Linux/Samba/Domain Controller

Tutorial #1
SAMBA (Domain Controller) Server For Small Workgroups With Ubuntu 5.10 "Breezy Badger"

Install the packages (the tutorial targets Ubuntu, but these notes were taken on a CentOS/RHEL 5 box, hence yum and the el5 Samba build in the output below):

   yum install samba samba-client samba-common

Edit /etc/samba/smb.conf:

   [global]
      workgroup = T0E
      netbios name = TESTLAB
      server string = %h server
      passdb backend = tdbsam
      security = user
      username map = /etc/samba/smbusers
      name resolve order = wins bcast hosts
      domain logons = yes
      preferred master = yes
      wins support = yes
      # Set CUPS for printing
      #printcap name = CUPS
      #printing = CUPS
      # Default logon
      #logon drive = H:
      #logon script = scripts/logon.bat
      #logon path = \\server1\profile\%U
      # (if enabled, point logon path at this server's [profile] share, e.g. \\TESTLAB\profile\%U)

      # Useradd scripts
      add user script = /usr/sbin/useradd -m %u
      delete user script = /usr/sbin/userdel -r %u
      add group script = /usr/sbin/groupadd %g
      delete group script = /usr/sbin/groupdel %g
      add user to group script = /usr/sbin/usermod -a -G %g %u
      add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
      idmap uid = 15000-20000
      idmap gid = 15000-20000

      # sync smb passwords with linux passwords
      passwd program = /usr/bin/passwd %u
      passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
      passwd chat debug = yes   # only while debugging the chat; see note below
      unix password sync = yes
      # set the loglevel
      log level = 3

   [homes]
      comment = Home
      valid users = %S
      read only = no
      browsable = no

   [printers]
      comment = All Printers
      path = /var/spool/samba
      printable = yes
      guest ok = yes
      browsable = no

   [netlogon]
      comment = Network Logon Service
      path = /home/samba/netlogon
      admin users = Administrator
      valid users = %U
      read only = no

   [profile]
      comment = User profiles
      path = /home/samba/profiles
      valid users = %U
      create mode = 0600
      directory mode = 0700
      writable = yes
      browsable = no

Two corrections to the configuration as copied from the tutorial: add user to group script uses usermod -a -G (without -a, usermod replaces the user's supplementary groups with just %g), and the machine-account shell is /bin/false, not /bin/false/. Also note that passwd chat debug = yes writes the password chat, including the new password, to the smbd log at log level 100; leave it on only while the chat script is being debugged.

Create the directories for domain logons and profiles:

   mkdir /home/samba
   mkdir /home/samba/netlogon
   mkdir /home/samba/profiles
   mkdir /var/spool/samba
   chmod 1777 /var/spool/samba/
   chown -R root:users /home/samba/
   chmod -R 771 /home/samba/

The print spool gets the sticky bit (1777 rather than 777) so that every user can create spool files but nobody can delete or rename another user's.

/etc/init.d/samba restart

Edit /etc/nsswitch.conf and change the line

   hosts: files dns

to

   hosts: files wins dns

Add the root user to the SAMBA password database. The root user (alias: Administrator) will be our domain administrator. This account is needed to add new computers to the SAMBA domain.

   smbpasswd -a root

Create the file /etc/samba/smbusers and add the mapping line by executing:

   echo "root = Administrator" > /etc/samba/smbusers

This will allow us to use the common Windows username "Administrator" as an alias for the Linux root user. Now test whether the setup is correct:

   smbclient -L localhost -U%

The output should look similar to this:

   Domain=[T0E] OS=[Unix] Server=[Samba 3.0.23c-2.el5.2.0.2]

           Sharename       Type      Comment
           ---------       ----      -------
           netlogon        Disk      Network Logon Service
           IPC$            IPC       IPC Service (testlab server)
   Domain=[T0E] OS=[Unix] Server=[Samba 3.0.23c-2.el5.2.0.2]

           Server               Comment
           ---------            -------
           TESTLAB              testlab server

           Workgroup            Master
           ---------            -------
           T0E                  TESTLAB

Set up the default domain groups for Windows:

   net groupmap modify ntgroup="Domain Admins" unixgroup=root
   net groupmap modify ntgroup="Domain Users" unixgroup=users
   net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup

or, if no mapping exists yet, add them with their well-known RIDs so that Windows recognises them as the built-in domain groups:

   net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
   net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
   net groupmap add ntgroup="Domain Guests" unixgroup=nogroup rid=514 type=d

Check the result with net groupmap list. Mapping Domain Admins onto the UNIX group root makes every UNIX account in group root a domain administrator; a dedicated group (the Samba HOWTO uses domadmins) keeps the two apart.

Adding Users To Our SAMBA Domain

Now we will add a user, e.g. tom, to our Samba domain. You will have to add a user like this for each user account you want to connect to this SAMBA domain server.

1) Add a linux user tom: useradd tom -m -G users

2) Add the linux user tom to the SAMBA password database: smbpasswd -a tom

Adding Shares

Now I will add a share that is accessible by all users.

   mkdir -p /home/shares/allusers
   chown -R root:users /home/shares/allusers/
   chmod -R ug+rwx,o+rx-w /home/shares/allusers/

At the end of the file /etc/samba/smb.conf add the following lines:

   [allusers]
      comment = All Users
      path = /home/shares/allusers
      valid users = @users
      force group = users
      create mask = 0660
      directory mask = 0771
      writable = yes

/etc/init.d/samba restart
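Before the restart it is worth checking the assembled smb.conf for the handful of settings that most often weaken a PDC. The script below is an added example, not part of this page or the HowtoForge tutorial: it parses the [section] / name = value layout of smb.conf(5) and flags share-level security, plaintext or empty passwords, passwd chat debug, and guest access on anything other than [printers]. The sample configuration it writes is constructed for the demo (this page's layout with a few weak settings mixed in) and its path under /tmp is an assumption. It checks only these parameters, so testparm -s should still be run afterwards.

```shell
#!/bin/bash
# Added example (not from this page or the HowtoForge tutorial): audit an
# smb.conf for settings that weaken a Samba 3 PDC. Parsing follows the
# "[section]" / "name = value" layout of smb.conf(5); the sample file written
# below is constructed for this demo and its path is an assumption.

# trim STRING: strip leading and trailing whitespace.
trim() {
    local s=$1
    s=${s#"${s%%[![:space:]]*}"}
    s=${s%"${s##*[![:space:]]}"}
    printf '%s' "$s"
}

# norm STRING: lower-case and collapse runs of spaces, so "Guest  OK" == "guest ok".
norm() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -s ' '; }

# share_end: called when a [section] closes; bash's dynamic scoping lets it read
# smbconf_audit's locals. Guest access is expected on [printers] only.
share_end() {
    if [ "$section" != global ] && [ "$section" != printers ] &&
       [ "$guest" = yes ] && [ "$writable" = yes ]; then
        printf '[%s] guest ok + writable: anonymous clients can write to this share\n' "$section"
    fi
    guest=no; writable=no
}

# smbconf_audit FILE: print one finding per line as "[section] parameter: reason".
smbconf_audit() {
    local file=$1 section=global guest=no writable=no line key val
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "$line")
        case $line in
            ''|\#*|\;*) continue ;;                 # blank or comment line
            \[*\]) share_end
                   section=$(norm "${line#\[}"); section=${section%]}
                   continue ;;
            *=*) ;;
            *) continue ;;                          # not a parameter line
        esac
        key=$(norm "$(trim "${line%%=*}")")
        val=$(norm "$(trim "${line#*=}")")
        case "$key=$val" in
            'security=share')
                printf '[%s] security = share: share-level auth, no per-user accounts\n' "$section" ;;
            'encrypt passwords=no'|'encrypt passwords=false')
                printf '[%s] encrypt passwords = no: clients send plaintext passwords\n' "$section" ;;
            'null passwords=yes'|'null passwords=true')
                printf '[%s] null passwords = yes: accounts with empty passwords can log on\n' "$section" ;;
            'passwd chat debug=yes'|'passwd chat debug=true')
                printf '[%s] passwd chat debug = yes: new passwords land in the smbd log at log level 100\n' "$section" ;;
            'guest ok=yes'|'guest ok=true'|'public=yes'|'public=true')
                guest=yes
                [ "$section" = printers ] ||
                    printf '[%s] guest ok = yes: share is reachable without a password\n' "$section" ;;
            'writable=yes'|'writable=true'|'writeable=yes'|'writeable=true'|'read only=no'|'read only=false')
                writable=yes ;;
        esac
    done < "$file"
    share_end
}

# Constructed sample: this page's layout with a few weak settings mixed in.
SAMPLE_CONF=${TMPDIR:-/tmp}/smb-audit-demo.conf
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = T0E
   netbios name = TESTLAB
   security = user
   passdb backend = tdbsam
   domain logons = yes
   unix password sync = yes
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   passwd chat debug = yes
   null passwords = yes
   log level = 3

[printers]
   path = /var/spool/samba
   printable = yes
   guest ok = yes
   browsable = no

[netlogon]
   path = /home/samba/netlogon
   valid users = %U
   read only = no

; a "convenience" share that nobody reviewed
[public]
   path = /home/shares/public
   guest ok = yes
   writable = yes
EOF

smbconf_audit "$SAMPLE_CONF"
```

Run against the real file with smbconf_audit /etc/samba/smb.conf. On the sample it reports the two [global] findings and the guest-readable, guest-writable [public] share, and stays silent on [printers], where guest ok is the norm.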

Password Change
I was unable to change my user password from my Windows XP machine.

A thread asked the same question. The answer was to change

   unix password sync = yes

to

   unix password sync = no

This appeared to work. This may be because all of the samba users are the same user, and not individual Linux accounts.

Another suggestion:

A comment suggested changing the passwd chat line in smb.conf to:

   passwd chat = *password* %n\n *password* %n\n *success*

Domain Administration
From what I can tell, all new users will need to be added via the command line on the PDC. I was unable to connect to the PDC using the MMC "Users" snap-in.

Security
It appears that the domain groups and security permission are either ignored or simply not used.

Linux Client Authentication
How will this work with a Linux workstation? It doesn't appear you can use Samba on a Linux workstation to authenticate against a Samba Domain Controller without some serious reconfiguration.

It seems that joining the domain is no problem, but using the Samba Domain Controller for login authentication appears to be another issue.


 * Using Samba to join a Windows NT domain
 * Configuring Samba to use the Domain Security Mode

How do force Passwords Restrictions and Expiration?

See for a possible example:

   min password length = 6
   null passwords = No

Note that in Samba 3 the smb.conf parameter min password length only limits the plaintext password smbd accepts when it changes the UNIX password itself (unix password sync). Domain password policy such as minimum length, history and maximum age is stored in the passdb as account policies and is set with pdbedit -P, for example pdbedit -P "min password length" -C 8; pdbedit -P "min password length" without -C displays the current value.

NetBIOS name resolution failure
I am unable to visit \\t0e without having to add it to the ...\etc\hosts file

Testing Samba Configuration
Quick HOWTO : Ch12 : Samba Security and Troubleshooting

This will test the Samba configuration file:

   testparm -s

This will report the Samba details (hit enter when prompted for a password; localhost here, or the server's name from a client):

   smbclient -L localhost

or, to skip the password prompt entirely:

   smbclient -L localhost -U%

To check that the Samba software is running correctly:

   nmblookup -B 192.168.1.100 __SAMBA__
   nmblookup -B 192.168.1.103 "*"
   nmblookup -d 2 '*'
   nmblookup -M T0E        # check for the master browser of the workgroup

Linux as SMB Client
Samba as a NT Domain Member

   [global]
      workgroup = T0E
      security = DOMAIN
      password server = T0E

   net join T0E -U Administrator

password server takes the NetBIOS name(s) of the domain controller(s) to authenticate against (TESTLAB for the PDC built above), or * to locate them via WINS/broadcast; T0E is the workgroup/domain name rather than a host.

Iptables and Samba
Quick HOWTO : Ch12 : Samba Security and Troubleshooting

Configure it to allow through such Microsoft protocols as NetBIOS (UDP ports 137 and 138, TCP port 139) and TCP port 445 for SMB file sharing without NetBIOS. Here is a sample script snippet:

   #!/bin/bash

   SAMBA_SERVER="192.168.1.100"
   NETWORK="192.168.1.0/24"     # Local area network
   BROADCAST="192.168.1.255"    # Directed broadcast address of that /24

   iptables -A INPUT -i lo -j ACCEPT
   iptables -A OUTPUT -o lo -j ACCEPT

   iptables -A INPUT -p udp -s $NETWORK -d $SAMBA_SERVER \
            -m multiport --dports 137,138 -j ACCEPT
   iptables -A INPUT -p tcp -s $NETWORK -d $SAMBA_SERVER -m multiport \
            --dports 139,445 -j ACCEPT
   iptables -A INPUT -p udp -s $NETWORK -d $BROADCAST --dport 137 \
            -j ACCEPT
   iptables -A INPUT -p udp -d $SAMBA_SERVER -m multiport \
            --dports 137,138 -j DROP
   iptables -A INPUT -p tcp -d $SAMBA_SERVER -m multiport \
            --dports 139,445 -j DROP
   iptables -A OUTPUT -s $SAMBA_SERVER -d $NETWORK -m state --state \
            ESTABLISHED,RELATED -j ACCEPT

Two fixes relative to the snippet as copied: the trailing space inside SAMBA_SERVER, which iptables rejects as an address, and BROADCAST, which for 192.168.1.0/24 is 192.168.1.255 (192.168.255.255 lies outside the network, so the broadcast rule would never match and name queries from clients would fall through to the DROP rule).
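The broadcast rule only works if $BROADCAST really is the subnet's directed broadcast, which is easy to get wrong by hand. The script below is an added example, not from the Quick HOWTO or this page: it derives the broadcast address from the CIDR prefix and prints the rule set as text so it can be reviewed (or piped to sh) before it touches the firewall. The server and network addresses are the page's example values; the helper names are my own.

```shell
#!/bin/bash
# Added example (not from the Quick HOWTO): compute the directed broadcast
# address from the CIDR prefix and print the Samba rule set as text, so it can
# be reviewed (or piped to sh) before it is loaded. Nothing here calls iptables.
# The server and network addresses are the page's example values.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INTEGER -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_broadcast NETWORK/BITS -> directed broadcast (192.168.1.0/24 -> 192.168.1.255)
cidr_broadcast() {
    case $1 in
        */*) ;;
        *) echo "cidr_broadcast: expected NETWORK/BITS, got '$1'" >&2; return 1 ;;
    esac
    local net=${1%/*} bits=${1#*/} mask
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    int_to_ip $(( ($(ip_to_int "$net") & mask) | (~mask & 0xFFFFFFFF) ))
}

# samba_fw_rules SERVER NETWORK/BITS -> prints the iptables commands (dry run)
samba_fw_rules() {
    local server=$1 network=$2 bcast
    bcast=$(cidr_broadcast "$network") || return 1
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# NetBIOS name (137/udp) and datagram (138/udp) service from the LAN to the server
iptables -A INPUT -p udp -s $network -d $server -m multiport --dports 137,138 -j ACCEPT
# SMB over NetBIOS (139/tcp) and direct-hosted SMB (445/tcp)
iptables -A INPUT -p tcp -s $network -d $server -m multiport --dports 139,445 -j ACCEPT
# name queries that clients send to the subnet broadcast ($bcast)
iptables -A INPUT -p udp -s $network -d $bcast --dport 137 -j ACCEPT
# anything else aimed at the SMB ports is dropped
iptables -A INPUT -p udp -d $server -m multiport --dports 137,138 -j DROP
iptables -A INPUT -p tcp -d $server -m multiport --dports 139,445 -j DROP
iptables -A OUTPUT -s $server -d $network -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Dry run with the page's values; pipe the output to "sh" to apply it.
samba_fw_rules 192.168.1.100 192.168.1.0/24
```

Because the broadcast is computed from the prefix, changing NETWORK to a /22 or a /16 keeps the name-query rule correct without a second value to remember.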

Samba PAM authentication
 * pam_smb
 * pam_smb FAQ
 * pam_smb README

/lib/security/pam_smb_auth.so

Samba and Winbind
"I'm not sure if it was connected, but I'd just run wbinfo -D workgroup_name which seemed to hang, but I went to do something else, forgetting that it was hanging. Only it wasn't. Eventually it came back with correct answers, at which point wbinfo -u|g worked and the authentication was back, too. Wow. Weird."

"I was trying to get Samba and winbind working for Squid today. Most wbinfo tests seemed fine, but "wbinfo -u" and "wbinfo -g" kept giving that "Error looking up domain users" (or groups) error. I found your post, and tried running "wbinfo -D domain_name", just to see if it made a difference. While it did not hang on my system (returned info immediately), after that, "wbinfo -u" and "wbinfo -g" started working. So whatever's going on, that "-D" switch seems to help unwedge things somehow. Magic."

Samba, Pam, winbind and ADS

Samba Winbind - wbinfo -u works, getent passwd only gives local users:

   wbinfo --own-domain
   wbinfo -t          # does not work
   wbinfo -D T0E
   wbinfo -g
   wbinfo -u          # does not work?

Samba: wbinfo -I not responding:

   wbinfo -p

Samba wbinfo can't list users:

   net rpc join -U Administrator
   wbinfo -u
   wbinfo -g
   wbinfo -m
   winbindd -d 3 -i

Samba - Winbind: Use of Domain Accounts

See Also

 * Linux Magazine: Using Samba as a PDC
 * Samba Setup Guide for Linux
 * Linux Magazine: Samba
 * Linux-Windows Single Sign-On
 * Samba-3 Server Types and Security Modes
 * Using Samba - 6.3 Authentication Security
 * Using Samba (HTML eBook)
 * Samba authentication through PAM with MySQL
 * Setting up Samba to use an NT PDC for authentication
 * Chapter 7. Adding Domain Member Servers and Clients - Part II. Domain Members, Updating Samba and Migration
 * Samba Setup Guide for Linux - Samba as a Primary Domain Controller
 * Chapter 4. Domain Control - Part II. Server Configuration Basics


 * Common threads: Samba domain controller support
 * SAMBA (Domaincontroller) Server For Small Workgroups With Ubuntu 6.10
 * HOWTO SAMBA-LDAP Domain Controller (with Real Time antivirus)
 * Samba PDC mini-HOWTO
 * Samba as Primary Domain Controller - HowTo
 * Samba Winbind wbinfo -u fails with "Error looking up domain users"
 * The Official Samba-3 HOWTO and Reference Guide

To Read

 * http://justlinux.com/forum/archive/index.php/t-118512.html
 * http://joseph.randomnetworks.com/archives/2005/11/08/freebsd-users-and-groups-with-samba-winbind-and-active-directory/
 * http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci1243858,00.html