source: trunk-3.0/docs/htmldocs/Samba3-HOWTO/FastStart.html@ 101

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 2. Fast Start: Cure for Impatience</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"><link rel="start" href="index.html" title="The Official Samba-3 HOWTO and Reference Guide"><link rel="up" href="introduction.html" title="Part I. General Installation"><link rel="prev" href="install.html" title="Chapter 1. How to Install and Test SAMBA"><link rel="next" href="type.html" title="Part II. Server Configuration Basics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 2. Fast Start: Cure for Impatience</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><th width="60%" align="center">Part I. General Installation</th><td width="20%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="FastStart"></a>Chapter 2. Fast Start: Cure for Impatience</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="FastStart.html#id320338">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id320357">Description of Example Sites</a></span></dt><dt><span class="sect1"><a href="FastStart.html#id320424">Worked Examples</a></span></dt><dd><dl><dt><span class="sect2"><a href="FastStart.html#id320439">Standalone Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id322292">Domain Member Server</a></span></dt><dt><span class="sect2"><a href="FastStart.html#id323205">Domain Controller</a></span></dt></dl></dd></dl></div><p>
When we first asked for suggestions for inclusion in the Samba HOWTO documentation,
someone wrote asking for example configurations  and lots of them. That is remarkably
difficult to do without losing a lot of value that can be derived from presenting
many extracts from working systems. That is what the rest of this document does.
It does so with extensive descriptions of the configuration possibilities within the
context of the chapter that covers it. We hope that this chapter is the medicine 
that has been requested.
</p><p>
The information in this chapter is very sparse compared with the book &#8220;<span class="quote">Samba-3 by Example</span>&#8221;
that was written after the original version of this book was nearly complete. &#8220;<span class="quote">Samba-3 by Example</span>&#8221;
was the result of feedback from reviewers during the final copy editing of the first edition. It
was interesting to see that reader feedback mirrored that given by the original reviewers.
In any case, a month and a half was spent in doing basic research to better understand what
new as well as experienced network administrators would best benefit from. The book &#8220;<span class="quote">Samba-3 by Example</span>&#8221;
is the result of that research. What is presented in the few pages of this book is covered
far more comprehensively in the second edition of &#8220;<span class="quote">Samba-3 by Example</span>&#8221;. The second edition
of both books will be released at the same time.
</p><p>
So in summary, the book &#8220;<span class="quote">The Official Samba-3 HOWTO &amp; Reference Guide</span>&#8221; is intended
as the equivalent of an auto mechanic's repair guide. The book &#8220;<span class="quote">Samba-3 by Example</span>&#8221; is the
equivalent of the driver's guide that explains how to drive the car. If you want complete network
configuration examples, go to <a href="http://www.samba.org/samba/docs/Samba3-ByExample.pdf" target="_top">Samba-3 by
Example</a>.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id320338"></a>Features and Benefits</h2></div></div></div><p>
Samba needs very little configuration to create a basic working system.
In this chapter we progress from the simple to the complex, for each providing
all steps and configuration file changes needed to make each work. Please note
that a comprehensively configured system will likely employ additional smart
features. These additional features are covered in the remainder of this document.
</p><p>
The examples used here have been obtained from a number of people who made
requests for example configurations. All identities have been obscured to protect
the guilty, and any resemblance to unreal nonexistent sites is deliberate.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id320357"></a>Description of Example Sites</h2></div></div></div><p>
In the first set of configuration examples we consider the case of exceptionally simple system requirements.
There is a real temptation to make something that should require little effort much too complex.
</p><p>
<a href="FastStart.html#anon-ro" title="Anonymous Read-Only Document Server">???</a> documents the type of server that might be sufficient to serve CD-ROM images,
or reference document files for network client use. This configuration is also discussed in <a href="StandAloneServer.html" title="Chapter 7. Standalone Servers">???</a>, <a href="StandAloneServer.html#RefDocServer" title="Reference Documentation Server">???</a>.  The purpose for this configuration
is to provide a shared volume that is read-only that anyone, even guests, can access.
</p><p>
The second example shows a minimal configuration for a print server that anyone can print to as long as they
have the correct printer drivers installed on their computer. This is a mirror of the system described in
<a href="StandAloneServer.html" title="Chapter 7. Standalone Servers">???</a>, <a href="StandAloneServer.html#SimplePrintServer" title="Central Print Serving">???</a>.
</p><p>
The next example is of a secure office file and print server that will be accessible only to users who have an
account on the system. This server is meant to closely resemble a workgroup file and print server, but has to
be more secure than an anonymous access machine.  This type of system will typically suit the needs of a small
office. The server provides no network logon facilities, offers no domain control; instead it is just a
network-attached storage (NAS) device and a print server.
</p><p>
The later example consider more complex systems that will either integrate into existing MS Windows networks
or replace them entirely. These cover domain member servers as well as Samba domain control (PDC/BDC) and
finally describes in detail a large distributed network with branch offices in remote locations.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id320424"></a>Worked Examples</h2></div></div></div><p>
The configuration examples are designed to cover everything necessary to get Samba 
running. They do not cover basic operating system platform configuration, which is
clearly beyond the scope of this text.
</p><p>
It is also assumed that Samba has been correctly installed, either by way of installation
of the packages that are provided by the operating system vendor or through other means.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id320439"></a>Standalone Server</h3></div></div></div><p>
        <a class="indexterm" name="id320446"></a>
        A standalone server implies no more than the fact that it is not a domain controller
        and it does not participate in domain control. It can be a simple, workgroup-like
        server, or it can be a complex server that is a member of a domain security context.
        </p><p>
        As the examples are developed, every attempt is made to progress the system toward greater capability, just as
        one might expect would happen in a real business office as that office grows in size and its needs change.
        </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="anon-ro"></a>Anonymous Read-Only Document Server</h4></div></div></div><p>
                <a class="indexterm" name="id320475"></a>
                The purpose of this type of server is to make available to any user
                any documents or files that are placed on the shared resource. The
                shared resource could be a CD-ROM drive, a CD-ROM image, or a file
                storage area.
                </p><div class="itemizedlist"><ul type="disc"><li><p>
                        The file system share point will be <code class="filename">/export</code>.
                        </p></li><li><p>
                        All files will be owned by a user called Jack Baumbach.
                        Jack's login name will be <span class="emphasis"><em>jackb</em></span>. His password will be
                        <span class="emphasis"><em>m0r3pa1n</em></span>  of course, that's just the example we are
                        using; do not use this in a production environment because
                        all readers of this document will know it.
                        </p></li></ul></div><div class="procedure"><a name="id320519"></a><p class="title"><b>Procedure 2.1. Installation Procedure: Read-Only Server</b></p><div class="example"><a name="anon-example"></a><p class="title"><b>Example 2.1. Anonymous Read-Only Server Configuration</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id320652"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id320665"></a><em class="parameter"><code>netbios name = HOBBIT</code></em></td></tr><tr><td><a class="indexterm" name="id320677"></a><em class="parameter"><code>security = share</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[data]</code></em></td></tr><tr><td><a class="indexterm" name="id320699"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id320711"></a><em class="parameter"><code>path = /export</code></em></td></tr><tr><td><a class="indexterm" name="id320724"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id320736"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p>
                        Add user to system (with creation of the user's home directory):
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</code></strong>
</pre><p>
                        </p></li><li><p>
                        Create directory, and set permissions and ownership:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>mkdir /export</code></strong>
<code class="prompt">root# </code><strong class="userinput"><code>chmod u+rwx,g+rx,o+rx /export</code></strong>
<code class="prompt">root# </code><strong class="userinput"><code>chown jackb.users /export</code></strong>
</pre><p>
                        </p></li><li><p>
                        Copy the files that should be shared to the <code class="filename">/export</code>
                        directory.
                        </p></li><li><p>
                        Install the Samba configuration file (<code class="filename">/etc/samba/smb.conf</code>)
                        as shown in <a href="FastStart.html#anon-example" title="Example 2.1. Anonymous Read-Only Server Configuration">Anonymous Read-Only Server Configuration</a>.
                        </p></li><li><p>
                        Test the configuration file by executing the following command:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>testparm</code></strong>
</pre><p>
                        Alternatively, where you are operating from a master configuration file called
                        <code class="filename">smb.conf.master</code>, the following sequence of commands might prove
                        more appropriate:
</p><pre class="screen">
<code class="prompt">root# </code> cd /etc/samba
<code class="prompt">root# </code> testparm -s smb.conf.master &gt; smb.conf
<code class="prompt">root# </code> testparm
</pre><p>
                        Note any error messages that might be produced. Proceed only if error-free output has been
                        obtained. An example of typical output that should be generated from the above configuration
                        file is shown here:
</p><pre class="screen">
Load smb config files from /etc/samba/smb.conf
Processing section "[data]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
<strong class="userinput"><code>[Press enter]</code></strong>

