Linux/Samba/Domain Controller

From Omnia
< Linux‎ | Samba
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Tutorial #1

SAMBA (Domain Controller) Server For Small Workgroups With Ubuntu 5.10 "Breezy Badger"

yum install samba samba-client samba-common

Edit /etc/samba/smb.conf:

[global]
   workgroup = T0E
   netbios name = TESTLAB
   server string = %h server

   passdb backend = tdbsam
   security = user
   username map = /etc/samba/smbusers
   name resolve order = wins bcast hosts
   domain logons = yes
   preferred master = yes
   wins support = yes
   
   # Set CUPS for printing
   #printcap name = CUPS
   #printing = CUPS
   
   # Default logon
   #logon drive = H:
   #logon script = scripts/logon.bat
   #logon path = \\server1\profile\%U

   # Useradd scripts
   add user script = /usr/sbin/useradd -m %u
   delete user script = /usr/sbin/userdel -r %u
   add group script = /usr/sbin/groupadd %g
   delete group script = /usr/sbin/groupdel %g
   add user to group script = /usr/sbin/usermod -G %g %u
   add machine script = /usr/sbin/useradd -s /bin/false/ -d /var/lib/nobody %u
   idmap uid = 15000-20000
   idmap gid = 15000-20000

   # sync smb passwords woth linux passwords
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   passwd chat debug = yes
   unix password sync = yes
   
   # set the loglevel
   log level = 3

[homes]
   comment = Home
   valid users = %S
   read only = no
   browsable = no

[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = yes
   guest ok = yes
   browsable = no

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   admin users = Administrator
   valid users = %U
   read only = no

[profile]
   comment = User profiles
   path = /home/samba/profiles
   valid users = %U
   create mode = 0600
   directory mode = 0700
   writable = yes
   browsable = no

Create the directories for domain logons and profiles:

mkdir /home/samba
mkdir /home/samba/netlogon
mkdir /home/samba/profiles
mkdir /var/spool/samba
chmod 777 /var/spool/samba/
chown -R root:users /home/samba/
chmod -R 771 /home/samba/

/etc/init.d/samba restart

Edit /etc/nsswitch.conf. Change the line:

hosts: files dns

to:

hosts: files wins dns

Add the root user to the SAMBA password database. The root user (alias: Administrator) will be our domain administrator. This account is needed to add new computers to the SAMBA domain.

smbpasswd -a root

Create the file /etc/samba/smbusers and add the line by executing:

echo "root = Administrator" > /etc/samba/smbusers

This will allow us to use the common windows username "Administrator" as alias for the Linux root user. Now I will test if the setup is correct:

smbclient -L localhost -U%

The output should look similar to this:

Domain=[T0E] OS=[Unix] Server=[Samba 3.0.23c-2.el5.2.0.2]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        IPC$            IPC       IPC Service (testlab server)
Domain=[T0E] OS=[Unix] Server=[Samba 3.0.23c-2.el5.2.0.2]

        Server               Comment
        ---------            -------
        TESTLAB              testlab server

        Workgroup            Master
        ---------            -------
        T0E                  TESTLAB

Setup the default domain groups for windows:

net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup

or:

net groupmap add ntgroup="Domain Admins" unixgroup=root
net groupmap add ntgroup="Domain Users" unixgroup=users
net groupmap add ntgroup="Domain Guests" unixgroup=nogroup

Adding Users To Our SAMBA Domain

Now we will add a user, e.g. tom, to our Samba domain. You will have to add a user like this for each user account you want to connect to this SAMBA domain server.

1) Add a linux user tom:

useradd tom -m -G users

2) Add the linux user tom to the SAMBA password database:

smbpasswd -a tom

Adding Shares

Now I will add a share that is accessible by all users.

mkdir -p /home/shares/allusers
chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/

At the end of the file /etc/samba/smb.conf add the following lines:

[allusers]
  comment = All Users
  path = /home/shares/allusers
  valid users = @users
  force group = users 
  create mask = 0660
  directory mask = 0771
  writable = yes

/etc/init.d/samba restart

Problems

Password Change

I was unable to change my user password from my Windows XP machine.

A thread asked the same question. The answer was to:

Change:
unix password sync = Yes

To:
unix password sync = no

This appeared to work. This may be because all of the samba users are the same user, and not individual Linux accounts.

