Using samba



  1. LPIC-302 Mixed Environment: Using Samba
  2. Objectives. Topic 310: Concepts, Architecture and Design
     • 310.1 Concepts
     • 310.2 Samba Roles
     • 310.3 Trivial Database Files
     Topic 311: Compile and Install Samba
     • 311.1 Configure and Build From Source
     • 311.2 Install and Upgrade Samba
  6. Objectives. Topic 312: Samba Configuration and Usage
     • 312.1 Configure Samba
     • 312.2 File Services
     • 312.3 Print Services
     • 312.4 Domain Control
     • 312.5 SWAT Configuration
     • 312.6 Internationalization
  12. Objectives. Topic 313: User and Group Management
     • 313.1 Managing User Accounts and Groups
     • 313.2 Authentication and Authorization
     • 313.3 Winbind
     Topic 314: Working with CIFS, NetBIOS, and Active Directory
     • 314.1 CIFS Integration
     • 314.2 NetBIOS and WINS
     • 314.3 Integrating with Active Directory
     • 314.4 Working with Windows Clients
  18. Objectives. Topic 315: Security and Performance
     • 315.1 Linux File System and Share/Service Permissions
     • 315.2 Samba Security
     • 315.3 Performance Tuning
  21. Topic 310 Concepts, Architecture and Design. 310.1 Concepts
     Weight: 1
     Description: Candidates should be familiar with the fundamental concepts surrounding SMB/CIFS, file sharing and print services in a mixed environment.
  24. Key Knowledge Areas:
     • Understand Server Message Block (SMB)/Common Internet File System (CIFS).
     • Understand file sharing concepts.
     • Understand print services concepts.
  27. File and print sharing. The goal of file and print sharing is to let computers use disks and printers on other computers. This functionality allows more people to use the same expensive resources and to access those resources from anywhere. As central resources, files and printers can be more tightly controlled and audited.
  29. Desirable attributes of a file and print sharing solution are:
     • The solution should be network independent, indifferent to the type of network (Ethernet, token ring) on which it is run.
     • Applications should not need to know whether they are accessing a file on a local disk or a remote one, or whether they are printing to an attached or remote printer.
     • There should be some way to mediate simultaneous requests for the same resource, such as two people trying to print to a printer at the same time.
     • The solution should implement some type of authentication system to understand who is asking for a resource, and an authorization system to decide whether the access should be granted.
  35. There are several different ways to share files and printers. Many UNIX utilities, such as the Berkeley printing system, have been network aware since the early 1980s. Sun Microsystems introduced the Network File System (NFS) in 1984, which let UNIX computers mount file systems over the network. IBM and Microsoft came up with the SMB protocol to perform many network-sharing tasks, including sharing files and printers. File and print sharing can be performed by dedicated servers, by individual workstations, or by a combination of both.
  36. File sharing. Even if a file is being shared from a workstation, the device that has the disk resource to share is called the server, and the devices accessing the disk are called clients. The server is said to either export the file system (in UNIX terms) or to share the disk or directory (in Windows terms). Clients then mount the file system as a local disk or connect to the share.
     • The nature of the sharing relationship can be temporary or long term.
     • Another feature related to file sharing is the concept of browsing. Browsing allows a client to find a server on the network, usually from a dynamically populated list.
  39. Print sharing. A printer may not be attached directly to a server, so multiple levels of sharing could be occurring. When multiple clients have the same printer configured, they generally do so through a service called a spooler. The job of the spooler is to manage the list of print jobs, otherwise known as the print queue. As multiple people submit print jobs, the spooler stores the jobs to disk. Once the printer is free, the spooler can send the next job to the printer. Even though printers can be attached directly to the network, a server is usually used as the spooler, which in turn prints to the printer over the network. This is done for three reasons: first, the server is likely to have a larger spooling area than the printer; second, the server can take care of access control; and third, the server can handle printer drivers.
  40. SMB and CIFS. SMB is a protocol, not an implementation. The protocol has been implemented in many different operating systems, from Windows to UNIX and even mainframe environments.
  41. History. Andrew Tridgell developed the first version of Samba for UNIX in December 1991. SMB itself dates back to the early days of the PC, when IBM and Sytek co-developed a simple networking system designed for building small LANs. The system included something called NetBIOS, or Network Basic Input Output System. NetBIOS was a chunk of software that was loaded into memory to provide an interface between programs and the network hardware. It included an addressing scheme that was used to identify workstations and network-enabled applications. Next, Microsoft added features to DOS that allowed disk I/O to be redirected to the NetBIOS interface, which made disk space shareable over the LAN. The file-sharing protocol that they used eventually became known as SMB, and now CIFS.
  42. SMB vs. CIFS. CIFS is technically a dialect of SMB. The SMB protocol has been modified over the years, and CIFS is an enhanced version of the Server Message Block (SMB) protocol.
  43. SMB protocol overview: NetBIOS (Network Basic Input/Output System). NetBIOS provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network. As a client-server protocol, the client makes contact with the server. SMB started out requiring an application programming interface (API) layer called NetBIOS. This API provided several services that SMB used, as well as several services relating to name resolution and network browsing. When used in conjunction with NetBIOS
  44. NetBIOS provides three key services to a Microsoft network:
     • Name services for finding hosts on the network
     • Session services for reliable communication and transfers between a client and a server
     • Datagram distribution services for small messages and network broadcasts
  47. SMB in the OSI stack. Figure 1 (page 5) shows the Open Systems Interconnection (OSI) model, which is used to explain the interactions between network protocols. The OSI model describes the features necessary to have an application work over a network and breaks down the features into a series of layers. Each layer uses the services provided by the layers below it and provides services to the layers above it.
  50. Uniform Naming Convention. You may be familiar with universal resource identifiers (URIs). A URI identifies where you can find particular content. In the example URI, the host to ask for the content is [missing from the slide], and /developerworks refers to the resource on that host.
     Uniform Naming Convention (UNC) paths identify Windows network resources. A UNC path looks like \\shorty\documents\public\photo.jpg. The UNC path starts with two backslashes (\\) followed by the name of the server, another backslash, and the name of the shared folder. After that is a path relative to the shared folder that specifies the path to the resource.
  53. Samba. Samba consists of several daemons meant to run in the background and provide services, as well as several command-line tools. Some of the more notable binaries are:
     • smbd. This daemon acts as the SMB file and print server.
     • nmbd. This daemon provides the NetBIOS naming services.
     • mount.cifs. This utility mounts an SMB file system onto the local UNIX file system.
     • smbclient. This utility provides command-line access to SMB resources.
     • smb.conf. This is not a utility but rather the configuration file for all the tools, and therefore worth mentioning in the same context as the other binaries.
  54. Samba concepts. Samba, like other open source software, can be compiled from the source code or downloaded as part of your distribution. It is managed through system-initialization scripts and configuration files. Moving forward: the next exam objective, 310.2, discusses the roles that the different Samba daemons play and the different security modes under which these daemons operate.
  55. 310.2 Samba Roles. Weight: 1. Description: Candidates should be aware of Samba's security modes and the key roles of the Samba daemons. Key Knowledge Areas:
     • Understand Samba security modes
     • Identify roles of core Samba daemons
     • Manage Samba daemons
  58. Samba isn't a single program; rather, it's a series of interrelated servers and utilities, each of which has its own specific purpose. Understanding the differences between these servers and utilities will help you manage your Samba system. Furthermore, Samba implements a number of different security models.
  59. Identifying Samba daemons. Linux servers are often implemented as daemons; a Linux daemon runs in the background to perform some helpful task. The Samba server suite consists of several daemons, including smbd, nmbd, and winbindd.
  60. Understanding smbd. The smbd program provides most of the core functionality of Samba, including:
     • Providing file and printer shares, the most important Samba feature.
     • Authenticating users. smbd authenticates users against a local database or passes authentication requests on to another computer.
     • Providing time services. Samba can tell other computers what the current time is.
  61. By default, the smbd daemon binds to TCP ports 139 and 445. The SMB protocol uses port 139 through NetBIOS over TCP, which is the way many older clients use SMB/CIFS. Port 445 provides plain SMB over TCP services, which is how many newer clients access the Samba server. smbd can be considered the core of Samba. In fact, it's possible to connect to a computer that runs smbd alone by using a program such as Samba's own smbclient to perform file transfers.
  62. Understanding nmbd. The second key Samba daemon is nmbd. This server's main duty is handling name-related tasks. You can think of it as Samba's own version of the Domain Name System (DNS), although it's both simpler to configure and much less sophisticated than DNS. Specific tasks that nmbd performs include:
     • Responding to name broadcasts. Clients broadcast name queries to an entire network segment. The nmbd server listens for such broadcasts and, when Samba is configured to use the name being queried, responds. It also responds when it's configured to function as a proxy for another computer or network.
     • Registering a NetBIOS name. For NetBIOS name resolution to work, computers must register their names, either with a centralized NetBIOS name server or by broadcasting the name and negotiating rights for it with the network as a whole. nmbd is responsible for doing this and also for negotiating with other computers that register their names.
     • Functioning as an NBNS server. Samba can be configured as an NBNS (NetBIOS name server) system.
     • Functioning as a master browser. Part of the user experience of an SMB/CIFS network is browsing, the ability to browse through the servers on a network much as you would browse through the directories on your hard disk.
     As this list demonstrates, nmbd does a lot of work. Although they don't involve serving files or printers, many of these tasks are critical parts of any SMB/CIFS server, so nmbd should be considered a critical part of Samba. It's typically run along with smbd by a distribution's startup scripts. Most of nmbd's functions require it to bind to TCP port 137, but master browser duties involve User Datagram Protocol port 138.
  67. Understanding winbindd. A third Samba daemon is the Winbind daemon, winbindd. Unlike smbd and nmbd, winbindd doesn't provide services for remote computers; it serves as an interface between a Samba domain controller and the local computer's own Pluggable Authentication Modules (PAM) tools, enabling a domain controller to host Linux account information.
  68. Controlling Samba. Controlling Samba involves at least two tasks: adjusting its configuration options using its configuration file, and changing its options on a temporary, on-the-fly basis. You accomplish the first task through Samba's configuration file, while the second can be done through the smbcontrol tool.
  69. Adjusting configuration file options. The main Samba configuration file is called smb.conf and typically resides in /etc/samba, although it could be found in other locations. (If you build Samba from source, /usr/local/samba/lib is one common location.) The smb.conf file is composed of sections, each of which begins with a name in square brackets ([]), such as [global] or [documents]. Most sections define file or printer shares; the [global] section holds options that affect the server as a whole or that set default values used in subsequent share definitions. Lines in smb.conf can be comment lines that begin with a hash mark (#) or a semicolon (;), or parameter lines of the form parameter = Value. The parameter is a keyword, such as security or create mask. Parameter names are case-insensitive.
  70. Controlling Samba with smbcontrol. You can use the smbcontrol program to control Samba as it runs. For example, you can tell Samba to shut down a specific share, force a master browser election, reload the configuration file, and so on. The basic syntax for this command is:
     smbcontrol [-i] [-s configfile]
     smbcontrol [destination] [message-type] [parameter]
     When used with the -i option, smbcontrol enters an interactive mode in which you can pass a series of commands in sequence.
  71. The destination is the server name or a process ID number. The message-type is a command, as summarized in Table 1 (page 6). The parameter is an optional parameter that some commands may require.
  72. Setting your security mode. Samba provides a number of options related to how users are authenticated. The most important of these is the security option, which takes five possible values:
     • Share. This mode attempts to emulate the authentication method that the Microsoft operating systems use.
     • User. This mode, which is the default, uses a user name and password for authentication, similar to the way Linux typically works.
     • Server. If you want Samba to relay to another server for authentication, use this authentication method. To a client, this method looks just like user-level authentication.
     • Domain. You can fully join a Windows domain using this method, which looks just like user-level authentication to clients. Unlike server-level authentication, domain authentication involves a more secure domain-level password exchange.
     • ADS. This authentication method works much like domain authentication; however, it requires an Active Directory Domain Services domain controller.
  76. As a general rule, user-level authentication is the best choice if your Samba server is a member of a Windows workgroup, which is the basic form of an SMB/CIFS network. A workgroup differs from a domain mainly in that a domain provides a domain controller, which is a server that provides authentication services to the domain. To use a domain controller, you must use server-, domain-, or ADS-level security. Server-level security is the easiest to configure but the least secure, whereas ADS-level security is the most difficult to configure but the most secure.
  77. To fully join a domain for domain- or ADS-level security, you must set several options in the [global] section of the smb.conf file:
     password server = DOMCONT
     domain logons = No
     encrypt passwords = Yes
     The DOMCONT system is the domain controller. You must also type the following command on the Samba server that should join the domain:
     # net join member -U adminuser
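The smb.conf format from slide 69 and the security-mode rules on the slides above, as an added example that is not part of the slide deck: a small Python auditor that parses an smb.conf the way the slides describe it (sections in square brackets, comments starting with # or ;, case-insensitive parameter names) and reports the weaker security modes and the domain-join settings that are missing. The sample configuration, its workgroup name and the share path are constructed for the example; DOMCONT is the slides' own placeholder for the domain controller.

```python
import re
from typing import Dict, List

Config = Dict[str, Dict[str, str]]

# Constructed sample: a domain member server, in the form the slides describe.
SAMPLE_SMB_CONF = """\
# constructed sample, not a real server's file
[global]
   workgroup = EXAMPLE
   Security = domain
   ; DOMCONT is the slides' placeholder for the domain controller
   password server = DOMCONT
   domain logons = No
   encrypt passwords = Yes

[documents]
   path = /srv/samba/documents
   read only = no
"""

YES_VALUES = {"yes", "true", "1"}
SECURITY_MODES = {"share", "user", "server", "domain", "ads"}


def parse_smb_conf(text: str) -> Config:
    """Parse smb.conf text into {section: {parameter: value}}.

    Comment lines start with # or ;. Section names keep their case;
    parameter names are lower-cased with whitespace collapsed because
    Samba treats them case-insensitively.
    """
    config: Config = {}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                  # blank or comment line
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:                                         # [global], [documents], ...
            section = m.group(1)
            config.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"line {lineno}: not a section or parameter: {raw!r}")
        name, value = line.split("=", 1)
        key = " ".join(name.lower().split())
        config[section][key] = value.strip()
    return config


def audit_security(config: Config) -> List[str]:
    """Return findings about the [global] security mode and domain settings."""
    g = config.get("global", {})
    findings: List[str] = []
    mode = g.get("security", "user").lower()          # user is Samba's default
    if mode not in SECURITY_MODES:
        return [f"unknown security mode {mode!r}"]
    if mode == "share":
        findings.append("security = share: share-level authentication; user level is preferred")
    elif mode == "server":
        findings.append("security = server: relays authentication and is the least secure domain option")
    elif mode in ("domain", "ads"):
        # The slides list these [global] settings as required for a domain member.
        if "password server" not in g:
            findings.append(f"security = {mode} needs 'password server' in [global]")
        if g.get("encrypt passwords", "").lower() not in YES_VALUES:
            findings.append("encrypt passwords = Yes must be set for domain/ADS security")
        if g.get("domain logons", "no").lower() in YES_VALUES:
            findings.append("domain logons = Yes on a domain member; the slides set it to No")
    return findings
```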
  83. 310.3 Trivial Database Files. Weight: 2. Description: Candidates should understand the structure of trivial database files and know how to troubleshoot problems. Key Knowledge Areas:
     • Backup TDB files
     • Restore TDB files
     • Identify TDB file corruption
     • Edit / list TDB file content
  91. Samba's Trivial Database files. Trivial Database (TDB): Samba uses Trivial Database files to store both persistent and temporary data as part of its job integrating file and print sharing between Linux and Windows.
  92. Overview
     • Backing up Samba Trivial Database (TDB) files
     • Restoring TDB files
     • Identifying TDB file corruption
     • Editing/listing TDB file content
  93. Understanding TDB files. Samba stores a lot of information at run time, from local passwords to a list of clients it is expecting to hear from. Some of this data is short-lived and can be discarded when Samba is restarted, but some of it is permanent and should not be lost. The data can either be too large or too infrequently accessed to keep in memory, or it should persist across restarts. TDB is effectively a key-value store, meaning that data is stored and retrieved by means of a unique key and there is no joining of tables as in a relational database. Key-value stores, and TDB in particular, are designed to be fast ways to store data to disk and get it back.
  94. Key-value stores. There are many alternatives to TDB, such as the GNU Database Manager (GDBM), but the Samba project had a special need for multiple processes writing to the database at the same time, as well as support for locking individual pieces of data. Therefore, the team built their own database manager and called it the Trivial Database Manager. TDB has been extended to support clustered operation through the Clustered TDB (CTDB) project and is available for use by other projects.
  95. TDB files used in Samba. Samba stores its TDB files in a few different places. The way to find these files is to ask smbd for its build-time paths:
     # smbd -b
     SBINDIR: /usr/sbin
     BINDIR: /usr/bin
     SWATDIR: /usr/share/swat
     CONFIGFILE: /etc/samba/smb.conf
     LOGFILEBASE: /var/log/samba
     LMHOSTSFILE: /etc/samba/lmhosts
     LIBDIR: /usr/lib
     MODULESDIR: /usr/lib/samba
     SHLIBEXT: so
     LOCKDIR: /var/lib/samba
     STATEDIR: /var/lib/samba
     CACHEDIR: /var/lib/samba
     PIDDIR: /var/run
     SMB_PASSWD_FILE: /var/lib/samba/private/smbpasswd
     PRIVATE_DIR: /var/lib/samba/private
  96. Using TDB files. Samba comes with three tools for manipulating TDB files:
     • tdbdump: Print the contents of a TDB file.
     • tdbbackup: Back up and validate TDB files.
     • tdbtool: Create, view, and modify TDB files.
  97. Using tdbdump on a TDB file.
     tdbdump /var/lib/samba/ntprinters.tdb
     From the output (Listing 2), you can see that there are three keys in the database. The first key is 21 bytes long (the byte length is shown in parentheses) and is called GLOBALS/c_setprinter followed by a NULL, which is ASCII zero. Non-printable characters are shown in hexadecimal format: a backslash followed by two hexadecimal characters. The value for the first key is 4 bytes long and is entirely NULLs. The next two keys are called SECDESC/test and SECDESC/cups-pdf and are both NULL-terminated. Their data is entirely binary and unprintable, so it has been printed with the non-printable characters in hexadecimal format.
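The tdbdump output format described above, as an added example that is not part of the slides: a Python parser that decodes the backslash-hex escapes back into bytes and checks that the byte count shown in parentheses matches the bytes actually printed, which is one cheap way to notice a truncated or hand-edited dump when you are hunting TDB corruption. The listing is constructed in tdbdump's format to match the three keys the slide describes; the SECDESC data bytes are made up.

```python
import re
from typing import List, Tuple

# Constructed listing in tdbdump's output format, matching the three keys the
# slide describes for ntprinters.tdb; the SECDESC data bytes are made up.
SAMPLE_DUMP = r"""{
key(21) = "GLOBALS/c_setprinter\00"
data(4) = "\00\00\00\00"
}
{
key(13) = "SECDESC/test\00"
data(8) = "\01\00\04\80\14\00\00\00"
}
{
key(17) = "SECDESC/cups-pdf\00"
data(6) = "\01\00\04\80\FF\FE"
}
"""

_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")            # a backslash plus two hex digits: one byte
_RECORD_LINE = re.compile(r'^(key|data)\((\d+)\) = "(.*)"$')


def unescape(body: str) -> bytes:
    """Turn tdbdump's mix of printable characters and hex escapes into bytes."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(body):
        out += body[pos:m.start()].encode("latin-1")   # run of printable characters
        out.append(int(m.group(1), 16))                # one escaped byte
        pos = m.end()
    out += body[pos:].encode("latin-1")
    return bytes(out)


def parse_tdbdump(text: str) -> List[Tuple[bytes, bytes]]:
    """Parse a tdbdump listing into (key, data) byte pairs.

    Raises ValueError when a record is malformed or when the byte count in
    parentheses does not match the bytes actually shown, which is what a
    truncated or hand-edited dump looks like.
    """
    records: List[Tuple[bytes, bytes]] = []
    key = data = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line == "{":                                # start of a record
            key = data = None
            continue
        if line == "}":                                # end of a record
            if key is None or data is None:
                raise ValueError(f"line {lineno}: record closed without key and data")
            records.append((key, data))
            continue
        m = _RECORD_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unexpected text {line!r}")
        kind, declared, body = m.group(1), int(m.group(2)), m.group(3)
        raw = unescape(body)
        if len(raw) != declared:
            raise ValueError(
                f"line {lineno}: {kind} declares {declared} bytes but shows {len(raw)}")
        if kind == "key":
            key = raw
        else:
            data = raw
    return records


def key_names(records: List[Tuple[bytes, bytes]]) -> List[str]:
    """Key names as text, with the terminating NUL the slide mentions stripped."""
    return [k.rstrip(b"\x00").decode("ascii", "replace") for k, _ in records]
```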
  98. Backing up and restoring TDB files. Like most databases, you can't just copy the file, because the copy might become corrupted. Backup corruption happens when you copy a file as it is being written, so that you have a backup that is in an inconsistent state. One alternative would be to shut down the Samba daemons and then copy the files. The other is the tdbbackup utility that comes with Samba. This utility safely copies a TDB file even if it is actively being written:
     tdbbackup account_policy.tdb
  99. Verifying and restoring a TDB file.
     tdbbackup -v account_policy.tdb
     Here the tdbbackup command is run again but with the -v flag, which verifies a TDB file. If the file is corrupted, you will see a summary of the errors followed by a note that the file has been restored.
  100. Changing TDB files. The tdbtool utility lets you make changes to the data inside a TDB file. It also lets you inspect individual keys and values within the file rather than having to dump the entire file and sort through the output. tdbtool can accept commands on the command line, or you can open an interactive console. To accomplish your task on the command line, run tdbtool example.tdb command options, where example.tdb is the name of your file, command is the command, and the options to the command go at the end. To use the tdb shell, just run tdbtool by itself or pass the name of the file on the command line.
  101. Using transactions. A transaction is first started with the transaction_start command. Next, a key is inserted. If another process were to read the database, it would not see this key, because it is not committed; the process with the transaction open does see the key. The transaction is then cancelled with transaction_cancel, and the key no longer appears. The process is then re-run, but this time the transaction is committed with transaction_commit, and the key then exists for all readers. Other readers may be blocked while you are in a transaction, which means that they will hang until the transaction is finished. So be careful when using transactions on production databases! They are a great safety feature but can potentially hurt performance if overused.
  103. Beyond TDB. User accounts can be stored in a variety of places depending on your configuration, and two tools, smbpasswd and pdbedit, give you a command-line interface while taking care of the back-end communication. For example, you can use the same commands even if your user data is stored in LDAP instead of TDB files.
  104. Using smbpasswd. The smbpasswd utility can add and delete user or machine accounts and change passwords. It is most commonly used for the latter task, either to change the current user's password or by root to change another user's password. Microsoft clients pass passwords around the network as a Microsoft-specific hash rather than as plain text or a UNIX password hash. This means that it is not possible to take a Microsoft password hash and determine whether the password is the same as the password stored in the UNIX password database. Therefore, Samba must keep a separate password database for the Microsoft hashes; this is referred to as the password back end.
  105. Using pdbedit. pdbedit manages the Samba user database and the account policies. It can do anything that smbpasswd can, plus manage policies and migrate accounts between different back ends. To show all the users in the database, run pdbedit -L. You can get even more details about your users by passing the -v flag.
  106. Moving forward. This is the end of the Concepts, Architecture, and Design topic. In the next article, you will begin Topic 311 by learning how to download the Samba source code and compile it.
  107. Topic 311: Compile and Install Samba. 311.1 Configure and Build From Source (Assembling Samba from scratch). Weight: 1. Description: Candidates should be able to compile Samba from source and resolve dependencies. Key Knowledge Areas:
     • Identify key Samba packages and content
     • Identify and resolve dependencies
     • Describe Samba software structure
     • Knowledge of common Samba compilation options
  108. Like most Linux software, Samba is open source, so you can obtain the original source code files used by its programmers and then compile a binary package for your own system. Doing so enables you to run newer software than your distribution maintainers provide, adjust compile-time options, set compiler features for optimum performance, and even modify the source code. We will learn about these concepts:
     • Identify important Samba packages and their content.
     • Locate and install depended-upon software.
     • Describe the structure of the Samba software.
     • Identify important Samba compilation options.
  109. Obtaining Samba source code. Samba source code is readily available from the Samba Web site. If you're familiar with compiling and installing software from source code, you should have little trouble with Samba; however, because of the critical nature of Samba to many installations, you may want to take extra care to ensure that your software is what you believe it to be. To this end. You can download the Samba source code from the main Samba Web page. A link to the latest stable version appears on the main page. A download link for the next generation of Samba, version 4, also appears on the main page; however, Samba version 4 is in alpha testing and has been for years. Use it only if you must have its features or if you want to contribute to Samba development.
  110. Verifying the software's authenticity. It's possible to decompress, compile, install, and use Samba without verifying the software's authenticity. However, given the server's critical importance, running the handful of commands required to verify its authenticity is generally a good idea. To do so, perform the following steps:
     1. Ensure that you've downloaded the samba-version.tar.asc and samba-pubkey.asc files.
     2. Type gunzip samba-version.tar.gz to decompress (not untar) the package file.
     3. Type gpg --import samba-pubkey.asc to import the Samba public key into your GPG key ring.
     4. Type gpg --verify samba-version.tar.asc to verify the package. The program should respond with a message similar to the one shown on page 3.
  111. The output is likely to continue with a message to the effect that the key is not certified with a trusted signature. This message highlights a limitation of the verification procedure just described: if the main Samba Web site were compromised, the attacker could have replaced the Samba package and both keys with fake versions, which could fool you into accepting the bogus keys. You can protect yourself to some extent by using the --keyserver option to gpg in step 4. This option causes gpg to retrieve the key from the specified key server as part of the verification process. Somebody distributing a fake Samba package would then need to compromise this key server in addition to the Samba server.
  112. 112. Topic 311: Compile and Install Samba Unpacking the tarball Assuming that your package has passed its verification step (or if you don't want to bother with that step), you can unpack your source code tarball. Do so in your home directory or in a directory such as /usr/src/, which is intended to hold source code for locally installed software. If you unpack the source code in /usr/src/, you may need to acquire root privileges to do so or change the permissions on /usr/src/ to enable an ordinary user to write to that directory. However you do it, change to the base of the directory in which you want to untar the source code. Then, type the following command: $ tar xvf ~/samba-version.tar $ tar xvzf ~/samba-version.tar.gz
  113. 113. Topic 311: Compile and Install Samba Compiling Samba With the source code now available, you can begin the compilation process. Before you jump in, though, check that you have the necessary prerequisite software on your system. You must then configure the software before performing the actual compilation. You may run into problems that you'll have to resolve, as well.
  114. 114. Topic 311: Compile and Install Samba Installing prerequisite software To compile Samba, a number of other software packages must be available, the most notable of which is GCC. GCC The Samba code relies on several other libraries software packages that provide support functions for other programs' use,these libraries are already installed on your computer, but to compile a program, you need the libraries' headerfiles, which are often installed in separate packages with names that end in -dev or -devel. ensure that the libc or libc6 development libraries are installed
  115. 115. Topic 311: Compile and Install Samba Configuring Samba To configure Samba, first change to the source3 subdirectory of the main Samba source code directory. This directory holds the source code for the main Samba package. Note: Other subdirectories off of the main Samba source code directory hold the source code for ancillary programs, support programs, documentation, and so on. For instance, the client subdirectory holds files related to Linux's ability to mount SMB/CIFS shares as a client; the swat subdirectory holds source code for the Samba Web Administration Tool (SWAT). Building the main Samba package also compiles some of these programs, but you may need to compile others manually. Compiling the main body of Samba, in the source3 subdirectory, builds the critical smbd and nmbd server programs along with support libraries and many related tools.
116. 116. Topic 311: Compile and Install Samba Compiling the software Configuring, building and installing from the source3 directory takes three commands:
./configure --without-ldap
make
make install
117. 117. Topic 311: Compile and Install Samba Resolving problems Unfortunately, configuration and compilation sometimes fail. The most common cause of such problems is a missing library. If the configure step fails, you're likely to see a message near the end of the output that specifies what's missing; for instance, the message may indicate that it can't find Pluggable Authentication Module libraries. You should then use your system's package management tools, such as Synaptic or Yumex, to search for and install the relevant software. Remember that you may need to install the development libraries separately from the main library package.
  118. 118. Topic 311: Compile and Install Samba Moving forward The LPIC-3 311.2 objective—and the next article in this series—describe how to install Samba from source and from binary packages. This task necessarily includes launching the Samba server programs, smbd and nmbd. (Additional servers handle ancillary tasks, such as SWAT for Web-based configuration.)
  119. 119. Topic 311: Compile and Install Samba Install and upgrade Samba Like most software, Samba must be installed before it can be used. Several methods of doing this exist, but they fall into two broad categories: compiling and installing from source code and installing pre-built binary packages. The former is the more difficult but also more flexible option, while the latter is quite easy on most Linux distributions but locks you into the decisions your distribution maintainer has made concerning supported versions, patches applied, compile-time options enabled, and so on. We will learn about these concepts: • Install Samba packages. • Install Samba binaries you've compiled yourself. • Upgrade an existing Samba installation.
120. 120. Topic 311: Compile and Install Samba Choosing an installation method The method you use to install Samba depends on your Linux distribution, the tools available to you, and your needs. Although RPM and Debian (deb) packages are usually the best and easiest option, only installation from source code is possible on all Linux systems. The easiest way to install Samba is invariably to install a Samba binary package provided by the distribution maintainer, and the installation process usually finishes in a few seconds. In most cases, you should install Samba from an RPM, Debian package, or other distribution-specific binary package. Source code installation makes sense mainly if this isn't possible or if you have special needs that require unusual customization during the build process.
121. 121. Topic 311: Compile and Install Samba Upgrading to a new version using source code If you've previously installed Samba from source code, following the procedure just described renames the old program files with the .old extension. Typing make revert reverts to the old versions, should you decide the new version isn't working properly. If you want to completely remove an old version of Samba that was installed from source code, you should change into that version's source code directory and type make uninstall. This command removes the installed software. You can then install a new version (from source code or from a binary package) without fear of conflict between the two versions.
122. 122. Topic 311: Compile and Install Samba Installing an RPM RPM is a popular and powerful package management system. You can install software by downloading RPM files and using the rpm command to install them, or you can use a meta-packaging system, such as the Yellowdog Updater, Modified (YUM), to handle some details. To install a package using YUM, you use the yum command as root: yum install samba Note: Samba package names vary from one distribution to another. It's possible you'll need to install the package using a name other than samba, such as samba-server. The name samba works with Fedora Linux.
123. 123. Topic 311: Compile and Install Samba Installing a Debian package Debian packages are similar to RPM packages, but the details of the utilities used to manipulate the packages differ. Debian and Ubuntu are the major distributions that use Debian packages, although several others also use this package type. Installing using APT The Advanced Package Tool (APT) is similar to the YUM suite used by many RPM-based distributions. (APT is also available for many RPM-based distributions, and at least one, PCLinuxOS, uses APT by default.) Before installing Samba, it's best to force APT to obtain the latest package lists. You can do this using apt-get and its update subcommand, and then install the package: # apt-get update # apt-get install samba
124. 124. Topic 311: Compile and Install Samba Launching Samba If you install Samba using a binary package, it will include a startup script to launch Samba when you reboot. You should enable it with your local startup management tools, such as chkconfig (common on Fedora and related distributions) or rc-update. Note: it's also possible to run Samba via a super server such as inetd or xinetd. If you've installed Samba from source code, you will have to create your own startup script or launch the server via an entry in a local startup script, such as /etc/rc.d/rc.local or /etc/init.d/rc.local. Typically, you'll want to launch both the smbd and nmbd servers and pass them both the -D option, which causes the servers to run as daemons. A minimal configuration looks like this: /usr/local/sbin/nmbd -D /usr/local/sbin/smbd -D
125. 125. Topic 302 : Configure Samba Samba uses a human-readable file to manage and store its configuration parameters, so the most sophisticated tool you'll need to configure Samba is a text editor. Learn how the configuration file is structured, how Samba interacts with the network, how to configure logging, and how to debug problems with Samba. We will learn : • Navigate the Samba server configuration file structure • Use Samba variables and configuration parameters • Identify key TCP/User Datagram Protocol (UDP) ports used with Server Message Block (SMB)/Common Internet File System (CIFS) • Configure Samba logging • Troubleshoot and debug problems with Samba
  126. 126. Topic 302 : Configure Samba The Samba configuration file Samba, like most UNIX daemons, is configured through text files that are human readable, rather than through a graphical tool for binary file editing. The most important configuration file is called smb.conf, which contains all the parameters that Samba needs to run in your environment. Note : Although smb.conf was designed to be edited with a text editor, the Samba team has come up with a web-based tool called the Samba Web Administration Tool. Alternatives, such as webmin, also exist. It is important to remember that you can still edit smb.conf before or after these tools have been run, because you're operating on a text file.
127. 127. Topic 302 : Configure Samba Samba's configuration file has a fairly simple format that uses three different constructs: • Sections. Sections group the configuration into independent areas. For example, a file share has its own section. • Parameters. Parameters are key-value pairs. The keys are well-known attributes such as "read only." • Comments. Comments let you make annotations to the configuration file that don't affect the configuration, such as to indicate the help desk ticket that documents the share.
128. 128. Topic 302 : Configure Samba Sections Sections group the configuration file into different areas. You start a section by enclosing the name of the section in square brackets ( [] ). The section continues until the next section is defined or the end of the file is reached. Three section names have special meaning: • global. Anything in this section applies to the whole server. Configuration items in the global section can be overridden at the share level, if needed. • homes. The homes section serves as a template for all user shares, and Samba takes care of mapping a user name to the configuration in this section, virtually eliminating the need to configure a separate share each time you want to let a user into his or her home directory. • printers. Similar to homes, except that it's used for printers. If the section name used is not one of the above, it is considered a file or printer share.
129. 129. Topic 302 : Configure Samba When a connection request comes in to Samba for a particular share name, the daemon looks for a section with that name that would define the properties of that share. If the section is not found, Samba looks through the list of users on the system to see whether the connection refers to a user. If not, Samba consults the list of system printers to see if a printer by that name exists. If the connection matched a user, the configuration for the homes section is used. If a printer was matched, the printers section is used. In all cases, the section-level configuration overrides the global configuration section. If none of the above cases is matched, there is one final check. If a default service is configured, that service is used. If not, an error is passed back to the client. By default, the default service is not configured, so incorrect share names will result in an error.
130. 130. Topic 302 : Configure Samba Parameters Parameters take the form key = value, which assigns the value to the key. The keys are all documented in the smb.conf man page. Samba configuration is largely an exercise in understanding which keys are needed to achieve the behavior you want and determining the appropriate value to use. Parameters generally take strings as values. Samba does support macros, which allow you to vary the value of the parameter according to items like the share name or input from the user. For example, the homes section defaults to the user's UNIX home directory, but you can use macros to make this parameter use any location and substitute the user name into the file path at the time of connection. Macros start with the % character and will be discussed as they are required. If a parameter's value must extend over two or more lines, all lines except the last must end in a backslash (\), just like a UNIX shell.
  131. 131. Topic 302 : Configure Samba Comments Comments begin with a semicolon (;) or octothorpe (hash, or #). Comments can be used to explain the reason for items, to track changes, or to indicate section boundaries.
  132. 132. Topic 302 : Configure Samba An example configuration See Page 4 lpic-312-1 Some special things to note about this example configuration are: • Two different styles of comments are used. One begins with a hash, the other begins with a semicolon. • This file defines one share called projecta. Any other shares will be automatically created from the users and printers defined on the system. • The server string parameter uses the %v macro for part of its value. At run time, %v will be replaced with the version of Samba. • hide dot files is set to yes at the global level but set to no inside the projecta share. Home directories use the configuration from the homes section and so will have their dot files (such as .profile) hidden. Files in projecta will have their dot files visible.
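As an added example (not the slides' own listing): a small Python parser that applies the rules on the preceding slides, namely the three constructs, the backslash continuation, the %v and %S macros, share-level override of global settings, and the share-name lookup order (named section, then user via homes, then printer via printers, then default service, otherwise an error). The smb.conf text, host name and version used are constructed for the example.

```python
import re

# Constructed sample smb.conf (not the file the slides refer to). It uses both
# comment styles, a backslash continuation, the %v and %S macros, and a share
# that overrides a global setting, exactly the situations described above.
SAMPLE_SMB_CONF = """\
# Settings in [global] apply to the whole server
[global]
   workgroup = EXAMPLE
   server string = Samba %v on %h
   hide dot files = yes
   ; a value continued over two lines, shell style
   admin users = alice \\
                 bob

[homes]
   comment = Home Directories
   writable = yes
   valid users = %S

[printers]
   path = /var/spool/samba
   printable = yes

[projecta]
   path = /srv/projecta
   hide dot files = no
"""

SPECIAL_SECTIONS = ("global", "homes", "printers")
MACRO = re.compile(r"%[SUvh]")   # the macros this example knows how to expand


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}; names are lowercased."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":          # blank line or either comment style
            continue
        if line.endswith("\\"):                  # continuation, as in a UNIX shell
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"bad smb.conf line: {line!r}")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def resolve_share(conf, requested, unix_users, printers):
    """Apply Samba's lookup order for an incoming share name; None means an error
    goes back to the client."""
    name = requested.lower()
    if name in conf and name not in SPECIAL_SECTIONS:
        return name                                  # an explicitly configured share
    if name in unix_users and "homes" in conf:
        return "homes"                               # a user name: homes is the template
    if name in printers and "printers" in conf:
        return "printers"                            # a system printer
    default = conf.get("global", {}).get("default service", "").lower()
    return default if default in conf else None      # default service, if configured


def effective_params(conf, section, share, user, version, host):
    """Share-level parameters override [global]; then expand %S, %U, %v and %h."""
    params = dict(conf.get("global", {}))
    params.update(conf.get(section, {}))
    values = {"%S": share, "%U": user, "%v": version, "%h": host}
    return {k: MACRO.sub(lambda m: values[m.group(0)], v) for k, v in params.items()}


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for name in ("projecta", "alice", "lp", "nosuch"):
        print(name, "->", resolve_share(conf, name, {"alice"}, {"lp"}))
    print(effective_params(conf, "homes", "alice", "alice", "4.19.0", "server1"))
```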
  133. 133. Topic 302 : Configure Samba Samba network interaction Samba is a network service that runs over IP, which allows it to communicate with other hosts on the network that are also using IP. As a Samba administrator, you need to understand how the Samba services behave on the network to troubleshoot connectivity problems. At a high level, you can look at Samba as offering three different kinds of network services: • File and print sharing . Offering files and printers to other network devices and using those services on other machines • Name services . Name resolution services necessary to participate in a Microsoft network • Domain services . Samba can replace various Microsoft server roles such as a legacy domain controller and integrates with newer Active Directory Domain Services (AD DS) servers
  134. 134. Topic 302 : Configure Samba File and print sharing File and print sharing are implemented within smbd, which is one of the Samba daemons. Microsoft file sharing used network basic input/output system (NetBIOS) over TCP when it first moved into the IP world. This method encapsulated NetBIOS content inside a TCP session using TCP port 139. The NetBIOS protocol encompasses several features. TCP port 139 is used only for the session services, which are file transfer and message passing. The name lookup services are not handled on this port. NetBIOS over TCP works, but there is overlap between the session and reliability features provided by NetBIOS and those provided by TCP. With some subtle changes, it became possible to run SMB/CIFS right on top of TCP. This method is known as direct hosting and is used to simplify the protocol. Direct hosting occurs on TCP port 445.
135. 135. Topic 302 : Configure Samba Name services NetBIOS provides a name services layer responsible for network browsing and name lookups. For example, the host SERVER1 is resolved to an IP address by using NetBIOS name service requests on UDP port 137. Support for browsing and election of support roles such as the master browser happens on UDP port 138, otherwise known as the datagram services port. Name services are implemented within the nmbd daemon. It is important to note that the name services use UDP instead of TCP. UDP packets are connectionless and can be broadcast to all hosts instead of a single unicast stream. With UDP's broadcast functionality, NetBIOS name services can be made easier to process on the network. Samba version 3 does not have any parameters to control which ports nmbd listens on, but Samba version 4 implements the nbt port and dgram port global parameters, which control the name service and datagram services ports, respectively.
136. 136. Topic 302 : Configure Samba Domain services The Samba team is constantly updating the software to make it integrate more closely with Microsoft networks and to replace Microsoft infrastructure. To do so, Samba must emulate these infrastructure services on the network. Most of these services involve Kerberos and the Lightweight Directory Access Protocol (LDAP) in some way. These are advanced topics and will be covered in more depth in later articles. For the moment, just be aware that Samba can do more than just file sharing. For a summary of the ports that Samba uses, see page 8 of 312-1.
137. 137. Topic 302 : Configure Samba Troubleshooting Samba problems Samba is not immune to problems. Sometimes, these problems are caused by the system administrator; sometimes they're caused by the user. Your job as the system administrator is to figure out where the problem lies, then how to solve it. Testing the configuration file If Samba won't start or you want to check your configuration file for correctness, then the testparm utility will help: testparm /etc/samba/smb.conf (see page 8 of 312-1).
138. 138. Topic 302 : Configure Samba Connecting as a client The first and easiest test is to make sure that you can connect to the Samba port. The easiest way to do this is with the telnet command: telnet 139 Performing a NetBIOS name query for bob: nmblookup master Checking access with testparm: testparm /etc/samba/smb.conf (see page 11 of 312-1).
139. 139. Topic 302 : Configure Samba Showing a machine's shares: smbclient -L 'bob' (see page 12 of 312-1). Connecting to a share with a different user name and domain: see page 12 of 312-1. Logging and debugging: see pages 13-15 of 312-1.
  140. 140. Topic 302 : Configure Samba Learn how to create and configure file shares in a mixed environment We will learn to: • Create and configure file sharing. • Plan a file service migration. • Hide the administrative share. • Create scripts for user and group handling of file shares. • Use command-line tools relating to file shares.
141. 141. Topic 302 : Configure Samba Creating file shares Recall from the previous article that Samba understands any section inside smb.conf other than homes, printers, and global to be a share name. Besides the name of the share, mapping the share name to a location on disk is the other important piece of information. Here is the simplest useful share: [tmpdir] path = /var/tmp This code defines a share called tmpdir that maps to /var/tmp on the Samba server. For example, if the server were named phoenix, then users would be able to access that file share with the Universal Naming Convention (UNC) path \\phoenix\tmpdir. This sparse configuration is not useful, however: The default setting for a share is to be read-only, so the share above would not be writable.
142. 142. Topic 302 : Configure Samba Using security parameters Samba has many security-related parameters that control access. Many of these parameters affect the interaction between Samba and the underlying UNIX file permissions and are not discussed in this article. However, a few more general parameters are discussed here. Server Message Block (SMB) servers, including native Microsoft implementations, have a share called IPC$, which is the interprocess communication share and is used to execute software functions over a network. A share ending in a dollar sign ($) is considered hidden and not shown in Microsoft clients, even though the server will advertise the existence of the share. Samba creates the IPC$ share even though it may not exist in smb.conf. If you create the share, you can control access to it. Here is an example of a restricted IPC$ share: [IPC$] hosts allow = browsable = no
143. 143. Topic 302 : Configure Samba Home shares It is common to give users a home directory for their personal files. Each user in the UNIX password file has a home directory assigned. You can easily export any number of home directories through Samba without having to type a separate configuration section by using the [homes] section. When someone requests a share called joe, Samba looks for a configured share called joe; if Samba doesn't find that share, it looks for a user by the same name. If the user is found, Samba then uses the configuration in the [homes] section as a template for this share.
[homes]
comment = Home Directories
writable = yes
browsable = yes
valid users = %S
144. 144. Topic 302 : Configure Samba The configuration in Listing 1 performs these tasks: • Begins the configuration of the homes section • Assigns a comment, which is shown to people looking at the details of available file shares on that server • Marks the share as writable so that users can make changes to their home directory • Indicates that the share can be seen when users browse for a list of shares; they will see both homes and a share with their user name • Limits the users who can connect to this share to the user who owns the share Note the use of the %S macro in Listing 1: This macro expands to the name of the share. Because the user name is the same as the share, the valid users
145. 145. Topic 302 : Configure Samba Dealing with mixed case The case of a file or directory name does not matter in the Microsoft realm. That is, FILE, file, and FiLe all refer to the same file. In Linux, however, case is important, so those three files would all be different. Samba needs to know how to map between these two worlds to resolve any conflicts. This case-mapping process is part of a larger process called name mangling. A few parameters affect mangling of file name case. The most important parameter is case sensitive, which can be yes, no, or auto. If case sensitive is enabled, Samba uses whatever case the client requests. If this setting is disabled, Samba looks through the directory for a case-insensitive match. One problem with case sensitivity is that, if set incorrectly, you might not be able to access some files. Consider a directory with two files—one called test and the other called TEST. If Samba doesn't use case-sensitive access, then it is unable to differentiate between the two files. The default for this setting is auto.
  146. 146. Topic 302 : Configure Samba The default case and preserve case parameters work with each other. If preserve case is set to yes, then whatever the client sets is used. If preserve case is set to no, then the value of default case is used to determine the case of the newly created file.
147. 147. Topic 302 : Configure Samba Enabling Usershare Users can create their own shares without having to modify smb.conf by using a feature called Usershare. After the administrator enables the Usershare feature, regular users use a command-line tool to export directories of their choosing. Users can also delete their shares when they are done. The first step to using Usershare is to enable the feature at the global level.
[global]
usershare path = /var/lib/samba/usershares
usershare max shares = 5
usershare prefix allow list = /home
usershare prefix deny list = /var, /usr
148. 148. Topic 302 : Configure Samba The listing above enables Usershare in the [global] section. First, the usershare path defines a directory that Samba uses for the configuration related to the user share. There are several restrictions on this directory that will be explained later. Next, a limit on the number of user shares is imposed. The last two parameters show how to restrict the directories that can be shared. usershare prefix allow list restricts all the shares to the given directories—in this case, the shares must come from under /home. usershare prefix deny list takes the opposite approach and allows anything except the given directories. Samba imposes two other restrictions on user shares. First, the usershare path must be writable by the user creating the share, and the directory must have the sticky bit set (1000 or +t). Second, the user must own the directory being shared unless usershare owner only is set to false.
  149. 149. Topic 302 : Configure Samba # mkdir -p /var/lib/samba/usershares # chown root:usershares /var/lib/samba/usershares # chmod 1770 /var/lib/samba/usershares The first command creates the directory and any required parent directories. The next command sets the user and group ownership of the directory to root and usershares, respectively. The final command sets the owner and group permissions of the directory to Read/Write/Execute, denies access to everyone else, and sets the sticky bit. Thus, only root and members of the usershares group can use this directory; by virtue of the sticky bit, only the owner of a file can delete the file.
150. 150. Topic 302 : Configure Samba Setting up the share is perhaps the most difficult part of the exercise. A user creates a share with net usershare add; for example, exporting /home/me/Documents as a share called docs with Full Control for everyone. Other commands allowed are: • net usershare list lists the user shares the user has created. • net usershare info docs shows the configuration of the docs share. • net usershare delete docs removes the docs share.
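As an added example (not from the slides or from Samba itself): a Python check that applies the Usershare restrictions listed above to a proposed share before it is created, namely the sticky bit and writability of usershare path, usershare max shares, the prefix allow and deny lists, and usershare owner only. The demo() function builds a throwaway directory layout with the same shape as the slide's settings; the paths and the private subdirectory in the deny list are constructed for the example.

```python
import os
import stat
import tempfile


def _split_list(value):
    """Samba list parameters are comma or space separated."""
    return [p for p in value.replace(",", " ").split() if p]


def _under(path, prefix):
    """True when path equals prefix or lies below it (both resolved with realpath)."""
    prefix = os.path.realpath(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def usershare_allowed(global_conf, share_path, uid, existing_shares):
    """Check a proposed user share against the restrictions described above.
    global_conf holds the [global] parameters as {name: value} strings.
    Returns (ok, reason)."""
    usershare_dir = global_conf.get("usershare path", "")
    try:
        st = os.stat(usershare_dir)
    except OSError:
        return False, "usershare path is missing or unreadable"
    if not stat.S_ISDIR(st.st_mode) or not st.st_mode & stat.S_ISVTX:
        return False, "usershare path must be a directory with the sticky bit set"
    if not os.access(usershare_dir, os.W_OK):
        return False, "usershare path is not writable by this user"
    max_shares = int(global_conf.get("usershare max shares", "0"))  # 0 disables the feature
    if existing_shares >= max_shares:
        return False, f"usershare max shares ({max_shares}) reached"
    path = os.path.realpath(share_path)              # follow symlinks before prefix checks
    allow = _split_list(global_conf.get("usershare prefix allow list", ""))
    deny = _split_list(global_conf.get("usershare prefix deny list", ""))
    if allow and not any(_under(path, p) for p in allow):
        return False, "path is outside usershare prefix allow list"
    if any(_under(path, p) for p in deny):
        return False, "path is inside usershare prefix deny list"
    owner_only = global_conf.get("usershare owner only", "yes").lower() in ("yes", "true", "1")
    if owner_only and os.stat(path).st_uid != uid:
        return False, "usershare owner only: directory is not owned by this user"
    return True, "ok"


def demo():
    """Build a temporary layout shaped like the slide's settings and return the verdicts."""
    root = tempfile.mkdtemp()
    usershares = os.path.join(root, "usershares")
    os.mkdir(usershares)
    os.chmod(usershares, 0o1770)                     # the chmod 1770 from the slide
    docs = os.path.join(root, "home", "me", "Documents")
    private = os.path.join(root, "home", "me", "private")
    os.makedirs(docs)
    os.makedirs(os.path.join(private, "keys"))
    conf = {                                         # constructed [global] parameters
        "usershare path": usershares,
        "usershare max shares": "5",
        "usershare prefix allow list": os.path.join(root, "home"),
        "usershare prefix deny list": private + ", " + os.path.join(root, "var"),
    }
    me = os.getuid()
    results = {
        "docs": usershare_allowed(conf, docs, me, 0),
        "denied prefix": usershare_allowed(conf, os.path.join(private, "keys"), me, 0),
        "quota": usershare_allowed(conf, docs, me, 5),
    }
    os.chmod(usershares, 0o770)                      # without the sticky bit nothing is allowed
    results["no sticky"] = usershare_allowed(conf, docs, me, 0)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```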
151. 151. Topic 302 : Configure Samba Command-line tools Samba comes with several command-line tools. Through the libsmbclient that Samba provides, other people have made SMB/Common Internet File System (CIFS) utilities that are in common use. One striking difference between UNIX and Windows is that UNIX has one big file system, where Windows has a series of drive letters. The smbclient utility lets you browse a remote Windows share in a File Transfer Protocol (FTP)-like interface, but to be transparent to applications, a remote Windows share should be mountable like any other file system. Samba comes with a utility called smbmount, which is sometimes repackaged as mount.cifs. You can call this command directly or through the mount command. Listing 3 shows a Linux system mounting a remote CIFS share onto the regular file system.
  152. 152. Topic 302 : Configure Samba Mounting a remote CIFS share # mount -t cifs '' /mnt -o user=myuser Password: # mount The first command mounts a CIFS file system on the given UNC path and places it on /mnt. Other than the UNC path, this looks like a standard mount invocation. Options are passed with the -o option. The only option needed here is the user name. The mount.cifs man page outlines all the other options, which can include a password and a domain. If you don't specify a password, you will be prompted for one. Finally, the mount command shows the mounted file system.
  153. 153. Topic 302 : Configure Samba Migrating file shares When you move file services from one server to another, users may forget to access the new server. Samba allows you to have your server respond to another name. For example, if you move file shares from a server called phoenix to a server called fs2, you can have fs2 respond to requests for phoenix. You will, of course, have to make sure that phoenix doesn't respond, either by turning it off or renaming it. To add an alias to a server, use the netbios aliases global parameter. If you want to change the name of a Samba server to something other than the UNIX name of the server, use the netbios name parameter. The commands you have learned so far about mounting file systems will also be helpful in copying files from one server to another in preparation for a migration. You may also wish to use UNIX utilities like rsync to help out.
154. 154. Topic 312: Samba Configuration and Usage 312.3 Print Services Weight : 2 Description : Candidates should be able to create and manage print shares in a mixed environment. Key Knowledge Areas: • Create and configure printer sharing. • Configure integration between Samba and CUPS. • Manage Windows print drivers and configure downloading of print drivers. • Configure [print$] • Understand security concerns with printer sharing • Set up and manage print accounting
160. 160. Topic 312: Samba Configuration and Usage Print Services File serving is considered by most to be Samba’s bread and butter. However, pulling up a close second in justifications for deploying Samba is its capability to centrally manage printers and to make them available across a network to Windows clients. We will focus on the steps necessary to add print services to Samba’s configuration as well as the details for sending print jobs from Unix and Linux clients to remote SMB/CIFS printers via smbclient. Because Samba relies on a functioning, underlying print system, we will concentrate on sharing printers that have previously been configured on the server.
161. 161. Topic 312: Samba Configuration and Usage Print Shares Samba at heart is not a printing system, but rather a spooling system. Its mantra is, “If Unix can print to it, so can I.” To implement this philosophy, it must define a mechanism, either an external command or a software library, to use when performing operations such as printing spooled jobs, retrieving a list of jobs in a queue, or pausing a printer.
162. 162. Topic 312: Samba Configuration and Usage The process of sending a print job to a Samba printer works as follows: the client opens the spool file on the server, writes the file in its entirety, and then closes the file, indicating that the job is ready to be printed. This series of events has some important implications: • The smbd daemon can hand the spooled job over to the server’s printing system only after the entire file has been transmitted. • The spooled job must be in a format that can be sent directly to the Unix print queue. Generally, this means no special Windows meta formats.
  163. 163. Topic 312: Samba Configuration and Usage 312.4 Domain Control Weight : 4 Description: able to setup and maintain primary and backup domain controllers, and manage Windows/Linux clients' access to the domain Key Knowledge Areas: * Understand domain membership * Create and maintain a primary domain controller * Create and maintain a backup domain controller * Add computers to an existing domain * Configure logon scripts, Configure roaming profiles, Configure system policies
164. 164. Topic 312: Samba Configuration and Usage Our discussion of Samba up to this point has focused on file and print servers that authenticate users against a local set of accounts; these accounts had to previously be added to the system hosting Samba using either pdbedit or smbpasswd. Standalone servers (also called workgroup servers) have the advantages of being easy to set up and possessing no dependencies on external services. However, managing user accounts on more than two or three of these servers quickly becomes onerous. Our systems administration mantra is, “Reduce redundancy through consolidation.” Creating a Samba domain removes duplicate users and groups from each standalone server by consolidating these accounts onto a small set of domain controllers that can process authentication requests on behalf of domain member servers. Coupled with Microsoft’s networking facility that allows a user to log in to her local workstation via a domain account, a Samba domain provides a means to centrally manage all authentication, not just access to file and print services.
165. 165. Topic 312: Samba Configuration and Usage We show you how to configure Samba as a Primary Domain Controller (PDC) with one or more Samba Backup Domain Controllers (BDCs), and how to join Windows clients to this domain. Domains by themselves have little relevance without users and groups, so we also explore the mechanisms to manage and store user and group accounts. After you have a solid understanding of how to configure Samba’s domain controller functionality, we explain how to migrate a Windows NT 4.0 domain to a Samba domain and retain the complete list of accounts and user settings. We conclude with a discussion of remotely monitoring and managing Samba hosts using tools such as the Windows Event Viewer, the Service Control Manager, and the Performance Monitor.
  166. 166. Topic 312: Samba Configuration and Usage Chapter 9
167. 167. Topic 313: User and Group Management 313.1 Managing User Accounts and Groups Weight: 4 Description : manage user and group accounts in a mixed environment Key Knowledge Areas: * Manage user and group accounts * Understand user and group mapping * Knowledge of user account management tools * Use of the smbpasswd program * Force ownership of file and directory objects
168. 168. Topic 313: User and Group Management Authentication is proving that you are who you say you are. You do this every day, during such activities as printing a document or saving a file to a network drive. When things are working correctly, the steps taken by a server to authenticate a request are often taken for granted. You enter a password, and it is used whenever the client machine needs to access a network resource on your behalf. Authentication is a prerequisite to authorization. Authorization is what the server does to verify that the authenticated user should (or should not) gain access to the requested resource (such as the printer or file share).
169. 169. Topic 313: User and Group Management Security Modes The SMB/CIFS protocol has two security levels: user-level and share-level. Samba implements these across five values of the global security parameter in smb.conf, only three of which are relevant to modern Samba servers: user (the default), domain, and ads. The remaining two, share and server, are deprecated and were removed in Samba 4; server mode in particular passed each client's credentials on to another server for validation and should not be used.
170. 170. Topic 313: User and Group Management smbpasswd file format The format of the smbpasswd file (introduced with Samba 2.2 and still used by the smbpasswd passdb backend) is very similar to the familiar Unix passwd(5) file. It is an ASCII file containing one line for each user. Each field within a line is separated from the next by a colon. Any entry beginning with '#' is ignored. The smbpasswd file contains the following information for each user: Name: This is the user name. It must be a name that already exists in the standard UNIX passwd file. Uid: This is the UNIX uid. It must match the uid field for the same user entry in the standard UNIX passwd file. If it does not match, Samba will refuse to recognize this smbpasswd entry as valid for a user.
171. 171. Topic 313: User and Group Management Lanman Password Hash: This is the LANMAN hash of the user's password, or 32 X characters when no LANMAN hash is stored. NT Password Hash: This is the Windows NT hash of the user's password, encoded as 32 hex digits. The Windows NT hash is created by taking the user's password as represented in 16-bit, little-endian UNICODE (UTF-16LE) and applying the MD4 hashing algorithm (RFC 1320) to it. Because NTLM authentication uses this hash directly, it is password-equivalent: anyone who can read it can authenticate as the user without cracking it, so the file must be root-owned and mode 0600. Account Flags: This section contains flags, enclosed in square brackets, that describe the attributes of the user's account. U - This is a "User" account, i.e. an ordinary user. N - The account has no password. D - The account is disabled. W - This is a workstation trust account. Last Change Time: This field consists of the time the account was last modified, written as LCT- followed by the UNIX time in hexadecimal.
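As an added example (not from these slides or from the Samba project), the following Python parses entries in the format just described, recomputes the NT hash with a small MD4 implementation (hashlib's md4 is frequently unavailable under OpenSSL 3), and audits a constructed sample file. The account names, uids and timestamps in the sample are made up; alice and bob carry the well-known hash of the password "password".

```python
import hmac
import struct
from typing import Dict, List, Tuple

MASK32 = 0xFFFFFFFF
NO_HASH = "X" * 32                         # smbpasswd writes 32 X's when no hash is stored
NO_PASSWORD = "NO PASSWORD" + "X" * 21     # ... and this marker for accounts flagged N


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (RFC 1321 is MD5)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        v = [a, b, c, d]
        for func, order, shifts, k in rounds:
            for i in range(16):
                t = (-i) % 4                       # a, d, c, b, a, ... receive the update in turn
                v[t] = _rotl((v[t] + func(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4])
                              + x[order[i]] + k) & MASK32, shifts[i % 4])
        a, b, c, d = ((s + w) & MASK32 for s, w in zip((a, b, c, d), v))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, as 32 upper-case hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_smbpasswd(text: str) -> Dict[str, dict]:
    """Parse name:uid:LM:NT:[flags]:LCT-hex: lines; blank and '#' lines are ignored."""
    entries: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"malformed smbpasswd entry: {raw!r}")
        name, uid, lm, nt, flags, lct = fields[:6]
        entries[name] = {
            "uid": int(uid),
            "lm": lm.upper(),
            "nt": nt.upper(),
            "flags": set(flags.strip().strip("[]").replace(" ", "")),
            "changed": int(lct[4:], 16) if lct.startswith("LCT-") else None,
        }
    return entries


def check_password(entry: dict, candidate: str) -> bool:
    """NTLM needs only the stored hash; this is the step a pass-the-hash attacker skips."""
    return hmac.compare_digest(entry["nt"], nt_hash(candidate))


def audit(text: str) -> List[Tuple[str, str]]:
    """Findings a reviewer would want from an smbpasswd file."""
    findings = []
    for name, e in parse_smbpasswd(text).items():
        if "N" in e["flags"] or e["nt"] == NO_PASSWORD:
            findings.append((name, "account has no password (N flag)"))
        elif e["lm"] != NO_HASH:
            findings.append((name, "LANMAN hash stored (case-insensitive, 7-char halves, trivially cracked)"))
        if "D" in e["flags"]:
            findings.append((name, "account disabled"))
    return findings


# Constructed sample (not a real file): alice and bob both have the password "password".
SAMPLE = """\
# smbpasswd file - keep root-owned and mode 0600: the NT hash is password-equivalent
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-5F3E2D1C:
bob:1002:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-5F3E2D1C:
guest:1003:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

The audit flags bob because a LANMAN hash is stored alongside the NT hash (Samba only writes one when lanman auth is enabled), and guest because the N flag means any password is accepted.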
172. 172. Topic 313: User and Group Management Synchronizing Passwords A common complaint about Samba with regard to user accounts is that its user passwords must be maintained separately from the Unix or Linux system passwords. To ease the pain of managing multiple passwords per user, Samba provides a mechanism to update the user’s Unix password entry when a CIFS client requests that the LanMan and NT password hashes be changed. Of course, this does not help when the user changes the password by means other than the SMB/CIFS protocol, such as the passwd command or writing to the passdb storage directly with pdbedit. The only prerequisite for using this feature is that the root user be able to reset a user’s password without knowing the old password. The reason is that the client encrypts the new password using the old password hash as the key; the clear text of the old password is never sent, and because password hashes are one-way there is no way to derive the old clear-text password from its hash, so smbd can never supply it to a program that asks for it.
173. 173. Topic 313: User and Group Management The smbd daemon currently supports three mechanisms for changing a user’s Unix password: • Communicating with an external password program (the passwd program and passwd chat parameters) • Using the PAM password change API (pam password change = yes) • Requesting that the LDAP directory service do the work on its behalf The simplest of the three, the ldap passwd sync option (also accepted as ldap password sync), instructs smbd to send an LDAP Password Modify extended operation (RFC 3062) to the directory service, which then updates the userPassword attribute on behalf of the user. This option works only when Samba is using the ldapsam passdb module and the LDAP directory service is a recent version of OpenLDAP. With these prerequisites in place, add ldap passwd sync = yes to the [global] section of smb.conf to enable password synchronization.
174. 174. Topic 313: User and Group Management Alternative backend storage for passwords Samba can store account data in a Trivial Database (TDB) through the tdbsam passdb backend. Using tdbsam requires no additional configuration, and it is the recommended backend for new installations that do not require LDAP: it stores account attributes that the older flat ASCII smbpasswd file cannot hold, and the smbpasswd backend can run into performance problems as the number of accounts grows. However, tdbsam is not recommended for sites with 250 or more users, and it cannot replicate the account database, so sites that need replication (for example a PDC with BDCs) should use ldapsam.
175. 175. Topic 313: User and Group Management Integrate Samba with LDAP Samba exposes Unix objects (files, printers, users and groups) in a way that Windows clients understand. Samba must, however, store some additional attributes for users beyond the information in /etc/passwd. These attributes, such as the LanMan and NT password hashes, the user’s SID, and a home directory UNC path, are maintained in what is referred to as a passdb backend. This storage facility can currently take one of three forms: • A flat text file (passdb backend = smbpasswd) • A trivial database (tdb) file (passdb backend = tdbsam) • An LDAP directory service (passdb backend = ldapsam)
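The following Python lint, added here as an example and not part of the slides or of Samba, applies the security-mode, password-sync and passdb-backend rules from the preceding slides to two constructed smb.conf fragments: one with the deprecated share mode and an ldap passwd sync setting that cannot work with tdbsam, and a corrected one using ldapsam. The host name and DNs are placeholders, and the parser only reads a section headed exactly [global].

```python
import configparser
from typing import Dict, List

DEPRECATED_SECURITY = {"share", "server"}     # removed in Samba 4.0
VALID_SECURITY = {"user", "domain", "ads"}
VALID_PASSDB = {"smbpasswd", "tdbsam", "ldapsam"}
ALIASES = {"ldappasswordsync": "ldappasswdsync"}   # smb.conf accepts both spellings


def _norm(key: str) -> str:
    """Samba ignores case and whitespace in parameter names; fold aliases too."""
    key = "".join(key.split()).lower()
    return ALIASES.get(key, key)


def load_global(text: str) -> Dict[str, str]:
    """Return the [global] section as a dict keyed by normalised parameter name."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",),
                                   inline_comment_prefixes=("#", ";"))
    cp.optionxform = _norm
    cp.read_string(text)
    return dict(cp["global"]) if cp.has_section("global") else {}


def lint_auth_config(text: str) -> List[str]:
    """Problems an auditor would flag in the authentication-related [global] settings."""
    g = load_global(text)
    problems = []
    security = g.get("security", "user").lower()
    if security in DEPRECATED_SECURITY:
        problems.append(f"security = {security} is deprecated (removed in Samba 4); "
                        "use security = user with guest mapping instead")
    elif security not in VALID_SECURITY:
        problems.append(f"unknown security mode {security!r}")
    if security == "ads" and "realm" not in g:
        problems.append("security = ads requires realm = <KERBEROS.REALM>")
    if security in {"domain", "ads"} and "workgroup" not in g:
        problems.append(f"security = {security} requires workgroup = <DOMAIN>")
    # default backend is tdbsam since Samba 3.4; ldapsam may carry a URL after a colon
    backend = g.get("passdbbackend", "tdbsam").split(":", 1)[0].lower()
    if backend not in VALID_PASSDB:
        problems.append(f"unknown passdb backend {backend!r}")
    if g.get("ldappasswdsync", "no").lower() != "no" and backend != "ldapsam":
        problems.append("ldap passwd sync only works with passdb backend = ldapsam")
    if backend == "ldapsam" and "ldapsuffix" not in g:
        problems.append("passdb backend = ldapsam needs ldap suffix (and usually ldap admin dn)")
    return problems


# Constructed fragments; example.com values are placeholders.
WEAK = """\
[global]
workgroup = EXAMPLE
security = share            ; deprecated: share-level passwords, no per-user audit trail
passdb backend = tdbsam
ldap passwd sync = yes      ; has no effect without ldapsam
"""

FIXED = """\
[global]
workgroup = EXAMPLE
security = user
passdb backend = ldapsam:ldap://ldap.example.com
ldap suffix = dc=example,dc=com
ldap admin dn = cn=samba,dc=example,dc=com
ldap passwd sync = yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(label, lint_auth_config(cfg) or "ok")
```

testparm remains the authoritative check for a real smb.conf; this lint only encodes the handful of rules discussed above.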
176. 176. Topic 313: User and Group Management 313.3 Winbind Weight: 2 Description: Candidates should be able to install and configure the Winbind service. Key Knowledge Areas: * Install Winbind * Configure Winbind
177. 177. Topic 313: User and Group Management winbindd is a daemon that provides a number of services: to the Name Service Switch capability found in most modern C libraries, to arbitrary applications via PAM, and to Samba itself. Even if winbind is not used for nsswitch, it still provides a service to smbd and the PAM module by managing connections to domain controllers. The Name Service Switch allows user and system information to be obtained from different database services such as NIS or DNS; the exact behaviour is configured through the /etc/nsswitch.conf file. Domain users and groups are allocated Unix uids and gids as they are resolved, from a range specified by the administrator of the Samba system (the idmap config ranges in smb.conf). The service provided by winbindd is called 'winbind' and can be used to resolve user and group information from a Windows NT or Active Directory domain controller. The service can also provide authentication services via an associated PAM module.
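An added example (not from the slides or from Samba) of how winbind's range allocation works for the rid idmap backend, where the Unix ID is the RID plus the low end of the domain's configured range, and of the overlapping-range mistake that makes two domains collide on the same uids. The smb.conf fragment and the domain SID are constructed. The default * domain in the fragment uses the tdb backend, which hands out IDs sequentially from its range as names are first seen; that allocation is not modelled here.

```python
import re
from typing import Dict, List, Optional, Tuple

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(smbconf: str) -> Dict[str, Tuple[int, int]]:
    """Collect 'idmap config <DOMAIN> : range = low-high' lines from smb.conf text."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in smbconf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ranges intersect; winbind must never map two SIDs to one uid."""
    names = sorted(ranges)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if ranges[x][0] <= ranges[y][1] and ranges[y][0] <= ranges[x][1]]


def rid_to_unix_id(sid: str, domain_sids: Dict[str, str],
                   ranges: Dict[str, Tuple[int, int]]) -> Optional[int]:
    """idmap_rid with base_rid = 0: ID = RID + low end of the domain's range, or None if unmappable."""
    m = SID_RE.match(sid)
    if not m:
        return None
    domain = domain_sids.get(m.group(1))
    if domain is None or domain not in ranges:
        return None                     # unknown domain: winbind refuses rather than guessing
    low, high = ranges[domain]
    unix_id = int(m.group(2)) + low
    return unix_id if low <= unix_id <= high else None   # RID too large for the range


# Constructed configuration and domain SID (not real values).
SMBCONF = """\
[global]
security = ads
workgroup = EXAMPLE
realm = EXAMPLE.COM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-49999
"""
DOMAIN_SIDS = {"S-1-5-21-1111111111-2222222222-3333333333": "EXAMPLE"}

if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMBCONF)
    print(ranges, overlapping_ranges(ranges))
    print(rid_to_unix_id("S-1-5-21-1111111111-2222222222-3333333333-1001", DOMAIN_SIDS, ranges))
```

A RID beyond the range (here 45000) is rejected rather than wrapped, which is the behaviour to expect when a large domain outgrows a range sized too small.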
178. 178. Topic 313: User and Group Management Install and configure Winbind on CentOS
  179. 179. Topic 314: Working with CIFS, NetBIOS, and Active Directory
  184. 184. Topic 314: Working with CIFS, NetBIOS, and Active Directory 314.1 CIFS Integration Weight: 3 Description: Candidates should be comfortable working with CIFS in a mixed environment Key Knowledge Areas: * Understand SMB/CIFS concepts * Mount remote CIFS shares from a Linux client * Understand features and benefits of CIFS
185. 185. Topic 314: Working with CIFS, NetBIOS, and Active Directory Samba’s popularity comes from its ability to serve Microsoft Windows clients, but SMB/CIFS clients are also available on a wide variety of platforms running Windows, Linux, Mac OS X, or other operating systems. By providing SMB/CIFS support, you can standardize your local area network, allowing everybody to use the same protocol. Files can be shared by saving them to the SMB/CIFS share just as if it were a local hard disk. This method can also be part of a migration strategy for moving users from one operating system to another. The most transparent means of accessing SMB/CIFS file shares is to provide a filesystem that understands the protocol. We explore the native SMB/CIFS filesystem support available on Linux, OS X, and FreeBSD systems, and Samba’s tools that can help you perform remote administration tasks from Unix clients. One example is the net tool, which can perform common tasks such as managing users and groups, restarting services, and rebooting servers.
186. 186. Topic 314: Working with CIFS, NetBIOS, and Active Directory The Linux CIFS Filesystem The CIFS filesystem (the cifs kernel module) is included in the Linux 2.6 kernel; a patch for 2.4 kernels is available. Linux’s original SMB/CIFS filesystem client, named smbfs, was written by Volker Lendecke, an active Samba developer. The smbfs kernel module and its user-space tools (smbmount, smbumount, and smbmnt) were expected to remain in Linux and Samba for some time (smbfs has since been removed from the kernel, in 2.6.37), so if you have Linux systems currently set up to use smbfs, now is the time to migrate them to the cifs module instead.
187. 187. Topic 314: Working with CIFS, NetBIOS, and Active Directory Mounting a SMB/CIFS File Share An SMB/CIFS share can be mounted as part of your local filesystem. Mounting filesystems is normally restricted to the root account; we’ll show you how to allow users to mount and unmount SMB/CIFS shares shortly, but for the moment run the mount and umount commands as root. The general syntax for mounting an SMB/CIFS file share is: # mount -t cifs //server/share mount_point [-o options] The -t option specifies the filesystem type (cifs). The mount_point is the path to a local directory where the share will be mounted. Numerous options can be specified with the -o flag, such as the account used to connect to the remote server (user=name). Avoid password=... on the command line: it is visible to every local user in the process list and ends up in shell history. Use a credentials= file readable only by root instead.
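As an added example for the root-only mount step above (this is not code from the slides or from Samba), the Python below writes a mount.cifs credentials file with a restrictive mode from the moment it is created and assembles the mount command so the password never appears on a command line. The server, share and paths are placeholders; the demo writes into a temporary directory only.

```python
import os
import tempfile
from typing import List, Optional


def write_credentials(path: str, username: str, password: str, domain: Optional[str] = None) -> None:
    """Create a mount.cifs credentials file (username=/password=/domain= lines) as mode 0600 from the start."""
    if "\n" in username or "\n" in password:
        raise ValueError("newline would corrupt the credentials file")
    # O_CREAT with an explicit mode means there is no window in which the file is world-readable
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"username={username}\npassword={password}\n")
        if domain:
            fh.write(f"domain={domain}\n")
    os.chmod(path, 0o600)   # tighten a pre-existing file that had a looser mode


def credentials_mode_ok(path: str) -> bool:
    """True when group and other have no permission bits at all."""
    return (os.stat(path).st_mode & 0o077) == 0


def build_mount_argv(server: str, share: str, mount_point: str, credentials: str,
                     uid: Optional[int] = None, vers: str = "3.0") -> List[str]:
    """argv for mount(8); the password lives only in the credentials file, not in ps or shell history."""
    opts = [f"credentials={credentials}", f"vers={vers}", "nosuid", "nodev"]
    if uid is not None:
        opts.append(f"uid={uid}")       # owner of files as seen locally
    return ["mount", "-t", "cifs", f"//{server}/{share}", mount_point, "-o", ",".join(opts)]


def demo() -> dict:
    """Write constructed credentials into a temp dir and report what a check would see."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "smbcred")
        write_credentials(path, "alice", "s3cret", "EXAMPLE")
        with open(path) as fh:
            content = fh.read()
        return {"mode_ok": credentials_mode_ok(path), "content": content}


if __name__ == "__main__":
    print(demo())
    print(" ".join(build_mount_argv("fileserver", "data", "/mnt/data", "/root/.smbcred", uid=1000)))
```

The same credentials= option works in /etc/fstab, which is the usual way to keep the password out of the boot-time mount line as well; vers= pins the SMB dialect so a server cannot negotiate the client down to SMB1.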
188. 188. Topic 314: Working with CIFS, NetBIOS, and Active Directory 314.2 NetBIOS and WINS Weight: 7 Description: Candidates should be familiar with NetBIOS/WINS concepts and understand network browsing. Key Knowledge Areas: * Understand WINS concepts * Understand NetBIOS concepts * Understand the role of a local master browser * Understand the role of a domain master browser * Understand the role of Samba as a WINS server * Understand name resolution * Configure Samba as a WINS server * WINS replication * Understand NetBIOS browsing, service announcements and elections
  189. 189. Topic 314: Working with CIFS, NetBIOS, and Active Directory Understand WINS concepts Windows Internet Name Service (WINS) provides a distributed database for registering and querying dynamic mappings of NetBIOS names for computers and groups used on your network. WINS maps NetBIOS names to IP addresses and was designed to solve the problems arising from NetBIOS name resolution in routed environments. WINS is the best choice for NetBIOS name resolution in routed networks that use NetBIOS over TCP/IP
190. 190. Topic 314: Working with CIFS, NetBIOS, and Active Directory Understand NetBIOS concepts NetBIOS (Network Basic Input/Output System) was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. Since its creation, NetBIOS has become the basis for many other networking applications. In its strictest sense, NetBIOS is an interface specification for accessing networking services.
191. 191. Topic 314: Working with CIFS, NetBIOS, and Active Directory Understand the role of a local master browser Master Browser - Maintains the main or master list of computers and shared resources. Each workgroup or domain has one master browser per subnet. A new resource list is sent to the backup browsers every 15 minutes. A client is not removed from the resource list until three 12-minute announcement periods have passed without hearing from it. A domain master browser waits three 15-minute periods of no response from another domain master browser before removing that domain's resources from its list. A client first contacts the master browser, which gives it a list of backup browsers to query. Domain Master Browser - The master browser for a domain, a role held by the primary domain controller (PDC) in a domain network.
  192. 192. Topic 314: Working with CIFS, NetBIOS, and Active Directory Understand the role of a domain master browser the Primary Domain Controller (PDC) acts as the domain master browser (DMB), which ties subnets together and allows browse lists to be shared between master and backup browsers on separate subnets. This is how browsing is extended to function beyond the local subnet. Each subnet functions as a separate browsing entity, and the domain master browser synchronizes the master browsers of each subnet. In a Windows-only network, browsing cannot function across subnets unless a PDC exists on the network. By default, each computer that participates in a browse election is considered a potential browser. It can be ordered by the browse master to become a backup browser or can identify itself as a backup browser and accept the role on its own.
193. 193. Topic 314: Working with CIFS, NetBIOS, and Active Directory Understand the role of Samba as a WINS server You can set up Samba as a WINS server by setting two global options in the configuration file:
[global]
wins support = yes
name resolve order = wins lmhosts hosts bcast
The wins support option turns Samba (specifically nmbd) into a WINS server; Samba handles the rest of the details behind the scenes.
194. 194. Topic 314: Working with CIFS, NetBIOS, and Active Directory If Samba is acting as a WINS server, you should get familiar with the name resolve order option mentioned earlier. This option tells Samba the order of the methods it tries when resolving a NetBIOS name. It can take up to four values: lmhosts: Uses a LAN Manager LMHOSTS file (Samba's lmhosts lives alongside smb.conf) hosts (spelled host in the smb.conf manual page): Uses the standard name resolution methods of the Unix system: /etc/hosts, DNS, NIS, or a combination, as configured for the system wins: Queries the WINS server bcast: Sends a broadcast on the local subnet Samba's default order is lmhosts wins host bcast. Any host on the segment can answer a broadcast query, so bcast belongs last, after the methods the administrator controls.
  195. 195. Topic 314: Working with CIFS, NetBIOS, and Active Directory Understand name resolution Name resolution is critical to Samba's operation because names are used to find the servers that share files or printers. Browsing takes the task of finding servers to a new level of sophistication by allowing a user to delve down into a hierarchy of networks, domains, hosts, and services offered by each server. While name resolution and browsing are not difficult to configure, some complexity is introduced by the variety of available name-resolution systems. Historically, Unix and other TCP/IP users have moved from a flat hosts file to the Domain Name System, with the Network Information System being another popular choice. Meanwhile, Microsoft has moved from a broadcasting system to a simple, LAN-only name server called WINS and ultimately to DNS.
196. 196. Topic 314: Working with CIFS, NetBIOS, and Active Directory Configure Samba as a WINS server Either a Samba server or a Windows NT server may be set up as a WINS server. To configure a Samba server as a WINS server, add the following line to the [global] section of smb.conf on the chosen server:
wins support = yes
Do not also set wins server = ... on that host (Samba refuses to be both WINS server and WINS client), and do not enable wins support on more than one Samba server: Samba does not replicate WINS data, so two WINS servers would each hold an incomplete and diverging database.
197. 197. Topic 314: Working with CIFS, NetBIOS, and Active Directory WINS replication Samba-3 does not support native WINS replication. An attempt to implement it, called wrepld, was never production-ready and its development has been discontinued. Meanwhile, there is a project named samba4WINS, which makes it possible to run the Samba-4 WINS server in parallel with Samba-3 (since version 3.0.21).
  198. 198. Topic 314: Working with CIFS, NetBIOS, and Active Directory Understand NetBIOS browsing, service announcements and elections Each server on the network announces itself to the network to allow the master and backup browsers to build their browse lists. When first joining the network, a host sends server announcements every minute, but the interval is gradually stretched out to every 12 minutes. When a server is shut down gracefully, it sends an announcement that it is going offline to allow the master and backup browsers to remove it from the browse list. However, when a server goes offline by crashing or by some other failure, the master browser notices its disappearance only because it stops receiving server announcements. The master browser waits for three of the server’s announcement periods before deciding that it is offline, which can take up to 36 minutes. Because backup browsers have their browse lists updated from the master browser once every 15 minutes, it can take up to 51 minutes for clients to be informed of a failed server.
199. 199. Topic 314: Working with CIFS, NetBIOS, and Active Directory 314.3 Integrating with Active Directory Weight: 2 Description: Candidates should be able to integrate Linux servers into an environment where Active Directory is present. Key Knowledge Areas: * List and remove Active Directory / LDAP users * Configure Samba in ADS security mode * Knowledge of the DNS requirements for Active Directory