Scratch and Dent Samba-3
by Clint Tinsley

About a year ago, we first looked at Samba and SMB shares as a way of accessing a common shared folder from a Linux server. At that time, I had “hacked” an smb.conf file that worked everywhere (every Linux distribution that I tried it on). It was very easy to implement after a couple of simple “rules” to follow in creating the Shared folder.

At our March meeting, we took our Samba experience to a new level, as the desire of one of the Linux SIG members was to implement a “Microsoft NT 4” domain on Linux using Samba-3, which according to all known reports at the time was feasible to do. This was a scratch and dent experience, at least for me, and I made some pretty deep scratches in the surface of Samba (they might even have been gouges from my fingernails as I attempted to keep myself from falling off the surface) and definitely made a dent in the knowledge base of what can be done. On first scratch, I found out that this would not be a true NT 4 domain controller (DC), but it does support domain functionality such as netlogon and profiles as well as secure user folders. Scratching further, it does not do Active Directory Services; however, it can use ADS as an authentication method and be an NT4-style member server in an ADS forest.

My primary tome of reference for this “scratch and dent” experience was The Official Samba-3 HOWTO and Reference Guide by John H. Terpstra and Jelmer R. Vernooij, co-editors of this 674-page compilation. It is part of the Bruce Perens’ Open Source Series, which is available on the Internet for free as “open source”, but I prefer hardcopy. You can download the pdf as well as other books in the Bruce Perens’ series at http://www.informit.com/promotion/1041. The HOW-TO Samba-3 collection can be found online at http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/. My copy is actually signed by Mr. Terpstra, whom I met at Novell Brainshare last March, where I bought my copy. Novell has taken the SMB/Linux user to new heights by implementing Novell Netware Linux Services, provisioning and managing Novell eDirectory users as LUM users (Linux User Management) through Novell’s iManager portal. This means a Novell administrator never has to touch Linux user management to create Novell user accounts on a Linux server or workstation, and a lot of it is tied directly to SMB/Samba.

A useful reference guide to SMB basics, including configuring Konqueror's LAN browser (the LISa daemon) to work, can be found at www.linux-magazine.com/issue/28/SMBClients.pdf. This was one of those "scratch" experiences: when you first attempt to browse Windows networks from the KDE desktop, you get a very cryptic "Lisa" error which is easily resolved once you know how, and the pdf walks you through it. The GNOME desktop, by contrast, provides a very capable network browser ready to go.

The following command was very necessary to synchronize my Linux users as smbusers: "cat /etc/passwd | /usr/bin/mksmbpasswd.sh > /etc/samba/smbpasswd". I could not enable a Linux user as an smbuser without first migrating the Linux user accounts to the smbpasswd file. I am still not sure what the smbusers file is used for, only that it is necessary for the root account to work in "joining" Windows client machines to the Domain. The book references this smbusers file, including putting a “username map” line in the global section of the smb.conf, which is in the final smb.conf, but I could never get the “equivalent” user names of administrator or admin to work in joining a machine to the Domain; the “root” user worked, but a gotcha here is that you must set the password for the root user in the Samba password file, and that password must be different from the Linux root user’s password! Another line essential to the joining process, which can be seen in the final smb.conf, is "add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u"; this script automatically creates the Linux user account for the machine, since for a machine to join a domain there has to be a machine account as well as the user account. The other thing of note is that the global entry "smb passwd = /etc/samba/smbpasswd" is not in the final smb.conf file but is still displayed in the SWAT global page even though not written to the smb.conf, so I am assuming that Samba-3 just "knows" about this file, and it definitely uses it to identify and authenticate SMB users as both Windows "share" users in the Workgroup and as Domain accounts.

I am fairly convinced that I could not have gotten everything to work without using SWAT, and if I could have, it would have taken days rather than the 3 or 4 hours I spent. For example, even though I set the smbpasswd at the command line, it wasn’t until I set it in SWAT that it actually worked. There was a bit of magic in all this, but hey, it worked; who cares what went on behind the curtain. On the other side, not everything worked in SWAT, such as monitoring or controlling the smb service, as SWAT consistently showed that smb wasn’t running when in fact it was, and running very well.

The Domain for this DC is LINUXDC, the same as the workgroup name. The netbios name SAMBA is the SMB share server name. Before I actually got the Windows XP client computer to join the domain, I could log in to the SMB "user" account and see the public "Shared" folder as well as my home directory and the profile and netlogon folders, so they were all browseable from the network after authenticating (logging in) as the user.

My hand-coded starting smb.conf, based on the book and HOW-TO. This smb.conf is based on my standard public "Shared" smb.conf before implementing "user" security, which requires authentication as the enabled smbuser on the Linux system.

# Samba config file created using SWAT
# from clint (127.0.0.1)
# Date: 2003/02/25
# Global parameters
[global]
      workgroup = LinuxDC
      netbios name = SAMBA
      server string = Samba Server
      security = user
      domain logons = yes
      domain master = yes
      local master = yes
      logon path = \\%N\profiles\%u
      # the drive letter belongs to "logon drive"; a second "logon path" line
      # would silently override the one above (Samba keeps the last value)
      logon drive = H:
      # "homeserver" must resolve to the server holding the home directories
      logon home = \\homeserver\%u\winprofile
      logon script = logon.cmd
      # the parameter is "smb passwd file"; "smb passwd" on its own is not a
      # recognised name and testparm flags it as an unknown parameter
      smb passwd file = /etc/samba/smbpasswd
      encrypt passwords = Yes
      obey pam restrictions = Yes
      pam password change = Yes
      passwd program = /usr/bin/passwd %u
      passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
      unix password sync = Yes
      log file = /var/log/samba/%m.log
      max log size = 0
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
      dns proxy = No
      # "all" is the default; this line restricts nothing
      hosts allow = all
#     printcap name = etc/printcap
#     load printers = yes
#     printing = lprng
#     preferred master = yes

[netlogon]
      path = /var/lib/samba/netlogon
      read only = yes
      write list = ntadmin

[profiles]
      path = /var/lib/samba/profiles
      read only = no
      create mask = 0600
      directory mask = 0700

[homes]
      comment = Home Directories
      valid users = %S
      read only = No
      create mask = 0664
      directory mask = 0775
      browseable = No

[printers]
      comment = All Printers
      path = /var/spool/samba
      printable = Yes
      guest ok = Yes
      browseable = No
      public = yes

[Shared]
      path = /Shared
      # guest ok together with read only = No makes this share writable by
      # anyone who can reach the server, without authenticating
      read only = No
      guest ok = Yes
      create mask = 0664
      directory mask = 0775
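A small consistency check for a hand-coded smb.conf, added here as an example (it is not code from the article or from the Samba project): it reads parameter names the way Samba does (case and whitespace ignored) and reports a key set twice in one section (the two `logon path` lines), `smb passwd` written where `smb passwd file` is meant, guest-writable shares such as [Shared], and `hosts allow = all`, which restricts nothing. The embedded sample is constructed from the lines of the starting config, and `MISNAMED` is a hand-made map of slips, not a list from Samba.

```python
"""smb.conf lint: an added example, not code from the article or the Samba project.
Flags a key set twice, a parameter name Samba does not know, guest-writable shares and
'hosts allow = all', all of which appear in the article's hand-coded starting config."""
import re
# Constructed sample: the relevant lines of the article's starting smb.conf.
SAMPLE_CONF = r"""
[global]
      logon path = \\%N\profiles\%u
      logon path = H:
      smb passwd = /etc/samba/smbpasswd
      hosts allow = all
[Shared]
      read only = No
      guest ok = Yes
"""
MISNAMED = {"smbpasswd": "smb passwd file"}  # typo -> the real smb.conf(5) name
YES = ("yes", "true", "1")

def norm(key):  # Samba compares parameter names ignoring case and whitespace
    return re.sub(r"\s+", "", key).lower()

def parse_smb_conf(text):  # -> {section: [(normalised key, value), ...]} in file order
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            sections[current].append((norm(key), value.strip()))
    return sections

def lint(text):  # -> sorted list of finding strings
    findings = []
    for sec, items in parse_smb_conf(text).items():
        keys = [k for k, _ in items]
        for k in sorted(set(keys)):
            if keys.count(k) > 1:
                findings.append(f"[{sec}] '{k}' set {keys.count(k)} times; Samba keeps the last")
            if k in MISNAMED:
                findings.append(f"[{sec}] '{k}' is not a parameter; did you mean '{MISNAMED[k]}'")
        d = dict(items)  # last value wins, as in Samba
        writable = d.get("writable", "no").lower() in YES or d.get("readonly", "yes").lower() not in YES
        if sec != "global" and d.get("guestok", "no").lower() in YES and writable:
            findings.append(f"[{sec}] guest-writable share")
        if norm(d.get("hostsallow", "")) == "all":
            findings.append(f"[{sec}] 'hosts allow = all' restricts nothing")
    return sorted(findings)
```

Running `lint(SAMPLE_CONF)` yields four findings; `testparm` remains the authoritative check for unknown parameters, since `MISNAMED` only knows the slips listed in it.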

My final working smb.conf, which I configured using SWAT.

SWAT is reached at http://localhost:901; samba-swat must be installed and enabled as a service. samba-swat is an xinetd process, and restarting xinetd did not start it but rebooting did; sometimes rebooting is just the easiest thing to do.

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2005/03/04 21:52:16
# Global parameters
[global]
    workgroup = LINUXDC
    netbios name = SAMBA
    server string = Samba Server
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    username map = /etc/samba/smbusers
    unix password sync = Yes
    log file = /var/log/samba/%m.log
    max log size = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    # creates the Unix account for each machine joining the domain (no home, no shell)
    add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
    logon script = logon.cmd
    logon drive = H:
    logon home = \\homeserver\%u\winprofile
    domain logons = Yes
    domain master = Yes
    dns proxy = No
    ldap ssl = no
    # "all" is the default; this line restricts nothing
    hosts allow = all

[netlogon]
    path = /var/lib/samba/netlogon
    write list = ntadmin

[profiles]
    path = /var/lib/samba/profiles
    read only = No
    create mask = 0600
    directory mask = 0700

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0664
    directory mask = 0775
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No

[Shared]
    path = /Shared
    # guest ok together with read only = No makes this share writable by
    # anyone who can reach the server, without authenticating
    read only = No
    create mask = 0664
    directory mask = 0775
    guest ok = Yes

It is useful, in avoiding "dependency hell" as one person put it, to keep the versions of all the samba and samba-swat components consistent. For example, at the meeting I tried to install samba-swat-3.0.8, which was on the DVD, but I was already running samba 3.0.10-1, so I had to go find samba-swat 3.0.10-1 during the meeting so we could proceed. Samba updates for Red Hat Fedora Core 3 (32-bit and 64-bit) are available at http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/. MD5 checksums are published for each update; check a downloaded RPM against its checksum before installing it.


These updates can also be installed with the Update Agent or YUM; you can launch the Update Agent with the 'up2date' command.
