTE(review): auto-key-retrieve downloads whichever key made the signature,
# so a "Good signature" line proves nothing until that key's fingerprint has
# been compared with one obtained from a trusted source.
# gpg --keyserver-options auto-key-retrieve --verify samba-latest.tar.asc
#
# $ cd source
#
# avoid overwriting the existing system
$ ./configure --prefix=/usr/local/samba-3.0.21a \
    --with-configdir=/etc/samba \
    --with-privatedir=/etc/samba/private \
    --disable-cups --with-syslog
#
# If you're really set on having Samba installed in your main /usr filesystem,
# you could try something like:
$ ./configure --prefix=/usr --with-fhs \
    --bindir=/usr/bin --sbindir=/usr/sbin \
    --with-lockdir=/var/lock/samba \
    --localstatedir=/var \
    --with-swatdir=/usr/share/swat \
    --sysconfdir=/etc --with-configdir=/etc/samba \
    --with-privatedir=/etc/samba/private
#
#
# Overwrite existing files
# To make it easy to find our files, we'll create the necessary symlinks:
# $ cd /usr/bin
# ln -sf /usr/local/samba-3.0.21a/{,s}bin/* .
# vi /etc/services ...
netbios-ns 137/udp # NETBIOS Name Service
netbios-dgm 138/udp # NETBIOS Datagram Service
netbios-ssn 139/tcp # NETBIOS Session Service
microsoft-ds 445/tcp # Microsoft-DS
#
# Startup samba
# /etc/rc.d/rc.samba
# /usr/sbin/smbd -D
# /usr/sbin/nmbd -D
#
# Configure Samba
# /etc/samba/smb.conf
# /usr/local/samba/lib/smb.conf
# /usr/src/samba-3.0.21a/examples/smb.conf.default
#
# Create some empty dir and files
# mkdir /etc/samba/private
# touch /etc/samba/private/smbpasswd
# chmod 0600 /etc/samba/private/smbpasswd
#
# to provide access to files and folders on your Linux box to your Windows XP clients,
# you could use something (which is quite insecure -- FYI)
# ...
# NOTE(review): security = share does no per-user authentication and [public]
# is writable, so any host that can reach ports 139/445 can modify
# /home/public. Limit reach with hosts allow or a firewall, or use
# security = user; share-level security was removed in Samba 4.
[global]
encrypt passwords = yes
netbios name = FLUFFYGERBIL
security = share
socket options = TCP_NODELAY IPTOS_LOWDELAY
wins support = yes
workgroup = WORKGROUP

[public]
