Configuring Samba

A Small Office Networking

Server Installation Steps

1. Place an entry for the machine sleeth in the /etc/hosts. The printers are network attached, so there should be entries for the network printers also. An example /etc/hosts file is shown here:
   

   192.168.1.1     sleeth sleeth1
   192.168.2.1     sleeth2
   192.168.1.10    hplj6
   192.168.1.11    hplj4
   192.168.2.10    qms
   

2. Install the Samba-3 binary RPM from the Samba-Team FTP site.
3. Install the ISC DHCP server using the UNIX/Linux system tools available to you.
4.  Because Samba will be operating over two network interfaces and clients on each side may want to be able to reach clients on the other side, it is imperative that IP forwarding is enabled. Use the system tool of your choice to enable IP forwarding. In the absence of such a tool on the Linux system, add to the /etc/rc.d/rc.local file an entry as follows:
   

   echo 1 > /proc/sys/net/ipv4/ip_forward
   

   This causes the Linux kernel to forward IP packets so that it acts as a router.
5. Install the smb.conf file as shown in “Accounting Office Network smb.conf File [globals] Section” and “Accounting Office Network smb.conf File Services and Shares Section”. Combine these two examples to form a single /etc/samba/smb.conf file.
6.  Add the user root to the Samba password backend:
   

   root#  smbpasswd -a root
   New SMB password: XXXXXXX
   Retype new SMB password: XXXXXXX
   root# 
   

   This is the Windows Domain Administrator password. Never delete this account from the password backend after Windows Domain Groups have been initialized. If you delete this account, your system is crippled. You cannot restore this account, and your Samba server can no longer be administered.
7.  Create the username map file to permit the root account to be called Administrator from the Windows network environment. To do this, create the file /etc/samba/smbusers with the following contents:
   

   ####
   # User mapping file
   ####
   # File Format
   # -----------
   # Unix_ID = Windows_ID
   #
   # Examples:
   # root = Administrator
   # janes = "Jane Smith"
   # jimbo = Jim Bones
   #
   # Note: If the name contains a space it must be double quoted.
   #       In the example above the name 'jimbo' will be mapped to Windows
   #       user names 'Jim' and 'Bones' because the space was not quoted.
   #######################################################################
   root = Administrator
   ####
   # End of File
   ####
   

8.  Create and map Windows Domain Groups to UNIX groups. A sample script is provided in “Script to Map Windows NT Groups to UNIX Groups”. Create a file containing this script. We called ours /etc/samba/initGrps.sh. Set this file so it can be executed, and then execute the script. Sample output should be as follows:
   
   Example 2.1. Script to Map Windows NT Groups to UNIX Groups

   #!/bin/bash
   #
   # initGrps.sh
   #
   
   # Create UNIX groups
   groupadd acctsdep
   groupadd finsrvcs
   
   # Map Windows Domain Groups to UNIX groups
   net groupmap add ntgroup="Domain Admins"  unixgroup=root type=d
   net groupmap add ntgroup="Domain Users"   unixgroup=users type=d
   net groupmap add ntgroup="Domain Guests"  unixgroup=nobody type=d
   
   # Add Functional Domain Groups
   net groupmap add ntgroup="Accounts Dept"  unixgroup=acctsdep type=d
   net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
   

   
   

   root#  chmod 755 initGrps.sh
   root#  cd /etc/samba
   root#  ./initGrps.sh
   Updated mapping entry for Domain Admins
   Updated mapping entry for Domain Users
   Updated mapping entry for Domain Guests
   No rid or sid specified, choosing algorithmic mapping
   Successfully added group Accounts Dept to the mapping db
   No rid or sid specified, choosing algorithmic mapping
   Successfully added group Domain Guests to the mapping db
   