# Global parameters
[global]
        workgroup = MIDEARTH
        netbios name = HOBBIT
        security = share

[data]
        comment = Data
        path = /export
        read only = Yes
        guest only = Yes
</pre><p>
                        </p></li><li><p>
                        Start Samba using the method applicable to your operating system platform. The method that
                        should be used is platform dependent. Refer to <a href="compiling.html#startingSamba" title="Starting the smbd nmbd and winbindd">Starting Samba</a>
                        for further information regarding the starting of Samba.
                        </p></li><li><p>
                        Configure your MS Windows client for workgroup <span class="emphasis"><em>MIDEARTH</em></span>,
                        set the machine name to ROBBINS, reboot, wait a few (2 - 5) minutes,
                        then open Windows Explorer and visit the Network Neighborhood.
                        The machine HOBBIT should be visible. When you click this machine
                        icon, it should open up to reveal the <span class="emphasis"><em>data</em></span> share. After
                        you click the share, it should open up to reveal the files previously
                        placed in the <code class="filename">/export</code> directory.
                        </p></li></ol></div><p>
                The information above (following # Global parameters) provides the complete
                contents of the <code class="filename">/etc/samba/smb.conf</code> file.
                </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id320872"></a>Anonymous Read-Write Document Server</h4></div></div></div><p>
                <a class="indexterm" name="id320880"></a>
                We should view this configuration as a progression from the previous example.
                The difference is that shared access is now forced to the user identity of jackb
                and to the primary group jackb belongs to. One other refinement we can make is to
                add the user <span class="emphasis"><em>jackb</em></span> to the <code class="filename">smbpasswd</code> file.
                To do this, execute:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a jackb</code></strong>
New SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong>
Retype new SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong>
Added user jackb.
</pre><p>
                Addition of this user to the <code class="filename">smbpasswd</code> file allows all files
                to be displayed in the Explorer Properties boxes as belonging to <span class="emphasis"><em>jackb</em></span>
                instead of to <span class="emphasis"><em>User Unknown</em></span>.
                </p><p>
                The complete, modified <code class="filename">smb.conf</code> file is as shown in <a href="FastStart.html#anon-rw" title="Example 2.2. Modified Anonymous Read-Write smb.conf">???</a>.
                </p><div class="example"><a name="anon-rw"></a><p class="title"><b>Example 2.2. Modified Anonymous Read-Write smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id320988"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id321000"></a><em class="parameter"><code>netbios name = HOBBIT</code></em></td></tr><tr><td><a class="indexterm" name="id321013"></a><em class="parameter"><code>security = SHARE</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[data]</code></em></td></tr><tr><td><a class="indexterm" name="id321034"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id321047"></a><em class="parameter"><code>path = /export</code></em></td></tr><tr><td><a class="indexterm" name="id321060"></a><em class="parameter"><code>force user = jackb</code></em></td></tr><tr><td><a class="indexterm" name="id321072"></a><em class="parameter"><code>force group = users</code></em></td></tr><tr><td><a class="indexterm" name="id321085"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id321097"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id321112"></a>Anonymous Print Server</h4></div></div></div><p>
                <a class="indexterm" name="id321120"></a>
                An anonymous print server serves two purposes:
                </p><div class="itemizedlist"><ul type="disc"><li><p>
                        It allows printing to all printers from a single location.
                        </p></li><li><p>
                        It reduces network traffic congestion due to many users trying
                        to access a limited number of printers.
                        </p></li></ul></div><p>
                In the simplest of anonymous print servers, it is common to require the installation
                of the correct printer drivers on the Windows workstation. In this case the print
                server will be designed to just pass print jobs through to the spooler, and the spooler
                should be configured to do raw pass-through to the printer. In other words, the print
                spooler should not filter or process the data stream being passed to the printer.
                </p><p>
                In this configuration, it is undesirable to present the Add Printer Wizard, and we do
                not want to have automatic driver download, so we disable it in the following
                configuration. <a href="FastStart.html#anon-print" title="Example 2.3. Anonymous Print Server smb.conf">???</a> is the resulting <code class="filename">smb.conf</code> file.
                </p><div class="example"><a name="anon-print"></a><p class="title"><b>Example 2.3. Anonymous Print Server smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id321195"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id321207"></a><em class="parameter"><code>netbios name = LUTHIEN</code></em></td></tr><tr><td><a class="indexterm" name="id321220"></a><em class="parameter"><code>security = share</code></em></td></tr><tr><td><a class="indexterm" name="id321232"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id321245"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id321257"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id321270"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id321292"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id321304"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id321317"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id321329"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id321342"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id321354"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><p>
                The above configuration is not ideal. It uses no smart features, and it deliberately
                presents a less than elegant solution. But it is basic, and it does print. Samba makes
                use of the direct printing application program interface that is provided by CUPS.
                When Samba has been compiled and linked with the CUPS libraries, the default printing
                system will be CUPS. By specifying that the printcap name is CUPS, Samba will use
                the CUPS library API to communicate directly with CUPS for all printer functions.
                It is possible to force the use of external printing commands by setting the value
                of the <em class="parameter"><code>printing</code></em> to either SYSV or BSD, and thus the value of
