Red Hat Enterprise Linux at Iowa State University

Introduction

Samba is a versatile open-source package that allows UNIX/Linux servers to provide Windows file sharing and print services to Windows clients. The release of Samba 3.0 enabled Samba servers to operate as fully integrated members of a Windows 2000 domain, including pass-through authentication using Microsoft Kerberos tickets. This guide presents a quick overview of the steps needed to create a Samba file server that is integrated into the IASTATE.EDU Windows domain. The notes here are based on Red Hat Enterprise Linux 3 or 4, though the general idea should work with just about any current UNIX, Linux, or *BSD platform.

Getting Your Machine Ready

Install RHEL 3 or 4 on your server. It's a good idea to create a dedicated partition or logical volume to hold the data that will be served by Samba. Also, with RHEL you will want to make an ext3 filesystem to store the data.

Samba can support Access Control Lists (ACLs) for folders. In order for this to work, the back-end filesystem must be told to store ACLs. Let's assume that our disk partition is mounted as /data. You will need to mount that filesystem with the acl option turned on. Also, if you plan to use filesystem quotas, you must turn on the usrquota mount option. So, in /etc/fstab you would set the filesystem mount options as:

LABEL=/data     /data      ext3    defaults,acl,usrquota        1 2

After you add these options, you will want to remount the filesystem:

# umount /data
# mount /data
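As an added check (not part of the original guide), this POSIX sh function verifies an fstab entry against what Samba ACLs and quotas need; the sample fstab inside it is constructed for the example.

```shell
# Added example, not from the original guide: check that the fstab entry for
# a Samba data filesystem is ext3 and carries the acl and usrquota options.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed sample /etc/fstab for the example
LABEL=/         /          ext3    defaults                     1 1
LABEL=/data     /data      ext3    defaults,acl,usrquota        1 2
LABEL=/scratch  /scratch   ext3    defaults,noacl,usrquota      1 2
EOF

# has_opt OPTS NAME: exact match within the comma-separated option list,
# so "noacl" never passes as "acl".
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# fstab_check FILE MOUNTPOINT: prints each problem found; returns 0 only when
# the entry exists, is ext3 and has both options.
fstab_check() {
    mnt="$2"
    line=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print; exit }' "$1")
    [ -n "$line" ] || { echo "$mnt: no fstab entry"; return 1; }
    fstype=$(echo "$line" | awk '{ print $3 }')
    opts=$(echo "$line" | awk '{ print $4 }')
    rc=0
    [ "$fstype" = "ext3" ] || { echo "$mnt: fstype is $fstype, expected ext3"; rc=1; }
    for want in acl usrquota; do
        has_opt "$opts" "$want" || { echo "$mnt: missing mount option '$want'"; rc=1; }
    done
    return $rc
}
```

Because /proc/mounts uses the same six-column layout, the same function run against /proc/mounts confirms the live mount after the umount/mount step.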

Installing the Samba Packages

If you are using RHEL 3 or 4, you will need to make sure the following packages are installed:

  1. samba
  2. samba-common
  3. samba-client
  4. samba-swat

To install the packages with up2date, do this:

# up2date -i samba samba-common samba-client samba-swat

After the packages are installed, ensure that Samba will start up automatically after a system reboot:

# chkconfig smb on

Configure Kerberos

The first step in setting up Samba correctly in the IASTATE.EDU domain is to configure Kerberos so that it talks directly to the IASTATE.EDU domain controllers. You will need to modify the file /etc/krb5.conf. Configuring Kerberos for this is pretty straightforward, actually. The lines below show a fairly typical /etc/krb5.conf configuration:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = IASTATE.EDU
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
IASTATE.EDU = {
kdc = windc1.iastate.edu:88
kdc = windc2.iastate.edu:88
admin_server = windc1.iastate.edu:749
}

[domain_realm]
# The domain-to-realm mappings below aren't really important for Samba;
# they're included for completeness.
.yourdomain.iastate.edu = IASTATE.EDU
yourdomain.iastate.edu = IASTATE.EDU

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Configuring LDAP

One of the trickiest aspects of integrating UNIX (or Linux) with the Windows world is unifying user and group names across all platforms. If you are going to seamlessly provide file sharing to Windows clients, it is vital that you have a uniform name space for users and groups. Fortunately, Microsoft provides an LDAP interface to the Active Directory contents that the Samba server can use.

To begin with, we must configure the Samba server to use LDAP for user and group lookups. Edit the file /etc/nsswitch.conf and change the entries for passwd and group to be:

passwd:  files ldap
group:   files ldap

Then we need to configure the Samba server as an LDAP client. The Windows domain controllers will serve as the LDAP servers. The file /etc/ldap.conf contains the LDAP configuration that the nss_ldap system library uses for LDAP lookups. We will not list the entire contents of /etc/ldap.conf here; rather, we list only those lines necessary for our situation:

HOST windc1.iastate.edu
BASE DC=engr,DC=iastate,DC=edu
URI ldap://windc1.iastate.edu/
ldap_version 3
binddn someuser@IASTATE.EDU
bindpw ldapP@ssw0rd
scope sub
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
pam_filter objectclass=user
pam_password ad

Note that to query the LDAP server, an account name and password are required. The account used should be an unprivileged account that does not have login privileges. The nss_map_ entries above tell the nss_ldap system which LDAP attributes map to which generic identifiers.


Configuring Samba

Ultimately, the way you configure Samba will depend entirely on the kinds of resources you plan to make available. There are several typical uses: 1) home directories where each user can store their files, 2) a place for project or team shared folders with access restricted to a few users, and 3) a read-only folder for tools and such. The configuration described below shows sample configurations for each of these scenarios.

In the sample /etc/samba/smb.conf file below, there are three shares defined: homes, projects, and tools. Each directory in homes will be mapped to a folder owned by one user. This can be used for home directories, or simply as auxiliary storage for users. The projects share will be used for shared folders owned by project teams. The tools share is a read-only share that contains software.

Sample /etc/samba/smb.conf file

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2004/03/09 11:39:49

# Global parameters
[global]
#unix charset = UTF8
workgroup = IASTATE.EDU
realm = IASTATE.EDU
server string = Samba 3 server
security = ADS
password server = windc1.iastate.edu, windc2.iastate.edu
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
wins server = 129.186.142.179, 129.186.142.189

# ID maps are used internally by Samba for assigning UIDs
# for users and groups that don't have UIDs defined
# in LDAP. Because the Samba server is using LDAP, it can get the UIDs for
# users. Groups in LDAP, however, do not have UIDs, so winbind needs
# a reserved range to draw from for assigning them.
idmap uid = 100000-200000
idmap gid = 100000-200000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind trusted domains only = yes
# Some useful Windows-isms
wins support = no
map hidden = no
map archive = no
map system = no

# The following option is often useful. It turns off file caching
# on the client which can be a problem for some applications.
oplocks = no

[tools]
# The path to the tools directory
path = /data/tools
# We make it read only but browseable.
read only = yes
browseable = yes
create mask = 0711
directory mask = 0711
valid users = %U
profile acls = yes
hide files = /DESKTOP.INI/desktop.ini/Desktop.ini
dos filemode = yes

[projects]
# The path to the projects folder.
path = /data/projects
read only = no
browseable = no
create mask = 0711
directory mask = 0711
valid users = %U
profile acls = yes
hide files = /DESKTOP.INI/desktop.ini/Desktop.ini
dos filemode = yes
force security mode = 0200

[homes]
# The path where the home directories live on the server.
path = /data/homes
read only = no
browseable = no
create mask = 0711
directory mask = 0711
valid users = %U
profile acls = yes
hide files = /DESKTOP.INI/desktop.ini/Desktop.ini
dos filemode = yes
force security mode = 0200
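To review a configuration like the one above without a running Samba, here is an added example (not from the original guide) of a small smb.conf auditor in sh and awk; the smb.conf it reads is a constructed sample mirroring the three shares, and the function names are my own.

```shell
# Added example, not from the original guide. smb_get FILE SECTION KEY [DEFAULT]
# prints one parameter (Samba ignores case and whitespace in parameter names,
# so does this lookup); smb_writable_shares FILE lists shares clients can write to.
SAMPLE_SMB=$(mktemp)
cat > "$SAMPLE_SMB" <<'EOF'
# constructed sample mirroring the three shares in the guide
[global]
workgroup = IASTATE.EDU
[tools]
path = /data/tools
read only = yes
[projects]
path = /data/projects
read only = no
[homes]
path = /data/homes
writable = yes
EOF

smb_get() {
    awk -v sec="$2" -v key="$3" -v def="${4:-}" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); cur = s; next }
        cur == sec {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", key)       # normalise names
            gsub(/^[ \t]+|[ \t]+$/, "", v)                       # trim the value
            if (tolower(k) == tolower(key)) { print v; found = 1; exit }
        }
        END { if (!found) print def }' "$1"
}

smb_sections() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); print s }' "$1"
}

# "read only" defaults to yes and a value in [global] is the default for every
# share; "writable"/"writeable = yes" is Samba's synonym for "read only = no".
smb_writable_shares() {
    f="$1"
    for s in $(smb_sections "$f"); do
        [ "$s" = "global" ] && continue
        ro=$(smb_get "$f" "$s" "read only" "$(smb_get "$f" global "read only" yes)")
        wr=$(smb_get "$f" "$s" writable "$(smb_get "$f" "$s" writeable no)")
        case "$(echo "$ro/$wr" | tr 'A-Z' 'a-z')" in
            no/*|false/*|0/*|*/yes|*/true|*/1) echo "$s" ;;
        esac
    done
}
```

Share names containing spaces are not handled by the word-splitting loop; on a real server, point the functions at /etc/samba/smb.conf instead of the sample.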