   root#  cd /etc/samba
   root#  net groupmap list | sort
   Account Operators (S-1-5-32-548) -> -1
   Accounts Dept (S-1-5-21-194350-25496802-3394589-2003) -> acctsdep
   Administrators (S-1-5-32-544) -> -1
   Backup Operators (S-1-5-32-551) -> -1
   Domain Admins (S-1-5-21-194350-25496802-3394589-512) -> root
   Domain Guests (S-1-5-21-194350-25496802-3394589-514) -> nobody
   Domain Users (S-1-5-21-194350-25496802-3394589-513) -> users
   Financial Services (S-1-5-21-194350-25496802-3394589-2005) -> finsrvcs
   Guests (S-1-5-32-546) -> -1
   Power Users (S-1-5-32-547) -> -1
   Print Operators (S-1-5-32-550) -> -1
   Replicators (S-1-5-32-552) -> -1
   System Operators (S-1-5-32-549) -> -1
   Users (S-1-5-32-545) -> -1
   

9.  For each user who needs to be given a Windows Domain account, make an entry in the /etc/passwd file as well as in the Samba password backend. Use the system tool of your choice to create the UNIX system accounts, and use the Samba smbpasswd program to create the Domain user accounts.
   There are a number of tools for user management under UNIX, such as useradd and adduser, as well as a plethora of custom tools. With the tool of your choice, create a home directory for each user.
10. Using the preferred tool for your UNIX system, add each user to the UNIX groups created previously, as necessary. File system access control will be based on UNIX group membership.
11. Create the directory mount point for the disk subsystem that is mounted to provide data storage for company files. In this case the mount point is indicated in the smb.conf file is /data. Format the file system as required, mount the formatted file system partition using mount, and make the appropriate changes in /etc/fstab.
12. Create the top-level file storage directories are follows:
    

    root#  mkdir -p /data/{accounts,finsvcs}
    root#  chown -R root:root /data
    root#  chown -R alanm:accounts /data/accounts
    root#  chown -R alanm:finsvcs /data/finsvcs
    root#  chmod -R ug+rwx,o+rx-w /data
    

    Each department is responsible for creating its own directory structure within its share. The directory root of the accounts share is /data/accounts. The directory root of the finsvcs share is/data/finsvcs.
13. Configure the printers with the IP addresses as shown in “Abmas Accounting 52-User Network Topology”. Follow the instructions in the manufacturers' manuals to permit printing to port 9100. This allows the CUPS spooler to print using raw mode protocols.
14.  Configure the CUPS Print Queues as follows:
    

    root#  lpadmin -p hplj4 -v socket://192.168.1.11:9100 -E
    root#  lpadmin -p hplj6 -v socket://192.168.1.10:9100 -E
    root#  lpadmin -p qms -v socket://192.168.2.10:9100 -E
    

    This creates the necessary print queues with no assigned print filter.
15.  Edit the file /etc/cups/mime.convs to uncomment the line:
    

    application/octet-stream     application/vnd.cups-raw      0     -
    

16.  Edit the file /etc/cups/mime.types to uncomment the line:
    

    application/octet-stream
    

17.  Using your favorite system editor, create an /etc/dhcpd.conf with the contents as shown in “Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf”.
    
    Example 2.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf

    default-lease-time 86400;
    max-lease-time 172800;
    default-lease-time 86400;
    
    option ntp-servers 192.168.1.1;
    option domain-name "abmas.biz";
    option domain-name-servers 192.168.1.1, 192.168.2.1;
    option netbios-name-servers 192.168.1.1, 192.168.2.1;
    option netbios-node-type 8;
    ### NOTE ###
    # netbios-node-type=8 means set clients to Hybrid Mode
    #   so they will use Unicast communication with the WINS
    #   server and thus reduce the level of UDP broadcast
    #   traffic by up to 90%.
    ############
    
