--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 2. Fast Start: Cure for Impatience</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"><link rel="start" href="index.html" title="The Official Samba-3 HOWTO and Reference Guide"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="prev" href="install.html" title="Chapter 1. How to Install and Test SAMBA"><link rel="next" href="type.html" title="Part II. Server Configuration Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 2. Fast Start: Cure for Impatience</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 2. Fast Start: Cure for Impatience</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="FastStart.html#id2521215">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id2521239">Description of Example Sites</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id2521319">Worked Examples</a></span></dt><dd><dl><dt><span class="sect2"><a href="FastStart.html#id2521337">Standalone Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id2523307">Domain Member Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id2524263">Domain Controller</a></span></dt></dl></dd></dl></div><p>
+When we first asked for suggestions for inclusion in the Samba HOWTO documentation,
+someone wrote asking for example configurations and lots of them. That is remarkably
+difficult to do without losing a lot of value that can be derived from presenting
+many extracts from working systems. That is what the rest of this document does.
+It does so with extensive descriptions of the configuration possibilities within the
+context of the chapter that covers it. We hope that this chapter is the medicine
+that has been requested.
+</p><p>
+The information in this chapter is very sparse compared with the book “<span class="quote">Samba-3 by Example</span>”
+that was written after the original version of this book was nearly complete. “<span class="quote">Samba-3 by Example</span>”
+was the result of feedback from reviewers during the final copy editing of the first edition. It
+was interesting to see that reader feedback mirrored that given by the original reviewers.
+In any case, a month and a half was spent in doing basic research to better understand what
+new as well as experienced network administrators would best benefit from. The book “<span class="quote">Samba-3 by Example</span>”
+is the result of that research. What is presented in the few pages of this book is covered
+far more comprehensively in the second edition of “<span class="quote">Samba-3 by Example</span>”. The second edition
+of both books will be released at the same time.
+</p><p>
+So in summary, the book “<span class="quote">The Official Samba-3 HOWTO & Reference Guide</span>” is intended
+as the equivalent of an auto mechanic's repair guide. The book “<span class="quote">Samba-3 by Example</span>” is the
+equivalent of the driver's guide that explains how to drive the car. If you want complete network
+configuration examples, go to <a href="http://www.samba.org/samba/docs/Samba3-ByExample.pdf" target="_top">Samba-3 by
+Example</a>.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2521215"></a>Features and Benefits</h2></div></div></div><p>
+Samba needs very little configuration to create a basic working system.
+In this chapter we progress from the simple to the complex, for each providing
+all steps and configuration file changes needed to make each work. Please note
+that a comprehensively configured system will likely employ additional smart
+features. These additional features are covered in the remainder of this document.
+</p><p>
+The examples used here have been obtained from a number of people who made
+requests for example configurations. All identities have been obscured to protect
+the guilty, and any resemblance to unreal nonexistent sites is deliberate.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2521239"></a>Description of Example Sites</h2></div></div></div><p>
+In the first set of configuration examples we consider the case of exceptionally simple system requirements.
+There is a real temptation to make something that should require little effort much too complex.
+</p><p>
+<a href="FastStart.html#anon-ro" title="Anonymous Read-Only Document Server">???</a> documents the type of server that might be sufficient to serve CD-ROM images,
+or reference document files for network client use. This configuration is also discussed in <a href="StandAloneServer.html" title="Chapter 7. Standalone Servers">???</a>, <a href="StandAloneServer.html#RefDocServer" title="Reference Documentation Server">???</a>. The purpose for this configuration
+is to provide a shared volume that is read-only that anyone, even guests, can access.
+</p><p>
+The second example shows a minimal configuration for a print server that anyone can print to as long as they
+have the correct printer drivers installed on their computer. This is a mirror of the system described in
+<a href="StandAloneServer.html" title="Chapter 7. Standalone Servers">???</a>, <a href="StandAloneServer.html#SimplePrintServer" title="Central Print Serving">???</a>.
+</p><p>
+The next example is of a secure office file and print server that will be accessible only to users who have an
+account on the system. This server is meant to closely resemble a workgroup file and print server, but has to
+be more secure than an anonymous access machine. This type of system will typically suit the needs of a small
+office. The server provides no network logon facilities, offers no domain control; instead it is just a
+network-attached storage (NAS) device and a print server.
+</p><p>
+The later example consider more complex systems that will either integrate into existing MS Windows networks
+or replace them entirely. These cover domain member servers as well as Samba domain control (PDC/BDC) and
+finally describes in detail a large distributed network with branch offices in remote locations.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2521319"></a>Worked Examples</h2></div></div></div><p>
+The configuration examples are designed to cover everything necessary to get Samba
+running. They do not cover basic operating system platform configuration, which is
+clearly beyond the scope of this text.
+</p><p>
+It is also assumed that Samba has been correctly installed, either by way of installation
+of the packages that are provided by the operating system vendor or through other means.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2521337"></a>Standalone Server</h3></div></div></div><p>
+ <a class="indexterm" name="id2521345"></a>
+ A standalone server implies no more than the fact that it is not a domain controller
+ and it does not participate in domain control. It can be a simple, workgroup-like
+ server, or it can be a complex server that is a member of a domain security context.
+ </p><p>
+ As the examples are developed, every attempt is made to progress the system toward greater capability, just as
+ one might expect would happen in a real business office as that office grows in size and its needs change.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="anon-ro"></a>Anonymous Read-Only Document Server</h4></div></div></div><p>
+ <a class="indexterm" name="id2521378"></a>
+ The purpose of this type of server is to make available to any user
+ any documents or files that are placed on the shared resource. The
+ shared resource could be a CD-ROM drive, a CD-ROM image, or a file
+ storage area.
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ The file system share point will be <code class="filename">/export</code>.
