Authenticating Samba Server
Mini-HOWTO
by Brian Pete
Step 1: Install Linux, whichever flavor you prefer; this HOWTO uses Fedora Core 3 (FC3). You can install the Samba suite at this point if you like, but it is not strictly necessary, as it can also be done as part of Step 4. The FC3 installation defaults seem to work well for the purposes of this HOWTO.
Step 2: Download apt from your favorite repository (this HOWTO uses the Dag APT repositories at http://dag.wieers.com/home-made/apt/). As root, run apt-get update to refresh the package list, followed by apt-get dist-upgrade to bring installed software to the most recent versions; this can take some time, especially over slower connections.
Step 3: Optionally, you can install the Synaptic GUI for apt by running the command apt-get install synaptic. This is a useful tool for removing unneeded packages if your hard drive is small or you are trying to make use of maximum hard drive capacity for your Samba shares.
Step 4: If you have not already done so, install the Samba packages; the minimum requirement is the Samba-common and Samba server packages. Next, install SWAT and Webmin. Synaptic is a convenient graphical interface for this step.
Clint's Notes:
1. To be added to this HOWTO: a package selection list for building the server optimized to be a Domain/Login Server.
2. This miniHOWTO is specific to a standard FC3 distribution. Other distributions may require different or additional steps.
3. Getting APT to work can be problematic, as are both up2date and YUM. YUM seems to work the best for me, but it can be sporadic; you just have to keep trying until you are successful. If you are using the current 4.2.1 Linux Terminal Server Project distribution from the K12 project, there are a couple of things that you might do to get things working. a) samba-swat is not installed by default. It can be installed from CD4. After installation, you may have to edit the samba file in /etc/xinetd.d to change it to disable = no, as it is disabled by default, and checking it in the "services" tool does not seem to enable it in xinetd. b) You can download the latest Webmin manually from the K12 repository at http://k12linux.mesd.k12.or.us/K12LTSP/webmin and then install it with rpm -ivh webmin-1.220-1.noarch.rpm (provided this is the rpm that you downloaded). Installing samba-swat and webmin manually in this way may speed up your project instead of trying to get them installed via APT or YUM.
Brian has done an excellent job with this miniHOWTO, but keep in mind that this is a work in progress. It is also best to just copy the smb.conf at the end of this HOWTO, as it appears that SWAT and Webmin seem to come up short in implementing the working smb.conf correctly.
Step 5: As root, run the following commands:
mkdir /var/lib/samba
mkdir /var/lib/samba/netlogon
mkdir /var/lib/samba/profiles
Note: Although this mini-HOWTO says these directories must be created, you may wish to alter the default contents of the smb.conf file instead, to point to different directories.
Step 6: As root, run the following command:
cat /etc/passwd | /usr/bin/mksmbpasswd.sh > /etc/samba/smbpasswd
This step is extremely important, as it will migrate all accounts in /etc/passwd to the /etc/samba/smbpasswd file, including the root account!
Step 7: Start Webmin by navigating to https://localhost:10000 from the server. Log in with root credentials. Several tasks need to be accomplished here:
- In the System menu, select Users and Groups, create a new group called ntadmin, and make root a member of that group.
- From the Servers menu, select Samba Windows File Sharing, and then click on Add and edit Samba groups (near the bottom). Click on Administrators and then fill in the Unix group field with the ntadmin group name you created above. Click Save.
- Back in the Samba Windows File Sharing screen, click Edit Samba users and passwords. Select the root user to edit by clicking it. Set a new password (this is very important, because by default, user information imported into smbpasswd using the mksmbpasswd.sh command does not import passwords!). Repeat this step for any user accounts you would like to use Samba authentication. Blank passwords are not allowed. Ensure that all accounts have the Normal user flag checked.
- Optional: Samba only cares about user and machine accounts, meaning that service accounts such as apache, named, etc., are only taking up space in your smbpasswd file. Non-user accounts may be safely removed from smbpasswd.
- Optional: In webmin, you may configure automatic synchronization of Unix to Samba for both users and groups. One caveat is that machine accounts created in Unix through Webmin don't synchronize automatically.
- Machine accounts consist of the computer name with a $ appended (for example, a Windows 2000 Professional computer named orion would have the machine name orion$). Webmin is the recommended tool to create machine accounts for Samba:
  - From the System menu, select Users and Groups and create a new user; make sure to append the $ to whatever user name you create.
  - In the User Details section, the only fields that need to be filled in are Username (whatever you want), Shell (/sbin/nologin), and optionally, select No for everything in the Upon Creation section.
  - Back in the Servers menu, select Samba Windows File Sharing again. Click Convert Unix users to Samba users and at the next screen, accept the defaults and click the Convert Users button. A screen appears that shows the status of the users that Samba converted; some will say "being skipped", others will say "is already the same", and your new machine account should say "being added" and appear in the list in bold face.
  - Review the machine account you just created by clicking its name in Edit Samba users and passwords. Ensure that Normal user, No password, and Workstation trust account are all checked. Webmin sometimes screws this one up!
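The import in Step 6 copies every /etc/passwd entry, service accounts included, and writes placeholder hashes rather than passwords, which is why Step 7 has you set passwords and optionally prune non-user accounts. The following shell script is an added example, not part of the original mini-HOWTO and not a replacement for mksmbpasswd.sh: it emits smbpasswd-format lines only for root, real users and machine accounts, and lists which entries still carry the placeholder and therefore cannot log on. UID_MIN=500 (the FC3 default for regular users) is an assumption, and the passwd lines are constructed sample data.

```shell
#!/bin/sh
# Added example for Steps 6 and 7 of this mini-HOWTO; it is not part of
# the original page and does not replace mksmbpasswd.sh.
#
#   accounts_to_smbpasswd    reads passwd-format lines on stdin and
#       writes smbpasswd-format lines in the layout mksmbpasswd.sh uses
#       (user:uid:LMhash:NThash:[flags]:LCT-00000000:), but only for
#       root, real users (UID >= UID_MIN with a login shell) and
#       machine accounts (name ending in $). Service accounts such as
#       apache or named are dropped instead of being pruned later.
#   accounts_without_password  reads smbpasswd-format lines and prints
#       the user accounts whose NT hash is still the 32-X placeholder,
#       i.e. accounts that cannot log on until a password is set with
#       smbpasswd or Webmin. Machine accounts (flag W) are skipped.
#
# Assumption: UID_MIN=500, the Fedora Core 3 default for regular users.

UID_MIN=500

accounts_to_smbpasswd() {
    awk -F: -v min="$UID_MIN" '
        BEGIN { x = sprintf("%32s", ""); gsub(/ /, "X", x) }   # 32 X = no hash
        /^#/ || NF < 7 { next }                                # comments, junk
        {
            machine = (substr($1, length($1)) == "$")
            login   = ($7 !~ /(nologin|false)$/)
            if ($3 == 0 || machine || ($3 >= min && login)) {
                flags = machine ? "[W          ]" : "[U          ]"
                printf "%s:%s:%s:%s:%s:LCT-00000000:\n", $1, $3, x, x, flags
            }
        }'
}

accounts_without_password() {
    awk -F: '
        /^#/ || NF < 5 { next }
        $4 ~ /^X+$/ && $5 !~ /W/ { print $1 }'
}

# Constructed sample passwd lines (not from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
bpete:x:500:500:Brian Pete:/home/bpete:/bin/bash
clint:x:501:501:Clint:/home/clint:/bin/bash
orion$:x:502:502:orion workstation:/dev/null:/sbin/nologin'

# smbpasswd lines the filter would write for the sample.
migrate_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | accounts_to_smbpasswd
}

# Accounts that still need a password after the import.
pending_sample() {
    migrate_sample | accounts_without_password
}

# On the real server, as root, after reviewing the output:
#   accounts_to_smbpasswd < /etc/passwd > /etc/samba/smbpasswd
#   accounts_without_password < /etc/samba/smbpasswd
```

For the sample, migrate_sample keeps root, bpete, clint and orion$ (apache and named are dropped), and pending_sample reports root, bpete and clint: those are exactly the accounts Step 7 tells you to give a password, while the machine account is left alone because it is meant to have none.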
Step 8: In the latest versions of Webmin, you can start SWAT from directly within Webmin. SWAT is a very comprehensive tool for configuring Samba, and it is easy to become confused, particularly since some of the configuration options that need to be set can only be found in the Advanced Configuration screens.
The smb.conf file below provides a functional primary domain controller for the Megacorp domain, with home directories mapped to the I: drive and a public file share called Download. Copy the text into your /etc/samba/smb.conf. You can edit it later using Webmin.
Note: Enabling WINS support should be considered mandatory in the Samba server, and for best results, Windows 2000 and XP machines should have the Samba server listed as a WINS server in the Advanced Settings of the TCP/IP configuration.
The Samba domain controller can be further enhanced by installing DHCP and DNS servers, allowing for an integrated network solution. Possible future addition to miniHOWTO?
# Samba config file created using SWAT
# Date: 2005/08/17 22:49:36
# Global parameters
[global]
workgroup = MEGACORP
server string = File & Print Server
security = user
passdb backend = smbpasswd
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
username map = /etc/samba/smbusers
unix password sync = Yes
log file = /var/log/samba/%m.log
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = logon.cmd
logon drive = I:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap ssl = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
cups options = raw
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0664
directory mask = 0775
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
[netlogon]
path = /var/lib/samba/netlogon
write list = ntadmin
[profiles]
path = /var/lib/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
[Download]
path = /data/download
read only = No
guest only = Yes
guest ok = Yes
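Anyone pasting this file should know what it grants anonymous clients: the Download share is writable by guests, which is intended here, but the same combination is easy to introduce by accident in another share. The following shell script is an added example, not part of the HOWTO: it parses an smb.conf with keys normalised the way Samba reads them (case-insensitive, whitespace collapsed) and reports guest-writable shares, plus any of the global settings this HOWTO treats as required (security = user, wins support, domain logons) that are not set. The trimmed copy of this HOWTO's configuration and the hardened variant are embedded for the demonstration; the variant is constructed, not from the page.

```shell
#!/bin/sh
# Added example, not part of the original mini-HOWTO. audit_smbconf
# reads an smb.conf on stdin and prints one finding per line:
#   guest-writable: <share>   a share anonymous users can write to
#                             (guest ok or guest only = yes, and read
#                             only = no or writable/writeable = yes)
#   global: <setting>         security is not "user", or wins support
#                             or domain logons is not enabled; this
#                             HOWTO treats all three as required
# Boolean values accept yes/true/1, as Samba does. A share with no
# read only/writable key is treated as read only (Samba's default).

audit_smbconf() {
    awk '
    function norm(s) {
        s = tolower(s); gsub(/^[ \t]+|[ \t]+$/, "", s); gsub(/[ \t]+/, " ", s)
        return s
    }
    function isyes(v) { v = norm(v); return (v == "yes" || v == "true" || v == "1") }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                                 # [section] header
        sub(/^[ \t]*\[/, ""); sub(/\].*$/, "")
        sec = norm($0); order[++n] = sec; next
    }
    {
        i = index($0, "="); if (i == 0) next
        cfg[sec, norm(substr($0, 1, i - 1))] = norm(substr($0, i + 1))
    }
    END {
        for (j = 1; j <= n; j++) {
            s = order[j]
            if (s == "global") continue
            guest = isyes(cfg[s, "guest ok"]) || isyes(cfg[s, "guest only"])
            w = 0                                 # Samba default: read only
            if ((s, "read only") in cfg) w = !isyes(cfg[s, "read only"])
            if ((s, "writable")  in cfg) w = isyes(cfg[s, "writable"])
            if ((s, "writeable") in cfg) w = isyes(cfg[s, "writeable"])
            if (guest && w) print "guest-writable: " s
        }
        if (cfg["global", "security"] != "user") print "global: security is not user"
        if (!isyes(cfg["global", "wins support"])) print "global: wins support is not yes"
        if (!isyes(cfg["global", "domain logons"])) print "global: domain logons is not yes"
    }'
}

# The share definitions from this HOWTO's smb.conf, trimmed to the
# lines the audit looks at.
HOWTO_CONF='[global]
    workgroup = MEGACORP
    security = user
    domain logons = Yes
    wins support = Yes
[homes]
    valid users = %S
    read only = No
    browseable = No
[printers]
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
[netlogon]
    path = /var/lib/samba/netlogon
    write list = ntadmin
[Download]
    path = /data/download
    read only = No
    guest only = Yes
    guest ok = Yes'

audit_howto() { printf '%s\n' "$HOWTO_CONF" | audit_smbconf; }

# Constructed variant (not from the HOWTO): the Download share limited
# to authenticated users, everything else unchanged.
audit_hardened() {
    printf '%s\n' "$HOWTO_CONF" \
      | sed -e '/^\[Download\]/,$s/guest only = Yes/guest only = No/' \
            -e '/^\[Download\]/,$s/guest ok = Yes/guest ok = No/' \
      | audit_smbconf
}

# Live use:  audit_smbconf < /etc/samba/smb.conf
```

audit_howto reports only "guest-writable: download" for this HOWTO's file, and audit_hardened reports nothing. This complements rather than replaces testparm -s, which checks that Samba can parse the file but says nothing about what a share exposes.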