Configuring Samba

[dhicks]

Hello All,

I'm setting up a new file server to handle our growing image collection. This is a basic Debian virtual machine running under Centos 5.1 using the 2.6.26-2-xen-686 kernel from the Debian archive.

I've installed Samba on this server - Ric's guide turned out to be invaluable:

Installation guide for Samba, Winbind, CUPS and PyKota

And this document came in handy, too:

Using Samba on Debian Linux

I bascially did the following:

Code:

apt-get update
apt-get upgrade 
apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config

All worked fine - the install procedure even asked me for a few details and did all the Kerebos config files for me, nice and easy.

Then I had to configure Samba. After a large amount of swearing and muttering, I finally have this:

Code:

[global]
   server string = ACSFILES005
   idmap gid = 10000-20000
   obey pam restrictions = yes
   dns proxy = no
   netbios name = ACSFILES005
   invalid users = root
   idmap uid = 10000-20000
   workgroup = CONVENT
   os level = 20
   security = ads
   max log size = 1000
   winbind separator = +
   socket options = TCP_NODELAY
   wins server = 10.0.0.64
   encrypt passwords = true
   public = yes
   realm = CONVENT.ALTONCONVENT.ORG.UK
   winbind use default domain = yes
   wins proxy = no
   winbind enum users = yes
   password server = *
   winbind gid = 10000-20000
   winbind enum groups = yes
   preferred master = no

   log level = 3
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

[photos]
   comment = photos
   path = /data/photos
   read only = no
   inherit acls = yes
   inherit permissions = yes
   create mask = 700
   directory mask = 700
   valid users = @"CONVENT+Domain Users"
   admin users = @"CONVENT+Domain Admins"

So that's bascially Ric's Samba setup, minus any printer-related lines as this is a file server, and a file share definition. Now, on a windows machine I can put "\\ACSFILES005\photos" into Windows Explorer and get access to the share - but only as long as I first create a local user on the file server. So, if I'm logged in to Windows as "dhicks", I have to do something like...

Code:

useradd dhicks -p -

...before I can access the share.

This isn't really much of an issue - I can wrap a script around the "wbinfo -u" command to re-create domain users on the local machine easily enough, but is there a proper way of doing this - should Samba be able to create local accounts on demand or something? Have I missed something?

--
David Hicks

[powdarrmonkey]

I haven't actually tried it, but I'm sure PAM can use either samba or kerberos as a back-end for authentication. samba maps Active Directory accounts to existing shadow accounts, whereas kerberos and friends actually use it as a database source. I think.

Edit: this may help you, but it is a bit RedHat-oriented. Adapt as required: http://wiki.samba.org/index.php/Samb...tive_Directory

[webman]

Have a look at the winbind-related stuff in my Samba set up for our FTP server: FTP and Web server [Bishop Barrington IT Wiki]. Specifically, the 'Edit Name Server Switch' part.

[dhicks]

should Samba be able to create local accounts on demand or something?

Some more Googling gives me the impression that the following, added to smb.conf, should do the trick...

Code:

add user script = /usr/sbin/useradd -s /sbin/nologin %u -p Kqb519Tz
add user to group script = /usr/sbin/adduser %u %g
add group script = /usr/sbin/groupadd %g

...only problem is that it doesn't seem to be working...

--
David Hicks

[webman]

If you do getent passwd and it returns your domain users, you don't need to have actual linux accounts for your AD users - which would make the useradd scripts etc redundant.

