dhicks (14th January 2010)

Hello All,
I'm setting up a new file server to handle our growing image collection. This is a basic Debian virtual machine running under Centos 5.1 using the 2.6.26-2-xen-686 kernel from the Debian archive.
I've installed Samba on this server - Ric's guide turned out to be invaluable:
Installation guide for Samba, Winbind, CUPS and PyKota
And this document came in handy, too:
Using Samba on Debian Linux
I basically did the following:
Code:
apt-get update
apt-get upgrade
apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config

All worked fine - the install procedure even asked me for a few details and did all the Kerberos config files for me, nice and easy.
Then I had to configure Samba. After a large amount of swearing and muttering, I finally have this:
Code:
[global]
   server string = ACSFILES005
   idmap gid = 10000-20000
   obey pam restrictions = yes
   dns proxy = no
   netbios name = ACSFILES005
   invalid users = root
   idmap uid = 10000-20000
   workgroup = CONVENT
   os level = 20
   security = ads
   max log size = 1000
   winbind separator = +
   socket options = TCP_NODELAY
   wins server = 10.0.0.64
   encrypt passwords = true
   public = yes
   realm = CONVENT.ALTONCONVENT.ORG.UK
   winbind use default domain = yes
   wins proxy = no
   winbind enum users = yes
   password server = *
   winbind gid = 10000-20000
   winbind enum groups = yes
   preferred master = no
   log level = 3
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

[photos]
   comment = photos
   path = /data/photos
   read only = no
   inherit acls = yes
   inherit permissions = yes
   create mask = 700
   directory mask = 700
   valid users = @"CONVENT+Domain Users"
   admin users = @"CONVENT+Domain Admins"

So that's basically Ric's Samba setup, minus any printer-related lines as this is a file server, and a file share definition. Now, on a Windows machine I can put "\\ACSFILES005\photos" into Windows Explorer and get access to the share - but only as long as I first create a local user on the file server. So, if I'm logged in to Windows as "dhicks", I have to do something like...
Code:
useradd dhicks -p -

...before I can access the share.
This isn't really much of an issue - I can wrap a script around the "wbinfo -u" command to re-create domain users on the local machine easily enough, but is there a proper way of doing this - should Samba be able to create local accounts on demand or something? Have I missed something?
--
David Hicks

I haven't actually tried it, but I'm sure PAM can use either samba or kerberos as a back-end for authentication. samba maps Active Directory accounts to existing shadow accounts, whereas kerberos and friends actually use it as a database source. I think.
Edit: this may help you, but it is a bit RedHat-oriented. Adapt as required: http://wiki.samba.org/index.php/Samb...tive_Directory
Last edited by powdarrmonkey; 14th January 2010 at 07:10 PM.

Have a look at the winbind-related stuff in my Samba set up for our FTP server: FTP and Web server [Bishop Barrington IT Wiki]. Specifically, the 'Edit Name Server Switch' part.

Some more Googling gives me the impression that the following, added to smb.conf, should do the trick...
Code:
add user script = /usr/sbin/useradd -s /sbin/nologin %u -p Kqb519Tz
add user to group script = /usr/sbin/adduser %u %g
add group script = /usr/sbin/groupadd %g

...only problem is that it doesn't seem to be working...
--
David Hicks

If you do getent passwd and it returns your domain users, you don't need to have actual linux accounts for your AD users - which would make the useradd scripts etc redundant.

Added this to crontab, to run every 10 minutes:
Code:
#!/usr/bin/python
# Create a local account for every domain user that winbind knows about
# but /etc/passwd does not (run from cron every 10 minutes).
import os
import re
import random
import subprocess

alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890"

def generateRandomString(stringLength):
    result = ""
    for pl in range(0, stringLength):
        result = result + alphabet[random.randint(0, len(alphabet) - 1)]
    return result

# Local accounts that already exist
users = []
usersFile = open("/etc/passwd", "r")
for line in usersFile.readlines():
    users.append(line.split(":")[0])
usersFile.close()

# Domain users as winbind lists them. Depending on smb.conf the name can be
# "DOMAIN\user", "DOMAIN+user" (winbind separator = +) or plain "user"
# (winbind use default domain = yes), so take the part after any separator.
wbinfo = os.popen("wbinfo -u")
wbinfoLines = wbinfo.readlines()
wbinfo.close()
for wbinfoLine in wbinfoLines:
    user = re.split(r"[\\+]", wbinfoLine.strip())[-1]
    if not user or user in users:
        continue
    # Pass the arguments as a list so odd characters in a user name never
    # reach a shell. useradd -p expects an already-encrypted string, so a
    # random value here simply means nobody can log in with a password.
    subprocess.call(["useradd", "-s", "/sbin/nologin", "-p", generateRandomString(16), user])

We'll see if that sorts it...
--
David Hicks

And it helps if you're not a wally, like me: DON'T FORGET to follow Ric's instructions and add:
Code:
passwd: files winbind
group: files winbind
shadow: files winbind

To /etc/nsswitch.conf, which solves all the previous stuff about Linux not knowing about users or groups and renders that Python script I wrote pointless. Feel silly now...
--
David Hicks


Sigh... Ah well, at least I feel like I understand what I'm doing now that I've gone and thought through every part of what the server needs to do to match up users and permissions between the DC and file server. Samba setup actually turns out to be quite simple once you know what you're doing (apt-get a couple of bits, edit two files, done) - now I've just got to sort out the image storage application. Many thanks for your help, looks like I most definitely needed it.
--
David Hicks

No worries, glad you got it eventually. Samba is so configurable that getting smb.conf right the first time without any resources isn't an easy task.

Right, just to summarise with a (hopefully) correct solution for anyone coming across this in the future, or from a Google search or whatever: To set up a Samba file server from scratch, first install your favourite Linux distribution (I used Debian and the 2.6.26-2-xen-686 kernel as I'm running a virtual machine). Then install Samba:
Code:
apt-get update
apt-get upgrade
apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config

I found that the above went through the Kerberos setup automatically for me, I just had to provide the domain name (in full, and all in upper case, e.g. "CONVENT.ALTONCONVENT.ORG.UK") and the name of the domain controller ("ACSDC001").
Configure Samba, with a single file share called "photos", by editing /etc/samba/smb.conf:
Code:
[global]
   server string = ACSFILES005
   idmap gid = 10000-20000
   obey pam restrictions = yes
   dns proxy = no
   netbios name = ACSFILES005
   invalid users = root
   idmap uid = 10000-20000
   workgroup = CONVENT
   os level = 20
   security = ads
   max log size = 1000
   winbind separator = +
   socket options = TCP_NODELAY
   wins server = 10.0.0.64
   encrypt passwords = true
   public = yes
   realm = CONVENT.ALTONCONVENT.ORG.UK
   winbind use default domain = yes
   wins proxy = no
   winbind enum users = yes
   password server = *
   winbind gid = 10000-20000
   winbind enum groups = yes
   preferred master = no
   log level = 3
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

[photos]
   comment = photos
   path = /data/photos
   read only = no
   inherit acls = yes
   inherit permissions = yes
   create mask = 700
   directory mask = 700
   valid users = @"CONVENT+Domain Users"
   admin users = @"CONVENT+Domain Admins"

Add, or more likely change, some lines in /etc/nsswitch.conf to read:
Code:
passwd: files winbind
group: files winbind
shadow: files winbind

Then join your Linux machine to your Windows domain:
Code:
net ads join -U administrator

Doing:
Code:
wbinfo -u

Should show you a list of domain users, and domain users (and only domain users) should be able to get to your file share.
The above information is merely a cut down version of that provided by Ric and Webman, I'm just putting it here again to stop anyone blundering in via Google and trying to copy the wrong setup from above and spending a couple of days trying to figure out why their server isn't working.
--
David Hicks
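As an added example (not code from the thread), here is a small pre-flight check for the two things this thread tripped over: winbind missing from /etc/nsswitch.conf, and the [global] settings an ADS member needs before "net ads join" will work. The sample files it checks are constructed inline; the "bad" pair repeats the mistake from earlier in the thread.

```python
import re

NSS_DATABASES = ("passwd", "group", "shadow")

def nsswitch_problems(nsswitch_text):
    """Databases that do not consult winbind: without these, Linux never sees the domain users."""
    sources = {}
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, rest = line.split(":", 1)
            sources[db.strip()] = rest.split()
    return [db for db in NSS_DATABASES if "winbind" not in sources.get(db, [])]

def smb_conf_problems(smb_conf_text):
    """[global] settings an AD member server needs before 'net ads join' can work."""
    glob, section = {}, None
    for line in smb_conf_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
        elif "=" in line and section == "global":
            key, value = (s.strip() for s in line.split("=", 1))
            glob[key.lower()] = value
    problems = []
    if glob.get("security", "").lower() != "ads":
        problems.append("security must be 'ads' for a domain member")
    if not glob.get("realm"):
        problems.append("realm is missing (the AD domain, in full and upper case)")
    if glob.get("realm", "") != glob.get("realm", "").upper():
        problems.append("realm should be in upper case")
    if not glob.get("workgroup"):
        problems.append("workgroup (short domain name) is missing")
    return problems

# Constructed sample files: the first pair is correct, the second repeats the
# mistake from earlier in the thread (no winbind in nsswitch.conf, wrong security mode).
NSSWITCH_OK = "passwd: files winbind\ngroup: files winbind\nshadow: files winbind\n"
NSSWITCH_BAD = "passwd: compat\ngroup: compat\nshadow: compat\n"
SMB_OK = "[global]\n  workgroup = CONVENT\n  security = ads\n  realm = CONVENT.ALTONCONVENT.ORG.UK\n[photos]\n  path = /data/photos\n"
SMB_BAD = "[global]\n  workgroup = CONVENT\n  security = user\n"

if __name__ == "__main__":
    print("nsswitch.conf missing winbind for:", nsswitch_problems(NSSWITCH_BAD))
    print("smb.conf problems:", smb_conf_problems(SMB_BAD))
```

To check a real server, read the two files into the strings instead of the constructed samples.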

If you want to take it a step further for user directories (autocreated upon logon) with emailed hard/soft quotas, hidden files, veto'd files etc. I wrote an eduwiki on it here:
Samba Homedirectory
Been running for around 18 months now.

Having written that, I then go and decide to install an OpenSolaris server (because of ZFS' support for block-level deduplication), so there's a couple of things worth pointing out:
Do apt-get Kerberos on Debian and you get a wizard window open, which asks you for a couple of details and that's it. You do need to remember to follow Ric's guide above to configure Kerberos on Solaris - the config file is found in the same place as on Debian (/etc/krb5/krb5.conf).
Do "pkg install SUNWsmba" to install Samba on OpenSolaris.
As detailed on this Sun Wiki Page on how to configure Samba, you need to enable the Samba and WINS daemons. You also need to enable winbind:
Code:
svcadm enable winbind

--
David Hicks

Ooh, just worked out you need to configure PAM - just copy the example given over the current setup (might want to back that up first, of course):
Code:
cp /etc/pam.conf-winbind /etc/pam.conf

--
David Hicks

A quick update for anyone having trouble getting UID/GIDs to synchronise between servers (I've just spent the whole day figuring this out).
The problem: you have a central file server, accessed from different places - maybe Windows clients, other Linux-based servers, etc. In our particular situation, we have a file server serving users' file areas (their Windows My Documents and Desktop folders) that we also want to use from another Ubuntu-based server (we want the LTSP users on that server to be able to use the same home directories as the Windows users). So, we mounted the server's /home directory as an NFS share (you could also probably use Samba). However, when the Ubuntu users logged on and started to read / write files, they had permissions problems. This turns out to be because the Ubuntu server, which is joined to our Samba domain the same way the file server is, gives different user and group IDs (UID, GID) to the same users and groups - a given user seen from one server has a different GID when seen from the other. This causes havoc.
The solution (found after much swearing and muttering, after the first bout of swearing and muttering trying to figure out what the heck was going on in the first place) is to have the UIDs match up in some way. Theoretically, this can be done a number of ways - via an LDAP server, or by calculating a hash value of some sort from the Windows user data and using that as a consistent UID on each server. However, we don't have an LDAP server running (we use Active Directory as an LDAP server, and I didn't fancy tackling that today...) and we've managed to get two different versions of Samba running - 3.2 and 3.4, and 3.2 doesn't support the idmap "hash" backend that 3.4 does.
Samba 3.2 and 3.4 do both support the "rid" idmap backend, but are configured differently, just to be awkward. For Samba 3.2, in /etc/samba/smb.conf, try:
Code:
idmap gid = 10000-20000
idmap domains = CONVENT
idmap config CONVENT:range = 10000 - 20000
idmap config CONVENT:base_rid = 0
idmap config CONVENT:backend = rid

While for Samba 3.4, try:
Code:
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
idmap config CONVENT:range = 10000 - 20000
idmap config CONVENT:backend = rid

Also, the Ubuntu 10.04 server we're using as an LTSP server seems to have difficulty starting Samba - try:
Code:
sleep 10
service smbd restart

in /etc/rc.local
--
David Hicks
Last edited by dhicks; 7th June 2010 at 07:27 AM.
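As an added example (not code from the thread), here is the arithmetic behind the "rid" backend, so you can predict what UID or GID a given account should get on each server before mounting anything: it reads the two smb.conf fragments above and applies the formula documented for Samba's idmap_rid backend (range low + RID - base_rid). The SIDs are constructed sample values; the Domain Users group uses its well-known RID 513.

```python
import re

def parse_idmap_config(smb_conf, domain):
    """Read 'idmap config DOMAIN:key = value' lines for one domain out of smb.conf text."""
    cfg = {"base_rid": 0}
    for line in smb_conf.splitlines():
        m = re.match(r"\s*idmap config\s+(\S+):(\w+)\s*=\s*(.+?)\s*$", line)
        if not m or m.group(1).upper() != domain.upper():
            continue
        key, value = m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = (int(v) for v in re.split(r"\s*-\s*", value))
            cfg["range"] = (low, high)
        elif key == "base_rid":
            cfg["base_rid"] = int(value)
        elif key == "backend":
            cfg["backend"] = value.lower()
    return cfg

def rid_to_id(sid, cfg):
    """Unix id = range low + (RID - base_rid); ids outside the range are refused, as Samba does."""
    if cfg.get("backend") != "rid":
        raise ValueError("backend %r is not deterministic across servers" % cfg.get("backend"))
    rid = int(sid.rsplit("-", 1)[1])
    low, high = cfg["range"]
    unix_id = low + rid - cfg["base_rid"]
    if not low <= unix_id <= high:
        raise ValueError("RID %d maps to %d, outside %d-%d" % (rid, unix_id, low, high))
    return unix_id

# The two smb.conf fragments from the post above (3.2 and 3.4 syntax).
SMB_CONF_32 = """idmap gid = 10000-20000
idmap domains = CONVENT
idmap config CONVENT:range = 10000 - 20000
idmap config CONVENT:base_rid = 0
idmap config CONVENT:backend = rid
"""
SMB_CONF_34 = """idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
idmap config CONVENT:range = 10000 - 20000
idmap config CONVENT:backend = rid
"""
# Constructed sample SIDs: a user with RID 1105 and the well-known Domain Users group (RID 513).
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
DOMAIN_USERS_SID = "S-1-5-21-1111111111-2222222222-3333333333-513"
if __name__ == "__main__":
    for name, conf in (("Samba 3.2", SMB_CONF_32), ("Samba 3.4", SMB_CONF_34)):
        cfg = parse_idmap_config(conf, "CONVENT")
        print(name, "uid", rid_to_id(USER_SID, cfg), "gid", rid_to_id(DOMAIN_USERS_SID, cfg))
```

Both fragments give the same ids, which is the whole point; a 10000-20000 range only has room for RIDs up to 10000, so widen it on every server at once if the domain outgrows it.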