# http://gentoo-wiki.com/HOWTO_Implement_Samba_as_your_PDC
# 26-Jul-06 amo  Extract sample samba conf

= HOWTO Implement Samba as your PDC =

== Install Samba ==

 # su
 Password:
 # emerge --sync
 # emerge samba -av

== Configure Samba ==

File: /etc/samba/smb.conf

The first section we configure is the [global] section, followed by [netlogon], [profiles], [homes] and the other share sections. Adjust the values to match your network.

=== The [global] service section ===

*netbios name* sets the NetBIOS name by which the Samba server is known; this is the name that shows up in Network Neighborhood.
*workgroup* controls which workgroup the server appears in when queried by clients. When the server is a PDC, this is also the DOMAIN name.
*server string* is the comment shown next to the server in "net view" and in the printer comment box in print manager.

 netbios name = COMPUTER_NAME
 workgroup = YOUR_DOMAIN
 server string = PDC [on Gentoo :: Samba server %v]

*hosts allow* is a comma, space or tab delimited list of hosts or networks permitted to access a service. Set in [global] it applies to every share, including the IPC$ share used for logons; a host that is not listed is refused before it gets to authenticate.
*security* determines how clients authenticate and is one of the most important settings in smb.conf. A PDC uses user-level security.
*encrypt passwords* controls whether encrypted (challenge/response) passwords are negotiated with the client. Leave it on: with it off, Samba expects plaintext passwords, which current Windows clients refuse to send by default and which would otherwise cross the wire unprotected.
*socket options* sets socket options used when talking to clients and is purely a performance knob. The values below date from 2006; current Samba sizes its buffers itself, so only set them if you have measured a benefit.
*interfaces* overrides the default list of network interfaces that Samba uses for browsing, name registration and other NBT traffic.
*bind interfaces only* limits smbd and nmbd to the interfaces listed in *interfaces*, so the server is not reachable on other networks at all. Keep lo in the list, or local tools such as smbpasswd cannot reach the server.
 hosts allow = 192.168.4.0/24 127.0.0.0/8
 security = user
 encrypt passwords = yes
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 interfaces = lo eth0
 bind interfaces only = yes

The following four parameters make nmbd win the browser elections for the domain. They concern browsing, not the PDC role itself: what makes Samba the PDC is *domain logons* (below) together with *domain master*. Setting *os level* to 65 ensures the server wins browse elections against any Windows machine. Use this combination only on the one machine that is the PDC: a Windows NT or Active Directory domain controller already claims the domain master browser role, and two domain master browsers in one domain break browsing.
*local master* allows nmbd to try to become the local master browser on a subnet.
*os level* controls the level at which Samba advertises itself in browse elections.
*domain master* enables WAN-wide browse list collation. Setting it causes nmbd to claim the special domain-specific NetBIOS name that identifies it as the domain master browser for its workgroup.
*preferred master* controls whether nmbd is a preferred master browser for its workgroup.

 local master = yes
 os level = 65
 domain master = yes
 preferred master = yes

*null passwords* allows or disallows access to accounts that have empty passwords. Leave it off.
*hide unreadable* prevents clients from seeing the existence of files they cannot read.
*hide dot files* controls whether files starting with a dot are shown as hidden files.

 null passwords = no
 hide unreadable = yes
 hide dot files = yes

*domain logons* dictates whether the Samba server serves Windows domain logons for its workgroup. This is the parameter that turns the server into a PDC.
*logon script* names the batch file (.bat) or NT command file (.cmd), relative to the [netlogon] share, that is downloaded and run on the client when a user logs on.
*logon path* is the location where roaming profiles (NTuser.dat and related files, for Windows NT-family clients) are stored.
*logon drive* is the drive letter to which the home directory is connected; only NT-family workstations use it.
*logon home* is the home directory location used when a Win95/98 or NT workstation logs on to the Samba PDC. Note that the variables %L and %U must be used: they expand to the server name and the user name respectively.
You may specify any drive letter for *logon drive* as long as it does not conflict with a drive already present on the Win2k client. For *logon script* I use a static file name; using %U.bat instead requires one batch file per user, because %U expands to the user name that established the connection.

 domain logons = yes
 logon script = login.bat
 logon path = \\%L\profiles\%U
 logon drive = H:
 logon home = \\%L\%U\.9xprofile

*wins support* controls whether the nmbd process acts as a WINS server.
*name resolve order* determines which naming services the Samba programs use, and in what order, to resolve host names to IP addresses.
*dns proxy* specifies that nmbd, when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word for word as a DNS name and look it up on behalf of the querying client.

 wins support = yes
 name resolve order = wins lmhosts host bcast
 dns proxy = no

*time server* determines whether nmbd advertises itself as a time server to Windows clients.
*log file* overrides the name of the Samba log (debug) file; %m gives one file per client machine.
*max log size* is the size in kilobytes at which the log file is rotated.
*smb passwd file* is the path of the smbpasswd file. By default the path is compiled into Samba. This file holds the NT password hashes, which are password-equivalent for SMB authentication, so it must stay owned by root with mode 0600.

 time server = yes
 log file = /var/log/samba/log.%m
 max log size = 50
 smb passwd file = /var/lib/samba/private/smbpasswd

The following parameters let Samba add and delete users, groups and machine accounts on the Unix side when a client requests it (for example when a workstation joins the domain). Refer to the O'Reilly book listed under Suggested Readings.
 add user script = /usr/sbin/useradd -m %u
 delete user script = /usr/sbin/userdel -r %u
 add group script = /usr/sbin/groupadd %g
 delete group script = /usr/sbin/groupdel %g
 add user to group script = /usr/sbin/usermod -a -G %g %u
 add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
 passwd program = /usr/bin/passwd %u
 passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \
               "*Password changed*"

Three notes on these. In smb.conf.example the "add machine script" line sits slightly apart from the other directives. *add user to group script* needs usermod's -a flag (shown above): without it, -G replaces the user's whole supplementary group list instead of adding to it. And the *passwd chat* prompts must match what your local passwd binary actually prints (run it by hand as root to see them), otherwise password changes from Windows fail; "New password (again):" is not the prompt every distribution uses.

*unix charset* specifies the character set used on the Unix machine Samba runs on. Samba needs it to convert file names and text to the character sets other SMB clients use.

 unix charset = ISO8859-1

=== The [SHARE_NAME] services section ===

These sections define your shares. A parameter set within a share section overrides the same parameter from the [global] section. I am not going to detail every parameter here; the Samba link under Suggested Readings is a good reference for parameter definitions. Use it!

*netlogon* is the share where the Default Profile (for new users) and the logon script reside. Make sure the directory is owned by root, group root, with permissions 755 (chmod -R 0755). Clients only read from it, and anything that can be written here is executed on every workstation at logon, so it must never be writable by ordinary users.

 [netlogon]
 path = /var/lib/samba/netlogon
 guest ok = no
 read only = yes
 browseable = no

*profiles* is the share for roaming user profiles. Make sure the directory itself is owned by root, group root, with permissions 755 (chmod -R 0755). The user profile directories live inside it. Make sure each user profile directory is owned by that user, group users, with permissions 770 (chmod -R 0770). Be aware that with group users and mode 770 every member of users can read and modify every other user's profile (NTUSER.DAT, desktop, documents); the connecting user is the owner, so mode 700 is all the client needs. Use it unless you have a reason for group access.
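The directory layout just described, as an added example that is not part of the original HOWTO: a POSIX sh script that creates the netlogon and profiles directories with the stated owners and modes and then checks them, flagging any profile directory that is reachable by "other". The path /var/lib/samba, the group users and the 0755/0770 modes come from the text above; the function names, the "demo" argument and the use of GNU stat are my own assumptions.

```sh
#!/bin/sh
# Added example, not from the original HOWTO.  Creates the [netlogon] and
# [profiles] directory layout with the ownership and modes described above and
# verifies it afterwards.  Base directory, owner and group are parameters so
# the functions can be exercised in a scratch directory as an unprivileged
# user; on the PDC run them as root, for example
#   setup_profile_dirs /var/lib/samba root users 0770 alice bob
#   check_profile_dirs /var/lib/samba users 0770 alice bob
# GNU stat (as on Gentoo) is assumed.

# setup_profile_dirs BASE OWNER GROUP USERMODE USER...
#   BASE/netlogon, BASE/profiles : mode 0755, owned by OWNER:GROUP
#   BASE/profiles/USER           : mode USERMODE, owned by USER:GROUP
# The per-user directory name must equal the account name because the
# [profiles] share is addressed as \\server\profiles\%U.
setup_profile_dirs() {
    base=$1; owner=$2; group=$3; umode=$4; shift 4
    mkdir -p "$base/netlogon" "$base/profiles" &&
    chown "$owner:$group" "$base/netlogon" "$base/profiles" &&
    chmod 0755 "$base/netlogon" "$base/profiles" || return 1
    for u in "$@"; do
        mkdir -p "$base/profiles/$u" &&
        chown "$u:$group" "$base/profiles/$u" &&
        chmod "$umode" "$base/profiles/$u" || return 1
    done
    return 0
}

# check_profile_dirs BASE GROUP USERMODE USER...
# Prints one line per deviation; returns 1 if any was found, 0 otherwise.
# Besides the prescribed mode it flags profile directories that grant any
# access to "other", since that exposes NTUSER.DAT and the user's documents
# to every local account on the server.
check_profile_dirs() {
    base=$1; group=$2; umode=$3; shift 3
    rc=0
    for d in "$base/netlogon" "$base/profiles"; do
        if mode=$(stat -c %a "$d" 2>/dev/null); then
            [ "$mode" -eq 755 ] || { echo "$d: mode $mode, want 755"; rc=1; }
        else
            echo "$d: missing"; rc=1
        fi
    done
    for u in "$@"; do
        d=$base/profiles/$u
        if ! info=$(stat -c '%a %U %G' "$d" 2>/dev/null); then
            echo "$d: missing"; rc=1; continue
        fi
        mode=${info%% *}; rest=${info#* }; own=${rest%% *}; grp=${rest#* }
        [ "$mode" -eq "$umode" ] || { echo "$d: mode $mode, want $umode"; rc=1; }
        [ "$own" = "$u" ]        || { echo "$d: owner $own, want $u"; rc=1; }
        [ "$grp" = "$group" ]    || { echo "$d: group $grp, want $group"; rc=1; }
        case $mode in
            *[1-7]) echo "$d: accessible to others (mode $mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# Run with "demo" to exercise both functions in a scratch directory.
if [ "${1:-}" = demo ]; then
    scratch=$(mktemp -d) || exit 1
    me=$(id -un); mygrp=$(id -gn)
    setup_profile_dirs "$scratch" "$me" "$mygrp" 0770 "$me" &&
    check_profile_dirs "$scratch" "$mygrp" 0770 "$me" && echo "layout OK under $scratch"
    rm -rf "$scratch"
fi
```

The check is worth rerunning after users have logged on a few times: Windows creates the per-user directory itself if it is missing, and the [profiles] *create mask* and *directory mask* then decide the modes, so a drift from the layout above shows up here rather than in the Samba log.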
 [profiles]
 path = /var/lib/samba/profiles
 browseable = no
 writeable = yes
 default case = lower
 preserve case = no
 short preserve case = no
 case sensitive = no
 hide files = /desktop.ini/ntuser.ini/NTUSER.*/
 write list = @smbusers @root
 create mask = 0600
 directory mask = 0700

*homes* serves each user's home directory. Nothing special needs to be done to this section or to the directories. *valid users = %S* restricts the share to the user whose name it carries, so one user cannot reach another's home through this share.

 [homes]
 path = /home/%U
 browseable = no
 valid users = %S
 read only = no
 guest ok = no
 inherit permissions = yes

*public* is just an example of one of my shares. You can define as many as you want and name them whatever you like; it does not have to be called [public]. Note that *public = yes* (a synonym of *guest ok*) allows anonymous reads of /public; keep *read only = yes* so that only the members of *write list* can write.

 [public]
 comment = Public Stuff
 path = /public
 public = yes
 read only = yes
 browseable = yes
 write list = @users

== Adding users to Samba ==

The drawback of Samba is that users have to be added twice: once to /etc/passwd and once to the smbpasswd file configured above (/var/lib/samba/private/smbpasswd). I assume you already have a regular daily user, so I skip the "useradd" command; the Unix account must exist before smbpasswd -a will accept it. Obviously, and hopefully, root exists on your system. =)

Both of the following commands prompt for a password. My suggestion is to keep your Samba root password the same as your Unix root password, and likewise for your user, to keep things simple. Be aware of what that implies: smbpasswd stores the NT hash, which is equivalent to the password for SMB authentication, so anyone who can read the smbpasswd file can authenticate as root over SMB, and if the two passwords are the same, cracking that unsalted hash yields your Unix root password as well. Keep the file root-owned with mode 0600. Root only needs a Samba password for joining machines to the domain.

 smbpasswd -a your_user
 smbpasswd -a root

== Configure Clients ==

=== Configure Windows 2000 clients ===

This is another simple step. Log in to your Windows 2000 client locally as Administrator and add the client machine to your domain: right-click My Computer => Properties => Network Identification => Properties button. You will be prompted for the username and password of an authorised domain user; use your root account (this is why root was added to smbpasswd). After changing the domain you need to reboot (no surprise there).
When it reboots you get the logon screen with the graphic instructing you to press Ctrl-Alt-Del to reach the actual logon dialog. If you only see fields for username and password, click the "Options" button and a domain dropdown appears. Your choices should be the local computer name and your new domain.

To employ roaming profiles you need a "Default Profile" on the Samba server. Copy the contents of C:\Documents and Settings\Default User from a client into a folder named "Default User" inside the directory specified in your [netlogon] share; new users then start from that profile (assuming roaming profiles are used). I suggest making sure the latest service pack is installed.

After adding the client to the domain and rebooting, leave this screen as it is. We will come back to it later.

=== Configure Windows XP clients ===

Start the process for Windows XP clients with a complete Windows Update. Since Service Pack 2, Windows handles profiles slightly differently. Log in to the Windows XP client locally as Administrator and run:

 gpedit.msc

Navigate to Local Computer Policy / Computer Configuration / Administrative Templates / System / User Profiles and change the setting "Do not check for user ownership of Roaming Profile Folders" from "Not Configured" to "Enabled". If the setting is not present, visit Windows Update again. Then use File / Exit. This is needed because Windows XP checks the ACL on the profile folder and expects the user to own it in Windows terms, which a Unix file system does not express the way XP expects (see also the *profile acls* option below). Once this is done, proceed as for Windows 2000.

== More Samba configuration ==

This step maps your Windows groups to your Unix groups.
This is important if you want admin rights on your Windows clients when you log on to the client authenticating against the PDC. Whoever lands in Domain Admins is an administrator on every workstation in the domain, so keep the Unix group you map to it small.

First, list the Windows groups so you know what you are mapping:

 root@localhost # net groupmap list
 System Operators (S-1-5-32-549) -> -1
 Replicators (S-1-5-32-552) -> -1
 Guests (S-1-5-32-546) -> -1
 Domain Guests (S-1-5-21-3885047494-3765334852-1543503842-514) -> nobody
 Domain Admins (S-1-5-21-3885047494-3765334852-1543503842-512) -> ntadmins
 Power Users (S-1-5-32-547) -> -1
 Print Operators (S-1-5-32-550) -> -1
 Administrators (S-1-5-32-544) -> 1
 Account Operators (S-1-5-32-548) -> -1
 Domain Users (S-1-5-21-3885047494-3765334852-1543503842-513) -> users
 Backup Operators (S-1-5-32-551) -> -1
 Users (S-1-5-32-545) -> -1

As you can see, I have only mapped three groups, as that is all I need on my domain (-1 means the Windows group is not mapped to any Unix group). Additionally, I created a Unix group called "ntadmins":

 root@localhost # groupadd ntadmins

After creating the Unix groups you need, map each one to its Windows group. Replace the ntgroup value with a Windows group listed above and unixgroup with the Unix group you wish to map it to (the Unix group must already exist):

 root@localhost # net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins

Run this command once for each Unix group you wish to map. You can then use the new groups in group-based parameters in either the global or the share sections (please review the O'Reilly book).

== Final Steps ==

Now that Samba is configured, check the file with testparm (it reports syntax errors and shows the effective value of every parameter), then start Samba and add it to the default runlevel:

 root@localhost # testparm
 root@localhost # /etc/init.d/samba start
 root@localhost # rc-update add samba default

At this point you should be able to log on to your domain with your username and password (not root). If you wish to use a roaming profile you need to tell the client: right-click My Computer => Properties => User Profiles.
Select your user and "Change type".

== Using ACL ==

=== What are ACLs? ===

*Extended attributes* are arbitrary name/value pairs associated with files or directories. They can store system objects such as capabilities of executables and access control lists, as well as user objects. The attr(5) manual page describes which kinds of extended attributes are defined.

*Access Control Lists*: on UNIX and UNIX-like systems, file permissions are defined by the file mode. The file mode contains nine bits that determine the access permissions of a file, plus three special bits. This mechanism defines access permissions for three classes of users: the file owner, the file group, and others. It is very simple, and with a couple of bits many permission scenarios can be modelled. Some applications require more control over permissions than this model offers. Access control lists implement a finer-grained permission model: in addition to the file owner, the file group and others, additional users and groups can be granted or denied access.

=== How to enable ACLs ===

For installation and usage please take a look at HOWTO_Use_filesystem_ACLs.

=== The option profile acls ===

This option has (as far as I know) nothing to do with the ACLs on the file system. It is rather an emulation of an ACL: Samba reports the connecting user as the owner of the profile files so that Windows XP and 2000 clients accept their profile from the server. More information can be found in the smb.conf man page.

== Notes ==

*Example login.bat script*

 rem Set the workstation clock from the PDC (shadow is this server's NetBIOS name)
 echo Setting Current Time...
 net time \\shadow /set /yes
 rem Map the home drive and the shared drives
 echo Mapping Network Drives to Domain network server...
 net use H: /HOME
 net use X: \\shadow\public
 net use Y: \\shadow\audio
 net use Z: \\shadow\video

When mapping your home drive, make sure the letter you specify in *logon drive* in the global section is the same as in the "net use XXX: /HOME" command (where XXX is the drive letter). Also, remember that this is the script I use; change it to suit your needs. The script runs on every workstation with the rights of the user logging on, which is why the [netlogon] share must stay read-only for everyone but root.
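*Checking smb.conf for the settings above*

An added example, not from the original HOWTO and not a Samba project tool: a POSIX sh script that audits an smb.conf for the [global] settings this page insists on (security, encrypt passwords, null passwords, hosts allow, bind interfaces only) and for shares that anonymous users can write to. Parameter names are normalised the way Samba matches them (case and embedded whitespace are ignored), and only whole-line comments are honoured, as in smb.conf itself. The two embedded configs are constructed samples, not copied from any real server; the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the original HOWTO.  Audit an smb.conf for the
# settings this page tells you to get right.  Parameter names are normalised
# the way Samba matches them (case and embedded whitespace are ignored, so
# "Hosts Allow" and "hostsallow" are the same key); only whole-line comments
# (# or ;) are honoured, as in smb.conf itself.  One line is printed per
# finding and the exit status is the number of findings.

audit_smbconf() {
    awk '
    function yes(v) { return v ~ /^(yes|true|1)$/ }
    function no(v)  { return v ~ /^(no|false|0)$/ }
    function flag(sec, msg) { printf "[%s] %s\n", sec, msg; n++ }
    # evaluate the parameters collected for one section
    function finish(sec,    guest, rw) {
        if (sec == "") return
        if (sec == "global") {
            if (("security" in p) && p["security"] !~ /^(user|domain|ads)$/)
                flag(sec, "security = " p["security"] " (share/server-level security is weak and obsolete)")
            if (("encryptpasswords" in p) && !yes(p["encryptpasswords"]))
                flag(sec, "encrypt passwords is off (passwords would cross the wire in the clear)")
            if (("nullpasswords" in p) && yes(p["nullpasswords"]))
                flag(sec, "null passwords = yes (accounts with empty passwords can log on)")
            if (!("hostsallow" in p))
                flag(sec, "no hosts allow (any reachable host may connect)")
            if (!("bindinterfacesonly" in p) || !yes(p["bindinterfacesonly"]))
                flag(sec, "bind interfaces only is not yes (smbd listens on every interface)")
        } else {
            guest = yes(p["guestok"]) || yes(p["public"])
            # writeable, writable and "read only = no" are synonyms
            rw = yes(p["writeable"]) || yes(p["writable"]) || no(p["readonly"])
            if (guest && rw) flag(sec, "anonymous users can write to this share")
        }
    }
    BEGIN { sec = ""; n = 0 }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comment or blank line
    /^[ \t]*\[.*\][ \t]*$/ {                       # section header
        finish(sec)
        sec = $0
        sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
        gsub(/[ \t]/, "", sec); sec = tolower(sec)
        split("", p)                               # portable way to empty the array
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        p[key] = tolower(val)
    }
    END { finish(sec); exit n }
    ' "$1"
}

# Constructed samples (not taken from any real server): one config with the
# weak settings, one with the settings this page recommends.
sample_weak_conf() {
    cat <<'EOF'
[global]
   workgroup = EXAMPLE
   security = share
   encrypt passwords = no
   null passwords = yes
; no hosts allow, no bind interfaces only
[public]
   path = /public
   public = yes
   writeable = yes
EOF
}

sample_hardened_conf() {
    cat <<'EOF'
[global]
   workgroup = EXAMPLE
   Hosts Allow = 192.168.4.0/24 127.0.0.0/8
   security = user
   encrypt passwords = yes
   null passwords = no
   interfaces = lo eth0
   bind interfaces only = yes
[public]
   path = /public
   public = yes
   read only = yes
   write list = @users
EOF
}

# Usage: sh audit-smbconf.sh /etc/samba/smb.conf
# With no argument the weak sample is audited so the script runs stand-alone.
if [ $# -gt 0 ]; then
    audit_smbconf "$1"
else
    tmp=$(mktemp) || exit 1
    sample_weak_conf > "$tmp"
    rc=0; audit_smbconf "$tmp" || rc=$?
    rm -f "$tmp"
    echo "$rc finding(s)"
fi
```

The weak sample yields six findings (five in [global], one for the anonymous-writable [public] share); the hardened one yields none. Run it against the real file after testparm, since testparm only checks syntax and this script does not resolve include files or the defaults Samba applies for parameters that are absent.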
*List connected users*

This bash script prints the accounts that currently have an SMB session open and counts them. It is useful to determine whether a specific user is logged in or whether any users are still connected: before you shut down the PDC, make sure nobody is. smbstatus needs root to read the session database.

 #!/bin/bash
 # List the accounts with an open SMB session on this PDC, then count them.
 # "smbstatus -b" prints a version line, a column header (PID Username ...),
 # a dashed rule and then one line per session; field 2 is the user name.
 # Each account is listed once even if it has several sessions open.
 set -o pipefail
 mapfile -t SMBUSERS < <(smbstatus -b \
     | sed -e '/^Samba version/d' -e '/^PID/d' -e '/^-\{3,\}/d' -e '/^$/d' \
     | awk '{print $2}' | sort -u)
 for SMBUSER in "${SMBUSERS[@]}"; do
     echo "$SMBUSER"          # each username
 done
 echo "${#SMBUSERS[@]}"       # number of users logged in
 exit 0

== Resources ==

This HOWTO was compiled with the assistance of the resources listed under Suggested Readings.

=== Suggested Readings ===

* O'Reilly, Using Samba. A slightly outdated book, but its help is priceless.
* www.samba.org. Excellent resource for parameter definitions; not a good resource for learning Samba.
* Gentoo Forums Thread #1
* Gentoo Forums Thread #2

# End of file