[dhicks]

I can wrap a script around the "wbinfo -u" command to re-create domain users on the local machine

Added this to crontab, to run every 10 minutes:

Code:

#!/usr/bin/python

import os
import re
import time
import random

alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890"

def generateRandomString(stringLength):
        result = ""
        for pl in range(0, stringLength):
                result = result + alphabet[random.randint(0, len(alphabet)-1)]
        return(result)

users = []
usersFile = open("/etc/passwd", "r")
usersLines = usersFile.readlines()
usersFile.close()
for user in usersLines:
        user = user.split(":")[0]
        users.append(user)

wbinfo = os.popen("wbinfo -u")
wbinfoLines = wbinfo.readlines()
wbinfo.close()
for wbinfoLine in wbinfoLines:
        userSplitArray = wbinfoLine.strip().split("\\")
        if len(userSplitArray) > 1:
                user = userSplitArray[1]
                if not user in users:
                        user = re.sub("'", "\\'", user)
                        os.system("useradd -s /sbin/nologin " + user + " -p " + generateRandomString(16))

We'll see if that sorts it...

--
David Hicks

[dhicks]

Ric's guide turned out to be invaluable

And it helps if you're not a wolly, like me: DON'T FORGET to follow Ric's instruction's and add:

Code:

passwd:         files winbind
group:          files winbind
shadow:         files winbind

To /etc/nsswitch.conf, which solves all the previous stuff about Linux not knowing about users or groups and renders that Python script I wrote pointless. Feel silly now...

--
David Hicks

[webman]

And it helps if you're not a wolly, like me: DON'T FORGET to follow Ric's instruction's and add: ... To /etc/nsswitch.conf

Have a look at the winbind-related stuff in my Samba set up for our FTP server: ...Specifically, the 'Edit Name Server Switch' part.

Edit Name Server Switch

You will now need to modify /etc/nsswitch.conf so that Linux will look to the domain for users & groups. Simply add 'winbind' to the end of the passwd and group lines

__

[dhicks]

Have a look at the winbind-related stuff in my Samba set up for our FTP server: ...Specifically, the 'Edit Name Server Switch' part.

Sigh... Ah well, at least I feel like I understand what I'm doing now I've gone and thought through every part of what the server needs to do to match up users and permissions between the DC and file server. Samba setup actually turns out to be quite simple once you know what you're doing (apt-get a couple of bits, edit two files, done) - now I've just got to sort out the image storage application. Many thanks for your help, looks like I most definatly needed it.

--
David Hicks

[webman]

No worries, glad you got it eventually. Samba is so configurable, that getting smb.conf right the first time without any resources isn't an easy task.

[dhicks]

Right, just to summarise with a (hopefully) correct solution for anyone coming accross this in the future, or from a Google search or whatever: To set up a Samba file server from scratch, first install your favourite Linux distribution (I used Debian and the 2.6.26-2-xen-686 kernel as I'm running a virtual machine). Then install Samba:

Code:

apt-get update
apt-get upgrade 
apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config

I found that the above went through the Kerebos setup automatically for me, I just had to provide the domain name (in full, and all in upper case, e.g. "CONVENT.ALTONCONVENT.ORG.UK") and name of the domain controller ("ACSDC001").

Configure Samba, with a single file share called "photos", by editing /etc/samba/smb/conf:

Code:

[global]
   server string = ACSFILES005
   idmap gid = 10000-20000
   obey pam restrictions = yes
   dns proxy = no
   netbios name = ACSFILES005
   invalid users = root
   idmap uid = 10000-20000
   workgroup = CONVENT
   os level = 20
   security = ads
   max log size = 1000
   winbind separator = +
   socket options = TCP_NODELAY
   wins server = 10.0.0.64
   encrypt passwords = true
   public = yes
   realm = CONVENT.ALTONCONVENT.ORG.UK
   winbind use default domain = yes
   wins proxy = no
   winbind enum users = yes
   password server = *
   winbind gid = 10000-20000
   winbind enum groups = yes
   preferred master = no

   log level = 3
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

[photos]
   comment = photos
   path = /data/photos
   read only = no
   inherit acls = yes
   inherit permissions = yes
   create mask = 700
   directory mask = 700
   valid users = @"CONVENT+Domain Users"
   admin users = @"CONVENT+Domain Admins"

Add, or more likely change, some lines in /etc/nsswitch.conf to read:

Code:

passwd:         files winbind
group:          files winbind
shadow:         files winbind

Then join your Linux machine to your Windows domain:

Code:

net ads join -U administrator

Doing:

Code:

wbinfo -u

Should show you a list of domain users, and domain users (and only domain users) should be able to get to your file share.

