Installing Samba 3 on OpenServer 6 Kirk Farquhar, SCO Canada kirkf@sco.com - PowerPoint PPT Presentation

Slides: 93
Provided by: DeanZim

1
Installing Samba 3 on OpenServer 6
Kirk Farquhar, SCO Canada kirkf@sco.com
2
Agenda
3
What is Samba?
  • Samba is an open-source application suite that
    enables SMB/CIFS based services on Unix servers
  • SMB (Server Message Block) is the underlying
    protocol for Windows File & Print Sharing
  • Licensed under the GPL
  • Maintained by the Samba Team (12-20 people)
  • Web site for resources: www.samba.org

4
Business Benefits of Samba
  • Samba allows you to merge the resources of your
    Windows & Unix networks
  • Provides seamless access to Unix based files from
    Windows clients
  • Provides a secure & stable file server
  • Provides an upgrade path from Windows to big
    iron
  • Eliminates the need for Windows servers in
    organizations that don't require Windows Server
    based applications

5
Samba 3
  • Installation

6
OSR6-Installing from Media
  • Insert the OpenServer 6 CD
  • Start scoadmin
  • Select Software Manager, Software, Install New
  • Select From Servername
  • Select the media device CDROM 0
  • Expand SCO OpenServer Release 6.0.0
  • Expand Connectivity
  • Highlight SAMBA and click on Install
  • N.B. If Heimdal Kerberos was not installed,
    install it in the same manner.
  • Run mkdev samba

7
OSR6-Installing from Downloads
  • Download CPIO file from the SCO site to /tmp
  • Extract the VOL files
  • cat .cpio | cpio -ivcd .
  • Start scoadmin
  • Select Software Manager, Software, Install New
  • Select From Servername
  • Select the media images option and directory /tmp
  • Highlight samba and click Install
  • Run mkdev samba

8
mkdev samba
  • Run the command mkdev samba
  • Choose 1 Configure and Activate Samba
  • Enter your Windows Domain or Workgroup name
  • Accept the default machine name provided
  • If your network has a WINS server select yes and
    provide its IP address
  • If there is no WINS server on Windows this server
    can be set as a WINS server
  • Select whether you want to participate in an MS
    Domain
  • Provide the NetBIOS name of the PDC

9
mkdev samba command - Workgroup
10
mkdev samba command-Workgroup
Defaults
11
mkdev samba command-Workgroup
  • Changes made to /etc/samba/smb.conf
  • workgroup = WORKGROUP
  • netbios name = FANGORN
  • security = user
  • wins server = 192.168.0.2

12
State of Server after this mkdev samba
  • nmbd and smbd are running
  • The server is a member of the workgroup named
    WORKGROUP
  • No shares are created and only root can connect

13
mkdev samba Domain Member
14
mkdev samba Domain Member
  • Changes to /etc/samba/smb.conf
  • workgroup = ME
  • netbios name = FANGORN
  • security = domain
  • password server = RIVENDELL
  • wins server = 192.168.0.2

15
State of Server after this mkdev samba
  • nmbd and smbd are running
  • The server is a member of the domain ME
  • The only user is root/administrator
  • Shares aren't set up
  • Password backend is smbpasswd
  • Passwords are encrypted

16
  • Introduction to SWAT

17
What is SWAT?
  • SWAT: Samba Web Administration Tool
  • Included and configured by default with SCO Samba
    implementations
  • Swat will allow you to perform most Samba
    administration functions from any browser that
    can contact the server
  • Alternative to command line interfaces or
    configuring smb.conf
  • Available on port 901 by default
  • Controlled by inet and services file entry

18
Issues & Concerns with SWAT
  • Completely replaces smb.conf on each use
  • Only stores non-default settings in intermediate
    file
  • Doesn't retain set-up comments
  • Can be viewed as a security risk
  • Never run in demo mode
  • Never run outside firewalls
  • Doesn't like some passwords

19
SWAT Connection Login
Use your browser to connect to http://192.168.0.4:901
20
SWAT HomePage
  • Primary use of the home page is to access the docs

21
SWAT Screens -
  • Allows you to set all Global variables that
    control the server's behaviour
  • Server Type
  • Security Settings
  • Master Browser status participation
  • WINS Options

22
SWAT Screens -
  • Allows you to configure File Shares on the
    Server, including the specific permissions and
    performance modifiers for the shares.

23
SWAT Screens -
Allows you to set-up the Unix printers to be
shared by the server and to configure the
printing and security options for those printers
24
SWAT Screens -
This screen allows you to re-write the smb.conf
file and easily re-set the Server type, WINS
status and basic security access. Probably the
first screen you'll use, but this is very
dangerous as it can undo much configuration work.
25
SWAT Screens -
Displays current status of the Samba Server
including active connections. Can be used to
shut-down or restart the server.
26
SWAT Screens -
View the current smb.conf file. Note: you cannot
change the file here. By default shows only the
non-default entries you've created for the file.
The Full View option shows the entire smb.conf
file.
27
SWAT Screens -
Add, enable and disable users as well as
resetting passwords for users.
28
  • Files & Directories

29
Files & Directories
  • /etc/samba
  • smb.conf: primary Samba configuration file
  • lmhosts: file of NetBIOS host names & IP
    addresses
  • secrets.tdb: holds SID information
  • smbusers: maps Unix to Windows account names
  • smbpasswd: equivalent to the Unix password file
  • smbstab: info about file & print shares
  • /usr/sbin
  • Daemons: smbd and nmbd
  • /usr/bin
  • Executables: testparm, smbnet, etc.

30
smb.conf file
  • The smb.conf file contains all non-default
    entries you make to configure the Samba server
  • Other entries are automatically set to defaults
    by Samba
  • Re-read on each new connection and every 60
    seconds
  • Rebuilt dynamically if you use SWAT

31
S99smbd & S99nmbd
  • Located in /etc/rc2.d, linked to smb & nmb in
    /etc/init.d
  • Created by mkdev samba or you can manually create
    links
  • /etc/init.d/smb enable, /etc/init.d/nmb enable
  • Starts and stops daemons
  • Syntax
  • /etc/rc2.d/S99smbd start|stop|restart|enable|disable
  • /etc/rc2.d/S99nmbd start|stop|restart|enable|disable
  • Can be modified to change location of Samba files
  • Attempts to delete PID files and starts smbd and
    nmbd

32
Daemons
  • Located in /usr/sbin
  • smbd
  • tcp/ip daemon handles all file and print requests
    as well as authentication and security
  • nmbd
  • Handles name look-up and resolution and manages
    network browsing
  • Handles all UDP traffic
  • smbd will not work without nmbd

33
Using testparm
  • Utility to test syntax of smb.conf file
  • Located in /usr/lib/samba/bin
  • Usage
  • testparm (-v) (smb.conf file location)
  • By default only lists changes you've made
  • The -v option will show all defaults added by
    Samba
  • Giving smb.conf file location lets you test
    multiple files
  • Besides displaying data, does a very simple syntax
    check. Note: this doesn't guarantee your server
    will work

34
  • Configuring Your Server

35
Configuring the Samba Server
  • Decisions to be made
  • Do you have an existing Windows Network?
  • Is it a Workgroup or Domain?
  • If a Domain, what security profile?
  • What type of Server will this be?
  • What Security Mode do you want?
  • Will you join an existing Workgroup or Domain?
  • Do you have a Windows Domain?
  • Do you use Active Directory?
  • Is the Samba Server to be a Domain Controller?
  • Are Unix userids and network ids to be the same?
  • What type of clients will you have, Win95, Win2K?

36
Prerequisites
  • You need to have a running network interface
  • DNS should be configured
  • Optionally use /etc/hosts
  • Test with ping & nslookup
  • If joining an AD domain DNS should probably be
    running from the Win2K server
  • i.e. nslookup fangorn.me.local returns
    192.168.0.4
  • nslookup 192.168.0.4 should return
    fangorn.me.local
  • Apache is necessary for SWAT to function
  • Other smb services must not be operating (AFPS &
    VFS)
  • Ports 137,139, and 901 must be available

37
Windows Networking Issues
  • Existing Win2K Domains with AD need to be
    configured with a Domain Functional Level of
  • Windows 2000 Mixed
  • This allows servers using NT4 style Domain
    functionality to participate in the Domain
  • Or Native
  • This allows for native AD authentication using
    Kerberos; this will require the Heimdal modules

38
Server Types
  • Stand-alone Server
  • A stand-alone server is a Workgroup member, but
    does not participate in Domain Security. Domain
    members may access it using local authentication.
  • Domain Member Server
  • A Domain Member Server participates in a Domain
    and provides for a Single Sign-on Environment
  • Domain Controller
  • Acts as either a Primary or Back-up Domain
    Controller

39
Security Levels
  • User Security
  • Security = user
  • Client sends session request as username/password
  • Server checks user and hostname only since no
    share info is available
  • Once authenticated client expects to be able to
    mount shares with a tree connection without
    further authentication
  • Client can send multiple session requests and
    gets a separate UID for each
  • Share Security
  • Security = share
  • Each tree connection request has a password
    submitted
  • Unlike NT, Unix needs a username/password combo
  • Samba will try to resolve a username by checking
    the PW against possible users
  • Not recommended; may create problems with newer
    Win Clients
  • Primarily to support legacy implementations
    Win9?

40
Security Levels
  • Domain Security (NT4 Domains)
  • Security = Domain
  • Workgroup = ME
  • Encrypt Passwords = Yes
  • Server has a trust account on the domain server
    gotcha!
  • Authentication requests passed to domain server
    to be resolved
  • You must join a domain after Samba is started (
    you only need to do this once)
  • As root execute
  • /usr/lib/samba/bin/smbnet rpc join -U
    Administrator%adminpw
  • You must have a standard Unix user account for
    each user of the server or define acceptable
    users by share
  • Populate /etc/passwd with
  • /usr/lib/samba/bin/smbnet rpc vampire -S
    pdcnbname -U administrator%pw

41
Security Levels
  • Domain Security (Native AD Domains)
  • Security = Domain
  • Workgroup = ME
  • Encrypt Passwords = Yes
  • Server has a trust account on the domain server
    gotcha!
  • Authentication requests passed to domain server
    to be resolved
  • You must join a domain after Samba is started (
    you only need to do this once)
  • As root execute
  • /usr/lib/samba/bin/smbnet rpc join -U
    Administrator%adminpw
  • You must have a standard Unix user account for
    each user of the server or define acceptable
    users by share
  • Populate /etc/passwd with
  • /usr/lib/samba/bin/smbnet rpc vampire -S
    pdcnbname -U administrator%pw

42
Security Levels
  • Server Security
  • smb.conf entries needed
  • Security = Server
  • Encrypt passwords = yes
  • Password Server = nbnameofserver
  • Variation of user level security; client
    thinks this is user level
  • When the server gets a session setup request it
    uses the username/password combo to try to login
    to the password server
  • Requires a standard Unix user account on the
    Samba Server
  • You may want to block shell connections for this
    account
  • May cause account lockouts on servers for failed
    authentications
  • If the PW server shuts down, Samba won't work

43
  • Setting Up a Standalone Server

44
Setting up a Stand-alone Server -
  • In the Globals Screen
  • Define your Workgroup name
  • Define the netbios name
  • Set security level
  • Set Encrypted Passwords to Yes
  • Set Password Backend to smbpasswd
  • Commit changes

45
Setting up a Stand-alone Server -
  • In the Wizard Screen
  • Select Stand-alone Server
  • Configure WINS Server
  • Expose Home Dirs?
  • Commit changes

46
Create Machine Accounts for Workstations
  • You need to create machine accounts for
    workstations running W2K or above
  • Create a Unix Group machines
  • groupadd machines
  • Add an account for each machine
  • useradd -g machines -d /var/nobody -c "Kirk's Workstation" -s /bin/false bilbo$
  • Note the $ at the end of the machine name

47
Add Users -
  • In the Password Screen
  • Add users
  • Set passwords to match Windows PW
  • Click Add New User for each user
  • Click Enable User

48
Setting up a Stand-alone Server -
  • In the Status screen
  • Click on Restart All to shutdown and restart the
    Server
  • From a windows Workstation go to My Network
    Places, and select
  • Entire Network,
  • Microsoft Windows Network
  • Your Domain
  • Your Samba Server
  • To display current shares.

49
smb.conf Entries
  • Security = User
  • Workgroup = SCO
  • Encrypted Passwords = Yes
  • Password Backend = smbpasswd

50
Check Access to Resources
51
Try to Access Resources
52
Try to Access Resources
53
  • Setting Up a Domain Member Server

54
Setting up a Domain Member
  • In the Globals screen
  • Add the Domain name in the Workgroup field
  • Add the Server's name in the NetBIOS name Field
  • Set Security to DOMAIN
  • Commit changes

55
Setting up a Domain Member
  • In the Wizard screen
  • Jump to Parameter Edit
  • Configure the Server Type as Domain Member
  • Configure WINS as Client of another Server
  • Set security = Domain
  • Set the IP address of your primary WINS Server
  • Expose Home Dirs?
  • Commit changes

56
Setting up a Domain Member
  • In the Status screen
  • Click on Restart All to shutdown and restart the
    Server
  • At a Unix prompt as root run the command
  • /usr/bin/smbnet rpc join -U administrator%password
  • From a windows Workstation go to My Network
    Places, and select
  • Entire Network,
  • Microsoft Windows Network
  • Your Domain
  • Your Samba Server
  • To display current shares.

57
smb.conf Entries
  • [global]
  • workgroup = ME
  • server string = Fangorn Samba 3 Server
  • interfaces = net0, lo0
  • bind interfaces only = Yes
  • security = DOMAIN
  • password server = rivendell
  • log file = /var/log/samba/log.%m
  • max log size = 50
  • dns proxy = No
  • wins server = 192.168.0.2
  • [homes]
  • comment = Home Directories
  • read only = No
  • browseable = No
  • [printers]
  • comment = All Printers
  • path = /usr/spool/samba
  • printable = Yes
  • browseable = No

58
ADS Authentication Globals Screen
  • Essentially same as a domain member, but
  • Add realm
  • Set Security to ADS

59
ADS Authentication Wizard Screen
  • The wizard should pick up correct changes from
    the Globals commit
  • Note addition of realm

60
Changes to the Globals section of smb.conf
  • [global]
  • workgroup = ME
  • realm = ME.LOCAL
  • server string = Fangorn Samba 3 Server
  • interfaces = net0, lo0
  • bind interfaces only = Yes
  • security = ADS
  • password server = rivendell
  • log file = /var/log/samba/log.%m
  • max log size = 50
  • dns proxy = No
  • wins server = 192.168.0.2

61
Getting Kerberos to Work
  • To authenticate natively to AD you need kerberos
    services to work
  • In smb.conf Globals section we need
  • security = ADS (use AD for Authentication)
  • realm = ME.LOCAL (the realm is your local DNS
    domain name)
  • password server = RIVENDELL (NetBIOS name of the
    Windows PDC)
  • SID must be correct
  • If errors show in SID use
  • smbnet getlocalsid domainname
  • smbnet setlocalsid S-1-5-21-x-y-z
  • Run smbnet ads status -U administrator (you
    should get a big dump of data)
  • Re-run smbnet ads join -U administrator

62
  • Sharing Directories

63
Sharing Directories
  • In SWAT Shares screen
  • Enter a new share name click on Create Share

64
Sharing Directories
  • Fill in options for this share
  • Optionally
  • Add special user conditions
  • Turn on/off Guest Access
  • Control host access
  • Set Browseable
  • NB- blank entry for valid users means anyone can
    access the share
  • If hosts are allowed then only those hosts are
    allowed
  • Click on Commit Changes when done

65
smb.conf Entries
  • This will create a section in smb.conf for this
    share
  • [U Filesystem]
  • path = /u
  • valid users = kirk, @Administrators
  • hosts deny = 192.168.0.5

66
  • Sharing Unix Printers

67
Configuring the Print Server
  • By default Samba will load all of the printers in
    the /etc/printcap file
  • This is done by the Global option Load
    Printers = yes
  • Printing mode is sysv
  • Optionally on Legend you can use CUPS
  • In the Globals screen/Advanced View you can set
    print spooler options (defaults work well)

68
Sharing all printers
  • In the Printers tab
  • Choose printers
  • Note Browseable option
  • Set Hosts to Allow & Deny

69
Adding a Specific Printer
  • Enter Printer Name
  • Click on Create Printer
  • Make printer specific settings
  • Set Browseable to Yes
  • Commit changes

70
Accessing the Printer from Windows
  • To use this printer from Windows
  • Start
  • Printers
  • Add a Printer
  • Choose a Network Printer
  • Choose connect to this Printer
  • (leave name blank)
  • Drill down to printer

71
  • Setting Up Windows Clients

72
Configuring the Windows Clients
  • From the Control panel select Networking-Local
    Area Connection
  • Select Properties
  • Ensure File & Print Sharing for Microsoft
    Networks is installed
  • Select Internet Protocol (TCP/IP) and then
    Properties

73
Configuring the Windows Clients
  • Select Control Panel-System
  • Choose the Network Identification Wizard (Network
    ID button) and enter your machine name and Domain
    Name or Workgroup
  • You will be prompted for an admin user name and
    password on the domain controller

74
Configuring the Windows Clients
  • If using DHCP select Obtain Address
    Automatically
  • Otherwise populate all fields
  • Select the Advanced tab

75
Configuring the Windows Clients
  • If not using DHCP you must add the IP Address and
    Gateway
  • Likewise, DHCP will automatically add DNS & WINS
    information

76
Configuring the Windows Clients
  • If not using DHCP, populate the DNS & WINS screens

77
Configuring Windows Clients
  • From the Desktop
  • -My Network Places
  • -Microsoft Windows Network
  • Choose your Domain (ME)
  • The Samba Server should be displayed (FANGORN)
  • Expand the Server and Shares should appear
  • Double click on the Server's name to see Shares
  • Alt-click on a Share to consume it
  • Double click on it to Browse

78
  • Using Windows Resources

79
Using smbclient
  • smbclient is a CIFS client that allows the Samba
    system to consume resources from other CIFS
    servers
  • Usage: [-?EgVNkP] [--usage] [-R
    NAME-RESOLVE-ORDER] [-M HOST] [-I IP] [-L HOST]
    [-t CODE] [-m LEVEL] [-T<c|x>IXFqgbNan] [-D DIR]
    [-c ARG] [-b BYTES] [-p PORT] [-d DEBUGLEVEL] [-s
    CONFIGFILE] [-l LOGFILEBASE] [-O SOCKETOPTIONS]
    [-n NETBIOSNAME] [-W WORKGROUP] [-i SCOPE] [-U
    USERNAME] [-A FILE] [-S on|off|required] service
    <password>

80
smbclient - L
  • Use to list shared resources on a server
  • rohan smbclient -L bilbo
  • Password:
  • Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
  • Sharename       Type   Comment
  • ---------       ----   -------
  • E$              Disk   Default share
  • IPC$            IPC    Remote IPC
  • D$              Disk   Default share
  • downloads       Disk
  • ADMIN$          Disk   Remote Admin
  • C$              Disk   Default share
  • ExchangeData    Disk
  • Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
  • Server          Comment
  • ---------       -------

81
Accessing Windows Files
  • Use smbclient to connect to a File Share and get
    an FTP-like interface
  • rohan smbclient //bilbo/downloads -Ukirk
  • Password:
  • Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
  • smb: \>
  • At the smb prompt you can use commands similar to
    FTP: cd, dir, get, mget etc.

82
Listing Files
  • rohan smbclient //bilbo/downloads -Ukirk
  • Password:
  • Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
  • smb: \> dir
  • .                               D          0  Mon May 30 14:46:16 2005
  • ..                              D          0  Mon May 30 14:46:16 2005
  • AdbeRdr60_enu_full.exe          A   16706160  Wed Apr 13 16:40:49 2005
  • bilbo01_1024x768.jpg            A     317087  Tue Jul 6 12:59:22 2004
  • casedge                         D          0  Tue Nov 30 16:20:08 2004
  • genica                          D          0  Tue Nov 30 14:26:54 2004
  • gn788.zip                       A     565618  Thu Oct 14 14:58:33 2004
  • ISA2004Enterprise.iso           A  114960384  Sun Apr 24 18:50:35 2005
  • iTunesSetup.exe                 A   21904216  Mon May 30 14:46:16 2005
  • ppviewer.exe                    A    1951432  Wed Apr 13 16:26:26 2005
  • Product_Training_April_v_4.ppt  A    4551680  Wed Apr 13 16:30:37 2005
  • RealPlayer10-5GOLD.exe          A   10827296  Thu Apr 21 23:25:11 2005
  • RiskFilter_403.ISO              A  376932352  Mon Jan 10 15:21:51 2005
  • threatdetector.exe              A   17345027  Mon May 16 16:02:34 2005
  • W2KSP2.exe                      A  106278016  Tue Nov 30 16:33:23 2004

83
Getting a file
  • smb: \> cd casedge
  • smb: \casedge\> dir
  • .                 D         0  Tue Nov 30 16:20:08 2004
  • ..                D         0  Tue Nov 30 16:20:08 2004
  • audio             D         0  Tue Nov 30 16:23:03 2004
  • audio_0050.exe    A  19342431  Tue Nov 30 16:22:32 2004
  • lan               D         0  Tue Nov 30 14:19:29 2004
  • usb               D         0  Tue Nov 30 14:21:29 2004
  • video             D         0  Tue Nov 30 14:20:39 2004
  • 51740 blocks of size 524288. 44090 blocks available
  • smb: \casedge\> cd video
  • smb: \casedge\video\> dir
  • .                 D         0  Tue Nov 30 14:20:39 2004
  • ..                D         0  Tue Nov 30 14:20:39 2004
  • autorun.inf       A        34  Thu Jul 11 16:07:42 2002
  • Graphics          D         0  Tue Nov 30 14:20:39 2004
  • ReadMe.txt        A     27090  Thu Jul 11 18:02:00 2002

84
Using a Printer
  • Configure CUPS printing on the Unix Server
  • Use smbclient -L servername to identify the
    sharename of the available printers
  • Create a PPD file for the Windows printer
  • Install the printer to CUPS
  • As root: lpadmin -p winprinter -v smb://frodo/psc2200 \
    -P /path/to/PPDfile

85
  • Special Considerations

86
Special Considerations
  • Real Time updates of smb.conf
  • The smb.conf file is reread on each new
    connection and every 60 seconds
  • Manually changing smb.conf can interrupt existing
    connections
  • Sharing datafiles with Windows & Unix Apps
  • By default Samba enables Opportunistic locking
    for local data caching
  • This should only be used where shares are used
    exclusively
  • In the Globals-Advanced View-Locking set the
    oplocks and level2 oplocks to No
  • You can also disable oplocks on a per share basis
    in Shares-Share Properties-Advanced-Locking

87
Securing your Samba Server
  • If possible Samba servers should be behind the
    firewall
  • Host-Based Protection
  • You can restrict access to certain systems in the
    Globals-Host Allow/Deny options to create entries
  • hosts allow = 127.0.0.1, 192.168.0.0/24
  • hosts deny = 0.0.0.0/0
  • These entries allow access only from the local
    host and the 192.168.0 net and deny everyone else
  • User Based Protection
  • You can restrict access to certain users or
    groups from Globals-(in)valid users option

88
Securing your Samba Server
  • You can control access by Interface with
    Globals-Interfaces
  • eth0 lo, as an example, will listen only on the
    loopback and eth0, but not on eth1, eth2 etc
  • You must set Bind Interfaces Only in the Advanced
    screen for this to work
  • Useful on dual-homed systems
  • Blocking IPC Shares
  • Cannot be done from SWAT
  • Add lines to smb.conf
  • [IPC$]
  • Hosts Allow = 127.0.0.1, 192.168.0.0/24
  • Hosts Deny = 0.0.0.0/0
  • NB: this will be overwritten if you use SWAT to
    rebuild smb.conf
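
The restrictions from the Sharing Directories and Securing your Samba Server slides, turned into a small smb.conf audit. This is an added example, not part of the original presentation: the two sample configurations are constructed from values shown on the slides, and the function names and finding codes are hypothetical.

```python
"""Audit an smb.conf for the restrictions named on the slides (added example)."""

TRUE = {"yes", "true", "1"}

# Constructed sample: domain-member settings from the slides, no hardening applied.
SAMPLE_WEAK = """\
[global]
workgroup = ME
security = DOMAIN
interfaces = net0, lo0

[U Filesystem]
path = /u
"""

# Constructed sample: the same server with the slides' restrictions in place.
SAMPLE_HARDENED = """\
[global]
workgroup = ME
security = DOMAIN
interfaces = net0, lo0
Bind Interfaces Only = Yes
hosts allow = 127.0.0.1, 192.168.0.0/24
hosts deny = 0.0.0.0/0

[U Filesystem]
path = /u
valid users = kirk, @Administrators

[IPC$]
Hosts Allow = 127.0.0.1, 192.168.0.0/24
Hosts Deny = 0.0.0.0/0
"""


def parse_smb_conf(text):
    """Return {section: {param: value}}; names are folded the way Samba
    compares them (case-insensitive, whitespace ignored)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections


def has_allow_list(params):
    # "allow hosts" is Samba's synonym for "hosts allow".
    return bool(params.get("hostsallow") or params.get("allowhosts"))


def audit(text):
    """Return a list of (section, finding) tuples; empty means all checks pass."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("security", "").lower() == "share":
        findings.append(("global", "share-level-security"))
    if not has_allow_list(glob):
        findings.append(("global", "no-hosts-allow"))
    bound = glob.get("bindinterfacesonly", "no").lower() in TRUE
    if "interfaces" in glob and not bound:
        findings.append(("global", "interfaces-not-enforced"))
    # The slides note this hand-added section is overwritten by a SWAT rebuild.
    if not has_allow_list(conf.get("ipc$", {})):
        findings.append(("ipc$", "no-hosts-allow"))
    for name, params in conf.items():
        if name not in ("global", "ipc$") and not params.get("validusers"):
            findings.append((name, "blank-valid-users"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(text))
```

Running the audit after every SWAT commit catches the case where the [IPC$] block has been dropped from the rewritten file.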

89
Resources
  • http://www.samba.org
  • http://us1.samba.org/samba/docs/man/samba.7.html
  • The Official Samba-3 HOWTO and Reference Guide
    by John Terpstra and Jelmer R. Vernooij

Samba Installation Configuration
92
  • Questions