+ </p></li><li><p>
+ All files will be owned by a user called Jack Baumbach.
+ Jack's login name will be <span class="emphasis"><em>jackb</em></span>. His password will be
+ <span class="emphasis"><em>m0r3pa1n</em></span> of course, that's just the example we are
+ using; do not use this in a production environment because
+ all readers of this document will know it.
+ </p></li></ul></div><div class="procedure"><a name="id2521426"></a><p class="title"><b>Procedure 2.1. Installation Procedure: Read-Only Server</b></p><div class="example"><a name="anon-example"></a><p class="title"><b>Example 2.1. Anonymous Read-Only Server Configuration</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2521564"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id2521577"></a><em class="parameter"><code>netbios name = HOBBIT</code></em></td></tr><tr><td><a class="indexterm" name="id2521590"></a><em class="parameter"><code>security = share</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[data]</code></em></td></tr><tr><td><a class="indexterm" name="id2521612"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id2521624"></a><em class="parameter"><code>path = /export</code></em></td></tr><tr><td><a class="indexterm" name="id2521637"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2521650"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div><ol type="1"><li><p>
+ Add user to system (with creation of the user's home directory):
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</code></strong>
+</pre><p>
+ </p></li><li><p>
+ Create directory, and set permissions and ownership:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>mkdir /export</code></strong>
+<code class="prompt">root# </code><strong class="userinput"><code>chmod u+rwx,g+rx,o+rx /export</code></strong>
+<code class="prompt">root# </code><strong class="userinput"><code>chown jackb.users /export</code></strong>
+</pre><p>
+ </p></li><li><p>
+ Copy the files that should be shared to the <code class="filename">/export</code>
+ directory.
+ </p></li><li><p>
+ Install the Samba configuration file (<code class="filename">/etc/samba/smb.conf</code>)
+ as shown in <a href="FastStart.html#anon-example" title="Example 2.1. Anonymous Read-Only Server Configuration">Anonymous Read-Only Server Configuration</a>.
+ </p></li><li><p>
+ Test the configuration file by executing the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>testparm</code></strong>
+</pre><p>
+ Alternatively, where you are operating from a master configuration file called
+ <code class="filename">smb.conf.master</code>, the following sequence of commands might prove
+ more appropriate:
+</p><pre class="screen">
+<code class="prompt">root# </code> cd /etc/samba
+<code class="prompt">root# </code> testparm -s smb.conf.master > smb.conf
+<code class="prompt">root# </code> testparm
+</pre><p>
+ Note any error messages that might be produced. Proceed only if error-free output has been
+ obtained. An example of typical output that should be generated from the above configuration
+ file is shown here:
+</p><pre class="screen">
+Load smb config files from /etc/samba/smb.conf
+Processing section "[data]"
+Loaded services file OK.
+Server role: ROLE_STANDALONE
+Press enter to see a dump of your service definitions
+<strong class="userinput"><code>[Press enter]</code></strong>
+
+# Global parameters
+[global]
+ workgroup = MIDEARTH
+ netbios name = HOBBIT
+ security = share
+
+[data]
+ comment = Data
+ path = /export
+ read only = Yes
+ guest only = Yes
+</pre><p>
+ </p></li><li><p>
+ Start Samba using the method applicable to your operating system platform. The method that
+ should be used is platform dependent. Refer to <a href="compiling.html#startingSamba" title="Starting the smbd nmbd and winbindd">Starting Samba</a>
+ for further information regarding the starting of Samba.
+ </p></li><li><p>
+ Configure your MS Windows client for workgroup <span class="emphasis"><em>MIDEARTH</em></span>,
+ set the machine name to ROBBINS, reboot, wait a few (2 - 5) minutes,
+ then open Windows Explorer and visit the Network Neighborhood.
+ The machine HOBBIT should be visible. When you click this machine
+ icon, it should open up to reveal the <span class="emphasis"><em>data</em></span> share. After
+ you click the share, it should open up to reveal the files previously
+ placed in the <code class="filename">/export</code> directory.
+ </p></li></ol></div><p>
+ The information above (following # Global parameters) provides the complete
+ contents of the <code class="filename">/etc/samba/smb.conf</code> file.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2521800"></a>Anonymous Read-Write Document Server</h4></div></div></div><p>
+ <a class="indexterm" name="id2521808"></a>
+ We should view this configuration as a progression from the previous example.
+ The difference is that shared access is now forced to the user identity of jackb
+ and to the primary group jackb belongs to. One other refinement we can make is to
+ add the user <span class="emphasis"><em>jackb</em></span> to the <code class="filename">smbpasswd</code> file.
+ To do this, execute:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a jackb</code></strong>
+New SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong>
+Retype new SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong>
+Added user jackb.
+</pre><p>
+ Addition of this user to the <code class="filename">smbpasswd</code> file allows all files
+ to be displayed in the Explorer Properties boxes as belonging to <span class="emphasis"><em>jackb</em></span>
+ instead of to <span class="emphasis"><em>User Unknown</em></span>.
+ </p><p>
+ The complete, modified <code class="filename">smb.conf</code> file is as shown in <a href="FastStart.html#anon-rw" title="Example 2.2. Modified Anonymous Read-Write smb.conf">???</a>.
+ </p><div class="example"><a name="anon-rw"></a><p class="title"><b>Example 2.2. Modified Anonymous Read-Write smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2521922"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id2521935"></a><em class="parameter"><code>netbios name = HOBBIT</code></em></td></tr><tr><td><a class="indexterm" name="id2521948"></a><em class="parameter"><code>security = SHARE</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[data]</code></em></td></tr><tr><td><a class="indexterm" name="id2521969"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id2521982"></a><em class="parameter"><code>path = /export</code></em></td></tr><tr><td><a class="indexterm" name="id2521994"></a><em class="parameter"><code>force user = jackb</code></em></td></tr><tr><td><a class="indexterm" name="id2522007"></a><em class="parameter"><code>force group = users</code></em></td></tr><tr><td><a class="indexterm" name="id2522020"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2522032"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2522047"></a>Anonymous Print Server</h4></div></div></div><p>
+ <a class="indexterm" name="id2522055"></a>
+ An anonymous print server serves two purposes:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ It allows printing to all printers from a single location.