The above information is merely a cut down version of that provided by Ric and Webman, I'm just putting it here again to stop anyone blundering in via Google and trying to copy the wrong setup from above and spending a couple of days trying to figure out why their server isn't working.

--
David Hicks

[CyberNerd]

If you want to take it a step further for user directories (autocreated upon logon) with emailed hard/soft quota's, hidden files,veto'd files etc I wrote an eduwiki on it here:
Samba Homedirectory

Been running for around 18months now.

[dhicks]

first install your favourite Linux distribution (I used Debian and the 2.6.26-2-xen-686 kernel as I'm running a virtual machine).

Having written that, I then go and decide to install an OpenSolaris server (because of ZFS' support for block-level deduplication), so there's a couple of things worth pointing out:

Do apt-get Kerebos on Debian and you get a wizard window open, asks you for a couple of details and that's it. You do need to remember to follow Ric's guide above to configure kerebos on Solaris - the config file is found in the same place as on Debian (/etc/krb5/krb5.conf).

Do "pkg install SUNWsmba" to install Samba on OpenSolaris.

As detailed on this Sun Wiki Page on how to configure Samba, you need to enable the Samba and WINS deamons. You also need to enable windbind:

Code:

svcadm enable winbind

--
David Hicks

[dhicks]

Ooh, just worked out you need to configure Pam - just copy the example given over the current setup (might want to back that up first, of course):

Code:

cp /etc/pam.conf-winbind /etc/pam.conf

--
David Hicks

[dhicks]

just to summarise with a (hopefully) correct solution for anyone coming accross this in the future, or from a Google search or whatever

A quick update for anyone having trouble getting UID/GIDs to syncronise between servers (I've just spent the whole day figuring this out).

The problem: you have a central file server, accessed from different places - maybe Windows clients, other Linux-based servers, etc. In our particular situaton, we have a file server serving user's file areas (their Windows My Documents and Desktop folders) that we also want to use from another Ubuntu-based server (we want the LTSP users on that server to be able to use the same home directories as the Windows users). So, we mounted the server's /home directory as an NFS share (you could also probably use Samba). However, when the Ubuntu users logged on and started to read / write files, they had permissions problems. This turns out to be because the Ubuntu server, which is joined to our Samba domain the same way the file server is, gives different user and groupd IDs (UID, GID) to the same users and groups - a given user seen from one server has a different GID when seen from the other. This causes havoc.

The solution (found after much swearing and muttering, after the first bout of swearing and muttering trying to figure out what the heck was going on in the first place) is to have the UIDs match up in some way. Theoretically, this can be done a number of ways - via an LDAP server, or by calculating a hash value of some sort from the Windows user deata and using that as a consistent UID on each server. However, we don't have an LDAP server running (we use Active Directory as an LDAP server, and I didn't fancy tackling that today...) and we've managed to two different versions of Samba running - 3.2 and 3.4, and 3.2 doesn't support the idmap "hash" backend that 3.4 does.

Samba 3.2 and 3.4 do both support the "rid" idmap backend, but are configured differently, just to be awkward. For Samab 3.2, in /etc/samba/smb.conf, try:

Code:

idmap gid = 10000-20000
idmap domains = CONVENT
idmap config CONVENT:range = 10000 - 20000
idmap config CONVENT:base_rid = 0
idmap config CONVENT:backend = rid

While for Samba 3.4, try:

Code:

idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
idmap config CONVENT:range = 10000 - 20000
idmap config CONVENT:backend = rid

Also, the Ubuntu 10.04 servwer we're using as an LTSP server seems to have difficulty starting Samba - try:

Code:

sleep 10
service smbd restart

in /etc/rc.local

--
David Hicks