                the parameter <em class="parameter"><code>printcap name</code></em> must be set to something other than
                CUPS. In such case, it could be set to the name of any file that contains a list
                of printers that should be made available to Windows clients.
                </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
                Windows users will need to install a local printer and then change the print
                to device after installation of the drivers. The print to device can then be set to
                the network printer on this machine.
                </p></div><p>
                Make sure that the directory <code class="filename">/var/spool/samba</code> is capable of being used
                as intended. The following steps must be taken to achieve this:
                </p><div class="itemizedlist"><ul type="disc"><li><p>
                        The directory must be owned by the superuser (root) user and group:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>chown root.root /var/spool/samba</code></strong>
</pre><p>
                        </p></li><li><p>
                        Directory permissions should be set for public read-write with the
                        sticky bit set as shown:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>chmod a+twrx /var/spool/samba</code></strong>
</pre><p>
                The purpose of setting the sticky bit is to prevent who does not own the temporary print file
                from being able to take control of it with the potential for devious misuse.
                        </p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
                <a class="indexterm" name="id321457"></a>
                <a class="indexterm" name="id321466"></a>
                On CUPS-enabled systems there is a facility to pass raw data directly to the printer without
                intermediate processing via CUPS print filters. Where use of this mode of operation is desired,
                it is necessary to configure a raw printing device. It is also necessary to enable the raw mime
                handler in the <code class="filename">/etc/mime.conv</code> and <code class="filename">/etc/mime.types</code>
                files. Refer to <a href="CUPS-printing.html#cups-raw" title="Explicitly Enable &#8220;raw&#8221; Printing for application/octet-stream">???</a>.
                </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id321496"></a>Secure Read-Write File and Print Server</h4></div></div></div><p>
                We progress now from simple systems to a server that is slightly more complex.
                </p><p>
                Our new server will require a public data storage area in which only authenticated
                users (i.e., those with a local account) can store files, as well as a home directory.
                There will be one printer that should be available for everyone to use.
                </p><p>
                In this hypothetical environment (no espionage was conducted to obtain this data),
                the site is demanding a simple environment that is <span class="emphasis"><em>secure enough</em></span>
                but not too difficult to use. 
                </p><p>
                Site users will be Jack Baumbach, Mary Orville, and Amed Sehkah. Each will have
                a password (not shown in further examples). Mary will be the printer administrator and will
                own all files in the public share.
                </p><p>
                This configuration will be based on <span class="emphasis"><em>user-level security</em></span> that
                is the default, and for which the default is to store Microsoft Windows-compatible
                encrypted passwords in a file called <code class="filename">/etc/samba/smbpasswd</code>.
                The default <code class="filename">smb.conf</code> entry that makes this happen is
                <a class="indexterm" name="id321544"></a>passdb backend = smbpasswd, guest. Since this is the default,
                it is not necessary to enter it into the configuration file. Note that the guest backend is
                added to the list of active passdb backends no matter whether it specified directly in Samba configuration
                file or not.
                </p><div class="procedure"><a name="id321554"></a><p class="title"><b>Procedure 2.2. Installing the Secure Office Server</b></p><div class="example"><a name="OfficeServer"></a><p class="title"><b>Example 2.4. Secure Office Server smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id321657"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id321670"></a><em class="parameter"><code>netbios name = OLORIN</code></em></td></tr><tr><td><a class="indexterm" name="id321682"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id321695"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id321708"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id321720"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id321742"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id321754"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id321767"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id321779"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[public]</code></em></td></tr><tr><td><a class="indexterm" name="id321801"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id321813"></a><em class="parameter"><code>path = /export</code></em></td></tr><tr><td><a class="indexterm" name="id321826"></a><em class="parameter"><code>force user = maryo</code></em></td></tr><tr><td><a class="indexterm" name="id321838"></a><em class="parameter"><code>force group = users</code></em></td></tr><tr><td><a class="indexterm" name="id321851"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id321872"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id321885"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id321898"></a><em class="parameter"><code>printer admin = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id321910"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id321923"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id321935"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id321948"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id321960"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p>
                <a class="indexterm" name="id321565"></a>
                        Add all users to the operating system:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb</code></strong>
<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Mary Orville" -m -g users -p secret maryo</code></strong>
<code class="prompt">root# </code><strong class="userinput"><code>useradd -c "Amed Sehkah" -m -g users -p secret ameds</code></strong>
</pre><p>
                        </p></li><li><p>
                        Configure the Samba <code class="filename">smb.conf</code> file as shown in <a href="FastStart.html#OfficeServer" title="Example 2.4. Secure Office Server smb.conf">???</a>.
                        </p></li><li><p>
                        Initialize the Microsoft Windows password database with the new users:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a root</code></strong>
New SMB password: <strong class="userinput"><code>bigsecret</code></strong>
Reenter smb password: <strong class="userinput"><code>bigsecret</code></strong>
Added user root.

