Recently I got the opportunity to set up a new lab for a small school. The server runs Linux and the workstations run Windows XP. There are 3 levels of access on the workstations (admin, teacher, and student), and security on the workstations is based on Windows policies applied at logon.
admin – full access to workstation
teacher – almost full access to workstation – minus certain control panel functions
student – lockdown city – no network browsing, no software installation, no control panel
Workstations are joined to the Samba domain and function the same way they would in a Windows server based domain.
I will detail the steps to get a Samba lab up and running plus some caveats you may encounter.
Install Samba
This step is very distribution specific. Make sure that the version you install is at least version 3.x and not 2.x.
Create Your Base Users And Groups
groupadd admins
groupadd teachers
groupadd students
useradd -m -s /bin/false -c "Samba Admin" -G admins administrator
useradd -m -s /bin/false -c "Samba Generic Teacher" -G teachers teacher
useradd -m -s /bin/false -c "Samba Generic Student" -G students student
smbpasswd -a administrator
smbpasswd -a teacher
smbpasswd -a student
Setup A Basic Config
a. Determine your NETBIOS server name and domain name
In my example I use FS1 as the server name and ‘IDOM’ as the domain name. Make sure that neither contains spaces; avoiding punctuation marks is also preferable.
b. Create your share directories and permissions
mkdir /home/samba
mkdir /home/samba/netlogon
mkdir /home/samba/teachers
mkdir /home/samba/software
chgrp teachers /home/samba/teachers
chgrp admins /home/samba/software
chmod 775 /home/samba/teachers
chmod 775 /home/samba/software
c. Example config
[global]
netbios name = FS1
workgroup = IDOM
passdb backend = smbpasswd
os level = 33
preferred master = yes
domain master = yes
local master = yes
security = user
domain logons = yes
#logon path = \\%N\profiles\%u
logon path =
#logon drive = H:
#logon home = \\homeserver\%u\winprofile
logon script = logon.bat
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
# username map = /etc/samba/smbusers
admin users = @admins
printer admin = @admins
printing = cups
load printers = yes
printcap name = /etc/printcap
# print command = lp -c -d%p -oraw; rm %s
print command = lpr -l %s
# prevent mp3 files from being stored on the server
veto files = /*.mp3/*.divx/*.eml/

[homes]
comment = Home Directories
valid users = %S
browseable = No
read only = No
create mask = 0640
directory mask = 0750

[netlogon]
path = /home/samba/netlogon
read only = yes
write list = @admins
read list = @admins, @teachers, @students

[profiles]
path = /var/lib/samba/profiles
read only = no
create mask = 0600
directory mask = 0700

[printers]
comment = All Printers
path = /var/tmp
create mask = 0666
printable = Yes
guest ok = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @admins, root
force group = admins
create mask = 0664
directory mask = 0775

[teachers]
comment = Shared area for teachers
path = /home/samba/teachers
valid users = @teachers
read list = @teachers
write list = @teachers
force group = teachers
read only = No
create mask = 0774
directory mask = 0775

[software]
comment = storage area for software and drivers
path = /home/samba/software
valid users = @teachers, @admins
admin users = @admins
read list = @teachers, @admins
write list = @admins
force group = admins
read only = No
create mask = 0774
directory mask = 0775
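A quick sanity check for the config above, added here as an example and not part of the article: it reads an smb.conf in the syntax shown and flags the two settings that would undo the lockdown model, a [global] "security" other than user (logons would then bypass the PDC's password database) and any non-printer share that guests may write to. Only POSIX awk is used; the file name passed in is whatever you want to audit.

```shell
#!/bin/sh
# Added example, not code from the article. audit_smbconf FILE prints one line
# per finding and nothing when the file is clean. Share names, keys and values
# are compared case-insensitively, as Samba does.
audit_smbconf() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN { n = 0; security = "user" }          # Samba 3 default
        /^[ \t]*\[/ {                                # section header: [name]
            sec = tolower(trim($0)); sub(/^\[/, "", sec); sub(/\]$/, "", sec)
            secs[n++] = sec; ro[sec] = "yes"         # shares default to read only
            next
        }
        /^[ \t]*[#;]/ || !/=/ { next }               # comment or not a setting
        {
            key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            val = tolower(trim(substr($0, index($0, "=") + 1)))
            if (key == "security") security = val
            if (key == "guest ok" || key == "public") guest[sec] = val
            if (key == "read only") ro[sec] = val
            if (key == "writeable" || key == "writable") ro[sec] = (val == "yes") ? "no" : "yes"
            if (key == "printable" || key == "print ok") printable[sec] = val
        }
        END {
            if (security != "user")
                print "global: security = " security " (expected user for a PDC)"
            for (i = 0; i < n; i++) {
                s = secs[i]
                if (guest[s] == "yes" && ro[s] == "no" && printable[s] != "yes")
                    print "[" s "]: guest ok with write access"
            }
        }
    ' "$1"
}
```

Run it as `audit_smbconf /etc/samba/smb.conf`; the article's config produces no output because [printers] is the only guest share and it is a printer.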
Mapping Groups
You need to map your unix groups to the domain groups using the ‘net’ command. The ‘net’ command is relatively new to Samba. To view a list of the commands available type ‘net view’ at the console.
net groupmap modify ntgroup="Domain Admins" unixgroup=admins
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap add ntgroup="Teachers" unixgroup=teachers
net groupmap add ntgroup="Students" unixgroup=students
The Login Script
Set up a login script named ‘logon.bat’ in the /home/samba/netlogon directory. This script MUST be in DOS format, meaning that it must have a CRLF at the end of each line as opposed to the Linux LF-only way. It is easiest to write the logon script in Notepad and put it in a share on the server, then use the ‘mv’ command to move it to the /home/samba/netlogon dir.
Oddly enough, Microsoft doesn’t include an ‘if member of group’ in the login script processor, so you need to download a DOS ‘ifmember.exe’ executable and place it in the netlogon share manually in order to perform mappings based on group membership. You can download it from here. This login script also syncs the workstation time to the server time.
TITLE Domain Login script
net time \\FS1 /set /y
net use h: /home
net use g: \\FS1\apps

:a
%logonserver%\netlogon\ifmember "teachers"
if not errorlevel 1 goto quit
net use f: \\fs1\teachers
goto quit

:quit
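The CRLF requirement above is easy to get wrong when the script is edited on the server, so here is an added helper (example code, not from the article) that does the conversion with awk and then checks the netlogon share: logon.bat in DOS format, ifmember.exe present, and nothing in the share writable by group or other, since every client executes the share's contents at logon. It assumes the article's layout of /home/samba/netlogon.

```shell
#!/bin/sh
# Added example, not code from the article. Assumes the netlogon directory
# holds logon.bat and ifmember.exe as described in the text.

# is_dos FILE -> exit 0 if every line of FILE ends in CRLF, 1 otherwise
is_dos() {
    awk '!/\r$/ { bad++ } END { exit (bad > 0) }' "$1"
}

# to_dos SRC DST -> write SRC to DST with CRLF endings. Idempotent: an
# existing CR is stripped before CRLF is appended, so no "\r\r\n" results.
to_dos() {
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' "$1" > "$2"
}

# check_netlogon DIR -> prints each problem found; exit status = their count
check_netlogon() {
    dir=$1; problems=0
    if [ ! -f "$dir/logon.bat" ]; then
        echo "missing $dir/logon.bat"; problems=$((problems + 1))
    elif ! is_dos "$dir/logon.bat"; then
        echo "$dir/logon.bat has LF-only lines; Windows will not run it correctly"
        problems=$((problems + 1))
    fi
    # logon.bat calls %logonserver%\netlogon\ifmember, so the binary must be here
    if [ ! -f "$dir/ifmember.exe" ]; then
        echo "missing $dir/ifmember.exe (the teachers drive mapping needs it)"
        problems=$((problems + 1))
    fi
    # every client executes this share's contents at logon, so nothing in it
    # may be writable by group or other (ls -ld column 1 looks like -rwxrwxrwx)
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        set -- $(ls -ld "$f")
        case $1 in
            ?????w*|????????w*)
                echo "$f is group- or world-writable ($1)"
                problems=$((problems + 1)) ;;
        esac
    done
    return $problems
}
```

After copying the files in, run `to_dos logon.bat /home/samba/netlogon/logon.bat` and then `check_netlogon /home/samba/netlogon`; a zero exit status means the share is ready.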
Workstation Policies
Policies allow an administrator to ‘lock down’ a workstation. For instance, with policies the administrator and teachers can have access on the workstations to change control panel settings and add new programs, while students can be denied access to the control panel, display settings, command prompt, etc.
Use ‘poledit.exe’ to create an ‘ntconfig.pol’ permissions file and place it in the \\server\netlogon share. This file will contain the permissions for the ‘Domain Admins’, ‘Teachers’, and ‘Students’ groups. Poledit.exe is available from the NT Resource Kit (from http://www.microsoft.com), but in order to support XP workstations, custom control files (called ADM files) need to be downloaded and loaded into the Poledit utility. The custom ADM files can be downloaded from http://www.snipes.org/admfiles.zip.
Importing Workstations
In order to import the Windows 2000/XP workstations into your new Samba domain, you MUST add the following registry entries to the workstation. The easiest way is to save the following text as a file called ‘samba.reg’ and then double-click it to run it from the workstation.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
After rebooting, right-click on the ‘My Computer’ icon and choose Properties. On the resulting screen change the computer from Workgroup to Domain and enter an administrator username and password (i.e. a user that is in the ‘Domain Admins’ group). You will be thanked for joining and you will be told to reboot.
Finishing Thoughts
Setting up Samba can be a very interesting adventure but well worth the effort. Once the basics are understood, a new lab can be set up in just a couple of hours and should require very little maintenance. There are many online references for Samba. I suggest going to your closest Samba mirror via http://www.samba.org and looking at the documentation section for further info.
About the Author:
Brian Snipes’ Certifications: RHCE, LCP, MCNE, MCP, CCNA. Brian is the President of Dynamic Network Integrations, Inc.
Thanks for this, so useful article, on Samba 3.x. I had some hard times after I upgraded from 2.x to 3.x. Now, I hope I’ll resolve all my problems. 🙂
Did the “server schannel” and/or “server signing” options not make signorseal (or whatever the feature is called) work? The man page (http://au1.samba.org/samba/docs/man/smb.conf.5.html) says that setting the “server schannel” option to no means that the registry patch needs to be applied on the clients.
I’ve been running Samba with XP clients (part of a domain, that my server is also a member of, that I don’t have administrative control over) for a while now, and I’ve never had a problem with Sign or Seal not working.
http://sloppyadm.sourceforge.net (I know the page hasn’t been updated for a while, but right now there are no known bugs (other than #TODOs in the code)) for mixed linux/windows networks. (right now some things are gentoo client specific, but there is redhat/apt-get support in there.)
Bug reports are appreciated.
chmod 775 /home/samba/teachers
…
directory mask = 0775
Well, in order to disallow users (of group “teachers” here) to just remove the whole dir, maybe by mistake… I’d set the “sticky” bit on it, i.e.:
chmod 1775 /home/samba/teachers
directory mask = 1775
But while we’re at it, since Linux supports “inheritance” of the GID bit on files when a directory is setgid, why not use that, like:
chmod 3775 /home/samba/teachers
directory mask = 3775
And when using a filesystem that supports it (such as ext2 or ext3) you can set the immutable attribute on it, as well:
chattr +i /home/samba/teachers
Furthermore, the 2.6.x kernel series support POSIX ACLs and Samba 3.x can translate that to MS-Windows ACLs in such a way that the Linux box would look very much like a NT server… (From the perspective of a “Windows Explorer” session on the client.)
http://www.bluelightning.org/linux/samba_acl_howto/
http://networking.earthweb.com/netsysm/article.php/10954_3077971_1
Kernel 2.4.x can be patched to support it, BTW:
http://acl.bestbits.at/
Have fun …
Great article… learned a few things I didn’t know before. Any chance you would do one with integrating LDAP?
Correction, leave alone the directive:
directory mask = 0775
That was stupid of me, heh. The rest of that post seems ok though. (It must be weekend or something … :-))
@OP
Instead of:
%logonserver%\netlogon\ifmember "teachers"
One could probably do something like:
net user “%username%” /domain |find /i “teachers” >nul
Or maybe, the other way around:
net group “teachers” /domain |find /i “%username%” >nul
(You may have to test for some other errorlevel then BTW.)
IIRC there is a “whoami” command in NT, maybe of interest.
What can I use the Samba server for?
It’s not like Active Directory where you can set permissions on how their Windows should behave; is that what LDAP is used for?
Very nice tutorial. 🙂 Lots of details, even though there is a lack of screenshots, I found this article very useful. Kudos! Good job!
Funny that you mention that… I have a client that is looking at migrating from Win2K servers and Exchange and I am looking into Samba with LDAP. http://LDAPAdmin.sf.net looks like a very good answer for management of a Samba/LDAP system. If this comes about I will send my results to OSNews for article consideration. There is an excellent article on Mandrake’s website on actually setting up Samba and LDAP if you are using the Mandrake distro.
Brian
Cost savings would be the primary reason for setting up a Samba server as opposed to a Linux or NetWare server for file and printer sharing. It also has some useful features not found on either Windows or NetWare – ‘veto files’ to disallow certain file types being the best example.
Using poledit is just like using Group Policies to restrict users from changing key settings on their workstations. This is especially useful in a school environment where you don’t want the students to change things like the screensaver or desktop colors.
Brian
I know there was a ‘whoami’ on NetWare but didn’t know that it was available in NT. The ‘ifmember.exe’ file is pretty small but I like the way Novell does login scripts better. I wonder if you could load an alternative shell processor at the top of a login script….
Brian
What I wish is for a Linux distro to come out that focuses on using ldap/acls/samba/nfs/etc… already set up when you install it. A distro that does the initial ldap configuration with you during installation. I want a tool to use like Novell’s nwadmn32 for adding users and setting up file permissions; basically I want to see the entire network on a tree and be able to administrate accordingly (even if I am doing said administration through a web page).
Setting up an ldap server manually is a pain in the arse for someone who has never done it before (and I was following a howto, it just didn’t work exactly with the distro I was trying it on. Finally got it to work, decided to go back to /etc/passwd because of far less headache).
I don’t want to have to wait on Novell making NetWare Linux for this to happen.
Ophidian
I agree. I would willingly pay for a distro that had a nice admin utility for Windows and Linux (similar to LDAPAdmin and NetWare Administrator). It would need to be able, upon installation, to join an existing system and provide login credentials on its own via its copy of the network directory – not by forwarding them to one master server. Administration of the system must be easier to make inroads in businesses. Webmin is full featured but NWAdmin beats most (if not all) utils for User and Group administration.
Brian
What can I use the Samba server for?
It’s not like Active Directory where you can set permissions on how their Windows should behave; is that what LDAP is used for?
Samba servers can be standalone Windows file sharing servers, Windows file sharing servers as part of an NT domain, NT domain controllers, and Windows file sharing servers as part of an Active Directory (native mode) domain. They cannot be an Active Directory domain controller, and cannot currently function as part of a non-Active Directory Kerberos realm in combination with an LDAP server. They can, however, retrieve user account information from an LDAP server, just not if those accounts have their passwords stored in an MIT Kerberos KDC.
What I wish is for a Linux distro to come out that focuses on using ldap/acls/samba/nfs/etc… already set up when you install it. A distro that does the initial ldap configuration with you during installation. I want a tool to use like Novell’s nwadmn32 for adding users and setting up file permissions; basically I want to see the entire network on a tree and be able to administrate accordingly (even if I am doing said administration through a web page).
This distro is called Mac OS X Server. Apple has integrated all of these components together (OpenLDAP, Samba, Kerberos, NFS, etc) and slapped an easy to use admin GUI on them called Workgroup Manager. It works really well out of the box. It works in such a way that your users can use the same name/pw to securely log into Linux, Mac OS X, and Windows clients and have their files and settings follow them wherever they go. (It translates between the roaming profile on Windows, and an NFS network home directory for OS X, *NIX.) Really quite amazing; the Windows clients see it as an NT domain controller and the Linux and OS X clients see it as an LDAP/Kerberos server. Best part, no client access licenses.
Now you’re forcing me to look at Mac OS X and expand my horizons… which apparently needs to be done. Thanks!
Brian
Whoa, nice. I have never looked at OS X Server (never had the opportunity).
I had no clue the option existed. Thanks for the info.
Brian
Easy, with the program unix2dos:
$ unix2dos inputfile outputfile
The counterpart dos2unix also exists and might be helpful for other tasks.
Why does this guy use NT policies on Windows XP? It’s best to use Group Policy, by running gpedit.msc at the run prompt… NT policies are old news.
I’ve just set up a Samba/XP domain, and I have not needed to alter any registry settings for this. Everything worked out of the box with Samba 3 – it was great. However, this is vanilla XP, so if you are running with a further service pack things may be different.
AMSR, will you post some of your experiences w/ setting up OS X server? Or perhaps would you be willing to email me offline?
Using poledit and the modified adm files allows you to administer rights from one workstation that affect anyone that logs in to the network. I don’t want to go to every workstation and run ‘gpedit.msc’ and setup policies a hundred times for a hundred workstations. The modified adm files contain the most useful policies of gpedit and can be applied to an individual computer, an individual user, or a group of users without having to visit each pc.
Brian
Novell has a new thing out called Linux Enterprise Services which ports most of the features of Novell administration to the Linux platform, and they are going to be doing even more. They have made the commitment to have the next version of their software, to be called Open Enterprise Server, run on Linux and even have a Linux desktop available as well. Novell is going gangbusters for Linux; this is why they bought SUSE and Ximian.