SAMBA SERVER (PDC)

INTRODUCTION

Samba is a suite of utilities that allows your Linux box to share files and other resources, such as printers, with Windows boxes. This lesson describes how you can make your Linux box into a Windows Primary Domain Controller (PDC) or a server for a Windows Workgroup. Either configuration will allow everyone at home to have:

- their own logins on all the home Windows boxes while having their files on the Linux box appear to be located on a new Windows drive
- shared access to printers on the Linux box
- shared files accessible only to members of their Linux user group.

Package Installation

Samba is comprised of a suite of RPMs that come on the RHEL/Fedora CDs. The files are named:

- samba
- samba-common
- samba-client
- samba-swat

How to Get Samba Started

You can configure Samba to start at boot time using the chkconfig command:

    [root@bigboy tmp]# chkconfig smb on

You can start/stop/restart Samba after boot time using the smb initialization script as in the examples below:

    [root@bigboy tmp]# service smb start
    [root@bigboy tmp]# service smb stop
    [root@bigboy tmp]# service smb restart

The Samba Configuration File

The /etc/samba/smb.conf file is the main configuration file you'll need to edit.

| Section | Description |
|---|---|
| [global] | General Samba configuration parameters |
| [printers] | Used for configuring printers |
| [homes] | Defines treatment of user logins |
| [netlogon] | A share for storing logon scripts. (Not created by default.) |
| [profiles] | A share for storing domain logon information such as "favorites" and desktop icons. (Not created by default.) |

Configuring SWAT

SWAT, Samba's web based configuration tool, enables you to configure your smb.conf file without needing to remember all the formatting. The enabling and disabling, starting and stopping of SWAT is controlled by xinetd via a configuration file named /etc/xinetd.d/swat.

SAMBA PDC CONFIGURATION

1. The [Global] Section

| Parameter | Value | Description |
|---|---|---|
| domain logons | Yes | Tells Samba to become the PDC. |
| preferred master | Yes | Makes the PDC act as the central store for the names of all Windows clients, servers and printers on the network. Very helpful when you need to "browse" your local network for resources. Also known as a local master browser. |
| domain master | Yes | Tells Samba to become the master browser across multiple networks all over the domain. The local master browsers register themselves with the domain master to learn about resources on other networks. |
| os level | 65 | Sets the priority the Samba server should use when negotiating to become the PDC with other Windows servers. A value of 65 will usually make the Samba server win. |
| wins support | Yes | Allows the Samba server to provide name services for the network. In other words, it keeps track of the IP addresses of all the domain's servers and clients. |
| time server | Yes | Lets the Samba server provide time updates for the domain's clients. |
| workgroup | "homenet" | The name of the Windows domain we'll create. The name you select is your choice. I've decided to use "homenet". |
| security | user | Makes domain logins query the Samba password database located on the Samba server itself. |

Here's how to set the values using SWAT.

1. Log into SWAT and click on the [global] section.
2. Click the Advanced button to see all the options.
3. Make your changes and click on the Commit Changes button when finished.
4. Your smb.conf file should resemble the example below when you're finished. You can view the contents of the configuration file by logging in to the Samba server via a command prompt and using the cat /etc/samba/smb.conf command to verify your changes as you do them.

    [global]
        workgroup = HOMENET
        time server = Yes
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes

2. The [homes] Section

The [homes] section governs how Samba handles default login directories.

| Parameter | Value | Description |
|---|---|---|
| browseable | No | Doesn't allow others to browse the contents of the directory. |
| read only | No | Allows the Samba user to also write to their Samba Linux directory. |
| create mask | 0664 | Makes new files created by the user have "644" permissions. You want to change this to "0600" so that only the login user has access to files. |
| directory mask | 0775 | Makes new sub-directories created by the user have "775" permissions. You want to change this to "0700" so that only the login user has access to directories. |

Here's how to set the values using SWAT:

1. Click on the SWAT shares button to proceed to where shared directories are configured.
2. Click the Advanced button to see all the options.
3. Choose the Homes share.
4. Make your changes and click on the Commit Changes button when finished.
5. Your smb.conf file should resemble this when finished. You can view the contents of the configuration file by logging in to the Samba server via a command prompt and using the cat /etc/samba/smb.conf command to verify your changes as you do them.

    [homes]
        read only = No
        browseable = No
        create mask = 0644
        directory mask = 0755
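
The [homes] block printed above still carries group and world bits, while the table recommends 0600 and 0700. The following check is an added example, not part of the original lesson: it parses smb.conf text and reports which mask bits exceed that recommendation. The function names and the embedded sample are constructed for illustration.

```python
import re

# Masks the text recommends for private per-user data (files 0600, dirs 0700).
RECOMMENDED = {"create mask": 0o600, "directory mask": 0o700}

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return "".join(name.lower().split())

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(norm(header.group(1)), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' separates
            current[norm(key)] = value.strip()
    return shares

def audit_masks(text, sections=("homes", "profiles")):
    """List (section, parameter, value, extra_bits) for masks wider than RECOMMENDED."""
    findings, shares = [], parse_smb_conf(text)
    for section in sections:
        params = shares.get(norm(section), {})
        for name, limit in RECOMMENDED.items():
            value = params.get(norm(name))
            if value is None:                # unset: Samba's built-in default applies
                findings.append((section, name, None, None))
                continue
            extra = int(value, 8) & ~limit & 0o777
            if extra:
                findings.append((section, name, value, format(extra, "04o")))
    return findings

# Constructed input: the mask lines of [homes] and [profiles] as printed in this lesson.
AS_PRINTED = """[homes]
create mask = 0644
directory mask = 0755
[profiles]
create mask = 0600
directory mask = 0700
"""

if __name__ == "__main__":
    print(audit_masks(AS_PRINTED))
```

Each finding names the share, the parameter, the configured value and the octal bits that go beyond owner-only access; an empty list means both shares match the recommended masks.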

3. The [netlogon] and [profiles] Share Sections

The [netlogon] share section contains scripts that the Windows clients may use when they log into the domain. The [profiles] share section stores settings related to the look and feel of Windows, such as favorites and desktop icons, so that the user has the same settings no matter which Windows PC is logged into.

Your smb.conf file should look like this when you're finished:

    [netlogon]
        path = /home/samba/netlogon
        guest ok = Yes

    [profiles]
        path = /home/samba/profiles
        read only = No
        create mask = 0600
        directory mask = 0700

Here's how to do it.

1. Click the Shares button.
2. Create a [netlogon] share.
3. Modify the path and guest ok settings.
4. Click on the Commit Changes button.
5. Create a [profiles] share section.
6. Modify the path, mask and read only settings. The mask settings allow only the owner of the netlogon subdirectory to be able to modify its contents.
7. Click on the Commit Changes button.

Remember to create these share directories from the command line afterwards. The directory names must match the path values in smb.conf.

    [root@bigboy tmp]# mkdir -p /home/samba/netlogon
    [root@bigboy tmp]# mkdir -p /home/samba/profiles
    [root@bigboy tmp]# chmod -R 0755 /home/samba

4. The [printers] Share Section

The default smb.conf [printers] share section looks like this:

    [printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

Samba Passwords

You should be aware that your Linux password and Samba passwords are stored in two different locations. Samba passwords are stored in the /etc/samba/smbpasswd file and can be changed with the smbpasswd command.

Create A Samba PDC Administrator User

    [root@bigboy tmp]# /usr/bin/smbpasswd -a root password

ADDING WORKSTATIONS TO YOUR SAMBA DOMAIN

Adding workstations to a Samba domain is a two step process involving the creation of workstation trust accounts on the Samba server and then logging into each workstation to add them to the domain. Samba can create these Machine Trusts in two ways, either manually or automatically.

Manual Creation Of Machine Trust Accounts (NT Only)

    [root@bigboy tmp]# groupadd samba-clients
    [root@bigboy tmp]# /usr/sbin/useradd -g samba-clients -d /dev/null -s /bin/false machine_name$
    [root@bigboy tmp]# passwd -l machine_name$
    [root@bigboy tmp]# smbpasswd -a -m machine_name

Dynamic Creation of Machine Trust Accounts

You can set this up by editing the /etc/samba/smb.conf file to automatically add the required users. The easiest way to do this is to use SWAT in the Global menu to modify the add machine script parameter.

    [global]
        # <...remainder of parameters...>
        add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u

When you have completed the modifications, you'll need to create the samba-clients Linux group that will be used to help identify all the domain's Windows clients listed in the /etc/passwd file.

    [root@bigboy tmp]# groupadd samba-clients

MAKE YOUR PC CLIENTS AWARE OF YOUR SAMBA PDC

Windows 95/98/ME and Windows XP Home

Windows 9x machines do not implement full domain membership and therefore don't require machine trust accounts. Here's what you need to do:

1. Navigate to the Network section of the Control Panel (Start -> Settings -> Control Panel -> Network).
2. Select the Configuration tab.
3. Highlight "Client for Microsoft Networks".
4. Click the Properties button.
5. Check "Log onto Windows NT Domain", and enter the domain name.
6. Click all the OK buttons and reboot!

Windows NT

For Windows NT, you must first create a manual Samba machine trust account as explained earlier, then follow these steps:

1. Navigate to the Network section of the Control Panel (Start -> Settings -> Control Panel -> Network).
2. Select the "Identification" tab.
3. Click the "Change" button.
4. Enter the domain name and computer name. Do not check the box Create a Computer Account in the Domain. In this case, the existing machine trust account is used to join the machine to the domain.
5. Click "OK". You should get a "Welcome to <DOMAIN>" message as confirmation that you've been added.
6. Reboot.

You can now log in using any account in the /etc/smbpasswd file with your domain as the domain name.

Windows 200x and Windows XP Professional

For the 200x and XP Professional varieties of Windows, create a dynamic Samba machine trust account, then go through these steps:

1. Press the Windows and Break keys simultaneously to access the System Properties dialogue box.
2. Click on the 'Network Identification' or 'Computer Name' tab on the top.
3. Click the "Properties" button.
4. Click on the "Member of Domain" button.
5. Also enter your domain name and computer name and then click "OK".
6. You will be prompted for a user account and password with rights to join a machine to the domain. Enter the information for your Samba administrator. In this home environment scenario, the user would be root with the corresponding smbpasswd password. Now, you should get a "Welcome to <DOMAIN>" message confirming that you've been added.
7. Reboot.

ADDING USERS TO YOUR SAMBA DOMAIN

Adding users to a domain has three broad phases.

1. Adding The Users In Linux

To create the user, use the command:

    [root@bigboy tmp]# useradd -g 100 peter

2. Give them a Linux Password

Giving them a Linux password is only necessary if the user needs to log into the Samba server directly. If the user does, use this method:

    [root@bigboy tmp]# passwd peter

3. Mapping The Linux Users To An smbpassword

Next, you need to create Samba domain login passwords for the user.

    [root@bigboy tmp]# /usr/bin/smbpasswd -a username password