This page is out of date. See Samba/DcWithLdapBackend for an overview of how to setup an old, NT4-style Samba Domain Controller. Most of the information listed here was taken from http://lucasmanual.com/mywiki/SambaDomainController (archive) and is still available there. CategoryProposedDeletion
Domain Controller, Samba - Article taken from http://lucasmanual.com/mywiki/SambaDomainController
Contents
- Install Samba
- Status
- Quick: Connect to samba share
- Quick: Mount Shared Folder
- Quick: Enable Writable Share Folder
- Quick: Ping netbios names from linux
- Print Server
- Configure Samba for Domain
- Netlogon
- Samba Status
- User management
- Migrate NT4 domain to Samba
- Webmin
- Performance
- External samba
- References
Install Samba
- As root:
apt-get update
apt-get install samba
The default setup for samba is user security. If you want to connect right away, add a user to samba with smbpasswd -a username and try logging in with that username and password.
Status
- To see what services are available on samba use this command.
If samba is not running, start it with /etc/init.d/samba start.
- When prompted for password, hit enter to login anonymously.
smbclient -L servername
- You should see something like:
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 3.0.24)
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Server               Comment
        ---------            -------
        SERVERNAME           Samba 3.0.24

        Workgroup            Master
        ---------            -------
        DEBIAN
        MSHOME               NTSERVERNAME
        mydomainname         DOMAINSERVER
- This means samba has installed properly and we are ready to configure what is available on it.
Quick: Connect to samba share
- To be able to use samba we have to change two things in samba (security and write permissions) and add a user.
- Edit /etc/samba/smb.conf
- Uncomment the security
security = user
- Find read only = yes and change it to
read only = no
- Now add a password for your username:
smbpasswd -a myusername
- Restart samba
/etc/init.d/samba restart
- Now you can go and browse \\hostname.or.ip.address.of.the.computer\lucas, or via the Linux file manager smb://hostname.or.ip.address.of.the.computer/lucas
- Provide the username and password: 'myusername' and the password you entered.
- The above link points to your home directory. You can set up more shares later, but you are done with the initial samba settings.
- Enjoy.
Quick: Mount Shared Folder
- You need to have smbfs installed. This package enables you to mount via smbfs or cifs. If you don't have it, do this:
apt-get update
apt-get install smbfs
[FYI] Older versions of samba used smbfs as the driver to connect to Windows. The newer driver, cifs, is faster and is going to be part of the kernel. We will use -t cifs instead of -t smbfs. We still need to install the smbfs package because cifs uses parts of it.
- To mount windows share drive you need to create a folder:
mkdir somefolder
- As root or with root privileges (su root or sudo)
mount -t cifs -o username=administrator,password=password //windowsservername/folder /home/lucas/somefolder
or
mount -t cifs -o user=administrator //windowsservername/folder /home/lucas/somefolder
- The second one will prompt you for the password.
- If you would like a non-privileged user to have write access to the share, add the uid option (the option name is lowercase).
- Options after -o are separated by commas with no spaces, or use quotation marks: -o 'uid=lucas,username=administrator,password=password'
mount -t cifs -o uid=lucas,username=administrator,password=password //windowsservername/folder /home/lucas/somefolder
- If you are connecting to a domain, make sure you use the domain option:
mount -t cifs -o uid=lucas,username=administrator,password=password,domain=mydomainname //windowsservername/folder /home/lucas/somefolder
[Optional] You can replace administrator with your username. You can also replace windowsservername with an IP address: //192.168.1.10/folder ...
Quick: Enable Writable Share Folder
- If you want to create a shared folder that is writable by everybody, you can do the following.
- Change the security mode from user to share. (The first line is commented out.)
#; security = user
security = share
Then at the bottom add the following lines.
[SHARED]
   comment = PMS files
   path = /home/lucas/Unique
   browseable = yes
   #printable = no
   guest account = nobody
   guest ok = yes
   write ok = yes
   force user = lucas
   #force group = lucas
- Replace lucas with your username or other user that you would like to use.
- Your samba share SHARED folder is ready. On windows machine go to \\COMPUTERNAME\SHARED or \\192.168.1.1\SHARED (replace 192.168.1.1 with ip address of linux machine) and you are done.
Quick: Ping netbios names from linux
Keywords: linux to windows by "full computer name", netbios lookup, nslookup
- Every PC can ping the others using the NetBIOS name, which corresponds to an IP address.
In Windows, pinging NetBIOS names works: ping mycomputer2 will ping the IP behind the name mycomputer2.
- You are able to ping a PC that is on DHCP.
This will enable the same feature in Linux.
- To enable Linux PCs to ping NetBIOS names you need to:
apt-get update
apt-get install winbind
- Now edit this file:
vi /etc/nsswitch.conf
- Change the line that starts with hosts by adding wins at the end of it.
hosts: files dns
to
hosts: files dns wins
- In my Debian it looked like this:
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
to
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 wins
- Now ping any computer you want:
ping mycomputer2
- Done.
Print Server
Install CUPS
- The first thing you need to do is install all your printers via cups.
apt-get update
apt-get install cupsys cupsys-client
- Start cups
/etc/init.d/cupsys start
Add Printers
- Go to localhost:631 and add all your printers.
This page tells you how to do it: DebianPrinting
Enable samba Printer sharing
- Then go to /etc/samba/smb.conf
- And make sure the [printers] and [print$] sections are uncommented.
- Now uncomment these:
printing = cups
printcap name = cups
- This will load the cups system printers and make them available to you.
- Now type in
smbclient -L localhost
password: [hit Enter] -- the password is empty
- You should see something like this:
        Sharename                  Type      Comment
        ---------                  ----      -------
        print$                     Disk      Printer Drivers
        IPC$                       IPC       IPC Service (faxserver server)
        Departent1-Kyocera-9520DN  Printer   Kyocera-9520DN
        Departent1-Kyocera-9500DN  Printer   Kyocera-9500DN
        Departent1-HP--8000        Printer   HP-8000
        Departent2-Kyocera-C5020DN Printer   Kyocera-C5020N
        Departent2-Kyocera-9520DN  Printer   Kyocera-9520DN
        Departent2-HP-P3005        Printer   HP-3005
        Departent2-HP-4000         Printer   HP-4000
        Accounting-Kyocera-9520DN  Printer   Kyocera-9520DN
Anonymous login successful
Upload Printer Drivers to Samba
- Now we need to upload our Windows drivers to the samba [print$] share so that the next Windows client that wants to use a printer will automatically download the drivers.
Configure Samba for Domain
- First we need to know our server name
uname -n
hostname -f
You should see your server name. You will put that server name everywhere you see servername in this document.
Root user
- We need to add our first user.
smbpasswd -a root
The SMB root password can and should be different from the unix root password.
- You should see something like this.
root# smbpasswd -a root
New SMB password: XXXXXXXX
Retype new SMB password: XXXXXXXX
- Now we need to map our user root to Administrator. This will allow our root account to be called Administrator.
In /etc/samba create a file smbusers. In it add:
#####################
#File Format
#Unix_ID = Windows_ID
#Example:
#root = Administrator
#janes = "Jane Smith"
#####################
root = Administrator
Routs
- We need to tell the system which lookup methods to use, in this order, when it looks for a computer.
- Edit /etc/nsswitch.conf and make sure it contains:
hosts: files dns wins
pre-configuration
- We need to create folders where we will keep our profiles and netlogon scripts, as well as data and apps folders that will be used for sharing files.
- Create the following folders for netlogon scripts and profiles.
mkdir /home/samba
mkdir -p /home/samba/{netlogon,profiles}
chmod ug+rw /home/samba/profiles
As an alternative, use install from the coreutils package.
install -d -m 0755 /home/samba/netlogon
install -d -m 0775 /home/samba/profiles
- [Optional] Create these folders for the programs share and company documents:
mkdir /data
mkdir /apps
Add users
- You need to add an account for each network user. You can do it by executing these commands.
- For each user you create you need a profiles folder in /home/samba/profiles/. Replace username with the actual login ID.
adduser username
smbpasswd -a username
mkdir /home/samba/profiles/username
chown username:users /home/samba/profiles/username
netlogon.bat
- When each user logs in, the netlogon script will be executed. It needs to be a correctly terminated DOS (CR/LF) file, so we will make it one.
- In the file /home/samba/netlogon/netlogon.bat write the following content (replace servername with your server name):
net time \\servername /set /yes
net use h: /home
If you are using vim to create netlogon.bat, you can save it in DOS convention by doing :set ff=dos just before you save the file with :w.
- Now we will convert it to a proper DOS file:
- We need to install a tool that will do it for us.
apt-get update
apt-get install tofrodos
- Then issue the command
todos /home/samba/netlogon/netlogon.bat
* If you are replacing a current drive mapping, you might want to remove the old one and mount the new one:
net use u: /delete
net use u: \\SERVERNAME\SOME_FOLDER
You may also want to check out this link, which tells you how to give yourself more options: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Logon/WindowsNTLoginScriptTricksandTips.html
simple working smb.conf
- It is time to create a smb.conf
Copy and paste this into your smb.conf. Change the workgroup and netbios name.
- This configuration will get your domain up and running in 30 seconds.
[global]
   #Domain name
   workgroup = yourdomainname
   #The Server Name
   netbios name = servername
   #server string = Samba
   #Time server, Workstations will set their time by this server
   time server = yes
   passdb backend = tdbsam

   #SECURITY AND LOGIN SETTINGS
   #This must be a user in PDC
   security = user
   bind interfaces only = yes
   #Windows XP/2000
   encrypt passwords = yes
   #Logon settings.
   domain logons = Yes
   #Error Logs, Comment it out when you are in production.
   log level = 3

   #PDC and MASTER BROWSER SETTINGS
   #os level = 64
   #Windows for master PDC. The highest Windows can get is 32
   preferred master = yes
   #local master = yes
   domain master = yes
   ;This defines it as the Primary Domain Controller

   #Add delete users on linux and samba (keeps linux and samba accounts in sync)
   add user script = /usr/sbin/useradd -m %u
   add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
   delete user script = /usr/sbin/userdel -r %u
   add group script = /usr/sbin/groupadd %g
   delete group script = /usr/sbin/groupdel %g
   add user to group script = /usr/sbin/usermod -G %g %u

   #User Profiles and Home directory.
   logon drive = H:
   logon path =
   logon home =
   logon script = netlogon.bat
   #Login script. Location is defined in [netlogon]

   #Define user mappings. root = Administrator
   #You don't need this if you have created an Administrator SMB user.
   username map = /etc/samba/smbusers
   wins support = yes
   passwd program = /usr/bin/passwd %u

# --- shares ---

[netlogon]
   comment = Domain Logon Service
   path = /home/samba/netlogon
   valid users = %U
   admin users = Administrator
   read only = no
   browseable = no
   write list = @admins
   guest ok = Yes
   #For read only purposes. File is not locked per user.
   locking = no

[homes]
   #If you want to set the home directory somewhere other than the unix home, use the path below.
   # path = \\otherservername\%U
   volume = %U Home
   comment = Home Folder
   valid users = %S
   read only = No
   browseable = No
   public = no
   create mode = 0750

[printers]
   comment = All Printers
   path = /var/spool/samba
   guest ok = Yes
   printable = Yes
   browseable = No

#These are Optional if you want to use them
[apps]
   comment = Application Files
   path = /apps
   admin users = Administrator
   read only = No

[data]
   comment = Application Files
   path = /data
   admin users = Administrator
   read only = No
- This samba file will allow a user to log into the samba server. Each user will have their own H drive. The Apps and Data folders are shared. The TDBSAM database is used for authentication. It will use local profiles, which means the user's settings are stored on his/her computer.
Shared folder
- If you need to quickly add a writable shared folder for anybody, you could add this to your samba config file.
[SHARED]
   comment = PMS files
   path = /home/lucas/shared
   browseable = yes
   #printable = no
   guest account = guest
   guest ok = yes
   write ok = yes
   force user = lucas
   #force group = lucas
test smb.conf
- To test smb.conf for proper structure, issue this command.
testparm
Explain smb.conf
smb.conf explained
netbios name - Name by which the Samba server is known on the network. Same as the Windows NT Computer Name. If you don’t specify it, it will default to the server’s hostname.
workgroup - This parameter tells samba which Windows NT Domain or Workgroup it will join. It is equivalent to the Windows NT Domain or Workgroup name.
server string - The description string of the Samba server. It is equivalent to the Windows NT Description field.
security - four possible values: share, user, server, domain
Share - clients need to supply only the password for the resource. This mode of security is the default for the Windows 95 file/print server. It is not recommended for use in UNIX environments, because it violates the UNIX security scheme.
User - the user/password validation is done on the server which is offering the resource. This mode is most widely used.
Server - user/password validation is done on the specified authentication server. This server can be a Windows NT server or another Samba server.
Domain - this security level is basically the same as server security, with the exception that the Samba server becomes a member of a Windows NT domain. In this case the Samba server can also participate in such things as trust relationships.
encrypt passwords - If set to yes, Samba uses the encrypted password protocol. It is used in Windows NT (starting with Service Pack 3) and Windows 95/98.
smb passwd file - This tells Samba where encrypted passwords are saved. By default, it will use /etc/smbpasswd.
name resolve order - This parameter specifies how the Samba server resolves NetBIOS names into IP addresses. The preferred value is wins lmhosts bcast.
WINS support
- Only one of the parameters (wins support or wins server) can be set at the same time. If you specify the IP address of a WINS server, then wins support must be set to “no”.
wins server - With this parameter, you tell Samba which WINS server to use.
wins support - This option tells Samba to act as a WINS server
Share options
admin users - Specify the users who have administrative privileges for the share. When they access the share, they perform all operations as root.
printable - This parameter specifies if the share is a print share. If the share is printable, then it is also writable by default.
write list - Specifies the list of people who have write access to the share. If the name begins with @ it means a group name.
writable - This parameter specifies if the share is writable. (yes/no)
read list - List of people who have read access to the share. If the name begins with @ it means a group name.
read only - If this is set to yes, the share is read only.
valid users - This parameter specifies which users can access the share.
create mask - This is used for file creation to mask against the UNIX mask calculated from the DOS mode requested. Default: 0744
directory mask - This is used for directory creation to mask against the UNIX mask calculated from the DOS mode requested. Default: 0755
Homes
- The special share section called [homes] will affect all home folders. You don't need to create a separate one for each user.
- When a client requests a connection to a file share, existing file shares are scanned. If a match is found, that share is used. If no match is found, the requested share is treated as a username and validated by security. If the name exists and the password is correct, a share with that name is created by cloning the [homes] section.
- Home folder structure in smb.conf
[homes]
   comment = Home Directories
   path = %H
   valid users = %S
   browseable = no
   writable = yes
   create mode = 0700
   directory mode = 0700
%H - Represents the home directory of the user.
%S - Represents the name of the current service which, in the case of the home share, is equal to the username.
Add Shared Folder to Samba
- Here is a sample share folder structure.
[share]
   path = /path/to/data
   comment = Data Directory on servername
   read only = yes
   valid users = @users
   write list = manager
- This shares the data in a directory as a share. You can access this share by \\servername\share. Only valid users who are part of the users group are permitted to read this data. The user named manager is allowed to write.
Add Writable share Folder
- Following the previous procedure, add this to smb.conf:
[everybody]
   comment = Everybody files
   path = /path/to/folder
   browseable = yes
   printable = no
   writable = yes
   write list = @users
Add Printer to Samba
You need to have printers installed. If you don't have them installed, follow the directions on DebianPrinting.
- When done installing printer add these lines and you will be able to print to them.
- Add this to your globals
[global]
   ...
   printcap name = cups
   printer admin = admin
   printing = cups
- Add this to the bottom of smb.conf
[printers]
   path = /var/lib/samba/printers
   create mask = 0600
   printable = yes
   browseable = no
- Now open windows explorer on your client machine and go to \\servername
- You should see the printers that you have installed in cups.
More smb.conf
Profiles
There is a choice of methods here:
- For each user to continue using their existing profile, always using the same machine with its own applications installed: after having created an account for them on the server, simply log on to the server and the existing Windows profile on the local machine will be used (as there won't be one already on the server) and copied over to the server. This is fine if they only ever use the same computer, but beware: the profile may have references to software installed only on their machine, so if they want to log in from other machines it is probably worth starting over with a fresh profile and setting up each machine exactly the same; see the next method.
or
- [We will use the first option for under 50 users in the same location] For each user to have their own profile, which they can alter, given to them efficiently using a single template profile, and which they can roam with from one machine to another, each machine having the same applications installed, or installed on the server:
Configure a Windows user account on a workstation the way you want it. (If you try to create a user account after you've created a machine account for this machine on the Samba server, creating the account on the workstation will fail with a message saying you can't create accounts in that domain. We don't know what this is about, but to work around it you can use the Users and Passwords' Advanced → Advanced → Users → Action → New User... option, or create the account without the workstation being part of a domain: do so beforehand, or temporarily revert back to a workgroup.) This will be a 'Restricted User' account. This account will be the template user profile. (We use TWEAK - The Windows Environment and Application Konfigurator, available from http://thegoldenear.org/tweak/, to configure the template user account quickly and easily; you only need to run the per-user options, including the Roaming Computing System specific options, A → P → P.) Create the template without running any applications; that will be done later. Consider where you're going to keep icons for applications by reading the section on applications further on. Any applications that require their preferences to be pre-installed manually in the Windows profile (rather than dealing with it themselves) will want that done now (see the applications section further on).
- Create a profiles folder
- Let's change the permissions on our profiles folder
mkdir /home/samba
mkdir /home/samba/profiles
chmod 1757 /home/samba/profiles
- Let's create an initial template
mkdir /home/samba/profiles/template
- In Windows Explorer log into your server by going to \\yourservername
Netlogon
- We need to create a netlogon script that will be used to mount extra drives on client machines.
- First we need to create a directory for that. The samba folder should exist already.
cd /home/samba
ls
mkdir netlogon
chmod 0755 /home/samba/netlogon
cd /home/samba/netlogon
- Here is a sample NETLOGON.BAT that we will put into /home/samba/netlogon/NETLOGON.BAT
- You will need to create this file on Windows because Windows will be the one reading it. (We need CR/LF as the end-of-line characters.)
rem ###########################################
rem logon script
rem version 0.7.0
rem
rem remember this file needs DOS CR/LF to work
rem ###########################################
rem Change Log
rem 0.7.0 13-Dec-2003
rem - added a new system and user TEMP location of e:\%username%\windows and e:\windows
rem - changed 'cooledit' directory name to 'audition' to reflect that program's name change
rem - removed creation of 'powerarchiver' directory as we use 7-Zip exclusively
rem 0.6.5 08-April-2003
rem - renamed 'server' to 'file-server'
rem - removed '/PERSISTANT:YES'
rem -------------------------------------------
net use P: \\file-server\programs
rem (only admins group can write there in our Samba configuration)
rem make mappings to shared areas, i.e.:
rem H: is made by smb.conf
net use S: \\file-server\shared
rem sync the workstation's time to that of the file-server
net time \\file-server /set /yes
rem make connections to any printer(s):
rem net use LPT1:
rem create temporary directories for %USERNAME% on TEMP partition
rem (remove any for applications not used on your system):
if not exist "e:\%username%" md "e:\%username%"
if not exist "e:\%username%\winnt" md "e:\%username%\winnt"
if not exist "e:\%username%\windows" md "e:\%username%\windows"
rem ('winnt' remains for backwards compatibility. we changed to 'windows' on 12 Dec 03 / TWEAK 0.8.32)
if not exist "e:\%username%\ie" md "e:\%username%\ie"
if not exist "e:\%username%\ie\Temporary Internet Files" md "e:\%username%\ie\Temporary Internet Files"
if not exist "e:\%username%\mozilla" md "e:\%username%\mozilla"
if not exist "e:\%username%\java" md "e:\%username%\java"
if not exist "e:\%username%\nero" md "e:\%username%\nero"
if not exist "e:\%username%\audacity" md "e:\%username%\audacity"
if not exist "e:\%username%\audition" md "e:\%username%\audition"
:EOF
- Now allow users to read that file
chmod a+r /home/samba/netlogon/NETLOGON.BAT
Update hosts file on computers
- Add this script to your logonscript.bat. Replace "MYPDC" with your domain computer name.
copy \\MYPDC\netlogon\hosts %systemroot%\system32\drivers\etc\hosts
smb.conf
- Here is a final smb.conf that you can just paste into your smb.conf file. You will need to change the workgroup name, the hosts allow/deny IP addresses and the netbios name.
- Before you start, let's make a copy of smb.conf
cp /etc/samba/smb.conf /etc/samba/smb.conf-original
- Now clear the old file and paste this in.
# Smb.conf, samba domain controller
# Replacing windows nt domain controller
# Need to change workgroup, netbios name, allowed host allow/deny

[global]
   #Domain name
   workgroup = domainname
   #The Server Name
   netbios name = domainserver
   #server string = Samba
   #Time server, Workstations will set their time by this server
   time server = yes
   passdb backend = tdbsam

   #SECURITY AND LOGIN SETTINGS
   #This must be a user in PDC
   security = user
   #Allow connection from specified addresses 10.1.1.*
   #Change it to your ip network, example: 192.168.0.
   #hosts allow = 127.0.0.1 10.1.1.
   #Deny others
   #hosts deny = 0.0.0.0/0
   #Only allow connection through network card
   #interfaces = eth* lo
   #bind interfaces only = yes
   #Windows XP/2000
   encrypt passwords = yes
   #Logon settings.
   domain logons = Yes
   #Error Logs, Comment it out when you are in production.
   log level = 5

   #PDC and MASTER BROWSER SETTINGS
   #os level = 64
   #Windows for master PDC. The highest Windows can get is 32
   preferred master = yes
   #preferred master = auto
   local master = yes
   domain master = yes
   ;This defines it as the Primary Domain Controller

   #Add delete users on linux and samba (keeps linux and samba accounts in sync)
   add user script = /usr/sbin/useradd -m %u
   add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
   delete user script = /usr/sbin/userdel -r %u
   add group script = /usr/sbin/groupadd %g
   delete group script = /usr/sbin/groupdel %g
   add user to group script = /usr/sbin/usermod -G %g %u

   #User Profiles and Home directory.
   logon path = \\%L\profiles\%U
   logon home = \\%L\%U
   logon script = netlogon.bat
   #Login script. Location is defined in [netlogon]

   #Define user mappings between this system and windows system.
   #Without this you get asked for a password.
   #You don't need this if you have created the SMB user here.
   username map = /etc/samba/smbusers
   wins support = yes
   admin users = root

   #Keep the case in file/directory names. Matching is done without regard to case.
   #It allows transition from non-case system (windows) to case system (unix)
   preserve case = yes
   short preserve case = yes
   case sensitive = no

   #Sync Unix passwords from windows workstation using PAM
   #Allow users to change their password
   unix password sync = yes
   #pam password change = yes

   #Optimization of samba for increased speed
   #SO_KEEPALIVE -sends a probe every 4 hours to check that a connection is still active
   #TCP_NODELAY
   #IPTOS_LOWDELAY
   #SO_SNDBUF=14596 -14596 is roughly the best in most circumstances,
   # it may be optimized better for your system.
   #SO_RCVBUF = 14596
   socket options = TCP_NODELAY,IPTOS_LOWDELAY, SO_KEEPALIVE, SO_SNDBUF=14596, SO_RCVBUF=14596

   #lpq command = %p
   #name resolve order = wins bcast hosts
   #passwd chat debug = Yes
   #idmap gid = 15000-20000
   #passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n
   #lprm command =
   passwd program = /usr/bin/passwd %u
   #print command =
   #printing = cups
   #idmap uid = 15000-20000
   #printcap name = CUPS
   #null passwords = yes

# --- shares ---

[netlogon]
   comment = Domain Logon Service
   path = /home/samba/netlogon
   valid users = %U
   admin users = Administrator
   read only = no
   browseable = no
   write list = @admins
   guest ok = Yes
   #For read only purposes. File is not locked per user.
   locking = No

[profiles]
   comment = Network Profiles Share
   path = /home/samba/profiles
   browseable = yes
   guest ok = yes
   writeable = yes
   read only = no
   profile acls = yes
   csc policy = disable
   create mode = 0600
   directory mode = 0700

[homes]
   #If you want to set the home directory somewhere other than the unix home, use the path below.
   # path =
   volume = %U Home
   comment = Home Folder
   valid users = %S
   read only = No
   browseable = No
   public = no
   create mode = 0750

[printers]
   comment = All Printers
   path = /var/spool/samba
   guest ok = Yes
   printable = Yes
   browseable = No

#These are Optional
[apps]
   comment = Application Files
   path = /apps
   admin users = Administrator
   read only = No

[data]
   comment = Application Files
   path = /data
   admin users = Administrator
   read only = No
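As an added check (not code from the original page or from the Samba project), the following Python spot-checks an smb.conf for the settings this page's own examples rely on: security = share and the guest-writable [SHARED] share from the quick-start section, and the [netlogon] share above, which is writable with guest ok and a write list that therefore has no effect. The two configurations inside it are constructed, cut-down versions of those sections.

```python
# Spot-check an smb.conf for the risky settings this page's examples use.
# Added example, not part of the wiki page or of Samba: it knows only the
# parameters discussed here and complements testparm rather than replacing it.
import re

# Constructed sample: the quick-start [SHARED] share plus the domain smb.conf's
# [global] and [netlogon] sections, cut down to the lines that matter here.
WEAK_SMB_CONF = """\
[global]
   ;security = user
   security = share
   #hosts allow = 127.0.0.1 10.1.1.
   encrypt passwords = yes
   log level = 5
   null passwords = yes
[netlogon]
   path = /home/samba/netlogon
   read only = no
   write list = @admins
   guest ok = Yes
[SHARED]
   path = /home/lucas/shared
   guest ok = yes
   write ok = yes
   force user = lucas
"""

# The same server with those settings corrected (also constructed).
HARDENED_SMB_CONF = """\
[global]
   security = user
   hosts allow = 127.0.0.1 10.1.1.
   log level = 1
[netlogon]
   path = /home/samba/netlogon
   read only = yes
   write list = @admins
   guest ok = no
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {parameter: value}}; parameter names are
    case-insensitive with internal whitespace ignored, '#'/';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections


def as_bool(value, default=False):
    """Samba boolean (yes/true/1); None means the parameter is unset."""
    return default if value is None else value.strip().lower() in ("yes", "true", "1")


def share_is_writable(params):
    """'writable', 'writeable' and 'write ok' are the inverse of 'read only' (default
    yes). Simplification: an explicit synonym here takes priority over 'read only'."""
    for key in ("writable", "writeable", "write ok"):
        if key in params:
            return as_bool(params[key])
    return not as_bool(params.get("read only"), default=True)


def audit(text):
    """Return (section, finding) pairs for the settings discussed on this page."""
    sections = parse_smb_conf(text)
    findings = []
    g = sections.get("global", {})
    if g.get("security", "user").lower() == "share":
        findings.append(("global", "security-share"))      # per-share passwords, no per-user accountability
    if "hosts allow" not in g:
        findings.append(("global", "no-hosts-allow"))      # nothing limits which addresses may connect
    if as_bool(g.get("null passwords")):
        findings.append(("global", "null-passwords"))      # accounts with empty passwords can log in
    level = (g.get("log level") or "0").split()[0]
    if level.isdigit() and int(level) >= 3:
        findings.append(("global", "debug-log-level"))     # debug logging left on in production
    for name, params in sections.items():
        if name == "global":
            continue
        writable = share_is_writable(params)
        guest = as_bool(params.get("guest ok")) or as_bool(params.get("public"))
        if writable and guest:
            findings.append((name, "guest-writable"))      # unauthenticated clients can write here
        if writable and "write list" in params:
            findings.append((name, "write-list-ignored"))  # write list only adds access on read-only shares
        if name == "netlogon" and writable:
            findings.append((name, "netlogon-writable"))   # every workstation runs scripts from here
        if guest and "force user" in params:
            findings.append((name, "force-user-guest"))    # guest writes land on disk as that Unix user
    return findings
```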
Samba Status
What is available
- To see what services are available on samba use this command
- If no password is set, hit enter to login anonymously.
smbclient -L servername
- You should see something like:
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 3.0.24)
        Dept1-HP-P3005N Printer   Dept1
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Server               Comment
        ---------            -------
        DOMAINSERVER         Samba 3.0.24

        Workgroup            Master
        ---------            -------
        DEBIAN
        MSHOME               NTSERVERNAME
        mydomainname         DOMAINSERVER
User management
Manage users
- There are two tools to manage users. We will use the second one because it gives us more control.
- smbpasswd
- pdbedit
smbpasswd:
- add user or machine accounts.
- delete user or machine accounts.
- enable user or machine accounts.
- disable user or machine accounts.
- set to NULL user passwords.
- manage interdomain trust accounts.
pdbedit:
- add, remove, or modify user accounts.
- list user accounts.
- migrate user accounts.
- migrate group accounts.
- manage account policies.
- manage domain access policy settings.
pdbedit
- Find the details on user:
pdbedit -Lv username
- Or to see all users:
pdbedit -Lv |less
Press space to view the next page, q to quit.
Add user
- Two options.
smbpasswd: Add the username as a Debian Linux account and as a samba account.
adduser 'username'
smbpasswd -a 'username'
Add the user with pdbedit. The Unix account needs to exist already:
pdbedit -a username
Delete user
Delete samba account:
pdbedit -x username
Change account
- Change user account information
pdbedit -r --fullname="First Last name" username
Reset password expiration for account
pdbedit -z username
Account flag, disable
- Available flags
D  Account is disabled.
H  A home directory is required.
I  An inter-domain trust account.
L  Account has been auto-locked.
M  An MNS (Microsoft network service) logon account.
N  Password not required.
S  A server trust account.
T  Temporary duplicate account entry.
U  A normal user account.
W  A workstation trust account.
X  Password does not expire.
- To change a flag do this:
pdbedit -r -c "[DLX]" username
- To reset to default:
pdbedit -r -c "[]" username
Default account settings
- Account policies must be set individually on each PDC and BDC.
- See what is the default now.
pdbedit -P ?
- Change a default:
pdbedit -P "min password length" -C 8
- Replace "min password length" with the other options you saw in pdbedit -P ?
Unix passwords to samba passwords
cat /etc/passwd | /usr/sbin/mksmbpasswd > /etc/samba.d/smbpasswd
Change password backend
- This will migrate passwords from smbpasswd to tdbsam
pdbedit -i smbpasswd -e tdbsam
- Make sure you remove smbpasswd from smb.conf
passdb backend = tdbsam:/etc/samba/passdb.tdb
- You should be done. Your user should be able to log into your domain.
Administrator
- The Administrator user is a member of the Administrators group, and thus inherits the Administrators group privileges. When an MS Windows NT4/200x/XP machine is made a domain member, the “Domain Admins” group of the PDC is added to the local Administrators group of the workstation. Every member of the Domain Admins group inherits the rights of the local Administrators group when logging on to the workstation.
- The following steps describe how to make Samba PDC users members of the Domain Admins group.
- Create a UNIX group (usually in /etc/group); let's call it domainadmin.
addgroup domainadmin
- Add to this group the users that must be “Administrators”. For example, if you want joe, john, and mary to be administrators, your entry in /etc/group will look like this:
domainadmin:x:502:joe,john,mary
- Map this domainadmin group to the “Domain Admins” group by executing the command:
root# net groupmap add ntgroup="Domain Admins" unixgroup=domainadmin rid=512 type=d
- Now joe, john, and mary are domain administrators.
Add unix group to samba
- It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as to make any UNIX group a Windows domain group. For example, if you wanted to include a UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine, you would flag that group as a domain group by running the following on the Samba PDC:
root# net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct type=d
- Be aware that the RID parameter is an unsigned 32-bit integer that should normally start at 1000. However, this RID must not overlap with any RID assigned to a user. Verification for this is done differently depending on the passdb backend you are using. Future versions of the tools may perform the verification automatically, but for now the burden is on you.
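An added helper (not from the page or from Samba) for the check the paragraph above leaves to you: it reads pdbedit -Lv and net groupmap list output and reports whether a RID you intend to pass to net groupmap add is already held by a user or by an existing group mapping. The listings are constructed, and the line formats it relies on ('User SID:' lines from pdbedit -Lv, 'name (SID) -> unixgroup' lines from net groupmap list) are assumptions about Samba 3 output.

```python
# Check that a RID about to be handed to "net groupmap add" is not already used
# by a user or by an existing group mapping.  Added example, not part of the
# page or of Samba.  The pdbedit -Lv and net groupmap list line formats below
# are assumptions based on Samba 3 output, and both listings are constructed.
import re

PDBEDIT_LV_OUTPUT = """\
---------------
Unix username:        joe
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1000000001-2000000002-3000000003-1000
Primary Group SID:    S-1-5-21-1000000001-2000000002-3000000003-513
---------------
Unix username:        mary
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1000000001-2000000002-3000000003-1002
Primary Group SID:    S-1-5-21-1000000001-2000000002-3000000003-513
"""

GROUPMAP_LIST_OUTPUT = """\
Domain Admins (S-1-5-21-1000000001-2000000002-3000000003-512) -> domainadmin
Accounting (S-1-5-21-1000000001-2000000002-3000000003-1004) -> acct
"""

# Domain SID followed by the RID; the RID is the last component.
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-(\d+)")


def user_rids(pdbedit_output):
    """RIDs of the accounts in pdbedit -Lv output. Only 'User SID:' lines count;
    'Primary Group SID:' lines carry group RIDs such as 513 (Domain Users)."""
    rids = set()
    for line in pdbedit_output.splitlines():
        if line.startswith("User SID:"):
            m = SID_RE.search(line)
            if m:
                rids.add(int(m.group(1)))
    return rids


def mapped_group_rids(groupmap_output):
    """RIDs already taken by entries in net groupmap list output."""
    return {int(m.group(1)) for m in SID_RE.finditer(groupmap_output)}


def rid_is_free(rid, pdbedit_output, groupmap_output):
    """True if neither a user nor an existing group mapping holds this RID."""
    return rid not in user_rids(pdbedit_output) | mapped_group_rids(groupmap_output)


def next_free_rid(pdbedit_output, groupmap_output, start=1000):
    """Smallest unused RID >= start; starting at 1000 keeps clear of the
    well-known RIDs such as 512 (Domain Admins) the page maps explicitly."""
    taken = user_rids(pdbedit_output) | mapped_group_rids(groupmap_output)
    rid = start
    while rid in taken:
        rid += 1
    return rid
```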
Migrate NT4 domain to Samba
- We start from the beginning.
Clean up or delete passdb.tdb, located at /var/lib/samba/passdb.tdb
Clean up NT4 Domain
- Clean up the NT domain. Make sure all groups are lowercase, delete any accounts that you don't want to transfer.
smb.conf
- Replace the contents of smb.conf with this.
- Replace [domainname], the netbios name and the wins server ip address. If you don't have a wins server, comment that line out.
[global]
workgroup = [domainname]
netbios name = SAMBASERVER
passdb backend = tdbsam
domain master = No
domain logons = Yes
os level = 33
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
wins server = [IP of wins server]
- Restart Samba
/etc/init.d/samba restart
- Test your settings in smb.conf. You should see no errors.
testparm
Join the samba BDC to NT domain
- Replace with proper names
net rpc join -S [NT netbios name or IP] -U Administrator
- Replace domaincomputername with the NT server's netbios name, or use its ip address instead.
net rpc join -S domaincomputername -U Administrator
- You should see something like.
server:/etc/samba# net rpc join -S domaincomputername -U Administrator
Password:
Joined domain LIABILITY.
Migrate User Accounts
- We will use the net rpc vampire command to migrate the user accounts
net rpc vampire -S [NT netbios name or IP] -W [domainname] -U Administrator
- So in my case it would be:
net rpc vampire -S domaincomputername -W xyzdomain -U Administrator
- You should see something like:
Fetching DOMAIN database
Creating unix group: 'Domain Admins'
Creating unix group: 'Domain Users'
Creating unix group: 'Domain Guests'
Creating unix group: 'Claims'
Creating unix group: 'Accounting'
Creating account: Administrator
Creating account: Guest
...
Creating unix group: 'Administrators'
Creating unix group: 'Backup Operators'
Creating unix group: 'Guests'
Creating unix group: 'Print Operators'
Creating unix group: 'Replicator'
Creating unix group: 'Server Operators'
Creating unix group: 'Users'
- Double check that your users have been created. Use this command.
pdbedit -L
- Shut down your old domain. You might need it later, so don't destroy it just yet.
- Edit smb.conf and change or add these two things.
- Now restart Samba
/etc/init.d/samba restart
- Now Login with your client workstation.
Webmin
Install Webmin
- Install the administrative web front-end app
- Install prerequisites
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl
- Download the deb file.
- Check for newer version on the website.
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.350_all.deb
- Install downloaded file
dpkg --install webmin_1.350_all.deb
Performance
windows max tcp/ip speed
The problem is in the old TCP/IP settings in Windows. Back in the beginning Windows had a small TCP window size and it never changed. By adding the following to the registry you can increase it to something more appropriate for 100M NICs
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
; 0x20148 = 131400 bytes receive window; Tcp1323Opts 3 enables window scaling and timestamps
"GlobalMaxTcpWindowSize"=dword:00020148
"TcpWindowSize"=dword:00020148
"Tcp1323Opts"=dword:00000003
This helped me no end with my backups. Increased network throughput by a factor of 30. So give it a go.
http://rdweb.cns.vt.edu/public/notes/win2k-tcpip.htm will explain it a bit more.
windows 7 and samba issues
If you discover that copying files from (or to) a shared folder is too slow, set socket options in the global section to TCP_NODELAY and then restart samba. In smb.conf:
socket options = TCP_NODELAY
restart samba
# /etc/init.d/samba reload
To restart samba you have to be root or have privileges to manage samba. If this doesn't help and your speed is still too low (in my case it took 20 hours to copy an 800 Mb file from the shared folder), install ethtool and switch off autonegotiation on the appropriate network adapter.
aptitude install ethtool
ethtool -s eth1 speed 100 duplex full autoneg off
In my situation it helps... I hope it will be useful for you too...
External samba
time
The relationship of "net time" and a real ntp server seems to be a one time sync only anyway. However, you can have the PC really use ntp:
:: setup ntp client
:: need to be an admin - one time setup
sc stop w32time
w32tm /unregister
w32tm /register
net time /setsntp:ntpd-server
sc config w32time start= auto
sc start w32time
w32tm /resync
w32tm /stripchart /computer:ntpd-server /samples:1
Could instead use a real Policy or manually jam it into the registry:
:: setup ntp client
:: need to be an admin - one time setup
:: /f on every reg add suppresses the overwrite prompt so the script runs unattended
reg add HKLM\SOFTWARE\Policies\microsoft\w32time /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /v NtpServer /d ntpd-server /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /v Type /d NTP /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v Enabled /t REG_DWORD /d 0x1 /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v CrossSiteSyncFlags /t REG_DWORD /d 0x2 /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v ResolvePeerBackoffMinutes /t REG_DWORD /d 0xf /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v ResolvePeerBackoffMaxTimes /t REG_DWORD /d 0x7 /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v SpecialPollInterval /t REG_DWORD /d 0xe10 /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v EventLogFlags /t REG_DWORD /d 0x0 /f
:: apply the policy keys written above
gpupdate /target:computer /force
- These might be useful as well:
"How to configure an authoritative time server in Windows XP: Configuring the Windows Time service to use an external time source" http://support.microsoft.com/kb/314054/EN-US/#EXTERNAL or http://support.microsoft.com/kb/314054/EN-US
References
Based on:
http://www.phptr.com/content/images/013188221X/downloads/013188221X_book.pdf
http://pserver.samba.org/samba/ftp/cifs-cvs/linux-cifs-client-guide.pdf