<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a jackb</code></strong>
New SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong>
Retype new SMB password: <strong class="userinput"><code>m0r3pa1n</code></strong>
Added user jackb.

<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a maryo</code></strong>
New SMB password: <strong class="userinput"><code>secret</code></strong>
Reenter smb password: <strong class="userinput"><code>secret</code></strong>
Added user maryo.

<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -a ameds</code></strong>
New SMB password: <strong class="userinput"><code>mysecret</code></strong>
Reenter smb password: <strong class="userinput"><code>mysecret</code></strong>
Added user ameds.
</pre><p>
                        </p></li><li><p>
                        Install printer using the CUPS Web interface. Make certain that all
                        printers that will be shared with Microsoft Windows clients are installed
                        as raw printing devices.
                        </p></li><li><p>
                        Start Samba using the operating system administrative interface.
                        Alternately, this can be done manually by executing:
                        <a class="indexterm" name="id322092"></a>
                        <a class="indexterm" name="id322099"></a>
                        <a class="indexterm" name="id322106"></a>
                        <a class="indexterm" name="id322115"></a>
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code> nmbd; smbd;</code></strong>
</pre><p>
                        Both applications automatically execute as daemons. Those who are paranoid about
                        maintaining control can add the <code class="constant">-D</code> flag to coerce them to start
                        up in daemon mode.
                        </p></li><li><p>
                        Configure the <code class="filename">/export</code> directory:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>mkdir /export</code></strong>
<code class="prompt">root# </code><strong class="userinput"><code>chown maryo.users /export</code></strong>
<code class="prompt">root# </code><strong class="userinput"><code>chmod u=rwx,g=rwx,o-rwx /export</code></strong>
</pre><p>
                        </p></li><li><p>
                        Check that Samba is running correctly:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>smbclient -L localhost -U%</code></strong>
Domain=[MIDEARTH] OS=[UNIX] Server=[Samba-3.0.20]

Sharename      Type      Comment
---------      ----      -------
public         Disk      Data
IPC$           IPC       IPC Service (Samba-3.0.20)
ADMIN$         IPC       IPC Service (Samba-3.0.20)
hplj4          Printer   hplj4

Server               Comment
---------            -------
OLORIN               Samba-3.0.20

Workgroup            Master
---------            -------
MIDEARTH             OLORIN
</pre><p>
                        The following error message indicates that Samba was not running:
</p><pre class="screen">
<code class="prompt">root# </code> smbclient -L olorin -U%
Error connecting to 192.168.1.40 (Connection refused)
Connection to olorin failed
</pre><p>
                        </p></li><li><p>
                        Connect to OLORIN as maryo:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>smbclient //olorin/maryo -Umaryo%secret</code></strong>
OS=[UNIX] Server=[Samba-3.0.20]
smb: \&gt; <strong class="userinput"><code>dir</code></strong>
.                              D        0  Sat Jun 21 10:58:16 2003
..                             D        0  Sat Jun 21 10:54:32 2003
Documents                      D        0  Fri Apr 25 13:23:58 2003
DOCWORK                        D        0  Sat Jun 14 15:40:34 2003
OpenOffice.org                 D        0  Fri Apr 25 13:55:16 2003
.bashrc                        H     1286  Fri Apr 25 13:23:58 2003
.netscape6                    DH        0  Fri Apr 25 13:55:13 2003
.mozilla                      DH        0  Wed Mar  5 11:50:50 2003
.kermrc                        H      164  Fri Apr 25 13:23:58 2003
.acrobat                      DH        0  Fri Apr 25 15:41:02 2003

