
Chapter 15

Windows, Linux And Samba


In This Chapter

Download and Install Packages
How To Get SAMBA Started
Configuring SWAT
Samba and PC Firewall Software
How To Create A Samba PDC Administrator User
How to Configure a Samba PDC
How To Add Users To Your Samba Domain
Domain Groups And Samba
How To Delete Users From Your Samba Domain

© Peter Harrison, www.linuxhomenetworking.com


Samba is a suite of utilities that allows your Linux box to share files and other resources such as printers with Windows boxes. This chapter describes how you can make your Linux box into a Windows Primary Domain Controller (PDC) or a server for a Windows Workgroup. Either configuration will allow everyone at home to have:

·     their own logins on all the home Windows boxes while having their files on the Linux box appear to be located on a new Windows drive

·     shared access to printers on the Linux box

·     shared files accessible only to members of their Linux user group.

 

What’s the difference between a PDC and Windows Workgroup member? A detailed description is beyond the scope of this chapter, but this simple explanation should be enough.

·     A PDC stores the login information in a central database on its hard drive. This allows each user to have a universal username and password when logging in from all PCs on the network.

·     In a Windows Workgroup, each PC stores the usernames and passwords locally so that they are unique for each PC.

 


 

This chapter will only cover the much more popular PDC methodology used at home. By default, Samba mimics a Windows PDC in almost every way needed for simple file sharing. Linux functionality doesn’t disappear when you do this. Samba domains and Linux share the same usernames, so you can log into the Samba-based Windows domain using your Linux username and immediately gain access to the files in your Linux user’s home directory. For added security you can make your Samba and Linux passwords different.

When Samba starts up it reads the configuration file /etc/samba/smb.conf to determine its various modes of operation. You can create your own smb.conf using a text editor or using the easier web-based SWAT utility. Keep in mind that you will lose all the comments you inserted in /etc/samba/smb.conf with a text editor if you subsequently use SWAT to edit it. Explanations of how to use both SWAT and a text editor to configure Samba are given in this chapter.

Download and Install Packages

Samba comprises a suite of RPMs that come on the RedHat CDs. As of this writing, the latest version of the Samba suite for RedHat 8.0 was version 2.2.5-10. Install all the packages in this order:

 

[root@bigboy tmp]# rpm -Uvh samba-2.2.5-10.i386.rpm
[root@bigboy tmp]# rpm -Uvh samba-common-2.2.5-10.i386.rpm
[root@bigboy tmp]# rpm -Uvh samba-client-2.2.5-10.i386.rpm
[root@bigboy tmp]# rpm -Uvh samba-swat-2.2.5-10.i386.rpm

 

Downloading and installing RPMs isn’t hard. If you need a refresher, the RPM chapter covers how to do this in detail. 

How To Get SAMBA Started

·      You can configure Samba to start at boot time using the chkconfig command:

 

[root@bigboy tmp]# chkconfig --level 35 smb on

 

·     You can start/stop/restart Samba after boot time using the smb initialization script as in the examples below:

 

[root@bigboy tmp]# /etc/init.d/smb start

[root@bigboy tmp]# /etc/init.d/smb stop

[root@bigboy tmp]# /etc/init.d/smb restart

 

·     Remember to restart the smb process every time you make a change to the conf file for the changes to take effect on the running process.

·     You can test whether the smb process is running with the following command; you should get a response of plain old process ID numbers:

 

[root@bigboy tmp]# pgrep smb

 


 

Configuring SWAT

SWAT is a very intuitive web-based Samba configuration tool that allows you to configure Samba without all the memorization of the keywords needed for text-based configuration. Unfortunately, it doesn't encrypt your login password, which may be a security concern in a corporate environment. Because of this, you may want to create a Samba administrator user that has no root privileges whatsoever, or do your configuration using the configuration files.

The enabling/disabling, starting and stopping of SWAT is controlled by xinetd via a configuration file named /etc/xinetd.d/swat. Here is a sample:

 

service swat
{
        port            = 901
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/swat
        log_on_failure  += USERID
        disable         = no
        only_from       = localhost
}

 

The formatting of the file is fairly easy to understand, especially as there are only two entries of interest.

·     The disable parameter must be set to "no" to accept connections.

·     By default, you can only log into SWAT from the VGA console as user "root". The URL must point to your localhost IP address on port 901 (http://127.0.0.1:901) as defined by the only_from and port parameters.

You can make SWAT accessible from other hosts by adding their IP addresses to the only_from parameter. Here’s an example of an entry that allows connections only from 192.168.1.3 and localhost:

 

only_from = localhost, 192.168.1.3

 

Therefore, in this case you can also configure Samba on your Linux server "Bigboy" (IP address 192.168.1.100) from PC 192.168.1.3 using the URL http://192.168.1.100:901.

 

Samba and PC Firewall Software

Firewall software installed on Windows PCs may prevent Samba from functioning. Here are some ways to solve the problem with two popular packages.


 

Zone Alarm

The default installation of Zone Alarm assumes that your PC is directly connected to the Internet. This means that the software will deny all inbound connections that attempt to connect with your PC. The NetBIOS traffic that Samba uses to communicate with the PCs on the network will therefore be considered as hostile traffic. The easiest way around this is to configure Zone Alarm to consider your home network as a trusted network too.

This can be done by clicking on the firewall tab and editing the settings for your home network, which will most likely have a 192.168.x.x/255.255.255.0 type entry. Make this network a trusted network instead of an Internet network, and ZoneAlarm should cease to interfere with Samba.

The Windows XP Built In Firewall

You may also need to disable the firewall feature of Windows XP by doing the following: 

o        Bring up Control Panel

o        Go through the Network and Internet Connections and then Network Connections menus.

o        Right-click on your LAN connection icon and select Properties

o        Click on the Advanced tab.

o        Uncheck the Internet Connection Firewall box and the firewall will be turned off.

Once you get SAMBA to work, you may want to experiment with the firewall software settings to balance your security against the need to maintain a working connection to the SAMBA server.

 

How To Create A Samba PDC Administrator User

To do both SWAT and user administration with Samba you'll need to create an Administrator account on the Samba PDC Linux box. Here is how it's done:

Create The Administrator’s User Group and Directories

o        First create a Linux group for administrators:

 

[root@bigboy tmp]# /usr/sbin/groupadd sysadmin

 

o        Then create a Linux directory to house all the administrator directories:

 

[root@bigboy tmp]# mkdir /home/sysadmin
[root@bigboy tmp]# chgrp sysadmin /home/sysadmin
[root@bigboy tmp]# chmod 0770 /home/sysadmin


 

Create The Administrator User Under Linux

o        For each administrator user, create a Linux user with the adduser command:

 

[root@bigboy tmp]# /usr/sbin/adduser -d /home/sysadmin/administrator \
       -g sysadmin -m -k /etc/skel.smb -n administrator

 

o        As this user may not need a real Linux login, we won’t assign a real Linux password. This provides an added level of security, especially if you’re using SWAT. The table below explains each of the adduser command switches used.

 

Adduser’s Command Switches

-g group
        Sets the group to which the user should be added. In this case the administrator user has been made a member of the sysadmin group.

-m
        Forces Linux to create the directory specified with the -d switch.

-d dir_path
        Home directory for the new user.

-k /etc/skel.smb
        Tells adduser to copy the contents of the directory /etc/skel.smb to the user’s new home directory. Usually default login scripts.

-n
        Tells RedHat NOT to create a default group with the same name as the user. (Redundant in this case.)

 

 


 

Create An Administrator Domain Password

The Linux Administrator now needs a Samba password to log into the Windows domain. This is done with the smbpasswd command.

 

[root@bigboy tmp]# /usr/bin/smbpasswd -a administrator password

 

The -a adds the user administrator to the /etc/smbpasswd file. Use a generic password, then have users change it immediately from their workstation in the usual way.

Note: If you want user "administrator" to be able to log into the Linux box as a regular user via Telnet or SSH, then you'll have to use the Linux passwd command to give this user a Linux (not a Samba domain) password. Samba domain logins use the smbpasswd password.

 

Make The Administrator One Of The Samba Admin Users

Edit the /etc/samba/smb.conf file and add the sysadmin group to the list of Samba system administrator users.

 

[global]

admin users = @sysadmin

 

This can also be set via SWAT in the expanded “global settings” section. You’ll need to restart Samba for this to take effect.

 

How to Configure a Samba PDC

Create A Samba PDC 

By far the easiest way to configure a Samba PDC is by using SWAT. Log into SWAT, click on the “globals” section and make sure the key parameters highlighted below are set correctly.

 

# Samba config file created using SWAT
# from 192.168.1.101 (192.168.1.101)
# Date: 2002/11/10 19:54:45

# Global parameters
[global]

##
## The name I want to give my DOMAIN
##
     workgroup = HOMENET

##
## The name of my Linux Box
##
     server string = BigBoy

##
## Make sure passwords are always encrypted
##
     encrypt passwords = Yes

##
## Samba writes its logs to the directory /var/log/samba,
## one file per client machine (%m)
##
     log file = /var/log/samba/%m.log
     max log size = 0

##
## The command Samba uses to add new printers
##
     addprinter command = /usr/bin/addprinter

##
## Only domain users in the sysadmin group can act as
## universal administrators, i.e. administer the PDC
## and do activities on the local PC like
## software installation. You can also have local
## administrator accounts on PCs to do software
## installation, but they won't be PDC administrators
## able to do things like adding new PCs to the domain
##
     domain admin group = @sysadmin

##
## The script logon.cmd in the Linux user’s home directory
## will be run whenever the user logs in. (Usually blank)
##
     logon script = logon.cmd

##
## My user’s Linux login directory will always appear
## to be Windows drive H:
##
     logon drive = h:

##
## Activate domain type logins and make the
## Linux box the master Windows server
## in all domain type functions
##
     domain logons = Yes
     os level = 99
     preferred master = True
     domain master = True
     local master = True

     dns proxy = No

##
## Only users in the sysadmin group can use SWAT
## to modify Samba or act as printer administrators
##
     admin users = @sysadmin
     printer admin = @sysadmin
     printing = lprng

 

Next you will have to use SWAT to click on the “shares” button. Here you will use the drop-down menu to edit the netlogon and profiles shares:

 

[netlogon]
##
## Store all Samba PDC overhead data in the directory
## /home/netlogon (or whatever you desire)
##
     path = /home/netlogon
     write list = administrator
     guest ok = Yes

[profiles]
##
## Store user profiles in this directory
##
     path = /home/ntprofile
     read only = No
     create mask = 0600
     directory mask = 0700
     guest ok = Yes
     browseable = No

 

Click on the “Status” button at the top of the screen and restart Samba to make your settings take effect.
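As an added example (not part of the chapter), the following Python script parses an smb.conf in the format shown above and checks the PDC settings the chapter depends on, plus the two share settings with the most security weight: that the netlogon share is not guest-writable (its logon scripts run on every client) and that profile files are created unreadable to other users. The embedded configuration is a constructed sample reduced from the chapter's listing.

```python
"""Added example (not from the chapter): parse an smb.conf in the format shown
above and check the PDC and share settings the chapter relies on."""
import re

# Constructed from the chapter's listing; only the parameters the checks need.
SAMPLE_SMB_CONF = """\
[global]
     workgroup = HOMENET
     encrypt passwords = Yes
     domain logons = Yes
     domain master = True
     admin users = @sysadmin

[netlogon]
     write list = administrator
     guest ok = Yes

[profiles]
     read only = No
     create mask = 0600
     directory mask = 0700
     guest ok = Yes
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}}, names lower-cased like Samba does."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # Samba only treats whole lines as comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        conf.setdefault(section, {})[" ".join(key.lower().split())] = value.strip()
    return conf

def is_true(value):
    return str(value).strip().lower() in ("yes", "true", "1")

def audit_pdc(conf):
    """Return findings; an empty list means the chapter's PDC settings are in place."""
    findings = []
    g = conf.get("global", {})
    for key in ("encrypt passwords", "domain logons", "domain master"):
        if not is_true(g.get(key, "no")):
            findings.append(f"[global] {key} must be Yes for a PDC")
    for share in ("netlogon", "profiles"):
        if share not in conf:
            findings.append(f"[{share}] share missing: domain logons need it")
    nl = conf.get("netlogon", {})
    # read only defaults to yes; a guest-writable netlogon lets anyone replace logon scripts
    writable = not is_true(nl.get("read only", "yes")) or is_true(nl.get("writeable", "no"))
    if writable and is_true(nl.get("guest ok", "no")):
        findings.append("[netlogon] writable by guests: logon scripts can be replaced")
    pr = conf.get("profiles", {})
    # Samba's defaults are 0744/0755; any group or other bits expose profiles.
    for key, default in (("create mask", "0744"), ("directory mask", "0755")):
        mask = int(pr.get(key, default), 8)
        if mask & 0o077:
            findings.append(f"[profiles] {key} = {mask:04o} lets other users read profiles")
    return findings
```

Run `audit_pdc(parse_smb_conf(open("/etc/samba/smb.conf").read()))` against a real file; an empty list means no findings.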

 

Create Your PC Machine Trusts

PDCs will only accept user logins from trusted PCs that have been placed in its PC client database. Samba can create these “Machine Trusts” in two ways, either manually or automatically. 

Manual Creation Of Machine Trust Accounts (NT Only)

When manually creating a machine trust account you need to manually create the corresponding Unix account in the /etc/passwd and /etc/smbpasswd files. Pay careful attention to the "$" at the end of the useradd and passwd entries (smbpasswd appends it itself when given -m), and replace machine_name with the name of the Windows client machine.


[root@bigboy tmp]# /usr/sbin/useradd -g 100 -d /dev/null -c "machine nickname" -s /bin/false machine_name$
[root@bigboy tmp]# passwd -l machine_name$
[root@bigboy tmp]# smbpasswd -a -m machine_name



This is the only way to configure machine trusts using Windows NT.

 

Dynamic Creation Of Machine Trust Accounts

The second (and recommended) way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the client joins the domain. This can be done by editing /etc/samba/smb.conf to automatically add the required users. This method is also referred to as making a machine account "on the fly".


[global]
# <...remainder of parameters...>
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

 

This is probably easier to do if you use SWAT in the “Global” menu.

Make Your PC Clients Aware Of Your Samba PDC 

When you log into the domain, the PDC will send your new client PC a list of universal “look and feel” related features that may have been previously set by the Administrator. These include things like suppressing the splash screen, defining your wallpaper and setting the way dates are formatted. This information is stored in the netlogon directory. How to configure the netlogon directory is beyond the scope of this chapter, but suffice it to say that the directory must be created on the Linux box for Samba to operate correctly.

 

[root@bigboy tmp]# mkdir /home/netlogon
[root@bigboy tmp]# chmod 0755 /home/netlogon

 

You’ll then have to log into each PC client and do the following steps depending on their operating system.

 

Windows 95/98/ME

Windows 9x machines do not implement full domain membership and therefore don't require machine trust accounts.

·         Navigate to the Network section of the Control Panel (Start ->Settings->Control Panel->Network)

·         Select the Configuration tab

·         Highlight "Client for Microsoft Networks"

·         Click the Properties button.

·         Check "Log onto Windows NT Domain", and enter the domain name.

·         Click all the OK buttons and reboot! 

 


 

Windows NT

Create a manual SAMBA machine trust account as explained above, then go through the following steps:

·         Navigate to the Network section of the Control Panel (Start ->Settings->Control Panel->Network )

·         Select the “identification” tab

·         Click the "change" button

·         Enter the domain name and computer name, do not check the box "Create a Computer Account in the Domain." In this case, the existing machine trust account is used to join the machine to the domain.

·         Click "OK"

·         You should then get a confirmation that you’ve been added with a "Welcome to <DOMAIN>" message.

·         Reboot.

·         Log in using any account in the /etc/smbpasswd file with your domain as the domain name. 

 

Windows 2000 

Create a dynamic SAMBA machine trust account as explained above, then go through the following steps:

·         Press the Windows key and the Break key simultaneously to get the System Properties dialogue box

·         Click on the 'Network Identification' tab on the top

·         Click the "Properties" button

·         Click on the “Member of Domain” button

·         Also enter your domain name and computer name and then click "OK"

·         You will now be prompted for a user account and password with rights to join a machine to the domain. This should be your Samba administrator. In our case that would be user "administrator" with the corresponding smbpasswd password.

·         You should then get a confirmation that you’ve been added with a "Welcome to <DOMAIN>" message.

·         Reboot.

·         Log in using any account in the /etc/smbpasswd file with your domain as the domain name.  


Windows XP

Create a dynamic SAMBA machine trust account as explained above, then go through the following steps:

·         Press the Windows key and the Break key simultaneously to get the System Properties dialogue box

·         Click on the 'Computer Name' tab on the top

·         Click on the 'Change' button

·         Click on the “Member of Domain” button

·         Also enter your domain name and computer name and then click "OK"

·         You will now be prompted for a user account and password with rights to join a machine to the domain. This should be your Samba administrator. In our case that would be user "administrator" with the corresponding smbpasswd password.

·         Reboot.

·         Log in using any account in the /etc/smbpasswd file with your domain as the domain name. 

 

How To Add Users To Your Samba Domain

Add The Users In Linux 

First go through the process of adding users in Linux just like you would normally do. Passwords won’t be necessary unless you want the users to log in to the Samba server via Telnet or SSH.

 

Map The Linux Users To An smbpassword

Next you need to create Samba domain login passwords for all users:

 

[root@bigboy tmp]# /usr/bin/smbpasswd -a username password

 

The -a adds the user to the /etc/smbpasswd file. Use a generic password, then have users change it immediately from their workstation in the usual way.

 

Map A Drive Share

By default, Samba will automatically give each user logged into the domain an H: drive that really maps to the /home/username directory on the Linux box.

 

Mapping Using “My Computer”

If the auto-mapping doesn't work then do the following: 

·         Let the user log into the domain

·         Right click on the "My Computer" icon on the desktop

·         Click on "Map Network Drive"

·         Select a drive letter

·         Browse to the HOMENET domain, then the Samba server, then the user’s home directory.

·         Click on the check box "Reconnect at Logon", to make the change permanent 

 

Mapping From The Command Line

If you find the "My Computer" method too time consuming for dozens of users or if the PC doesn't have the feature available, then you can do the following and possibly make it into a script.

 

·         Create a master logon batch file for administrator users. We will add the contents of this file to all administrators' logon scripts.

 

[root@bigboy tmp]# vi /home/netlogon/administrator.bat

 

·         Add the following contents to mount the user's share as drive P: (for 'private').

 

REM administrator
net use P: \\bigboy\administrator

 

·         Make the file world readable:

 

[root@bigboy tmp]# chmod +r /home/netlogon/administrator.bat

 

·         Linux and Windows format text files slightly differently. As the file resides on a Linux box but will be interpreted by a Windows machine, you’ll have to convert the file to the Windows format. This requires the 'todos' program to be installed. (You can get this package from http://speakeasy.rpmfind.net )

 

[root@bigboy tmp]# todos /home/netlogon/administrator.bat

 

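The batch-file steps above, turned into the script the text suggests, as an added Python example that is not part of the chapter: it writes one <user>.bat per user into the netlogon directory, does the LF to CRLF conversion the chapter performs with 'todos' (without doubling CRs if run twice), refuses user names that would break the batch file, and makes the files world-readable. The server name 'bigboy', the user names and the temporary stand-in for /home/netlogon are constructed sample values.

```python
"""Added example (not from the chapter): build the per-user logon batch files
the chapter creates by hand, with the CRLF conversion it does using 'todos'.
The server name 'bigboy' and the user names are constructed sample values."""
import os
import re
import stat
import tempfile

# User names with backslashes, spaces or newlines would change the meaning of
# the batch file; the chapter's names (administrator, zmeekins) all match this.
_SAFE_USER = re.compile(r"[A-Za-z0-9_.-]+")

def to_dos(data: bytes) -> bytes:
    """Give text CRLF line endings without doubling CRs that are already there,
    so re-running it (or running it after todos) is harmless."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")

def logon_script(user: str, server: str, drive: str = "P:") -> bytes:
    """The two-line batch file from the chapter: a REM marker and a net use
    mapping the user's home share to the given drive letter."""
    if not _SAFE_USER.fullmatch(user):
        raise ValueError(f"unsafe user name for a batch file: {user!r}")
    text = f"REM {user}\nnet use {drive} \\\\{server}\\{user}\n"
    return to_dos(text.encode("ascii"))

def write_logon_scripts(netlogon_dir: str, users, server: str) -> list:
    """Write <user>.bat into the netlogon share directory for each user and
    make it world-readable (the chapter's 'chmod +r'), returning the paths."""
    paths = []
    for user in users:
        path = os.path.join(netlogon_dir, f"{user}.bat")
        with open(path, "wb") as fh:
            fh.write(logon_script(user, server))
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
        paths.append(path)
    return paths

def demo(users=("administrator", "zmeekins"), server="bigboy") -> dict:
    """Write the scripts into a temporary stand-in for /home/netlogon and
    return {user: file contents} so the result can be inspected."""
    with tempfile.TemporaryDirectory() as netlogon_dir:
        contents = {}
        for path in write_logon_scripts(netlogon_dir, users, server):
            with open(path, "rb") as fh:
                contents[os.path.basename(path)[:-4]] = fh.read()
    return contents

if __name__ == "__main__":
    for user, data in demo().items():
        print(f"--- {user}.bat ---")
        print(data.decode("ascii"), end="")
```

On the real server, call write_logon_scripts("/home/netlogon", users, "bigboy") as root instead of demo().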

 

Domain Groups And Samba

Samba supports domain groups which will allow users who are members of the group to be able to have Administrator rights on each PC in the domain. This will allow them to do such things as add software and configure network settings. In Windows, Domain Groups also have the ability to join machines to the domain, but this is not currently supported in Samba.

The domain admin group parameter specifies users who will have domain admin rights. The argument is a space-separated list of user names or group names (group names must have an @ sign prefixed). For example:


domain admin group = <USER1> <USER2> @<GROUP>

 


 

How To Delete Users From Your Samba Domain

Delete The Users In Linux

First go through the process of deleting users in Linux just like you would normally do. Here we are deleting the user zmeekins and all of zmeekins’ files from the Linux server:

 

[root@bigboy tmp]# userdel -r zmeekins

Delete The Users Using smbpasswd

Next, use the smbpasswd command with the "-x" switch:

 

[root@bigboy tmp]# smbpasswd -x zmeekins
Deleted user zmeekins.
[root@bigboy root]#