mini-howto: Making Windows work with Linux on your network
nukes
Linux Guru


Joined: 29 Aug 2024
Posts: 4558

Posted: Wed Sep 08, 2024 10:02 am

It's only a basic introduction. I would have preferred to do it better, but I'm not going to have time. I'm off to uni in a week and a half - real life will have to take priority for a bit.
If anyone else wants to add something to it, feel free. Smile
As a basic introduction, I think it's ok. If one of you feel it's worth putting on the tutorial link page, do it.



_________________
Gentoo x86-64 2.6.29.1
FreeBSD 7-CURRENT
Arch x86 2.6.30
Germ
Keeper of the BIG STICK


Joined: 30 Apr 2024
Posts: 12452
Location: Planet Earth

Posted: Wed Sep 08, 2024 11:23 am

Nukes wrote:
If one of you feel it's worth putting on the tutorial link page, do it.


Done. Thanks, Nukes. Good job. Very Happy



_________________
Laptop: Mandriva 2024 PowerPack - 2.6.33.5-0.2mnb
Desktop: Mandriva 2024 Free - kernel 2.6.33.2-1mib
Xeroid
Site Admin


Joined: 19 Apr 2024
Posts: 6456
Location: Georgia

Posted: Wed Sep 08, 2024 11:18 pm

Germ wrote:
Nukes wrote:
If one of you feel it's worth putting on the tutorial link page, do it.


Done. Thanks, Nukes. Good job. Very Happy


Cool yep



_________________
Ubuntu 10.04 . . . Kernel-2.6.32-22
Mow
Member


Joined: 22 Oct 2024
Posts: 389
Location: Right behind you

Posted: Thu Sep 09, 2024 6:06 pm

Quote:
It was pretty good, I wouldn't mind seeing information on using samba as a PDC which, if I heard correctly, it can do now, or even as a BDC.


Currently I'm working on a configuration of a PDC using LDAP and a BDC that will host the home directories and such.

When I can come up with a nice set of instructions (my time is limited so please be patient) I'll post them here along with needed smb.conf files.

I have about 5 Windows XP boxes and 2 servers I'm testing this on so I have a good base for testing.


Xeroid
Site Admin


Joined: 19 Apr 2024
Posts: 6456
Location: Georgia

Posted: Fri Sep 10, 2024 12:59 am

Mow wrote:
Quote:
It was pretty good, I wouldn't mind seeing information on using samba as a PDC which, if I heard correctly, it can do now, or even as a BDC.


Currently I'm working on a configuration of a PDC using LDAP and a BDC that will host the home directories and such.

When I can come up with a nice set of instructions (my time is limited so please be patient) I'll post them here along with needed smb.conf files.

I have about 5 Windows XP boxes and 2 servers I'm testing this on so I have a good base for testing.


Very cool Mow. Cool Looking forward to seeing your work. Smile



_________________
Ubuntu 10.04 . . . Kernel-2.6.32-22
Mow
Member


Joined: 22 Oct 2024
Posts: 389
Location: Right behind you

Posted: Mon Sep 13, 2024 1:16 pm    Post subject: PDC Config

This is actually for SAMBA 2.x but it works pretty much the same for Samba 3.x. This is from the samba.org site with some of the fat trimmed out and is what I used as a "guideline" for getting my total Linux domain up and running. Also, XP isn't listed in here, but follow the instructions for Windows 2024 as that too is essentially the same.

Quote:

Configuring the Samba Domain Controller
Here is an example smb.conf for acting as a PDC:
[global]
; Basic server settings
netbios name = POGO
workgroup = NARNIA

; we should act as the domain and local master browser
os level = 64
preferred master = yes
domain master = yes
local master = yes

; security settings (must use security = user)
security = user

; encrypted passwords are a requirement for a PDC
encrypt passwords = yes

; support domain logons
domain logons = yes

; where to store user profiles?
logon path = \\%N\profiles\%u

; where is a user's home directory and where should it
; be mounted at?
logon drive = H:
logon home = \\homeserver\%u

; specify a generic logon script for all users
; this is a relative **DOS** path to the [netlogon] share
logon script = logon.cmd

; necessary share for domain controller
[netlogon]
path = /usr/local/samba/lib/netlogon
read only = yes
write list = ntadmin

; share for storing user profiles
[profiles]
path = /export/smb/ntprofile
read only = no
create mask = 0600
directory mask = 0700
There are a couple of points to emphasize in the above configuration.
• Encrypted passwords must be enabled.
• The server must support domain logons and a [netlogon] share
• The server must be the domain master browser in order for Windows clients to locate the server as a DC. Please refer to the various Network Browsing documentation included with this distribution for details.
________________________________________
Creating Machine Trust Accounts and Joining Clients to the Domain
A machine trust account is a Samba account that is used to authenticate a client machine (rather than a user) to the Samba server. In Windows terminology, this is known as a "Computer Account."
The password of a machine trust account acts as the shared secret for secure communication with the Domain Controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from joining the domain and gaining access to domain user/group accounts. Windows NT and 2024 clients use machine trust accounts, but Windows 9x clients do not. Hence, a Windows 9x client is never a true member of a domain because it does not possess a machine trust account, and thus has no shared secret with the domain controller.
A Windows PDC stores each machine trust account in the Windows Registry. A Samba PDC, however, stores each machine trust account in two parts, as follows:
• A Samba account, stored in the same location as user LanMan and NT password hashes (currently smbpasswd). The Samba account possesses and uses only the NT password hash.
• A corresponding Unix account, typically stored in /etc/passwd. (Future releases will alleviate the need to create /etc/passwd entries.)
There are two ways to create machine trust accounts:
• Manual creation. Both the Samba and corresponding Unix account are created by hand.
• "On-the-fly" creation. The Samba machine trust account is automatically created by Samba at the time the client is joined to the domain. (For security, this is the recommended method.) The corresponding Unix account may be created automatically or manually.

________________________________________
Manual Creation of Machine Trust Accounts
The first step in manually creating a machine trust account is to manually create the corresponding Unix account in /etc/passwd. This can be done using vipw or other 'add user' command that is normally used to create new Unix accounts. The following is an example for a Linux based Samba server:
root# /usr/sbin/useradd -g 100 -d /dev/null -c "machine nickname" -s /bin/false machine_name$
root# passwd -l machine_name$
The /etc/passwd entry will list the machine name with a "$" appended, won't have a password, will have a null shell and no home directory. For example, a machine named 'doppy' would have an /etc/passwd entry like this:

doppy$:x:505:501:machine_nickname:/dev/null:/bin/false

Above, machine_nickname can be any descriptive name for the client, i.e., BasementComputer. machine_name absolutely must be the NetBIOS name of the client to be joined to the domain. The "$" must be appended to the NetBIOS name of the client or Samba will not recognize this as a machine trust account.
Now that the corresponding Unix account has been created, the next step is to create the Samba account for the client containing the well-known initial machine trust account password. This can be done using the smbpasswd(8) command as shown here:
root# smbpasswd -a -m machine_name
where machine_name is the machine's NetBIOS name. The RID of the new machine account is generated from the UID of the corresponding Unix account.
Join the client to the domain immediately
Manually creating a machine trust account using this method is the equivalent of creating a machine trust account on a Windows NT PDC using the "Server Manager". From the time at which the account is created to the time at which the client joins the domain and changes the password, your domain is vulnerable to an intruder joining your domain using a machine with the same NetBIOS name. A PDC inherently trusts members of the domain and will serve out a large degree of user information to such clients. You have been warned!



________________________________________
"On-the-Fly" Creation of Machine Trust Accounts
The second (and recommended) way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the client is joined to the domain.
Since each Samba machine trust account requires a corresponding Unix account, a method for automatically creating the Unix account is usually supplied; this requires configuration of the add user script option in smb.conf. This method is not required, however; corresponding Unix accounts may also be created manually.
[global]
# <...remainder of parameters...>
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
________________________________________
Joining the Client to the Domain
The procedure for joining a client to the domain varies with the version of Windows.
• Windows 2024
When the user elects to join the client to a domain, Windows prompts for an account and password that is privileged to join the domain. A Samba administrative account (i.e., a Samba account that has root privileges on the Samba server) must be entered here; the operation will fail if an ordinary user account is given. The password for this account should be set to a different password than the associated /etc/passwd entry, for security reasons.
The session key of the Samba administrative account acts as an encryption key for setting the password of the machine trust account. The machine trust account will be created on-the-fly, or updated if it already exists.
• Windows NT
If the machine trust account was created manually, on the Identification Changes menu enter the domain name, but do not check the box "Create a Computer Account in the Domain." In this case, the existing machine trust account is used to join the machine to the domain.
If the machine trust account is to be created on-the-fly, on the Identification Changes menu enter the domain name, and check the box "Create a Computer Account in the Domain." In this case, joining the domain proceeds as above for Windows 2024 (i.e., you must supply a Samba administrative account when prompted).

Configuration Instructions: Setting up Roaming User Profiles
Warning
NOTE! Roaming profiles support is different for Win9X and WinNT.
Before discussing how to configure roaming profiles, it is useful to see how Win9X and WinNT clients implement these features.
Win9X clients send a NetUserGetInfo request to the server to get the user's profiles location. However, the response does not have room for a separate profiles location field, only the user's home share. This means that Win9X profiles are restricted to being in the user's home directory.
WinNT clients send a NetSAMLogon RPC request, which contains many fields, including a separate field for the location of the user's profiles. This means that support for profiles is different for Win9X and WinNT.
________________________________________
Windows NT Configuration
To support WinNT clients, in the [global] section of smb.conf set the following (for example):
logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath
The default for this option is \\%N\%U\profile, namely \\sambaserver\username\profile. The \\%N\%U service is created automatically by the [homes] service. If you are using a samba server for the profiles, you _must_ make the share specified in the logon path browseable.
Note: [lkcl 26aug96 - we have discovered a problem where Windows clients can maintain a connection to the [homes] share in between logins. The [homes] share must NOT therefore be used in a profile path.]
________________________________________
Windows 9X Configuration
To support Win9X clients, you must use the "logon home" parameter. Samba has now been fixed so that "net use/home" now works as well, and it, too, relies on the "logon home" parameter.
By using the logon home parameter, you are restricted to putting Win9X profiles in the user's home directory. But wait! There is a trick you can use. If you set the following in the [global] section of your smb.conf file:
logon home = \\%L\%U\.profiles
then your Win9X clients will dutifully put their clients in a subdirectory of your home directory called .profiles (thus making them hidden).
Not only that, but 'net use/home' will also work, because of a feature in Win9X. It removes any directory stuff off the end of the home directory area and only uses the server and share portion. That is, it looks like you specified \\%L\%U for "logon home".
________________________________________
Win9X and WinNT Configuration
You can support profiles for both Win9X and WinNT clients by setting both the "logon home" and "logon path" parameters. For example:
logon home = \\%L\%U\.profiles
logon path = \\%L\profiles\%U
Note: I have not checked what 'net use /home' does on NT when "logon home" is set as above.


And here is my smb.conf

Quote:

# Global parameters
[global]
workgroup = <domain name>
username map = /etc/samba/smbusers
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -g machines -d /dev/null -s /bin/false -M %u
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 65
domain master = Yes
wins support = Yes
idmap uid = 15000-20000

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printer admin = root, <username>
create mask = 0600
guest ok = Yes
printable = Yes
browseable = No

[print$]
comment = Printer Driver Share
path = /var/lib/samba/drivers
write list = root, user, <username>
printer admin = <username>, root

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root, <username>
guest ok = Yes
browseable = No

[Profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
guest ok = Yes
More to come ......


Mow
Member


Joined: 22 Oct 2024
Posts: 389
Location: Right behind you

Posted: Mon Sep 13, 2024 1:19 pm    Post subject: BDC

Same as above: for Samba 2.x, but it should work just fine for 3.x.

Quote:

How do I set up a Samba BDC?
Several things have to be done:
• The file private/MACHINE.SID identifies the domain. When a samba server is first started, it is created on the fly and must never be changed again. This file has to be the same on the PDC and the BDC, so the MACHINE.SID has to be copied from the PDC to the BDC. Note that in the latest Samba 2.2.x releases, the machine SID (and therefore domain SID) is stored in the private/secrets.tdb database. This file cannot just be copied because Samba looks under the key SECRETS/SID/DOMAIN, where DOMAIN is the machine's netbios name. Since this name has to be unique for each SAMBA server, this lookup will fail.
A new option has been added to the smbpasswd(8) command to help ease this problem. When running smbpasswd -S as the root user, the domain SID will be retrieved from a domain controller matching the value of the workgroup parameter in smb.conf and stored as the new Samba server's machine SID. See the smbpasswd(8) man page for more details on this functionality.
• The Unix user database has to be synchronized from the PDC to the BDC. This means that both the /etc/passwd and /etc/group have to be replicated from the PDC to the BDC. This can be done manually whenever changes are made, or the PDC is set up as a NIS master server and the BDC as a NIS slave server. To set up the BDC as a mere NIS client would not be enough, as the BDC would not be able to access its user database in case of a PDC failure. LDAP is also a potential vehicle for sharing this information.
• The Samba password database in the file private/smbpasswd has to be replicated from the PDC to the BDC. This is a bit tricky, see the next section.
• Any netlogon share has to be replicated from the PDC to the BDC. This can be done manually whenever login scripts are changed, or it can be done automatically together with the smbpasswd synchronization.
Finally, the BDC has to be found by the workstations. This can be done by setting
[global]
workgroup = SAMBA
domain master = no
domain logons = yes
encrypt passwords = yes
security = user
....
in the [global]-section of the smb.conf of the BDC. This makes the BDC only register the name SAMBA#1c with the WINS server. This is no problem as the name SAMBA#1c is a NetBIOS group name that is meant to be registered by more than one machine. The parameter 'domain master = no' forces the BDC not to register SAMBA#1b which as a unique NetBIOS name is reserved for the Primary Domain Controller.
________________________________________
How do I replicate the smbpasswd file?
Replication of the smbpasswd file is sensitive. It has to be done whenever changes to the SAM are made. Every user's password change (including machine trust account password changes) is done in the smbpasswd file and has to be replicated to the BDC. So replicating the smbpasswd file very often is necessary.
As the smbpasswd file contains plain text password equivalents, it must not be sent unencrypted over the wire. The best way to set up smbpasswd replication from the PDC to the BDC is to use the utility rsync(1). rsync can use ssh(1) as a transport. ssh itself can be set up to accept only rsync transfer without requiring the user to type a password. Refer to the man pages for these two tools for more details.


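An added example, not from the thread or the Samba documentation: a small Python linter that checks an smb.conf against the PDC points quoted in the PDC Config post (security = user, encrypted passwords, domain logons, domain master, a [netlogon] share, a profile share that is not [homes], not guest-accessible and with 0600/0700 masks) and the BDC rule quoted here (a BDC must not be domain master). The two sample configs are constructed from the thread's snippets; parameter names are normalised the way Samba compares them.

```python
# Settings the quoted docs require on a PDC; a BDC must not be domain master, or
# it would register the unique SAMBA#1b name that is reserved for the PDC.
REQUIRED = {"pdc": {"security": "user", "encryptpasswords": "yes",
                    "domainlogons": "yes", "domainmaster": "yes"}}
REQUIRED["bdc"] = dict(REQUIRED["pdc"], domainmaster="no")
BOOL = {"true": "yes", "1": "yes", "false": "no", "0": "no"}
# Samba's default masks (0744 / 0755) leave profile files readable by others.
MASKS = {"createmask": ("0744", 0o600), "directorymask": ("0755", 0o700)}

def norm(value):
    value = value.strip().lower()  # fold Samba's boolean spellings onto yes/no
    return BOOL.get(value, value)

def parse_smb_conf(text):
    """Return {section: {key: value}}. Keys are lower-cased with whitespace
    removed, which is how Samba compares parameter names; ';' and '#' comment."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section]["".join(key.split()).lower()] = value.strip()
    return conf

def lint(text, role):
    """Return findings for a 'pdc' or 'bdc' smb.conf; an empty list means it passes."""
    conf, out = parse_smb_conf(text), []
    g = conf.get("global", {})
    for key, want in REQUIRED[role].items():
        got = g.get(key, "<unset>")
        if norm(got) != want:
            out.append(f"{key}: is '{got}', must be '{want}' on a {role.upper()}")
    if role != "pdc":
        return out
    if "netlogon" not in conf:
        out.append("[netlogon] share missing; domain logons will fail")
    # Share component of the UNC logon path (\\%N\profiles\%u -> 'profiles');
    # the default \\%N\%U\profile lands in [homes], which the quoted note rules out.
    parts = g.get("logonpath", r"\\%N\%U\profile").strip("\\").split("\\")
    share = parts[1].lower() if len(parts) > 1 else ""
    if "%u" in share:
        out.append("logon path is under [homes]; use a dedicated profile share")
    elif share in conf:
        if norm(conf[share].get("guestok", "no")) == "yes":
            out.append(f"[{share}]: guest ok = yes exposes every roaming profile")
        for key, (default, limit) in MASKS.items():
            mode = int(conf[share].get(key, default), 8)
            if mode & ~limit:
                out.append(f"[{share}]: {key} {mode:04o} allows group/other access")
    return out

# Constructed samples: the thread's PDC example boiled down, and a BDC config that
# wrongly claims "domain master = yes", the mistake the quoted text warns about.
PDC_CONF = r"""[global]
security = user
encrypt passwords = yes
domain logons = yes
domain master = yes
logon path = \\%N\profiles\%u
[netlogon]
[profiles]
create mask = 0600
directory mask = 0700
"""
BDC_CONF = "[global]\nworkgroup = SAMBA\ndomain master = yes\n" \
           "domain logons = yes\nencrypt passwords = yes\nsecurity = user\n"
```

Running lint(PDC_CONF, "pdc") returns no findings, while lint(BDC_CONF, "bdc") reports the domain master setting; dropping the create/directory masks from [profiles] or adding guest ok = Yes, as in the smb.conf posted above, produces the corresponding profile-share findings.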
nukes
Linux Guru


Joined: 29 Aug 2024
Posts: 4558

Posted: Mon Sep 13, 2024 1:41 pm

Thanks, looking good Smile



_________________
Gentoo x86-64 2.6.29.1
FreeBSD 7-CURRENT
Arch x86 2.6.30
Mow
Member


Joined: 22 Oct 2024
Posts: 389
Location: Right behind you

Posted: Mon Sep 13, 2024 1:42 pm

Smile ....... well it's a start anyway eh?


JP
Linux Guru


Joined: 07 Jul 2024
Posts: 6670
Location: Central Montana

Posted: Tue Jan 11, 2024 1:35 am

Nukes wrote:
Who made this sticky again?

I hope they keep this sticky, some of us need to be able to look at certain posts (like this one, URPMI, and others) over and over before we remember this stuff. Wink



_________________
Dell Box - Arch Linux
Dell Lappy - DreamLinux 3.5 - Default OS
Mepis 8.0 - Backup
Ageros
Advanced Member


Joined: 14 Oct 2024
Posts: 720
Location: Alafreakin'bama

Posted: Sat Feb 05, 2024 10:30 pm

Many thanks to thee Nukes, this thread finally saved my sanity and I got my MS box printer working with my Linux box. I give it two thumbs up.



_________________
Lappy: Ubuntu 7.04 and XP HE
Desktop: Ubuntu 7.04 and XP MCE
cunokyle
Member


Joined: 09 May 2024
Posts: 479
Location: Iowa

Posted: Mon Feb 07, 2024 5:12 am

Ok, I just downloaded and installed Samba 3.0.11 and compiled it... I cannot find a smb.conf file anywhere. I looked in the /etc directory and it is not there. There is not even a /samba directory in /etc. The compilation went smoothly, no problems at all. Is there anywhere else it could be, or do I need to do something to create that directory?



_________________
Knoppix 3.9
nukes
Linux Guru


Joined: 29 Aug 2024
Posts: 4558

Posted: Tue Mar 15, 2024 2:19 am

Did you install it as well? (i.e. "make install")



_________________
Gentoo x86-64 2.6.29.1
FreeBSD 7-CURRENT
Arch x86 2.6.30
djouboui
New Member


Joined: 01 Nov 2024
Posts: 1
Location: Douala

Posted: Thu Nov 02, 2024 11:29 am    Post subject: why mine didn't work?

I mounted a Windows XP share (NTFS) on my Red Hat Enterprise 4 by following the mini howto, but I'm not able to write to the mounted folder.
I checked that the share and NTFS permissions are OK, and that the Linux user also has write permission to the mounted folder. What could be my problem?


JP
Linux Guru


Joined: 07 Jul 2024
Posts: 6670
Location: Central Montana

Posted: Thu Nov 02, 2024 2:53 pm    Post subject: Re: why mine didn't work?

djouboui wrote:
I mounted a Windows XP share (NTFS) on my Red Hat Enterprise 4 by following the mini howto, but I'm not able to write to the mounted folder.
I checked that the share and NTFS permissions are OK, and that the Linux user also has write permission to the mounted folder. What could be my problem?


Welcome to USALUG djouboui Exclamation Glad to have you here. Hopefully, someone will be along soon to help you with your Samba problems, I have no experience in that yet ..... (too little time spent learning/too much time spent playing Free Cell on my Debian box Wink Laughing ).



_________________
Dell Box - Arch Linux
Dell Lappy - DreamLinux 3.5 - Default OS
Mepis 8.0 - Backup