path = /home/public
read only = no
#
# NOTE(review): password=... on the command line is exposed in shell history
# and the process list; the smbfs mount helper accepts credentials=<file>
# (a root-only file) instead. "//192.168.0.1/pub/mnt" is presumably
# "//192.168.0.1/pub /mnt" (share, then mount point) -- confirm.
# linux# mount -t smbfs -o username=myname,password=mypass //192.168.0.1/pub/mnt
#
# Logging
# %U is the session user name and %m the client's NetBIOS name, so this
# writes one log file per user/machine pair.
debug timestamp = yes
log file = /var/log/samba/%U-%m.log
log level = 2
# 9MB log file limit (the value is in kilobytes)
max log size = 9216
#
# Oplocks
# http://www.microsoft.com/mind/1196/cifs.asp
#
#
# tell the client not to cache a copy of the file on their end
#
#
# Level2 Oplocks is a fancy way of saying, 2nd client will get "read-only" access
level2 oplocks = no
oplocks = no
#
#
# you could disable oplocks on a per-file basis within the share
# veto oplock files = /*.mdb/*.MDB/
#
# Passwords
# /etc/samba/private/smbpasswd
# /usr/local/samba/private/smbpasswd
#
# The stored hashes work as password equivalents for SMB logons, hence
# root-only ownership and mode 600 on the file.
touch /etc/samba/private/smbpasswd
chmod 600 /etc/samba/private/smbpasswd
chown root:root /etc/samba/private/smbpasswd
# smbpasswd -a davidrl == add
# smbpasswd -d davidrl == disable
# smbpasswd -x davidrl == delete
#
#
# unless you have win95, turn on encrypted passwd
# encrypt passwords = yes
#
# Primary Domain Controller (PDC)
# The theory is that it's beneficial to be able to log on to a shared group of resources
# rather than a single server
#
# you must decide if the ability to have more than one person log onto a single
# Windows machine is worth the associated headaches
#
# LOCAL USERS are accounts that are unique to a single workstation
# Each Windows workstation has two built-in Users: Administrator and Guest
# Local Users are not available on Domain Controllers
#
# LOCAL GROUPS are groups that are unique to a single workstation
# Each Windows workstation has several built-in Groups:
# - Administrators have complete and unrestricted access to the workstation
# - Power Users have most administrative powers with some restrictions
# - Users are prevented from making accidental or intentional system-wide changes
# - Guests Local Group actually has the same access permissions as the Users group
# Local Groups are not available on Domain Controllers
#
# DOMAIN USERS are accounts that are created on a Windows server that is acting as a PDC
# Samba mimics this behavior by treating every user in smbpasswd(8) as a Domain User
# If the user root is defined in smbpasswd, it is equivalent to the
# Administrator account on Windows NT/2000/2003.
# NOTE(review): that makes root's SMB password a domain-wide administrative
# credential; give it a value different from the Unix root password.
#
# DOMAIN GROUPS are created on a Windows server that is acting as a PDC
# Samba technically only has two Domain Groups:
# - root user
# - everyone else
# Samba mimics additional group behavior by honoring filesystem permission
# restrictions using the group membership information in /etc/group
#
# Samba has no knowledge of Windows Local Accounts
# there are only multiple users (defined in smbpasswd) and
# a single Administrator named root (if defined in smbpasswd)
#
# "root" ( aka Administrator ) will not have Administrator privilege on windoze
#
# all Samba group memberships are defined in /etc/group
#
# Windows has no direct knowledge of Samba Domain Users or the /etc/group file on the Samba box
#
# Under Windows servers, you can add Local Users, Global Users, and Global Groups to Local Groups
# With Samba, you can add Local Users and Global Users to Local Groups.
#
# with both Windows servers and Samba Servers,
# you cannot add Local Users and Local Groups to Global Groups
#
# the way around this is to select one account from Samba and add it to each
# Windows workstation's Administrators Local Group per each workstation
#
# To Join a Samba Domain
# ======================
# you'll need to first enable a Samba password for the root account on your Samba box.
#
# vi /etc/passwd
myworkstation$:!x:5000:5000::/dev/null:/bin/false
# NOTE(review): "/etc/groups" below is presumably /etc/group -- confirm.
vi /etc/groups
workstation::5000
# run the following commands on your samba server
# NOTE(review): the password set for root here is what workstations use to
# join the domain; choose one that differs from the Unix root password.
smbpasswd -a root
smbpasswd -m -a myworkstation == note no trailing $
#
# On Windows
# make the following changes to your registry in HKEY_LOCAL_MACHINE\SYSTEM
# under CurrentControlSet\Services\Netlogon\ Parameters:
# NOTE(review): both values switch off signing/sealing of the workstation's
# Netlogon secure channel, so traffic between the workstation and the domain
# controller loses its integrity protection. Samba 3.x is documented to
# support schannel -- confirm the workaround is still needed before applying
# it, and limit it to workstations that cannot join otherwise.
"requiresignorseal"=dword:00000000