+ </p></li><li><p>
+ It reduces network traffic congestion due to many users trying
+ to access a limited number of printers.
+ </p></li></ul></div><p>
+ In the simplest of anonymous print servers, it is common to require the installation
+ of the correct printer drivers on the Windows workstation. In this case the print
+ server will be designed to just pass print jobs through to the spooler, and the spooler
+ should be configured to do raw pass-through to the printer. In other words, the print
+ spooler should not filter or process the data stream being passed to the printer.
+ </p><p>
+ In this configuration, it is undesirable to present the Add Printer Wizard, and we do
+ not want to have automatic driver download, so we disable it in the following
+ configuration. <a href="FastStart.html#anon-print" title="Example 2.3. Anonymous Print Server smb.conf">???</a> is the resulting <code class="filename">smb.conf</code> file.
+ </p><div class="example"><a name="anon-print"></a><p class="title"><b>Example 2.3. Anonymous Print Server smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2522138"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id2522151"></a><em class="parameter"><code>netbios name = LUTHIEN</code></em></td></tr><tr><td><a class="indexterm" name="id2522164"></a><em class="parameter"><code>security = share</code></em></td></tr><tr><td><a class="indexterm" name="id2522177"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2522190"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2522203"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2522216"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2522238"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id2522250"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2522263"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2522276"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2522288"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2522301"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div><p>
+ The above configuration is not ideal. It uses no smart features, and it deliberately
+ presents a less than elegant solution. But it is basic, and it does print. Samba makes
+ use of the direct printing application program interface that is provided by CUPS.
+ When Samba has been compiled and linked with the CUPS libraries, the default printing
+ system will be CUPS. By specifying that the printcap name is CUPS, Samba will use
+ the CUPS library API to communicate directly with CUPS for all printer functions.
+ It is possible to force the use of external printing commands by setting the value
+ of the <em class="parameter"><code>printing</code></em> to either SYSV or BSD, and thus the value of
+ the parameter <em class="parameter"><code>printcap name</code></em> must be set to something other than
+ CUPS. In such case, it could be set to the name of any file that contains a list
+ of printers that should be made available to Windows clients.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ Windows users will need to install a local printer and then change the print
+ to device after installation of the drivers. The print to device can then be set to
+ the network printer on this machine.
+ </p></div><p>
+ Make sure that the directory <code class="filename">/var/spool/samba</code> is capable of being used
+ as intended. The following steps must be taken to achieve this:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ The directory must be owned by the superuser (root) user and group:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>chown root.root /var/spool/samba</code></strong>
+</pre><p>
+ </p></li><li><p>
+ Directory permissions should be set for public read-write with the
+ sticky bit set as shown:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>chmod a+twrx /var/spool/samba</code></strong>
+</pre><p>
+ The purpose of setting the sticky bit is to prevent who does not own the temporary print file
+ from being able to take control of it with the potential for devious misuse.
+ </p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id2522418"></a>
+ <a class="indexterm" name="id2522427"></a>
+ On CUPS-enabled systems there is a facility to pass raw data directly to the printer without
+ intermediate processing via CUPS print filters. Where use of this mode of operation is desired,
+ it is necessary to configure a raw printing device. It is also necessary to enable the raw mime
+ handler in the <code class="filename">/etc/mime.conv</code> and <code class="filename">/etc/mime.types</code>
+ files. Refer to <a href="CUPS-printing.html#cups-raw" title="Explicitly Enable “raw” Printing for application/octet-stream">???</a>.
+ </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2522460"></a>Secure Read-Write File and Print Server</h4></div></div></div><p>
+ We progress now from simple systems to a server that is slightly more complex.
+ </p><p>
+ Our new server will require a public data storage area in which only authenticated
+ users (i.e., those with a local account) can store files, as well as a home directory.
+ There will be one printer that should be available for everyone to use.
+ </p><p>
+ In this hypothetical environment (no espionage was conducted to obtain this data),
+ the site is demanding a simple environment that is <span class="emphasis"><em>secure enough</em></span>
+ but not too difficult to use.
+ </p><p>
+ Site users will be Jack Baumbach, Mary Orville, and Amed Sehkah. Each will have
+ a password (not shown in further examples). Mary will be the printer administrator and will
+ own all files in the public share.
+ </p><p>
+ This configuration will be based on <span class="emphasis"><em>user-level security</em></span> that
+ is the default, and for which the default is to store Microsoft Windows-compatible
+ encrypted passwords in a file called <code class="filename">/etc/samba/smbpasswd</code>.
+ The default <code class="filename">smb.conf</code> entry that makes this happen is
+ <a class="indexterm" name="id2522517"></a>passdb backend = smbpasswd, guest. Since this is the default,
+ it is not necessary to enter it into the configuration file. Note that the guest backend is
+ added to the list of active passdb backends no matter whether it specified directly in Samba configuration
+ file or not.
