Diffstat (limited to 'docs/Samba-HOWTO-Collection/TOSHARG-FastStart.xml')
-rw-r--r-- | docs/Samba-HOWTO-Collection/TOSHARG-FastStart.xml | 1256 |
1 files changed, 1256 insertions, 0 deletions
diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-FastStart.xml b/docs/Samba-HOWTO-Collection/TOSHARG-FastStart.xml new file mode 100644 index 0000000000..a50b4fa553 --- /dev/null +++ b/docs/Samba-HOWTO-Collection/TOSHARG-FastStart.xml 
@@ -0,0 +1,1256 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> +<chapter id="FastStart"> +<chapterinfo> + &author.jht; +</chapterinfo> + +<title>Fast Start: Cure for Impatience</title> + +<para> +When we first asked for suggestions for inclusion in the Samba HOWTO documentation, +someone wrote asking for example configurations &smbmdash; and lots of them. That is remarkably +difficult to do, without losing a lot of value that can be derived from presenting +many extracts from working systems. That is what the rest of this document does. +It does so with extensive descriptions of the configuration possibilities within the +context of the chapter that covers it. We hope that this chapter is the medicine +that has been requested. +</para> + +<sect1> +<title>Features and Benefits</title> + +<para> +Samba needs very little configuration to create a basic working system. +In this chapter we progress from the simple to the complex, for each providing +all steps and configuration file changes needed to make each work. Please note +that a comprehensively configured system will likely employ additional smart +features. The additional features are covered in the remainder of this document. +</para> + +<para> +The examples used here have been obtained from a number of people who made +requests for example configurations. All identities have been obscured to protect +the guilty and any resemblance to unreal non-existent sites is deliberate. +</para> + +</sect1> + +<sect1> +<title>Description of Example Sites</title> + +<para> +In the first set of configuration examples we consider the case of exceptionally simple +system requirements. There is a real temptation to make something that should require +little effort much too complex. 
+</para> + +<para> +<link linkend="anon-ro"></link> documents the type of server that might be sufficient to serve CD-ROM +images, or reference document files for network client use. This configuration is also discussed in +<link linkend="StandAloneServer"></link>, <link linkend="RefDocServer"></link>. +The purpose for this configuration is to provide a shared volume that is read-only that anyone, even guests, can access. +</para> + +<para> +The second example shows a minimal configuration for a print server that anyone can print +to as long as they have the correct printer drivers installed on their computer. This is a +mirror of the system described in <link linkend="StandAloneServer"></link>, <link linkend="SimplePrintServer"></link>. +</para> + +<para> +The next example is of a secure office file and print server that will be accessible only +to users who have an account on the system. This server is meant to closely resemble a +Workgroup file and print server, but has to be more secure than an anonymous access machine. +This type of system will typically suit the needs of a small office. The server does not +provide network logon facilities, offers no Domain Control, instead it is just a network +attached storage (NAS) device and a print server. +</para> + +<para> +Finally, we start looking at more complex systems that will either integrate into existing +Microsoft Windows networks, or replace them entirely. The examples provided cover domain +member servers as well as Samba Domain Control (PDC/BDC) and finally describes in detail +a large distributed network with branch offices in remote locations. +</para> + +</sect1> + +<sect1> +<title>Worked Examples</title> + +<para> +The configuration examples are designed to cover everything necessary to get Samba +running. They do not cover basic operating system platform configuration, which is +clearly beyond the scope of this text. 
+</para> + +<para> +It is also assumed that Samba has been correctly installed, either by way of installation +of the packages that are provided by the operating system vendor, or through other means. +</para> + + <sect2> + <title>Stand-alone Server</title> + + <para> + <indexterm><primary>Server Type</primary><secondary>Stand-alone</secondary></indexterm> + A Stand-alone Server implies no more than the fact that it is not a Domain Controller + and it does not participate in Domain Control. It can be a simple workgroup-like + server, or it may be a complex server that is a member of a domain security context. + </para> + + <sect3 id="anon-ro"> + <title>Anonymous Read-Only Document Server</title> + + <para> + <indexterm><primary>read only</primary><secondary>server</secondary></indexterm> + The purpose of this type of server is to make available to any user + any documents or files that are placed on the shared resource. The + shared resource could be a CD-ROM drive, a CD-ROM image, or a file + storage area. + </para> + + <para> + As the examples are developed, every attempt is made to progress the + system toward greater capability, just as one might expect would happen + in a real business office as that office grows in size and its needs + change. 
+ </para> + + <para>The configuration file is:</para> + + <para><smbconfexample id="anon-example"> + <title>Anonymous Read-Only Server Configuration</title> + <smbconfcomment>Global parameters</smbconfcomment> + <smbconfsection name="[global]"/> + <smbconfoption name="workgroup">MIDEARTH</smbconfoption> + <smbconfoption name="netbios name">HOBBIT</smbconfoption> + <smbconfoption name="security">share</smbconfoption> + + <smbconfsection name="[data]"/> + <smbconfoption name="comment">Data</smbconfoption> + <smbconfoption name="path">/export</smbconfoption> + <smbconfoption name="read only">Yes</smbconfoption> + <smbconfoption name="guest ok">Yes</smbconfoption> + </smbconfexample> + </para> + + <itemizedlist> + <listitem><para> + The file system share point will be <filename>/export</filename>. + </para></listitem> + + <listitem><para> + All files will be owned by a user called Jack Baumbach. + Jack's login name will be <emphasis>jackb</emphasis>. His password will be + <emphasis>m0r3pa1n</emphasis> &smbmdash; of course, that's just the example we are + using; do not use this in a production environment because + all readers of this document will know it. + </para></listitem> + </itemizedlist> + + <procedure> + <title>Installation Procedure &smbmdash; Read-Only Server</title> + <step><para> + Add user to system (with creation of the users' home directory): +<screen> +&rootprompt;<userinput>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</userinput> +</screen> + </para></step> + + <step><para> + Create directory, and set permissions and ownership: +<screen> +&rootprompt;<userinput>mkdir /export</userinput> +&rootprompt;<userinput>chmod u+rwx,g+rx,o+rx /export</userinput> +&rootprompt;<userinput>chown jackb.users /export</userinput> +</screen> + </para></step> + + <step><para> + Copy the files that should be shared to the <filename>/export</filename> + directory. 
+ </para></step> + + <step><para> + Install the Samba configuration file (<filename>/etc/samba/smb.conf</filename>) + as shown. + </para></step> + + <step><para> + Test the configuration file: +<screen> +&rootprompt;<userinput>testparm</userinput> +</screen> + Note any error messages that might be produced. Do not proceed until you + obtain error-free output. An example of the output with the following file + will list the file. +<screen> +Load smb config files from /etc/samba/smb.conf +Processing section "[data]" +Loaded services file OK. +Server role: ROLE_STANDALONE +Press enter to see a dump of your service definitions +<userinput>[Press enter]</userinput> + +# Global parameters +[global] + workgroup = MIDEARTH + netbios name = HOBBIT + security = share + +[data] + comment = Data + path = /export + read only = Yes + guest only = Yes +</screen> + </para></step> + + <step><para> + Start Samba using the method applicable to your operating system + platform. + </para></step> + + <step><para> + Configure your Microsoft Windows client for workgroup <emphasis>MIDEARTH</emphasis>, + set the machine name to ROBBINS, reboot, wait a few (2 - 5) minutes, + then open Windows Explorer and visit the network neighborhood. + The machine HOBBIT should be visible. When you click this machine + icon, it should open up to reveal the <emphasis>data</emphasis> share. After + clicking the share it, should open up to reveal the files previously + placed in the <filename>/export</filename> directory. + </para></step> + </procedure> + + <para> + The information above (following # Global parameters) provides the complete + contents of the <filename>/etc/samba/smb.conf</filename> file. + </para> + + </sect3> + + <sect3> + <title>Anonymous Read-Write Document Server</title> + + <para> + <indexterm><primary>anonymous</primary><secondary>read-write server</secondary></indexterm> + We should view this configuration as a progression from the previous example. 
+ The difference is that shared access is now forced to the user identity of jackb + and to the primary group jackb belongs to. One other refinement we can make is to + add the user <emphasis>jackb</emphasis> to the <filename>smbpasswd</filename> file. + To do this execute: +<screen> +&rootprompt;<userinput>smbpasswd -a jackb</userinput> +New SMB password: <userinput>m0r3pa1n</userinput> +Retype new SMB password: <userinput>m0r3pa1n</userinput> +Added user jackb. +</screen> + Addition of this user to the <filename>smbpasswd</filename> file allows all files + to be displayed in the Explorer Properties boxes as belonging to <emphasis>jackb</emphasis> + instead of to <emphasis>User Unknown</emphasis>. + </para> + + <para> + The complete, modified &smb.conf; file is as shown in <link linkend="anon-rw"/>. + </para> + + <para> +<smbconfexample id="anon-rw"><title>Modified Anonymous Read-Write smb.conf</title> +<smbconfcomment>Global parameters</smbconfcomment> +<smbconfsection name="[global]"/> +<smbconfoption name="workgroup">MIDEARTH</smbconfoption> +<smbconfoption name="netbios name">HOBBIT</smbconfoption> +<smbconfoption name="security">SHARE</smbconfoption> + +<smbconfsection name="[data]"/> +<smbconfoption name="comment">Data</smbconfoption> +<smbconfoption name="path">/export</smbconfoption> +<smbconfoption name="force user">jackb</smbconfoption> +<smbconfoption name="force group">users</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> +</smbconfexample> + </para> + + </sect3> + + <sect3> + <title>Anonymous Print Server</title> + + <para> + <indexterm><primary>anonymous</primary><secondary>print server</secondary></indexterm> + An anonymous print server serves two purposes: + </para> + + <itemizedlist> + <listitem><para> + It allows printing to all printers from a single location. 
+ </para></listitem> + + <listitem><para> + It reduces network traffic congestion due to many users trying + to access a limited number of printers. + </para></listitem> + </itemizedlist> + + <para> + In the simplest of anonymous print servers, it is common to require the installation + of the correct printer drivers on the Windows workstation. In this case the print + server will be designed to just pass print jobs through to the spooler, and the spooler + should be configured to do raw pass-through to the printer. In other words, the print + spooler should not filter or process the data stream being passed to the printer. + </para> + + <para> + In this configuration it is undesirable to present the Add Printer Wizard and we do + not want to have automatic driver download, so we will disable it in the following + configuration. <link linkend="anon-print"></link> is the resulting &smb.conf; file. + </para> + + <para> +<smbconfexample id="anon-print"><title>Anonymous Print Server smb.conf</title> +<smbconfcomment>Global parameters</smbconfcomment> +<smbconfsection name="[global]"/> +<smbconfoption name="workgroup">MIDEARTH</smbconfoption> +<smbconfoption name="netbios name">LUTHIEN</smbconfoption> +<smbconfoption name="security">share</smbconfoption> +<smbconfoption name="printcap name">cups</smbconfoption> +<smbconfoption name="disable spoolss">Yes</smbconfoption> +<smbconfoption name="show add printer wizard">No</smbconfoption> +<smbconfoption name="printing">cups</smbconfoption> + +<smbconfsection name="[printers]"/> +<smbconfoption name="comment">All Printers</smbconfoption> +<smbconfoption name="path">/var/spool/samba</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> +<smbconfoption name="printable">Yes</smbconfoption> +<smbconfoption name="use client driver">Yes</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> +</smbconfexample> + </para> + + <para> + The above configuration is not ideal. 
It uses no smart features, and it deliberately + presents a less than elegant solution. But it is basic, and it does print. + </para> + + <note><para> + Windows users will need to install a local printer and then change the print + to device after installation of the drivers. The print to device can then be set to + the network printer on this machine. + </para></note> + + <para> + Make sure that the directory <filename>/var/spool/samba</filename> is capable of being used + as intended. The following steps must be taken to achieve this: + </para> + + <itemizedlist> + <listitem><para> + The directory must be owned by the superuser (root) user and group: +<screen> +&rootprompt;<userinput>chown root.root /var/spool/samba</userinput> +</screen> + </para></listitem> + + <listitem><para> + Directory permissions should be set for public read-write with the + sticky-bit set as shown: +<screen> +&rootprompt;<userinput>chmod a+rw TX /var/spool/samba</userinput> +</screen> + </para></listitem> + </itemizedlist> + + + <note><para> + <indexterm><primary>MIME</primary><secondary>raw</secondary></indexterm> + <indexterm><primary>raw printing</primary></indexterm> + On CUPS enabled systems there is a facility to pass raw data directly to the printer without + intermediate processing via CUPS print filters. Where use of this mode of operation is desired + it is necessary to configure a raw printing device. It is also necessary to enable the raw mime + handler in the <filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename> + files. Refer to <link linkend="cups-raw"></link>. + </para></note> + + </sect3> + + <sect3> + + <title>Secure Read-Write File and Print Server</title> + + <para> + We progress now from simple systems to a server that is slightly more complex. + </para> + + <para> + Our new server will require a public data storage area in which only authenticated + users (i.e., those with a local account) can store files, as well as a home directory. 
+ There will be one printer that should be available for everyone to use. + </para> + + <para> + In this hypothetical environment (no espionage was conducted to obtain this data), + the site is demanding a simple environment that is <emphasis>secure enough</emphasis> + but not too difficult to use. + </para> + + <para> + Site users will be: Jack Baumbach, Mary Orville and Amed Sehkah. Each will have + a password (not shown in further examples). Mary will be the printer administrator and will + own all files in the public share. + </para> + + <para> + This configuration will be based on <emphasis>User Level Security</emphasis> that + is the default, and for which the default is to store Microsoft Windows-compatible + encrypted passwords in a file called <filename>/etc/samba/smbpasswd</filename>. + The default &smb.conf; entry that makes this happen is: + <smbconfoption name="passdb backend">smbpasswd, guest</smbconfoption>. Since this is the default + it is not necessary to enter it into the configuration file. Note that guest backend is + added to the list of active passdb backends not matter was it specified directly in Samba configuration + file or not. + </para> + + + <procedure> + <title>Installing the Secure Office Server</title> + <step><para> + <indexterm><primary>office server</primary></indexterm> + Add all users to the Operating System: +<screen> +&rootprompt;<userinput>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</userinput> +&rootprompt;<userinput>useradd -c "Mary Orville" -m -g users -p secret maryo</userinput> +&rootprompt;<userinput>useradd -c "Amed Sehkah" -m -g users -p secret ameds</userinput> +</screen> + </para></step> + + <step><para> + Configure the Samba &smb.conf; file as shown in <link linkend="OfficeServer"/>. 
+<smbconfexample id="OfficeServer"> +<title>Secure Office Server smb.conf</title> +<smbconfcomment>Global parameters</smbconfcomment> +<smbconfsection name="[global]"/> +<smbconfoption name="workgroup">MIDEARTH</smbconfoption> +<smbconfoption name="netbios name">OLORIN</smbconfoption> +<smbconfoption name="printcap name">cups</smbconfoption> +<smbconfoption name="disable spoolss">Yes</smbconfoption> +<smbconfoption name="show add printer wizard">No</smbconfoption> +<smbconfoption name="printing">cups</smbconfoption> + +<smbconfsection name="[homes]"/> +<smbconfoption name="comment">Home Directories</smbconfoption> +<smbconfoption name="valid users">%S</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[public]"/> +<smbconfoption name="comment">Data</smbconfoption> +<smbconfoption name="path">/export</smbconfoption> +<smbconfoption name="force user">maryo</smbconfoption> +<smbconfoption name="force group">users</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> + +<smbconfsection name="[printers]"/> +<smbconfoption name="comment">All Printers</smbconfoption> +<smbconfoption name="path">/var/spool/samba</smbconfoption> +<smbconfoption name="printer admin">root, maryo</smbconfoption> +<smbconfoption name="create mask">0600</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> +<smbconfoption name="printable">Yes</smbconfoption> +<smbconfoption name="use client driver">Yes</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + </smbconfexample> + </para></step> + + <step><para> + Initialize the Microsoft Windows password database with the new users: +<screen> +&rootprompt;<userinput>smbpasswd -a root</userinput> +New SMB password: <userinput>bigsecret</userinput> +Reenter smb password: <userinput>bigsecret</userinput> +Added user root. 
+ +&rootprompt;<userinput>smbpasswd -a jackb</userinput> +New SMB password: <userinput>m0r3pa1n</userinput> +Retype new SMB password: <userinput>m0r3pa1n</userinput> +Added user jackb. + +&rootprompt;<userinput>smbpasswd -a maryo</userinput> +New SMB password: <userinput>secret</userinput> +Reenter smb password: <userinput>secret</userinput> +Added user maryo. + +&rootprompt;<userinput>smbpasswd -a ameds</userinput> +New SMB password: <userinput>mysecret</userinput> +Reenter smb password: <userinput>mysecret</userinput> +Added user ameds. +</screen> + </para></step> + + <step><para> + Install printer using the CUPS Web interface. Make certain that all + printers that will be shared with Microsoft Windows clients are installed + as raw printing devices. + </para></step> + + <step><para> + Start Samba using the operating system administrative interface. + Alternately, this can be done manually by running: + <indexterm><primary>smbd</primary></indexterm> + <indexterm><primary>nmbd</primary></indexterm> + <indexterm><primary>starting samba</primary><secondary>smbd</secondary></indexterm> + <indexterm><primary>starting samba</primary><secondary>nmbd</secondary></indexterm> +<screen> +&rootprompt;<userinput> nmbd; smbd;</userinput> +</screen> + </para></step> + + <step><para> + Configure the <filename>/export</filename> directory: +<screen> +&rootprompt;<userinput>mkdir /export</userinput> +&rootprompt;<userinput>chown maryo.users /export</userinput> +&rootprompt;<userinput>chmod u=rwx,g=rwx,o-rwx /export</userinput> +</screen> + </para></step> + + <step><para> + Check that Samba is running correctly: +<screen> +&rootprompt;<userinput>smbclient -L localhost -U%</userinput> +Domain=[MIDEARTH] OS=[UNIX] Server=[Samba-3.0.0] + +Sharename Type Comment +--------- ---- ------- +public Disk Data +IPC$ IPC IPC Service (Samba-3.0.0) +ADMIN$ IPC IPC Service (Samba-3.0.0) +hplj4 Printer hplj4 + +Server Comment +--------- ------- +OLORIN Samba-3.0.0 + +Workgroup Master +--------- 
------- +MIDEARTH OLORIN +</screen> + </para></step> + + <step><para> + Connect to OLORIN as maryo: +<screen> +&rootprompt;<userinput>smbclient //olorin/maryo -Umaryo%secret</userinput> +OS=[UNIX] Server=[Samba-3.0.0] +smb: \> <userinput>dir</userinput> +. D 0 Sat Jun 21 10:58:16 2003 +.. D 0 Sat Jun 21 10:54:32 2003 +Documents D 0 Fri Apr 25 13:23:58 2003 +DOCWORK D 0 Sat Jun 14 15:40:34 2003 +OpenOffice.org D 0 Fri Apr 25 13:55:16 2003 +.bashrc H 1286 Fri Apr 25 13:23:58 2003 +.netscape6 DH 0 Fri Apr 25 13:55:13 2003 +.mozilla DH 0 Wed Mar 5 11:50:50 2003 +.kermrc H 164 Fri Apr 25 13:23:58 2003 +.acrobat DH 0 Fri Apr 25 15:41:02 2003 + + 55817 blocks of size 524288. 34725 blocks available +smb: \> <userinput>q</userinput> +</screen> + </para></step> + </procedure> + + <para> + By now you should be getting the hang of configuration basics. Clearly, it is time to + explore slightly more complex examples. For the remainder of this chapter we will abbreviate + instructions since there are previous examples. + </para> + + </sect3> + + </sect2> + + <sect2> + <title>Domain Member Server</title> + + + <para> + <indexterm><primary>Server Type</primary><secondary>Domain Member</secondary></indexterm> + In this instance we will consider the simplest server configuration we can get away with + to make an accounting department happy. Let's be warned, the users are accountants and they + do have some nasty demands. There is a budget for only one server for this department. + </para> + + <para> + The network is managed by an internal Information Services Group (ISG), to which we belong. + Internal politics are typical of a medium-sized organization; Human Resources is of the + opinion that they run the ISG because they are always adding and disabling users. Also, + departmental managers have to fight tooth and nail to gain basic network resources access for + their staff. Accounting is different though, they get exactly what they want. So this should + set the scene. 
+ </para> + + <para> + We will use the users from the last example. The accounting department + has a general printer that all departmental users may. There is also a check printer + that may be used only by the person who has authority to print checks. The Chief Financial + Officer (CFO) wants that printer to be completely restricted and for it to be located in the + private storage area in her office. It therefore must be a network printer. + </para> + + <para> + Accounting department uses an accounting application called <emphasis>SpytFull</emphasis> + that must be run from a central application server. The software is licensed to run only off + one server, there are no workstation components, and it is run off a mapped share. The data + store is in a UNIX-based SQL backend. The UNIX gurus look after that, so is not our + problem. + </para> + + <para> + The accounting department manager (maryo) wants a general filing system as well as a separate + file storage area for form letters (nastygrams). The form letter area should be read-only to + all accounting staff except the manager. The general filing system has to have a structured + layout with a general area for all staff to store general documents, as well as a separate + file area for each member of her team that is private to that person, but she wants full + access to all areas. Users must have a private home share for personal work-related files + and for materials not related to departmental operations. + </para> + + <sect3> + <title>Example Configuration</title> + + <para> + The server <emphasis>valinor</emphasis> will be a member server of the company domain. + Accounting will have only a local server. User accounts will be on the Domain Controllers + as will desktop profiles and all network policy files. + </para> + + <procedure> + <step><para> + Do not add users to the UNIX/Linux server; all of this will run off the + central domain. 
+ </para></step> + + <step><para> + Configure &smb.conf; according to <link linkend="fast-member-server"/> + and <link linkend="fast-memberserver-shares"></link>. + </para> + + <para> + <smbconfexample id="fast-member-server"> + <title>Member server smb.conf (globals)</title> +<smbconfcomment>Global parameters</smbconfcomment> +<smbconfsection name="[global]"/> +<smbconfoption name="workgroup">MIDEARTH</smbconfoption> +<smbconfoption name="netbios name">VALINOR</smbconfoption> +<smbconfoption name="security">DOMAIN</smbconfoption> +<smbconfoption name="printcap name">cups</smbconfoption> +<smbconfoption name="disable spoolss">Yes</smbconfoption> +<smbconfoption name="show add printer wizard">No</smbconfoption> +<smbconfoption name="idmap uid">15000-20000</smbconfoption> +<smbconfoption name="idmap gid">15000-20000</smbconfoption> +<smbconfoption name="winbind use default domain">Yes</smbconfoption> +<smbconfoption name="use sendfile">Yes</smbconfoption> +<smbconfoption name="printing">cups</smbconfoption> + </smbconfexample></para> + + <para> + <smbconfexample id="fast-memberserver-shares"> + <title>Member server smb.conf (shares and services)</title> +<smbconfsection name="[homes]"/> +<smbconfoption name="comment">Home Directories</smbconfoption> +<smbconfoption name="valid users">%S</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[spytfull]"/> +<smbconfoption name="comment">Accounting Application Only</smbconfoption> +<smbconfoption name="path">/export/spytfull</smbconfoption> +<smbconfoption name="valid users">@Accounts</smbconfoption> +<smbconfoption name="admin users">maryo</smbconfoption> +<smbconfoption name="read only">Yes</smbconfoption> + +<smbconfsection name="[public]"/> +<smbconfoption name="comment">Data</smbconfoption> +<smbconfoption name="path">/export/public</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> + +<smbconfsection 
name="[printers]"/> +<smbconfoption name="comment">All Printers</smbconfoption> +<smbconfoption name="path">/var/spool/samba</smbconfoption> +<smbconfoption name="printer admin">root, maryo</smbconfoption> +<smbconfoption name="create mask">0600</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> +<smbconfoption name="printable">Yes</smbconfoption> +<smbconfoption name="use client driver">Yes</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + </smbconfexample> + </para></step> + + + <step><para> +<indexterm><primary>net</primary><secondary>rpc</secondary></indexterm> + Join the domain. Note: Do not start Samba until this step has been completed! +<screen> +&rootprompt;<userinput>net rpc join -Uroot%'bigsecret'</userinput> +Joined domain MIDEARTH. +</screen> + </para></step> + + <step><para> + Make absolutely certain that you disable (shut down) the <command>nscd</command> + daemon on any system on which <command>winbind</command> is configured to run. + </para></step> + + <step><para> + Start Samba following the normal method for your operating system platform. + If you wish to this manually execute as root: + <indexterm><primary>smbd</primary></indexterm> + <indexterm><primary>nmbd</primary></indexterm> + <indexterm><primary>winbindd</primary></indexterm> + <indexterm><primary>starting samba</primary><secondary>smbd</secondary></indexterm> + <indexterm><primary>starting samba</primary><secondary>nmbd</secondary></indexterm> + <indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm> +<screen> +&rootprompt;<userinput>nmbd; smbd; winbindd;</userinput> +</screen> + </para></step> + + <step><para> + Configure the name service switch control file on your system to resolve user and group names + via winbind. 
Edit the following lines in <filename>/etc/nsswitch.conf</filename>: +<programlisting> +passwd: files winbind +group: files winbind +hosts: files dns winbind +</programlisting> + </para></step> + + <step><para> + Set the password for <command>wbinfo</command> to use: +<screen> +&rootprompt;<userinput>wbinfo --set-auth-user=root%'bigsecret'</userinput> +</screen> + </para></step> + + <step><para> + Validate that domain user and group credentials can be correctly resolved by executing: +<screen> +&rootprompt;<userinput>wbinfo -u</userinput> +MIDEARTH\maryo +MIDEARTH\jackb +MIDEARTH\ameds +... +MIDEARTH\root + +&rootprompt;<userinput>wbinfo -g</userinput> +MIDEARTH\Domain Users +MIDEARTH\Domain Admins +MIDEARTH\Domain Guests +... +MIDEARTH\Accounts +</screen> + </para></step> + + <step><para> + Check that <command>winbind</command> is working. The following demonstrates correct + username resolution via the <command>getent</command> system utility: +<screen> +&rootprompt;<userinput>getent passwd maryo</userinput> +maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false +</screen> + </para></step> + + <step><para> + A final test that we have this under control might be reassuring: +<screen> +&rootprompt;<userinput>touch /export/a_file</userinput> +&rootprompt;<userinput>chown maryo /export/a_file</userinput> +&rootprompt;<userinput>ls -al /export/a_file</userinput> +... +-rw-r--r-- 1 maryo users 11234 Jun 21 15:32 a_file +... 
+ +&rootprompt;<userinput>rm /export/a_file</userinput> +</screen> + </para></step> + + <step><para> + Configuration is now mostly complete, so this is an opportune time + to configure the directory structure for this site: +<screen> +&rootprompt;<userinput>mkdir -p /export/{spytfull,public}</userinput> +&rootprompt;<userinput>chmod ug=rwxS,o=x /export/{spytfull,public}</userinput> +&rootprompt;<userinput>chown maryo.Accounts /export/{spytfull,public}</userinput> +</screen> + </para></step> + </procedure> + + </sect3> + + </sect2> + + <sect2> + <title>Domain Controller</title> + + + <para> + <indexterm><primary>Server Type</primary><secondary>Domain Controller</secondary></indexterm> + For the remainder of this chapter the focus is on the configuration of Domain Control. + The examples that follow are for two implementation strategies. Remember, our objective is + to create a simple but working solution. The remainder of this book should help to highlight + opportunity for greater functionality and the complexity that goes with it. + </para> + + <para> + A Domain Controller configuration can be achieved with a simple configuration using the new + tdbsam password backend. This type of configuration is good for small + offices, but has limited scalability (cannot be replicated) and performance can be expected + to fall as the size and complexity of the domain increases. + </para> + + <para> + The use of tdbsam is best limited to sites that do not need + more than a primary Domain Controller (PDC). As the size of a domain grows the need + for additional Domain Controllers becomes apparent. Do not attempt to under-resource + a Microsoft Windows network environment; Domain Controllers provide essential + authentication services. The following are symptoms of an under-resourced Domain Control + environment: + </para> + + <itemizedlist> + <listitem><para> + Domain logons intermittently fail. 
+ </para></listitem> + + <listitem><para> + File access on a Domain Member server intermittently fails, giving a permission denied + error message. + </para></listitem> + </itemizedlist> + + <para> + A more scalable Domain Control authentication backend option might use + Microsoft Active Directory, or an LDAP-based backend. Samba-3 provides + for both options as a Domain Member server. As a PDC Samba-3 is not able to provide + an exact alternative to the functionality that is available with Active Directory. + Samba-3 can provide a scalable LDAP-based PDC/BDC solution. + </para> + + <para> + The tdbsam authentication backend provides no facility to replicate + the contents of the database, except by external means. (i.e., there is no self-contained protocol + in Samba-3 for Security Account Manager database [SAM] replication.) + </para> + + <note><para> + If you need more than one Domain Controller, do not use a tdbsam authentication backend. + </para></note> + + <sect3> + <title>Example: Engineering Office</title> + + <para> + The engineering office network server we present here is designed to demonstrate use + of the new tdbsam password backend. The tdbsam + facility is new to Samba-3. It is designed to provide many user and machine account controls + that are possible with Microsoft Windows NT4. It is safe to use this in smaller networks. 
+ </para> + + <procedure> + <step><para> + A working PDC configuration using the tdbsam + password backend can be found in <link linkend="fast-engoffice-global"></link> together with + <link linkend="fast-engoffice-shares"></link>: + </para> + + <para> +<indexterm><primary>pdbedit</primary></indexterm> + <smbconfexample id="fast-engoffice-global"> + <title>Engineering Office smb.conf (globals)</title> +<smbconfsection name="[global]"/> +<smbconfoption name="workgroup">MIDEARTH</smbconfoption> +<smbconfoption name="netbios name">FRODO</smbconfoption> +<smbconfoption name="passdb backend">tdbsam</smbconfoption> +<smbconfoption name="printcap name">cups</smbconfoption> +<smbconfoption name="add user script">/usr/sbin/useradd -m %u</smbconfoption> +<smbconfoption name="delete user script">/usr/sbin/userdel -r %u</smbconfoption> +<smbconfoption name="add group script">/usr/sbin/groupadd %g</smbconfoption> +<smbconfoption name="delete group script">/usr/sbin/groupdel %g</smbconfoption> +<smbconfoption name="add user to group script">/usr/sbin/groupmod -A %u %g</smbconfoption> +<smbconfoption name="delete user from group script">/usr/sbin/groupmod -R %u %g</smbconfoption> +<smbconfoption name="add machine script">/usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u</smbconfoption> +<smbconfcomment>Note: The following specifies the default logon script.</smbconfcomment> +<smbconfcomment>Per user logon scripts can be specified in the user account using pdbedit </smbconfcomment> +<smbconfoption name="logon script">scripts\logon.bat</smbconfoption> +<smbconfcomment>This sets the default profile path. 
Set per user paths with pdbedit</smbconfcomment> +<smbconfoption name="logon path">\\%L\Profiles\%U</smbconfoption> +<smbconfoption name="logon drive">H:</smbconfoption> +<smbconfoption name="logon home">\\%L\%U</smbconfoption> +<smbconfoption name="domain logons">Yes</smbconfoption> +<smbconfoption name="os level">35</smbconfoption> +<smbconfoption name="preferred master">Yes</smbconfoption> +<smbconfoption name="domain master">Yes</smbconfoption> +<smbconfoption name="idmap uid">15000-20000</smbconfoption> +<smbconfoption name="idmap gid">15000-20000</smbconfoption> +<smbconfoption name="printing">cups</smbconfoption> + </smbconfexample> + + <smbconfexample id="fast-engoffice-shares"> + <title>Engineering Office smb.conf (shares and services)</title> +<smbconfsection name="[homes]"/> +<smbconfoption name="comment">Home Directories</smbconfoption> +<smbconfoption name="valid users">%S</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfcomment>Printing auto-share (makes printers available thru CUPS)</smbconfcomment> +<smbconfsection name="[printers]"/> +<smbconfoption name="comment">All Printers</smbconfoption> +<smbconfoption name="path">/var/spool/samba</smbconfoption> +<smbconfoption name="printer admin">root, maryo</smbconfoption> +<smbconfoption name="create mask">0600</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> +<smbconfoption name="printable">Yes</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[print$]"/> +<smbconfoption name="comment">Printer Drivers Share</smbconfoption> +<smbconfoption name="path">/var/lib/samba/drivers</smbconfoption> +<smbconfoption name="write list">maryo, root</smbconfoption> +<smbconfoption name="printer admin">maryo, root</smbconfoption> + +<smbconfcomment>Needed to support domain logons</smbconfcomment> +<smbconfsection name="[netlogon]"/> +<smbconfoption name="comment">Network Logon 
Service</smbconfoption> +<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption> +<smbconfoption name="admin users">root, maryo</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfcomment>For profiles to work, create a user directory under the path</smbconfcomment> +<smbconfcomment> shown. i.e., mkdir -p /var/lib/samba/profiles/maryo</smbconfcomment> +<smbconfsection name="[Profiles]"/> +<smbconfoption name="comment">Roaming Profile Share</smbconfoption> +<smbconfoption name="path">/var/lib/samba/profiles</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="profile acls">Yes</smbconfoption> + +<smbconfcomment>Other resource (share/printer) definitions would follow below.</smbconfcomment> + </smbconfexample> + </para></step> + + <step><para> + Create UNIX group accounts as needed using a suitable operating system tool: +<screen> +&rootprompt;<userinput>groupadd ntadmins</userinput> +&rootprompt;<userinput>groupadd designers</userinput> +&rootprompt;<userinput>groupadd engineers</userinput> +&rootprompt;<userinput>groupadd qateam</userinput> +</screen> + </para></step> + + <step><para> + Create user accounts on the system using the appropriate tool + provided with the operating system. Make sure all user home directories + are created also. Add users to groups as required for access control + on files, directories, printers, and as required for use in the Samba + environment. + </para></step> + + + <step><para> +<indexterm><primary>net</primary><secondary>groupmap</secondary></indexterm> +<indexterm><primary>initGroups.sh</primary></indexterm> + Assign each of the UNIX groups to NT groups: + (It may be useful to copy this text to a shell script called + <filename>initGroups.sh</filename>.) 
+ <smbfile name="initGroups.sh"> + <title>Shell script for initializing group mappings</title> + <programlisting> +#!/bin/bash +#### Keep this as a shell script for future re-use + +# First assign well known groups +net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins +net groupmap modify ntgroup="Domain Users" unixgroup=users +net groupmap modify ntgroup="Domain Guests" unixgroup=nobody + +# Now for our added Domain Groups +net groupmap add ntgroup="Designers" unixgroup=designers type=d +net groupmap add ntgroup="Engineers" unixgroup=engineers type=d +net groupmap add ntgroup="QA Team" unixgroup=qateam type=d +</programlisting> +</smbfile> + </para></step> + + <step><para> + Create the <filename>scripts</filename> directory for use in the + <smbconfsection name="[NETLOGON]"/> share: +<screen> +&rootprompt;<userinput>mkdir -p /var/lib/samba/netlogon/scripts</userinput> +</screen> + Place the logon scripts that will be used (batch or cmd scripts) + in this directory. + </para></step> + </procedure> + + <para> + The above configuration provides a functional Primary Domain Control (PDC) + system to which must be added file shares and printers as required. + </para> + + </sect3> + + <sect3> + <title>A Big Organization</title> + + <para> + In this section we finally get to review in brief a Samba-3 configuration that + uses a Light Weight Directory Access (LDAP)-based authentication backend. The + main reasons for this choice are to provide the ability to host primary + and Backup Domain Control (BDC), as well as to enable a higher degree of + scalability to meet the needs of a very distributed environment. + </para> + + <sect4> + <title>The Primary Domain Controller</title> + + <para> + This is an example of a minimal configuration to run a Samba-3 PDC + using an LDAP authentication backend. It is assumed that the operating system + has been correctly configured. 
+ </para> + + <para> + The Idealx scripts (or equivalent) are needed to manage LDAP based Posix and/or + SambaSamAccounts. The Idealx scripts may be downloaded from the <ulink url="http://www.idealx.org"> + Idealx</ulink> Web site. They may also be obtained from the Samba tarball. Linux + distributions tend to install the Idealx scripts in the + <filename>/usr/share/doc/packages/sambaXXXXXX/examples/LDAP/smbldap-tools</filename> directory. + Idealx scripts version <constant>smbldap-tools-0.8.7</constant> are known to work well. + </para> + + <procedure> + <step><para> + Obtain from the Samba sources <filename>~/examples/LDAP/samba.schema</filename> + and copy it to the <filename>/etc/openldap/schema/</filename> directory. + </para></step> + + <step><para> + Set up the LDAP server. This example is suitable for OpenLDAP 2.1.x. + The <filename>/etc/openldap/slapd.conf</filename> file: +<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm> +<smbfile name="slapd.conf"><title>Example slapd.conf file</title> +<programlisting> +# Note commented out lines have been removed +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/samba.schema + +pidfile /var/run/slapd/slapd.pid +argsfile /var/run/slapd/slapd.args + +database bdb +suffix "dc=quenya,dc=org" +rootdn "cn=Manager,dc=quenya,dc=org" +rootpw {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P +# The password for the above is 'nastyon3' + +directory /var/lib/ldap + +index objectClass eq +index cn pres,sub,eq +index sn pres,sub,eq +index uid pres,sub,eq +index displayName pres,sub,eq +index uidNumber eq +index gidNumber eq +index memberUid eq +index sambaSID eq +index sambaPrimaryGroupSID eq +index sambaDomainName eq +index default sub +</programlisting> +</smbfile> + </para></step> + + <step><para> + Create the following file <filename>samba-ldap-init.ldif</filename>: 
+ <indexterm><primary>samba-ldap-init.ldif</primary></indexterm> + <smbfile name="samba-ldap-init.ldif"> +<programlisting> +# Organization for SambaXP Demo +dn: dc=quenya,dc=org +objectclass: dcObject +objectclass: organization +dc: quenya +o: SambaXP Demo +description: The SambaXP Demo LDAP Tree + +# Organizational Role for Directory Management +dn: cn=Manager,dc=quenya,dc=org +objectclass: organizationalRole +cn: Manager +description: Directory Manager + +# Setting up the container for users +dn: ou=People, dc=quenya, dc=org +objectclass: top +objectclass: organizationalUnit +ou: People + +# Set up an admin handle for People OU +dn: cn=admin, ou=People, dc=quenya, dc=org +cn: admin +objectclass: top +objectclass: organizationalRole +objectclass: simpleSecurityObject +userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb +# The password for above is 'mordonL8' +</programlisting> +</smbfile> + </para></step> + + <step><para> + Load the initial data above into the LDAP database: +<screen> +&rootprompt;<userinput>slapadd -v -l initdb.ldif</userinput> +</screen> + </para></step> + + <step><para> + Start the LDAP server using the appropriate tool or method for + the operating system platform on which it is installed. + </para></step> + + <step><para> + Install the Idealx script files in the <filename>/usr/local/sbin</filename> directory, + then configure the smbldap_conf.pm file to match your system configuration. + </para></step> + + <step><para> + The &smb.conf; file that drives this backend can be found in example <link linkend="fast-ldap"/>. 
+ </para> + + <para> +<smbconfexample id="fast-ldap"> +<title>LDAP backend smb.conf for PDC</title> +<smbconfcomment>Global parameters</smbconfcomment> +<smbconfsection name="[global]"/> +<smbconfoption name="workgroup">MIDEARTH</smbconfoption> +<smbconfoption name="netbios name">FRODO</smbconfoption> +<smbconfoption name="passdb backend">ldapsam:ldap://localhost</smbconfoption> +<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption> +<smbconfoption name="printcap name">cups</smbconfoption> +<smbconfoption name="add user script">/usr/local/sbin/smbldap-useradd -m '%u'</smbconfoption> +<smbconfoption name="delete user script">/usr/local/sbin/smbldap-userdel %u</smbconfoption> +<smbconfoption name="add group script">/usr/local/sbin/smbldap-groupadd -p '%g'</smbconfoption> +<smbconfoption name="delete group script">/usr/local/sbin/smbldap-groupdel '%g'</smbconfoption> +<smbconfoption name="add user to group script">/usr/local/sbin/smbldap-groupmod -m '%u' '%g'</smbconfoption> +<smbconfoption name="delete user from group script">/usr/local/sbin/smbldap-groupmod -x '%u' '%g'</smbconfoption> +<smbconfoption name="set primary group script">/usr/local/sbin/smbldap-usermod -g '%g' '%u'</smbconfoption> +<smbconfoption name="add machine script">/usr/local/sbin/smbldap-useradd -w '%u'</smbconfoption> +<smbconfoption name="logon script">scripts\logon.bat</smbconfoption> +<smbconfoption name="logon path">\\%L\Profiles\%U</smbconfoption> +<smbconfoption name="logon drive">H:</smbconfoption> +<smbconfoption name="logon home">\\%L\%U</smbconfoption> +<smbconfoption name="domain logons">Yes</smbconfoption> +<smbconfoption name="os level">35</smbconfoption> +<smbconfoption name="preferred master">Yes</smbconfoption> +<smbconfoption name="domain master">Yes</smbconfoption> +<smbconfoption name="ldap suffix">dc=quenya,dc=org</smbconfoption> +<smbconfoption name="ldap machine suffix">ou=People</smbconfoption> +<smbconfoption name="ldap user 
suffix">ou=People</smbconfoption> +<smbconfoption name="ldap group suffix">ou=People</smbconfoption> +<smbconfoption name="ldap idmap suffix">ou=People</smbconfoption> +<smbconfoption name="ldap admin dn">cn=Manager</smbconfoption> +<smbconfoption name="ldap ssl">no</smbconfoption> +<smbconfoption name="ldap passwd sync">Yes</smbconfoption> +<smbconfoption name="idmap uid">15000-20000</smbconfoption> +<smbconfoption name="idmap gid">15000-20000</smbconfoption> +<smbconfoption name="printing">cups</smbconfoption> +</smbconfexample> + </para></step> + + <step><para> + Add the LDAP password to the <filename>secrets.tdb</filename> file so Samba can update + the LDAP database: +<screen> +&rootprompt;<userinput>smbpasswd -w mordonL8</userinput> +</screen> + </para></step> + + <step><para> + Add users and groups as required. Users and groups added using Samba tools + will automatically be added to both the LDAP backend as well as to the operating + system as required. + </para></step> + + </procedure> + + </sect4> + + <sect4> + <title>Backup Domain Controller</title> + + <para> + <link linkend="fast-bdc"/> shows the example configuration for the BDC. + </para> + + <procedure> + <step><para> + Decide if the BDC should have its own LDAP server or not. If the BDC is to be + the LDAP server change the following &smb.conf; as indicated. The default + configuration in <link linkend="fast-bdc"/> uses a central LDAP server. 
+<smbconfexample id="fast-bdc"> +<title>Remote LDAP BDC smb.conf</title> +<smbconfcomment>Global parameters</smbconfcomment> +<smbconfsection name="[global]"/> +<smbconfoption name="workgroup">MIDEARTH</smbconfoption> +<smbconfoption name="netbios name">GANDALF</smbconfoption> +<smbconfoption name="passdb backend">ldapsam:ldap://frodo.quenya.org</smbconfoption> +<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption> +<smbconfoption name="printcap name">cups</smbconfoption> +<smbconfoption name="logon script">scripts\logon.bat</smbconfoption> +<smbconfoption name="logon path">\\%L\Profiles\%U</smbconfoption> +<smbconfoption name="logon drive">H:</smbconfoption> +<smbconfoption name="logon home">\\%L\%U</smbconfoption> +<smbconfoption name="domain logons">Yes</smbconfoption> +<smbconfoption name="os level">33</smbconfoption> +<smbconfoption name="preferred master">Yes</smbconfoption> +<smbconfoption name="domain master">No</smbconfoption> +<smbconfoption name="ldap suffix">dc=quenya,dc=org</smbconfoption> +<smbconfoption name="ldap machine suffix">ou=People</smbconfoption> +<smbconfoption name="ldap user suffix">ou=People</smbconfoption> +<smbconfoption name="ldap group suffix">ou=People</smbconfoption> +<smbconfoption name="ldap idmap suffix">ou=People</smbconfoption> +<smbconfoption name="ldap admin dn">cn=Manager</smbconfoption> +<smbconfoption name="ldap ssl">no</smbconfoption> +<smbconfoption name="ldap passwd sync">Yes</smbconfoption> +<smbconfoption name="idmap uid">15000-20000</smbconfoption> +<smbconfoption name="idmap gid">15000-20000</smbconfoption> +<smbconfoption name="printing">cups</smbconfoption> +</smbconfexample> + </para></step> + + <step><para> + Configure the NETLOGON and PROFILES directory as for the PDC in <link linkend="fast-bdc"/>. + </para></step> + </procedure> + + </sect4> + + </sect3> + + </sect2> + +</sect1> + +</chapter> |
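Review bot: the slapd.conf in the LDAP Primary Domain Controller example carries no `access` directives, and OpenLDAP's default policy when none are present is `access to * by * read`, so every attribute including `userPassword`, `sambaLMPassword` and `sambaNTPassword` is readable by an anonymous bind; a reader who copies it as-is hands password-equivalent NT hashes to anyone who can reach the directory port. Please add at least `access to attrs=userPassword,sambaLMPassword,sambaNTPassword by dn="cn=admin,ou=People,dc=quenya,dc=org" write by self write by * auth` followed by `access to * by * read`, and make clear that "Note commented out lines have been removed" does not mean ACLs are optional. The credentials in that region also do not line up: the LDIF creates `cn=admin,ou=People,dc=quenya,dc=org` with password `mordonL8`, the smb.conf sets `ldap admin dn = cn=Manager` (not even the full rootdn `cn=Manager,dc=quenya,dc=org`, whose password per the slapd.conf comment is `nastyon3`), yet the step runs `smbpasswd -w mordonL8`. Setting `ldap admin dn = cn=admin,ou=People,dc=quenya,dc=org` matches the stored password and keeps the directory rootdn out of secrets.tdb. Finally, the file is created as `samba-ldap-init.ldif` but loaded with `slapadd -v -l initdb.ldif`; one of the two names needs to change.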
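Review bot: in the BDC example (`fast-bdc`) `ldap ssl = no` is combined with `passdb backend = ldapsam:ldap://frodo.quenya.org`, so the BDC's bind with the admin dn password and every SAM lookup, which returns the sambaNTPassword hashes, cross the network in clear text; on the PDC the same setting only talks to `localhost`, but for the remote case the example should use `ldap ssl = start tls` (or an `ldaps://` URL) and the prose should say why. The BDC procedure also omits the `smbpasswd -w` step that the PDC procedure includes, and without the password in its own secrets.tdb the BDC cannot bind as the admin dn at all. Its final step sends the reader to `<link linkend="fast-bdc"/>` for the NETLOGON and PROFILES setup, but the PDC example is `fast-ldap`, and neither LDAP example actually defines the `[netlogon]` and `[Profiles]` shares (only `fast-engoffice-shares` does), so either add them to the LDAP examples or reference that example explicitly.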
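Review bot: the tdbsam Engineering Office globals use `/usr/sbin/groupmod -A %u %g` and `/usr/sbin/groupmod -R %u %g` for the add/delete user to group scripts; those flags are specific to SUSE's groupmod and shadow-utils' groupmod on other distributions rejects them, so the text should say so or show a portable alternative, since the section only refers to "a suitable operating system tool". In the domain member directory setup, `chmod ug=rwxS,o=x /export/{spytfull,public}` sets the setuid bit as well as setgid on both directories; setgid is what makes new files inherit the group, setuid on a directory does nothing on Linux, so `g+s` is the intended bit. Two security points are worth a sentence each: every domain workstation executes `scripts\logon.bat` from `[netlogon]` at logon, so `admin users = root, maryo` on that share is effectively the list of who can run code on every client; and `wbinfo --set-auth-user=root%'bigsecret'` stores that credential in the member server's secrets.tdb, where a dedicated low-privilege domain account is sufficient for winbind's user and group enumeration and limits the damage if the member server is compromised.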