  1. #1

    dhicks

    Configuring Samba

    Hello All,

    I'm setting up a new file server to handle our growing image collection. This is a basic Debian virtual machine running under Centos 5.1 using the 2.6.26-2-xen-686 kernel from the Debian archive.

    I've installed Samba on this server - Ric's guide turned out to be invaluable:

    Installation guide for Samba, Winbind, CUPS and PyKota

    And this document came in handy, too:

    Using Samba on Debian Linux

    I basically did the following:

    Code:
    apt-get update
    apt-get upgrade 
    apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config
    All worked fine - the install procedure even asked me for a few details and did all the Kerberos config files for me, nice and easy.

    Then I had to configure Samba. After a large amount of swearing and muttering, I finally have this:

    Code:
    [global]
       server string = ACSFILES005
       idmap gid = 10000-20000
       obey pam restrictions = yes
       dns proxy = no
       netbios name = ACSFILES005
       invalid users = root
       idmap uid = 10000-20000
       workgroup = CONVENT
       os level = 20
       security = ads
       max log size = 1000
       winbind separator = +
       socket options = TCP_NODELAY
       wins server = 10.0.0.64
       encrypt passwords = true
       public = yes
       realm = CONVENT.ALTONCONVENT.ORG.UK
       winbind use default domain = yes
       wins proxy = no
       winbind enum users = yes
       password server = *
       winbind gid = 10000-20000
       winbind enum groups = yes
       preferred master = no
    
       log level = 3
       log file = /var/log/samba/log.%m
       max log size = 1000
       syslog = 0
       panic action = /usr/share/samba/panic-action %d
    
    [photos]
       comment = photos
       path = /data/photos
       read only = no
       inherit acls = yes
       inherit permissions = yes
       create mask = 700
       directory mask = 700
       valid users = @"CONVENT+Domain Users"
       admin users = @"CONVENT+Domain Admins"
    So that's basically Ric's Samba setup, minus any printer-related lines as this is a file server, and a file share definition. Now, on a Windows machine I can put "\\ACSFILES005\photos" into Windows Explorer and get access to the share - but only as long as I first create a local user on the file server. So, if I'm logged in to Windows as "dhicks", I have to do something like...

    Code:
    useradd dhicks -p -
    ...before I can access the share.

    This isn't really much of an issue - I can wrap a script around the "wbinfo -u" command to re-create domain users on the local machine easily enough, but is there a proper way of doing this - should Samba be able to create local accounts on demand or something? Have I missed something?

    --
    David Hicks

  2. #2

    powdarrmonkey
    I haven't actually tried it, but I'm sure PAM can use either samba or kerberos as a back-end for authentication. samba maps Active Directory accounts to existing shadow accounts, whereas kerberos and friends actually use it as a database source. I think.

    Edit: this may help you, but it is a bit RedHat-oriented. Adapt as required: http://wiki.samba.org/index.php/Samb...tive_Directory
    Last edited by powdarrmonkey; 14th January 2010 at 07:10 PM.

  3. Thanks to powdarrmonkey from:

    dhicks (14th January 2010)

  4. #3

    webman
    Have a look at the winbind-related stuff in my Samba set up for our FTP server: FTP and Web server [Bishop Barrington IT Wiki]. Specifically, the 'Edit Name Server Switch' part.

  5. Thanks to webman from:

    dhicks (14th January 2010)

  6. #4

    dhicks
    Quote Originally Posted by dhicks View Post
    should Samba be able to create local accounts on demand or something?
    Some more Googling gives me the impression that the following, added to smb.conf, should do the trick...

    Code:
    add user script = /usr/sbin/useradd -s /sbin/nologin %u -p Kqb519Tz
    add user to group script = /usr/sbin/adduser %u %g
    add group script = /usr/sbin/groupadd %g
    ...only problem is that it doesn't seem to be working...

    --
    David Hicks

  7. #5

    webman
    If you do getent passwd and it returns your domain users, you don't need to have actual linux accounts for your AD users - which would make the useradd scripts etc redundant.

  8. Thanks to webman from:

    dhicks (14th January 2010)

  9. #6

    dhicks
    Quote Originally Posted by dhicks View Post
    I can wrap a script around the "wbinfo -u" command to re-create domain users on the local machine
    Added this to crontab, to run every 10 minutes:

    Code:
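    #!/usr/bin/env python3
    # Create a local account for every domain user that winbind reports
    # and that is not already listed in /etc/passwd.
    
    import re
    import secrets
    import subprocess
    
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890"
    
    def generateRandomString(stringLength):
            # secrets draws from the OS CSPRNG; the random module is predictable
            return "".join(secrets.choice(alphabet) for pl in range(stringLength))
    
    # Names that already exist locally
    with open("/etc/passwd", "r") as usersFile:
            users = [line.split(":")[0] for line in usersFile]
    
    # wbinfo prints DOMAIN<separator>user; the separator is "\" by default
    # and "+" with the "winbind separator = +" setting used above
    wbinfo = subprocess.run(["wbinfo", "-u"], stdout=subprocess.PIPE, universal_newlines=True)
    for wbinfoLine in wbinfo.stdout.splitlines():
            userSplitArray = re.split(r"[\\+]", wbinfoLine.strip())
            if len(userSplitArray) > 1:
                    user = userSplitArray[1]
                    if user not in users:
                            # Argument list with no shell, so a user name cannot inject commands.
                            # -p expects an already-hashed value, so a random string here
                            # leaves the account without a usable password.
                            subprocess.run(["useradd", "-s", "/sbin/nologin",
                                            "-p", generateRandomString(16), "--", user])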
    We'll see if that sorts it...

    --
    David Hicks

  10. #7

    dhicks
    Quote Originally Posted by dhicks View Post
    Ric's guide turned out to be invaluable
    And it helps if you're not a wolly, like me: DON'T FORGET to follow Ric's instructions and add:

    Code:
    passwd:         files winbind
    group:          files winbind
    shadow:         files winbind
    To /etc/nsswitch.conf, which solves all the previous stuff about Linux not knowing about users or groups and renders that Python script I wrote pointless. Feel silly now...

    --
    David Hicks

  11. #8

    webman
    Quote Originally Posted by dhicks View Post
    And it helps if you're not a wolly, like me: DON'T FORGET to follow Ric's instructions and add: ... To /etc/nsswitch.conf
    Quote Originally Posted by webman View Post
    Have a look at the winbind-related stuff in my Samba set up for our FTP server: ...Specifically, the 'Edit Name Server Switch' part.
    Quote Originally Posted by Guide
    Edit Name Server Switch

    You will now need to modify /etc/nsswitch.conf so that Linux will look to the domain for users & groups. Simply add 'winbind' to the end of the passwd and group lines


    __

  12. Thanks to webman from:

    dhicks (18th January 2010)

  13. #9

    dhicks
    Quote Originally Posted by webman View Post
    Have a look at the winbind-related stuff in my Samba set up for our FTP server: ...Specifically, the 'Edit Name Server Switch' part.
    Sigh... Ah well, at least I feel like I understand what I'm doing now I've gone and thought through every part of what the server needs to do to match up users and permissions between the DC and file server. Samba setup actually turns out to be quite simple once you know what you're doing (apt-get a couple of bits, edit two files, done) - now I've just got to sort out the image storage application. Many thanks for your help, looks like I most definitely needed it.

    --
    David Hicks

  14. #10

    webman
    No worries, glad you got it eventually. Samba is so configurable, that getting smb.conf right the first time without any resources isn't an easy task.

  15. #11

    dhicks
    Right, just to summarise with a (hopefully) correct solution for anyone coming across this in the future, or from a Google search or whatever: To set up a Samba file server from scratch, first install your favourite Linux distribution (I used Debian and the 2.6.26-2-xen-686 kernel as I'm running a virtual machine). Then install Samba:

    Code:
    apt-get update
    apt-get upgrade 
    apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config
    I found that the above went through the Kerberos setup automatically for me, I just had to provide the domain name (in full, and all in upper case, e.g. "CONVENT.ALTONCONVENT.ORG.UK") and name of the domain controller ("ACSDC001").

    Configure Samba, with a single file share called "photos", by editing /etc/samba/smb.conf:

    Code:
    [global]
       server string = ACSFILES005
       idmap gid = 10000-20000
       obey pam restrictions = yes
       dns proxy = no
       netbios name = ACSFILES005
       invalid users = root
       idmap uid = 10000-20000
       workgroup = CONVENT
       os level = 20
       security = ads
       max log size = 1000
       winbind separator = +
       socket options = TCP_NODELAY
       wins server = 10.0.0.64
       encrypt passwords = true
       public = yes
       realm = CONVENT.ALTONCONVENT.ORG.UK
       winbind use default domain = yes
       wins proxy = no
       winbind enum users = yes
       password server = *
       winbind gid = 10000-20000
       winbind enum groups = yes
       preferred master = no
    
       log level = 3
       log file = /var/log/samba/log.%m
       max log size = 1000
       syslog = 0
       panic action = /usr/share/samba/panic-action %d
    
    [photos]
       comment = photos
       path = /data/photos
       read only = no
       inherit acls = yes
       inherit permissions = yes
       create mask = 700
       directory mask = 700
       valid users = @"CONVENT+Domain Users"
       admin users = @"CONVENT+Domain Admins"
    Add, or more likely change, some lines in /etc/nsswitch.conf to read:

    Code:
    passwd:         files winbind
    group:          files winbind
    shadow:         files winbind
    Then join your Linux machine to your Windows domain:

    Code:
    net ads join -U administrator
    Doing:

    Code:
    wbinfo -u
    Should show you a list of domain users, and domain users (and only domain users) should be able to get to your file share.

    The above information is merely a cut down version of that provided by Ric and Webman, I'm just putting it here again to stop anyone blundering in via Google and trying to copy the wrong setup from above and spending a couple of days trying to figure out why their server isn't working.

    --
    David Hicks

  16. 3 Thanks to dhicks:

    Miscbrah (1st May 2012), oxide54 (22nd November 2010), powdarrmonkey (21st January 2010)
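
The /etc/nsswitch.conf step in the summary above is the one this thread kept tripping over, so here is a small checker for it, as an added example that is not part of the original posts. It parses nsswitch.conf text and reports why domain users or groups would not resolve through winbind, including the case where a `[NOTFOUND=return]` action placed before `winbind` stops the lookup early; the function names and sample files are constructed for illustration.

```python
import re

# Constructed sample inputs, not taken from any real server.
SAMPLE_GOOD = """\
# /etc/nsswitch.conf
passwd:         files winbind
group:          files winbind
shadow:         files winbind
hosts:          files dns
"""
SAMPLE_BAD = """\
passwd:         compat
group:          files [NOTFOUND=return] winbind   # winbind never reached
"""

def parse_nsswitch(text):
    """Return {database: [tokens]} with comments and blank lines removed."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        database, sources = line.split(":", 1)
        # Keep "[STATUS=action]" items together as single tokens.
        table[database.strip()] = re.findall(r"\[[^\]]*\]|\S+", sources)
    return table

def winbind_problems(text, databases=("passwd", "group")):
    """List reasons why lookups in these databases would not reach winbind."""
    table = parse_nsswitch(text)
    problems = []
    for database in databases:
        tokens = table.get(database)
        if tokens is None:
            problems.append(database + ": no entry")
            continue
        if "winbind" not in tokens:
            problems.append(database + ": winbind not listed")
            continue
        # An action such as [NOTFOUND=return] ahead of winbind ends the lookup
        # as soon as the earlier source does not know the name.
        for token in tokens[:tokens.index("winbind")]:
            if token.startswith("[") and re.search(r"(?<!!)NOTFOUND=return", token, re.I):
                problems.append(database + ": " + token + " stops lookups before winbind")
    return problems

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, winbind_problems(text) or "ok")
```

To check a live server, pass the contents of /etc/nsswitch.conf to `winbind_problems()`; an empty list means `getent passwd` should be able to return domain users.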

  17. #12


    If you want to take it a step further for user directories (autocreated upon logon) with emailed hard/soft quotas, hidden files, vetoed files etc I wrote an eduwiki on it here:
    Samba Homedirectory

    Been running for around 18 months now.

  18. Thanks to CyberNerd from:

    dhicks (21st January 2010)

  19. #13

    dhicks
    Quote Originally Posted by dhicks View Post
    first install your favourite Linux distribution (I used Debian and the 2.6.26-2-xen-686 kernel as I'm running a virtual machine).
    Having written that, I then go and decide to install an OpenSolaris server (because of ZFS' support for block-level deduplication), so there's a couple of things worth pointing out:

    Do apt-get Kerberos on Debian and you get a wizard window open, asks you for a couple of details and that's it. You do need to remember to follow Ric's guide above to configure Kerberos on Solaris - the config file is found in the same place as on Debian (/etc/krb5/krb5.conf).

    Do "pkg install SUNWsmba" to install Samba on OpenSolaris.

    As detailed on this Sun Wiki Page on how to configure Samba, you need to enable the Samba and WINS daemons. You also need to enable winbind:

    Code:
    svcadm enable winbind
    --
    David Hicks

  20. 2 Thanks to dhicks:

    CyberNerd (6th February 2010), webman (5th February 2010)

  21. #14

    dhicks
    Ooh, just worked out you need to configure PAM - just copy the example given over the current setup (might want to back that up first, of course):

    Code:
    cp /etc/pam.conf-winbind /etc/pam.conf
    --
    David Hicks

  22. #15

    dhicks
    Quote Originally Posted by dhicks View Post
    just to summarise with a (hopefully) correct solution for anyone coming across this in the future, or from a Google search or whatever
    A quick update for anyone having trouble getting UID/GIDs to synchronise between servers (I've just spent the whole day figuring this out).

    The problem: you have a central file server, accessed from different places - maybe Windows clients, other Linux-based servers, etc. In our particular situation, we have a file server serving users' file areas (their Windows My Documents and Desktop folders) that we also want to use from another Ubuntu-based server (we want the LTSP users on that server to be able to use the same home directories as the Windows users). So, we mounted the server's /home directory as an NFS share (you could also probably use Samba). However, when the Ubuntu users logged on and started to read / write files, they had permissions problems. This turns out to be because the Ubuntu server, which is joined to our Samba domain the same way the file server is, gives different user and group IDs (UID, GID) to the same users and groups - a given user seen from one server has a different GID when seen from the other. This causes havoc.

    The solution (found after much swearing and muttering, after the first bout of swearing and muttering trying to figure out what the heck was going on in the first place) is to have the UIDs match up in some way. Theoretically, this can be done a number of ways - via an LDAP server, or by calculating a hash value of some sort from the Windows user data and using that as a consistent UID on each server. However, we don't have an LDAP server running (we use Active Directory as an LDAP server, and I didn't fancy tackling that today...) and we've managed to get two different versions of Samba running - 3.2 and 3.4, and 3.2 doesn't support the idmap "hash" backend that 3.4 does.

    Samba 3.2 and 3.4 do both support the "rid" idmap backend, but are configured differently, just to be awkward. For Samba 3.2, in /etc/samba/smb.conf, try:

    Code:
    idmap gid = 10000-20000
    idmap domains = CONVENT
    idmap config CONVENT:range = 10000 - 20000
    idmap config CONVENT:base_rid = 0
    idmap config CONVENT:backend = rid
    While for Samba 3.4, try:

    Code:
    idmap uid = 10000 - 20000
    idmap gid = 10000 - 20000
    idmap config CONVENT:range = 10000 - 20000
    idmap config CONVENT:backend = rid
    Also, the Ubuntu 10.04 server we're using as an LTSP server seems to have difficulty starting Samba - try:

    Code:
    sleep 10
    service smbd restart
    in /etc/rc.local

    --
    David Hicks
    Last edited by dhicks; 7th June 2010 at 08:27 AM.
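
Why the "rid" backend makes the IDs agree, and how to confirm it, as an added example that is not part of the original post: Samba's rid backend derives the Unix ID as RID - base_rid + low end of the range, so any server with the same range computes the same number for the same account. The code below does that arithmetic for the 10000 - 20000 range used above and compares `getent passwd` output from two servers to list accounts whose UID or GID differ; the SIDs, user names and passwd lines are constructed sample data and the function names are hypothetical.

```python
# Constructed getent passwd output from two servers (sample data only).
FILE_SERVER = """\
root:x:0:0:root:/root:/bin/bash
jsmith:*:10001:10000:J Smith:/home/CONVENT/jsmith:/bin/false
adoe:*:11106:10513:A Doe:/home/CONVENT/adoe:/bin/false
"""
LTSP_SERVER = """\
root:x:0:0:root:/root:/bin/bash
jsmith:*:10004:10002:J Smith:/home/CONVENT/jsmith:/bin/false
adoe:*:11106:10513:A Doe:/home/CONVENT/adoe:/bin/false
"""

def rid_to_unix_id(sid, low=10000, high=20000, base_rid=0):
    """ID the rid backend assigns to a SID: RID - base_rid + low.

    Returns None when the result falls outside the configured range,
    in which case the account gets no mapping at all.
    """
    rid = int(sid.rsplit("-", 1)[1])   # the RID is the last SID component
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd-format lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2].isdigit() and fields[3].isdigit():
            entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries

def id_mismatches(passwd_a, passwd_b):
    """Accounts present on both servers whose (uid, gid) pairs differ."""
    a, b = parse_passwd(passwd_a), parse_passwd(passwd_b)
    return {name: (a[name], b[name])
            for name in sorted(a.keys() & b.keys()) if a[name] != b[name]}

if __name__ == "__main__":
    domain = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed SID prefix
    for rid in (513, 1105, 12000):
        print(rid, "->", rid_to_unix_id("%s-%d" % (domain, rid)))
    print(id_mismatches(FILE_SERVER, LTSP_SERVER))
```

With a range of 10000 - 20000 and base_rid 0, only RIDs up to 10000 fit; a larger domain needs a wider range, set identically on every server that shares the files.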