+ </p><div class="procedure"><a name="id2522530"></a><p class="title"><b>Procedure 2.2. Installing the Secure Office Server</b></p><div class="example"><a name="OfficeServer"></a><p class="title"><b>Example 2.4. Secure Office Server smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2522637"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id2522650"></a><em class="parameter"><code>netbios name = OLORIN</code></em></td></tr><tr><td><a class="indexterm" name="id2522662"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2522675"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2522688"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2522702"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2522723"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2522736"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2522749"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2522761"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[public]</code></em></td></tr><tr><td><a class="indexterm" name="id2522783"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id2522796"></a><em class="parameter"><code>path = /export</code></em></td></tr><tr><td><a class="indexterm" name="id2522808"></a><em class="parameter"><code>force user = maryo</code></em></td></tr><tr><td><a class="indexterm" name="id2522821"></a><em class="parameter"><code>force group = users</code></em></td></tr><tr><td><a class="indexterm" name="id2522834"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2522855"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id2522868"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2522881"></a><em class="parameter"><code>printer admin = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id2522894"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id2522906"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2522919"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2522932"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2522945"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div><ol type="1"><li><p>
+ <a class="indexterm" name="id2522541"></a>
+ Add all users to the operating system:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</code></strong>
+<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Mary Orville" -m -g users -p secret maryo</code></strong>
+<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Amed Sehkah" -m -g users -p secret ameds</code></strong>
+</pre><p>
+ </p></li><li><p>
+ Configure the Samba <code class="filename">smb.conf</code> file as shown in <a href="FastStart.html#OfficeServer" title="Example 2.4. Secure Office Server smb.conf">???</a>.
+ </p></li><li><p>
+ Initialize the Microsoft Windows password database with the new users:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a root</code></strong>
+New SMB password: <strong class="userinput"><code>bigsecret</code></strong>
+Reenter smb password: <strong class="userinput"><code>bigsecret</code></strong>
+Added user root.
+
+<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a jackb</code></strong>
+New SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong>
+Retype new SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong>
+Added user jackb.
+
+<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a maryo</code></strong>
+New SMB password: <strong class="userinput"><code>secret</code></strong>
+Reenter smb password: <strong class="userinput"><code>secret</code></strong>
+Added user maryo.
+
+<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a ameds</code></strong>
+New SMB password: <strong class="userinput"><code>mysecret</code></strong>
+Reenter smb password: <strong class="userinput"><code>mysecret</code></strong>
+Added user ameds.
+</pre><p>
+ </p></li><li><p>
+ Install printer using the CUPS Web interface. Make certain that all
+ printers that will be shared with Microsoft Windows clients are installed
+ as raw printing devices.
+ </p></li><li><p>
+ Start Samba using the operating system administrative interface.
+ Alternately, this can be done manually by executing:
+ <a class="indexterm" name="id2523083"></a>
+ <a class="indexterm" name="id2523090"></a>
+ <a class="indexterm" name="id2523096"></a>
+ <a class="indexterm" name="id2523106"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code> nmbd; smbd;</code></strong>
+</pre><p>
+ Both applications automatically execute as daemons. Those who are paranoid about
+ maintaining control can add the <code class="constant">-D</code> flag to coerce them to start
+ up in daemon mode.
+ </p></li><li><p>
+ Configure the <code class="filename">/export</code> directory:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>mkdir /export</code></strong>
+<code class="prompt">root# </code><strong class="userinput"><code>chown maryo.users /export</code></strong>
+<code class="prompt">root# </code><strong class="userinput"><code>chmod u=rwx,g=rwx,o-rwx /export</code></strong>
+</pre><p>
+ </p></li><li><p>
+ Check that Samba is running correctly:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>smbclient -L localhost -U%</code></strong>
+Domain=[MIDEARTH] OS=[UNIX] Server=[Samba-3.0.20]
+
+Sharename Type Comment
+--------- ---- -------
+public Disk Data
+IPC$ IPC IPC Service (Samba-3.0.20)
+ADMIN$ IPC IPC Service (Samba-3.0.20)
+hplj4 Printer hplj4
+
+Server Comment
+--------- -------
+OLORIN Samba-3.0.20
+
+Workgroup Master
+--------- -------
+MIDEARTH OLORIN
+</pre><p>
+ The following error message indicates that Samba was not running:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbclient -L olorin -U%
+Error connecting to 192.168.1.40 (Connection refused)
+Connection to olorin failed
+</pre><p>
+ </p></li><li><p>
+ Connect to OLORIN as maryo:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>smbclient //olorin/maryo -Umaryo%secret</code></strong>
+OS=[UNIX] Server=[Samba-3.0.20]
+smb: \> <strong class="userinput"><code>dir</code></strong>
+. D 0 Sat Jun 21 10:58:16 2003
+.. D 0 Sat Jun 21 10:54:32 2003
+Documents D 0 Fri Apr 25 13:23:58 2003
+DOCWORK D 0 Sat Jun 14 15:40:34 2003
+OpenOffice.org D 0 Fri Apr 25 13:55:16 2003
+.bashrc H 1286 Fri Apr 25 13:23:58 2003
+.netscape6 DH 0 Fri Apr 25 13:55:13 2003
+.mozilla DH 0 Wed Mar 5 11:50:50 2003
+.kermrc H 164 Fri Apr 25 13:23:58 2003
+.acrobat DH 0 Fri Apr 25 15:41:02 2003
+
+ 55817 blocks of size 524288. 34725 blocks available
+smb: \> <strong class="userinput"><code>q</code></strong>
+</pre><p>
+ </p></li></ol></div><p>
+ By now you should be getting the hang of configuration basics. Clearly, it is time to
+ explore slightly more complex examples. For the remainder of this chapter we abbreviate
+ instructions, since there are previous examples.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2523307"></a>Domain Member Server</h3></div></div></div><p>
+ <a class="indexterm" name="id2523315"></a>
+ In this instance we consider the simplest server configuration we can get away with
+ to make an accounting department happy. Let's be warned, the users are accountants and they
+ do have some nasty demands. There is a budget for only one server for this department.