    subnet 192.168.1.0 netmask 255.255.255.0 {
    	range dynamic-bootp 192.168.1.128 192.168.1.254;
    	option subnet-mask 255.255.255.0;
    	option routers 192.168.1.1;
    	allow unknown-clients;
    	host hplj4 {
    		hardware ethernet 08:00:46:7a:35:e4;
    		fixed-address 192.168.1.10;
    		}
    	host hplj6 {
    		hardware ethernet 00:03:47:cb:81:e0;
    		fixed-address 192.168.1.11;
    		}
    	}
    subnet 192.168.2.0 netmask 255.255.255.0 {
    	range dynamic-bootp 192.168.2.128 192.168.2.254;
    	option subnet-mask 255.255.255.0;
    	option routers 192.168.2.1;
    	allow unknown-clients;
    	host qms {
    		hardware ethernet 01:04:31:db:e1:c0;
    		fixed-address 192.168.1.10;
    		}
    	}
    subnet 127.0.0.0 netmask 255.0.0.0 {
    	}
    

    
    
18. Use the standard system tool to start Samba and CUPS and configure them to start automatically at every system reboot. For example,
    
    

    root#  chkconfig dhcp on
    root#  chkconfig smb on
    root#  chkconfig cups on
    root#  /etc/rc.d/init.d/dhcp restart
    root#  /etc/rc.d/init.d/smb restart
    root#  /etc/rc.d/init.d/cups restart
    

19.  Configure the name service switch (NSS) to handle WINS-based name resolution. Since this system does not use a DNS server, it is safe to remove this option from the NSS configuration. Edit the /etc/nsswitch.conf file so that the hosts: entry looks like this:
    

    hosts:	files wins
    

Example 2.3. Accounting Office Network smb.conf File [globals] Section

# Global parameters

[global]

workgroup = BILLMORE

passwd chat = *New*Password* %n\n*Re-enter*new*password* %n\n *Password*changed*

username map = /etc/samba/smbusers

syslog = 0

name resolve order = wins bcast hosts

printcap name = CUPS

show add printer wizard = No

add user script = /usr/sbin/useradd -m -G users '%u'

delete user script = /usr/sbin/userdel -r '%u'

add group script = /usr/sbin/groupadd '%g'

delete group script = /usr/sbin/groupdel '%g'

add user to group script = /usr/sbin/usermod -A '%g' '%u'

add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'

logon script = scripts\login.bat

logon path =

logon drive = X:

domain logons = Yes

preferred master = Yes

wins support = Yes

printing = CUPS

Example 2.4. Accounting Office Network smb.conf File Services and Shares Section

[homes]

comment = Home Directories

valid users = %S

read only = No

browseable = No

[printers]

comment = SMB Print Spool

path = /var/spool/samba

printable = Yes

guest ok = Yes

use client driver = Yes

browseable = No

[netlogon]

comment = Network Logon Service

path = /data/%U

valid users = %S

read only = No

[accounts]

comment = Accounting Files

path = /data/accounts

valid users = %G

read only = No

[finsvcs]

comment = Financial Service Files

path = /data/finsvcs

valid users = %G

read only = No

Validation

Does everything function as it ought? That is the key question at this point. Here are some simple steps to validate your Samba server configuration.

Procedure 2.2. Validation Steps

1.  If your smb.conf file has bogus options or parameters, this may cause Samba to refuse to start. The first step should always be to validate the contents of this file by running:
   

   root#  testparm -s
   Load smb config files from smb.conf
   Processing section "[homes]"
   Processing section "[printers]"
   Processing section "[netlogon]"
   Processing section "[accounts]"
   Processing section "[service]"
   Loaded services file OK.
   # Global parameters
   [global]
           workgroup = BILLMORE
           passwd chat = *New*Password* \
   		%n\n *Re-enter*new*password* %n\n *Password*changed*
           username map = /etc/samba/smbusers
           syslog = 0
           name resolve order = wins bcast hosts
           printcap name = CUPS
           show add printer wizard = No
           add user script = /usr/sbin/useradd -m -G users '%u'
           delete user script = /usr/sbin/userdel -r '%u'
           add group script = /usr/sbin/groupadd '%g'
           delete group script = /usr/sbin/groupdel '%g'
           add user to group script = /usr/sbin/usermod -A '%g' '%u'
           add machine script = /usr/sbin/useradd
   				-s /bin/false -d /var/lib/nobody '%u'
           logon script = scripts\logon.bat
           logon path =
           logon drive = X:
           domain logons = Yes
           preferred master = Yes
           wins support = Yes
   ...
   ### Remainder cut to save space ###
   