                55817 blocks of size 524288. 34725 blocks available
smb: \&gt; <strong class="userinput"><code>q</code></strong>
</pre><p>
                        </p></li></ol></div><p>
                        By now you should be getting the hang of configuration basics. Clearly, it is time to
                        explore slightly more complex examples. For the remainder of this chapter we abbreviate
                        instructions, since there are previous examples.
                        </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id322292"></a>Domain Member Server</h3></div></div></div><p>
        <a class="indexterm" name="id322299"></a>
        In this instance we consider the simplest server configuration we can get away with
        to make an accounting department happy. Let's be warned, the users are accountants and they
        do have some nasty demands. There is a budget for only one server for this department.
        </p><p>
        The network is managed by an internal Information Services Group (ISG), to which we belong.
        Internal politics are typical of a medium-sized organization; Human Resources is of the
        opinion that they run the ISG because they are always adding and disabling users. Also,
        departmental managers have to fight tooth and nail to gain basic network resources access for
        their staff. Accounting is different, though, they get exactly what they want. So this should
        set the scene.
        </p><p>
        We use the users from the last example. The accounting department
        has a general printer that all departmental users may use. There is also a check printer
        that may be used only by the person who has authority to print checks. The chief financial
        officer (CFO) wants that printer to be completely restricted and for it to be located in the
        private storage area in her office. It therefore must be a network printer.
        </p><p>
        The accounting department uses an accounting application called <span class="emphasis"><em>SpytFull</em></span>
        that must be run from a central application server. The software is licensed to run only off
        one server, there are no workstation components, and it is run off a mapped share. The data
        store is in a UNIX-based SQL backend. The UNIX gurus look after that, so this is not our
        problem.
        </p><p>
        The accounting department manager (maryo) wants a general filing system as well as a separate
        file storage area for form letters (nastygrams). The form letter area should be read-only to
        all accounting staff except the manager. The general filing system has to have a structured
        layout with a general area for all staff to store general documents as well as a separate
        file area for each member of her team that is private to that person, but she wants full
        access to all areas. Users must have a private home share for personal work-related files
        and for materials not related to departmental operations.
        </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id322348"></a>Example Configuration</h4></div></div></div><p>
                The server <span class="emphasis"><em>valinor</em></span> will be a member server of the company domain.
                Accounting will have only a local server. User accounts will be on the domain controllers,
                as will desktop profiles and all network policy files.
                </p><div class="procedure"><div class="example"><a name="fast-member-server"></a><p class="title"><b>Example 2.5. Member Server smb.conf (Globals)</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id322428"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id322441"></a><em class="parameter"><code>netbios name = VALINOR</code></em></td></tr><tr><td><a class="indexterm" name="id322454"></a><em class="parameter"><code>security = DOMAIN</code></em></td></tr><tr><td><a class="indexterm" name="id322466"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id322479"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id322491"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id322504"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id322516"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id322529"></a><em class="parameter"><code>winbind use default domain = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id322542"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="fast-memberserver-shares"></a><p class="title"><b>Example 2.6. Member Server smb.conf (Shares and Services)</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id322579"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id322592"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id322604"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id322617"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[spytfull]</code></em></td></tr><tr><td><a class="indexterm" name="id322638"></a><em class="parameter"><code>comment = Accounting Application Only</code></em></td></tr><tr><td><a class="indexterm" name="id322651"></a><em class="parameter"><code>path = /export/spytfull</code></em></td></tr><tr><td><a class="indexterm" name="id322663"></a><em class="parameter"><code>valid users = @Accounts</code></em></td></tr><tr><td><a class="indexterm" name="id322676"></a><em class="parameter"><code>admin users = maryo</code></em></td></tr><tr><td><a class="indexterm" name="id322688"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[public]</code></em></td></tr><tr><td><a class="indexterm" name="id322710"></a><em class="parameter"><code>comment = Data</code></em></td></tr><tr><td><a class="indexterm" name="id322722"></a><em class="parameter"><code>path = /export/public</code></em></td></tr><tr><td><a class="indexterm" name="id322735"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id322756"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id322769"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id322781"></a><em class="parameter"><code>printer admin = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id322794"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id322807"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id322819"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id322832"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id322844"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p>
                        Do not add users to the UNIX/Linux server; all of this will run off the
                        central domain.
                        </p></li><li><p>
                        Configure <code class="filename">smb.conf</code> according to <a href="FastStart.html#fast-member-server" title="Example 2.5. Member Server smb.conf (Globals)">Member server smb.conf
                        (globals)</a> and <a href="FastStart.html#fast-memberserver-shares" title="Example 2.6. Member Server smb.conf (Shares and Services)">Member server smb.conf (shares
                        and services)</a>.
                        </p></li><li><p>
                        <a class="indexterm" name="id322863"></a>
                        Join the domain. Note: Do not start Samba until this step has been completed!
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>net rpc join -Uroot%'bigsecret'</code></strong>
Joined domain MIDEARTH.
</pre><p>
                        </p></li><li><p>
                        Make absolutely certain that you disable (shut down) the <code class="literal">nscd</code>
                        daemon on any system on which <code class="literal">winbind</code> is configured to run.
                        </p></li><li><p>
                        Start Samba following the normal method for your operating system platform.
                        If you wish to do this manually, execute as root:
                        <a class="indexterm" name="id322917"></a>
                        <a class="indexterm" name="id322924"></a>
                        <a class="indexterm" name="id322931"></a>
                        <a class="indexterm" name="id322937"></a>
                        <a class="indexterm" name="id322947"></a>
                        <a class="indexterm" name="id322956"></a>
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>nmbd; smbd; winbindd;</code></strong>
</pre><p>
                        </p></li><li><p>
                        Configure the name service switch (NSS) control file on your system to resolve user and group names
                        via winbind. Edit the following lines in <code class="filename">/etc/nsswitch.conf</code>:
</p><pre class="programlisting">
passwd: files winbind
group:  files winbind
hosts:  files dns winbind
</pre><p>
                        </p></li><li><p>
                        Set the password for <code class="literal">wbinfo</code> to use:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>wbinfo --set-auth-user=root%'bigsecret'</code></strong>
</pre><p>
                        </p></li><li><p>
                        Validate that domain user and group credentials can be correctly resolved by executing:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -u</code></strong>
MIDEARTH\maryo
MIDEARTH\jackb
MIDEARTH\ameds
...
MIDEARTH\root

<code class="prompt">root# </code><strong class="userinput"><code>wbinfo -g</code></strong>
MIDEARTH\Domain Users
MIDEARTH\Domain Admins
MIDEARTH\Domain Guests
...
MIDEARTH\Accounts
</pre><p>
                        </p></li><li><p>
                        Check that <code class="literal">winbind</code> is working. The following demonstrates correct
                        username resolution via the <code class="literal">getent</code> system utility:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>getent passwd maryo</code></strong>
maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false
</pre><p>
                        </p></li><li><p>
                        A final test that we have this under control might be reassuring:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>touch /export/a_file</code></strong>
<code class="prompt">root# </code><strong class="userinput"><code>chown maryo /export/a_file</code></strong>
<code class="prompt">root# </code><strong class="userinput"><code>ls -al /export/a_file</code></strong>
...
-rw-r--r--    1 maryo    users       11234 Jun 21 15:32 a_file
...

