Samba HowTo Guide

Domain Member Server

In this instance we consider the simplest server configuration we can get away with to make an accounting department happy. Let's be warned, the users are accountants and they do have some nasty demands. There is a budget for only one server for this department.

The network is managed by an internal Information Services Group (ISG), to which we belong. Internal politics are typical of a medium-sized organization; Human Resources is of the opinion that they run the ISG because they are always adding and disabling users. Also, departmental managers have to fight tooth and nail to gain basic network resource access for their staff. Accounting is different, though: they get exactly what they want. So this should set the scene.

We use the users from the last example. The accounting department has a general printer that all departmental users may use. There is also a check printer that may be used only by the person who has authority to print checks. The chief financial officer (CFO) wants that printer to be completely restricted and for it to be located in the private storage area in her office. It therefore must be a network printer.

The accounting department uses an accounting application called SpytFull that must be run from a central application server. The software is licensed to run only off one server, there are no workstation components, and it is run off a mapped share. The data store is in a UNIX-based SQL backend. The UNIX gurus look after that, so this is not our problem.

The accounting department manager (maryo) wants a general filing system as well as a separate file storage area for form letters (nastygrams). The form letter area should be read-only to all accounting staff except the manager. The general filing system has to have a structured layout with a general area for all staff to store general documents as well as a separate file area for each member of her team that is private to that person, but she wants full access to all areas. Users must have a private home share for personal work-related files and for materials not related to departmental operations.

Example Configuration

The server valinor will be a member server of the company domain. Accounting will have only a local server. User accounts will be on the domain controllers, as will desktop profiles and all network policy files.

Example 2.5. Member Server smb.conf (Globals)

[global]
# Global parameters
workgroup = MIDEARTH
netbios name = VALINOR
security = DOMAIN
printcap name = cups
disable spoolss = Yes
show add printer wizard = No
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind use default domain = Yes
printing = cups

Example 2.6. Member Server smb.conf (Shares and Services)

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[spytfull]
comment = Accounting Application Only
path = /export/spytfull
valid users = @Accounts
admin users = maryo
read only = Yes

[public]
comment = Data
path = /export/public
read only = No

[printers]
comment = All Printers
path = /var/spool/samba
printer admin = root, maryo
create mask = 0600
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No

  1. Do not add users to the UNIX/Linux server; all of this will run off the central domain.

  2. Configure smb.conf according to Member server smb.conf (globals) and Member server smb.conf (shares and services).

  3. Join the domain. Note: Do not start Samba until this step has been completed!

    net rpc join -Uroot%'bigsecret'
    Joined domain MIDEARTH.

  4. Make absolutely certain that you disable (shut down) the nscd daemon on any system on which winbind is configured to run.

  5. Start Samba following the normal method for your operating system platform. If you wish to do this manually, execute as root:

    nmbd; smbd; winbindd;

  6. Configure the name service switch (NSS) control file on your system to resolve user and group names via winbind. Edit the following lines in /etc/nsswitch.conf:

    passwd: files winbind
    group:  files winbind
    hosts:  files dns winbind

  7. Set the password for wbinfo to use:

    wbinfo --set-auth-user=root%'bigsecret'

  8. Validate that domain user and group credentials can be correctly resolved by executing:

    wbinfo -u
    wbinfo -g
    MIDEARTH\Domain Users
    MIDEARTH\Domain Admins
    MIDEARTH\Domain Guests

  9. Check that winbind is working. The following demonstrates correct username resolution via the getent system utility:

    getent passwd maryo
    maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false

  10. A final test that we have this under control might be reassuring:

    touch /export/a_file
    chown maryo /export/a_file
    ls -al /export/a_file
    -rw-r--r--    1 maryo    users       11234 Jun 21 15:32 a_file
    rm /export/a_file

  11. Configuration is now mostly complete, so this is an opportune time to configure the directory structure for this site:

    mkdir -p /export/{spytfull,public}
    chmod ug=rwxS,o=x /export/{spytfull,public}
    chown maryo.Accounts /export/{spytfull,public}
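The following POSIX shell script is an added example and is not code from the Samba HOWTO: it turns the checks behind steps 4, 6 and 9 above into functions that run against constructed nsswitch.conf, smb.conf and passwd files, and adds one check the steps assume but never test, namely that the idmap uid range from Example 2.5 does not overlap any local account. File names, the sample UIDs and the stale local account are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Samba HOWTO: pre-flight checks for the
# member server procedure above. Each check is a function taking file paths
# so it can be exercised against constructed files; exit status 0 means pass.

# Step 6: passwd and group lookups must list winbind as a source.
nss_uses_winbind() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" || return 1
    done
}

# Steps 1 and 9: the idmap uid range that domain users are mapped into must
# not overlap a UID already present in the local passwd file, or a domain
# account could be handed a local account's file ownership.
# Arguments: smb.conf path, passwd file path.
idmap_range_clear() {
    range=$(sed -n 's/^[[:space:]]*idmap uid[[:space:]]*=[[:space:]]*//p' "$1")
    lo=${range%-*}; hi=${range#*-}
    [ -n "$lo" ] && [ -n "$hi" ] || return 2
    awk -F: -v lo="$lo" -v hi="$hi" \
        '$3+0 >= lo+0 && $3+0 <= hi+0 { hit = 1 } END { exit hit ? 1 : 0 }' "$2"
}

# Step 4: nscd must not be running next to winbindd; its cache would
# answer lookups that should be going to the domain.
nscd_stopped() {
    ! pgrep -x nscd >/dev/null 2>&1
}

# Constructed sample files (assumed values matching the example config).
DEMO_DIR=$(mktemp -d)
printf '[global]\nsecurity = DOMAIN\nidmap uid = 15000-20000\nidmap gid = 15000-20000\n' >"$DEMO_DIR/smb.conf"
printf 'passwd: files winbind\ngroup:  files winbind\n' >"$DEMO_DIR/nsswitch.good"
printf 'passwd: files\ngroup:  files\n' >"$DEMO_DIR/nsswitch.bad"
printf 'root:x:0:0::/root:/bin/sh\nlocal:x:1000:1000::/home/local:/bin/sh\n' >"$DEMO_DIR/passwd.good"
printf 'root:x:0:0::/root:/bin/sh\nstale:x:15000:15000::/home/stale:/bin/sh\n' >"$DEMO_DIR/passwd.bad"

for f in nsswitch.good nsswitch.bad; do
    if nss_uses_winbind "$DEMO_DIR/$f"; then echo "$f: winbind present"; else echo "$f: winbind MISSING"; fi
done
for f in passwd.good passwd.bad; do
    if idmap_range_clear "$DEMO_DIR/smb.conf" "$DEMO_DIR/$f"; then
        echo "$f: idmap range clear"
    else
        echo "$f: local UID inside idmap range"
    fi
done
nscd_stopped && echo "nscd not running" || echo "nscd is running: stop it before winbindd"
```

Run it as root on the member server with the real /etc/nsswitch.conf, smb.conf and /etc/passwd paths in place of the constructed files.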

Published under the terms of the GNU General Public License.