   The inclusion of an invalid parameter (say one called dogbert) would generate an error as follows:
   

   Unknown parameter encountered: "dogbert"
   Ignoring unknown parameter "dogbert"
   

   Clear away all errors before proceeding, and start or restart samba as necessary.
2.  Check that the Samba server is running:
   

   root#  ps ax | grep mbd
   14244 ?        S      0:00 /usr/sbin/nmbd -D
   14245 ?        S      0:00 /usr/sbin/nmbd -D
   14290 ?        S      0:00 /usr/sbin/smbd -D
   
   $rootprompt; ps ax | grep winbind
   14293 ?        S     0:00 /usr/sbin/winbindd -D
   14295 ?        S     0:00 /usr/sbin/winbindd -D
   

   The winbindd daemon is running in split mode (normal), so there are also two instances of it. For more information regarding winbindd, see TOSHARG2, Chapter 23, Section 23.3. The single instance of smbd is normal.
3.  Check that an anonymous connection can be made to the Samba server:
   

   root#  smbclient -L localhost -U%
   
           Sharename      Type      Comment
           ---------      ----      -------
           netlogon       Disk      Network Logon Service
           accounts       Disk      Accounting Files
           finsvcs        Disk      Financial Service Files
           IPC$           IPC       IPC Service (Samba3)
           ADMIN$         IPC       IPC Service (Samba3)
           hplj4          Printer   Hewlett-Packard LaserJet 4
           hplj6          Printer   Hewlett-Packard LaserJet 6
           qms            Printer   QMS Magicolor Laser Printer XXXX
   
           Server               Comment
           ---------            -------
           SLEETH               Samba 3.0.20
   
           Workgroup            Master
           ---------            -------
           BILLMORE             SLEETH
   

   This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent of browsing the server from a Windows client to obtain a list of shares on the server. The -U%argument means to send a NULL username and a NULL password.
4.  Verify that the printers have the IP addresses assigned in the DHCP server configuration file. The easiest way to do this is to ping the printer name. Immediately after the ping response has been received, execute arp -a to find the MAC address of the printer that has responded. Now you can compare the IP address and the MAC address of the printer with the configuration information in the /etc/dhcpd.conf file. They should, of course, match. For example,
   

   root#  ping hplj4
   PING hplj4 (192.168.1.11) 56(84) bytes of data.
   64 bytes from hplj4 (192.168.1.11): icmp_seq=1 ttl=64 time=0.113 ms
   
   root#  arp -a
   hplj4 (192.168.1.11) at 08:00:46:7A:35:E4 [ether] on eth0
   

   The MAC address 08:00:46:7A:35:E4 matches that specified for the IP address from which the printer has responded and the entry for it in the /etc/dhcpd.conf file.
5.  Make an authenticated connection to the server using the smbclient tool:
   

   root#  smbclient //sleeth/accounts -U alanm
   Password: XXXXXXX
   smb: \> dir
     .                          D        0  Sun Nov  9 01:28:34 2003
     ..                         D        0  Sat Aug 16 17:24:26 2003
     .mc                       DH        0  Sat Nov  8 21:57:38 2003
     .qt                       DH        0  Fri Sep  5 00:48:25 2003
     SMB                        D        0  Sun Oct 19 23:04:30 2003
     Documents                  D        0  Sat Nov  1 00:31:51 2003
     xpsp1a_en_x86.exe           131170400  Sun Nov  2 01:25:44 2003
   
