[SLUG] Samba Configuration

Paul Teasdale pdt at rcsuk.fsnet.co.uk
Wed Dec 15 13:12:13 GMT 2004


Hi

Apologies upfront for the long mail but I did promise Phil that I would
send him my smb.conf (Samba configuration) file at the last meeting and
thought it might be of use to others. I have therefore decided to post it
on the list in order that it may help someone else. This script does not
state how to install, stop and start the Samba daemons. I'll leave that
as an exercise for the reader.

The version of Samba I am currently running is 3.0.6. I have configured
Samba in such a way that it acts as a Primary Domain Controller (PDC)
for a Windows network. This gives proper domain authentication for each
of the Windows client PCs and all the other benefits that a domain
gives such as centralised user administration, shared directories with
correct user authentication, printing etc. There is quite a lot more to
this than just the configuration file and I have gone into a little
explanation here and there in order to help someone make use of it.

Firstly the smb.conf file:

[global]
workgroup = LINET
netbios name = saturn
server string = Samba Server
	
; My domain will be called linet, the server will be saturn.

interfaces = 192.168.1.1/255.255.255.0
passdb backend = tdbsam
security = user

; Add machine script explained later

; All one line
add machine script = /usr/sbin/useradd -d /dev/null -g workstation -s /bin/false -M %u

logon script = logon.bat
logon path = \\%L\profiles\%U
logon drive = z:
logon home = \\%L\%U\win_profile
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
hosts allow = 192.168.1. 192.168.0.
name resolve order = wins bcast lmhosts hosts
wins support = Yes
time server = Yes
	
; Act as a wins server and a time server
	
max log size = 1000
log level = 0

[homes]

; Share the user's /home directory for use as a private area
; Users can only access their own area

path = %H
comment = Private area
browsable = false
valid users = %S
read only = no
force group = users
create mask = 0600
directory mask = 0700

[netlogon]

; Required for logon scripts

path = /home/samba/netlogon
write list = ntadmin
browsable = false

[profiles]

; Required for user profiles

path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
profile acls = Yes
browsable = false
csc policy = disable

[work]

; Share a /home/work directory to all and take the permissions
; of the individual user for each file

path = /home/work
read only = No

[software]

; Share a /home/software directory. Only allow access to
; any user in the unix group "software". Force the
; group to software on any files they save so other users
; in the software group have equivalent privileges on the
; specific file. Force the file and directory creation
; masks also.

comment = Software Area
path = /home/software
valid users = @software
read only = no
force group = software
create mask = 0660
directory mask = 0770

[admin]
comment = Admin Area
path = /home/admin
valid users = @admin
read only = no
force group = admin
create mask = 0660
directory mask = 0770

Firstly, bad idea or not, I have created a directory under /home called
samba. I regularly back up the /home directory and putting the samba
stuff here then ensures it's backed up. I have not created a user called
'samba', just manually created a directory with the mkdir command.

Within /home/samba I have created another two directories called
netlogon and profiles. These directories also need the correct permissions:

#cd /home
#mkdir samba
#mkdir samba/profiles
#mkdir samba/netlogon
#chmod 777 samba
#chmod 777 samba/profiles
#chmod 775 samba/netlogon

The profiles directory holds info relating to each domain user. If you
use roaming profiles any roaming data will be stored here. Regardless of
the Windows client where you logon you will get the same profile data
(screen saver etc) when using roaming profiles (but they can be a pain
if your clients are all configured differently).

The netlogon directory holds netlogon batch files and must be defined even if you
don't intend to use any batch files.

I have also created some areas to share out to the Windows clients:

#mkdir samba/work
#mkdir samba/software
#mkdir samba/admin
#chmod 777 samba/work
#chmod 770 samba/software
#chmod 770 samba/admin
#chown root.users samba/work
#chown root.software samba/software
#chown root.admin samba/admin

Note that the unix groups software and admin must exist for these
commands to work.

Admin Account
=============

You firstly need an administrator account. I am going to use 'root' as
an example here but it can be any unix user, even one with very few
privileges.

So add the root user to the Samba user database:

#smbpasswd -a root

This will ask for and set a password for root. You don't have to use the
root password to your linux account and indeed it's advisable to use
something different. It is possible to sync unix/samba users passwords 
but I have not looked at doing this.

I also want a domain administrators group so I can give other users
extra privileges to do admin tasks. To do this I create a unix group to
group the admin users together. So:

#groupadd domadmins
#usermod -G domadmins root (Adds root to domadmins group)

Now I need to associate the domadmins group to the builtin Windows group
called "Domain Admins" so:

#net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins

Now any unix users I put in the domadmins group will automatically be
Windows Domain Admins when they logon to my Samba domain.

Machine Account
===============

In order for a Windows PC to join the domain it must have a machine
account. In essence the name of the Windows client PC must have a
matching Unix user account name that ends in a dollar ($) on the machine
acting as the Samba server. This is so because if you were running a
proper NT PDC (Windows NT4 Server for example) you cannot willy-nilly
join any Windows client to the domain without authenticating first. These
are known as trust accounts in the world of Windows. Samba achieves this with
the machine account concept.

You can do this manually by:

Adding a unix user which is actually the name of your Windows PC with a
dollar on the end of it and then use the smbpasswd command to link the unix
user account with the Samba user database (note NO dollar on the smbpasswd
command):

#useradd -d /dev/null -s /bin/false -g winclients -M windowsclientname$
#smbpasswd -m -a windowsclientname

Note 1: The -m switch adds a machine name to the Samba user database as
opposed to a user name.

Note 2: The above command also assumes that you have a unix user group
called winclients to group all the machine accounts together (command:
groupadd winclients).

You'll notice in my smb.conf file a line starting:

add machine script = ...

This allows administrators to automatically add a new machine account
after giving the administrators password. So on your Windows client that
you are connecting to the domain you type the domain name that you want
to join (LINET in my case), you'll be prompted for the administrator 
user and password (root & password in my case) and the machine is 
automatically added as a unix user and into the Samba users database. 
Samba does this by running the script to add the unix user and then 
transparently adds the machine into the unix database.

Normal Users
============

Normal domain users need to be given a unix user account and added to
the Samba user database. They also need to be given the Windows "Domain
Users" privilege, which is a built in Windows group, in order to logon to
the domain.

So:

#useradd -d /home/winuser -s /bin/false -g users -G software -M winuser
#smbpasswd -a winuser

The above commands add a unix user called winuser whose main group is
users and also one additional group of software. The smbpasswd command
adds the user to the Samba user database. Note that the user added above
would not be able to logon to your Unix PC because I have specified
their shell as /bin/false although you can change this if you wish.

Now link the unix group 'users' to the Windows group "Domain Users":

#net groupmap modify ntgroup="Domain Users" unixgroup=users

I also want a new Windows group called software and want to map it to my
unix group software:

#net groupmap add ntgroup=Software unixgroup=software

Note that you don't need quotes if the group does not contain any spaces.

Looking at my smb.conf file, this user would now be able to log onto a
Windows client and have instant access to my /home/software area as well
as the /home/winuser area and /home/work area. This user would not be
allowed to access the /home/admin share however because they are not
part of the unix/nt admin group. Clicking on the share would ask the
user to type in the user details of a privileged user.

To get a list of all the windows group available try:

#net groupmap list

Add new groups with (see man net for more):

#net groupmap add .....

Modify existing groups with (see man net for more):

#net groupmap modify .....

Conclusion
==========

There is much, much more to Samba but I hope this helps as a starting
point. Also Samba can be much simpler if you just want to share files,
directories and printers normally rather than act as a Windows PDC, so
don't panic if you're new to Samba and think this is rather complicated.

Hope this helps,

Paul.
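As an added example that is not part of Paul's mail or of Samba itself, the shell function below lints share definitions in an smb.conf of the shape shown above: it flags shares that every domain user can write to, create/directory masks that grant "other" bits, a missing "hosts allow", and "log level = 0". The sample config it reads is a constructed cut-down copy of the one in the mail; the awk logic is mine, not testparm's.

```shell
# Added example, not part of Paul's post: an awk lint for smb.conf shares, run
# over a constructed cut-down copy of the page's config. It flags shares that
# every domain user can write to, masks granting world bits, a missing
# "hosts allow", and "log level = 0" (no authentication events recorded).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
hosts allow = 192.168.1. 192.168.0.
log level = 0
[homes]
valid users = %S
read only = no
create mask = 0600
[work]
path = /home/work
read only = No
[software]
valid users = @software
read only = no
create mask = 0666
EOF
# audit_smbconf FILE: prints "section: finding" per issue; exit status 1 if any
audit_smbconf() {
    awk '
    function flag(msg) { print sec ": " msg; n++ }
    function worldbits(key) {   # last octal digit non-zero => "other" gets access
        if ((key in v) && substr(v[key], length(v[key])) != "0") flag(key " " v[key] " grants world access")
    }
    function flush(   k, ro) {
        if (sec == "") return
        if (sec == "global") {
            if (v["log level"] == "0") flag("log level 0 records no authentication events")
            if (!("hosts allow" in v)) flag("no hosts allow restriction")
        } else if (sec != "homes") {   # [homes] is already per-user via valid users = %S
            ro = tolower(v["read only"])
            if ((ro == "no" || ro == "false" || tolower(v["writable"]) == "yes") &&
                !("valid users" in v) && !("write list" in v))
                flag("writable by every domain user (no valid users / write list)")
        }
        worldbits("create mask"); worldbits("directory mask")
        for (k in v) delete v[k]
    }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }                     # comments, blanks
    /^[ \t]*\[/ { flush(); sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
    /=/ { key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
          val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); v[tolower(key)] = val }
    END { flush(); exit (n > 0) }
    ' "$1"
}
```

Run it as `audit_smbconf /etc/samba/smb.conf`; on the sample above it reports the open [work] share, the 0666 mask on [software] and the zero log level, and is silent about [homes].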