Another suggestion:

A comment suggested to:

Try to change the "passwd chat" line in smb.conf to this:

passwd chat = *password* %n\n *password* %n\n *success*

Domain Administration

From what I can tell all new users will need to be added via the command line on the PDC. I was unable to connect to the PDC using mmc "Users" snap-in.

Security

It appears that the domain groups and security permission are either ignored or simply not used.

Linux Client Authentication

How will this work with a Linux workstation? It doesn't appear you can use Samba on a Linux workstation to authenticate against a Samba Domain Controller without some serious reconfiguration.

It seems that joining the domain is no problem, but using the Samba Domain Controller for login authentication appears to be another issue.

How do force Passwords Restrictions and Expiration?

How do force Passwords Restrictions and Expiration?

See [1] for a possible example:

min password length = 6
null passwords = No

NetBIOS name resolution failure

I am unable to visit \\t0e without having to add it to the ...\etc\hosts file

Testing Samba Configuration

Quick HOWTO : Ch12 : Samba Security and Troubleshooting

This will test the Samba configuration file:

testparm -s

This will report the Samba details (hit enter when prompted for password):

smbclient -L <hostname>

or you can use:

smbclient -L <hostname> -U%

To check if the Samba software is running correctly:

nmblookup -B 192.168.1.100 __SAMBA__
nmblookup -B 192.168.1.103 "*"
nmblookup -d 2 '*'
nmblookup -M homenet  # check for master browser

Linux as SMB Client

Samba as a NT Domain Member

[global]

       workgroup = T0E
       security = DOMAIN
       password server = T0E
net join T0E -U Administrator

Iptables and Samba

Quick HOWTO : Ch12 : Samba Security and Troubleshooting

Configure it to allow through such Microsoft protocols as NetBIOS (UDP ports 137 and 138, TCP ports 139) and TCP port 445 for SMB file sharing without NetBIOS. Here is sample script snippet:

#!/bin/bash
 
SAMBA_SERVER="192.168.1.100 "
NETWORK="192.168.1.0/24"    # Local area network
BROADCAST="192.168.255.255" # Local area network Broadcast Address
 
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p udp -s $NETWORK -d $SAMBA_SERVER \
    -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT -p tcp -s $NETWORK -d $SAMBA_SERVER -m multiport \
    --dports 139,445 -j ACCEPT
iptables -A INPUT -p udp -s $NETWORK -d $BROADCAST --dport 137 \
    -j ACCEPT
iptables -A INPUT -p udp -d $SAMBA_SERVER -m multiport \
    --dports 137,138 -j DROP
iptables -A INPUT -p tcp -d $SAMBA_SERVER -m multiport \
    --dports 139,445 -j DROP
iptables -A OUTPUT -s $SAMBA_SERVER -d $NETWORK -m state --state \
    ESTABLISHED,RELATED -j ACCEPT

Samba PAM authentication

pam_smb pam_smb FAQ pam_smb README

/lib/security/pam_smb_auth.so

Samba and Winbind

" I'm not sure if it was connected, but I'd just run wbinfo -D workground_name which seemed to hang, but I went to do something else, forgetting that is was hanging. Only it wasn't. Eventually it came back with correct answers, at which point, wbinfo -u|g worked and the authentication was back, too.

Wow. Weird. I was trying to get Samba and winbind working for Squid today. Most wbinfo tests seemed fine, but "wbinfo -u" and "wbinfo -g" kept giving that "Error looking up domain users" (or groups) error. I found your post, and tried running "wbinfo -D domain_name", just to see if it made a difference. While it did not hang on my system (returned info immediately), after that, "wbinfo -u" and "wbinfo -g" started working. So whatever's going on, that "-D" switch seems to help unwedge things somehow.

Magic." Samba, Pam, winbind and ADS

Samba Winbind - wbinfo -u works, getent passwd only gives local users:

wbinfo --own-domain
wbinfo -t  # does not work
wbinfo -D T0E
wbinfo -g
wbinfo -u  # does not work?

Samba: wbinfo -I not responding:

wbinfo -p

[Samba wbinfo can't list users]:

net rpc join -U Administrator
wbinfo -u
wbinfo -g
wbinfo -m
winbindd -d 3 -i

Samba - Winbind: Use of Domain Accounts

See Also

Less See Also

To Read