+ </p><p>
+ The network is managed by an internal Information Services Group (ISG), to which we belong.
+ Internal politics are typical of a medium-sized organization; Human Resources is of the
+ opinion that they run the ISG because they are always adding and disabling users. Also,
+ departmental managers have to fight tooth and nail to gain basic network resources access for
+ their staff. Accounting is different, though, they get exactly what they want. So this should
+ set the scene.
+ </p><p>
+ We use the users from the last example. The accounting department
+ has a general printer that all departmental users may use. There is also a check printer
+ that may be used only by the person who has authority to print checks. The chief financial
+ officer (CFO) wants that printer to be completely restricted and for it to be located in the
+ private storage area in her office. It therefore must be a network printer.
+ </p><p>
+ The accounting department uses an accounting application called <span class="emphasis"><em>SpytFull</em></span>
+ that must be run from a central application server. The software is licensed to run only off
+ one server, there are no workstation components, and it is run off a mapped share. The data
+ store is in a UNIX-based SQL backend. The UNIX gurus look after that, so this is not our
+ problem.
+ </p><p>
+ The accounting department manager (maryo) wants a general filing system as well as a separate
+ file storage area for form letters (nastygrams). The form letter area should be read-only to
+ all accounting staff except the manager. The general filing system has to have a structured
+ layout with a general area for all staff to store general documents as well as a separate
+ file area for each member of her team that is private to that person, but she wants full
+ access to all areas. Users must have a private home share for personal work-related files
+ and for materials not related to departmental operations.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2523379"></a>Example Configuration</h4></div></div></div><p>
+ The server <span class="emphasis"><em>valinor</em></span> will be a member server of the company domain.
+ Accounting will have only a local server. User accounts will be on the domain controllers,
+ as will desktop profiles and all network policy files.
+ </p><div class="procedure"><div class="example"><a name="fast-member-server"></a><p class="title"><b>Example 2.5. Member Server smb.conf (Globals)</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2523463"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id2523476"></a><em class="parameter"><code>netbios name = VALINOR</code></em></td></tr><tr><td><a class="indexterm" name="id2523489"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id2523502"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2523515"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2523528"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2523541"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2523554"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2523566"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2523580"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div><div class="example"><a name="fast-memberserver-shares"></a><p class="title"><b>Example 2.6. Member Server smb.conf (Shares and Services)</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2523618"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2523630"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2523643"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2523656"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[spytfull]</code></em></td></tr><tr><td><a class="indexterm" name="id2523677"></a><em class="parameter"><code>comment = Accounting Application Only</code></em></td></tr><tr><td><a class="indexterm" name="id2523690"></a><em class="parameter"><code>path = /export/spytfull</code></em></td></tr><tr><td><a class="indexterm" name="id2523703"></a><em class="parameter"><code>valid users = @Accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2523716"></a><em class="parameter"><code>admin users = maryo</code></em></td></tr><tr><td><a class="indexterm" name="id2523729"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[public]</code></em></td></tr><tr><td><a class="indexterm" name="id2523750"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id2523763"></a><em class="parameter"><code>path = /export/public</code></em></td></tr><tr><td><a class="indexterm" name="id2523776"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2523797"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id2523810"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2523823"></a><em class="parameter"><code>printer admin = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id2523836"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id2523849"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2523861"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2523874"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2523887"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div><ol type="1"><li><p>
+ Do not add users to the UNIX/Linux server; all of this will run off the
+ central domain.
+ </p></li><li><p>
+ Configure <code class="filename">smb.conf</code> according to <a href="FastStart.html#fast-member-server" title="Example 2.5. Member Server smb.conf (Globals)">Member server smb.conf
+ (globals)</a> and <a href="FastStart.html#fast-memberserver-shares" title="Example 2.6. Member Server smb.conf (Shares and Services)">Member server smb.conf (shares
+ and services)</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id2523906"></a>
+ Join the domain. Note: Do not start Samba until this step has been completed!
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>net rpc join -Uroot%'bigsecret'</code></strong>
+Joined domain MIDEARTH.
+</pre><p>
+ </p></li><li><p>
+ Make absolutely certain that you disable (shut down) the <span><strong class="command">nscd</strong></span>
+ daemon on any system on which <span><strong class="command">winbind</strong></span> is configured to run.
+ </p></li><li><p>
+ Start Samba following the normal method for your operating system platform.
+ If you wish to do this manually, execute as root:
+ <a class="indexterm" name="id2523963"></a>
+ <a class="indexterm" name="id2523970"></a>
+ <a class="indexterm" name="id2523977"></a>
+ <a class="indexterm" name="id2523984"></a>
+ <a class="indexterm" name="id2523993"></a>
+ <a class="indexterm" name="id2524002"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>nmbd; smbd; winbindd;</code></strong>
+</pre><p>
+ </p></li><li><p>
+ Configure the name service switch (NSS) control file on your system to resolve user and group names
+ via winbind. Edit the following lines in <code class="filename">/etc/nsswitch.conf</code>:
+</p><pre class="programlisting">
+passwd: files winbind
+group: files winbind
+hosts: files dns winbind
+</pre><p>
+ </p></li><li><p>
+ Set the password for <span><strong class="command">wbinfo</strong></span> to use:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>wbinfo --set-auth-user=root%'bigsecret'</code></strong>
+</pre><p>
+ </p></li><li><p>
+ Validate that domain user and group credentials can be correctly resolved by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -u</code></strong>
+MIDEARTH\maryo
+MIDEARTH\jackb
+MIDEARTH\ameds
+...
+MIDEARTH\root
+
+<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -g</code></strong>
+MIDEARTH\Domain Users
+MIDEARTH\Domain Admins
+MIDEARTH\Domain Guests
+...