<code class="prompt">root# </code><strong class="userinput"><code>rm /export/a_file</code></strong>
</pre><p>
                        </p></li><li><p>
                        Configuration is now mostly complete, so this is an opportune time
                        to configure the directory structure for this site:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>mkdir -p /export/{spytfull,public}</code></strong>
<code class="prompt">root# </code><strong class="userinput"><code>chmod ug=rwxS,o=x /export/{spytfull,public}</code></strong>
<code class="prompt">root# </code><strong class="userinput"><code>chown maryo.Accounts /export/{spytfull,public}</code></strong>
</pre><p>
                        </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id323205"></a>Domain Controller</h3></div></div></div><p>
        <a class="indexterm" name="id323213"></a>
        For the remainder of this chapter the focus is on the configuration of domain control.
        The examples that follow are for two implementation strategies. Remember, our objective is
        to create a simple but working solution. The remainder of this book should help to highlight
        opportunity for greater functionality and the complexity that goes with it.
        </p><p>
        A domain controller configuration can be achieved with a simple configuration using the new
        tdbsam password backend. This type of configuration is good for small
        offices, but has limited scalability (cannot be replicated), and performance can be expected
        to fall as the size and complexity of the domain increases.
        </p><p>
        The use of tdbsam is best limited to sites that do not need
        more than a Primary Domain Controller (PDC). As the size of a domain grows the need
        for additional domain controllers becomes apparent. Do not attempt to under-resource
        a Microsoft Windows network environment; domain controllers provide essential
        authentication services. The following are symptoms of an under-resourced domain control
        environment:
        </p><div class="itemizedlist"><ul type="disc"><li><p>
                 Domain logons intermittently fail.
                </p></li><li><p>
                File access on a domain member server intermittently fails, giving a permission denied
                error message.
                </p></li></ul></div><p>
        A more scalable domain control authentication backend option might use
        Microsoft Active Directory or an LDAP-based backend. Samba-3 provides
        for both options as a domain member server. As a PDC, Samba-3 is not able to provide
        an exact alternative to the functionality that is available with Active Directory.
        Samba-3 can provide a scalable LDAP-based PDC/BDC solution.
        </p><p>
        The tdbsam authentication backend provides no facility to replicate
        the contents of the database, except by external means (i.e., there is no self-contained protocol
        in Samba-3 for Security Account Manager database [SAM] replication).
        </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
        If you need more than one domain controller, do not use a tdbsam authentication backend.
        </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id323270"></a>Example: Engineering Office</h4></div></div></div><p>
                The engineering office network server we present here is designed to demonstrate use
                of the new tdbsam password backend. The tdbsam
                facility is new to Samba-3. It is designed to provide many user and machine account controls
                that are possible with Microsoft Windows NT4. It is safe to use this in smaller networks.
                </p><div class="procedure"><div class="example"><a name="fast-engoffice-global"></a><p class="title"><b>Example 2.7. Engineering Office smb.conf (globals)</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id323337"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id323349"></a><em class="parameter"><code>netbios name = FRODO</code></em></td></tr><tr><td><a class="indexterm" name="id323362"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id323374"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id323387"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m %u</code></em></td></tr><tr><td><a class="indexterm" name="id323400"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r %u</code></em></td></tr><tr><td><a class="indexterm" name="id323412"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd %g</code></em></td></tr><tr><td><a class="indexterm" name="id323425"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel %g</code></em></td></tr><tr><td><a class="indexterm" name="id323438"></a><em class="parameter"><code>add user to group script = /usr/sbin/groupmod -A %u %g</code></em></td></tr><tr><td><a class="indexterm" name="id323451"></a><em class="parameter"><code>delete user from group script = /usr/sbin/groupmod -R %u %g</code></em></td></tr><tr><td><a class="indexterm" name="id323464"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u</code></em></td></tr><tr><td># Note: The following specifies the default logon script.</td></tr><tr><td># Per user logon scripts can be specified in the user account using pdbedit </td></tr><tr><td><a class="indexterm" name="id323485"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td># This sets the default profile path. Set per user paths with pdbedit</td></tr><tr><td><a class="indexterm" name="id323502"></a><em class="parameter"><code>logon path = \\%L\Profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id323514"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id323527"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id323539"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id323552"></a><em class="parameter"><code>os level = 35</code></em></td></tr><tr><td><a class="indexterm" name="id323564"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id323577"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id323589"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id323602"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id323614"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="fast-engoffice-shares"></a><p class="title"><b>Example 2.8. Engineering Office smb.conf (shares and services)</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id323651"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id323664"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id323677"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id323689"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td># Printing auto-share (makes printers available thru CUPS)</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id323714"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id323727"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id323740"></a><em class="parameter"><code>printer admin = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id323752"></a><em class="parameter"><code>create mask = 0600</code></em></td></tr><tr><td><a class="indexterm" name="id323765"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id323777"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id323790"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id323811"></a><em class="parameter"><code>comment = Printer Drivers Share</code></em></td></tr><tr><td><a class="indexterm" name="id323824"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id323837"></a><em class="parameter"><code>write list = maryo, root</code></em></td></tr><tr><td><a class="indexterm" name="id323849"></a><em class="parameter"><code>printer admin = maryo, root</code></em></td></tr><tr><td># Needed to support domain logons</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id323874"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id323887"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id323900"></a><em class="parameter"><code>admin users = root, maryo</code></em></td></tr><tr><td><a class="indexterm" name="id323912"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id323925"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td># For profiles to work, create a user directory under the path</td></tr><tr><td>#  shown. i.e., mkdir -p /var/lib/samba/profiles/maryo</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[Profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id323954"></a><em class="parameter"><code>comment = Roaming Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id323967"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id323979"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id323992"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td># Other resource (share/printer) definitions would follow below.</td></tr></table></div></div><br class="example-break"><ol type="1"><li><p>
                        A working PDC configuration using the tdbsam
                        password backend can be found in <a href="FastStart.html#fast-engoffice-global" title="Example 2.7. Engineering Office smb.conf (globals)">Engineering Office smb.conf
                        (globals)</a> together with <a href="FastStart.html#fast-engoffice-shares" title="Example 2.8. Engineering Office smb.conf (shares and services)">Engineering Office smb.conf
                        (shares and services)</a>:
                        <a class="indexterm" name="id323306"></a>
                        </p></li><li><p>
                        Create UNIX group accounts as needed using a suitable operating system tool:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>groupadd ntadmins</code></strong>
<code class="prompt">root# </code><strong class="userinput"><code>groupadd designers</code></strong>
<code class="prompt">root# </code><strong class="userinput"><code>groupadd engineers</code></strong>
<code class="prompt">root# </code><strong class="userinput"><code>groupadd qateam</code></strong>
</pre><p>
                        </p></li><li><p>
                        Create user accounts on the system using the appropriate tool
                        provided with the operating system. Make sure all user home directories
                        are created also. Add users to groups as required for access control
                        on files, directories, printers, and as required for use in the Samba
                        environment.
                        </p></li><li><p>
                        <a class="indexterm" name="id324078"></a>
                        <a class="indexterm" name="id324087"></a>
                        Assign each of the UNIX groups to NT groups by executing this shell script
                        (You could name the script <code class="filename">initGroups.sh</code>):
</p><pre class="screen">
#!/bin/bash
#### Keep this as a shell script for future re-use
                        
