Samba

Install samba samba-common samba-doc smbclient

create user accounts for users:

# sudo useradd -c "Pepe" -m -g users -s /bin/false pepe

create password:

# sudo passwd pepe

create samba password:

# sudo smbpasswd -a pepe

put/configure smb.conf file in /etc/samba directory

start samba service

map samba in fstab with command such as:

stuff here??????

map manually using mount:

sudo mount -t cifs //server/share /mnt/share --verbose -o user=domain\\user

other stuff:

sambafs - cifs

noperm – client does not perform permission checks. Needed if uid and gid are not the same on client and server.

Likewise: http://www.beyondtrust.com/Technical-Support/Downloads/files/pbise/Manuals/likewise-samba-guide.pdf

1. Make sure your Samba version is supported by Likewise by running the following command as root:

/opt/likewise/bin/samba-interop-install --check-version

2. On your Linux or Unix computer that is running Samba, add the following settings -- which are required to authenticate users with Active Directory with all the versions of Samba that Likewise supports -- to the global section of the Samba configuration file, smb.conf, typically located in the /etc/samba directory.

The ADS value for the security setting is required. Replace the values of workgroup and realm with the values for your network. The workgroup is your computer's NetBIOS domain name. The realm is your computer's Active Directory domain. Here's an example:

[global]
security = ADS
workgroup = TESTER
realm = TESTER.LIKEWISEDEMO.COM
machine password timeout = 0

Note: If you fail to add the machine password timeout option to smb.conf and set it to 0, Samba will change the machine account password without notifying the Likewise authentication service, leaving Likewise unable to connect to the domain.

3. If you are using Samba 3.0.25 or later versions in the 3.0 series, you must also add the following settings and values to the global section of smb.conf. (These settings are not required for Samba 3.2 or later; using them might result in a warning or an error.)

idmap domains = ALL
idmap config ALL:backend = lwicompat_v4
idmap config ALL:default = yes
idmap config ALL:readonly = yes
idmap uid = 10000-33554431
idmap gid = 10000-33554431

The range of the values for idmap uid and idmap gid will depend on the UID and GID ranges that you have established for your users and groups in Active Directory.

4. In smb.conf, create a new section to define a shared resource, named testshare in the example below, or use your own predefined section that specifies a shared resource, known as a share, and configure it with the Samba parameters that you want. For more information, see the Samba documentation or the Samba man page.

In this example, the value of the valid users setting is an Active Directory account. Leaving the value of valid users blank allows all AD users to access the share; defining a list of AD users constrains access to those in the list. For more information, see the Samba documentation.

[testshare]
comment = This is a test share
path = /share
browseable = yes
read only = no
valid users = LIKEWISEDEMO\Administrator
writeable = yes
guest ok = yes

5. As root, run the testparm command to make sure smb.conf contains no syntax errors:

testparm /etc/samba/smb.conf
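testparm only catches syntax errors; it will happily accept a [global] section that is missing realm or that leaves machine password timeout at its default. The script below is an added example (not from the Likewise guide or from Samba) that reads the values themselves and reports which of the settings from steps 2 and 4 are absent or wrong. The function names (smb_ini_get, check_ad_global) and the two sample smb.conf files are constructed here; point check_ad_global at a real /etc/samba/smb.conf to use it.

```shell
#!/bin/sh
# Added example, not from the Likewise guide or Samba: testparm only checks
# syntax, so this reads the values and confirms the [global] settings that
# steps 2 and 4 above require. The sample smb.conf files are constructed.

# smb_ini_get FILE SECTION KEY -> prints the value of KEY in [SECTION]
# (section and key matched case-insensitively, whitespace trimmed, ';' and
# '#' comment lines skipped), or nothing if it is not set.
smb_ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            in_sec = (tolower(s) == tolower(want_sec)); next
        }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(want_key)) { print v; exit }
        }' "$1"
}

# check_ad_global FILE -> 0 when every required setting is present and
# correct, 1 otherwise; each problem is printed on its own line.
check_ad_global() {
    f="$1"; rc=0
    sec=$(smb_ini_get "$f" global security | tr 'A-Z' 'a-z')
    [ "$sec" = "ads" ] || { echo "security must be ADS (found: '${sec:-unset}')"; rc=1; }
    for key in workgroup realm; do
        [ -n "$(smb_ini_get "$f" global "$key")" ] || { echo "$key is not set"; rc=1; }
    done
    mpt=$(smb_ini_get "$f" global "machine password timeout")
    [ "$mpt" = "0" ] || {
        echo "machine password timeout must be 0, otherwise smbd rotates the machine" \
             "password without telling the Likewise service (found: '${mpt:-unset}')"
        rc=1
    }
    return $rc
}

# Constructed sample configs: one that follows the guide, one with gaps.
TMP=${TMPDIR:-/tmp}/smbcheck.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT
GOOD="$TMP/smb-good.conf"
BAD="$TMP/smb-bad.conf"

cat > "$GOOD" <<'EOF'
# constructed: mirrors the guide's example
[global]
   security = ADS
   workgroup = TESTER
   realm = TESTER.LIKEWISEDEMO.COM
   machine password timeout = 0

[testshare]
   path = /share
   valid users = LIKEWISEDEMO\Administrator
EOF

cat > "$BAD" <<'EOF'
# constructed: realm missing, timeout left at its one-week default
[global]
   security = ads
   workgroup = TESTER
EOF

check_ad_global "$GOOD" && echo "smb-good.conf: required settings present"
check_ad_global "$BAD" || echo "smb-bad.conf: fix the problems listed above"
```

Run it as root after testparm; a non-zero exit means one of the listed lines needs fixing before running the interop installer in step 7.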

6. If you created a share like the example above, execute the following commands as root to create a corresponding directory for the share and set its permissions and ownership:

mkdir /share
chmod a+rx /share
chown likewisedemo\\administrator /share/

7. As root, run the Likewise-Samba interoperability installer to copy the Likewise files into the Samba directory and write the machine password in secrets.tdb:

/opt/likewise/bin/samba-interop-install --install

If your Samba daemon is installed in a location other than /usr/sbin or another standard location, you must specify the path to its location -- for example:

/opt/likewise/bin/samba-interop-install --install /etc/apps/samba/bin

8. Restart Samba:

/etc/init.d/smb restart

9. With Samba version 3.0.25 or later versions in the 3.0 series, you must also restart Winbind unless you are running a distribution on which Winbind is automatically restarted by the smb process:

/etc/init.d/winbind restart

10. You are now ready to access the share from a Windows computer and log on with an AD account. (In the example configuration above, it would be LIKEWISEDEMO\administrator.) If you cannot access the share or log on with your AD account, see the troubleshooting section below.

--------------------

Samba Connect to domain without likewise:

Before you attempt to join an Active Directory domain, make sure that /etc/resolv.conf on your Linux, Unix, or Mac client includes a DNS server that can resolve SRV records for your domain.

Example:

[root@rhel5d Desktop]# cat /etc/resolv.conf
search domain.com
nameserver 192.168.100.132
nameserver 192.168.100.133

For more information on resolv.conf, see your operating system's man page.

Install:

krb5-user

libpam-krb5

libpam-winbind

libnss-winbind

winbind

samba

Setup:

configure /etc/krb5.conf

test configuration via: root@server:# kinit administrator@NCHAR.LOCAL (then authenticate)

verify the request worked via the klist command; the output should look something like this:

root@linux:~# klist
Ticket cache: File: /tmp/krb5cc_0
Default principal: Administrator@test.server.com
Valid starting     Expires            Service principal
05/16/07 10:30:42  05/16/07 20:30:01  Krbtgt/test.server.com@test.server.com
        renew until 05/16/07 10:30:42

configure /etc/samba/smb.conf

then join the domain: root@server:# net ads join -U administrator@NCHAR.LOCAL

reboot

Test with # wbinfo -u

Edit nsswitch. Location: /etc/nsswitch.conf. Also make sure that dns directly follows files on the hosts: field:

passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns mdns4_minimal [NOTFOUND=return]

then test with # getent passwd

(should see domain users there)

If you don't see users there, you need to adjust your smb.conf file, restart winbind and samba, and run getent again to see if they show up. It's dynamic and very fast.
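The nsswitch edit above has two parts that are easy to get wrong by hand: winbind has to appear on both the passwd and group lines (or getent never shows domain users), and on the hosts line dns must come directly after files (the stock Ubuntu ordering puts mdns4_minimal [NOTFOUND=return] in between). The script below is an added example, not from the Debian wiki or the original notes, that checks both against a given nsswitch.conf. The function names (nss_sources, check_nsswitch) and the two sample files are constructed; run check_nsswitch /etc/nsswitch.conf on a real host.

```shell
#!/bin/sh
# Added example, not from the Debian wiki or the original notes: read an
# nsswitch.conf and check the two points above, winbind listed for passwd
# and group, and dns directly after files on the hosts: line. The sample
# files are constructed.

# nss_sources FILE DATABASE -> prints the source list of DATABASE
nss_sources() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }
        {
            if (match($0, "^[ \t]*" db "[ \t]*:")) {
                rest = substr($0, RLENGTH + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", rest)
                print rest; exit
            }
        }' "$1"
}

# check_nsswitch FILE -> 0 if all checks pass, 1 otherwise (each gap printed)
check_nsswitch() {
    f="$1"; rc=0
    for db in passwd group; do
        case " $(nss_sources "$f" "$db") " in
            *" winbind "*) ;;
            *) echo "$db: winbind missing, getent will not list domain users"; rc=1 ;;
        esac
    done
    hosts=$(nss_sources "$f" hosts)
    set -f                      # no globbing: [NOTFOUND=return] is a token, not a pattern
    set -- $hosts
    set +f
    prev=""; ok=0
    for src in "$@"; do
        [ "$prev" = "files" ] && [ "$src" = "dns" ] && ok=1
        prev="$src"
    done
    [ "$ok" -eq 1 ] || { echo "hosts: dns must directly follow files (found: '$hosts')"; rc=1; }
    return $rc
}

TMP=${TMPDIR:-/tmp}/nsscheck.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT
GOOD="$TMP/nsswitch-good.conf"
BAD="$TMP/nsswitch-bad.conf"

cat > "$GOOD" <<'EOF'
# constructed: the layout from the note above
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns mdns4_minimal [NOTFOUND=return]
networks:       files
EOF

cat > "$BAD" <<'EOF'
# constructed: stock ordering, winbind not yet added
passwd:         compat
group:          compat
shadow:         compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns
EOF

check_nsswitch "$GOOD" && echo "nsswitch-good.conf: OK"
check_nsswitch "$BAD" || echo "nsswitch-bad.conf: fix the lines listed above"
```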

add line to /etc/pam.d/common-session:

session required pam_mkhomedir.so umask=0022 skel=/etc/skel

add lines to /etc/pam.d/sudo:

auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so
@include common-account

Do not need to add lines to common-account and common-auth -- debian does this for you already....

to reset UID and GID mappings use the command: # net cache flush

To fix issue unable to use passwd:

by default pam_krb5.so sets "minimum_uid" to 1000 in /etc/pam.d/common-*

e.g.:

password [success=3 default=ignore] pam_krb5.so minimum_uid=1000

my user had uid=1001 and according to the default setup, kerberos took control (bad thing). On the other hand, the mapping for my AD users was in a higher range (/etc/samba/smb.conf):

idmap config * : range = 10000-40000

So, I adjusted the "minimum_uid" in /etc/pam.d/common-* to 10000, and now I'm happy :-)
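The rule behind that fix: pam_krb5 handles every account whose UID is at or above minimum_uid, so the value has to be higher than any local UID and no higher than the start of the winbind idmap range; otherwise local users get sent to Kerberos (the broken passwd above) or domain users skip it. The script below is an added example, not from the original notes, that reads the three inputs and checks that relationship. The function names, the sample smb.conf, the two common-password lines (default 1000 and adjusted 10000) and the getent-style passwd listing are all constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: the check behind the fix above.
# pam_krb5 handles every account whose UID is >= minimum_uid, so that value
# has to sit above all local UIDs and at or below the start of the winbind
# idmap range; otherwise local users land in Kerberos (the passwd failure
# above) or domain users bypass it. All input files are constructed.

# idmap_range_start SMB_CONF -> first UID of "idmap config * : range = A-B"
idmap_range_start() {
    awk -F= '
        tolower($1) ~ /^[ \t]*idmap[ \t]+config[ \t]+\*[ \t]*:[ \t]*range[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v); split(v, r, "-"); print r[1]; exit
        }' "$1"
}

# pam_minimum_uid PAM_FILE -> minimum_uid given on the pam_krb5.so line,
# or 0 when it is absent (pam_krb5 then applies to every account)
pam_minimum_uid() {
    awk '
        /^[ \t]*#/ { next }
        /pam_krb5\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^minimum_uid=/) {
                    sub(/^minimum_uid=/, "", $i); print $i; found = 1; exit
                }
        }
        END { if (!found) print 0 }' "$1"
}

# max_local_uid PASSWD_FILE RANGE_START -> highest UID below RANGE_START,
# i.e. the highest account that is not a winbind-mapped domain user
max_local_uid() {
    awk -F: -v limit="$2" '
        $3 + 0 < limit + 0 && $3 + 0 > max { max = $3 + 0 }
        END { print max + 0 }' "$1"
}

# check_minimum_uid SMB_CONF PAM_FILE PASSWD_FILE -> 0 when minimum_uid is
# above every local UID and not above the idmap range start, 1 otherwise
check_minimum_uid() {
    start=$(idmap_range_start "$1")
    min=$(pam_minimum_uid "$2")
    local_max=$(max_local_uid "$3" "$start")
    rc=0
    if [ "$min" -le "$local_max" ]; then
        echo "minimum_uid=$min: local UIDs up to $local_max are routed to pam_krb5 (passwd breaks for them)"
        rc=1
    fi
    if [ "$min" -gt "$start" ]; then
        echo "minimum_uid=$min is above the idmap range start $start: domain users below it skip pam_krb5"
        rc=1
    fi
    return $rc
}

TMP=${TMPDIR:-/tmp}/uidcheck.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# constructed: the idmap range from the note above
printf '[global]\n   idmap config * : range = 10000-40000\n' > "$TMP/smb.conf"
# constructed: the Debian default line, then the adjusted one
printf 'password [success=3 default=ignore] pam_krb5.so minimum_uid=1000\n' > "$TMP/common-password.before"
printf 'password [success=3 default=ignore] pam_krb5.so minimum_uid=10000\n' > "$TMP/common-password.after"
# constructed getent passwd output: root, the local user from the note, and
# one domain user mapped into the idmap range
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pepe:x:1001:100:Pepe:/home/pepe:/bin/false
DOMAIN\jsmith:x:10005:10001::/home/DOMAIN/jsmith:/bin/bash
EOF

check_minimum_uid "$TMP/smb.conf" "$TMP/common-password.before" "$TMP/passwd" \
    || echo "before: minimum_uid=1000 is wrong for this idmap range"
check_minimum_uid "$TMP/smb.conf" "$TMP/common-password.after" "$TMP/passwd" \
    && echo "after: minimum_uid=10000 is consistent"
```

On a real host feed it /etc/samba/smb.conf, /etc/pam.d/common-password and the output of getent passwd saved to a file; every file under /etc/pam.d/common-* that mentions pam_krb5.so should pass the same check.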

To cache password for offline authentication:

Taking this workstation or laptop on the road? You will not be able to authenticate if you cannot talk to your server. If you need this capability, do the following.

Add the following lines to your /etc/samba/smb.conf file in the [global] section:

winbind offline logon = true ('Yes' works too, but true is in the smb docs)
lock directory = /var/cache/samba/locks/

Update the /etc/pam.d/common-account file to include cached_login:

echo "account sufficient pam_winbind.so cached_login"

Make a file called /etc/security/pam_winbind.conf. Add the following:

#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

Restart winbind:

/etc/init.d/winbind restart

Log off and back in again as the user. Then reboot the workstation off the network.
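The offline setup above spans three files and only works when they agree: winbind caches credentials only if smb.conf has winbind offline logon, and pam_winbind only asks for the cached entry if cached_login is set, either in /etc/security/pam_winbind.conf or as an argument on the pam_winbind.so line. The script below is an added example, not from the original notes or Samba, that checks all three before you take the laptop off the network. The function names (has_setting, check_offline_logon) and the sample files, including a second smb.conf with the option left out, are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes or Samba: confirm the three
# files of the offline-logon setup above agree. winbind caches credentials
# only when smb.conf has "winbind offline logon", and pam_winbind asks for
# the cached entry only when cached_login is set, either in pam_winbind.conf
# or on the pam_winbind.so line. File paths and contents are constructed.

# has_setting FILE KEY VALUE_REGEX -> 0 when an uncommented "KEY = VALUE"
# line is present (case-insensitive, any spacing)
has_setting() {
    grep -Ev '^[[:space:]]*[#;]' "$1" \
        | grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$"
}

# check_offline_logon SMB_CONF PAM_WINBIND_CONF COMMON_ACCOUNT -> 0 when the
# pieces agree, 1 otherwise (each gap printed)
check_offline_logon() {
    rc=0
    has_setting "$1" "winbind offline logon" "(yes|true)" \
        || { echo "smb.conf: winbind offline logon is off, nothing will be cached"; rc=1; }
    if ! has_setting "$2" "cached_login" "yes" \
       && ! grep -Eq '^[[:space:]]*account[[:space:]].*pam_winbind\.so.*cached_login' "$3"; then
        echo "cached_login is requested neither in pam_winbind.conf nor on the pam_winbind.so line"
        rc=1
    fi
    grep -Eq '^[[:space:]]*account[[:space:]]+sufficient[[:space:]]+pam_winbind\.so' "$3" \
        || { echo "common-account: 'account sufficient pam_winbind.so' line missing"; rc=1; }
    return $rc
}

TMP=${TMPDIR:-/tmp}/offline.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# constructed: the settings from the note above
cat > "$TMP/smb.conf" <<'EOF'
[global]
   winbind offline logon = true
   lock directory = /var/cache/samba/locks/
EOF
cat > "$TMP/pam_winbind.conf" <<'EOF'
#
# pam_winbind configuration file
#
[global]
# request a cached login if possible
cached_login = yes
EOF
printf 'account sufficient pam_winbind.so cached_login\naccount required pam_unix.so\n' > "$TMP/common-account"
# constructed: smb.conf with the option left out, so winbind never caches
printf '[global]\n   workgroup = TESTER\n' > "$TMP/smb-nocache.conf"

check_offline_logon "$TMP/smb.conf" "$TMP/pam_winbind.conf" "$TMP/common-account" \
    && echo "offline logon pieces agree"
check_offline_logon "$TMP/smb-nocache.conf" "$TMP/pam_winbind.conf" "$TMP/common-account" \
    || echo "smb-nocache.conf: cached_login requested but winbind will not cache"
```

Run it against /etc/samba/smb.conf, /etc/security/pam_winbind.conf and /etc/pam.d/common-account after the winbind restart; the log-off/log-on step that follows only populates the cache when all three checks pass.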

----------------------------------------------------

Others - Might also have to adjust these settings to get the cache to last longer:

/etc/samba/smb.conf:

:-> idmap cache time: This parameter specifies the number of seconds that Winbind's idmap interface will cache positive SID/uid/gid query results.

Default: idmap cache time = 604800 (one week)

:-> Might be able to adjust idmap per this example: --> Definitely want to do this

idmap gid = has been deprecated in favor of idmap config * : range

idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config CORP : backend = ad
idmap config CORP : range = 1000-999999

:-> Might want to use inherit permissions in samba setup...

The permissions on new files and directories are normally governed by create mask, directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this.

New directories inherit the mode of the parent directory, including bits such as setgid.

New files inherit their read/write bits from the parent directory. Their execute bits continue to be determined by map archive, map hidden and map system as usual.

Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).

This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] share to be used flexibly by each user.

Default: inherit permissions = no

:-> Add cache directory: (Don't seem to need - broke cache)

Usually, most of the TDB files are stored in the lock directory. Since Samba 3.4.0, it is possible to differentiate between TDB files with persistent data and TDB files with non-persistent data using the state directory and the cache directory options.

This option specifies the directory where TDB files containing non-persistent data will be stored.

Default: cache directory = ${prefix}/var/locks

Example: cache directory = /var/cache/samba/locks/cache

:-> Then adjust machine password timeout: (Don't seem to need - broke cache)

If a Samba server is a member of a Windows NT Domain (see the security = domain parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called private/secrets.tdb . This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server.

See also smbpasswd(8), and the security = domain parameter.

Default: machine password timeout = 604800

:-> Passdb backend --- set this to store file? (didn't try)

This option allows the administrator to choose which backend will be used for storing user and possibly group information. This allows you to swap between different storage mechanisms without recompiling.

The parameter value is divided into two parts, the backend's name, and a 'location' string that has meaning only to that particular backend. These are separated by a : character.

Available backends can include:

    • smbpasswd - The old plaintext passdb backend. Some Samba features will not work if this passdb backend is used. Takes a path to the smbpasswd file as an optional argument.

    • tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the private dir directory).

    • ldapsam - The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to ldap://localhost)

      • LDAP connections should be secured where possible. This may be done using either Start-TLS (see ldap ssl) or by specifying ldaps:// in the URL argument.

      • Multiple servers may also be specified in double-quotes. Whether multiple servers are supported or not and the exact syntax depends on the LDAP library you use.

Examples of use are:

passdb backend = tdbsam:/etc/samba/private/passdb.tdb

or multi server LDAP URL with OpenLDAP library:

passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"

or multi server LDAP URL with Netscape based LDAP library:

passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"

Default: passdb backend = tdbsam

:-> Then if you do the former you need to set up the private dir (g) (didn't try)

This parameter defines the directory smbd will use for storing such files as smbpasswd and secrets.tdb.

Default: private dir = ${prefix}/private

----------------------------------------------------

resources

primary:

https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory

http://manpages.ubuntu.com/manpages/jaunty/man8/idmap_rid.8.html

http://www.onlamp.com/pub/a/onlamp/2008/04/01/step-by-step-using-samba-to-join-a-windows-domain.html

secondary:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/windbind.html

https://www.debian-administration.org/article/403/Giving_users_a_home_directory_automatically

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

https://lists.samba.org/archive/samba/2015-January/188045.html

For caching:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1165461

https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain