
Samba

Install the packages: samba samba-common samba-doc smbclient

create user accounts for users (-s /bin/false gives the account no shell login; it exists only for Samba):
# sudo useradd -c "Pepe" -m -g users -s /bin/false pepe

create password:
# sudo passwd pepe

create samba password:
# sudo smbpasswd -a pepe

put/configure smb.conf file in /etc/samba directory

start samba service

map samba in fstab with command such as:

stuff here??????

map manually using mount (mount.cifs prompts for the password when none is given; do not pass password= on the command line, where every local user can read it from the process list):

sudo mount -t cifs //server/share /mnt/share --verbose -o user=domain\\user

other stuff:

filesystem type: cifs (the old smbfs client is gone; use cifs)

noperm – the client does not perform permission checks. Needed if the uid and gid are not the same on client and server. Caveat: this can expose files on the mount to other local users on the client; where possible map ownership with the uid= and gid= mount options instead.
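The fstab mapping the notes leave blank above, as an added example that is not from the original page: the password goes into a root-only credentials file that mount.cifs reads through credentials=, never into /etc/fstab or the mount command line. The share name //fileserver/share, the mount point, the account pepe and the domain EXAMPLE are placeholders.

```shell
# Added example, not from the original notes: keep the CIFS password out of
# /etc/fstab and out of the process list by using a root-only credentials file
# that mount.cifs reads via credentials=. Share, mount point and account are placeholders.

# Write the credentials file; umask 077 means it is 0600 from the moment it exists.
make_cifs_credentials() {   # make_cifs_credentials FILE USER PASSWORD [DOMAIN]
    (
        umask 077
        {
            printf 'username=%s\n' "$2"
            printf 'password=%s\n' "$3"
            if [ -n "$4" ]; then printf 'domain=%s\n' "$4"; fi
        } > "$1"
    )
}

# Build the fstab line. uid=/gid= present the files as one local account instead of
# noperm, _netdev delays the mount until the network is up, nofail lets boot continue
# when the server is unreachable, vers=3.0 refuses SMB1.
fstab_cifs_entry() {        # fstab_cifs_entry //SERVER/SHARE MOUNTPOINT CREDFILE UID GID
    printf '%s %s cifs credentials=%s,uid=%s,gid=%s,file_mode=0640,dir_mode=0750,vers=3.0,_netdev,nofail 0 0\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Refuse fstab lines that embed the password inline.
fstab_line_is_safe() {      # fstab_line_is_safe LINE -> 0 when no password=/pass= option appears
    case $1 in
        *password=*|*pass=*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed demo input: a scratch directory stands in for /etc.
demo=$(mktemp -d)
cred="$demo/cifs-pepe.cred"
make_cifs_credentials "$cred" pepe 'correct horse battery staple' EXAMPLE
entry=$(fstab_cifs_entry //fileserver/share /mnt/share "$cred" 1000 100)
echo "$entry"          # append this line to /etc/fstab, then: mount /mnt/share
```

On a real box the credentials file lives somewhere like /root/.smbcredentials; the point is that only root can read it, so a user who can run mount /mnt/share (the fstab entry does not carry the user option) still never sees the password.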


From the Likewise Samba Guide:
1. Make sure your Samba version is supported by Likewise by running the following command as root:
/opt/likewise/bin/samba-interop-install --check-version
2. On your Linux or Unix computer that is running Samba, add the following settings -- which are required
to authenticate users with Active Directory with all the versions of Samba that Likewise supports -- to
the global section of the Samba configuration file, smb.conf, typically located in the /etc/samba
directory.
The ADS value for the security setting is required. Replace the values of workgroup and realm
with the values for your network. The workgroup is your computer's NetBIOS domain name. The
realm is your computer's Active Directory domain. Here's an example:
[global]
        security = ADS
        workgroup = TESTER
        realm = TESTER.LIKEWISEDEMO.COM
        machine password timeout = 0
Note: If you fail to add the machine password timeout option to smb.conf and set it to
0, Samba will change the machine account password without notifying the Likewise authentication
service, leaving Likewise unable to connect to the domain.
3. If you are using Samba 3.0.25 or later versions in the 3.0 series, you must also add the following settings
and values to the global section of smb.conf. (These settings are not required for Samba 3.2 or later;
using them might result in a warning or an error.)
        idmap domains = ALL
        idmap config ALL:backend = lwicompat_v4
        idmap config ALL:default = yes
        idmap config ALL:readonly = yes
        idmap uid = 10000-33554431
        idmap gid = 10000-33554431
The range of the values for idmap uid and idmap gid will depend on the UID and GID ranges
that you have established for your users and groups in Active Directory.
4. In smb.conf, create a new section to define a shared resource, named testshare in the example
below, or use your own predefined section that specifies a shared resource, known as a share,
and configure it with the Samba parameters that you want. For more information, see the Samba
documentation or the Samba man page.
In this example, the value of the valid users setting is an Active Directory account. Leaving the
value of valid users blank allows all AD users to access the share; defining a list of AD users
constrains access to those in the list. For more information, see the Samba documentation.
[testshare]
        comment = This is a test share
        path = /share
        browseable = yes
        read only = no
        valid users = LIKEWISEDEMO\Administrator
        writeable = yes
        guest ok = yes
Note: guest ok = yes lets clients connect to the share without a password (as the guest account). If the intent is to limit the share to the accounts in valid users, set guest ok = no.
5. As root, run the testparm command to make sure smb.conf contains no syntax errors:
testparm /etc/samba/smb.conf
6. If you created a share like the example above, execute the following commands as root to create a
corresponding directory for the share and set its permissions and ownership:
mkdir /share
chmod a+rx /share
chown likewisedemo\\administrator /share/
7. As root, run the Likewise-Samba interoperability installer to copy the Likewise files into the Samba
directory and write the machine password in secrets.tdb:
/opt/likewise/bin/samba-interop-install --install
If your Samba daemon is installed in a location other than /usr/sbin or another standard location,
you must specify the path to its location -- for example:
/opt/likewise/bin/samba-interop-install --install /etc/apps/samba/bin
8. Restart Samba:
/etc/init.d/smb restart
9. With Samba version 3.0.25 or later versions in the 3.0 series, you must also restart Winbind unless you
are running a distribution on which Winbind is automatically restarted by the smb process:
/etc/init.d/winbind restart
10. You are now ready to access the share from a Windows computer and log on with an AD account. (In
the example configuration above, it would be LIKEWISEDEMO\administrator.) If you cannot access
the share or log on with your AD account, see the troubleshooting section below.


--------------------

Samba: connect to a domain without Likewise:

Before you attempt to join an Active Directory domain, make sure that /etc/resolv.conf on your Linux, Unix, or Mac client includes a DNS server that can resolve SRV records for your domain.

Example:

[root@rhel5d Desktop]# cat /etc/resolv.conf
search domain.com
nameserver 192.168.100.132
nameserver 192.168.100.133

For more information on resolv.conf, see your operating system's man page.


Install:

krb5-user
libpam-krb5 
libpam-winbind
libnss-winbind
winbind
samba


Setup:

configure /etc/krb5.conf (default_realm = the AD realm in upper case, e.g. NCHAR.LOCAL)

test the configuration by requesting a ticket (you will be prompted for the account password):
root@server:# kinit administrator@NCHAR.LOCAL
verify the request worked with klist; the output should look something like this:
root@linux:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@test.server.com

Valid starting       Expires              Service principal
05/16/07 10:30:42    05/16/07 20:30:01    krbtgt/test.server.com@test.server.com
        renew until 05/16/07 10:30:42
configure /etc/samba/smb.conf

then join the domain:  root@server:# net ads join -U administrator@NCHAR.LOCAL

reboot

Test with # wbinfo -u

Edit /etc/nsswitch.conf so that passwd and group consult winbind. Also make sure that dns directly follows files in the hosts: field:
passwd: compat winbind
group:  compat winbind
shadow: compat

hosts:  files dns mdns4_minimal [NOTFOUND=return]
then test with # getent passwd
(domain users should be listed)
If you don't see them, adjust smb.conf, restart winbind and samba, and check again. The lookup is dynamic and very fast.

add this line to /etc/pam.d/common-session (creates the home directory on first login):
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
add these lines to /etc/pam.d/sudo:
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required    pam_deny.so

@include common-account
You do not need to add lines to common-account and common-auth; Debian does this for you already.

to clear winbind's cached SID-to-UID/GID mappings use the command:  # net cache flush
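The files the join procedure above edits are easy to get subtly wrong (no nameserver that knows the domain, a lower-case realm, winbind missing from nsswitch.conf), and net ads join then fails with an unhelpful error. Here is an added example, not from the original notes, of offline pre-join checks over those files; the file contents are constructed samples, and NCHAR.LOCAL is the realm used in the notes.

```shell
# Added example, not part of the original notes: offline pre-join checks for the
# files the procedure above edits (resolv.conf, krb5.conf, smb.conf, nsswitch.conf).
# All file contents are constructed samples; NCHAR.LOCAL is the realm used in the notes.

# resolv.conf must list at least one nameserver (the AD DNS that serves the SRV records).
check_resolv() {            # check_resolv FILE
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9A-Fa-f.:]+' "$1"
}

# Kerberos realm names are case-sensitive; an AD realm is the DNS domain in upper case.
is_upper() {                # is_upper STRING
    [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

conf_value() {              # conf_value FILE KEY -> first 'KEY = value' in FILE
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1/p" "$1" | head -n1
}

# smb.conf needs security = ads, and its realm must equal krb5.conf's default_realm
# (Samba upper-cases the realm it reads, so that side is upper-cased before comparing).
check_realm() {             # check_realm SMB_CONF KRB5_CONF
    sec=$(conf_value "$1" security | tr '[:lower:]' '[:upper:]')
    [ "$sec" = "ADS" ] || { echo "security = ads is required"; return 1; }
    r=$(conf_value "$1" realm | tr '[:lower:]' '[:upper:]')
    k=$(conf_value "$2" default_realm)
    [ -n "$r" ] && [ -n "$k" ] || { echo "realm / default_realm missing"; return 1; }
    is_upper "$k" || { echo "default_realm $k must be upper case"; return 1; }
    [ "$r" = "$k" ] || { echo "realm $r does not match default_realm $k"; return 1; }
}

# passwd and group must consult winbind, and hosts must have dns right after files.
check_nsswitch() {          # check_nsswitch FILE
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" \
            || { echo "$db: does not list winbind"; return 1; }
    done
    grep -Eq '^[[:space:]]*hosts:[[:space:]]+files[[:space:]]+dns([[:space:]]|$)' "$1" \
        || { echo "hosts: must read 'files dns ...'"; return 1; }
}

# Constructed sample files in a scratch directory standing in for /etc.
demo=$(mktemp -d)
printf 'search nchar.local\nnameserver 192.168.100.132\nnameserver 192.168.100.133\n' > "$demo/resolv.conf"
cat > "$demo/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = NCHAR.LOCAL
    dns_lookup_kdc = true
EOF
cat > "$demo/smb.conf" <<'EOF'
[global]
    security = ads
    workgroup = NCHAR
    realm = NCHAR.LOCAL
EOF
cat > "$demo/nsswitch.conf" <<'EOF'
passwd: compat winbind
group:  compat winbind
shadow: compat
hosts:  files dns mdns4_minimal [NOTFOUND=return]
EOF
# A broken krb5.conf: lower-case realm, which kinit will not match against AD.
printf '[libdefaults]\n    default_realm = nchar.local\n' > "$demo/krb5-bad.conf"

preflight() {               # preflight DIR -> 0 only when every check passes
    check_resolv "$1/resolv.conf" \
        && check_realm "$1/smb.conf" "$1/krb5.conf" \
        && check_nsswitch "$1/nsswitch.conf"
}
preflight "$demo" && echo "pre-join checks passed; next: kinit, then net ads join -U administrator@NCHAR.LOCAL"
```

Run preflight against / on the real host before the kinit step; each check prints the first thing it finds wrong, which is usually the whole diagnosis.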

To fix being unable to use passwd:

By default pam_krb5.so has "minimum_uid" set to 1000 in /etc/pam.d/common-*
e.g.:

password    [success=3 default=ignore]  pam_krb5.so minimum_uid=1000

my user had uid=1001 and according to the default setup, kerberos took control (bad thing). On the other hand, the mapping for my AD users was in a higher range (/etc/samba/smb.conf):

idmap config * : range = 10000-40000

So, I adjusted the "minimum_uid" in /etc/pam.d/common-* to 10000, and now I'm happy :-)

To cache passwords for offline authentication:

Taking this workstation or laptop on the road? You will not be able to authenticate if you cannot talk to your server. If you need this capability, do the following.

Add the following lines to your /etc/samba/smb.conf file in the [global] section:

winbind offline logon = true                ('yes' works too, but true is in the smb docs)
lock directory = /var/cache/samba/locks/

Update /etc/pam.d/common-account to include cached_login by adding this line:

account sufficient pam_winbind.so cached_login

Make a file called /etc/security/pam_winbind.conf. Add the following:

#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf 
#
[global]
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

Restart winbind.

/etc/init.d/winbind restart

Log off and back in again as the user. Then reboot the workstation off the network.

----------------------------------------------------
Others - might also have to adjust these settings to get the cache to last longer:

/etc/samba/smb.conf:

:-> idmap cache time: this parameter specifies the number of seconds that Winbind's idmap interface will cache positive SID/uid/gid query results.

Default: idmap cache time = 604800 (one week)

:-> Might be able to adjust idmap per this example:  -->  Definitely want to do this
idmap uid / idmap gid have been deprecated in favor of idmap config * : range

        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999

        idmap config CORP : backend  = ad
        idmap config CORP : range = 1000-999999

Caveat: the CORP range above starts at 1000, which is where Debian/Ubuntu start local user accounts (UID_MIN in /etc/login.defs), so a domain user can end up on a local user's UID. Start the domain range above the local range (the passwd fix above uses 10000) and keep the * range and the domain range from overlapping.
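The idmap ranges above and the pam_krb5 minimum_uid from the passwd fix earlier have to agree with each other and with the local UID range, and nothing in Samba checks that for you. Here is an added example, not from the original notes, that parses the idmap config ... : range lines out of an smb.conf and the minimum_uid out of a PAM file and flags overlaps; the smb.conf and PAM contents are constructed samples, CORP is the domain name from the notes, and 9999 is taken as the top of the local UID range.

```shell
# Added example, not from the original notes: sanity-check the idmap ranges and the
# pam_krb5 minimum_uid against each other and against local accounts. File contents
# below are constructed samples; CORP is the domain name used in the notes above.

# Print "DOMAIN LOW HIGH" for every 'idmap config DOM : range = LOW-HIGH' line.
idmap_ranges() {            # idmap_ranges SMB_CONF
    sed -nE 's/^[[:space:]]*idmap config[[:space:]]+([^[:space:]:]+)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*-[[:space:]]*([0-9]+).*/\1 \2 \3/p' "$1"
}

# Every range must have low < high, must not overlap another range, and must stay above
# the local accounts, or a domain SID can be mapped onto a local user's UID and files.
check_idmap_ranges() {      # check_idmap_ranges SMB_CONF LOCAL_UID_MAX -> 0 when sane
    idmap_ranges "$1" | awk -v local_max="$2" '
        {
            n++; dom[n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0
            if (lo[n] >= hi[n])     { print dom[n] ": range low >= high"; bad = 1 }
            if (lo[n] <= local_max) { print dom[n] ": range reaches into local UIDs (<= " local_max ")"; bad = 1 }
        }
        END {
            if (n == 0) { print "no idmap config ranges found"; bad = 1 }
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) { print dom[i] " and " dom[j] ": ranges overlap"; bad = 1 }
            exit bad + 0
        }'
}

# pam_krb5 ignores accounts below minimum_uid; when the option is absent it handles every account.
pam_krb5_minimum_uid() {    # pam_krb5_minimum_uid PAM_FILE -> prints the value (0 when unset)
    v=$(sed -nE '/pam_krb5\.so/s/.*minimum_uid=([0-9]+).*/\1/p' "$1" | head -n1)
    printf '%s\n' "${v:-0}"
}

# minimum_uid must sit above the local accounts and at or below the start of the domain
# range, otherwise pam_krb5 either grabs local users (the passwd failure above) or skips
# some domain users.
check_pam_minimum_uid() {   # check_pam_minimum_uid PAM_FILE SMB_CONF LOCAL_UID_MAX
    m=$(pam_krb5_minimum_uid "$1")
    lowest=$(idmap_ranges "$2" | awk '$1 != "*" { if (min == "" || $2 + 0 < min) min = $2 + 0 } END { print min }')
    [ -n "$lowest" ] || { echo "no domain idmap range configured"; return 1; }
    [ "$m" -gt "$3" ] && [ "$m" -le "$lowest" ]
}

# Constructed samples in a scratch directory standing in for /etc.
demo=$(mktemp -d)
cat > "$demo/smb.conf" <<'EOF'
[global]
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config CORP : backend = ad
    idmap config CORP : range = 10000-999999
EOF
# Broken variant: CORP starts at 1000 (collides with local users) and overlaps the * range.
cat > "$demo/smb-bad.conf" <<'EOF'
[global]
    idmap config * : backend = tdb
    idmap config * : range = 10000-1999999
    idmap config CORP : backend = ad
    idmap config CORP : range = 1000-999999
EOF
cat > "$demo/common-password" <<'EOF'
password    [success=3 default=ignore]  pam_krb5.so minimum_uid=10000
password    [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
EOF
printf 'password [success=3 default=ignore] pam_krb5.so minimum_uid=1000\n' > "$demo/common-password-bad"

check_idmap_ranges "$demo/smb.conf" 9999 \
    && check_pam_minimum_uid "$demo/common-password" "$demo/smb.conf" 9999 \
    && echo "idmap ranges and pam_krb5 minimum_uid are consistent"
```

Point it at the real /etc/samba/smb.conf and /etc/pam.d/common-password with the UID_MAX from /etc/login.defs as the third argument; the overlap check is the one that catches the CORP range starting at 1000 in the example above.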
:-> Might want to use inherit permissions in samba setup...

The permissions on new files and directories are normally governed by create mask, directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this.

New directories inherit the mode of the parent directory, including bits such as setgid.

New files inherit their read/write bits from the parent directory. Their execute bits continue to be determined by map archive, map hidden and map system as usual.

Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).

This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] share to be used flexibly by each user.

Default: inherit permissions = no

:-> Add cache directory: (Don't seem to need - broke cache)

Usually, most of the TDB files are stored in the lock directory. Since Samba 3.4.0, it is possible to differentiate between TDB files with persistent data and TDB files with non-persistent data using the state directory and the cache directory options.

This option specifies the directory where TDB files containing non-persistent data will be stored.

Default: cache directory = ${prefix}/var/locks

Example: cache directory = /var/cache/samba/locks/cache

:-> Then adjust machine password timeout:  (Don't seem to need - broke cache)

If a Samba server is a member of a Windows NT Domain (see the security = domain parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called private/secrets.tdb . This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server.

See also smbpasswd(8), and the security = domain parameter.

Default: machine password timeout = 604800

:->  passdb backend  --- set this to store file?  (didn't try)

This option allows the administrator to choose which backend will be used for storing user and possibly group information. This allows you to swap between different storage mechanisms without recompiling.

The parameter value is divided into two parts, the backend's name, and a 'location' string that has meaning only to that particular backend. These are separated by a : character.

Available backends can include:

  • smbpasswd - The old plaintext passdb backend. Some Samba features will not work if this passdb backend is used. Takes a path to the smbpasswd file as an optional argument.

  • tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the private dir directory).

  • ldapsam - The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to ldap://localhost)

    LDAP connections should be secured where possible. This may be done using either Start-TLS (see ldap ssl) or by specifying ldaps:// in the URL argument.

    Multiple servers may also be specified in double-quotes. Whether multiple servers are supported or not and the exact syntax depends on the LDAP library you use.

Examples of use are:
passdb backend = tdbsam:/etc/samba/private/passdb.tdb 

or multi server LDAP URL with OpenLDAP library:

passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"

or multi server LDAP URL with Netscape based LDAP library:

passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"

Default: passdb backend = tdbsam

:->  Then, if you do the former, you need to set up the private dir (G)  (didn't try)

This parameter defines the directory smbd will use for storing such files as smbpasswd and secrets.tdb.

Default: private dir = ${prefix}/private


----------------------------------------------------

resources

primary:
https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory
http://manpages.ubuntu.com/manpages/jaunty/man8/idmap_rid.8.html
http://www.onlamp.com/pub/a/onlamp/2008/04/01/step-by-step-using-samba-to-join-a-windows-domain.html

secondary:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/windbind.html
https://www.debian-administration.org/article/403/Giving_users_a_home_directory_automatically
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
https://lists.samba.org/archive/samba/2015-January/188045.html

For caching:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1165461
https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain
