Red Hat Enterprise Linux at Iowa State University

Introduction

Samba is a versatile open-source package that allows UNIX/Linux servers to provide Windows file sharing and print services to Windows clients. The release of Samba 3.0 enabled Samba servers to operate as fully integrated members of a Windows 2000 domain, including pass-through authentication using Microsoft Kerberos tickets. This guide presents an overview of the steps needed to create a Samba server for file sharing that is integrated into the IASTATE.EDU Windows domain. The notes here are based on using Red Hat Enterprise Linux, though the general idea should work with just about any current UNIX, Linux, or *BSD platform.

Getting Your Machine Ready

Install RHEL on your server. Both the Server and Desktop versions of RHEL include Samba, though RHEL Server is preferred for dedicated servers. 

It's a good idea to create a dedicated partition or logical volume to hold the data that will be served by Samba. Make sure the file system that stores the data you will be sharing via Samba is an ext3 file system.

Samba can support Access Control Lists (ACLs) for folders. In order for this to work, the back-end filesystem must be told to store ACLs. Let's assume that our disk partition is mounted as /data. You will need to mount that filesystem with the acl option turned on. Also, if you plan to use filesystem quotas, you must turn on the usrquota mount option. So, in /etc/fstab you would set the filesystem mount options as:

LABEL=/data     /data      ext3    defaults,acl,usrquota        1 2

After you add these options, you will want to remount the filesystem:

# umount /data
# mount /data
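The remount only helps if the new options actually took effect, so it is worth checking the kernel's view of the mount rather than re-reading /etc/fstab. The shell function below is an added example, not part of the original guide: it reads a /proc/mounts-style file, finds the entry for a mount point, and confirms that every requested option (here acl and usrquota) is present. The sample mounts table is constructed for a stand-alone run; on a real server pass /proc/mounts instead.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that a mounted filesystem
# carries the mount options Samba ACLs and quotas need, by reading the kernel's
# view of mounts rather than /etc/fstab (which only says what should happen).
#
# Usage: check_mount_opts MOUNTS_FILE MOUNTPOINT OPT [OPT...]
# Returns 0 when every OPT appears in MOUNTPOINT's option list, 1 otherwise.
check_mount_opts() {
    mounts="$1"; mp="$2"; shift 2
    # Field 4 of a /proc/mounts line is the comma-separated option list.
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts")
    if [ -z "$opts" ]; then
        echo "$mp: not mounted" >&2
        return 1
    fi
    rc=0
    for want in "$@"; do
        # Surround with commas so "acl" cannot match inside another option name.
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$mp: missing mount option '$want' (have: $opts)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of /proc/mounts (assumption: /data was remounted with
# acl and usrquota, /scratch was not). Use /proc/mounts on a real server.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,data=ordered 0 0
/dev/sdb1 /data ext3 rw,acl,usrquota,data=ordered 0 0
/dev/sdc1 /scratch ext3 rw,data=ordered 0 0
EOF

check_mount_opts "$SAMPLE_MOUNTS" /data acl usrquota && echo "/data: acl and usrquota are active"
```

Run it as `check_mount_opts /proc/mounts /data acl usrquota` after the remount; a non-zero exit names the option that is missing.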

Using NTP to Synchronize with the Time Server

It is essential that your server be synchronized to the same time of day as the kerberos server on the domain controllers.  To do this, we need to install the NTP daemon and configure it to point to the .iastate.edu time server:

  1. Install the NTP daemon:

    #  yum install ntp

  2. The file /etc/ntp.conf should contain the following lines (only):

    server time.iastate.edu
    restrict time.iastate.edu mask 255.255.255.255 nomodify notrap noquery

  3. Next, do a manual sync of the time:

    # rdate -s time.iastate.edu

  4. Then make ntpd start at boot time:

    # chkconfig ntpd on

  5. Then start ntpd:

    # service ntpd start



Configure Kerberos

The first step in setting up Samba correctly in the IASTATE.EDU domain is to configure Kerberos so that it talks directly to the IASTATE.EDU domain controllers. You will need to modify the file /etc/krb5.conf. Configuring Kerberos for this is pretty straightforward, actually. The lines below show a fairly typical /etc/krb5.conf configuration:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = IASTATE.EDU
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
IASTATE.EDU = {
kdc = windc1.iastate.edu:88, windc2.iastate.edu:88, windc3.iastate.edu:88, windc4.iastate.edu:88
admin_server = windc1.iastate.edu:749
}

[domain_realm]
# The domain-to-realm mappings below are very important!
# If the FQDN of your machine uses a subdomain (e.g. server1.engineering.iastate.edu)
# then you must include all of the subdomains of your machines along with the
# top-level .iastate.edu domain. Every DNS domain that your machines use must be mapped
# to the IASTATE.EDU Kerberos realm (which points to the Windows domain controllers above).

.iastate.edu = IASTATE.EDU
iastate.edu = IASTATE.EDU
.engineering.iastate.edu = IASTATE.EDU
engineering.iastate.edu = IASTATE.EDU
.yoursubdomain.iastate.edu = IASTATE.EDU
yoursubdomain.iastate.edu = IASTATE.EDU

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
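A missing [domain_realm] entry is the usual reason a host in a subdomain fails to get tickets from the IASTATE.EDU realm, and the mistake is easy to make when a file has several nearly identical lines. The shell function below is an added example (not part of the original guide): given a krb5.conf, a fully qualified hostname and the expected realm, it walks every parent domain of the host (down to the two-label top-level domain) and checks that both the "domain = REALM" and ".domain = REALM" forms are present. The function name and the sample krb5.conf are assumptions constructed for this example; the sample deliberately omits a cs.iastate.edu mapping so the failure case can be seen.

```shell
#!/bin/sh
# Added example (not part of the original guide): check that every DNS domain a
# host's FQDN belongs to is mapped to the expected Kerberos realm in the
# [domain_realm] section of a krb5.conf.
#
# Usage: check_domain_realm KRB5_CONF FQDN REALM
# Returns 0 if both "domain = REALM" and ".domain = REALM" exist for every
# parent domain of FQDN (down to the two-label top-level domain), else 1.
check_domain_realm() {
    conf="$1"; fqdn="$2"; realm="$3"
    case "$fqdn" in
        *.*) ;;
        *) echo "$fqdn is not a fully qualified name" >&2; return 1 ;;
    esac
    # Extract "key value" pairs from the [domain_realm] section only; comments
    # and every other section are ignored.
    mappings=$(awk '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[domain_realm\]/); next }
        insect && !/^[ \t]*#/ && /=/ {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
            print kv[1], kv[2]
        }' "$conf")
    rc=0
    # Drop the host label, then climb one label at a time while a dot remains.
    domain=${fqdn#*.}
    while :; do
        case "$domain" in *.*) ;; *) break ;; esac
        for key in "$domain" ".$domain"; do
            if ! printf '%s\n' "$mappings" | grep -qxF "$key $realm"; then
                echo "missing in [domain_realm]: $key = $realm" >&2
                rc=1
            fi
        done
        domain=${domain#*.}
    done
    return $rc
}

# Constructed sample krb5.conf (assumption): the mappings from the guide for
# iastate.edu and engineering.iastate.edu, with no entry for cs.iastate.edu.
SAMPLE_KRB5=$(mktemp)
trap 'rm -f "$SAMPLE_KRB5"' EXIT
cat > "$SAMPLE_KRB5" <<'EOF'
[libdefaults]
default_realm = IASTATE.EDU

[domain_realm]
# mappings as in the guide; cs.iastate.edu is deliberately absent
.iastate.edu = IASTATE.EDU
iastate.edu = IASTATE.EDU
.engineering.iastate.edu = IASTATE.EDU
engineering.iastate.edu = IASTATE.EDU

[appdefaults]
pam = {
debug = false
}
EOF

check_domain_realm "$SAMPLE_KRB5" server1.engineering.iastate.edu IASTATE.EDU && echo "server1.engineering.iastate.edu: all domains mapped"
```

On a real server run it as `check_domain_realm /etc/krb5.conf "$(hostname -f)" IASTATE.EDU`; each missing line is printed so it can be pasted into the [domain_realm] section.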

Installing the Samba Packages

If you are using RHEL 3 or 4, you will need to make sure the following packages are installed:

  1. samba
  2. samba-common
  3. samba-client
  4. samba-swat

To install the packages with up2date, do this:

# up2date -i samba samba-common samba-client samba-swat

After the packages are installed, ensure that Samba will start up automatically after a system reboot:

# chkconfig smb on
# chkconfig winbind on

Configuring LDAP

One of the trickiest aspects of integrating UNIX (or Linux) with the Windows world is unifying user and group names across all platforms. If you are going to seamlessly provide file sharing to Windows clients, it is vital that you have a uniform name space for users and groups. Fortunately, Microsoft provides an LDAP interface to the Active Directory contents that the Samba server can use.

To begin with, we must configure the Samba server to use LDAP for user and group lookups. Edit the file /etc/nsswitch.conf and change the entries for passwd and group to be:

passwd:  files ldap
group:	files ldap

Then we need to configure the Samba server as an LDAP client. The Windows domain controllers will serve as the LDAP servers. The file /etc/ldap.conf contains the LDAP settings that the nss_ldap system library uses for LDAP lookups. We will not list the entire contents of /etc/ldap.conf here; rather, we list only those lines necessary for our situation:

uri ldaps://windc4.iastate.edu ldaps://windc1.iastate.edu ldaps://windc2.iastate.edu ldaps://windc3.iastate.edu
base dc=iastate,DC=edu
ldap_version 3
binddn cn=someuser,ou=Users,ou=ENGR,dc=iastate,dc=edu
bindpw ldapP@ssw0rd
scope sub
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_filter objectclass=user
pam_password ad
ssl start_tls
ssl on
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt

Note above that the distinguished name (dn) of a user in the domain is required to "bind" queries to the LDAP server. An account name (binddn) and cleartext password (bindpw) are required(!). For this reason, the account used should be an unprivileged account that does not have login privileges.

Also note that the nss_map_ entries above tell the nss_ldap system which LDAP attributes map to which generic identifiers.


Configuring Samba

Ultimately, the way you configure Samba will depend entirely on the kinds of resources you plan to make available. There are several typical uses: 1) home directories where each user can store their files, 2) project or team shared folders with access restricted to a few users, and 3) a read-only folder for tools and the like. The configuration described below shows sample configurations for each of these scenarios.

In the sample /etc/samba/smb.conf file below, there are three shares defined: homes, projects, and tools. Each directory in homes will be mapped to a folder owned by one user. This can be used for home directories, or simply as auxiliary storage for users. The projects share will be used for shared folders owned by project teams. The tools share is a read-only share that contains software.

Sample /etc/samba/smb.conf file

# Samba config file 
#
#

# Global parameters
[global]
#unix charset = UTF8
workgroup = IASTATE
realm = IASTATE.EDU
server string = Samba 3 server
security = ADS
client ntlmv2 auth = yes
password server = windc1.iastate.edu, windc2.iastate.edu, windc3.iastate.edu, windc4.iastate.edu
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
wins server = 129.186.142.179, 129.186.142.189

# ID maps are used internally by Samba for assigning UIDs
# for users and groups that don't have UIDs defined
# in LDAP. Because the Samba server is using LDAP, it can get the UIDs for
# users. Groups in LDAP, however, do not have UIDs, so winbind needs
# a reserved range to draw from for assigning them.

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind trusted domains only = yes
idmap domains = IASTATE
idmap config IASTATE:backend = rid
idmap config IASTATE:base_rid = 1000
idmap config IASTATE:range = 10000 - 300000

# Some useful Windows-isms
wins support = no
map hidden = no
map archive = no
map system = no

# The following option is often useful. It turns off file caching
# on the client which can be a problem for some applications.
oplocks = no

[tools]
# The path to the tools directory
path = /data/tools
# We make it read only but browseable.
read only = yes
browseable = yes
create mask = 0711
directory mask = 0711
valid users = %U
profile acls = yes
hide files = /DESKTOP.INI/desktop.ini/Desktop.ini
dos filemode = yes

[projects]
# The path to the projects folder.
path = /data/projects
read only = no
browseable = no
create mask = 0711
directory mask = 0711
valid users = %U
profile acls = yes
hide files = /DESKTOP.INI/desktop.ini/Desktop.ini
dos filemode = yes
force security mode = 0200

[homes]
# The path where the home directories live on the server.
path = /data/homes
read only = no
browseable = no
create mask = 0711
directory mask = 0711
valid users = %U
profile acls = yes
hide files = /DESKTOP.INI/desktop.ini/Desktop.ini
dos filemode = yes
force security mode = 0200
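Samba applies the parameters in a section in order, so when the same parameter is written twice the later value silently wins and the earlier line is dead; in a long smb.conf that is easy to miss and can leave a share with a different backend or mode than you intended. The shell function below is an added example, not part of the original guide or of the Samba project: it scans an smb.conf and prints "section:parameter" for each parameter defined more than once in the same section, normalising names the way Samba does (case-insensitive, internal spaces ignored). The function name and the two sample files are assumptions constructed for this example; the first sample sets the idmap backend twice in [global] and writes "read only" twice in [tools], the second is clean.

```shell
#!/bin/sh
# Added example (not part of the original guide): a small lint for smb.conf
# that reports any parameter defined more than once within the same section.
# Samba applies parameters in order, so the later definition wins and the
# earlier one is silently ignored.
#
# Usage: smbconf_duplicates SMB_CONF
# Prints "section:parameter" per duplicate; returns 1 if any were found, else 0.
smbconf_duplicates() {
    awk '
        # Section header such as [global] or [homes]: remember its name.
        /^[ \t]*\[[^]]+\][ \t]*$/ {
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            next
        }
        # Skip blank lines and comments (Samba accepts both # and ;).
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }
        /=/ {
            name = $0
            sub(/=.*/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            # Samba matches parameter names case-insensitively and ignores
            # whitespace inside them, so normalise before comparing.
            name = tolower(name)
            gsub(/[ \t]+/, "", name)
            key = section ":" name
            if (++seen[key] == 2) { print key; found = 1 }
        }
        END { exit (found ? 1 : 0) }' "$1"
}

# Constructed sample files (assumptions for this example).
SAMPLE_SMB_CONF=$(mktemp)
CLEAN_SMB_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_SMB_CONF" "$CLEAN_SMB_CONF"' EXIT
cat > "$SAMPLE_SMB_CONF" <<'EOF'
# constructed sample: the idmap backend is set twice in [global]
[global]
workgroup = IASTATE
realm = IASTATE.EDU
security = ADS
        idmap config IASTATE:backend = ad
idmap config IASTATE:backend = rid
idmap config IASTATE:range = 10000 - 300000

[tools]
path = /data/tools
read only = yes
; the same parameter again, differing only in case
Read Only = no
EOF
cat > "$CLEAN_SMB_CONF" <<'EOF'
[global]
workgroup = IASTATE
security = ADS

[homes]
path = /data/homes
read only = no
EOF

if smbconf_duplicates "$SAMPLE_SMB_CONF"; then
    echo "no duplicate parameters"
else
    echo "duplicate parameters found (listed above); the later value is the one Samba uses"
fi
```

Run `smbconf_duplicates /etc/samba/smb.conf` before `testparm`; testparm checks syntax and resolves the final values, but it does not tell you that an earlier line has been overridden.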

Joining Your Server to the Domain

Once you have a working Samba configuration file (as described above), you can join your server to the domain. To do this, use the net ads join command as follows:

#  net ads join -U {MyNetID} createcomputer="{MYOU}/{MYCONTAINER}"

where:

  {MyNetID} is your ISU NetID
  {MYOU} is the domain OU where you have permissions to create computer objects.
  {MYCONTAINER} is a container where you store the computer objects you create (typically servers).

For instance, I would use the following 'net ads join' command to join a Samba server to the IASTATE domain under the ENGR OU in the "Servers" container:


# net ads join -U ecssjedi createcomputer="ENGR/Servers"
Password: xxxxxxxx

Note that the command prompts me for my password.

Occasionally you will encounter errors when joining your machine to the domain. In particular, you may need to remove any existing .tdb files in /var/cache/samba/.

Testing If Your Server is Joined to the Domain

After you run the 'net ads join' command, you can test to see if your server is correctly joined as a domain member server:

  1. Type the command:

    # wbinfo -t

    If you get the result "checking the trust secret via RPC calls succeeded" then your machine is properly joined to the domain.

  2. Type the command:

    # wbinfo -g

    This should list all of the security groups in the domain. 

  3. Type the command:

    # wbinfo -u

    This command takes a few moments to execute, but it should list every user account in the domain.