Sign in to follow this  
Followers 0

[Tutorial] Setting Up Samba 3.x

1 post in this topic

Posted · Report post

Found this on osnews.com

Recently I got the opportunity to setup a new lab for a small school. The server runs Linux and the workstations run WindowsXP. There are 3 levels of access on the workstations (admin, teacher, and student) and security on the workstations is based on Windows policies applied at logon.

Setting up Samba

admin - full access to workstation

teacher - almost full access to workstation - minus certain control panel functions

student - lockdown city - no network browsing, no software installation, no control panel

Workstations are joined to the Samba domain and function the same way they would in a Windows server based domain.

I will detail the steps to get a Samba lab up and running plus some caveats you may encounter.

Install Samba

This step is very distribution specific. Make sure you that the version you install is at least version 3.x and not 2.x.

Create Your Base Users And Groups

groupadd admins

groupadd teachers

groupadd students

useradd -m -s /bin/false -c "Samba Admin" -G admins administrator

useradd -m -s /bin/false -c "Samba Generic Teacher" -G teachers teacher

useradd -m -s /bin/false -c "Samba Generic Student" -G students student

smbpasswd -a administrator

smbpasswd -a teacher

smbpasswd -a student

Setup A Basic Config

a. Determine your NETBIOS server name and domain name In my example I use FS1 as the server name and 'IDOM' as the domain name. Make sure that neither contains spaces and avoiding any punctuation marks is preferable.

b. Create your share directories and permissions

mkdir /home/samba

mkdir /home/samba/netlogon

mkdir /home/samba/teachers

mkdir /home/samba/software

chgrp teachers /home/samba/teachers

chgrp admins /home/samba/software

chmod 775 /home/samba/teachers

chmod 775 /home/samba/software

c. Example config

[global]

netbios name = FS1

workgroup = IDOM

passdb backend = smbpasswd

os level = 33

preferred master = yes

domain master = yes

local master = yes

security = user

domain logons = yes

#logon path = %Nprofiles%u

logon path =

#logon drive = H:

#logon home = homeserver%uwinprofile

logon script = logon.bat

add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

# username map = /etc/samba/smbusers

admin users = @admins

printer admin = @admins

printing = cups

load printers = yes

printcap name = /etc/printcap

# print command = lp -c -d%p -oraw; rm %s

print command = lpr -l %s

# prevent mp3 files from being stored on the server

veto files = /*.mp3/*.divx/*.eml/

[homes]

comment = Home Directories

valid users = %S

browseable = No

read only = No

create mask = 0640

directory mask = 0750

[netlogon]

path = /home/samba/netlogon

read only = yes

write list = @admins

read list = @admins, @teachers, @students

[profiles]

path = /var/lib/samba/profiles

read only = no

create mask = 0600

directory mask = 0700

[printers]

comment = All Printers

path = /var/tmp

create mask = 0666

printable = Yes

guest ok = Yes

browseable = No

[print$]

comment = Printer Drivers

path = /var/lib/samba/drivers

write list = @admins, root

force group = admins

create mask = 0664

directory mask = 0775

[teachers]

comment = Shared area for teachers

path = /home/samba/teachers

valid users = @teachers

read list = @teachers

write list = @teachers

force group = teachers

read only = No

create mask = 0774

directory mask = 0775

[software]

comment = storage area for software and drivers

path = /home/samba/software

valid users = @teachers, @admins

admin users = @admins

read list = @teachers, @admins

write list = @admins

force group = admins

read only = No

create mask = 0774

directory mask = 0775

Mapping Groups

You need to map your unix groups to the domain groups using the 'net' command. The 'net' command is relatively new to Samba. To view a list of the commands available type 'net view' at the console.

net groupmap modify ntgroup="Domain Admins" unixgroup=admins

net groupmap modify ntgroup="Domain Users" unixgroup=users

net groupmap add ntgroup="Teachers" unixgroup=teachers

net groupmap add ntgroup="Students" unixgroup=students

The Login Script

Setup a login script named 'logon.bat' in the /home/samba/netlogon directory. This script MUST be in DOS format meaning that it must have a CRLF at the end of each line as opposed to the Linux LF only way. It is easiest to do the logon script in Notepad and put it in a share on the server, then use the 'mv' command to move it to the /home/samba/netlogon dir.

Oddly enough, Microsoft doesn't include an 'if member of group' in the login script processor so you need to download a DOS 'ifmember.exe' executable and place it in the netlogon share manually in order to perform mappings based on group membership. You can download it from here . This login script also syncs the workstation time to the server time.

TITLE Domain Login script

net time FS1 /set /y

net use h: /home

net use g: FS1apps

:a

%logonserver%netlogonifmember "teachers"

if not errorlevel 1 goto quit

net use f: fs1teachers

goto quit

:quit

Workstation Policies

Policies allow an administrator to 'lock down' a workstation. For instance, with policies the adminstrator and teachers can have access on the workstations to change control panel settings and add new programs while students can be denied access to the control panel, display settings, command prompt, etc.

Use 'poledit.exe' to create an 'ntconfig.pol' permissions file and place it in the servernetlogon share. This file will contain the permissions for the 'Domain Admins', 'Teachers', and 'Students' groups. Poledit.exe is available from the NT Resource Kit ( from http://www.microsoft.com ) but in order to support XP workstations, custom control files (called ADM files) need to be downloaded and loaded into the Poledit utility. The custom ADM files can be downloaded from - http://www.snipes.org/admfiles.zip .

Importing Workstations

In order to import the Windows 2000/XP workstations into your new Samba domain, you MUST run add the following registry entries into the workstation. The easiest way is to save the following text as a file called 'samba.reg' and then double-click to run it from the workstation.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParameters]

"requiresignorseal"=dword:00000000

After rebooting, right-click on the 'My Computer' icon and choose properties. On the resulting screen change the computer from Workgroup to Domain and enter an administrator username and password (ie. a user that is in the 'Domain Admins' group). You will be thanked for joining and you will be told to reboot.

Finishing Thoughts

Setting up Samba can be a very interesting adventure but well worth the effort. Once the basics are understood, a new lab can be setup in just a couple of hours and should require very little maintenance. There are many online references for Samba. I suggest going to your closest Samba mirror via http://www.samba.org and looking at the documentation section for further info.

Source: here

other Samba Tutorials:

Linux Orbit

Suse.de (german)

Nickles (german - LINUX ALS DATEI-SERVER FÃœR WINDOWS NETZE)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0