# First assign well known groups
net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d
net groupmap add ntgroup="Domain Users"  unixgroup=users rid=513 type=
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d

# Now for our added Domain Groups
net groupmap add ntgroup="Designers" unixgroup=designers type=d
net groupmap add ntgroup="Engineers" unixgroup=engineers type=d
net groupmap add ntgroup="QA Team"   unixgroup=qateam    type=d
</pre><p>
                        </p></li><li><p>
                        Create the <code class="filename">scripts</code> directory for use in the 
                        <em class="parameter"><code>[NETLOGON]</code></em> share:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>mkdir -p /var/lib/samba/netlogon/scripts</code></strong>
</pre><p>
                        Place the logon scripts that will be used (batch or cmd scripts)
                        in this directory.
                        </p></li></ol></div><p>
                The above configuration provides a functional PDC
                system to which must be added file shares and printers as required.
                </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id324155"></a>A Big Organization</h4></div></div></div><p>
                In this section we finally get to review in brief a Samba-3 configuration that
                uses a Lightweight Directory Access (LDAP)-based authentication backend. The
                main reasons for this choice are to provide the ability to host primary
                and Backup Domain Control (BDC), as well as to enable a higher degree of
                scalability to meet the needs of a very distributed environment.
                </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id324167"></a>The Primary Domain Controller</h5></div></div></div><p>
                        This is an example of a minimal configuration to run a Samba-3 PDC
                        using an LDAP authentication backend. It is assumed that the operating system
                        has been correctly configured.
                        </p><p>
                        The Idealx scripts (or equivalent) are needed to manage LDAP-based POSIX and/or
                        SambaSamAccounts. The Idealx scripts may be downloaded from the <a href="http://www.idealx.org" target="_top">
                        Idealx</a> Web site. They may also be obtained from the Samba tarball. Linux
                        distributions tend to install the Idealx scripts in the 
                        <code class="filename">/usr/share/doc/packages/sambaXXXXXX/examples/LDAP/smbldap-tools</code> directory.
                        Idealx scripts version <code class="constant">smbldap-tools-0.9.1</code> are known to work well.
                        </p><div class="procedure"><div class="example"><a name="fast-ldap"></a><p class="title"><b>Example 2.9. LDAP backend smb.conf for PDC</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id324384"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id324396"></a><em class="parameter"><code>netbios name = FRODO</code></em></td></tr><tr><td><a class="indexterm" name="id324409"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id324421"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id324434"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id324447"></a><em class="parameter"><code>add user script = /usr/local/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id324460"></a><em class="parameter"><code>delete user script = /usr/local/sbin/smbldap-userdel %u</code></em></td></tr><tr><td><a class="indexterm" name="id324472"></a><em class="parameter"><code>add group script = /usr/local/sbin/smbldap-groupadd -p '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id324485"></a><em class="parameter"><code>delete group script = /usr/local/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id324498"></a><em class="parameter"><code>add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id324511"></a><em class="parameter"><code>delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id324525"></a><em class="parameter"><code>set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id324538"></a><em class="parameter"><code>add machine script = /usr/local/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id324551"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id324563"></a><em class="parameter"><code>logon path = \\%L\Profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id324576"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id324588"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id324601"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id324614"></a><em class="parameter"><code>os level = 35</code></em></td></tr><tr><td><a class="indexterm" name="id324626"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id324639"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id324651"></a><em class="parameter"><code>ldap suffix = dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id324664"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id324676"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id324689"></a><em class="parameter"><code>ldap group suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id324702"></a><em class="parameter"><code>ldap idmap suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id324714"></a><em class="parameter"><code>ldap admin dn = cn=Manager</code></em></td></tr><tr><td><a class="indexterm" name="id324727"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id324740"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id324752"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id324765"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id324777"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p>
                                Obtain from the Samba sources <code class="filename">~/examples/LDAP/samba.schema</code>
                                and copy it to the <code class="filename">/etc/openldap/schema/</code> directory.
                                </p></li><li><p>
                                Set up the LDAP server. This example is suitable for OpenLDAP 2.1.x.
                                The <code class="filename">/etc/openldap/slapd.conf</code> file.
                                <a class="indexterm" name="id324233"></a>
<font color="red">&lt;title&gt;Example slapd.conf File&lt;/title&gt;</font>
</p><pre class="screen">
# Note commented out lines have been removed
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