+MIDEARTH\Accounts
+</pre><p>
+ </p></li><li><p>
+ Check that <span><strong class="command">winbind</strong></span> is working. The following demonstrates correct
+ username resolution via the <span><strong class="command">getent</strong></span> system utility:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>getent passwd maryo</code></strong>
+maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
+</pre><p>
+ </p></li><li><p>
+ A final test that we have this under control might be reassuring:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>touch /export/a_file</code></strong>
+<code class="prompt">root# </code><strong class="userinput"><code>chown maryo /export/a_file</code></strong>
+<code class="prompt">root# </code><strong class="userinput"><code>ls -al /export/a_file</code></strong>
+...
+-rw-r--r-- 1 maryo users 11234 Jun 21 15:32 a_file
+...
+
+<code class="prompt">root# </code><strong class="userinput"><code>rm /export/a_file</code></strong>
+</pre><p>
+ </p></li><li><p>
+ Configuration is now mostly complete, so this is an opportune time
+ to configure the directory structure for this site:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>mkdir -p /export/{spytfull,public}</code></strong>
+<code class="prompt">root# </code><strong class="userinput"><code>chmod ug=rwxS,o=x /export/{spytfull,public}</code></strong>
+<code class="prompt">root# </code><strong class="userinput"><code>chown maryo.Accounts /export/{spytfull,public}</code></strong>
+</pre><p>
+ </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2524263"></a>Domain Controller</h3></div></div></div><p>
+ <a class="indexterm" name="id2524271"></a>
+ For the remainder of this chapter the focus is on the configuration of domain control.
+ The examples that follow are for two implementation strategies. Remember, our objective is
+ to create a simple but working solution. The remainder of this book should help to highlight
+ opportunity for greater functionality and the complexity that goes with it.
+ </p><p>
+ A domain controller configuration can be achieved with a simple configuration using the new
+ tdbsam password backend. This type of configuration is good for small
+ offices, but has limited scalability (cannot be replicated), and performance can be expected
+ to fall as the size and complexity of the domain increases.
+ </p><p>
+ The use of tdbsam is best limited to sites that do not need
+ more than a Primary Domain Controller (PDC). As the size of a domain grows the need
+ for additional domain controllers becomes apparent. Do not attempt to under-resource
+ a Microsoft Windows network environment; domain controllers provide essential
+ authentication services. The following are symptoms of an under-resourced domain control
+ environment:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Domain logons intermittently fail.
+ </p></li><li><p>
+ File access on a domain member server intermittently fails, giving a permission denied
+ error message.
+ </p></li></ul></div><p>
+ A more scalable domain control authentication backend option might use
+ Microsoft Active Directory or an LDAP-based backend. Samba-3 provides
+ for both options as a domain member server. As a PDC, Samba-3 is not able to provide
+ an exact alternative to the functionality that is available with Active Directory.
+ Samba-3 can provide a scalable LDAP-based PDC/BDC solution.
+ </p><p>
+ The tdbsam authentication backend provides no facility to replicate
+ the contents of the database, except by external means (i.e., there is no self-contained protocol
+ in Samba-3 for Security Account Manager database [SAM] replication).
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ If you need more than one domain controller, do not use a tdbsam authentication backend.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2524344"></a>Example: Engineering Office</h4></div></div></div><p>
+ The engineering office network server we present here is designed to demonstrate use
+ of the new tdbsam password backend. The tdbsam
+ facility is new to Samba-3. It is designed to provide many user and machine account controls
+ that are possible with Microsoft Windows NT4. It is safe to use this in smaller networks.
+ </p><div class="procedure"><div class="example"><a name="fast-engoffice-global"></a><p class="title"><b>Example 2.7. Engineering Office smb.conf (globals)</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2524420"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id2524432"></a><em class="parameter"><code>netbios name = FRODO</code></em></td></tr><tr><td><a class="indexterm" name="id2524445"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id2524458"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2524471"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m %u</code></em></td></tr><tr><td><a class="indexterm" name="id2524484"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r %u</code></em></td></tr><tr><td><a class="indexterm" name="id2524497"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd %g</code></em></td></tr><tr><td><a class="indexterm" name="id2524511"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel %g</code></em></td></tr><tr><td><a class="indexterm" name="id2524524"></a><em class="parameter"><code>add user to group script = /usr/sbin/groupmod -A %u %g</code></em></td></tr><tr><td><a class="indexterm" name="id2524537"></a><em class="parameter"><code>delete user from group script = /usr/sbin/groupmod -R %u %g</code></em></td></tr><tr><td><a class="indexterm" name="id2524551"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u</code></em></td></tr><tr><td># Note: The following specifies the default logon script.</td></tr><tr><td># Per user logon scripts can be specified in the user account using pdbedit </td></tr><tr><td><a class="indexterm" name="id2524574"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td># This sets the default profile path. Set per user paths with pdbedit</td></tr><tr><td><a class="indexterm" name="id2524591"></a><em class="parameter"><code>logon path = \\%L\Profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2524604"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id2524617"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2524630"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2524643"></a><em class="parameter"><code>os level = 35</code></em></td></tr><tr><td><a class="indexterm" name="id2524655"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2524668"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2524681"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2524694"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2524707"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div><div class="example"><a name="fast-engoffice-shares"></a><p class="title"><b>Example 2.8. Engineering Office smb.conf (shares and services)</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2524746"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2524758"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2524771"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2524783"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td># Printing auto-share (makes printers available thru CUPS)</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2524809"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id2524822"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2524835"></a><em class="parameter"><code>printer admin = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id2524848"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id2524860"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2524873"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2524886"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2524907"></a><em class="parameter"><code>comment = Printer Drivers Share</code></em></td></tr><tr><td><a class="indexterm" name="id2524920"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2524933"></a><em class="parameter"><code>write list = maryo, root</code></em></td></tr><tr><td><a class="indexterm" name="id2524946"></a><em class="parameter"><code>printer admin = maryo, root</code></em></td></tr><tr><td># Needed to support domain logons</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2524972"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2524985"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2524998"></a><em class="parameter"><code>admin users = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id2525010"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2525023"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td># For profiles to work, create a user directory under the path</td></tr><tr><td># shown. i.e., mkdir -p /var/lib/samba/profiles/maryo</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[Profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2525053"></a><em class="parameter"><code>comment = Roaming Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2525066"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2525079"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2525092"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td># Other resource (share/printer) definitions would follow below.</td></tr></table></div><ol type="1"><li><p>
