Using Samba
Doug Maxwell, doug@unixlore.net
November 13, 2004 – GHGLUG
Updated March 2006
What is Samba?
  Samba is a collection of programs that speak the SMB (Server Message Block) protocol
  SMB is the Windows client-server protocol used for networked file and printer sharing
  Samba runs natively on Unix platforms, and so provides a way to bridge the OS divide
Terminology
  Domain: a group of networked resources under one security authority
  NT Domain: legacy Windows domain (Win 95/98/Me/NT clients)
  PDC: Primary Domain Controller
  BDC: Backup Domain Controller
  WINS: Windows name resolution service (a NetBIOS name server)
  NBT: NetBIOS over TCP; provides name resolution plus reliable (session) and unreliable (datagram) messaging
  NT LAN Manager (dialect NT LM 0.12): the version of SMB used by Windows NT4, and the dialect Samba 3 implements
Terminology
  Since Win2k: Active Directory (AD)
    AD domains are LDAP/Kerberos based (Win2k/XP/2003 Server)
    AD clients use DNS instead of WINS to find domain controllers
  CIFS: Common Internet File System, Microsoft's name for the NT-era SMB dialect as spoken by Win2k/XP
  Browsing: the process of discovering shared resources on the network
What Good is Samba?
  Integrating Unix and Windows authentication: single sign-on for all
  Sharing files and printers across OS platforms
  Saves on license costs (or at least drives you less crazy trying to administer it)
  A Samba server can be
    an NT domain PDC, client, or member server
    an AD client or member server (but not an AD domain controller)
    a primary WINS server
What Good is Samba?
  A replacement for NFS for Unix-to-Unix file sharing
  Has the advantage of authenticating users, not client hosts (NFS with AUTH_SYS simply trusts the UID the client claims)
Limitations
  A Samba server cannot be
    an AD domain controller (being worked on by the Samba team at the time of this talk; Samba 4.0 and later can act as one)
    a BDC to a Windows PDC, and a Windows PDC cannot replicate to a Samba BDC
Components
  The Samba suite comprises several daemons and many other utilities
  nmbd: NetBIOS name resolution, registration and browsing
  smbd: TCP/IP connection handling for file/printer sharing, including user authentication
  winbindd: only needed if the Samba server is an NT domain or AD member server; handles authentication and user/group lookups against domain controllers
Components
  Command-line utilities
    smbpasswd: Samba user and machine account maintenance
    smbclient: access shared resources from the command line
    testparm: checks smb.conf for errors and shows the effective settings
    smbstatus: displays the server status and existing network connections
Components
  SWAT: the Samba Web Administration Tool, a browser front end for editing smb.conf
    It runs as root and sends its login over plain HTTP, so bind it to localhost or tunnel it; SWAT was removed in Samba 4.1
Questions?
Secure File Server
  Requirements:
    Unix file server accessible by Windows and Unix clients
    User authentication
    User home directories
    Group storage in /export, owned by admin, accessible to members of the users group
Secure File Server
  Make sure the Unix users exist and are members of the group "users" (the admin account must exist as well)
    useradd -c "Test User" -m -g users test
    passwd test           # useradd -p expects an already-hashed password, so set it interactively instead
    mkdir /export
    chown admin:users /export
    chmod 770 /export
  Then give each account a Samba password (the Samba password database is separate from /etc/shadow)
    smbpasswd -a root
    smbpasswd -a test
    smbpasswd -a admin
Secure File Server, smb.conf
  # Global parameters
  [global]
     workgroup = GHGLUG
     netbios name = STEALTH

  [homes]
     comment = Home Directories
     valid users = %S
     read only = No
     browseable = No

  [public]
     comment = Shared User Data
     path = /export
     force user = admin
     force group = users
     valid users = @users
     read only = No
  Because of force user, every access to /export is performed as admin, so this share must not be guest ok: guest ok = Yes here would hand anonymous clients admin's rights on /export. valid users = @users enforces the requirement that only the users group can reach it, and read only = No is needed for the group to actually store anything.
Secure File Server
  Check the smb.conf with testparm
  Start the Samba daemons
    /etc/init.d/samba start   (Debian)
    service smb start         (Red Hat)
  Check the server status
    smbclient -L localhost -U%              # anonymous share listing
    smbclient //STEALTH/test -Utest%abc123
  Passing the password as -U user%password exposes it in the process list and in shell history; outside a lab, omit it so smbclient prompts, or use an -A credentials file
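Combining force user with guest ok on a share like [public] is an easy mistake: every request on the share runs as the forced Unix user, so anonymous clients get that user's rights on the path. The script below is an added example for this page, not code from the talk or from the Samba project. It parses an smb.conf fragment (comments, case-insensitive names, the read only/writable synonyms) and flags that combination along with two related share-level problems. The embedded sample configurations are constructed from the slide: the [public] share with guest ok = Yes, and a version restricted to the users group. The checks and severities are the editor's own.

```python
"""Audit share definitions in an smb.conf for privilege mistakes.

Added example for this page; not code from the talk or from the Samba project.
"""
import re

TRUE_VALUES = {"yes", "true", "1"}

# Parameter synonyms Samba accepts, folded to one canonical name.
SYNONYMS = {
    "public": "guest ok",
    "writeable": "writable",
}


def _truthy(value):
    return value.strip().lower() in TRUE_VALUES


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}.

    Covers what an audit needs: '#' and ';' comments, case-insensitive section
    and parameter names, whitespace around '='. 'read only' is folded into its
    inverse 'writable' so each share carries a single writability flag. As in
    Samba, the last definition of a parameter wins. 'include =' is not followed.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        key = SYNONYMS.get(key, key)
        value = value.strip()
        if key == "read only":
            key, value = "writable", ("no" if _truthy(value) else "yes")
        sections[current][key] = value
    return sections


def audit_shares(conf):
    """Return [(section, severity, message)] for the share-level problems below.

    HIGH   guest ok together with force user: anonymous clients run as that Unix
           user, so 'guest' really means that user's rights on the path.
    HIGH   security = share in [global]: no per-user authentication at all.
    MEDIUM writable share with neither 'valid users' nor 'write list'.
    LOW    any other guest-accessible share (worth knowing about on a server
           that is meant to authenticate every user).
    Share parameters inherit [global] defaults, as in Samba itself.
    """
    findings = []
    globals_ = conf.get("global", {})
    if globals_.get("security", "user").strip().lower() == "share":
        findings.append(("global", "HIGH", "security = share disables per-user authentication"))
    for name, params in conf.items():
        if name == "global":
            continue
        eff = {**globals_, **params}
        guest = _truthy(eff.get("guest ok", "no"))
        writable = _truthy(eff.get("writable", "no"))
        forced = eff.get("force user")
        restricted = "valid users" in eff or "write list" in eff
        if guest and forced:
            access = "read/write" if writable else "read"
            findings.append((name, "HIGH", f"guest {access} access runs as forced user '{forced}'"))
        elif guest:
            findings.append((name, "LOW", "guest access enabled"))
        if writable and not restricted:
            findings.append((name, "MEDIUM", "writable by every authenticated user (no valid users / write list)"))
    return findings


# Constructed sample: the [public] share as it appears on the slide.
ORIGINAL_CONF = """\
[global]
   workgroup = GHGLUG
   netbios name = STEALTH

[homes]
   comment = Home Directories
   valid users = %S
   read only = No
   browseable = No

[public]
   comment = Shared User Data
   path = /export
   force user = admin
   force group = users
   guest ok = Yes
"""

# Constructed sample: the same share restricted to the users group instead.
HARDENED_CONF = ORIGINAL_CONF.replace(
    "   guest ok = Yes\n", "   valid users = @users\n   read only = No\n"
)

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_shares(parse_smb_conf(text)) or [("-", "OK", "no findings")]
        print(label)
        for section, severity, message in findings:
            print(f"  [{section}] {severity}: {message}")
```

Run it against the real file (`parse_smb_conf(open("/etc/samba/smb.conf").read())`) after testparm has accepted the syntax; testparm catches typos, but it does not tell you that a share's effective rights are wider than you intended.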
Lab I
  I've configured smb.conf as noted before
  Connect to it as user "test" with password "abc123"
  Try accessing the public share as well
Samba as a PDC
  The smb.conf is still pretty simple
  We add netlogon and profiles shares, for domain logons and roaming profile support
  The os level parameter must be > 32 so the PDC wins browser elections against NT servers
  Windows clients now need machine trust accounts in the Samba server's Unix password file and in the Samba password database
  Unix clients will run the winbind daemon, which requires the idmap uid and idmap gid parameters to be set in the client's smb.conf
Samba as a PDC
  [global]
     netbios name = STEALTH
     workgroup = GHGLUG
     passdb backend = tdbsam
     os level = 35
     preferred master = yes
     domain master = yes
     local master = yes
     security = user
     domain logons = yes
     logon path = \\%N\profiles\%U
     logon home = \\%L\%u\.profiles
     logon drive = H:
     logon script = logon.cmd

  [netlogon]
     path = /var/lib/samba/netlogon
     read only = yes
     write list = @ntadmins

  [profiles]
     path = /var/lib/samba/profiles
     read only = no
     create mask = 0600
     directory mask = 0700
Samba as a PDC
  Manually adding machine trust accounts: do this on the Samba server for each Win2k/XP client
    useradd -d /dev/null -c "nickname" -s /bin/false 'machine_name$' && passwd -l 'machine_name$'
  Note the trailing "$" - it is required (quote it so the shell never tries to expand it)
  Now add the machine account to the Samba password database; smbpasswd -m appends the "$" itself
    smbpasswd -a -m machine_name
  Alternatively, set add machine script in [global] (a useradd command like the one above, with %u for the account name) and Samba creates the Unix account when the client joins
Samba as a PDC
  We should now see the netlogon and profiles shares available, after a service restart:
    stealth:/# smbclient -L localhost -U%
    Domain=[GHGLUG] OS=[Unix] Server=[Samba 3.0.7-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        profiles        Disk
        IPC$            IPC       IPC Service (Samba 3.0.7-Debian)
        ADMIN$          IPC       IPC Service (Samba 3.0.7-Debian)

        Server               Comment
        ---------            -------
        STEALTH              Samba 3.0.7-Debian

        Workgroup            Master
        ---------            -------
        GHGLUG               STEALTH
Samba as a PDC
  Windows clients - gotchas
    The first time the client joins the domain, you must log in with an account that has domain admin privileges (usually the Samba "root" account)
    Subsequent logins use the client's usual username/password pair
Samba as a PDC
  Windows clients - gotchas
  Some registry/security settings may need tweaking for older versions of Samba (< 3), which lack Netlogon secure-channel (schannel) support. Samba 3 supports signed and sealed secure channels, so leave these at their defaults unless a join actually fails: each change below relaxes a security check on the client.
  Registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
      RequireSignOrSeal: DWORD value 0
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
      CompatibleRUPSecurity: DWORD value 1
  Local Security Policy (disable the following):
    "Domain member: Digitally encrypt or sign secure channel data (always)"
    "Domain member: Digitally encrypt secure channel data (when possible)"
    "Domain member: Digitally sign secure channel data (when possible)"
    "Domain member: Require strong (Windows 2000 or later) session key"
Questions?
Samba as a Domain Member
  Samba and winbind run on the client
  Join the domain with the Samba "net" command
    net rpc join -Uroot%'password'
  Start the Samba and winbind daemons
  Store winbind auth info for session setup
    wbinfo --set-auth-user=root%'password'
  Test winbind with wbinfo -u, wbinfo -g, and getent passwd username
  --set-auth-user stores that password in the client's secrets.tdb; use a dedicated low-privilege domain account rather than root for it, and let net and wbinfo prompt (-Uroot with no %password) so the password stays out of shell history
Samba as a Domain Member
  The smb.conf is simple:
    [global]
       workgroup = GHGLUG
       security = DOMAIN
       idmap uid = 15000-20000
       idmap gid = 15000-20000
       winbind use default domain = Yes
  idmap uid/gid is the Samba 3 syntax; Samba 4 replaces it with idmap config * : range = 15000-20000
Lab II
  Try to connect your Linux or Windows client to the GHGLUG domain controller I set up earlier
  The test and root users have the password "abc123"
  A note about security
    In practice, the network administrator configures and logs the client in for the first time
    This way the domain administrator password does not have to be shared
Final Notes
  If you just want to quickly access Windows shares from a Linux workstation, you don't need a full-blown Samba installation
  Usually you just need smbclient and smbfs support in your kernel
    Debian: apt-get install smbfs smbclient
  smbfs has since been removed from the Linux kernel; current systems use the cifs filesystem with mount.cifs (Debian: cifs-utils), which takes the same username and credentials options
Final Notes
  I have the following in my .bashrc
    alias mmp3='smbmount "\\\\IP_ADDRESS\\MP3" ~/mmp3 -o username="dmaxwell/DOMAIN%password"'
  By running the command 'mmp3', I can then access the shared mp3 repository from my locally mounted ~/mmp3 directory
  Caveat: a password in .bashrc is readable by anyone who can read the file and appears in the process list while the mount runs; keep it in a mode-0600 file instead and mount with -o credentials=/path/to/file
Final Notes
  Use smbclient like an FTP client
    smbclient "\\\\FILESRV\\path" -I [IP address] -d 3 -A ~/dom.txt
  Once logged in, use the standard FTP commands (ls, cd, get, put, mget, mput) to store and retrieve data
  The file "dom.txt" should have the following format, one entry per line, and should be readable only by you (chmod 600):
    username = test
    password = abc123
    domain = GHGLUG
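The .bashrc alias and the -A option above address the same question: where the Samba password lives. The script below is an added example for this page, not code from the talk or from the Samba project. It writes a credentials file in the key = value layout smbclient -A reads, creating it with mode 0600 from the first instant and never overwriting an existing file; refuses to use a file that group or other users can read; and builds an smbclient command line that passes -A instead of -U user%password, so the password never appears in ps output or shell history. The temporary path and the sample account (test/abc123/GHGLUG from the slides) are the example's own.

```python
"""Keep a Samba password in a credentials file instead of argv or .bashrc.

Added example for this page; not code from the talk or from the Samba project.
"""
import os
import stat
import tempfile

# Keys smbclient -A reads (mount.cifs 'credentials=' uses the same three names).
CRED_KEYS = ("username", "password", "domain")


def write_credentials(path, username, password, domain=None):
    """Create `path` with mode 0600 from the first instant and never overwrite.

    O_EXCL fails if the file exists, and passing the mode to open() avoids the
    window a plain open()+chmod() would leave where the file is world-readable.
    Layout is the 'key = value' form shown on the slide for smbclient -A.
    """
    lines = [f"username = {username}", f"password = {password}"]
    if domain:
        lines.append(f"domain = {domain}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return path


def parse_credentials(text):
    """Parse the credentials format: one 'key = value' per line, '#' comments."""
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in CRED_KEYS:
            creds[key] = value.strip()
    if "username" not in creds or "password" not in creds:
        raise ValueError("username and password are both required")
    return creds


def read_credentials(path):
    """Read the file, refusing one that group or other users could read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path}: mode {mode:04o} is readable by group/other")
    with open(path) as fh:
        return parse_credentials(fh.read())


def smbclient_argv(service, cred_path, ip=None, debug=None):
    """Build an smbclient command line that uses -A rather than -U user%pass,
    so the password is never visible in ps output or shell history."""
    argv = ["smbclient", service, "-A", cred_path]
    if ip:
        argv += ["-I", ip]
    if debug is not None:
        argv += ["-d", str(debug)]
    return argv


def self_check():
    """Round trip in a temporary directory; returns (creds, mode, rejected).

    'rejected' records whether read_credentials() refused the file after a
    careless chmod 644, which is the failure the mode check exists to catch.
    """
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "dom.txt")
    write_credentials(path, "test", "abc123", "GHGLUG")
    creds = read_credentials(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, 0o644)
    try:
        read_credentials(path)
        rejected = False
    except PermissionError:
        rejected = True
    os.remove(path)
    os.rmdir(tmp)
    return creds, mode, rejected


if __name__ == "__main__":
    creds, mode, rejected = self_check()
    print(f"parsed {sorted(creds)} mode {mode:04o} rejected-after-chmod={rejected}")
    print(" ".join(smbclient_argv("//FILESRV/path", os.path.expanduser("~/dom.txt"), debug=3)))
```

The same file works for the mount case: mount.cifs -o credentials=~/dom.txt replaces the username=user/DOMAIN%password form in the alias, and the mode check is the one thing to keep doing by hand if you edit the file later.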
Final Notes
  We didn't cover printing
    Samba makes a great print server and integrates with CUPS natively
    Configure each CUPS printer as a raw queue (no filter); Windows clients install the printer driver locally
  The Samba documentation is excellent
    Several of the books are freely available online, or can be read through the SWAT web interface
    Debian: apt-get install swat samba-doc
Questions?
Copyright & License Copyright (c) 2004, 2006 Doug Maxwell (http://www.unixlore.net). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is at http://www.gnu.org/copyleft/fdl.html.