Samba HowTo Guide

Note

If you need more than one domain controller, do not use a tdbsam authentication backend.

Example: Engineering Office

The engineering office network server we present here is designed to demonstrate use of the new tdbsam password backend. The tdbsam facility is new to Samba-3. It is designed to provide many user and machine account controls that are possible with Microsoft Windows NT4. It is safe to use this in smaller networks.

Example 2.7. Engineering Office smb.conf (globals)

[global]
workgroup = MIDEARTH
netbios name = FRODO
passdb backend = tdbsam
printcap name = cups
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
# Note: The following specifies the default logon script.
# Per user logon scripts can be specified in the user account using pdbedit
logon script = scripts\logon.bat
# This sets the default profile path. Set per user paths with pdbedit
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups

Example 2.8. Engineering Office smb.conf (shares and services)

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
# Printing auto-share (makes printers available thru CUPS)
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = root, maryo
create mask = 0600
guest ok = Yes
printable = Yes
browseable = No
[print$]
comment = Printer Drivers Share
path = /var/lib/samba/drivers
write list = maryo, root
printer admin = maryo, root
# Needed to support domain logons
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root, maryo
guest ok = Yes
browseable = No
# For profiles to work, create a user directory under the path
# shown. i.e., mkdir -p /var/lib/samba/profiles/maryo
[Profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
# Other resource (share/printer) definitions would follow below.
  1. A working PDC configuration using the tdbsam password backend is given in Engineering Office smb.conf (globals) together with Engineering Office smb.conf (shares and services).

  2. Create UNIX group accounts as needed using a suitable operating system tool:

    root# groupadd ntadmins
    root# groupadd designers
    root# groupadd engineers
    root# groupadd qateam

  3. Create user accounts on the system using the appropriate tool provided with the operating system. Make sure all user home directories are created also. Add users to groups as required for access control on files, directories, printers, and as required for use in the Samba environment.

  4. Assign each of the UNIX groups to NT groups by executing this shell script (You could name the script initGroups.sh):

    #!/bin/bash
    #### Keep this as a shell script for future re-use

    # First assign well known groups
    net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins
    net groupmap modify ntgroup="Domain Users"  unixgroup=users
    net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

    # Now for our added Domain Groups
    net groupmap add ntgroup="Designers" unixgroup=designers type=d
    net groupmap add ntgroup="Engineers" unixgroup=engineers type=d
    net groupmap add ntgroup="QA Team"   unixgroup=qateam    type=d

  5. Create the scripts directory for use in the [NETLOGON] share:

    root# mkdir -p /var/lib/samba/netlogon/scripts

    Place the logon scripts that will be used (batch or cmd scripts) in this directory.

The above configuration provides a functional PDC system to which must be added file shares and printers as required.

A Big Organization

In this section we finally get to review in brief a Samba-3 configuration that uses a Lightweight Directory Access Protocol (LDAP)-based authentication backend. The main reasons for this choice are to provide the ability to host both a Primary Domain Controller (PDC) and Backup Domain Controllers (BDCs), and to enable a higher degree of scalability to meet the needs of a very distributed environment.

The Primary Domain Controller

This is an example of a minimal configuration to run a Samba-3 PDC using an LDAP authentication backend. It is assumed that the operating system has been correctly configured.

The Idealx scripts (or equivalent) are needed to manage LDAP-based POSIX and/or SambaSamAccounts. The Idealx scripts may be downloaded from the Idealx Web site. They may also be obtained from the Samba tarball. Linux distributions tend to install the Idealx scripts in the /usr/share/doc/packages/sambaXXXXXX/examples/LDAP/smbldap-tools directory. Idealx scripts version smbldap-tools-0.9.1 are known to work well.

Example 2.9. LDAP backend smb.conf for PDC

# Global parameters
[global]
workgroup = MIDEARTH
netbios name = FRODO
passdb backend = ldapsam:ldap://localhost
username map = /etc/samba/smbusers
printcap name = cups
add user script = /usr/local/sbin/smbldap-useradd -m '%u'
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
logon script = scripts\logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
ldap suffix = dc=quenya,dc=org
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=People
ldap idmap suffix = ou=People
ldap admin dn = cn=Manager
ldap ssl = no
ldap passwd sync = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups
  1. Obtain from the Samba sources ~/examples/LDAP/samba.schema and copy it to the /etc/openldap/schema/ directory.

  2. Set up the LDAP server. This example is suitable for OpenLDAP 2.1.x. The following is the /etc/openldap/slapd.conf file (Example slapd.conf File):

    # Note commented out lines have been removed
    include         /etc/openldap/schema/core.schema
    include         /etc/openldap/schema/cosine.schema
    include         /etc/openldap/schema/inetorgperson.schema
    include         /etc/openldap/schema/nis.schema
    include         /etc/openldap/schema/samba.schema
    
    pidfile         /var/run/slapd/slapd.pid
    argsfile        /var/run/slapd/slapd.args
    
    database        bdb
    suffix          "dc=quenya,dc=org"
    rootdn          "cn=Manager,dc=quenya,dc=org"
    rootpw          {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P
    # The password for the above is 'nastyon3'
    
    directory     /var/lib/ldap
    
    index   objectClass           eq
    index   cn                    pres,sub,eq
    index   sn                    pres,sub,eq
    index   uid                   pres,sub,eq
    index   displayName           pres,sub,eq
    index   uidNumber             eq
    index   gidNumber             eq
    index   memberUid             eq
    index   sambaSID              eq
    index   sambaPrimaryGroupSID  eq
    index   sambaDomainName       eq
    index   default               sub
    

  3. Create the following file initdb.ldif:

    # Organization for SambaXP Demo
    dn: dc=quenya,dc=org
    objectclass: dcObject
    objectclass: organization
    dc: quenya
    o: SambaXP Demo
    description: The SambaXP Demo LDAP Tree
    
    # Organizational Role for Directory Management
    dn: cn=Manager,dc=quenya,dc=org
    objectclass: organizationalRole
    cn: Manager
    description: Directory Manager
    
    # Setting up the container for users
    dn: ou=People, dc=quenya, dc=org
    objectclass: top
    objectclass: organizationalUnit
    ou: People
    
    # Set up an admin handle for People OU
    dn: cn=admin, ou=People, dc=quenya, dc=org
    cn: admin
    objectclass: top
    objectclass: organizationalRole
    objectclass: simpleSecurityObject
    userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
    # The password for above is 'mordonL8'
    

  4. Load the initial data above into the LDAP database:

    root# slapadd -v -l initdb.ldif

  5. Start the LDAP server using the appropriate tool or method for the operating system platform on which it is installed.

  6. Install the Idealx script files in the /usr/local/sbin directory, then configure the smbldap_conf.pm file to match your system configuration.

  7. The smb.conf file that drives this backend can be found in Example 2.9, LDAP backend smb.conf for PDC. Add additional stanzas as required.

  8. Add the LDAP password to the secrets.tdb file so Samba can update the LDAP database:

    root# smbpasswd -w mordonL8

  9. Add users and groups as required. Users and groups added using Samba tools will automatically be added to both the LDAP backend and the operating system as required.
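Both the slapd.conf rootpw in step 2 and the admin userPassword in the initdb.ldif of step 3 are stored as OpenLDAP {SSHA} values, and the chapter prints the cleartext of each next to the hash. The following is an added example (not part of the Samba HOWTO and not an OpenLDAP tool) that mints a fresh {SSHA} value for your own deployment and verifies a password against a stored one. It assumes the scheme {SSHA} = base64(SHA-1(password || salt) || salt) with a 4-byte salt, which is what the chapter's two values decode to (24 bytes: a 20-byte digest followed by 4 salt bytes).

```python
"""Mint and verify OpenLDAP {SSHA} password values. Added example, not from
the Samba HOWTO or OpenLDAP. The 'rootpw' in slapd.conf and the
'userPassword' in initdb.ldif use this scheme:
    {SSHA} + base64( SHA-1(password || salt) || salt )
The chapter's two values decode to 24 bytes, i.e. a 20-byte SHA-1 digest
followed by a 4-byte salt, which is the salt length assumed here."""
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 output size in bytes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a fresh {SSHA} value; a random 4-byte salt unless one is given."""
    if salt is None:
        salt = os.urandom(4)  # assumed to match the chapter's 4-byte salts
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Check a password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def slapd_rootpw_line(password: str) -> str:
    """Render a slapd.conf 'rootpw' line so the cleartext never enters the file."""
    return f"rootpw          {make_ssha(password)}"


if __name__ == "__main__":
    # The chapter's published values, checked against the passwords its own
    # comments disclose; prints True or False for each.
    for stored, pw in (("{SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P", "nastyon3"),
                       ("{SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb", "mordonL8")):
        print(stored, verify_ssha(stored, pw))
    # Mint a replacement rootpw instead of reusing the published one.
    print(slapd_rootpw_line("replace-with-your-own-secret"))
```

Paste the generated line in place of the chapter's rootpw (and drop the comment that discloses the password). Note that {SSHA} is a single SHA-1 round over a 4-byte salt: it keeps the cleartext out of slapd.conf and the LDIF, but offers little resistance to offline guessing, so restrictive file permissions on slapd.conf and a strong password remain the real controls.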

Backup Domain Controller

Remote LDAP BDC smb.conf shows the example configuration for the BDC. Note that the smb.conf file does not specify the smbldap-tools scripts, because they are not needed on a BDC. Add additional stanzas for shares and printers as required.

Example 2.10. Remote LDAP BDC smb.conf

# Global parameters
[global]
workgroup = MIDEARTH
netbios name = GANDALF
passdb backend = ldapsam:ldap://frodo.quenya.org
username map = /etc/samba/smbusers
printcap name = cups
logon script = scripts\logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 33
preferred master = Yes
domain master = No
ldap suffix = dc=quenya,dc=org
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=People
ldap idmap suffix = ou=People
ldap admin dn = cn=Manager
ldap ssl = no
ldap passwd sync = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups
  1. Decide if the BDC should have its own LDAP server or not. If the BDC is to be the LDAP server, change the following smb.conf as indicated. The default configuration in Remote LDAP BDC smb.conf uses a central LDAP server.

  2. Configure the NETLOGON and PROFILES directories as shown for the PDC in Engineering Office smb.conf (shares and services).
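The chapter's note at the top (tdbsam must not be used with more than one domain controller), the remote-LDAP BDC above (ldap ssl = no against ldap://frodo.quenya.org, so the ldap admin dn bind set with smbpasswd -w crosses the network unencrypted), and the [netlogon] share whose logon scripts every client executes are all things worth checking before a smb.conf goes live. The following is an added example (not part of the Samba HOWTO and not a Samba tool) that parses smb.conf text and reports those three conditions. It assumes the plain smb.conf syntax seen in this chapter ([section] headers, "parameter = value" lines, '#' and ';' comments; no include/copy or % macro handling), that an ldapsam backend given without a URL talks to ldap://localhost, and that Samba's share default of read only = yes applies when the parameter is absent. SAMPLE_BDC is a constructed input, not a configuration from the page.

```python
"""Static checks over smb.conf text for the PDC and BDC examples in this
chapter. Added example, not part of the Samba HOWTO and not a Samba tool.
Assumptions: smb.conf syntax is [section] headers, 'parameter = value'
lines and '#'/';' comments (no include/copy or %-macro handling), and an
ldapsam backend with no URL talks to ldap://localhost."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

Config = Dict[str, Dict[str, str]]

# Constructed sample: the chapter's remote-LDAP BDC globals cut down to the
# parameters the checks read, plus a [netlogon] share that was made writable.
SAMPLE_BDC = """\
[global]
    workgroup = MIDEARTH
    netbios name = GANDALF
    passdb backend = ldapsam:ldap://frodo.quenya.org
    domain logons = Yes
    domain master = No
    ldap admin dn = cn=Manager
    ldap ssl = no
[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = Yes
    read only = No
"""


def normalize(text: str) -> str:
    """Samba ignores case and whitespace in parameter names, so
    'Passdb Backend' and 'passdbbackend' name the same parameter."""
    return re.sub(r"\s+", "", text).lower()


def parse_smb_conf(text: str) -> Config:
    """Parse smb.conf text into {section: {normalized parameter: value}}."""
    conf: Config = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # share names are case-insensitive
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][normalize(key)] = value.strip()
    return conf


def is_yes(value: Optional[str], default: bool = False) -> bool:
    """Samba boolean: yes/true/1 are true; an absent value takes the default."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def check_smb_conf(text: str) -> List[str]:
    """Return findings, each prefixed with a stable tag in square brackets."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings: List[str] = []

    backend, _, backend_url = g.get("passdbbackend", "").partition(":")
    backend = backend.strip().lower()
    domain_logons = is_yes(g.get("domainlogons"))
    domain_master = g.get("domainmaster", "auto").strip().lower()

    # 1. tdbsam is a local database with no replication. The chapter's note
    #    says not to use it with more than one DC; a server that offers domain
    #    logons but is explicitly not the domain master is a BDC, so a PDC
    #    exists elsewhere.
    if domain_logons and backend == "tdbsam" and domain_master in ("no", "false", "0"):
        findings.append("[tdbsam-multi-dc] BDC (domain master = No) uses tdbsam, "
                        "which cannot be shared with the PDC")

    # 2. With ldapsam, Samba binds as 'ldap admin dn' with the password stored
    #    by 'smbpasswd -w'. Over plain ldap:// to a remote host and without
    #    'ldap ssl = start tls', that bind crosses the network unencrypted.
    if backend == "ldapsam":
        url = urlparse(backend_url.strip() or "ldap://localhost")  # assumed default
        local = url.hostname in (None, "localhost", "127.0.0.1", "::1")
        if url.scheme == "ldap" and not local and normalize(g.get("ldapssl", "")) != "starttls":
            findings.append(f"[ldap-cleartext] ldap admin dn bind to {url.hostname} uses "
                            "plain ldap:// without 'ldap ssl = start tls'")

    # 3. Every client runs the logon script it fetches from [netlogon]. Samba's
    #    share default is 'read only = yes'; a share made writable and also
    #    open to guests lets any client rewrite that script.
    share = conf.get("netlogon")
    if share is not None:
        writable = (not is_yes(share.get("readonly"), default=True)
                    or any(is_yes(share.get(k)) for k in ("writeable", "writable", "writeok")))
        if writable and is_yes(share.get("guestok")):
            findings.append("[netlogon-writable] [netlogon] is guest ok and writable; "
                            "logon scripts could be replaced by any client")
    return findings


if __name__ == "__main__":
    for finding in check_smb_conf(SAMPLE_BDC):
        print(finding)
```

Run it against the file Samba actually loads (for example `check_smb_conf(open("/etc/samba/smb.conf").read())`) after `testparm` has accepted the syntax. The chapter's own PDC and BDC examples produce only the ldap-cleartext finding for the BDC; the [netlogon] finding appears in SAMPLE_BDC only because the sample deliberately sets read only = No, whereas the chapter's [netlogon] share leaves the read-only default in place and restricts writing to admin users.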

Published under the terms of the GNU General Public License.