              65387 blocks of size 65536. 28590 blocks available
   smb: \> q
   

Procedure 2.3. Windows XP Professional Client Configuration

1. Configure clients to the network settings shown in “Abmas Accounting 52-User Network Topology”. All clients use DHCP for TCP/IP protocol stack configuration. DHCP configures all Windows clients to use the WINS Server address 192.168.1.1.
2. Join the Windows Domain called BILLMORE. Use the Domain Administrator username root and the SMB password you assigned to this account. A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to a Windows Domain is given in “A Collection of Useful Tidbits”, “Joining a Domain: Windows 200x/XP Professional”. Reboot the machine as prompted and then log on using a Domain User account.
3. Verify on each client that the machine called SLEETH is visible in My Network Places, that it is possible to connect to it and see the shares accounts and finsvcs, and that it is possible to open that share to reveal its contents.
4. Instruct all users to log onto the workstation using their assigned username and password.
5. Install a printer on each using the following steps:
   
   1. Click Start → Settings → Printers+Add Printer+Next. Do not click Network printer. Ensure that Local printer is selected.
   2. Click Next. In the Manufacturer: panel, select HP. In the Printers: panel, select the printer called HP LaserJet 4. Click Next.
   3. In the Available ports: panel, select FILE:. Accept the default printer name by clicking Next. When asked, “Would you like to print a test page?”, click No. Click Finish.
   4. You may be prompted for the name of a file to print to. If so, close the dialog panel. Right-click HP LaserJet 4 → Properties → Details (Tab) → Add Port.
   5. In the Network panel, enter the name of the print queue on the Samba server as follows: \\SERVER\hplj4. Click OK+OK to complete the installation.
   6. Repeat the printer installation steps above for the HP LaserJet 6 printer as well as for the QMS Magicolor XXXX laser printer.

Notebook Computers: A Special Case

As a network administrator, you already know how to create local machine accounts for Windows 200x/XP Professional systems. This is the preferred solution to provide continuity of work for notebook users so that absence from the office network environment does not become a barrier to productivity.
By creating a local machine account that has the same username and password as you create for that user in the Windows Domain environment, the user can log onto the machine locally and still transparently access network resources as if logged onto the domain itself. There are some trade-offs that mean that as the network is more tightly secured, it becomes necessary to modify Windows client configuration somewhat.

Key Points Learned

In this network design and implementation exercise, you created a Windows NT4-style Domain Controller using Samba-3.0.20. Following these guidelines, you experienced and implemented several important aspects of Windows networking. In the next chapter, you build on the experience. These are the highlights from this chapter:

•  You implemented a DHCP server, and Microsoft Windows clients were able to obtain all necessary network configuration settings from this server.
•  You created a Windows Domain Controller. You were able to use the network logon service and successfully joined Windows 200x/XP Professional clients to the Domain.
•  You created raw print queues in the CUPS printing system. You maintained a simple printing system so that all users can share centrally managed printers. You installed native printer drivers on the Windows clients.
• You experienced the benefits of centrally managed user accounts on the server.
• You offered Mobile notebook users a solution that allows them to continue to work while away from the office and not connected to the corporate network.

Questions and Answers

Your new Domain Controller is ready to serve you. What does it mean? Here are some questions and answers that may help.

1. What is the key benefit of using DHCP to configure Windows client TCP/IP stacks?

2. Are there any DHCP server configuration parameters in the /etc/dhcpd.conf that should be noted in particular?

3. Is it possible to create a Windows Domain account that is specifically called Administrator?

4. Why is it necessary to give the Windows Domain Administrator a UNIX UID of 0?

5. One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him root access. How can we do this?

6. Why must I map Windows Domain Groups to UNIX groups?

7. I deleted my root account and now I cannot add it back! What can I do?

8. When I run net groupmap list, it reports a group called Administrators as well as Domain Admins. What is the difference between them?

