1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
5 <!-- entities files to use -->
6 <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
11 <chapter id="FastStart">
16 <title>Fast Start: Cure for Impatience</title>
19 When we first asked for suggestions for inclusion in the Samba HOWTO documentation,
20 someone wrote asking for example configurations &smbmdash; and lots of them. That is remarkably
21 difficult to do, without losing a lot of value that can be derived from presenting
22 many extracts from working systems. That is what the rest of this document does.
23 It does so with extensive descriptions of the configuration possibilities within the
24 context of the chapter that covers it. We hope that this chapter is the medicine
25 that has been requested.
29 <title>Features and Benefits</title>
32 Samba needs very little configuration to create a basic working system.
33 In this chapter we progress from the simple to the complex, for each providing
34 all steps and configuration file changes needed to make each work. Please note
35 that a comprehensively configured system will likely employ additional smart
36 features. The additional features are covered in the remainder of this document.
40 The examples used here have been obtained from a number of people who made
41 requests for example configurations. All identities have been obscured to protect
42 the guilty and any resemblance to unreal non-existent sites is deliberate.
48 <title>Description of Example Sites</title>
51 In the first set of configuration examples we consider the case of exceptionally simple
52 system requirements. There is a real temptation to make something that should require
53 little effort much too complex.
57 <link linkend="anon-ro"></link> documents the type of server that might be sufficient to serve CD-ROM
58 images, or reference document files for network client use. This configuration is also discussed in
59 <link linkend="StandAloneServer"></link>, <link linkend="RefDocServer"></link>.
60 The purpose of this configuration is to provide a read-only shared volume that anyone, even guests, can access.
64 The second example shows a minimal configuration for a print server that anyone can print
65 to as long as they have the correct printer drivers installed on their computer. This is a
66 mirror of the system described in <link linkend="StandAloneServer"></link>, <link linkend="SimplePrintServer"></link>.
70 The next example is of a secure office file and print server that will be accessible only
71 to users who have an account on the system. This server is meant to closely resemble a
72 Workgroup file and print server, but has to be more secure than an anonymous access machine.
73 This type of system will typically suit the needs of a small office. The server does not
74 provide network logon facilities and offers no Domain Control; it is just a network
75 attached storage (NAS) device and a print server.
79 Finally, we start looking at more complex systems that will either integrate into existing
80 Microsoft Windows networks, or replace them entirely. The examples provided cover domain
81 member servers as well as Samba Domain Control (PDC/BDC) and finally describes in detail
82 a large distributed network with branch offices in remote locations.
88 <title>Worked Examples</title>
91 The configuration examples are designed to cover everything necessary to get Samba
92 running. They do not cover basic operating system platform configuration, which is
93 clearly beyond the scope of this text.
97 It is also assumed that Samba has been correctly installed, either by way of installation
98 of the packages that are provided by the operating system vendor, or through other means.
102 <title>Stand-alone Server</title>
105 <indexterm><primary>Server Type</primary><secondary>Stand-alone</secondary></indexterm>
106 A Stand-alone Server implies no more than the fact that it is not a Domain Controller
107 and it does not participate in Domain Control. It can be a simple workgroup-like
108 server, or it may be a complex server that is a member of a domain security context.
112 <title>Anonymous Read-Only Document Server</title>
115 <indexterm><primary>read only</primary><secondary>server</secondary></indexterm>
116 The purpose of this type of server is to make available to any user
117 any documents or files that are placed on the shared resource. The
118 shared resource could be a CD-ROM drive, a CD-ROM image, or a file
123 As the examples are developed, every attempt is made to progress the
124 system toward greater capability, just as one might expect would happen
125 in a real business office as that office grows in size and its needs
129 <para>The configuration file is:</para>
131 <para><smbconfexample id="anon-example">
132 <title>Anonymous Read-Only Server Configuration</title>
133 <smbconfcomment>Global parameters</smbconfcomment>
134 <smbconfsection>[global]</smbconfsection>
135 <smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
136 <smbconfoption><name>netbios name</name><value>HOBBIT</value></smbconfoption>
137 <smbconfoption><name>security</name><value>share</value></smbconfoption>
139 <smbconfsection>[data]</smbconfsection>
140 <smbconfoption><name>comment</name><value>Data</value></smbconfoption>
141 <smbconfoption><name>path</name><value>/export</value></smbconfoption>
142 <smbconfoption><name>read only</name><value>Yes</value></smbconfoption>
143 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
149 The file system share point will be <filename>/export</filename>.
153 All files will be owned by a user called Jack Baumbach.
154 Jack's login name will be <emphasis>jackb</emphasis>. His password will be
155 <emphasis>m0r3pa1n</emphasis> &smbmdash; of course, that's just the example we are
156 using; do not use this in a production environment because
157 all readers of this document will know it.
162 <title>Installation Procedure &smbmdash; Read-Only Server</title>
164 Add user to system (with creation of the users' home directory):
166 &rootprompt;<userinput>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</userinput>
171 Create directory, and set permissions and ownership:
173 &rootprompt;<userinput>mkdir /export</userinput>
174 &rootprompt;<userinput>chmod u+rwx,g+rx,o+rx /export</userinput>
175 &rootprompt;<userinput>chown jackb.users /export</userinput>
180 Copy the files that should be shared to the <filename>/export</filename>
185 Install the Samba configuration file (<filename>/etc/samba/smb.conf</filename>)
190 Test the configuration file:
192 &rootprompt;<userinput>testparm</userinput>
194 Note any error messages that might be produced. Do not proceed until you
195 obtain error-free output. An example of the output with the following file
198 Load smb config files from /etc/samba/smb.conf
199 Processing section "[data]"
200 Loaded services file OK.
201 Server role: ROLE_STANDALONE
202 Press enter to see a dump of your service definitions
203 <userinput>[Press enter]</userinput>
208 netbios name = HOBBIT
220 Start Samba using the method applicable to your operating system
225 Configure your Microsoft Windows client for workgroup <emphasis>MIDEARTH</emphasis>,
226 set the machine name to ROBBINS, reboot, wait a few (2 - 5) minutes,
227 then open Windows Explorer and visit the network neighborhood.
228 The machine HOBBIT should be visible. When you click this machine
229 icon, it should open up to reveal the <emphasis>data</emphasis> share. After
230 clicking the share, it should open up to reveal the files previously
231 placed in the <filename>/export</filename> directory.
236 The information above (following # Global parameters) provides the complete
237 contents of the <filename>/etc/samba/smb.conf</filename> file.
243 <title>Anonymous Read-Write Document Server</title>
246 <indexterm><primary>anonymous</primary><secondary>read-write server</secondary></indexterm>
247 We should view this configuration as a progression from the previous example.
248 The difference is that shared access is now forced to the user identity of jackb
249 and to the primary group jackb belongs to. One other refinement we can make is to
250 add the user <emphasis>jackb</emphasis> to the <filename>smbpasswd</filename> file.
253 &rootprompt;<userinput>smbpasswd -a jackb</userinput>
254 New SMB password: <userinput>m0r3pa1n</userinput>
255 Retype new SMB password: <userinput>m0r3pa1n</userinput>
258 Addition of this user to the <filename>smbpasswd</filename> file allows all files
259 to be displayed in the Explorer Properties boxes as belonging to <emphasis>jackb</emphasis>
260 instead of to <emphasis>User Unknown</emphasis>.
264 The complete, modified &smb.conf; file is as shown in <link linkend="anon-rw"/>.
268 <smbconfexample id="anon-rw"><title>Modified Anonymous Read-Write smb.conf</title>
269 <smbconfcomment>Global parameters</smbconfcomment>
270 <smbconfsection>[global]</smbconfsection>
271 <smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
272 <smbconfoption><name>netbios name</name><value>HOBBIT</value></smbconfoption>
273 <smbconfoption><name>security</name><value>SHARE</value></smbconfoption>
275 <smbconfsection>[data]</smbconfsection>
276 <smbconfoption><name>comment</name><value>Data</value></smbconfoption>
277 <smbconfoption><name>path</name><value>/export</value></smbconfoption>
278 <smbconfoption><name>force user</name><value>jackb</value></smbconfoption>
279 <smbconfoption><name>force group</name><value>users</value></smbconfoption>
280 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
281 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
288 <title>Anonymous Print Server</title>
291 <indexterm><primary>anonymous</primary><secondary>print server</secondary></indexterm>
292 An anonymous print server serves two purposes:
297 It allows printing to all printers from a single location.
301 It reduces network traffic congestion due to many users trying
302 to access a limited number of printers.
307 In the simplest of anonymous print servers, it is common to require the installation
308 of the correct printer drivers on the Windows workstation. In this case the print
309 server will be designed to just pass print jobs through to the spooler, and the spooler
310 should be configured to do raw pass-through to the printer. In other words, the print
311 spooler should not filter or process the data stream being passed to the printer.
315 In this configuration it is undesirable to present the Add Printer Wizard and we do
316 not want to have automatic driver download, so we will disable it in the following
317 configuration. <link linkend="anon-print"></link> is the resulting &smb.conf; file.
321 <smbconfexample id="anon-print"><title>Anonymous Print Server smb.conf</title>
322 <smbconfcomment>Global parameters</smbconfcomment>
323 <smbconfsection>[global]</smbconfsection>
324 <smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
325 <smbconfoption><name>netbios name</name><value>LUTHIEN</value></smbconfoption>
326 <smbconfoption><name>security</name><value>share</value></smbconfoption>
327 <smbconfoption><name>printcap name</name><value>cups</value></smbconfoption>
328 <smbconfoption><name>disable spoolss</name><value>Yes</value></smbconfoption>
329 <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
330 <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
332 <smbconfsection>[printers]</smbconfsection>
333 <smbconfoption><name>comment</name><value>All Printers</value></smbconfoption>
334 <smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
335 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
336 <smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
337 <smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
338 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
343 The above configuration is not ideal. It uses no smart features, and it deliberately
344 presents a less than elegant solution. But it is basic, and it does print.
348 Windows users will need to install a local printer and then, after installation of the
349 drivers, change the print-to device. The print-to device can then be set to
350 the network printer on this machine.
354 Make sure that the directory <filename>/var/spool/samba</filename> is capable of being used
355 as intended. The following steps must be taken to achieve this:
360 The directory must be owned by the superuser (root) user and group:
362 &rootprompt;<userinput>chown root.root /var/spool/samba</userinput>
367 Directory permissions should be set for public read-write with the
368 sticky-bit set as shown:
370 &rootprompt;<userinput>chmod a+rwt /var/spool/samba</userinput>
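The spool directory requirements just listed (root ownership, public read-write, sticky bit) as a verification script. This is an added example, not part of the Samba HOWTO; check_dir and check_spool_dir are names chosen here. Because the expected owner, group and mode are arguments, the same function also covers the /export recipes elsewhere in this chapter.

```shell
#!/bin/sh
# Check that a directory has the ownership and mode this chapter's setup steps
# call for. Added example, not from the Samba HOWTO; check_dir/check_spool_dir
# are names chosen here. Uses ls -ld rather than GNU stat so it runs on any POSIX sh.

# Usage: check_dir DIR OWNER GROUP PERMS
# PERMS is the nine-character symbolic mode as ls shows it, e.g. rwxrwxrwt for
# the 1777 spool directory, or rwxrwx--- for the office server's /export.
check_dir() {
    dir=$1 want_owner=$2 want_group=$3 want_perms=$4
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    set -- $(ls -ld "$dir")                      # $1 mode, $3 owner, $4 group
    have_perms=$(printf '%s' "$1" | cut -c2-10)  # drop the type char and any ACL "+"
    have_owner=$3 have_group=$4 rc=0
    [ "$have_owner" = "$want_owner" ] || { echo "FAIL: $dir owner is $have_owner, want $want_owner"; rc=1; }
    [ "$have_group" = "$want_group" ] || { echo "FAIL: $dir group is $have_group, want $want_group"; rc=1; }
    [ "$have_perms" = "$want_perms" ] || { echo "FAIL: $dir mode is $have_perms, want $want_perms"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dir is $have_owner:$have_group $have_perms"
    return "$rc"
}

# The spool directory as the chapter specifies it: root:root, world read-write,
# sticky bit set so users can only delete their own spool files.
check_spool_dir() {
    check_dir "${1:-/var/spool/samba}" root root rwxrwxrwt
}
```

Run `check_spool_dir` after the chown/chmod steps; a FAIL line names the attribute that still differs.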
377 <indexterm><primary>MIME</primary><secondary>raw</secondary></indexterm>
378 <indexterm><primary>raw printing</primary></indexterm>
379 On CUPS enabled systems there is a facility to pass raw data directly to the printer without
380 intermediate processing via CUPS print filters. Where use of this mode of operation is desired
381 it is necessary to configure a raw printing device. It is also necessary to enable the raw mime
382 handler in the <filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename>
383 files. Refer to <link linkend="cups-raw"></link>.
389 <title>Secure Read-Write File and Print Server</title>
392 We progress now from simple systems to a server that is slightly more complex.
396 Our new server will require a public data storage area in which only authenticated
397 users (i.e., those with a local account) can store files, as well as a home directory.
398 There will be one printer that should be available for everyone to use.
402 In this hypothetical environment (no espionage was conducted to obtain this data),
403 the site is demanding a simple environment that is <emphasis>secure enough</emphasis>
404 but not too difficult to use.
408 Site users will be: Jack Baumbach, Mary Orville and Amed Sehkah. Each will have
409 a password (not shown in further examples). Mary will be the printer administrator and will
410 own all files in the public share.
414 This configuration will be based on <emphasis>User Level Security</emphasis> that
415 is the default, and for which the default is to store Microsoft Windows-compatible
416 encrypted passwords in a file called <filename>/etc/samba/smbpasswd</filename>.
417 The default &smb.conf; entry that makes this happen is:
418 <smbconfoption><name>passdb backend</name><value>smbpasswd, guest</value></smbconfoption>. Since this is the default,
419 it is not necessary to enter it into the configuration file. Note that the guest backend is
420 added to the list of active passdb backends whether or not it was specified directly in the Samba configuration.
426 <title>Installing the Secure Office Server</title>
428 <indexterm><primary>office server</primary></indexterm>
429 Add all users to the Operating System:
431 &rootprompt;<userinput>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</userinput>
432 &rootprompt;<userinput>useradd -c "Mary Orville" -m -g users -p secret maryo</userinput>
433 &rootprompt;<userinput>useradd -c "Amed Sehkah" -m -g users -p secret ameds</userinput>
438 Configure the Samba &smb.conf; file as shown in <link linkend="OfficeServer"/>.
439 <smbconfexample id="OfficeServer">
440 <title>Secure Office Server smb.conf</title>
441 <smbconfcomment>Global parameters</smbconfcomment>
442 <smbconfsection>[global]</smbconfsection>
443 <smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
444 <smbconfoption><name>netbios name</name><value>OLORIN</value></smbconfoption>
445 <smbconfoption><name>printcap name</name><value>cups</value></smbconfoption>
446 <smbconfoption><name>disable spoolss</name><value>Yes</value></smbconfoption>
447 <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
448 <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
450 <smbconfsection>[homes]</smbconfsection>
451 <smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
452 <smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
453 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
454 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
456 <smbconfsection>[public]</smbconfsection>
457 <smbconfoption><name>comment</name><value>Data</value></smbconfoption>
458 <smbconfoption><name>path</name><value>/export</value></smbconfoption>
459 <smbconfoption><name>force user</name><value>maryo</value></smbconfoption>
460 <smbconfoption><name>force group</name><value>users</value></smbconfoption>
461 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
462 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
464 <smbconfsection>[printers]</smbconfsection>
465 <smbconfoption><name>comment</name><value>All Printers</value></smbconfoption>
466 <smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
467 <smbconfoption><name>printer admin</name><value>root, maryo</value></smbconfoption>
468 <smbconfoption><name>create mask</name><value>0600</value></smbconfoption>
469 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
470 <smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
471 <smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
472 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
477 Initialize the Microsoft Windows password database with the new users:
479 &rootprompt;<userinput>smbpasswd -a root</userinput>
480 New SMB password: <userinput>bigsecret</userinput>
481 Reenter smb password: <userinput>bigsecret</userinput>
484 &rootprompt;<userinput>smbpasswd -a jackb</userinput>
485 New SMB password: <userinput>m0r3pa1n</userinput>
486 Retype new SMB password: <userinput>m0r3pa1n</userinput>
489 &rootprompt;<userinput>smbpasswd -a maryo</userinput>
490 New SMB password: <userinput>secret</userinput>
491 Reenter smb password: <userinput>secret</userinput>
494 &rootprompt;<userinput>smbpasswd -a ameds</userinput>
495 New SMB password: <userinput>mysecret</userinput>
496 Reenter smb password: <userinput>mysecret</userinput>
502 Install printer using the CUPS Web interface. Make certain that all
503 printers that will be shared with Microsoft Windows clients are installed
504 as raw printing devices.
508 Start Samba using the operating system administrative interface.
509 Alternately, this can be done manually by running:
510 <indexterm><primary>smbd</primary></indexterm>
511 <indexterm><primary>nmbd</primary></indexterm>
512 <indexterm><primary>starting samba</primary><secondary>smbd</secondary></indexterm>
513 <indexterm><primary>starting samba</primary><secondary>nmbd</secondary></indexterm>
515 &rootprompt;<userinput> nmbd; smbd;</userinput>
520 Configure the <filename>/export</filename> directory:
522 &rootprompt;<userinput>mkdir /export</userinput>
523 &rootprompt;<userinput>chown maryo.users /export</userinput>
524 &rootprompt;<userinput>chmod u=rwx,g=rwx,o-rwx /export</userinput>
529 Check that Samba is running correctly:
531 &rootprompt;<userinput>smbclient -L localhost -U%</userinput>
532 Domain=[MIDEARTH] OS=[UNIX] Server=[Samba-3.0.0]
534 Sharename Type Comment
535 --------- ---- -------
537 IPC$ IPC IPC Service (Samba-3.0.0)
538 ADMIN$ IPC IPC Service (Samba-3.0.0)
552 Connect to OLORIN as maryo:
554 &rootprompt;<userinput>smbclient //olorin/maryo -Umaryo%secret</userinput>
555 OS=[UNIX] Server=[Samba-3.0.0]
556 smb: \> <userinput>dir</userinput>
557 . D 0 Sat Jun 21 10:58:16 2003
558 .. D 0 Sat Jun 21 10:54:32 2003
559 Documents D 0 Fri Apr 25 13:23:58 2003
560 DOCWORK D 0 Sat Jun 14 15:40:34 2003
561 OpenOffice.org D 0 Fri Apr 25 13:55:16 2003
562 .bashrc H 1286 Fri Apr 25 13:23:58 2003
563 .netscape6 DH 0 Fri Apr 25 13:55:13 2003
564 .mozilla DH 0 Wed Mar 5 11:50:50 2003
565 .kermrc H 164 Fri Apr 25 13:23:58 2003
566 .acrobat DH 0 Fri Apr 25 15:41:02 2003
568 55817 blocks of size 524288. 34725 blocks available
569 smb: \> <userinput>q</userinput>
577 By now you should be getting the hang of configuration basics. Clearly, it is time to
578 explore slightly more complex examples. For the remainder of this chapter we will abbreviate
579 the instructions, since the previous examples have already covered the basic steps.
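Before moving on, here is a small audit for the stand-alone configurations above (the anonymous read-write server and the secure office server): it lists every share a guest can write to, shows whether a force user makes those writes land as a known account, and flags `security = share`, which is deprecated in Samba 3 and removed in Samba 4. This is an added example, not code from the Samba HOWTO; the function names are chosen here and the two embedded sample files are constructed from this chapter's examples.

```shell
#!/bin/sh
# Audit an smb.conf for shares that anonymous (guest) users can write to, and
# flag the deprecated "security = share" mode. Added example, not part of the
# Samba HOWTO; it needs only sh and awk.

# One line per share (tab-separated, [global] excluded):
#   <share>  guest_ok=<y|n>  read_only=<y|n>  force_user=<name|->
# Options set in [global] act as defaults for the shares that follow, as in Samba.
smbconf_shares() {
    awk '
        function norm(v) {          # yes/true/1 (any case) -> y, anything else -> n
            v = tolower(v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            return (v == "yes" || v == "true" || v == "1") ? "y" : "n"
        }
        function flush() {          # emit the section just finished
            if (sec == "global") { gguest = guest; gro = ro; gfu = fu }
            else if (sec != "") printf "%s\tguest_ok=%s\tread_only=%s\tforce_user=%s\n", sec, guest, ro, fu
        }
        BEGIN { gguest = "n"; gro = "y"; gfu = "-" }    # Samba defaults: guest ok = no, read only = yes
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # comments and blank lines
        /^[ \t]*\[/ {
            flush()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); sec = tolower(sec)
            guest = gguest; ro = gro; fu = gfu
            next
        }
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "guest ok" || key == "public")          guest = norm(val)
            else if (key == "read only")                       ro = norm(val)
            else if (key ~ /^(writable|writeable|write ok)$/)  ro = (norm(val) == "y") ? "n" : "y"
            else if (key == "force user")                      fu = val
        }
        END { flush() }
    ' "$1"
}

# Shares a guest can write to, as "<share> force_user=<name|->". A "-" means guest
# writes land on disk as the guest account, with no forced owner.
guest_writable_shares() {
    smbconf_shares "$1" | awk -F'\t' '$2 == "guest_ok=y" && $3 == "read_only=n" { print $1, $4 }'
}

# Exit 0 when "security = share" is set. Share-level security is deprecated in
# Samba 3 and was removed in Samba 4; the default user-level security replaces it.
uses_share_security() {
    awk -F= 'tolower($1) ~ /^[ \t]*security[ \t]*$/ { v = tolower($2); gsub(/[ \t]/, "", v); if (v == "share") hit = 1 }
             END { if (hit) exit 0; exit 1 }' "$1"
}

# Constructed samples: the anonymous read-write and secure office configurations
# from this chapter, written to "$2" so the checks can run offline.
write_sample_conf() {
    case "$1" in
    anon-rw) cat > "$2" <<'EOF'
# Global parameters
[global]
    workgroup = MIDEARTH
    netbios name = HOBBIT
    security = SHARE

[data]
    path = /export
    force user = jackb
    force group = users
    read only = No
    guest ok = Yes
EOF
    ;;
    office) cat > "$2" <<'EOF'
[global]
    workgroup = MIDEARTH
    netbios name = OLORIN

[homes]
    valid users = %S
    read only = No

[public]
    path = /export
    force user = maryo
    guest ok = Yes
    read only = No

[printers]
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
EOF
    ;;
    esac
}

# Usage: audit_smbconf /etc/samba/smb.conf
audit_smbconf() {
    if uses_share_security "$1"; then echo "WARN: security = share is deprecated"; fi
    guest_writable_shares "$1" | sed 's/^/WARN: guest-writable share: /'
}
```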
585 <title>Domain Member Server</title>
589 <indexterm><primary>Server Type</primary><secondary>Domain Member</secondary></indexterm>
590 In this instance we will consider the simplest server configuration we can get away with
591 to make an accounting department happy. Be warned: the users are accountants, and they
592 do have some nasty demands. There is a budget for only one server for this department.
596 The network is managed by an internal Information Services Group (ISG), to which we belong.
597 Internal politics are typical of a medium-sized organization; Human Resources is of the
598 opinion that they run the ISG because they are always adding and disabling users. Also,
599 departmental managers have to fight tooth and nail to gain basic network resources access for
600 their staff. Accounting is different though, they get exactly what they want. So this should
605 We will use the users from the last example. The accounting department
606 has a general printer that all departmental users may use. There is also a check printer
607 that may be used only by the person who has authority to print checks. The Chief Financial
608 Officer (CFO) wants that printer to be completely restricted and for it to be located in the
609 private storage area in her office. It therefore must be a network printer.
613 The accounting department uses an accounting application called <emphasis>SpytFull</emphasis>
614 that must be run from a central application server. The software is licensed to run only off
615 one server, there are no workstation components, and it is run off a mapped share. The data
616 store is in a UNIX-based SQL backend. The UNIX gurus look after that, so it is not our
621 The accounting department manager (maryo) wants a general filing system as well as a separate
622 file storage area for form letters (nastygrams). The form letter area should be read-only to
623 all accounting staff except the manager. The general filing system has to have a structured
624 layout with a general area for all staff to store general documents, as well as a separate
625 file area for each member of her team that is private to that person, but she wants full
626 access to all areas. Users must have a private home share for personal work-related files
627 and for materials not related to departmental operations.
631 <title>Example Configuration</title>
634 The server <emphasis>valinor</emphasis> will be a member server of the company domain.
635 Accounting will have only a local server. User accounts will be on the Domain Controllers
636 as will desktop profiles and all network policy files.
641 Do not add users to the UNIX/Linux server; all of this will run off the
646 Configure &smb.conf; according to <link linkend="fast-member-server"/>
647 and <link linkend="fast-memberserver-shares"></link>.
651 <smbconfexample id="fast-member-server">
652 <title>Member server smb.conf (globals)</title>
653 <smbconfcomment>Global parameters</smbconfcomment>
654 <smbconfsection>[global]</smbconfsection>
655 <smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
656 <smbconfoption><name>netbios name</name><value>VALINOR</value></smbconfoption>
657 <smbconfoption><name>security</name><value>DOMAIN</value></smbconfoption>
658 <smbconfoption><name>printcap name</name><value>cups</value></smbconfoption>
659 <smbconfoption><name>disable spoolss</name><value>Yes</value></smbconfoption>
660 <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
661 <smbconfoption><name>idmap uid</name><value>15000-20000</value></smbconfoption>
662 <smbconfoption><name>idmap gid</name><value>15000-20000</value></smbconfoption>
663 <smbconfoption><name>winbind use default domain</name><value>Yes</value></smbconfoption>
664 <smbconfoption><name>use sendfile</name><value>Yes</value></smbconfoption>
665 <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
666 </smbconfexample></para>
669 <smbconfexample id="fast-memberserver-shares">
670 <title>Member server smb.conf (shares and services)</title>
671 <smbconfsection>[homes]</smbconfsection>
672 <smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
673 <smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
674 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
675 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
677 <smbconfsection>[spytfull]</smbconfsection>
678 <smbconfoption><name>comment</name><value>Accounting Application Only</value></smbconfoption>
679 <smbconfoption><name>path</name><value>/export/spytfull</value></smbconfoption>
680 <smbconfoption><name>valid users</name><value>@Accounts</value></smbconfoption>
681 <smbconfoption><name>admin users</name><value>maryo</value></smbconfoption>
682 <smbconfoption><name>read only</name><value>Yes</value></smbconfoption>
684 <smbconfsection>[public]</smbconfsection>
685 <smbconfoption><name>comment</name><value>Data</value></smbconfoption>
686 <smbconfoption><name>path</name><value>/export/public</value></smbconfoption>
687 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
689 <smbconfsection>[printers]</smbconfsection>
690 <smbconfoption><name>comment</name><value>All Printers</value></smbconfoption>
691 <smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
692 <smbconfoption><name>printer admin</name><value>root, maryo</value></smbconfoption>
693 <smbconfoption><name>create mask</name><value>0600</value></smbconfoption>
694 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
695 <smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
696 <smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
697 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
703 <indexterm><primary>net</primary><secondary>rpc</secondary></indexterm>
704 Join the domain. Note: Do not start Samba until this step has been completed!
706 &rootprompt;<userinput>net rpc join -Uroot%'bigsecret'</userinput>
707 Joined domain MIDEARTH.
712 Make absolutely certain that you disable (shut down) the <command>nscd</command>
713 daemon on any system on which <command>winbind</command> is configured to run.
717 Start Samba following the normal method for your operating system platform.
718 If you wish to do this manually, execute as root:
719 <indexterm><primary>smbd</primary></indexterm>
720 <indexterm><primary>nmbd</primary></indexterm>
721 <indexterm><primary>winbindd</primary></indexterm>
722 <indexterm><primary>starting samba</primary><secondary>smbd</secondary></indexterm>
723 <indexterm><primary>starting samba</primary><secondary>nmbd</secondary></indexterm>
724 <indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
726 &rootprompt;<userinput>nmbd; smbd; winbindd;</userinput>
731 Configure the name service switch control file on your system to resolve user and group names
732 via winbind. Edit the following lines in <filename>/etc/nsswitch.conf</filename>:
734 passwd: files winbind
736 hosts: files dns winbind
741 Set the password for <command>wbinfo</command> to use:
743 &rootprompt;<userinput>wbinfo --set-auth-user=root%'bigsecret'</userinput>
748 Validate that domain user and group credentials can be correctly resolved by executing:
750 &rootprompt;<userinput>wbinfo -u</userinput>
757 &rootprompt;<userinput>wbinfo -g</userinput>
758 MIDEARTH\Domain Users
759 MIDEARTH\Domain Admins
760 MIDEARTH\Domain Guests
767 Check that <command>winbind</command> is working. The following demonstrates correct
768 username resolution via the <command>getent</command> system utility:
770 &rootprompt;<userinput>getent passwd maryo</userinput>
771 maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
776 A final test that we have this under control might be reassuring:
778 &rootprompt;<userinput>touch /export/a_file</userinput>
779 &rootprompt;<userinput>chown maryo /export/a_file</userinput>
780 &rootprompt;<userinput>ls -al /export/a_file</userinput>
782 -rw-r--r-- 1 maryo users 11234 Jun 21 15:32 a_file
785 &rootprompt;<userinput>rm /export/a_file</userinput>
790 Configuration is now mostly complete, so this is an opportune time
791 to configure the directory structure for this site:
793 &rootprompt;<userinput>mkdir -p /export/{spytfull,public}</userinput>
794 &rootprompt;<userinput>chmod ug=rwxs,o=x /export/{spytfull,public}</userinput>
795 &rootprompt;<userinput>chown maryo.Accounts /export/{spytfull,public}</userinput>
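Two follow-up checks for the member server steps above, as an added example that is not part of the Samba HOWTO: an idempotent edit that puts winbind on the passwd and group lines of nsswitch.conf (the chapter shows the passwd and hosts lines; group resolution, needed for the @Accounts entry in valid users, requires the group line as well), and a test that a getent line's uid falls inside the `idmap uid` range this chapter configures, which is what a working winbind mapping looks like. All function names are chosen here and the sample files are constructed.

```shell
#!/bin/sh
# Follow-up checks for the member server steps. Added example, not from the
# Samba HOWTO; all function names are chosen here.
#  1) enable_winbind_nss adds winbind to the passwd and group lines of an
#     nsswitch.conf, idempotently, and appends either line if it is missing.
#  2) uid_in_idmap_range checks that a getent passwd line carries a uid inside
#     the "idmap uid" range from smb.conf, i.e. winbind allocated the mapping.

# Usage: enable_winbind_nss FILE    (edits FILE in place; safe to run repeatedly)
enable_winbind_nss() {
    awk '
        /^[ \t]*passwd:/ { seen_p = 1 }
        /^[ \t]*group:/  { seen_g = 1 }
        /^[ \t]*(passwd|group):/ && $0 !~ /(^|[ \t])winbind([ \t]|$)/ { $0 = $0 " winbind" }
        { print }
        END {
            if (!seen_p) print "passwd: files winbind"
            if (!seen_g) print "group:  files winbind"
        }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print "LOW HIGH" from "idmap uid = LOW-HIGH" in smb.conf; exit 1 if absent.
idmap_uid_range() {
    awk -F= 'tolower($1) ~ /^[ \t]*idmap uid[ \t]*$/ {
                 v = $2; gsub(/[ \t]/, "", v); split(v, r, "-"); print r[1], r[2]; found = 1 }
             END { if (found) exit 0; exit 1 }' "$1"
}

# Usage: uid_in_idmap_range SMBCONF "getent passwd line"
# Exit 0 when the uid (third field) lies inside the configured idmap uid range.
uid_in_idmap_range() {
    uid=$(printf '%s' "$2" | cut -d: -f3)
    range=$(idmap_uid_range "$1") || return 1
    low=${range% *}; high=${range#* }
    [ "$uid" -ge "$low" ] && [ "$uid" -le "$high" ]
}

# Constructed samples for offline use: a pre-winbind nsswitch.conf, the member
# server's idmap settings, and the getent line shown in the chapter.
write_sample_nsswitch() {
    printf '%s\n' 'passwd: files' 'group:  files' 'hosts:  files dns' > "$1"
}
write_sample_smbconf() {
    printf '%s\n' '[global]' '    security = DOMAIN' \
        '    idmap uid = 15000-20000' '    idmap gid = 15000-20000' > "$1"
}
SAMPLE_GETENT='maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false'
```

On a live server, run `enable_winbind_nss /etc/nsswitch.conf` and then `uid_in_idmap_range /etc/samba/smb.conf "$(getent passwd maryo)"`; a non-zero exit means the domain user is not being resolved through winbind's id range.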
805 <title>Domain Controller</title>
809 <indexterm><primary>Server Type</primary><secondary>Domain Controller</secondary></indexterm>
810 For the remainder of this chapter the focus is on the configuration of Domain Control.
811 The examples that follow are for two implementation strategies. Remember, our objective is
812 to create a simple but working solution. The remainder of this book should help to highlight
813 opportunity for greater functionality and the complexity that goes with it.
817 A Domain Controller configuration can be achieved with a simple configuration using the new
818 tdbsam password backend. This type of configuration is good for small
819 offices, but has limited scalability (cannot be replicated) and performance can be expected
820 to fall as the size and complexity of the domain increases.
824 The use of tdbsam is best limited to sites that do not need
825 more than a primary Domain Controller (PDC). As the size of a domain grows the need
826 for additional Domain Controllers becomes apparent. Do not attempt to under-resource
827 a Microsoft Windows network environment; Domain Controllers provide essential
828 authentication services. The following are symptoms of an under-resourced Domain Control
834 Domain logons intermittently fail.
838 File access on a Domain Member server intermittently fails, giving a permission denied
844 A more scalable Domain Control authentication backend option might use
845 Microsoft Active Directory, or an LDAP-based backend. Samba-3 provides
846 for both options as a Domain Member server. As a PDC Samba-3 is not able to provide
847 an exact alternative to the functionality that is available with Active Directory.
848 Samba-3 can provide a scalable LDAP-based PDC/BDC solution.
852 The tdbsam authentication backend provides no facility to replicate
853 the contents of the database, except by external means. (i.e., there is no self-contained protocol
854 in Samba-3 for Security Account Manager database [SAM] replication.)
858 If you need more than one Domain Controller, do not use a tdbsam authentication backend.
862 <title>Example: Engineering Office</title>
865 The engineering office network server we present here is designed to demonstrate use
866 of the new tdbsam password backend. The tdbsam
867 facility is new to Samba-3. It is designed to provide many user and machine account controls
868 that are possible with Microsoft Windows NT4. It is safe to use this in smaller networks.
873 A working PDC configuration using the tdbsam
874 password backend can be found in <link linkend="fast-engoffice-global"></link> together with
875 <link linkend="fast-engoffice-shares"></link>:
879 <indexterm><primary>pdbedit</primary></indexterm>
880 <smbconfexample id="fast-engoffice-global">
881 <title>Engineering Office smb.conf (globals)</title>
882 <smbconfsection>[global]</smbconfsection>
883 <smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
884 <smbconfoption><name>netbios name</name><value>FRODO</value></smbconfoption>
885 <smbconfoption><name>passdb backend</name><value>tdbsam</value></smbconfoption>
886 <smbconfoption><name>printcap name</name><value>cups</value></smbconfoption>
887 <smbconfoption><name>add user script</name><value>/usr/sbin/useradd -m %u</value></smbconfoption>
888 <smbconfoption><name>delete user script</name><value>/usr/sbin/userdel -r %u</value></smbconfoption>
889 <smbconfoption><name>add group script</name><value>/usr/sbin/groupadd %g</value></smbconfoption>
890 <smbconfoption><name>delete group script</name><value>/usr/sbin/groupdel %g</value></smbconfoption>
<smbconfcomment>The -a flag is required: without it usermod replaces the user's whole supplementary group list with %g.</smbconfcomment>
891 <smbconfoption><name>add user to group script</name><value>/usr/sbin/usermod -a -G %g %u</value></smbconfoption>
892 <smbconfoption><name>add machine script</name><value>/usr/sbin/useradd -s /bin/false \</value></smbconfoption>
893 <member><parameter> -d /dev/null %u</parameter></member>
894 <smbconfcomment>Note: The following specifies the default logon script.</smbconfcomment>
895 <smbconfcomment>Per user logon scripts can be specified in the user account using pdbedit </smbconfcomment>
896 <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
897 <smbconfcomment>This sets the default profile path. Set per user paths with pdbedit</smbconfcomment>
898 <smbconfoption><name>logon path</name><value>\\%L\Profiles\%U</value></smbconfoption>
899 <smbconfoption><name>logon drive</name><value>H:</value></smbconfoption>
900 <smbconfoption><name>logon home</name><value>\\%L\%U</value></smbconfoption>
901 <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
902 <smbconfoption><name>os level</name><value>35</value></smbconfoption>
903 <smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
904 <smbconfoption><name>domain master</name><value>Yes</value></smbconfoption>
905 <smbconfoption><name>idmap uid</name><value>15000-20000</value></smbconfoption>
906 <smbconfoption><name>idmap gid</name><value>15000-20000</value></smbconfoption>
907 <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
910 <smbconfexample id="fast-engoffice-shares">
911 <title>Engineering Office smb.conf (shares and services)</title>
912 <smbconfsection>[homes]</smbconfsection>
913 <smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
914 <smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
915 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
916 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
918 <smbconfcomment>Printing auto-share (makes printers available thru CUPS)</smbconfcomment>
919 <smbconfsection>[printers]</smbconfsection>
920 <smbconfoption><name>comment</name><value>All Printers</value></smbconfoption>
921 <smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
922 <smbconfoption><name>printer admin</name><value>root, maryo</value></smbconfoption>
923 <smbconfoption><name>create mask</name><value>0600</value></smbconfoption>
924 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
925 <smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
926 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
928 <smbconfsection>[print$]</smbconfsection>
929 <smbconfoption><name>comment</name><value>Printer Drivers Share</value></smbconfoption>
930 <smbconfoption><name>path</name><value>/var/lib/samba/drivers</value></smbconfoption>
931 <smbconfoption><name>write list</name><value>maryo, root</value></smbconfoption>
932 <smbconfoption><name>printer admin</name><value>maryo, root</value></smbconfoption>
934 <smbconfcomment>Needed to support domain logons</smbconfcomment>
935 <smbconfsection>[netlogon]</smbconfsection>
936 <smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption>
937 <smbconfoption><name>path</name><value>/var/lib/samba/netlogon</value></smbconfoption>
938 <smbconfoption><name>admin users</name><value>root, maryo</value></smbconfoption>
939 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
940 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
942 <smbconfcomment>For profiles to work, create a user directory under the path</smbconfcomment>
943 <smbconfcomment> shown. i.e., mkdir -p /var/lib/samba/profiles/maryo</smbconfcomment>
944 <smbconfsection>[Profiles]</smbconfsection>
945 <smbconfoption><name>comment</name><value>Roaming Profile Share</value></smbconfoption>
946 <smbconfoption><name>path</name><value>/var/lib/samba/profiles</value></smbconfoption>
947 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
948 <smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
950 <smbconfcomment>Other resource (share/printer) definitions would follow below.</smbconfcomment>
956 Create UNIX group accounts as needed using a suitable operating system tool:
958 &rootprompt;<userinput>groupadd ntadmins</userinput>
959 &rootprompt;<userinput>groupadd designers</userinput>
960 &rootprompt;<userinput>groupadd engineers</userinput>
961 &rootprompt;<userinput>groupadd qateam</userinput>
966 Create user accounts on the system using the appropriate tool
967 provided with the operating system. Make sure all user home directories
968 are created also. Add users to groups as required for access control
969 on files, directories, printers, and as required for use in the Samba
975 <indexterm><primary>net</primary><secondary>groupmap</secondary></indexterm>
976 <indexterm><primary>initGroups.sh</primary></indexterm>
977 Assign each of the UNIX groups to NT groups:
978 (It may be useful to copy this text to a shell script called
979 <filename>initGroups.sh</filename>.)
980 <smbfile name="initGroups.sh">
981 <title>Shell script for initializing group mappings</title>
984 #### Keep this as a shell script for future re-use
986 # First assign well known groups
987 net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins rid=512
988 net groupmap modify ntgroup="Domain Users" unixgroup=users rid=513
989 net groupmap modify ntgroup="Domain Guests" unixgroup=nobody rid=514
991 # Now for our added Domain Groups
992 net groupmap add ntgroup="Designers" unixgroup=designers type=d rid=1112
993 net groupmap add ntgroup="Engineers" unixgroup=engineers type=d rid=1113
994 net groupmap add ntgroup="QA Team" unixgroup=qateam type=d rid=1114
1000 Create the <filename>scripts</filename> directory for use in the
1001 <smbconfsection>[NETLOGON]</smbconfsection> share:
1003 &rootprompt;<userinput>mkdir -p /var/lib/samba/netlogon/scripts</userinput>
1005 Place the logon scripts that will be used (batch or cmd scripts)
1011 The above configuration provides a functional Primary Domain Controller (PDC)
1012 to which file shares and printers must be added as required.
1018 <title>A Big Organization</title>
1021 In this section we review, in brief, a Samba-3 configuration that
1022 uses a Lightweight Directory Access Protocol (LDAP)-based authentication backend. The
1023 main reasons for this choice are the ability to host both a Primary Domain
1024 Controller (PDC) and Backup Domain Controllers (BDCs) from one account database, and
1025 the higher degree of scalability needed in a very distributed environment.
1029 <title>The Primary Domain Controller</title>
1032 This is an example of a minimal configuration to run a Samba-3 PDC
1033 using an LDAP authentication backend. It is assumed that the operating system
1034 has been correctly configured.
1038 The Idealx scripts (or equivalent) are needed to manage LDAP-based POSIX and/or
1039 sambaSamAccount entries. The Idealx scripts may be downloaded from the <ulink url="http://www.idealx.org">
1040 Idealx</ulink> Web site. They may also be obtained from the Samba tarball. Linux
1041 distributions tend to install the Idealx scripts in the
1042 <filename>/usr/share/doc/packages/sambaXXXXXX/examples/LDAP/smbldap-tools</filename> directory.
1043 Idealx scripts version <constant>smbldap-tools-0.8.2</constant> are known to work well.
1048 Obtain from the Samba sources <filename>~/examples/LDAP/samba.schema</filename>
1049 and copy it to the <filename>/etc/openldap/schema/</filename> directory.
1053 Set up the LDAP server. This example is suitable for OpenLDAP 2.1.x.
1054 The <filename>/etc/openldap/slapd.conf</filename> file:
1055 <indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
1056 <smbfile name="slapd.conf"><title>Example slapd.conf file</title>
1058 # Note commented out lines have been removed
1059 include /etc/openldap/schema/core.schema
1060 include /etc/openldap/schema/cosine.schema
1061 include /etc/openldap/schema/inetorgperson.schema
1062 include /etc/openldap/schema/nis.schema
1063 include /etc/openldap/schema/samba.schema
1065 pidfile /var/run/slapd/slapd.pid
1066 argsfile /var/run/slapd/slapd.args
1069 suffix "dc=quenya,dc=org"
1070 rootdn "cn=Manager,dc=quenya,dc=org"
1071 rootpw {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P
1072 # The password for the above is 'nastyon3'
1074 directory /var/lib/ldap
1076 index objectClass eq
1077 index cn pres,sub,eq
1078 index sn pres,sub,eq
1079 index uid pres,sub,eq
1080 index displayName pres,sub,eq
1085 index sambaPrimaryGroupSID eq
1086 index sambaDomainName eq
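# --- Added for this page, not part of the original example: access control.
# With no "access" directives OpenLDAP's default policy lets anyone read every
# attribute, so an anonymous bind could fetch sambaLMPassword/sambaNTPassword;
# those hashes are directly usable for NTLM (pass-the-hash). The rootdn keeps
# full access regardless of these rules. An ordinary entry such as
# cn=admin,ou=People would need its own "by dn=... write" clause before it
# could serve as the ldap admin dn.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read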
1093 Create the following file <filename>samba-ldap-init.ldif</filename>:
1094 <indexterm><primary>samba-ldap-init.ldif</primary></indexterm>
1095 <smbfile name="samba-ldap-init.ldif">
1097 # Organization for SambaXP Demo
1098 dn: dc=quenya,dc=org
1099 objectclass: dcObject
1100 objectclass: organization
1103 description: The SambaXP Demo LDAP Tree
1105 # Organizational Role for Directory Management
1106 dn: cn=Manager,dc=quenya,dc=org
1107 objectclass: organizationalRole
1109 description: Directory Manager
1111 # Setting up the container for users
1112 dn: ou=People, dc=quenya, dc=org
1114 objectclass: organizationalUnit
1117 # Set up an admin handle for People OU
1118 dn: cn=admin, ou=People, dc=quenya, dc=org
1121 objectclass: organizationalRole
1122 objectclass: simpleSecurityObject
1123 userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
1124 # The password for above is 'mordonL8'
1130 Load the initial data above into the LDAP database:
1132 &rootprompt;<userinput>slapadd -v -l samba-ldap-init.ldif</userinput>
1137 Start the LDAP server using the appropriate tool or method for
1138 the operating system platform on which it is installed.
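<para>The <literal>rootpw</literal> in <filename>slapd.conf</filename> and the <literal>userPassword</literal> in <filename>samba-ldap-init.ldif</filename> above are both {SSHA} values, and the cleartext appears only in comments because the example needs it later. What follows is an added example, not code from the Samba HOWTO or the OpenLDAP project: a bash script that builds such a hash with <command>openssl</command> and checks a password against one, so a rootpw line can be produced without writing the cleartext down. The salt layout (digest followed by four random bytes) is what <command>slappasswd</command> uses; the helper names and the <option>--rootpw</option> switch are this example's own.</para>

```bash
#!/usr/bin/env bash
# Added example, not code from the Samba HOWTO: create and verify the {SSHA}
# password hashes used for rootpw in slapd.conf and userPassword in LDIF.
# Format (as produced by slappasswd): {SSHA} base64( SHA1(password || salt) || salt )
# with a 4-byte random salt. Requires bash, openssl and od.
set -u

hex_to_bin() {   # write the raw bytes described by a hex string to stdout
    local hex="$1" i
    for ((i = 0; i < ${#hex}; i += 2)); do
        printf "\\x${hex:i:2}"
    done
}

# ssha_hash <password> [salt_hex]  -> prints "{SSHA}..." (salt defaults to 4 random bytes)
ssha_hash() {
    local pw="$1" salt_hex="${2-$(openssl rand -hex 4)}" digest_hex
    digest_hex=$( { printf '%s' "$pw"; hex_to_bin "$salt_hex"; } \
                  | openssl dgst -sha1 | sed 's/^.*= *//')
    printf '{SSHA}%s\n' "$(hex_to_bin "${digest_hex}${salt_hex}" | openssl base64 -A)"
}

# ssha_verify <password> <{SSHA}hash>  -> exit 0 on match, 1 on mismatch, 2 on bad input
ssha_verify() {
    local pw="$1" hash="$2" raw_hex salt_hex
    case "$hash" in "{SSHA}"*) ;; *) echo "not an {SSHA} value" >&2; return 2 ;; esac
    raw_hex=$(printf '%s' "${hash#\{SSHA\}}" | openssl base64 -d -A \
              | od -An -v -tx1 | tr -d ' \n')
    [ ${#raw_hex} -ge 40 ] || return 2          # need at least the 20-byte digest
    salt_hex=${raw_hex:40}                       # whatever follows the digest is the salt
    [ "$(ssha_hash "$pw" "$salt_hex")" = "$hash" ]
}

# Usage: printf '%s' "$secret" | ./ssha.sh --rootpw   -> a rootpw line for slapd.conf.
# The password is read from stdin so it never appears in argv or in a comment.
if [ "${1-}" = --rootpw ]; then
    IFS= read -r pw
    printf 'rootpw %s\n' "$(ssha_hash "$pw")"
fi
```

<para>Because the salt is random, two hashes of the same password differ; <literal>ssha_verify</literal> therefore recovers the salt from the stored value and recomputes the digest rather than comparing hashes directly.</para>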
1142 Install the Idealx script files in the <filename>/usr/local/sbin</filename> directory,
1143 then configure the smbldap_conf.pm file to match your system configuration.
1147 The &smb.conf; file that drives this backend can be found in example <link linkend="fast-ldap"/>.
1151 <smbconfexample id="fast-ldap">
1152 <title>LDAP backend smb.conf for PDC</title>
1153 <smbconfcomment>Global parameters</smbconfcomment>
1154 <smbconfsection>[global]</smbconfsection>
1155 <smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
1156 <smbconfoption><name>netbios name</name><value>FRODO</value></smbconfoption>
1157 <smbconfoption><name>passdb backend</name><value>ldapsam:ldap://localhost</value></smbconfoption>
1158 <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
1159 <smbconfoption><name>printcap name</name><value>cups</value></smbconfoption>
1160 <smbconfoption><name>add user script</name><value>/usr/local/sbin/smbldap-useradd.pl -m '%u'</value></smbconfoption>
1161 <smbconfoption><name>delete user script</name><value>/usr/local/sbin/smbldap-userdel.pl %u</value></smbconfoption>
1162 <smbconfoption><name>add group script</name><value>/usr/local/sbin/smbldap-groupadd.pl -p '%g'</value></smbconfoption>
1163 <smbconfoption><name>delete group script</name><value>/usr/local/sbin/smbldap-groupdel.pl '%g'</value></smbconfoption>
1164 <smbconfoption><name>add user to group script</name><value>/usr/local/sbin/ \</value></smbconfoption>
1165 <member><parameter>smbldap-groupmod.pl -m '%g' '%u'</parameter></member>
1166 <smbconfoption><name>delete user from group script</name><value>/usr/local/sbin/ \</value></smbconfoption>
1167 <member><parameter>smbldap-groupmod.pl -x '%g' '%u'</parameter></member>
1168 <smbconfoption><name>set primary group script</name><value>/usr/local/sbin/ \</value></smbconfoption>
1169 <member><parameter>smbldap-usermod.pl -g '%g' '%u'</parameter></member>
1170 <smbconfoption><name>add machine script</name><value>/usr/local/sbin/smbldap-useradd.pl -w '%u'</value></smbconfoption>
1171 <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
1172 <smbconfoption><name>logon path</name><value>\\%L\Profiles\%U</value></smbconfoption>
1173 <smbconfoption><name>logon drive</name><value>H:</value></smbconfoption>
1174 <smbconfoption><name>logon home</name><value>\\%L\%U</value></smbconfoption>
1175 <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
1176 <smbconfoption><name>os level</name><value>35</value></smbconfoption>
1177 <smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
1178 <smbconfoption><name>domain master</name><value>Yes</value></smbconfoption>
1179 <smbconfoption><name>ldap suffix</name><value>dc=quenya,dc=org</value></smbconfoption>
1180 <smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
1181 <smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
1182 <smbconfoption><name>ldap group suffix</name><value>ou=People</value></smbconfoption>
1183 <smbconfoption><name>ldap idmap suffix</name><value>ou=People</value></smbconfoption>
1184 <smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=quenya,dc=org</value></smbconfoption>
1185 <smbconfoption><name>ldap ssl</name><value>no</value></smbconfoption>
1186 <smbconfoption><name>ldap passwd sync</name><value>Yes</value></smbconfoption>
1187 <smbconfoption><name>idmap uid</name><value>15000-20000</value></smbconfoption>
1188 <smbconfoption><name>idmap gid</name><value>15000-20000</value></smbconfoption>
1189 <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
1190 <member>...</member>
1195 Add the password of the <parameter>ldap admin dn</parameter> (the rootdn password from <filename>slapd.conf</filename>) to the <filename>secrets.tdb</filename> file so Samba can update
1198 &rootprompt;<userinput>smbpasswd -w nastyon3</userinput>
1203 Add users and groups as required. Users and groups added using Samba tools
1204 will automatically be added both to the LDAP backend and to the operating
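<para>Added example, not code from the Samba HOWTO: the LDIF shape of a group that an ldapsam PDC can map (a <literal>posixGroup</literal> carrying <literal>sambaGroupMapping</literal> from samba.schema), together with a check that a mapping table does not reuse a RID. The domain SID is a constructed value (on a real PDC take it from <command>net getlocalsid</command>); the DN layout <literal>cn=&lt;unixgroup&gt;</literal> under the group suffix, the helper names and the <option>--ldif</option> switch are assumptions of this example, and the mapping table mirrors the groups of <filename>initGroups.sh</filename> above.</para>

```bash
#!/usr/bin/env bash
# Added example, not code from the Samba HOWTO: LDIF for group entries an
# ldapsam PDC can map (posixGroup + sambaGroupMapping from samba.schema), plus a
# RID-collision check over a mapping table. DOMAIN_SID is a constructed value;
# on a real PDC take it from "net getlocalsid". The DN layout
# cn=<unixgroup>,<group suffix> is this example's assumption.
set -u
DOMAIN_SID='S-1-5-21-1234567890-987654321-1122334455'   # constructed
GROUP_BASE='ou=People,dc=quenya,dc=org'                  # "ldap group suffix" above

# sambaGroupType values in samba.schema: 2 = domain group, 4 = local, 5 = builtin
group_ldif() {   # group_ldif <ntgroup> <unixgroup> <gid> <rid> [type]
    local nt="$1" unix="$2" gid="$3" rid="$4" type="${5:-2}"
    case "$gid:$rid" in *[!0-9:]*|:*|*:) echo "gid and rid must be numeric" >&2; return 1 ;; esac
    printf 'dn: cn=%s,%s\n' "$unix" "$GROUP_BASE"
    printf 'objectClass: posixGroup\nobjectClass: sambaGroupMapping\n'
    printf 'cn: %s\ngidNumber: %s\n' "$unix" "$gid"
    printf 'sambaSID: %s-%s\nsambaGroupType: %s\ndisplayName: %s\n\n' \
        "$DOMAIN_SID" "$rid" "$type" "$nt"
}

# check_rids reads "ntgroup:unixgroup:gid:rid" lines on stdin. Two groups with
# the same RID would share one SID, so Samba could resolve the wrong UNIX
# group for an NT group; report duplicates and malformed lines, exit 1 if any.
check_rids() {
    awk -F: 'BEGIN { bad = 0 }
             NF != 4    { print "malformed: " $0; bad = 1; next }
             seen[$4]++ { print "duplicate rid " $4 " (" $1 ")"; bad = 1 }
             END { exit bad }'
}

# Constructed mapping table mirroring the groups created by initGroups.sh
# (well-known RID 512 for Domain Admins, then site groups from 1100 upwards).
MAPPINGS='Domain Admins:ntadmins:1000:512
Designers:designers:1001:1112
Engineers:engineers:1002:1113
QA Team:qateam:1003:1114'

# all_groups_ldif validates the table and emits LDIF for every row, ready for
# "ldapadd -x -D cn=Manager,dc=quenya,dc=org -W -f groups.ldif".
all_groups_ldif() {
    printf '%s\n' "$MAPPINGS" | check_rids >/dev/null || return 1
    printf '%s\n' "$MAPPINGS" | while IFS=: read -r nt unix gid rid; do
        group_ldif "$nt" "$unix" "$gid" "$rid"
    done
}

# Usage: ./groups.sh --ldif > groups.ldif
if [ "${1-}" = --ldif ]; then
    all_groups_ldif
fi
```

<para>The same attributes are what <command>net groupmap list</command> reads back from the directory, so an <command>ldapsearch</command> for <literal>objectClass=sambaGroupMapping</literal> is a quick way to audit which UNIX groups a PDC will present as NT groups.</para>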
1213 <title>Backup Domain Controller</title>
1216 <link linkend="fast-bdc"/> shows the example configuration for the BDC.
1221 Decide whether the BDC should have its own LDAP server. If the BDC is to be
1222 the LDAP server, point the <parameter>passdb backend</parameter> URL in the following &smb.conf; at it. The default
1223 configuration in <link linkend="fast-bdc"/> uses the central LDAP server on the PDC. Note that with <parameter>ldap ssl = no</parameter> the BDC's bind password and every sambaNTPassword hash it reads cross the network in the clear; for a remote LDAP server set <parameter>ldap ssl = start tls</parameter> (after configuring TLS in slapd) or confine the LDAP traffic to a trusted network.
1224 <smbconfexample id="fast-bdc">
1225 <title>Remote LDAP BDC smb.conf</title>
1226 <smbconfcomment>Global parameters</smbconfcomment>
1227 <smbconfsection>[global]</smbconfsection>
1228 <smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
1229 <smbconfoption><name>netbios name</name><value>GANDALF</value></smbconfoption>
1230 <smbconfoption><name>passdb backend</name><value>ldapsam:ldap://frodo.quenya.org</value></smbconfoption>
1231 <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
1232 <smbconfoption><name>printcap name</name><value>cups</value></smbconfoption>
1233 <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
1234 <smbconfoption><name>logon path</name><value>\\%L\Profiles\%U</value></smbconfoption>
1235 <smbconfoption><name>logon drive</name><value>H:</value></smbconfoption>
1236 <smbconfoption><name>logon home</name><value>\\%L\%U</value></smbconfoption>
1237 <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
1238 <smbconfoption><name>os level</name><value>33</value></smbconfoption>
1239 <smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
1240 <smbconfoption><name>domain master</name><value>No</value></smbconfoption>
1241 <smbconfoption><name>ldap suffix</name><value>dc=quenya,dc=org</value></smbconfoption>
1242 <smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
1243 <smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
1244 <smbconfoption><name>ldap group suffix</name><value>ou=People</value></smbconfoption>
1245 <smbconfoption><name>ldap idmap suffix</name><value>ou=People</value></smbconfoption>
1246 <smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=quenya,dc=org</value></smbconfoption>
1247 <smbconfoption><name>ldap ssl</name><value>no</value></smbconfoption>
1248 <smbconfoption><name>ldap passwd sync</name><value>Yes</value></smbconfoption>
1249 <smbconfoption><name>idmap uid</name><value>15000-20000</value></smbconfoption>
1250 <smbconfoption><name>idmap gid</name><value>15000-20000</value></smbconfoption>
1251 <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
1252 <member>...</member>
1257 Configure the NETLOGON and PROFILES directories as for the PDC in <link linkend="fast-engoffice-shares"/>.