1 <chapter id="FastStart">
6 <title>Fast Start: Cure for Impatience</title>
9 When we first asked for suggestions for inclusion in the Samba HOWTO documentation,
10 someone wrote asking for example configurations &smbmdash; and lots of them. That is remarkably
11 difficult to do, without losing a lot of value that can be derived from presenting
12 many extracts from working systems. That is what the rest of this document does.
13 It does so with extensive descriptions of the configuration possibilities within the
14 context of the chapter that covers it. We hope that this chapter is the medicine
15 that has been requested.
19 <title>Features and Benefits</title>
22 Samba needs very little configuration to create a basic working system.
23 In this chapter we progress from the simple to the complex, for each providing
24 all steps and configuration file changes needed to make each work. Please note
25 that a comprehensively configured system will likely employ additional smart
26 features. The additional features are covered in the remainder of this document.
30 The examples used here have been obtained from a number of people who made
31 requests for example configurations. All identities have been obscured to protect
32 the guilty and any resemblance to unreal non-existent sites is deliberate.
38 <title>Description of Example Sites</title>
41 In the first set of configuration examples we consider the case of exceptionally simple
42 system requirements. There is a real temptation to make something that should require
43 little effort much too complex.
47 <link linkend="anon-ro"></link> documents the type of server that might be sufficient to serve CD-ROM
48 images, or reference document files for network client use. This configuration is also discussed in
49 <link linkend="StandAloneServer"></link>, <link linkend="RefDocServer"></link>.
50 The purpose for this configuration is to provide a shared volume that is read-only that anyone, even guests, can access.
54 The second example shows a minimal configuration for a print server that anyone can print
55 to as long as they have the correct printer drivers installed on their computer. This is a
56 mirror of the system described in <link linkend="StandAloneServer"></link>, <link linkend="SimplePrintServer"></link>.
60 The next example is of a secure office file and print server that will be accessible only
61 to users who have an account on the system. This server is meant to closely resemble a
62 Workgroup file and print server, but has to be more secure than an anonymous access machine.
63 This type of system will typically suit the needs of a small office. The server does not
64 provide network logon facilities and offers no Domain Control; instead it is just a network
65 attached storage (NAS) device and a print server.
69 Finally, we start looking at more complex systems that will either integrate into existing
70 Microsoft Windows networks, or replace them entirely. The examples provided cover domain
71 member servers as well as Samba Domain Control (PDC/BDC) and finally describe in detail
72 a large distributed network with branch offices in remote locations.
78 <title>Worked Examples</title>
81 The configuration examples are designed to cover everything necessary to get Samba
82 running. They do not cover basic operating system platform configuration, which is
83 clearly beyond the scope of this text.
87 It is also assumed that Samba has been correctly installed, either by way of installation
88 of the packages that are provided by the operating system vendor, or through other means.
92 <title>Stand-alone Server</title>
95 <indexterm><primary>Server Type</primary><secondary>Stand-alone</secondary></indexterm>
96 A Stand-alone Server implies no more than the fact that it is not a Domain Controller
97 and it does not participate in Domain Control. It can be a simple workgroup-like
98 server, or it may be a complex server that is a member of a domain security context.
102 <title>Anonymous Read-Only Document Server</title>
105 <indexterm><primary>read only</primary><secondary>server</secondary></indexterm>
106 The purpose of this type of server is to make available to any user
107 any documents or files that are placed on the shared resource. The
108 shared resource could be a CD-ROM drive, a CD-ROM image, or a file
113 As the examples are developed, every attempt is made to progress the
114 system toward greater capability, just as one might expect would happen
115 in a real business office as that office grows in size and its needs
119 <para>The configuration file is:</para>
121 <para><smbconfexample id="anon-example">
122 <title>Anonymous Read-Only Server Configuration</title>
123 <smbconfcomment>Global parameters</smbconfcomment>
124 <smbconfsection>[global]</smbconfsection>
125 <smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
126 <smbconfoption><name>netbios name</name><value>HOBBIT</value></smbconfoption>
127 <smbconfoption><name>security</name><value>share</value></smbconfoption>
129 <smbconfsection>[data]</smbconfsection>
130 <smbconfoption><name>comment</name><value>Data</value></smbconfoption>
131 <smbconfoption><name>path</name><value>/export</value></smbconfoption>
132 <smbconfoption><name>read only</name><value>Yes</value></smbconfoption>
133 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
139 The file system share point will be <filename>/export</filename>.
143 All files will be owned by a user called Jack Baumbach.
144 Jack's login name will be <emphasis>jackb</emphasis>. His password will be
145 <emphasis>m0r3pa1n</emphasis> &smbmdash; of course, that's just the example we are
146 using; do not use this in a production environment because
147 all readers of this document will know it.
152 <title>Installation Procedure &smbmdash; Read-Only Server</title>
154 Add the user to the system (with creation of the user's home directory). The -p option of useradd expects an already-hashed password, not clear text; passing the password in clear text stores an unusable hash and leaves the password in the shell history and in process listings, so set it with passwd instead:
156 &rootprompt;<userinput>useradd -c "Jack Baumbach" -m -g users jackb</userinput>
&rootprompt;<userinput>passwd jackb</userinput>
161 Create directory, and set permissions and ownership:
163 &rootprompt;<userinput>mkdir /export</userinput>
164 &rootprompt;<userinput>chmod u+rwx,g+rx,o+rx /export</userinput>
165 &rootprompt;<userinput>chown jackb:users /export</userinput>
170 Copy the files that should be shared to the <filename>/export</filename>
175 Install the Samba configuration file (<filename>/etc/samba/smb.conf</filename>)
180 Test the configuration file:
182 &rootprompt;<userinput>testparm</userinput>
184 Note any error messages that might be produced. Do not proceed until you
185 obtain error-free output. An example of the output with the following file
188 Load smb config files from /etc/samba/smb.conf
189 Processing section "[data]"
190 Loaded services file OK.
191 Server role: ROLE_STANDALONE
192 Press enter to see a dump of your service definitions
193 <userinput>[Press enter]</userinput>
198 netbios name = HOBBIT
210 Start Samba using the method applicable to your operating system
215 Configure your Microsoft Windows client for workgroup <emphasis>MIDEARTH</emphasis>,
216 set the machine name to ROBBINS, reboot, wait a few (2 - 5) minutes,
217 then open Windows Explorer and visit the network neighborhood.
218 The machine HOBBIT should be visible. When you click this machine
219 icon, it should open up to reveal the <emphasis>data</emphasis> share. After
220 clicking the share, it should open up to reveal the files previously
221 placed in the <filename>/export</filename> directory.
226 The information above (following # Global parameters) provides the complete
227 contents of the <filename>/etc/samba/smb.conf</filename> file. Note that the security = share
mode used here for anonymous access was removed in Samba 4.0; on current releases the same effect
is obtained with security = user together with map to guest = Bad User in the [global] section,
keeping guest ok = Yes on the share.
233 <title>Anonymous Read-Write Document Server</title>
236 <indexterm><primary>anonymous</primary><secondary>read-write server</secondary></indexterm>
237 We should view this configuration as a progression from the previous example.
238 The difference is that all access to the share, including writes, is now forced to the user identity of jackb
239 and to the primary group jackb belongs to. Because guest ok = Yes remains in force, any client
that can reach the server can write to <filename>/export</filename> as jackb without authenticating,
so use this only on a trusted network and only for a directory that holds nothing else. One other refinement we can make is to
240 add the user <emphasis>jackb</emphasis> to the <filename>smbpasswd</filename> file.
243 &rootprompt;<userinput>smbpasswd -a jackb</userinput>
244 New SMB password: <userinput>m0r3pa1n</userinput>
245 Retype new SMB password: <userinput>m0r3pa1n</userinput>
248 Addition of this user to the <filename>smbpasswd</filename> file allows all files
249 to be displayed in the Explorer Properties boxes as belonging to <emphasis>jackb</emphasis>
250 instead of to <emphasis>User Unknown</emphasis>.
254 The complete, modified &smb.conf; file is as shown in <link linkend="anon-rw"/>.
258 <smbconfexample id="anon-rw"><title>Modified Anonymous Read-Write smb.conf</title>
259 <smbconfcomment>Global parameters</smbconfcomment>
260 <smbconfsection>[global]</smbconfsection>
261 <smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
262 <smbconfoption><name>netbios name</name><value>HOBBIT</value></smbconfoption>
263 <smbconfoption><name>security</name><value>SHARE</value></smbconfoption>
265 <smbconfsection>[data]</smbconfsection>
266 <smbconfoption><name>comment</name><value>Data</value></smbconfoption>
267 <smbconfoption><name>path</name><value>/export</value></smbconfoption>
268 <smbconfoption><name>force user</name><value>jackb</value></smbconfoption>
269 <smbconfoption><name>force group</name><value>users</value></smbconfoption>
270 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
271 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
278 <title>Anonymous Print Server</title>
281 <indexterm><primary>anonymous</primary><secondary>print server</secondary></indexterm>
282 An anonymous print server serves two purposes:
287 It allows printing to all printers from a single location.
291 It reduces network traffic congestion due to many users trying
292 to access a limited number of printers.
297 In the simplest of anonymous print servers, it is common to require the installation
298 of the correct printer drivers on the Windows workstation. In this case the print
299 server will be designed to just pass print jobs through to the spooler, and the spooler
300 should be configured to do raw pass-through to the printer. In other words, the print
301 spooler should not filter or process the data stream being passed to the printer.
305 In this configuration it is undesirable to present the Add Printer Wizard and we do
306 not want to have automatic driver download, so we will disable it in the following
307 configuration. <link linkend="anon-print"></link> is the resulting &smb.conf; file.
311 <smbconfexample id="anon-print"><title>Anonymous Print Server smb.conf</title>
312 <smbconfcomment>Global parameters</smbconfcomment>
313 <smbconfsection>[global]</smbconfsection>
314 <smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
315 <smbconfoption><name>netbios name</name><value>LUTHIEN</value></smbconfoption>
316 <smbconfoption><name>security</name><value>share</value></smbconfoption>
317 <smbconfoption><name>printcap name</name><value>cups</value></smbconfoption>
318 <smbconfoption><name>disable spoolss</name><value>Yes</value></smbconfoption>
319 <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
320 <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
322 <smbconfsection>[printers]</smbconfsection>
323 <smbconfoption><name>comment</name><value>All Printers</value></smbconfoption>
324 <smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
325 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
326 <smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
327 <smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
328 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
333 The above configuration is not ideal. It uses no smart features, and it deliberately
334 presents a less than elegant solution. But it is basic, and it does print.
338 Windows users will need to install a local printer and, once the driver is installed, change the
339 printer port (the print-to device) so that it points at
340 the network printer on this machine.
344 Make sure that the directory <filename>/var/spool/samba</filename> is capable of being used
345 as intended. The following steps must be taken to achieve this:
350 The directory must be owned by the superuser (root) user and group:
352 &rootprompt;<userinput>chown root:root /var/spool/samba</userinput>
357 Directory permissions should be set for public read, write and search with the
358 sticky bit set, so that every client can create spool files but only the owner (or root) can remove them:
360 &rootprompt;<userinput>chmod 1777 /var/spool/samba</userinput>
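The ownership and mode rules above are easy to get wrong and easy to check. The following Python script is an added example, not code from the Samba HOWTO or the Samba project. It checks a spool directory for the root ownership, world read/write/search and sticky bit requested above, checks a file share directory such as <filename>/export</filename> for the opposite property (owned by the intended user and not world-writable, since a world-writable path lets local users bypass the read only and force user settings Samba applies to SMB clients), and demonstrates both on throw-away directories under a temporary path rather than on <filename>/var/spool/samba</filename>. The function names and the expect_uid parameter are this example's own.

```python
import os
import stat
import tempfile


def check_spool_dir(path, expect_uid=0):
    """Problems with a Samba print spool directory; an empty list means it is as the HOWTO asks.

    expect_uid defaults to root. The demo below passes the current uid because an
    unprivileged process cannot create root-owned directories.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    problems = []
    if st.st_uid != expect_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, expect_uid))
    perm = stat.S_IMODE(st.st_mode)          # permission bits incl. setuid/setgid/sticky
    if (perm & 0o777) != 0o777:
        problems.append("mode %o is not world read/write/search" % perm)
    if not perm & stat.S_ISVTX:
        problems.append("sticky bit not set: any client could delete other clients' spool files")
    return problems


def check_share_dir(path, expect_uid, expect_gid=None):
    """Problems with a file share directory such as /export; an empty list means OK."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    problems = []
    if st.st_uid != expect_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, expect_uid))
    if expect_gid is not None and st.st_gid != expect_gid:
        problems.append("group gid %d, expected %d" % (st.st_gid, expect_gid))
    perm = stat.S_IMODE(st.st_mode)
    if perm & stat.S_IWOTH:
        # Local users could then write to the path directly, bypassing the
        # read only / force user settings that Samba applies to SMB clients.
        problems.append("mode %o is world-writable" % perm)
    return problems


def demo():
    """Build four throw-away directories and return the check results for each (constructed data)."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        me = os.getuid()
        for name, mode in (("spool_ok", 0o1777), ("spool_bad", 0o755)):
            path = os.path.join(base, name)
            os.mkdir(path)
            os.chmod(path, mode)
            results[name] = check_spool_dir(path, expect_uid=me)
        for name, mode in (("share_ok", 0o770), ("share_bad", 0o777)):
            path = os.path.join(base, name)
            os.mkdir(path)
            os.chmod(path, mode)
            results[name] = check_share_dir(path, expect_uid=me)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

To check a real server, call check_spool_dir("/var/spool/samba") and check_share_dir("/export", expect_uid=pwd.getpwnam("jackb").pw_uid) as root; the demo only exercises the logic on directories it creates itself.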
367 <indexterm><primary>MIME</primary><secondary>raw</secondary></indexterm>
368 <indexterm><primary>raw printing</primary></indexterm>
369 On CUPS enabled systems there is a facility to pass raw data directly to the printer without
370 intermediate processing via CUPS print filters. Where use of this mode of operation is desired
371 it is necessary to configure a raw printing device. It is also necessary to enable the raw MIME
372 type in the <filename>/etc/cups/mime.convs</filename> and <filename>/etc/cups/mime.types</filename>
373 files. Refer to <link linkend="cups-raw"></link>.
379 <title>Secure Read-Write File and Print Server</title>
382 We progress now from simple systems to a server that is slightly more complex.
386 Our new server will require a public data storage area in which only authenticated
387 users (i.e., those with a local account) can store files, as well as a home directory for each user.
388 There will be one printer that should be available for everyone to use.
392 In this hypothetical environment (no espionage was conducted to obtain this data),
393 the site is demanding a simple environment that is <emphasis>secure enough</emphasis>
394 but not too difficult to use.
398 Site users will be: Jack Baumbach, Mary Orville and Amed Sehkah. Each will have
399 a password (not shown in further examples). Mary will be the printer administrator and will
400 own all files in the public share.
404 This configuration will be based on <emphasis>User Level Security</emphasis>, which
405 is the default, and for which the default is to store Microsoft Windows-compatible
406 encrypted passwords in a file called <filename>/etc/samba/smbpasswd</filename>.
407 The default &smb.conf; entry that makes this happen is:
408 <smbconfoption><name>passdb backend</name><value>smbpasswd, guest</value></smbconfoption>. Since this is the default
409 it is not necessary to enter it into the configuration file. Note that the guest backend is
410 appended to the list of active passdb backends whether or not it is specified directly in the Samba configuration.
416 <title>Installing the Secure Office Server</title>
418 <indexterm><primary>office server</primary></indexterm>
419 Add all users to the Operating System. Do not pass clear-text passwords to useradd -p (it expects an already-hashed value and would expose the password in the shell history); set each password with passwd afterwards:
421 &rootprompt;<userinput>useradd -c "Jack Baumbach" -m -g users jackb</userinput>
422 &rootprompt;<userinput>useradd -c "Mary Orville" -m -g users maryo</userinput>
423 &rootprompt;<userinput>useradd -c "Amed Sehkah" -m -g users ameds</userinput>
&rootprompt;<userinput>passwd jackb; passwd maryo; passwd ameds</userinput>
428 Configure the Samba &smb.conf; file as shown in <link linkend="OfficeServer"/>.
429 <smbconfexample id="OfficeServer">
430 <title>Secure Office Server smb.conf</title>
431 <smbconfcomment>Global parameters</smbconfcomment>
432 <smbconfsection>[global]</smbconfsection>
433 <smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
434 <smbconfoption><name>netbios name</name><value>OLORIN</value></smbconfoption>
435 <smbconfoption><name>printcap name</name><value>cups</value></smbconfoption>
436 <smbconfoption><name>disable spoolss</name><value>Yes</value></smbconfoption>
437 <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
438 <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
440 <smbconfsection>[homes]</smbconfsection>
441 <smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
442 <smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
443 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
444 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
446 <smbconfsection>[public]</smbconfsection>
447 <smbconfoption><name>comment</name><value>Data</value></smbconfoption>
448 <smbconfoption><name>path</name><value>/export</value></smbconfoption>
449 <smbconfoption><name>force user</name><value>maryo</value></smbconfoption>
450 <smbconfoption><name>force group</name><value>users</value></smbconfoption>
451 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
<smbconfoption><name>guest ok</name><value>No</value></smbconfoption>
453 <smbconfsection>[printers]</smbconfsection>
454 <smbconfoption><name>comment</name><value>All Printers</value></smbconfoption>
455 <smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
456 <smbconfoption><name>printer admin</name><value>root, maryo</value></smbconfoption>
457 <smbconfoption><name>create mask</name><value>0600</value></smbconfoption>
458 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
459 <smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
460 <smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
461 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
466 Initialize the Microsoft Windows password database with the new users:
468 &rootprompt;<userinput>smbpasswd -a root</userinput>
469 New SMB password: <userinput>bigsecret</userinput>
470 Reenter smb password: <userinput>bigsecret</userinput>
473 &rootprompt;<userinput>smbpasswd -a jackb</userinput>
474 New SMB password: <userinput>m0r3pa1n</userinput>
475 Retype new SMB password: <userinput>m0r3pa1n</userinput>
478 &rootprompt;<userinput>smbpasswd -a maryo</userinput>
479 New SMB password: <userinput>secret</userinput>
480 Reenter smb password: <userinput>secret</userinput>
483 &rootprompt;<userinput>smbpasswd -a ameds</userinput>
484 New SMB password: <userinput>mysecret</userinput>
485 Reenter smb password: <userinput>mysecret</userinput>
491 Install printer using the CUPS Web interface. Make certain that all
492 printers that will be shared with Microsoft Windows clients are installed
493 as raw printing devices.
497 Start Samba using the operating system administrative interface.
498 Alternately, this can be done manually by running:
499 <indexterm><primary>smbd</primary></indexterm>
500 <indexterm><primary>nmbd</primary></indexterm>
501 <indexterm><primary>starting samba</primary><secondary>smbd</secondary></indexterm>
502 <indexterm><primary>starting samba</primary><secondary>nmbd</secondary></indexterm>
504 &rootprompt;<userinput> nmbd; smbd;</userinput>
509 Configure the <filename>/export</filename> directory:
511 &rootprompt;<userinput>mkdir /export</userinput>
512 &rootprompt;<userinput>chown maryo:users /export</userinput>
513 &rootprompt;<userinput>chmod u=rwx,g=rwx,o-rwx /export</userinput>
518 Check that Samba is running correctly:
520 &rootprompt;<userinput>smbclient -L localhost -U%</userinput>
521 Domain=[MIDEARTH] OS=[UNIX] Server=[Samba-3.0.0]
523 Sharename Type Comment
524 --------- ---- -------
526 IPC$ IPC IPC Service (Samba-3.0.0)
527 ADMIN$ IPC IPC Service (Samba-3.0.0)
541 Connect to OLORIN as maryo (passing the password on the command line, as here, exposes it to other local users through the process list and the shell history; omit the %secret part to be prompted for it instead):
543 &rootprompt;<userinput>smbclient //olorin/maryo -Umaryo%secret</userinput>
544 OS=[UNIX] Server=[Samba-3.0.0]
545 smb: \> <userinput>dir</userinput>
546 . D 0 Sat Jun 21 10:58:16 2003
547 .. D 0 Sat Jun 21 10:54:32 2003
548 Documents D 0 Fri Apr 25 13:23:58 2003
549 DOCWORK D 0 Sat Jun 14 15:40:34 2003
550 OpenOffice.org D 0 Fri Apr 25 13:55:16 2003
551 .bashrc H 1286 Fri Apr 25 13:23:58 2003
552 .netscape6 DH 0 Fri Apr 25 13:55:13 2003
553 .mozilla DH 0 Wed Mar 5 11:50:50 2003
554 .kermrc H 164 Fri Apr 25 13:23:58 2003
555 .acrobat DH 0 Fri Apr 25 15:41:02 2003
557 55817 blocks of size 524288. 34725 blocks available
558 smb: \> <userinput>q</userinput>
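The anonymous read-write example and the secure office example above differ in only a few lines, and it is exactly those lines (guest ok, read only, force user, security) that decide whether a share can be written to without authentication. The following Python script is an added example, not code from the Samba HOWTO or the Samba project. It parses the smb.conf syntax, folding Samba's synonyms (writable and writeable for read only, public for guest ok) and the share-then-global-then-default lookup order, and flags anonymous writable shares, force user applied to unauthenticated clients, a [homes] section without valid users = %S, and the security = share mode that Samba 4.0 removed. The two embedded configurations are constructed from this chapter; the function and rule names are this example's own.

```python
import re
import sys
from collections import OrderedDict

# Samba parameter synonyms; the flag marks inverted ones (writable = yes means read only = no).
_SYNONYMS = {"writable": ("read only", True), "writeable": ("read only", True),
             "write ok": ("read only", True), "public": ("guest ok", False)}
_TRUE = {"yes", "true", "1"}


def parse_smbconf(text):
    """Return {section: {parameter: value}} with names lower-cased and synonyms folded."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # Samba only treats whole-line comments
            continue
        match = re.match(r"\[(.+)\]$", line)
        if match:
            current = match.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        name = " ".join(name.lower().split())
        if name in _SYNONYMS:
            name, inverted = _SYNONYMS[name]
            if inverted:
                value = "no" if value.lower() in _TRUE else "yes"
        sections[current][name] = value
    return sections


def _is_yes(cfg, share, param, default="no"):
    """Boolean value of a share parameter: share section, then [global], then Samba's default."""
    value = cfg.get(share, {}).get(param)
    if value is None:
        value = cfg.get("global", {}).get(param, default)
    return value.lower() in _TRUE


def audit(text):
    """Return a list of (section, finding) tuples; an empty list means nothing was flagged."""
    cfg = parse_smbconf(text)
    findings = []
    if cfg.get("global", {}).get("security", "user").lower() == "share":
        findings.append(("global", "security = share was removed in Samba 4.0; "
                                   "use security = user with map to guest = Bad User"))
    for share, params in cfg.items():
        if share == "global":
            continue
        guest = _is_yes(cfg, share, "guest ok")
        read_only = _is_yes(cfg, share, "read only", default="yes")
        printable = _is_yes(cfg, share, "printable")
        if guest and not read_only and not printable:
            who = " as %s" % params["force user"] if "force user" in params else ""
            findings.append((share, "anonymous clients can write to this share" + who))
        if share == "homes" and params.get("valid users", "").strip() != "%S":
            findings.append((share, "[homes] without valid users = %S lets any authenticated "
                                    "user connect to every other user's home share"))
    return findings


# Constructed samples: the anonymous read-write example above, and the secure
# office example with guest access to [public] turned off.
SAMPLE_ANON_RW = """
[global]
workgroup = MIDEARTH
netbios name = HOBBIT
security = SHARE
[data]
path = /export
force user = jackb
force group = users
read only = No
guest ok = Yes
"""
SAMPLE_OFFICE = """
[global]
workgroup = MIDEARTH
netbios name = OLORIN
[homes]
valid users = %S
read only = No
[public]
path = /export
force user = maryo
read only = No
guest ok = No
[printers]
path = /var/spool/samba
guest ok = Yes
printable = Yes
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ANON_RW
    for section, finding in audit(text) or [("-", "no findings")]:
        print("[%s] %s" % (section, finding))
```

Run it as python3 audit.py /etc/samba/smb.conf after editing the file and before starting Samba; it complements testparm, which checks syntax but does not judge whether a share should be anonymous.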
566 By now you should be getting the hang of configuration basics. Clearly, it is time to
567 explore slightly more complex examples. For the remainder of this chapter we will abbreviate
568 instructions since there are previous examples.
574 <title>Domain Member Server</title>
578 <indexterm><primary>Server Type</primary><secondary>Domain Member</secondary></indexterm>
579 In this instance we will consider the simplest server configuration we can get away with
580 to make an accounting department happy. Let's be warned, the users are accountants and they
581 do have some nasty demands. There is a budget for only one server for this department.
585 The network is managed by an internal Information Services Group (ISG), to which we belong.
586 Internal politics are typical of a medium-sized organization; Human Resources is of the
587 opinion that they run the ISG because they are always adding and disabling users. Also,
588 departmental managers have to fight tooth and nail to gain basic network resources access for
589 their staff. Accounting is different though, they get exactly what they want. So this should
594 We will use the users from the last example. The accounting department
595 has a general printer that all departmental users may use. There is also a check printer
596 that may be used only by the person who has authority to print checks. The Chief Financial
597 Officer (CFO) wants that printer to be completely restricted and for it to be located in the
598 private storage area in her office. It therefore must be a network printer.
602 Accounting department uses an accounting application called <emphasis>SpytFull</emphasis>
603 that must be run from a central application server. The software is licensed to run only off
604 one server, there are no workstation components, and it is run off a mapped share. The data
605 store is in a UNIX-based SQL backend. The UNIX gurus look after that, so is not our
610 The accounting department manager (maryo) wants a general filing system as well as a separate
611 file storage area for form letters (nastygrams). The form letter area should be read-only to
612 all accounting staff except the manager. The general filing system has to have a structured
613 layout with a general area for all staff to store general documents, as well as a separate
614 file area for each member of her team that is private to that person, but she wants full
615 access to all areas. Users must have a private home share for personal work-related files
616 and for materials not related to departmental operations.
620 <title>Example Configuration</title>
623 The server <emphasis>valinor</emphasis> will be a member server of the company domain.
624 Accounting will have only a local server. User accounts will be on the Domain Controllers
625 as will desktop profiles and all network policy files.
630 Do not add users to the UNIX/Linux server; all of this will run off the
635 Configure &smb.conf; according to <link linkend="fast-member-server"/>
636 and <link linkend="fast-memberserver-shares"></link>.
640 <smbconfexample id="fast-member-server">
641 <title>Member server smb.conf (globals)</title>
642 <smbconfcomment>Global parameters</smbconfcomment>
643 <smbconfsection>[global]</smbconfsection>
644 <smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
645 <smbconfoption><name>netbios name</name><value>VALINOR</value></smbconfoption>
646 <smbconfoption><name>security</name><value>DOMAIN</value></smbconfoption>
647 <smbconfoption><name>printcap name</name><value>cups</value></smbconfoption>
648 <smbconfoption><name>disable spoolss</name><value>Yes</value></smbconfoption>
649 <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
650 <smbconfoption><name>idmap uid</name><value>15000-20000</value></smbconfoption>
651 <smbconfoption><name>idmap gid</name><value>15000-20000</value></smbconfoption>
652 <smbconfoption><name>winbind separator</name><value>+</value></smbconfoption>
653 <smbconfoption><name>winbind use default domain</name><value>Yes</value></smbconfoption>
654 <smbconfoption><name>use sendfile</name><value>Yes</value></smbconfoption>
655 <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
656 </smbconfexample></para>
659 <smbconfexample id="fast-memberserver-shares">
660 <title>Member server smb.conf (shares and services)</title>
661 <smbconfsection>[homes]</smbconfsection>
662 <smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
663 <smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
664 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
665 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
667 <smbconfsection>[spytfull]</smbconfsection>
668 <smbconfoption><name>comment</name><value>Accounting Application Only</value></smbconfoption>
669 <smbconfoption><name>path</name><value>/export/spytfull</value></smbconfoption>
670 <smbconfoption><name>valid users</name><value>@Accounts</value></smbconfoption>
671 <smbconfoption><name>admin users</name><value>maryo</value></smbconfoption>
672 <smbconfoption><name>read only</name><value>Yes</value></smbconfoption>
674 <smbconfsection>[public]</smbconfsection>
675 <smbconfoption><name>comment</name><value>Data</value></smbconfoption>
676 <smbconfoption><name>path</name><value>/export/public</value></smbconfoption>
677 <smbconfoption><name>read only</name><value>No</value></smbconfoption>
679 <smbconfsection>[printers]</smbconfsection>
680 <smbconfoption><name>comment</name><value>All Printers</value></smbconfoption>
681 <smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
682 <smbconfoption><name>printer admin</name><value>root, maryo</value></smbconfoption>
683 <smbconfoption><name>create mask</name><value>0600</value></smbconfoption>
684 <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
685 <smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
686 <smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
687 <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
693 <indexterm><primary>net</primary><secondary>rpc</secondary></indexterm>
694 Join the domain, using an account that is allowed to add machines to it (root as shown, or a member of Domain Admins on the Domain Controller; the password given after % is visible in the process list and shell history, so omit it to be prompted). Note: Do not start Samba until this step has been completed!
696 &rootprompt;<userinput>net rpc join -Uroot%'bigsecret'</userinput>
697 Joined domain MIDEARTH.
702 Make absolutely certain that you disable (shut down) the <command>nscd</command>
703 daemon on any system on which <command>winbind</command> is configured to run.
707 Start Samba following the normal method for your operating system platform.
708 If you wish to this manually execute as root:
709 <indexterm><primary>smbd</primary></indexterm>
710 <indexterm><primary>nmbd</primary></indexterm>
711 <indexterm><primary>winbindd</primary></indexterm>
712 <indexterm><primary>starting samba</primary><secondary>smbd</secondary></indexterm>
713 <indexterm><primary>starting samba</primary><secondary>nmbd</secondary></indexterm>
714 <indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
716 &rootprompt;<userinput>nmbd; smbd; winbindd;</userinput>
721 Configure the name service switch control file on your system to resolve user and group names
722 via winbind. Edit the following lines in <filename>/etc/nsswitch.conf</filename> (the group line is required so that domain groups such as Accounts, used in valid users and in the chown below, can be resolved):
724 passwd: files winbind
group:  files winbind
726 hosts:  files dns winbind
731 Set the password for <command>wbinfo</command> to use:
733 &rootprompt;<userinput>wbinfo --set-auth-user=root%'bigsecret'</userinput>
738 Validate that domain user and group credentials can be correctly resolved by executing:
740 &rootprompt;<userinput>wbinfo -u</userinput>
747 &rootprompt;<userinput>wbinfo -g</userinput>
748 MIDEARTH+Domain Users
749 MIDEARTH+Domain Admins
750 MIDEARTH+Domain Guests
757 Check that <command>winbind</command> is working. The following demonstrates correct
758 username resolution via the <command>getent</command> system utility:
760 &rootprompt;<userinput>getent passwd maryo</userinput>
761 maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
766 A final test that we have this under control might be reassuring (create <filename>/export</filename> first if it does not yet exist):
&rootprompt;<userinput>mkdir -p /export</userinput>
768 &rootprompt;<userinput>touch /export/a_file</userinput>
769 &rootprompt;<userinput>chown maryo /export/a_file</userinput>
770 &rootprompt;<userinput>ls -al /export/a_file</userinput>
772 -rw-r--r-- 1 maryo root 0 Jun 21 15:32 a_file
775 &rootprompt;<userinput>rm /export/a_file</userinput>
780 Configuration is now mostly complete, so this is an opportune time
781 to configure the directory structure for this site. The setgid bit on the group keeps files
created in these directories in the Accounts group; Accounts is a domain group and must resolve through
winbind (check with getent group Accounts) for the chown to succeed:
783 &rootprompt;<userinput>mkdir -p /export/{spytfull,public}</userinput>
784 &rootprompt;<userinput>chmod u=rwx,g=rwxs,o=x /export/{spytfull,public}</userinput>
785 &rootprompt;<userinput>chown maryo:Accounts /export/{spytfull,public}</userinput>
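The wbinfo, getent and chown steps above verify the join by eye. The following Python script is an added example, not code from the Samba HOWTO or the Samba project. It encodes the same checks against the VALINOR settings (idmap uid and idmap gid of 15000-20000, the default template shell of /bin/false) so that they can be re-run after every join, and adds one the chapter does not show: a local /etc/passwd account whose uid lies inside the idmap range shares its uid, and therefore its files, with whichever domain user winbind happens to map onto that number. The sample texts are constructed from this chapter; run_live() and the function names are this example's own.

```python
import subprocess

IDMAP_LO, IDMAP_HI = 15000, 20000   # idmap uid / idmap gid = 15000-20000 in the VALINOR config


def nsswitch_missing_winbind(text):
    """Return the passwd/group databases in an nsswitch.conf that do not list winbind."""
    missing = {"passwd", "group"}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        database, sources = line.split(":", 1)
        database = database.strip()
        if database in missing and "winbind" in sources.split():
            missing.discard(database)
    return sorted(missing)


def check_passwd_entry(line):
    """Problems with a 'getent passwd <user>' line for a domain user; an empty list means OK."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        return ["malformed passwd entry"]
    _name, _pw, uid, gid, _gecos, _home, shell = fields
    problems = []
    for label, value in (("uid", uid), ("gid", gid)):
        if not value.isdigit() or not IDMAP_LO <= int(value) <= IDMAP_HI:
            problems.append("%s %s is outside the idmap range %d-%d, so this is not a "
                            "winbind-mapped account" % (label, value, IDMAP_LO, IDMAP_HI))
    if shell != "/bin/false":
        problems.append("shell %s permits interactive logins for a domain account" % shell)
    return problems


def local_accounts_in_idmap_range(passwd_text):
    """(name, uid) of local /etc/passwd entries whose uid falls inside the idmap range.

    winbind allocates uids from that range for domain SIDs, so such a local
    account would share a uid with some domain user and therefore its files.
    """
    clashes = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit() and IDMAP_LO <= int(fields[2]) <= IDMAP_HI:
            clashes.append((fields[0], int(fields[2])))
    return clashes


# Constructed samples: the nsswitch lines and the getent result from this chapter,
# plus a local passwd file with one deliberately clashing account.
SAMPLE_NSSWITCH = """\
passwd: files winbind
group:  files winbind
hosts:  files dns winbind
"""
SAMPLE_GETENT = "maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false"
SAMPLE_LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jackb:x:1001:100:Jack Baumbach:/home/jackb:/bin/bash
scanner:x:15002:100:Scanner daemon:/var/lib/scanner:/bin/false
"""


def run_live(user="maryo"):
    """Run the same checks on the real system (needs winbindd running and getent present)."""
    with open("/etc/nsswitch.conf") as handle:
        nss = nsswitch_missing_winbind(handle.read())
    entry = subprocess.run(["getent", "passwd", user], capture_output=True, text=True).stdout
    with open("/etc/passwd") as handle:
        clashes = local_accounts_in_idmap_range(handle.read())
    return nss, (check_passwd_entry(entry) if entry else ["%s does not resolve" % user]), clashes


if __name__ == "__main__":
    print("nsswitch databases missing winbind:", nsswitch_missing_winbind(SAMPLE_NSSWITCH))
    print("getent entry:", check_passwd_entry(SAMPLE_GETENT) or "OK")
    print("local uids inside idmap range:", local_accounts_in_idmap_range(SAMPLE_LOCAL_PASSWD))
```

If run_live() reports a clash, either move the local account's uid out of the range or pick an idmap range above every uid in use locally before the first domain user is mapped; changing the range afterwards re-maps every domain SID and orphans the files already created.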
795 <title>Domain Controller</title>
799 <indexterm><primary>Server Type</primary><secondary>Domain Controller</secondary></indexterm>
800 For the remainder of this chapter the focus is on the configuration of Domain Control.
801 The examples that follow are for two implementation strategies. Remember, our objective is
802 to create a simple but working solution. The remainder of this book should help to highlight
803 opportunities for greater functionality and the complexity that goes with it.
807 A Domain Controller configuration can be achieved with a simple configuration using the new
808 tdbsam password backend. This type of configuration is good for small
809 offices, but has limited scalability (cannot be replicated) and performance can be expected
810 to fall as the size and complexity of the domain increases.
814 The use of tdbsam is best limited to sites that do not need
815 more than a primary Domain Controller (PDC). As the size of a domain grows the need
816 for additional Domain Controllers becomes apparent. Do not attempt to under-resource
817 a Microsoft Windows network environment; Domain Controllers provide essential
818 authentication services. The following are symptoms of an under-resourced Domain Control
824 Domain logons intermittently fail.
828 File access on a Domain Member server intermittently fails, giving a permission denied
834 A more scalable Domain Control authentication backend option might use
835 Microsoft Active Directory, or an LDAP-based backend. Samba-3 provides
836 for both options as a Domain Member server. As a PDC Samba-3 is not able to provide
837 an exact alternative to the functionality that is available with Active Directory.
838 Samba-3 can provide a scalable LDAP-based PDC/BDC solution.
842 The tdbsam authentication backend provides no facility to replicate
843 the contents of the database, except by external means. (i.e., there is no self-contained protocol
844 in Samba-3 for Security Account Manager database [SAM] replication.)
848 If you need more than one Domain Controller, do not use a tdbsam authentication backend.
852 <title>Example: Engineering Office</title>
855 The engineering office network server we present here is designed to demonstrate use
856 of the new tdbsam password backend. The tdbsam
857 facility is new to Samba-3. It is designed to provide many user and machine account controls
858 that are possible with Microsoft Windows NT4. It is safe to use this in smaller networks.
863 A working PDC configuration using the tdbsam
864 password backend can be found in <link linkend="fast-engoffice-global"></link> together with
865 <link linkend="fast-engoffice-shares"></link>:
<indexterm><primary>pdbedit</primary></indexterm>
<smbconfexample id="fast-engoffice-global">
<title>Engineering Office smb.conf (globals)</title>
<smbconfsection>[global]</smbconfsection>
<smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
<smbconfoption><name>netbios name</name><value>FRODO</value></smbconfoption>
<smbconfoption><name>passdb backend</name><value>tdbsam</value></smbconfoption>
<smbconfoption><name>printcap name</name><value>cups</value></smbconfoption>
<smbconfoption><name>add user script</name><value>/usr/sbin/useradd -m %u</value></smbconfoption>
<smbconfoption><name>delete user script</name><value>/usr/sbin/userdel -r %u</value></smbconfoption>
<smbconfoption><name>add group script</name><value>/usr/sbin/groupadd %g</value></smbconfoption>
<smbconfoption><name>delete group script</name><value>/usr/sbin/groupdel %g</value></smbconfoption>
<smbconfoption><name>add user to group script</name><value>/usr/sbin/usermod -G %g %u</value></smbconfoption>
<smbconfoption><name>add machine script</name><value>/usr/sbin/useradd -s /bin/false \</value></smbconfoption>
<member><parameter> -d /dev/null %u</parameter></member>
<smbconfcomment>Note: The following specifies the default logon script.</smbconfcomment>
<smbconfcomment>Per user logon scripts can be specified in the user account using pdbedit </smbconfcomment>
<smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
<smbconfcomment>This sets the default profile path. Set per user paths with pdbedit</smbconfcomment>
<smbconfoption><name>logon path</name><value>\\%L\Profiles\%U</value></smbconfoption>
<smbconfoption><name>logon drive</name><value>H:</value></smbconfoption>
<smbconfoption><name>logon home</name><value>\\%L\%U</value></smbconfoption>
<smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
<smbconfoption><name>os level</name><value>35</value></smbconfoption>
<smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
<smbconfoption><name>domain master</name><value>Yes</value></smbconfoption>
<smbconfoption><name>idmap uid</name><value>15000-20000</value></smbconfoption>
<smbconfoption><name>idmap gid</name><value>15000-20000</value></smbconfoption>
<smbconfoption><name>printing</name><value>cups</value></smbconfoption>
<smbconfexample id="fast-engoffice-shares">
<title>Engineering Office smb.conf (shares and services)</title>
<smbconfsection>[homes]</smbconfsection>
<smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
<smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
<smbconfoption><name>read only</name><value>No</value></smbconfoption>
<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
<smbconfcomment>Printing auto-share (makes printers available through CUPS)</smbconfcomment>
<smbconfsection>[printers]</smbconfsection>
<smbconfoption><name>comment</name><value>All Printers</value></smbconfoption>
<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
<smbconfoption><name>printer admin</name><value>root, maryo</value></smbconfoption>
<smbconfoption><name>create mask</name><value>0600</value></smbconfoption>
<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
<smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
<smbconfsection>[print$]</smbconfsection>
<smbconfoption><name>comment</name><value>Printer Drivers Share</value></smbconfoption>
<smbconfoption><name>path</name><value>/var/lib/samba/drivers</value></smbconfoption>
<smbconfoption><name>write list</name><value>maryo, root</value></smbconfoption>
<smbconfoption><name>printer admin</name><value>maryo, root</value></smbconfoption>
<smbconfcomment>Needed to support domain logons</smbconfcomment>
<smbconfsection>[netlogon]</smbconfsection>
<smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption>
<smbconfoption><name>path</name><value>/var/lib/samba/netlogon</value></smbconfoption>
<smbconfoption><name>admin users</name><value>root, maryo</value></smbconfoption>
<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
<smbconfcomment>For profiles to work, create a user directory under the path</smbconfcomment>
<smbconfcomment> shown. i.e., mkdir -p /var/lib/samba/profiles/maryo</smbconfcomment>
<smbconfsection>[Profiles]</smbconfsection>
<smbconfoption><name>comment</name><value>Roaming Profile Share</value></smbconfoption>
<smbconfoption><name>path</name><value>/var/lib/samba/profiles</value></smbconfoption>
<smbconfoption><name>read only</name><value>No</value></smbconfoption>
<smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
<smbconfcomment>Other resource (share/printer) definitions would follow below.</smbconfcomment>
Create UNIX group accounts as needed using a suitable operating system tool:
&rootprompt;<userinput>groupadd ntadmins</userinput>
&rootprompt;<userinput>groupadd designers</userinput>
&rootprompt;<userinput>groupadd engineers</userinput>
&rootprompt;<userinput>groupadd qateam</userinput>
Create user accounts on the system using the appropriate tool
provided with the operating system. Make sure that all user home directories
are also created. Add users to groups as required for access control
on files, directories, printers, and as required for use in the Samba
<indexterm><primary>net</primary><secondary>groupmap</secondary></indexterm>
<indexterm><primary>initGroups.sh</primary></indexterm>
Assign each of the UNIX groups to NT groups:
(It may be useful to copy this text to a shell script called
<filename>initGroups.sh</filename>.)
<smbfile name="initGroups.sh">
<title>Shell script for initializing group mappings</title>
#### Keep this as a shell script for future re-use
# First assign well known groups
net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins rid=512
net groupmap modify ntgroup="Domain Users" unixgroup=users rid=513
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody rid=514
# Now for our added Domain Groups
net groupmap add ntgroup="Designers" unixgroup=designers type=d rid=1112
net groupmap add ntgroup="Engineers" unixgroup=engineers type=d rid=1113
net groupmap add ntgroup="QA Team" unixgroup=qateam type=d rid=1114
Create the <filename>scripts</filename> directory for use in the
<smbconfsection>[NETLOGON]</smbconfsection> share:
&rootprompt;<userinput>mkdir -p /var/lib/samba/netlogon/scripts</userinput>
Place the logon scripts that will be used (batch or cmd scripts)
The above configuration provides a functional Primary Domain Controller (PDC)
system to which must be added file shares and printers as required.
<title>A Big Organization</title>
In this section we finally get to review in brief a Samba-3 configuration that
uses a Lightweight Directory Access Protocol (LDAP)-based authentication backend. The
main reasons for this choice are to provide the ability to host both a Primary
Domain Controller (PDC) and Backup Domain Controllers (BDCs), as well as to enable a higher degree of
scalability to meet the needs of a very distributed environment.
<title>The Primary Domain Controller</title>
This is an example of a minimal configuration to run a Samba-3 PDC
using an LDAP authentication backend. It is assumed that the operating system
has been correctly configured.
The Idealx scripts (or equivalent) are needed to manage LDAP-based POSIX and/or
SambaSamAccount entries. The Idealx scripts may be downloaded from the <ulink url="http://www.idealx.org">
Idealx</ulink> Web site. They may also be obtained from the Samba tarball. Linux
distributions tend to install the Idealx scripts in the
<filename>/usr/share/doc/packages/sambaXXXXXX/examples/LDAP/smbldap-tools</filename> directory.
Idealx scripts version <constant>smbldap-tools-0.8.2</constant> are known to work well.
Obtain from the Samba sources <filename>~/examples/LDAP/samba.schema</filename>
and copy it to the <filename>/etc/openldap/schema/</filename> directory.
Set up the LDAP server. This example is suitable for OpenLDAP 2.1.x.
The <filename>/etc/openldap/slapd.conf</filename> file:
<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
<smbfile name="slapd.conf"><title>Example slapd.conf file</title>
# Note commented out lines have been removed
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
suffix "dc=quenya,dc=org"
rootdn "cn=Manager,dc=quenya,dc=org"
rootpw {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P
# The password for the above is 'nastyon3'
directory /var/lib/ldap
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
Create the following file <filename>samba-ldap-init.ldif</filename>:
<indexterm><primary>samba-ldap-init.ldif</primary></indexterm>
<smbfile name="samba-ldap-init.ldif">
# Organization for SambaXP Demo
dn: dc=quenya,dc=org
objectclass: dcObject
objectclass: organization
dc: quenya
description: The SambaXP Demo LDAP Tree

# Organizational Role for Directory Management
dn: cn=Manager,dc=quenya,dc=org
objectclass: organizationalRole
cn: Manager
description: Directory Manager

# Setting up the container for users
dn: ou=People, dc=quenya, dc=org
objectclass: organizationalUnit
ou: People

# Set up an admin handle for People OU
dn: cn=admin, ou=People, dc=quenya, dc=org
objectclass: organizationalRole
objectclass: simpleSecurityObject
cn: admin
userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
# The password for above is 'mordonL8'
Load the initial data above into the LDAP database:
&rootprompt;<userinput>slapadd -v -l samba-ldap-init.ldif</userinput>
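The rootpw in the slapd.conf above and the userPassword in this LDIF are {SSHA} values, and the plaintext of both is printed on this page, so any real deployment must replace them with its own hashes. The following Python is an added example, not part of the Samba HOWTO or of OpenLDAP, showing how the {SSHA} scheme is constructed (base64 of the SHA-1 digest of password plus salt, followed by the salt) and how a password is verified against one; slappasswd -h '{SSHA}' produces the same format. The function names, the fixed salt and the sample password are assumptions of the example.

```python
"""Generate and verify OpenLDAP-style {SSHA} password hashes.

Added example; not Samba or OpenLDAP code. Format assumed (and matched by
slappasswd): "{SSHA}" + base64( sha1(password + salt) + salt ), where the
salt is normally 4 random bytes appended after the 20-byte digest.
"""
import base64
import hashlib
import hmac
import os

DIGEST_LEN = 20  # SHA-1 digest length in bytes


def ssha_hash(password, salt=None):
    """Return an {SSHA} string for password; salt is 4 random bytes unless given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check password against a stored {SSHA} value (scheme tag is case-insensitive)."""
    if stored[:6].upper() != "{SSHA}":
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[6:])
    if len(blob) <= DIGEST_LEN:          # no salt present: malformed
        return False
    digest, salt = blob[:DIGEST_LEN], blob[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison, so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: a fresh hash for a password that exists only here.
    stored = ssha_hash("example-only-passphrase")
    print(stored)
    print("correct password verifies:", ssha_verify("example-only-passphrase", stored))
    print("wrong password verifies:  ", ssha_verify("something-else", stored))
```

Paste the generated string into slapd.conf as rootpw or into the LDIF as userPassword in place of the published values; OpenLDAP reads the scheme tag and salt from the value itself, so no other change is needed.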
Start the LDAP server using the appropriate tool or method for
the operating system platform on which it is installed.
Install the Idealx script files in the <filename>/usr/local/sbin</filename> directory,
then configure the smbldap_conf.pm file to match your system configuration.
The &smb.conf; file that drives this backend can be found in example <link linkend="fast-ldap"/>.
<smbconfexample id="fast-ldap">
<title>LDAP backend smb.conf for PDC</title>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection>[global]</smbconfsection>
<smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
<smbconfoption><name>netbios name</name><value>FRODO</value></smbconfoption>
<smbconfoption><name>passdb backend</name><value>ldapsam:ldap://localhost</value></smbconfoption>
<smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
<smbconfoption><name>printcap name</name><value>cups</value></smbconfoption>
<smbconfoption><name>add user script</name><value>/usr/local/sbin/smbldap-useradd.pl -m '%u'</value></smbconfoption>
<smbconfoption><name>delete user script</name><value>/usr/local/sbin/smbldap-userdel.pl %u</value></smbconfoption>
<smbconfoption><name>add group script</name><value>/usr/local/sbin/smbldap-groupadd.pl -p '%g'</value></smbconfoption>
<smbconfoption><name>delete group script</name><value>/usr/local/sbin/smbldap-groupdel.pl '%g'</value></smbconfoption>
<smbconfoption><name>add user to group script</name><value>/usr/local/sbin/ \</value></smbconfoption>
<member><parameter>smbldap-groupmod.pl -m '%g' '%u'</parameter></member>
<smbconfoption><name>delete user from group script</name><value>/usr/local/sbin/ \</value></smbconfoption>
<member><parameter>smbldap-groupmod.pl -x '%g' '%u'</parameter></member>
<smbconfoption><name>set primary group script</name><value>/usr/local/sbin/ \</value></smbconfoption>
<member><parameter>smbldap-usermod.pl -g '%g' '%u'</parameter></member>
<smbconfoption><name>add machine script</name><value>/usr/local/sbin/smbldap-useradd.pl -w '%u'</value></smbconfoption>
<smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
<smbconfoption><name>logon path</name><value>\\%L\Profiles\%U</value></smbconfoption>
<smbconfoption><name>logon drive</name><value>H:</value></smbconfoption>
<smbconfoption><name>logon home</name><value>\\%L\%U</value></smbconfoption>
<smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
<smbconfoption><name>os level</name><value>35</value></smbconfoption>
<smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
<smbconfoption><name>domain master</name><value>Yes</value></smbconfoption>
<smbconfoption><name>ldap suffix</name><value>dc=quenya,dc=org</value></smbconfoption>
<smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
<smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
<smbconfoption><name>ldap group suffix</name><value>ou=People</value></smbconfoption>
<smbconfoption><name>ldap idmap suffix</name><value>ou=People</value></smbconfoption>
<smbconfoption><name>ldap admin dn</name><value>cn=Manager</value></smbconfoption>
<smbconfoption><name>ldap ssl</name><value>no</value></smbconfoption>
<smbconfoption><name>ldap passwd sync</name><value>Yes</value></smbconfoption>
<smbconfoption><name>idmap uid</name><value>15000-20000</value></smbconfoption>
<smbconfoption><name>idmap gid</name><value>15000-20000</value></smbconfoption>
<smbconfoption><name>winbind separator</name><value>+</value></smbconfoption>
<smbconfoption><name>printing</name><value>cups</value></smbconfoption>
<member>...</member>
Add the LDAP password to the <filename>secrets.tdb</filename> file so Samba can update
&rootprompt;<userinput>smbpasswd -w mordonL8</userinput>
Add users and groups as required. Users and groups added using Samba tools
will automatically be added to both the LDAP backend as well as to the operating
<title>Backup Domain Controller</title>
<link linkend="fast-bdc"/> shows the example configuration for the BDC.
Decide if the BDC should have its own LDAP server or not. If the BDC is to be
the LDAP server, change the following &smb.conf; as indicated. The default
configuration in <link linkend="fast-bdc"/> uses a central LDAP server.
<smbconfexample id="fast-bdc">
<title>Remote LDAP BDC smb.conf</title>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection>[global]</smbconfsection>
<smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
<smbconfoption><name>netbios name</name><value>GANDALF</value></smbconfoption>
<smbconfoption><name>passdb backend</name><value>ldapsam:ldap://frodo.quenya.org</value></smbconfoption>
<smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
<smbconfoption><name>printcap name</name><value>cups</value></smbconfoption>
<smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
<smbconfoption><name>logon path</name><value>\\%L\Profiles\%U</value></smbconfoption>
<smbconfoption><name>logon drive</name><value>H:</value></smbconfoption>
<smbconfoption><name>logon home</name><value>\\%L\%U</value></smbconfoption>
<smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
<smbconfoption><name>os level</name><value>33</value></smbconfoption>
<smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
<smbconfoption><name>domain master</name><value>No</value></smbconfoption>
<smbconfoption><name>ldap suffix</name><value>dc=quenya,dc=org</value></smbconfoption>
<smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
<smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
<smbconfoption><name>ldap group suffix</name><value>ou=People</value></smbconfoption>
<smbconfoption><name>ldap idmap suffix</name><value>ou=People</value></smbconfoption>
<smbconfoption><name>ldap admin dn</name><value>cn=Manager</value></smbconfoption>
<smbconfoption><name>ldap ssl</name><value>no</value></smbconfoption>
<smbconfoption><name>ldap passwd sync</name><value>Yes</value></smbconfoption>
<smbconfoption><name>idmap uid</name><value>15000-20000</value></smbconfoption>
<smbconfoption><name>idmap gid</name><value>15000-20000</value></smbconfoption>
<smbconfoption><name>winbind separator</name><value>+</value></smbconfoption>
<smbconfoption><name>printing</name><value>cups</value></smbconfoption>
<member>...</member>
Configure the NETLOGON and PROFILES directories as for the PDC in <link linkend="fast-bdc"/>.
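Two rules from this chapter lend themselves to an automated check before a domain controller goes live: the tdbsam backend cannot replicate the SAM, so a BDC must not use it, and an ldapsam backend that binds to a server on another host over plain ldap:// with ldap ssl = no sends the ldap admin dn password (the one stored with smbpasswd -w) across the network unencrypted. The following Python is an added example, not part of Samba or of the Samba HOWTO; the sample configuration is constructed from the BDC globals above, the function names and the value assumed for a missing ldap ssl parameter are the example's own, and the parser is not a substitute for testparm.

```python
"""Sanity-check a domain controller's smb.conf [global] section.

Added example, not Samba code. Encodes two rules from the Fast Start chapter:
  1. a BDC (domain logons = Yes, domain master = No) must not use tdbsam;
  2. ldapsam over plain ldap:// to a remote host with ldap ssl = no exposes
     the ldap admin dn bind password on the wire.
"""
import re

# Constructed sample: the BDC globals from the page, trimmed to the parameters
# these checks look at, plus one backslash-continued line as the examples use.
SAMPLE_BDC_CONF = """\
# Global parameters
[global]
    workgroup = MIDEARTH
    netbios name = GANDALF
    passdb backend = ldapsam:ldap://frodo.quenya.org
    domain logons = Yes
    domain master = No
    ldap ssl = no
    add user to group script = /usr/local/sbin/ \\
        smbldap-groupmod.pl -m '%g' '%u'
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased names.

    Skips '#' / ';' comment lines and joins trailing-backslash continuations.
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):              # continuation: glue the next line on
            pending = line[:-1]
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def ldap_is_local(url):
    """True for ldapi:// sockets and loopback hosts; anything else is remote."""
    if url.startswith("ldapi://"):
        return True
    host = re.sub(r"^ldaps?://", "", url).split("/")[0].split(":")[0]
    return host in ("localhost", "127.0.0.1", "::1", "[::1]")


def check_dc_config(sections):
    """Return a list of (severity, message) findings for the [global] section."""
    g = sections.get("global", {})
    findings = []
    backend = g.get("passdb backend", "smbpasswd").strip()
    is_dc = is_yes(g.get("domain logons", "no"))
    is_bdc = is_dc and not is_yes(g.get("domain master", "no"))

    # Rule 1: tdbsam has no replication protocol, so a second DC cannot share it.
    if is_bdc and backend.lower().startswith("tdbsam"):
        findings.append(("error",
                         "BDC with passdb backend = tdbsam: the SAM cannot be "
                         "replicated; use an LDAP backend shared by all DCs"))

    # Rule 2: a simple bind over plain ldap:// to another host is cleartext.
    # Assumption: when 'ldap ssl' is absent it is treated as not 'no'.
    if backend.lower().startswith("ldapsam:"):
        url = backend.split(":", 1)[1].strip()
        ssl = g.get("ldap ssl", "start tls").strip().lower()
        if url.startswith("ldap://") and not ldap_is_local(url) and ssl == "no":
            findings.append(("warning",
                             "ldap ssl = no with remote server %s: the ldap admin dn "
                             "password from secrets.tdb is sent unencrypted" % url))
    return findings


if __name__ == "__main__":
    for severity, message in check_dc_config(parse_smb_conf(SAMPLE_BDC_CONF)):
        print("%s: %s" % (severity.upper(), message))
```

Run against the sample it reports the cleartext-bind warning for the BDC pointing at frodo.quenya.org; the PDC examples above, whose ldapsam URL is localhost or whose backend is tdbsam with domain master = Yes, produce no findings.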