Configuring Samba

Hello All,

I'm setting up a new file server to handle our growing image collection. This is a basic Debian virtual machine running under Centos 5.1 using the 2.6.26-2-xen-686 kernel from the Debian archive.

I've installed Samba on this server - Ric's guide turned out to be invaluable:

http://www.edugeek.net/forums/nix/69...ps-pykota.html

And this document came in handy, too:

Using Samba on Debian Linux

I bascially did the following:

Code:

---

apt-get update
apt-get upgrade
apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config

---

All worked fine - the install procedure even asked me for a few details and did all the Kerebos config files for me, nice and easy.

Then I had to configure Samba. After a large amount of swearing and muttering, I finally have this:

Code:

---

[global]
  server string = ACSFILES005
  idmap gid = 10000-20000
  obey pam restrictions = yes
  dns proxy = no
  netbios name = ACSFILES005
  invalid users = root
  idmap uid = 10000-20000
  workgroup = CONVENT
  os level = 20
  security = ads
  max log size = 1000
  winbind separator = +
  socket options = TCP_NODELAY
  wins server = 10.0.0.64
  encrypt passwords = true
  public = yes
  realm = CONVENT.ALTONCONVENT.ORG.UK
  winbind use default domain = yes
  wins proxy = no
  winbind enum users = yes
  password server = *
  winbind gid = 10000-20000
  winbind enum groups = yes
  preferred master = no

  log level = 3
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  panic action = /usr/share/samba/panic-action %d

[photos]
  comment = photos
  path = /data/photos
  read only = no
  inherit acls = yes
  inherit permissions = yes
  create mask = 700
  directory mask = 700
  valid users = @"CONVENT+Domain Users"
  admin users = @"CONVENT+Domain Admins"

---

So that's bascially Ric's Samba setup, minus any printer-related lines as this is a file server, and a file share definition. Now, on a windows machine I can put "\\ACSFILES005\photos" into Windows Explorer and get access to the share - but only as long as I first create a local user on the file server. So, if I'm logged in to Windows as "dhicks", I have to do something like...

Code:

---

useradd dhicks -p -

---

...before I can access the share.

This isn't really much of an issue - I can wrap a script around the "wbinfo -u" command to re-create domain users on the local machine easily enough, but is there a proper way of doing this - should Samba be able to create local accounts on demand or something? Have I missed something?

--
David Hicks

I haven't actually tried it, but I'm sure PAM can use either samba or kerberos as a back-end for authentication. samba maps Active Directory accounts to existing shadow accounts, whereas kerberos and friends actually use it as a database source. I think.

Edit: this may help you, but it is a bit RedHat-oriented. Adapt as required: http://wiki.samba.org/index.php/Samb...tive_Directory

Have a look at the winbind-related stuff in my Samba set up for our FTP server: FTP and Web server [Bishop Barrington IT Wiki]. Specifically, the 'Edit Name Server Switch' part.

Quote:

---

Originally Posted by dhicks

should Samba be able to create local accounts on demand or something?

---

Some more Googling gives me the impression that the following, added to smb.conf, should do the trick...

Code:

---

add user script = /usr/sbin/useradd -s /sbin/nologin %u -p Kqb519Tz
add user to group script = /usr/sbin/adduser %u %g
add group script = /usr/sbin/groupadd %g

---

...only problem is that it doesn't seem to be working...

--
David Hicks

If you do getent passwd and it returns your domain users, you don't need to have actual linux accounts for your AD users - which would make the useradd scripts etc redundant.

Quote:

---

Originally Posted by dhicks

I can wrap a script around the "wbinfo -u" command to re-create domain users on the local machine

---

Added this to crontab, to run every 10 minutes:

Code:

---

#!/usr/bin/python

import os
import re
import time
import random

alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890"

def generateRandomString(stringLength):
        result = ""
        for pl in range(0, stringLength):
                result = result + alphabet[random.randint(0, len(alphabet)-1)]
        return(result)

users = []
usersFile = open("/etc/passwd", "r")
usersLines = usersFile.readlines()
usersFile.close()
for user in usersLines:
        user = user.split(":")[0]
        users.append(user)

wbinfo = os.popen("wbinfo -u")
wbinfoLines = wbinfo.readlines()
wbinfo.close()
for wbinfoLine in wbinfoLines:
        userSplitArray = wbinfoLine.strip().split("\\")
        if len(userSplitArray) > 1:
                user = userSplitArray[1]
                if not user in users:
                        user = re.sub("'", "\\'", user)
                        os.system("useradd -s /sbin/nologin " + user + " -p " + generateRandomString(16))

---

We'll see if that sorts it...

--
David Hicks

Quote:

---

Originally Posted by dhicks

Ric's guide turned out to be invaluable

---

And it helps if you're not a wolly, like me: DON'T FORGET to follow Ric's instruction's and add:

Code:

---

passwd:        files winbind
group:          files winbind
shadow:        files winbind

---

To /etc/nsswitch.conf, which solves all the previous stuff about Linux not knowing about users or groups and renders that Python script I wrote pointless. Feel silly now...

--
David Hicks

Quote:

---

Originally Posted by dhicks

And it helps if you're not a wolly, like me: DON'T FORGET to follow Ric's instruction's and add: ... To /etc/nsswitch.conf

---

Quote:

---

Originally Posted by webman

Have a look at the winbind-related stuff in my Samba set up for our FTP server: ...Specifically, the 'Edit Name Server Switch' part.

---

Quote:

---

Originally Posted by Guide

Edit Name Server Switch

You will now need to modify /etc/nsswitch.conf so that Linux will look to the domain for users & groups. Simply add 'winbind' to the end of the passwd and group lines

---

;)

__

Quote:

---

Originally Posted by webman

Have a look at the winbind-related stuff in my Samba set up for our FTP server: ...Specifically, the 'Edit Name Server Switch' part.

---

Sigh... Ah well, at least I feel like I understand what I'm doing now I've gone and thought through every part of what the server needs to do to match up users and permissions between the DC and file server. Samba setup actually turns out to be quite simple once you know what you're doing (apt-get a couple of bits, edit two files, done) - now I've just got to sort out the image storage application. Many thanks for your help, looks like I most definatly needed it.

--
David Hicks

No worries, glad you got it eventually. Samba is so configurable, that getting smb.conf right the first time without any resources isn't an easy task.

Right, just to summarise with a (hopefully) correct solution for anyone coming accross this in the future, or from a Google search or whatever: To set up a Samba file server from scratch, first install your favourite Linux distribution (I used Debian and the 2.6.26-2-xen-686 kernel as I'm running a virtual machine). Then install Samba:

Code:

---

apt-get update
apt-get upgrade
apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config

---

I found that the above went through the Kerebos setup automatically for me, I just had to provide the domain name (in full, and all in upper case, e.g. "CONVENT.ALTONCONVENT.ORG.UK") and name of the domain controller ("ACSDC001").

Configure Samba, with a single file share called "photos", by editing /etc/samba/smb/conf:

Code:

---

[global]
  server string = ACSFILES005
  idmap gid = 10000-20000
  obey pam restrictions = yes
  dns proxy = no
  netbios name = ACSFILES005
  invalid users = root
  idmap uid = 10000-20000
  workgroup = CONVENT
  os level = 20
  security = ads
  max log size = 1000
  winbind separator = +
  socket options = TCP_NODELAY
  wins server = 10.0.0.64
  encrypt passwords = true
  public = yes
  realm = CONVENT.ALTONCONVENT.ORG.UK
  winbind use default domain = yes
  wins proxy = no
  winbind enum users = yes
  password server = *
  winbind gid = 10000-20000
  winbind enum groups = yes
  preferred master = no

  log level = 3
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  panic action = /usr/share/samba/panic-action %d

[photos]
  comment = photos
  path = /data/photos
  read only = no
  inherit acls = yes
  inherit permissions = yes
  create mask = 700
  directory mask = 700
  valid users = @"CONVENT+Domain Users"
  admin users = @"CONVENT+Domain Admins"

---

Add, or more likely change, some lines in /etc/nsswitch.conf to read:

Code:

---

passwd:        files winbind
group:          files winbind
shadow:        files winbind

---

Then join your Linux machine to your Windows domain:

Code:

---

net ads join -U administrator

---

Doing:

Code:

---

wbinfo -u

---

Should show you a list of domain users, and domain users (and only domain users) should be able to get to your file share.

