Notes from reading the Samba documentation


The material below is almost entirely a composition of quotations from the original documentation.

  • Always run testparm again whenever the smb.conf file is changed! (root# testparm /etc/samba/smb.conf)
  • The testparm utility can be used to generate a fully optimized smb.conf file from this master configuration and documentation file (root# testparm -s smb.conf.master > smb.conf)
  • To launch SWAT, just run your favorite Web browser and point it to http://localhost:901/.
  • Check that Samba is running correctly (smbclient -L localhost -U%)
  • Samba-3 provides management of users and groups via the User Manager for Domains using the SRVTOOLS.EXE package for MS Windows NT4/200x/XP platforms. This package is available from Microsoft's Web site.
  • The Windows 200x/XP Microsoft Management Console (MMC) cannot be used to manage a Samba-3 server.
  • New to Samba-3 is the ability to use a backend database that holds the same type of data as the NT4-style SAM database (one of the registry files).
  • The following are necessary for configuring Samba-3 as an MS Windows NT4-style PDC for MS Windows NT4/200x/XP clients:
    • Configuration of basic TCP/IP and MS Windows networking.
    • Correct designation of the server role (security = user).
    • Consistent configuration of name resolution (see network browsing).
    • Domain logons for Windows NT4/200x/XP Professional clients.
    • Configuration of roaming profiles or explicit configuration to force local profile usage.
    • Configuration of network/system policies.
    • Adding and managing domain user accounts.
    • Configuring MS Windows NT4/2000 Professional and Windows XP Professional client machines to become domain members.

Example smb.conf for a server acting as a PDC

 [global]
 passdb backend = tdbsam
 os level = 33
 preferred master = auto
 domain master = yes
 local master = yes
 security = user
 domain logons = yes
 logon path = \\%N\profiles\%U
 logon drive = H:
 logon home = \\homeserver\%U\winprofile
 logon script = logon.cmd

 [netlogon]
 path = /var/lib/samba/netlogon
 read only = yes

 [profiles]
 path = /var/lib/samba/profiles
 read only = no
 create mask = 0600
 directory mask = 0700
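Added example (not from the Samba documentation): a POSIX shell check that an smb.conf file actually carries the settings the PDC role above depends on, and that the [profiles] share masks keep one user's profile out of reach of another. It parses the file with awk, so it runs without Samba installed; testparm remains the authoritative check. The sample configuration it writes is a constructed copy of the example above.

```shell
# smb_get FILE SECTION KEY: print the value of KEY in [SECTION], exit 1 if absent.
# Section and key names are matched case-insensitively, as Samba does.
smb_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[;#]/ { next }                     # comment line
        /^[ \t]*\[/ {                              # section header
            cur = substr($0, index($0, "[") + 1)
            cur = tolower(substr(cur, 1, index(cur, "]") - 1))
            next
        }
        index($0, "=") > 0 && cur == tolower(sec) {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_pdc_conf FILE: verify the settings the PDC role depends on and that the
# profile share cannot expose one user's profile to another. Prints each
# problem; returns the number of problems (0 = everything in place).
check_pdc_conf() {
    bad=0
    for spec in "global|security|user" \
                "global|domain logons|yes" \
                "global|domain master|yes" \
                "netlogon|read only|yes" \
                "profiles|create mask|0600" \
                "profiles|directory mask|0700"; do
        sec=${spec%%|*}; rest=${spec#*|}; key=${rest%%|*}; want=${rest#*|}
        if got=$(smb_get "$1" "$sec" "$key"); then
            if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
                echo "[$sec] $key = $got (expected $want)"
                bad=$((bad + 1))
            fi
        else
            echo "[$sec] $key is not set"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# write_sample_conf FILE: a constructed smb.conf modelled on the PDC example
# above, so the check can be exercised without a real server.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   passdb backend = tdbsam
   security = user
   domain logons = yes
   domain master = yes
   logon path = \\%N\profiles\%U

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   create mask = 0600
   directory mask = 0700
EOF
}

# Usage: sh check_pdc.sh /etc/samba/smb.conf
[ $# -eq 0 ] || check_pdc_conf "$1"
```

A non-zero exit status is the number of problems found. Values are lower-cased before comparison, mirroring Samba's case-insensitive parsing, so "Yes" and "yes" are treated alike.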

  • MS Windows XP Home Edition does not have the ability to join any type of domain security facility.
  • To reset or change the domain SID you can use the net command as follows:
       root# net getlocalsid 'OLDNAME'
       root# net setlocalsid 'SID'
  • The first step in manually creating a Machine Trust Account is to manually create the corresponding UNIX account. The “$” must be appended to the NetBIOS name of the machine or Samba will not recognize this as a Machine Trust Account. Now that the corresponding UNIX account has been created, the next step is to create the Samba account for the client containing the well-known initial Machine Trust Account password. This can be done using the smbpasswd command as shown here:
       root# smbpasswd -a -m machine_name

Joining a Domain: Windows 2000/XP Professional

  1. Click Start.
  2. Right-click My Computer, then select Properties.
  3. The opening panel is the same one that can be reached by clicking System on the Control Panel. See “The General Panel”.
  4. Click the Computer Name tab. This panel shows the Computer Description, the Full computer name, and the Workgroup or Domain name. Clicking the Network ID button will launch the configuration wizard. Do not use this with Samba-3. If you wish to change the computer name or join or leave the domain, click the Change button.
  5. Click Domain radio-button and enter the domain name in the field below the domain radio button.
  6. Now click the OK button. A dialog box should appear to allow you to provide the credentials (username and password) of a domain administrative account that has the rights to add machines to the domain. Enter the name “root” and the root password from your Samba-3 server.

The following mappings are required:

Essential Domain Group Mappings

 Domain Group    RID   Example UNIX Group
 Domain Admins   512   root
 Domain Users    513   users
 Domain Guests   514   nobody

When an MS Windows NT4/200x/XP machine is made a domain member, the “Domain Admins” group of the PDC is added to the local Administrators group of the workstation. Every member of the Domain Admins group inherits the rights of the local Administrators group when logging on the workstation.

The following steps describe how to make Samba PDC users members of the Domain Admins group.

  1. Create a UNIX group (usually in /etc/group); let's call it domadm.
  2. Add to this group the users that must be “Administrators”. For example, if you want joe, john, and mary to be administrators, your entry in /etc/group will look like this:
       domadm:x:502:joe,john,mary
  3. Map this domadm group to the “Domain Admins” group by executing the command:
       root# net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d

The quotes around “Domain Admins” are necessary due to the space in the group name. Also make sure to leave no white space surrounding the equal character (=).

Now joe, john, and mary are domain administrators.


It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as to make any UNIX group a Windows domain group. For example, if you wanted to include a UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine, you would flag that group as a domain group by running the following on the Samba PDC:

     root# net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct type=d

The ntgroup value must be in quotes if it contains space characters to prevent the space from being interpreted as a command delimiter.

Be aware that the RID parameter is an unsigned 32-bit integer that should normally start at 1000. However, this RID must not overlap with any RID assigned to a user. Verification for this is done differently depending on the passdb backend you are using. Future versions of the tools may perform the verification automatically, but for now the burden is on you.
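The RID-overlap check that the text leaves to the administrator, as an added example that is not part of the Samba documentation. It reads the output of `pdbedit -Lv` saved to a file and reports whether a candidate group RID is already held by a user account; the `User SID:` line format is assumed to be the one pdbedit -Lv prints, and the accounts and domain SID in the embedded sample are invented for this example.

```shell
# user_rids: read "pdbedit -Lv" output on stdin and print the RID (last
# component of the SID) of every user account. Assumes the "User SID:" line
# format of pdbedit -Lv; "Primary Group SID:" lines are deliberately skipped.
user_rids() {
    awk '$1 == "User" && $2 == "SID:" { n = split($3, p, "-"); print p[n] }'
}

# rid_free RID FILE: 0 if RID is not used by any user in FILE (pdbedit -Lv
# output), 1 if it is, 2 if RID is not a non-negative integer.
rid_free() {
    case $1 in
        ''|*[!0-9]*) echo "rid_free: '$1' is not a valid RID" >&2; return 2 ;;
    esac
    if user_rids < "$2" | grep -qx "$1"; then
        echo "RID $1 is already assigned to a user" >&2
        return 1
    fi
    return 0
}

# next_free_rid START FILE: print the first RID >= START that no user holds.
next_free_rid() {
    case $1 in ''|*[!0-9]*) return 2 ;; esac
    rid=$1
    while ! rid_free "$rid" "$2" 2>/dev/null; do
        rid=$((rid + 1))
    done
    echo "$rid"
}

# write_sample_passdb FILE: constructed pdbedit -Lv excerpt (domain SID and
# accounts invented for this example).
write_sample_passdb() {
    cat > "$1" <<'EOF'
Unix username:        joe
NT username:          joe
User SID:             S-1-5-21-1234567890-987654321-1122334455-1000
Primary Group SID:    S-1-5-21-1234567890-987654321-1122334455-513
---------------
Unix username:        mary
NT username:          mary
User SID:             S-1-5-21-1234567890-987654321-1122334455-1002
Primary Group SID:    S-1-5-21-1234567890-987654321-1122334455-513
---------------
Unix username:        ws01$
NT username:          ws01$
User SID:             S-1-5-21-1234567890-987654321-1122334455-3000
Primary Group SID:    S-1-5-21-1234567890-987654321-1122334455-515
EOF
}

# Usage: pdbedit -Lv > /tmp/passdb.txt; sh rid_check.sh 1000 /tmp/passdb.txt
[ $# -ne 2 ] || rid_free "$1" "$2"
```

Run the check before every `net groupmap add ... rid=N`; an exit status of 1 means the RID is taken, and `next_free_rid` gives the nearest unused one above a starting point. Machine trust accounts (the `$`-suffixed names) are user accounts in the passdb and are covered by the same check.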


  • Windows does not permit user and group accounts to have the same name.

Addendum from the page: http://educationwebsitesfree.blogspot.com/2009/05/downloading-and-installing-srvtoolsexe.html

Downloading and installing the SRVTOOLS.EXE file on a Windows NT/2K/XP computer

  1. The PC must be a member of the domain (see the above post on how to join a PC to the domain). Log in as an administrator user of the NEWDOM domain (the root user of the Linux server can be used here: log in with the user name Administrator, the password of the Linux root user, and NEWDOM as the domain).
  2. Go to the following page and download SRVTOOLS.EXE.
  3. Copy the downloaded file (SRVTOOLS.EXE) to the SystemRoot/system32 directory using Windows Explorer (usually either c:/winnt/system32 or c:/windows/system32). You may have to unhide directories (if asked) while clicking through to the system32 directory.
  4. Once the SRVTOOLS.EXE file is in the system32 directory, double-click it to expand it. Four new files should now appear at the bottom of the Explorer window; create shortcuts on your desktop that point to SystemRoot/system32/USRMGR.EXE and SystemRoot/system32/SRVMGR.EXE.
  5. You should be able to add new users and groups via USRMGR. After you add new users via USRMGR, you have to log in to the Linux server (as root) and issue the following commands to create the profile for that user:
    cd /var/lib/samba/profiles
    mkdir username
    chown -R username.users username
    chmod -R 771 username

To make it a little bit easier, I am including a script to do this .... edit the file /usr/bin/mk_smb_profile and paste in the following:

(:source lang=Bash:)
#!/bin/bash

PATH=/bin:/sbin:/usr/bin:/usr/sbin

# A user name is required.
if [ "$1x" = "x" ]; then
    echo $"Usage: $0 username"
    exit 1
fi

SMB_PROFILES=/var/lib/samba/profiles

# Never touch an existing profile directory.
if [ -d "$SMB_PROFILES/$1" ]; then
    echo $"$1 user profile already exists"
    exit 1
fi

# Stop if the profile root is missing instead of creating the directory elsewhere.
cd "$SMB_PROFILES" || exit 1
mkdir "$1"
chown -R "$1.users" "$1"
chmod -R 771 "$1"
exit 0
(:sourceend:)

then do:

    chmod 755 /usr/bin/mk_smb_profile

To add the new user, just issue the command:

    mk_smb_profile username

Now you should be able to log in as the new user on the Windows machines.
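A hardened variant of the profile script, added here as an example (it is not the script from the blog post above). It assumes the same profile root /var/lib/samba/profiles and group users, both overridable as optional arguments, and creates the directory with mode 0700 (matching the share's directory mask) rather than 771. The difference that matters: the user name is validated before it is ever used in a path, and a name that is not a system account is rejected, so the script cannot be pointed at a directory outside the profile root or at a non-existent owner.

```shell
#!/bin/sh
# Hardened profile-directory creator (added example, not the page's script).
# Assumptions: profile root /var/lib/samba/profiles and group "users",
# both overridable by the 2nd and 3rd argument.

# valid_username NAME: accept only a conservative POSIX user name, so input
# such as "../etc" or "joe;id" can never be spliced into a path or a command.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# mk_smb_profile USER [BASE] [GROUP]: create BASE/USER owned by USER:GROUP.
# Return codes: 1 bad name, 2 unknown user, 3 profile already exists,
# 4 filesystem or ownership error.
mk_smb_profile() {
    user=$1
    base=${2:-/var/lib/samba/profiles}
    group=${3:-users}
    valid_username "$user" || { echo "mk_smb_profile: invalid user name" >&2; return 1; }
    # Only accounts known to the system get a profile directory.
    getent passwd "$user" >/dev/null || { echo "mk_smb_profile: no such user '$user'" >&2; return 2; }
    [ ! -e "$base/$user" ] || { echo "mk_smb_profile: profile for '$user' already exists" >&2; return 3; }
    # -m sets the mode at creation time, so the directory is never readable
    # by others, not even briefly before a later chmod.
    mkdir -m 0700 "$base/$user" || return 4
    chown "$user:$group" "$base/$user" || return 4
}

# Usage: mk_smb_profile joe
[ $# -eq 0 ] || mk_smb_profile "$@"
```

Install it as /usr/bin/mk_smb_profile in place of the original and the usage stays `mk_smb_profile username`; the distinct return codes let a provisioning script tell a typo from a duplicate request.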