+ A working PDC configuration using the tdbsam
+ password backend can be found in <a href="FastStart.html#fast-engoffice-global" title="Example 2.7. Engineering Office smb.conf (globals)">Engineering Office smb.conf
+ (globals)</a> together with <a href="FastStart.html#fast-engoffice-shares" title="Example 2.8. Engineering Office smb.conf (shares and services)">Engineering Office smb.conf
+ (shares and services)</a>:
+ <a class="indexterm" name="id2524388"></a>
+ </p></li><li><p>
+ Create UNIX group accounts as needed using a suitable operating system tool:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>groupadd ntadmins</code></strong>
+<code class="prompt">root# </code><strong class="userinput"><code>groupadd designers</code></strong>
+<code class="prompt">root# </code><strong class="userinput"><code>groupadd engineers</code></strong>
+<code class="prompt">root# </code><strong class="userinput"><code>groupadd qateam</code></strong>
+</pre><p>
+ </p></li><li><p>
+ Create user accounts on the system using the appropriate tool
+ provided with the operating system. Make sure all user home directories
+ are created also. Add users to groups as required for access control
+ on files, directories, printers, and as required for use in the Samba
+ environment.
+ </p></li><li><p>
+ <a class="indexterm" name="id2525183"></a>
+ <a class="indexterm" name="id2525192"></a>
+ Assign each of the UNIX groups to NT groups by executing this shell script
+ (You could name the script <code class="filename">initGroups.sh</code>):
+</p><pre class="screen">
+#!/bin/bash
+#### Keep this as a shell script for future re-use
+
+# First assign well known groups
+net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins
+net groupmap modify ntgroup="Domain Users" unixgroup=users
+net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
+
+# Now for our added Domain Groups
+net groupmap add ntgroup="Designers" unixgroup=designers type=d
+net groupmap add ntgroup="Engineers" unixgroup=engineers type=d
+net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
+</pre><p>
+ </p></li><li><p>
+ Create the <code class="filename">scripts</code> directory for use in the
+ <em class="parameter"><code>[NETLOGON]</code></em> share:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>mkdir -p /var/lib/samba/netlogon/scripts</code></strong>
+</pre><p>
+ Place the logon scripts that will be used (batch or cmd scripts)
+ in this directory.
+ </p></li></ol></div><p>
+ The above configuration provides a functional PDC
+ system to which must be added file shares and printers as required.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2525267"></a>A Big Organization</h4></div></div></div><p>
+ In this section we finally get to review in brief a Samba-3 configuration that
+ uses a Lightweight Directory Access (LDAP)-based authentication backend. The
+ main reasons for this choice are to provide the ability to host primary
+ and Backup Domain Control (BDC), as well as to enable a higher degree of
+ scalability to meet the needs of a very distributed environment.
+ </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2525283"></a>The Primary Domain Controller</h5></div></div></div><p>
+ This is an example of a minimal configuration to run a Samba-3 PDC
+ using an LDAP authentication backend. It is assumed that the operating system
+ has been correctly configured.
+ </p><p>
+ The Idealx scripts (or equivalent) are needed to manage LDAP-based POSIX and/or
+ SambaSamAccounts. The Idealx scripts may be downloaded from the <a href="http://www.idealx.org" target="_top">
+ Idealx</a> Web site. They may also be obtained from the Samba tarball. Linux
+ distributions tend to install the Idealx scripts in the
+ <code class="filename">/usr/share/doc/packages/sambaXXXXXX/examples/LDAP/smbldap-tools</code> directory.
+ Idealx scripts version <code class="constant">smbldap-tools-0.9.1</code> are known to work well.
+ </p><div class="procedure"><div class="example"><a name="fast-ldap"></a><p class="title"><b>Example 2.9. LDAP backend smb.conf for PDC</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2525528"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id2525540"></a><em class="parameter"><code>netbios name = FRODO</code></em></td></tr><tr><td><a class="indexterm" name="id2525553"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id2525567"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2525580"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2525593"></a><em class="parameter"><code>add user script = /usr/local/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2525606"></a><em class="parameter"><code>delete user script = /usr/local/sbin/smbldap-userdel %u</code></em></td></tr><tr><td><a class="indexterm" name="id2525620"></a><em class="parameter"><code>add group script = /usr/local/sbin/smbldap-groupadd -p '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2525633"></a><em class="parameter"><code>delete group script = /usr/local/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2525646"></a><em class="parameter"><code>add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2525660"></a><em class="parameter"><code>delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2525674"></a><em class="parameter"><code>set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2525688"></a><em class="parameter"><code>add machine script = /usr/local/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2525702"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2525715"></a><em class="parameter"><code>logon path = \\%L\Profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2525728"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id2525741"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2525753"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2525766"></a><em class="parameter"><code>os level = 35</code></em></td></tr><tr><td><a class="indexterm" name="id2525779"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2525792"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2525805"></a><em class="parameter"><code>ldap suffix = dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id2525818"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2525831"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2525844"></a><em class="parameter"><code>ldap group suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2525857"></a><em class="parameter"><code>ldap idmap suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2525870"></a><em class="parameter"><code>ldap admin dn = cn=Manager</code></em></td></tr><tr><td><a class="indexterm" name="id2525883"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id2525895"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2525908"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2525921"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2525934"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div><ol type="1"><li><p>
+ Obtain from the Samba sources <code class="filename">~/examples/LDAP/samba.schema</code>
+ and copy it to the <code class="filename">/etc/openldap/schema/</code> directory.