9. What is the effect of changing the name of a Samba server or of changing the Domain name?

10. How can I manage user accounts from my Windows XP Professional workstation?

1.	What is the key benefit of using DHCP to configure Windows client TCP/IP stacks?
	First and foremost, portability. It means that notebook users can move between the Abmas office and client offices (so long as they, too, use DHCP) without having to manually reconfigure their machines. It also means that when they work from their home environments either using DHCP assigned addressing or when using dial-up networking, settings such as default routes and DNS server addresses that apply only to the Abmas office environment do not interfere with remote operations. This is an extremely important feature of DHCP.
2.	Are there any DHCP server configuration parameters in the /etc/dhcpd.conf that should be noted in particular?
	Yes. The configuration you created automatically provides each client with the IP address of your WINS server. It also configures the client to preferentially register NetBIOS names with the WINS server, and then instructs the client to first query the WINS server when a NetBIOS machine name needs to be resolved to an IP Address. This configuration results in far lower UDP broadcast traffic than would be the case if WINS was not used.
3.	Is it possible to create a Windows Domain account that is specifically called Administrator?
	You can surely create a Windows Domain account called Administrator. It is also possible to map that account so that it has the effective UNIX UID of 0. This way it isn't necessary to use theusername map facility to map this account to the UNIX account called root.
4.	Why is it necessary to give the Windows Domain Administrator a UNIX UID of 0?
	The Windows Domain Administrator account is the most privileged account that exists on the Windows platform. This user can change any setting, add, delete, or modify user accounts, and completely reconfigure the system. The equivalent to this account in the UNIX environment is the root account. If you want to permit the Windows Domain Administrator to manage accounts as well as permissions, privileges, and security settings within the Domain and on the Samba server, equivalent rights must be assigned. This is achieved with the root UID equal to 0.
5.	One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him root access. How can we do this?
	Users who are members of the Domain Admins group can add machines to the Domain. This group is mapped to the UNIX group account called root (or the equivalent wheel on some UNIX systems) that has a GID of 0. This must be the primary GID of the account of the user who is a member of the Windows Domain Admins account.
6.	Why must I map Windows Domain Groups to UNIX groups?
	Samba-3 does not permit a Domain Group to become visible to Domain network clients unless the account has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are Domain Guests, Domain Users, and Domain Admins.
7.	I deleted my root account and now I cannot add it back! What can I do?
	This is a nasty problem. Fortunately, there is a solution. Back up your existing configuration files in case you need to restore them. Rename the group_mapping.tdb file. Use the smbpasswd to add the root account. Restore the group_mapping.tdb file.
8.	When I run net groupmap list, it reports a group called Administrators as well as Domain Admins. What is the difference between them?
	The group called Administrators is representative of the same account that would be present as the Local Group account on a Domain Member server or workstation. Samba uses only Domain Groups at this time. A Workstation or Server Local Group has no meaning in a Samba context. This may change at some later date. These accounts are provided only so that security objects are correctly shown.
9.	What is the effect of changing the name of a Samba server or of changing the Domain name?
	If you elect to change the name of the Samba server, on restarting smbd, Windows security identifiers are changed. In the case of a standalone server or a Domain Member server, the machine SID is changed. This may break Domain membership. In the case of a change of the Domain name (Workgroup name), the Domain SID is changed. This affects all Domain memberships. If it becomes necessary to change either the server name or the Domain name, be sure to back up the respective SID before the change is made. You can back up the SID using the net getlocalsid (Samba-3) or the smbpasswd (Samba-2.2.x). To change the SID, you use the same tool. Be sure to check the man page for this command for detailed instructions regarding the steps involved.
10.	How can I manage user accounts from my Windows XP Professional workstation?
	Samba-3 implements a Windows NT4-style security domain architecture. This type of Domain cannot be managed using tools present on a Windows XP Professional installation. You may download from the Microsoft Web site the SRVTOOLS.EXE package. Extract it into the directory from which you wish to use it. This package extracts the tools: User Manager for Domains,Server Manager, and Event Viewer. You may use the User Manager for Domains to manage your Samba-3 Domain user and group accounts. Of course, you do need to be logged on as theAdministrator for the Samba-3 Domain. It may help to log on as the root account.