The above information is merely a cut down version of that provided by Ric and Webman, I'm just putting it here again to stop anyone blundering in via Google and trying to copy the wrong setup from above and spending a couple of days trying to figure out why their server isn't working.

--
David Hicks

If you want to take it a step further for user directories (autocreated upon logon) with emailed hard/soft quota's, hidden files,veto'd files etc I wrote an eduwiki on it here:
Samba Homedirectory

Been running for around 18months now.

Quote:

---

Originally Posted by dhicks

first install your favourite Linux distribution (I used Debian and the 2.6.26-2-xen-686 kernel as I'm running a virtual machine).

---

Having written that, I then go and decide to install an OpenSolaris server (because of ZFS' support for block-level deduplication), so there's a couple of things worth pointing out:

Do apt-get Kerebos on Debian and you get a wizard window open, asks you for a couple of details and that's it. You do need to remember to follow Ric's guide above to configure kerebos on Solaris - the config file is found in the same place as on Debian (/etc/krb5/krb5.conf).

Do "pkg install SUNWsmba" to install Samba on OpenSolaris.

As detailed on this Sun Wiki Page on how to configure Samba, you need to enable the Samba and WINS deamons. You also need to enable windbind:

Code:

---

svcadm enable winbind

---

--
David Hicks

Ooh, just worked out you need to configure Pam - just copy the example given over the current setup (might want to back that up first, of course):

Code:

---

cp /etc/pam.conf-winbind /etc/pam.conf

---

--
David Hicks

Quote:

---

Originally Posted by dhicks

just to summarise with a (hopefully) correct solution for anyone coming accross this in the future, or from a Google search or whatever

---

A quick update for anyone having trouble getting UID/GIDs to syncronise between servers (I've just spent the whole day figuring this out).

The problem: you have a central file server, accessed from different places - maybe Windows clients, other Linux-based servers, etc. In our particular situaton, we have a file server serving user's file areas (their Windows My Documents and Desktop folders) that we also want to use from another Ubuntu-based server (we want the LTSP users on that server to be able to use the same home directories as the Windows users). So, we mounted the server's /home directory as an NFS share (you could also probably use Samba). However, when the Ubuntu users logged on and started to read / write files, they had permissions problems. This turns out to be because the Ubuntu server, which is joined to our Samba domain the same way the file server is, gives different user and groupd IDs (UID, GID) to the same users and groups - a given user seen from one server has a different GID when seen from the other. This causes havoc.

The solution (found after much swearing and muttering, after the first bout of swearing and muttering trying to figure out what the heck was going on in the first place) is to have the UIDs match up in some way. Theoretically, this can be done a number of ways - via an LDAP server, or by calculating a hash value of some sort from the Windows user deata and using that as a consistent UID on each server. However, we don't have an LDAP server running (we use Active Directory as an LDAP server, and I didn't fancy tackling that today...) and we've managed to two different versions of Samba running - 3.2 and 3.4, and 3.2 doesn't support the idmap "hash" backend that 3.4 does.

Samba 3.2 and 3.4 do both support the "rid" idmap backend, but are configured differently, just to be awkward. For Samab 3.2, in /etc/samba/smb.conf, try:

Code:

---

idmap gid = 10000-20000
idmap domains = CONVENT
idmap config CONVENT:range = 10000 - 20000
idmap config CONVENT:base_rid = 0
idmap config CONVENT:backend = rid

---

While for Samba 3.4, try:

Code:

---

idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
idmap config CONVENT:range = 10000 - 20000
idmap config CONVENT:backend = rid

---

Also, the Ubuntu 10.04 servwer we're using as an LTSP server seems to have difficulty starting Samba - try:

Code:

---

sleep 10
service smbd restart

---

in /etc/rc.local

--
David Hicks