Linux/Samba/Domain Controller
Tutorial #1
SAMBA (Domain Controller) Server For Small Workgroups With Ubuntu 5.10 "Breezy Badger"
yum install samba samba-client samba-common
Edit /etc/samba/smb.conf:
[global]
   workgroup = T0E
   netbios name = TESTLAB
   server string = %h server
   passdb backend = tdbsam
   security = user
   username map = /etc/samba/smbusers
   name resolve order = wins bcast hosts
   domain logons = yes
   preferred master = yes
   wins support = yes

   # Set CUPS for printing
   #printcap name = CUPS
   #printing = CUPS

   # Default logon
   #logon drive = H:
   #logon script = scripts/logon.bat
   #logon path = \\server1\profile\%U

   # Useradd scripts
   add user script = /usr/sbin/useradd -m %u
   delete user script = /usr/sbin/userdel -r %u
   add group script = /usr/sbin/groupadd %g
   delete group script = /usr/sbin/groupdel %g
   # -a appends to the supplementary groups; without it usermod -G replaces them
   add user to group script = /usr/sbin/usermod -a -G %g %u
   add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
   idmap uid = 15000-20000
   idmap gid = 15000-20000

   # sync smb passwords with linux passwords
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   # logs the whole password chat, passwords included, at log level 100; turn off once the chat works
   passwd chat debug = yes
   unix password sync = yes

   # set the loglevel
   log level = 3

[homes]
   comment = Home
   valid users = %S
   read only = no
   browsable = no

[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = yes
   guest ok = yes
   browsable = no

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   admin users = Administrator
   valid users = %U
   # writable netlogon lets every domain user edit the logon scripts clients run; set read only = yes once the scripts are in place
   read only = no

[profile]
   comment = User profiles
   path = /home/samba/profiles
   valid users = %U
   create mode = 0600
   directory mode = 0700
   writable = yes
   browsable = no
Create the directories for domain logons and profiles:
mkdir /home/samba
mkdir /home/samba/netlogon
mkdir /home/samba/profiles
mkdir /var/spool/samba
chmod 1777 /var/spool/samba/    # world-writable spool with the sticky bit, so users cannot delete each other's jobs
chown -R root:users /home/samba/
chmod -R 771 /home/samba/
/etc/init.d/samba restart
Edit /etc/nsswitch.conf. Change the line:
hosts: files dns
to:
hosts: files wins dns
Add the root user to the SAMBA password database. The root user (alias: Administrator) will be our domain administrator. This account is needed to add new computers to the SAMBA domain.
smbpasswd -a root
Create the file /etc/samba/smbusers and add the line by executing:
echo "root = Administrator" > /etc/samba/smbusers
This will allow us to use the common Windows username "Administrator" as an alias for the Linux root user. Now test whether the setup is correct:
smbclient -L localhost -U%
The output should look similar to this:
Domain=[T0E] OS=[Unix] Server=[Samba 3.0.23c-2.el5.2.0.2]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        IPC$            IPC       IPC Service (testlab server)
Domain=[T0E] OS=[Unix] Server=[Samba 3.0.23c-2.el5.2.0.2]

        Server               Comment
        ---------            -------
        TESTLAB              testlab server

        Workgroup            Master
        ---------            -------
        T0E                  TESTLAB
Setup the default domain groups for windows:
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup
or:
net groupmap add ntgroup="Domain Admins" unixgroup=root
net groupmap add ntgroup="Domain Users" unixgroup=users
net groupmap add ntgroup="Domain Guests" unixgroup=nogroup
Adding Users To Our SAMBA Domain
Now we will add a user, e.g. tom, to our Samba domain. You will have to add a user like this for each user account you want to connect to this SAMBA domain server.
1) Add a Linux user tom:
useradd -m -G users tom
2) Add the linux user tom to the SAMBA password database:
smbpasswd -a tom
Adding Shares
Now I will add a share that is accessible by all users.
mkdir -p /home/shares/allusers
chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/
At the end of the file /etc/samba/smb.conf add the following lines:
[allusers]
   comment = All Users
   path = /home/shares/allusers
   valid users = @users
   force group = users
   create mask = 0660
   directory mask = 0771
   writable = yes
/etc/init.d/samba restart
Problems
Password Change
I was unable to change my user password from my Windows XP machine.
A thread asked the same question. The answer was to:
Change:
   unix password sync = yes
to:
   unix password sync = no
This appeared to work. This may be because all of the samba users are the same user, and not individual Linux accounts.
Another suggestion, from a comment on the same thread, was to change the "passwd chat" line in smb.conf to:
   passwd chat = *password* %n\n *password* %n\n *success*
Domain Administration
From what I can tell, all new users will need to be added via the command line on the PDC. I was unable to connect to the PDC using the mmc "Users" snap-in.
Security
It appears that the domain groups and security permissions are either ignored or simply not used.
Linux Client Authentication
How will this work with a Linux workstation? It doesn't appear you can use Samba on a Linux workstation to authenticate against a Samba Domain Controller without some serious reconfiguration.
It seems that joining the domain is no problem, but using the Samba Domain Controller for login authentication appears to be another issue.
How do I force password restrictions and expiration?
See [1] for a possible example:
min password length = 6
null passwords = No
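As an added example (not part of the original page or of Samba itself), the checker below parses an smb.conf the way smbd reads parameter names (case and whitespace ignored) and flags the weak settings that come up on this page: passwd chat debug = yes in the [global] section near the top, the writable [netlogon] share, guest ok = yes on a share, null passwords, and a min password length below 8. The two embedded configurations are constructed for the example, the threshold of 8 is an assumption, and the parameter names are the Samba 3 ones used on this page.

```python
import re
import sys

# Constructed sample that repeats the weak spots of the smb.conf on this page.
WEAK_SMB_CONF = """
[global]
   netbios name = TESTLAB
   security = user
   passwd chat debug = yes
   unix password sync = yes

[printers]
   path = /var/spool/samba
   guest ok = yes

[netlogon]
   path = /home/samba/netlogon
   valid users = %U
   read only = no
"""

# The same configuration with every finding corrected (also constructed).
HARDENED_SMB_CONF = """
[global]
   netbios name = TESTLAB
   security = user
   passwd chat debug = no
   unix password sync = yes
   min password length = 8
   null passwords = no

[printers]
   path = /var/spool/samba
   guest ok = no

[netlogon]
   path = /home/samba/netlogon
   valid users = %U
   read only = yes
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    smbd ignores case and all whitespace in parameter names, so
    "Read Only", "read only" and "readonly" all become "readonly".
    Comment lines (# or ;) and blank lines are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = re.match(r"^\[(.+)\]$", line)
        if match:
            current = match.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", "", key.lower())] = value.strip()
    return sections


def is_yes(value):
    """smb.conf booleans: yes/true/1 are true, anything else is false."""
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(params):
    """'read only = no' and 'writable'/'writeable' = yes mean the same thing; default is read-only."""
    if params.get("readonly") is not None:
        return not is_yes(params["readonly"])
    return is_yes(params.get("writable", params.get("writeable", "no")))


def audit(sections):
    """Return (section, finding) pairs for the weak settings discussed on this page."""
    findings = []
    g = sections.get("global", {})
    if is_yes(g.get("passwdchatdebug", "no")):
        findings.append(("global", "passwd chat debug = yes writes the password chat, passwords included, to the log"))
    if is_yes(g.get("nullpasswords", "no")):
        findings.append(("global", "null passwords = yes accepts accounts with empty passwords"))
    min_len = int(g.get("minpasswordlength", "5"))  # Samba 3 default is 5; 8 is this example's threshold
    if min_len < 8:
        findings.append(("global", "min password length = %d is below 8" % min_len))
    for name, params in sections.items():
        if name == "global":
            continue
        if is_yes(params.get("guestok", params.get("public", "no"))):
            findings.append((name, "guest ok = yes allows unauthenticated access"))
        if name == "netlogon" and share_is_writable(params):
            findings.append((name, "netlogon is writable, so any user can edit the logon scripts every client runs"))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/samba/smb.conf"
    with open(path) as fh:
        for section, finding in audit(parse_smb_conf(fh.read())):
            print("[%s] %s" % (section, finding))
```

Run it as python smb_audit.py /etc/samba/smb.conf. With the tdbsam backend, the policy that governs domain logons is the account policy stored in the passdb and set with pdbedit -P (for example pdbedit -P "min password length" -C 8); the smb.conf min password length parameter only limits what smbd accepts when it synchronises the UNIX password.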
NetBIOS name resolution failure
I am unable to visit \\t0e without having to add it to the ...\etc\hosts file
Testing Samba Configuration
Quick HOWTO : Ch12 : Samba Security and Troubleshooting
This will test the Samba configuration file:
testparm -s
This will report the Samba details (hit enter when prompted for password):
smbclient -L <hostname>
or you can use:
smbclient -L <hostname> -U%
To check if the Samba software is running correctly:
nmblookup -B 192.168.1.100 __SAMBA__    # ask the server for its __SAMBA__ name
nmblookup -B 192.168.1.103 "*"
nmblookup -d 2 '*'
nmblookup -M homenet                    # check for master browser (use your workgroup name, T0E here)
Linux as SMB Client
[global]
   workgroup = T0E
   security = domain
   # the PDC's NetBIOS name (TESTLAB above) or * to locate it via WINS/broadcast; T0E is the workgroup, not a host
   password server = *
net rpc join -U Administrator    # domain taken from the workgroup setting
Iptables and Samba
Quick HOWTO : Ch12 : Samba Security and Troubleshooting
Configure it to allow through such Microsoft protocols as NetBIOS (UDP ports 137 and 138, TCP port 139) and TCP port 445 for SMB file sharing without NetBIOS. Here is a sample script snippet:
#!/bin/bash
SAMBA_SERVER="192.168.1.100"
NETWORK="192.168.1.0/24"        # Local area network
BROADCAST="192.168.1.255"       # Local area network broadcast address (must match NETWORK)

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# NetBIOS name and datagram services, LAN only
iptables -A INPUT -p udp -s $NETWORK -d $SAMBA_SERVER \
    -m multiport --dports 137,138 -j ACCEPT
# NetBIOS session service and direct-hosted SMB, LAN only
iptables -A INPUT -p tcp -s $NETWORK -d $SAMBA_SERVER -m multiport \
    --dports 139,445 -j ACCEPT
# broadcast name queries from the LAN
iptables -A INPUT -p udp -s $NETWORK -d $BROADCAST --dport 137 \
    -j ACCEPT
# anything else aimed at the SMB ports is dropped
iptables -A INPUT -p udp -d $SAMBA_SERVER -m multiport \
    --dports 137,138 -j DROP
iptables -A INPUT -p tcp -d $SAMBA_SERVER -m multiport \
    --dports 139,445 -j DROP
iptables -A OUTPUT -s $SAMBA_SERVER -d $NETWORK -m state --state \
    ESTABLISHED,RELATED -j ACCEPT
Samba PAM authentication
- pam_smb
- pam_smb FAQ
- pam_smb README
/lib/security/pam_smb_auth.so
Samba and Winbind
"I'm not sure if it was connected, but I'd just run wbinfo -D workgroup_name which seemed to hang, but I went to do something else, forgetting that it was hanging. Only it wasn't. Eventually it came back with correct answers, at which point wbinfo -u|g worked and the authentication was back, too.
Wow. Weird. I was trying to get Samba and winbind working for Squid today. Most wbinfo tests seemed fine, but "wbinfo -u" and "wbinfo -g" kept giving that "Error looking up domain users" (or groups) error. I found your post, and tried running "wbinfo -D domain_name", just to see if it made a difference. While it did not hang on my system (returned info immediately), after that, "wbinfo -u" and "wbinfo -g" started working. So whatever's going on, that "-D" switch seems to help unwedge things somehow.
Magic."
Samba, Pam, winbind and ADS
Samba Winbind - wbinfo -u works, getent passwd only gives local users:
wbinfo --own-domain
wbinfo -t          # does not work
wbinfo -D T0E
wbinfo -g
wbinfo -u          # does not work?
Samba: wbinfo -I not responding:
wbinfo -p
[Samba wbinfo can't list users]:
net rpc join -U Administrator
wbinfo -u
wbinfo -g
wbinfo -m
winbindd -d 3 -i
Samba - Winbind: Use of Domain Accounts
See Also
- Linux Magazine: Using Samba as a PDC
- Samba Setup Guide for Linux
- Linux Magazine: Samba
- Linux-Windows Single Sign-On
- Samba-3 Server Types and Security Modes
- Using Samba - 6.3 Authentication Security
- Using Samba (HTML eBook)
- Samba authentication through PAM with MySQL
- Setting up Samba to use an NT PDC for authentication
- Chapter 7. Adding Domain Member Servers and Clients - Part II. Domain Members, Updating Samba and Migration
- Samba Setup Guide for Linux - Samba as a Primary Domain Controller
- Chapter 4. Domain Control - Part II. Server Configuration Basics
- Common threads: Samba domain controller support
- SAMBA (Domaincontroller) Server For Small Workgroups With Ubuntu 6.10
- HOWTO SAMBA-LDAP Domain Controller (with Real Time antivirus)
- Samba PDC mini-HOWTO
- Samba as Primary Domain Controller - HowTo
- Samba Winbind wbinfo -u fails with "Error looking up domain users"
- The Official Samba-3 HOWTO and Reference Guide