+ </p></li><li><p>
+ Set up the LDAP server. This example is suitable for OpenLDAP 2.1.x.
+ The <code class="filename">/etc/openldap/slapd.conf</code> file.
+ <a class="indexterm" name="id2525357"></a>
+<font color="red"><title>Example slapd.conf File</title></font>
+</p><pre class="screen">
+# Note commented out lines have been removed
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+database bdb
+suffix "dc=quenya,dc=org"
+rootdn "cn=Manager,dc=quenya,dc=org"
+rootpw {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P
+# The password for the above is 'nastyon3'
+
+directory /var/lib/ldap
+
+index objectClass eq
+index cn pres,sub,eq
+index sn pres,sub,eq
+index uid pres,sub,eq
+index displayName pres,sub,eq
+index uidNumber eq
+index gidNumber eq
+index memberUid eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+</pre><p>
+ </p></li><li><p>
+ Create the following file <code class="filename">initdb.ldif</code>:
+ <a class="indexterm" name="id2525404"></a>
+</p><pre class="programlisting">
+# Organization for SambaXP Demo
+dn: dc=quenya,dc=org
+objectclass: dcObject
+objectclass: organization
+dc: quenya
+o: SambaXP Demo
+description: The SambaXP Demo LDAP Tree
+
+# Organizational Role for Directory Management
+dn: cn=Manager,dc=quenya,dc=org
+objectclass: organizationalRole
+cn: Manager
+description: Directory Manager
+
+# Setting up the container for users
+dn: ou=People, dc=quenya, dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: People
+
+# Set up an admin handle for People OU
+dn: cn=admin, ou=People, dc=quenya, dc=org
+cn: admin
+objectclass: top
+objectclass: organizationalRole
+objectclass: simpleSecurityObject
+userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
+# The password for above is 'mordonL8'
+</pre><p>
+ </p></li><li><p>
+ Load the initial data above into the LDAP database:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>slapadd -v -l initdb.ldif</code></strong>
+</pre><p>
+ </p></li><li><p>
+ Start the LDAP server using the appropriate tool or method for
+ the operating system platform on which it is installed.
+ </p></li><li><p>
+ Install the Idealx script files in the <code class="filename">/usr/local/sbin</code> directory,
+ then configure the smbldap_conf.pm file to match your system configuration.
+ </p></li><li><p>
+ The <code class="filename">smb.conf</code> file that drives this backend can be found in example <a href="FastStart.html#fast-ldap" title="Example 2.9. LDAP backend smb.conf for PDC">LDAP backend smb.conf for PDC</a>. Add additional stanzas
+ as required.
+ </p></li><li><p>
+ Add the LDAP password to the <code class="filename">secrets.tdb</code> file so Samba can update
+ the LDAP database:
+</p><pre class="screen">
+<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -w mordonL8</code></strong>
+</pre><p>
+ </p></li><li><p>
+ Add users and groups as required. Users and groups added using Samba tools
+ will automatically be added to both the LDAP backend and the operating
+ system as required.
+ </p></li></ol></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2525990"></a>Backup Domain Controller</h5></div></div></div><p>
+ <a href="FastStart.html#fast-bdc" title="Example 2.10. Remote LDAP BDC smb.conf">???</a> shows the example configuration for the BDC. Note that
+ the <code class="filename">smb.conf</code> file does not specify the smbldap-tools scripts they are
+ not needed on a BDC. Add additional stanzas for shares and printers as required.
+ </p><div class="procedure"><div class="example"><a name="fast-bdc"></a><p class="title"><b>Example 2.10. Remote LDAP BDC smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2526069"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id2526082"></a><em class="parameter"><code>netbios name = GANDALF</code></em></td></tr><tr><td><a class="indexterm" name="id2526095"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://frodo.quenya.org</code></em></td></tr><tr><td><a class="indexterm" name="id2526108"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2526121"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2526134"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2526147"></a><em class="parameter"><code>logon path = \\%L\Profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2526160"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id2526173"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2526186"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2526198"></a><em class="parameter"><code>os level = 33</code></em></td></tr><tr><td><a class="indexterm" name="id2526211"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2526224"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2526237"></a><em class="parameter"><code>ldap suffix = dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id2526250"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2526263"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2526276"></a><em class="parameter"><code>ldap group suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2526289"></a><em class="parameter"><code>ldap idmap suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2526302"></a><em class="parameter"><code>ldap admin dn = cn=Manager</code></em></td></tr><tr><td><a class="indexterm" name="id2526315"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id2526328"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2526340"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2526353"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2526366"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div><ol type="1"><li><p>
+ Decide if the BDC should have its own LDAP server or not. If the BDC is to be
+ the LDAP server, change the following <code class="filename">smb.conf</code> as indicated. The default
+ configuration in <a href="FastStart.html#fast-bdc" title="Example 2.10. Remote LDAP BDC smb.conf">Remote LDAP BDC smb.conf</a>
+ uses a central LDAP server.
+ </p></li><li><p>
+ Configure the NETLOGON and PROFILES directory as for the PDC in <a href="FastStart.html#fast-bdc" title="Example 2.10. Remote LDAP BDC smb.conf">???</a>.
+ </p></li></ol></div></div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 1. How to Install and Test SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Server Configuration Basics</td></tr></table></div></body></html>
projects / samba / blobdiff