database        bdb
suffix          "dc=quenya,dc=org"
rootdn          "cn=Manager,dc=quenya,dc=org"
rootpw          {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P
# The password for the above is 'nastyon3'

directory     /var/lib/ldap

index   objectClass     eq
index cn                      pres,sub,eq
index sn                      pres,sub,eq
index uid                     pres,sub,eq
index displayName             pres,sub,eq
index uidNumber               eq
index gidNumber               eq
index memberUid               eq
index   sambaSID              eq
index   sambaPrimaryGroupSID  eq
index   sambaDomainName       eq
index   default               sub
</pre><p>
                                </p></li><li><p>
                                Create the following file <code class="filename">initdb.ldif</code>:
                                <a class="indexterm" name="id324271"></a>
</p><pre class="programlisting">
# Organization for SambaXP Demo
dn: dc=quenya,dc=org
objectclass: dcObject
objectclass: organization
dc: quenya
o: SambaXP Demo
description: The SambaXP Demo LDAP Tree

# Organizational Role for Directory Management
dn: cn=Manager,dc=quenya,dc=org
objectclass: organizationalRole
cn: Manager
description: Directory Manager

# Setting up the container for users
dn: ou=People, dc=quenya, dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

# Set up an admin handle for People OU
dn: cn=admin, ou=People, dc=quenya, dc=org
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb
# The password for above is 'mordonL8'
</pre><p>
                                </p></li><li><p>
                                Load the initial data above into the LDAP database:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>slapadd -v -l initdb.ldif</code></strong>
</pre><p>
                                </p></li><li><p>
                                Start the LDAP server using the appropriate tool or method for
                                the operating system platform on which it is installed.
                                </p></li><li><p>
                                Install the Idealx script files in the <code class="filename">/usr/local/sbin</code> directory,
                                then configure the smbldap_conf.pm file to match your system configuration.
                                </p></li><li><p>
                                The <code class="filename">smb.conf</code> file that drives this backend can be found in example <a href="FastStart.html#fast-ldap" title="Example 2.9. LDAP backend smb.conf for PDC">LDAP backend smb.conf for PDC</a>. Add additional stanzas
                                as required.
                                </p></li><li><p>
                                Add the LDAP password to the <code class="filename">secrets.tdb</code> file so Samba can update
                                the LDAP database:
</p><pre class="screen">
<code class="prompt">root# </code><strong class="userinput"><code>smbpasswd -w mordonL8</code></strong>
</pre><p>
                                </p></li><li><p>
                                Add users and groups as required. Users and groups added using Samba tools
                                will automatically be added to both the LDAP backend and the operating
                                system as required.
                                </p></li></ol></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id324830"></a>Backup Domain Controller</h5></div></div></div><p>
                        <a href="FastStart.html#fast-bdc" title="Example 2.10. Remote LDAP BDC smb.conf">???</a> shows the example configuration for the BDC. Note that
                        the <code class="filename">smb.conf</code> file does not specify the smbldap-tools scripts  they are
                        not needed on a BDC. Add additional stanzas for shares and printers as required.
                        </p><div class="procedure"><div class="example"><a name="fast-bdc"></a><p class="title"><b>Example 2.10. Remote LDAP BDC smb.conf</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id324905"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id324918"></a><em class="parameter"><code>netbios name = GANDALF</code></em></td></tr><tr><td><a class="indexterm" name="id324930"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://frodo.quenya.org</code></em></td></tr><tr><td><a class="indexterm" name="id324943"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id324956"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id324968"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id324981"></a><em class="parameter"><code>logon path = \\%L\Profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id324994"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id325006"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id325019"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id325031"></a><em class="parameter"><code>os level = 33</code></em></td></tr><tr><td><a class="indexterm" name="id325044"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id325056"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id325069"></a><em class="parameter"><code>ldap suffix = dc=quenya,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id325082"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id325094"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id325107"></a><em class="parameter"><code>ldap group suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id325120"></a><em class="parameter"><code>ldap idmap suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id325132"></a><em class="parameter"><code>ldap admin dn = cn=Manager</code></em></td></tr><tr><td><a class="indexterm" name="id325145"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id325157"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id325170"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id325182"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id325195"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p>
                                Decide if the BDC should have its own LDAP server or not. If the BDC is to be
                                the LDAP server, change the following <code class="filename">smb.conf</code> as indicated. The default
                                configuration in <a href="FastStart.html#fast-bdc" title="Example 2.10. Remote LDAP BDC smb.conf">Remote LDAP BDC smb.conf</a>
                                uses a central LDAP server.
                                </p></li><li><p>
                                Configure the NETLOGON and PROFILES directory as for the PDC in <a href="FastStart.html#fast-bdc" title="Example 2.10. Remote LDAP BDC smb.conf">???</a>.
                                </p></li></ol></div></div></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="install.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="introduction.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="type.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 1. How to Install and Test SAMBA </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Server Configuration Basics</td></tr></table></div></body></html>