"signsecurechannel"=dword:00000000
# check there are no lingering connections
# NET USE * /D /Y
#
# WindowControlPanel->SystemIcon(sysdm.cpl)->ComputerName->Change->Add Domain Name(Engineering)
#
#
# New database format
# *.tdb
# - also can migrate smbpasswd to *.tdb
#
# Roaming Profiles
# -- strongly discouraged to prevent headaches
#
# for the logon scripts
# Microsoft Windows ends each line with a Carriage Return (0x0d) and Line Feed (0x0a)
# Macintosh systems just use a single Carriage Return
# UNIX/Linux systems just use a single Line Feed
#
# SSH support
# - fix lmhosts file and dns issues
# - add tcp port forwarding
#
# SSL support has been removed from Samba as of version 3.0
# NOTE(review): without it the SMB session is not encrypted on the wire --
# presumably the reason for the SSH port forwarding above; keep ports 139/445
# off untrusted networks.
#
#
# Miscellaneous/Unfiled
# ...
# When a file hasn't been accessed for fifteen minutes,
# I want Samba to close any established connections to the file.
# NOTE(review): per smb.conf(5) deadtime is in minutes and disconnects idle
# client connections that have no open files -- it applies per connection,
# not per file.
deadtime = 15
# This restricts which IP addresses are allowed to connect to this server.
hosts allow = 192.168.0.0/255.255.0.0 127.0.0.1
hosts deny = ALL
# NOTE(review): this is a source-address filter, not authentication; where the
# two lists conflict, hosts allow takes precedence over hosts deny.
#
#
# You can also filter out hosts using iptables with something like:
# NOTE(review): rule order matters -- -A appends, so each ACCEPT has to be
# added before the DROP that covers the same ports.
iptables -A INPUT -p udp -s 192.168.0.0/16 -d 192.168.0.1/32 --dport 137:138 -j ACCEPT
iptables -A INPUT -p udp --dport 137:138 -j DROP
iptables -A INPUT -p tcp -s 192.168.0.0/16 -d 192.168.0.1/32 --dport 139 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/16 -d 192.168.0.1/32 --dport 445 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 139,445 -j DROP
#
#
# It's useful to limit the interfaces on which Samba will run if you have a multi-homed server
# (more than one IP address)
# interfaces = 192.168.0.0/255.255.255.0 127.0.0.1
# bind interfaces only = Yes
#
#
# Don't allow the root user or anyone belonging to the wheel group access
#
# BUT: Note that specifying "root" here will make it impossible to allow a workstation
# to join your domain (if you're running a PDC).
invalid users = root +wheel
#
#
#
# These settings roughly translate to, "only allow Windows 2000/XP clients to connect."
# NOTE(review): lanman auth = no only refuses LM responses; NTLMv1 is still
# accepted unless ntlm auth = no is set as well. lm announce controls nmbd's
# LAN Manager browse announcements, not authentication.
lanman auth = no
lm announce = no
#
# Microsoft Windows does not store or transmit passwords in clear text.
# it uses hash of the passwd
# - LAN Manager (least secure) == used for Win9x/WinME
# - NTLM and NTLMv2 (most secure)
# NOTE(review): of the last two, NTLMv1 is markedly weaker than NTLMv2, and
# the stored hashes are themselves password equivalents.
min protocol = NT1
#
#
# samba server name
netbios name = FLUFFYGERBIL
# typically, it's the Samba version number
# (a fixed string like this one also avoids advertising the exact version)
server string = "Is It Not Nifty?"
#
#
# enforce "I'm on a local area network"
socket options = TCP_NODELAY IPTOS_LOWDELAY
#
# SO_KEEPALIVE,
#
#
# define the maximum size of the send and receive buffers for Samba
# Smaller buffers means more fragmented packets
# NOTE(review): the next line is presumably meant to be appended to the
# socket options value above; on a line of its own it is not a parameter.
SO_RCVBUF=8192 SO_SNDBUF=8192
#
# Testing Samba ...
# ---------------
# - transfer one 100MB file
# - transfer 100 1M files
#
# To create a single 100 MB test file, you could use something like:
# $ dd if=/dev/zero of=testfile count=10240 bs=10240
#
# To create 100 multiple 1 MB test files, you could use:
# (count is incremented before dd runs, so the files are named testfile2
# through testfile101; "let" is a bash builtin, not plain sh)
# #!/bin/sh
#
# count=1
# until [ "$count" -gt 100 ]; do
#     let "count += 1"
#     dd if=/dev/zero of=testfile${count} count=1024 bs=1024
# done
#
#
#
# this server should run as a WINS server
wins support = yes
#
#
# Don't, don't, absolutely don't do any offline client-side caching of this folder.
# (this also keeps copies of the share's files out of clients' offline caches)
#
# This is different than level2 oplocks.
csc policy = disable
#
#
# End of file