Title: Installing Samba 3 on OpenServer 6
Slide 1: Installing Samba 3 on OpenServer 6
Kirk Farquhar, SCO Canada (kirkf@sco.com)
Slide 2: Agenda
Slide 3: What is Samba?
- Samba is an open-source application suite that enables SMB/CIFS based services on Unix servers
- SMB (Server Message Block) is the underlying protocol for Windows File & Print Sharing
- Licensed under the GPL
- Maintained by the Samba Team (12-20 people)
- Web site for resources: www.samba.org
Slide 4: Business Benefits of Samba
- Samba allows you to merge the resources of your Windows and Unix networks
- Provides seamless access to Unix based files from Windows clients
- Provides a secure, stable file server
- Provides an upgrade path from Windows to big iron
- Eliminates the need for Windows servers in organizations that don't require Windows Server based applications
Slide 5: Samba 3
Slide 6: OSR6 - Installing from Media
- Insert the OpenServer 6 CD
- Start scoadmin
- Select Software Manager, Software, Install New
- Select From: Servername
- Select the media device: CDROM 0
- Expand SCO OpenServer Release 6.0.0
- Expand Connectivity
- Highlight SAMBA and click on Install
- N.B. If Heimdal Kerberos was not installed, install it in the same manner.
- Run mkdev samba
Slide 7: OSR6 - Installing from Downloads
- Download the CPIO file from the SCO site to /tmp
- Extract the VOL files:
    cat *.cpio | cpio -ivcd
- Start scoadmin
- Select Software Manager, Software, Install New
- Select From: Servername
- Select the media images option and directory /tmp
- Highlight samba and click Install
- Run mkdev samba
Slide 8: mkdev samba
- Run the command mkdev samba
- Choose 1) Configure and Activate Samba
- Enter your Windows Domain or Workgroup name
- Accept the default machine name provided
- If your network has a WINS server, select yes and provide its IP address
- If there is no WINS server on Windows, this server can be set as a WINS server
- Select whether you want to participate in an MS Domain
- Provide the NetBIOS name of the PDC
Slide 9: mkdev samba command - Workgroup
Slide 10: mkdev samba command - Workgroup Defaults
Slide 11: mkdev samba command - Workgroup
- Changes made to /etc/samba/smb.conf:
    workgroup = WORKGROUP
    netbios name = FANGORN
    security = user
    wins server = 192.168.0.2
Slide 12: State of Server after this mkdev samba
- nmbd and smbd are running
- The server is a member of the workgroup named WORKGROUP
- No shares are created and only root can connect
Slide 13: mkdev samba - Domain Member
Slide 14: mkdev samba - Domain Member
- Changes to /etc/samba/smb.conf:
    workgroup = ME
    netbios name = FANGORN
    security = domain
    password server = RIVENDELL
    wins server = 192.168.0.2
Slide 15: State of Server after this mkdev samba
- nmbd and smbd are running
- The server is a member of the domain ME
- The only user is root/administrator
- Shares aren't set up
- Password backend is smbpasswd
- Passwords are encrypted
Slide 16: (section divider)
Slide 17: What is SWAT?
- SWAT: Samba Web Administration Tool
- Included and configured by default with SCO Samba implementations
- SWAT will allow you to perform most Samba administration functions from any browser that can contact the server
- Alternative to command line interfaces or configuring smb.conf by hand
- Available on port 901 by default
- Controlled by inetd and a services file entry
Slide 18: Issues & Concerns with SWAT
- Completely replaces smb.conf on each use
- Only stores non-default settings in an intermediate file
- Doesn't retain set-up comments
- Can be viewed as a security risk
  - Never run in demo mode
  - Never run outside firewalls
- Doesn't like some passwords
Slide 19: SWAT Connection Login
Use your browser to connect to http://192.168.0.4:901
Slide 20: SWAT Home Page
- Primary use of the home page is to access the docs
Slide 21: SWAT Screens - Globals
- Allows you to set all Global variables that control the server's behaviour:
  - Server Type
  - Security Settings
  - Master Browser status and participation
  - WINS Options
Slide 22: SWAT Screens - Shares
- Allows you to configure File Shares on the Server, including the specific permissions and performance modifiers for the shares.
Slide 23: SWAT Screens - Printers
Allows you to set up the Unix printers to be shared by the server and to configure the printing and security options for those printers.
Slide 24: SWAT Screens - Wizard
This screen allows you to re-write the smb.conf file and easily re-set the Server type, WINS status and basic security access. Probably the first screen you'll use, but this is very dangerous as it can undo much configuration work.
Slide 25: SWAT Screens - Status
Displays current status of the Samba Server including active connections. Can be used to shut down or restart the server.
Slide 26: SWAT Screens - View
View the current smb.conf file. Note you cannot change the file here. By default shows only the non-default entries you've created for the file. The Full View option shows the entire smb.conf file.
Slide 27: SWAT Screens - Password
Add, enable and disable users as well as resetting passwords for users.
Slide 28: (section divider)
Slide 29: Files & Directories
- /etc/samba
  - smb.conf: primary Samba configuration file
  - lmhosts: file of NetBIOS host names and IP addresses
  - secrets.tdb: holds SID information
  - smbusers: maps Unix to Windows account names
  - smbpasswd: equivalent to the Unix password file
  - smbstab: info about file and print shares
- /usr/sbin
  - Daemons smbd and nmbd
- /usr/bin
  - Executables: testparm, smbnet, etc.
Slide 30: smb.conf file
- The smb.conf file contains all non-default entries you make to configure the Samba server
- Other entries are automatically set to defaults by Samba
- Re-read on each new connection and every 60 seconds
- Rebuilt dynamically if you use SWAT
Slide 31: S99smbd & S99nmbd
- Located in /etc/rc2.d, linked to smb and nmb in /etc/init.d
- Created by mkdev samba, or you can manually create the links: /etc/init.d/smb enable, /etc/init.d/nmb enable
- Starts and stops daemons
- Syntax:
    /etc/rc2.d/S99smbd start|stop|restart|enable|disable
    /etc/rc2.d/S99nmbd start|stop|restart|enable|disable
- Can be modified to change the location of Samba files
- Attempts to delete PID files and starts smbd and nmbd
Slide 32: Daemons
- Located in /usr/sbin
- smbd
  - TCP/IP daemon; handles all file and print requests as well as authentication and security
- nmbd
  - Handles name look-up and resolution and manages network browsing
  - Handles all UDP traffic
- smbd will not work without nmbd
Slide 33: Using testparm
- Utility to test the syntax of the smb.conf file
- Located in /usr/lib/samba/bin
- Usage:
    testparm [-v] [smb.conf file location]
- By default only lists changes you've made
- The -v option will show all defaults added by Samba
- Giving the smb.conf file location lets you test multiple files
- Besides displaying data, does a very simple syntax check. Note this doesn't guarantee your server will work.
Slide 34: (section divider)
Slide 35: Configuring the Samba Server
- Decisions to be made:
  - Do you have an existing Windows Network?
  - Is it a Workgroup or Domain?
  - If a Domain, what security profile?
  - What type of Server will this be?
  - What Security Mode do you want?
  - Will you join an existing Workgroup or Domain?
  - Do you have a Windows Domain?
  - Do you use Active Directory?
  - Is the Samba Server to be a Domain Controller?
  - Are Unix userids and network ids to be the same?
  - What type of clients will you have, Win95, Win2K?
Slide 36: Prerequisites
- You need to have a running network interface
- DNS should be configured
  - Optionally use /etc/hosts
  - Test with ping and nslookup
- If joining an AD domain, DNS should probably be running from the Win2K server
  - i.e. nslookup fangorn.me.local returns 192.168.0.4
  - nslookup 192.168.0.4 should return fangorn.me.local
- Apache is necessary for SWAT to function
- Other SMB services must not be operating (AFPS, VFS)
- Ports 137, 139 and 901 must be available
Slide 37: Windows Networking Issues
- Existing Win2K Domains with AD need to be configured with a Domain Functional Level of:
  - Windows 2000 Mixed
    - This allows servers using NT4 style Domain functionality to participate in the Domain
  - Or Native
    - This allows for native AD authentication using Kerberos; this will require the Heimdal modules
Slide 38: Server Types
- Stand-alone Server
  - A stand-alone server is a Workgroup member, but does not participate in Domain Security. Domain members may access it using local authentication.
- Domain Member Server
  - A Domain Member Server participates in a Domain and provides for a Single Sign-on Environment
- Domain Controller
  - Acts as either a Primary or Back-up Domain Controller
Slide 39: Security Levels
- User Security
  - security = user
  - Client sends session request as username/password
  - Server checks user and hostname only, since no share info is available
  - Once authenticated, client expects to be able to mount shares with a tree connection without further authentication
  - Client can send multiple session requests and gets a separate UID for each
- Share Security
  - security = share
  - Each tree connection request has a password submitted
  - Unlike NT, Unix needs a username/password combo
  - Samba will try to resolve a username by checking the PW against possible users
  - Not recommended; may create problems with newer Win clients
  - Primarily to support legacy implementations (Win9?)
Slide 40: Security Levels
- Domain Security (NT4 Domains)
  - security = domain
  - workgroup = ME
  - encrypt passwords = yes
  - Server has a trust account on the domain server (gotcha!)
  - Authentication requests passed to domain server to be resolved
  - You must join a domain after Samba is started (you only need to do this once)
  - As root execute:
    /usr/lib/samba/bin/smbnet rpc join -U Administrator%adminpw
  - You must have a standard Unix user account for each user of the server, or define acceptable users by share
  - Populate /etc/passwd with:
    /usr/lib/samba/bin/smbnet rpc vampire -S pdcnbname -U administrator%pw
Slide 41: Security Levels
- Domain Security (Native AD Domains)
  - security = domain
  - workgroup = ME
  - encrypt passwords = yes
  - Server has a trust account on the domain server (gotcha!)
  - Authentication requests passed to domain server to be resolved
  - You must join a domain after Samba is started (you only need to do this once)
  - As root execute:
    /usr/lib/samba/bin/smbnet rpc join -U Administrator%adminpw
  - You must have a standard Unix user account for each user of the server, or define acceptable users by share
  - Populate /etc/passwd with:
    /usr/lib/samba/bin/smbnet rpc vampire -S pdcnbname -U administrator%pw
Slide 42: Security Levels
- Server Security
  - smb.conf entries needed:
    security = server
    encrypt passwords = yes
    password server = nbnameofserver
  - Variation of user level security; the client thinks this is user level
  - When the server gets a session setup request, it uses the username/password combo to try to log in to the password server
  - Requires a standard Unix user account on the Samba Server
  - You may want to block shell connections for this account
  - May cause account lockouts on servers for failed authentications
  - If the PW server shuts down, Samba won't work
Slide 43: Setting Up a Standalone Server
Slide 44: Setting up a Stand-alone Server - Globals
- In the Globals Screen
  - Define your Workgroup name
  - Define the NetBIOS name
  - Set security level
  - Set Encrypted Passwords to Yes
  - Set Password Backend to smbpasswd
  - Commit changes
Slide 45: Setting up a Stand-alone Server - Wizard
- In the Wizard Screen
  - Select Stand-alone Server
  - Configure WINS Server
  - Expose Home Dirs?
  - Commit changes
Slide 46: Create Machine Accounts for Workstations
- You need to create machine accounts for workstations running W2K or above
- Create a Unix group "machines":
    groupadd machines
- Add an account for each machine:
    useradd -g machines -d /var/nobody -c "Kirks Workstation" -s /bin/false bilbo$
- Note the $ at the end of the machine name
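Scripting the machine trust accounts for several workstations, as an added example that is not from the slides. The group name machines, the home directory /var/nobody, the shell /bin/false and the trailing $ are the slide's; the NetBIOS name validation, the account comment text and the function names are this example's assumptions. The functions only print the commands, so they can be reviewed before being piped into a root shell.

```shell
#!/bin/sh
# Added example: generate the groupadd/useradd commands for workstation
# machine trust accounts (slide 46). Names, home dir and shell follow the
# slide; name validation and the comment text are assumptions.

# A NetBIOS machine name is 1-15 characters; this example accepts letters,
# digits and hyphens only, so a typo cannot turn into an odd Unix account.
valid_machine_name() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print the useradd command for one workstation. The trailing "$" marks the
# account as a machine trust account, and /bin/false as the shell means the
# account can never be used for an interactive login.
machine_account_cmd() {
    name=$1
    valid_machine_name "$name" || { echo "bad machine name: $name" >&2; return 1; }
    printf "useradd -g machines -d /var/nobody -c '%s workstation' -s /bin/false '%s\$'\n" \
        "$name" "$name"
}

# Print the whole command list for a set of workstations: the group first,
# then one useradd per machine. Stops at the first invalid name.
create_machine_accounts() {
    echo "groupadd machines"
    for ws in "$@"; do
        machine_account_cmd "$ws" || return 1
    done
}

# Usage (as root, after reading the output): create_machine_accounts bilbo frodo | sh
if [ "${1:-}" ]; then
    create_machine_accounts "$@"
fi
```

Running the script with the workstation names as arguments prints the commands; nothing is executed until the output is piped into sh, which keeps a bad name list from creating accounts.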
Slide 47: Add Users - Password Screen
- In the Password Screen
  - Add users
  - Set passwords to match the Windows PW
  - Click Add New User for each user
  - Click Enable User
Slide 48: Setting up a Stand-alone Server - Status
- In the Status screen
  - Click on Restart All to shut down and restart the Server
- From a Windows Workstation go to My Network Places, and select
  - Entire Network,
  - Microsoft Windows Network
  - Your Domain
  - Your Samba Server
  to display current shares.
Slide 49: smb.conf Entries
    security = user
    workgroup = SCO
    encrypt passwords = yes
    passdb backend = smbpasswd
Slide 50: Check Access to Resources
Slide 51: Try to Access Resources
Slide 52: Try to Access Resources
Slide 53: Setting Up a Domain Member Server
Slide 54: Setting up a Domain Member
- In the Globals screen
  - Add the Domain name in the Workgroup field
  - Add the Server's name in the NetBIOS name field
  - Set Security to DOMAIN
  - Commit changes
Slide 55: Setting up a Domain Member
- In the Wizard screen
  - Jump to Parameter Edit
  - Configure the Server Type as Domain Member
  - Configure WINS as Client of another Server
  - Set security = Domain
  - Set the IP address of your primary WINS Server
  - Expose Home Dirs?
  - Commit changes
Slide 56: Setting up a Domain Member
- In the Status screen
  - Click on Restart All to shut down and restart the Server
- At a Unix prompt as root run the command:
    /usr/bin/smbnet rpc join -U administrator%password
- From a Windows Workstation go to My Network Places, and select
  - Entire Network,
  - Microsoft Windows Network
  - Your Domain
  - Your Samba Server
  to display current shares.
Slide 57: smb.conf Entries
    [global]
       workgroup = ME
       server string = Fangorn Samba 3 Server
       interfaces = net0, lo0
       bind interfaces only = Yes
       security = DOMAIN
       password server = rivendell
       log file = /var/log/samba/log.%m
       max log size = 50
       dns proxy = No
       wins server = 192.168.0.2

    [homes]
       comment = Home Directories
       read only = No
       browseable = No

    [printers]
       comment = All Printers
       path = /usr/spool/samba
       printable = Yes
       browseable = No
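The same domain member configuration written out by a script and then syntax-checked with testparm (slide 33), as an added example that is not from the slides. The entries are the slide's, with two additions taken from earlier slides: netbios name (slide 14) and encrypt passwords (slide 40). The function names, the output-path argument and the two testparm locations searched (slide 33's /usr/lib/samba/bin and slide 29's /usr/bin) are this example's assumptions.

```shell
#!/bin/sh
# Added example: write the domain member smb.conf from slide 57 to a file and
# run testparm over it. Function names and the testparm search list are
# assumptions of this example; the settings are the slides'.

# write_domain_member_conf FILE WORKGROUP PDC WINS_IP NETBIOS_NAME
write_domain_member_conf() {
    out=$1; wg=$2; pdc=$3; wins=$4; nb=$5
    cat > "$out" <<EOF
[global]
   workgroup = $wg
   netbios name = $nb
   server string = $nb Samba 3 Server
   interfaces = net0, lo0
   bind interfaces only = Yes
   security = DOMAIN
   encrypt passwords = Yes
   password server = $pdc
   log file = /var/log/samba/log.%m
   max log size = 50
   dns proxy = No
   wins server = $wins

[homes]
   comment = Home Directories
   read only = No
   browseable = No

[printers]
   comment = All Printers
   path = /usr/spool/samba
   printable = Yes
   browseable = No
EOF
}

# list_sections FILE: print the section names in file order, a quick view of
# [global] plus every share the file defines.
list_sections() {
    sed -n 's/^[[:space:]]*\[\(.*\)\][[:space:]]*$/\1/p' "$1"
}

# check_conf FILE: run testparm -s (no "press enter" prompt) if it is
# installed; report and succeed if it is not, so the script still works on a
# machine without Samba (e.g. where the file is prepared before copying).
check_conf() {
    for tp in /usr/lib/samba/bin/testparm /usr/bin/testparm; do
        if [ -x "$tp" ]; then
            "$tp" -s "$1" > /dev/null
            return
        fi
    done
    echo "testparm not found; syntax check skipped" >&2
    return 0
}

# Usage: sh thisfile /tmp/smb.conf.new   (then copy to /etc/samba/smb.conf)
if [ "${1:-}" ]; then
    write_domain_member_conf "$1" ME rivendell 192.168.0.2 FANGORN
    check_conf "$1" && list_sections "$1"
fi
```

Writing to a staging file and checking it first avoids the slide 30 problem of a half-edited /etc/samba/smb.conf being re-read by running daemons mid-edit; the finished file is copied into place in one step.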
Slide 58: ADS Authentication - Globals Screen
- Essentially the same as a domain member, but:
  - Add realm
  - Set Security to ADS
Slide 59: ADS Authentication - Wizard Screen
- The wizard should pick up the correct changes from the Globals commit
- Note the addition of realm
Slide 60: Changes to the Globals section of smb.conf
    [global]
       workgroup = ME
       realm = ME.LOCAL
       server string = Fangorn Samba 3 Server
       interfaces = net0, lo0
       bind interfaces only = Yes
       security = ADS
       password server = rivendell
       log file = /var/log/samba/log.%m
       max log size = 50
       dns proxy = No
       wins server = 192.168.0.2
Slide 61: Getting Kerberos to Work
- To authenticate natively to AD you need Kerberos services to work
- In the smb.conf Globals section we need:
  - security = ADS (use AD for Authentication)
  - realm = ME.LOCAL (the realm is your local DNS domain name)
  - password server = RIVENDELL (NetBIOS name of the Windows PDC)
- SID must be correct
  - If errors show in the SID use:
    smbnet getlocalsid domainname
    smbnet setlocalsid S-1-5-21-x-y-z
- Run smbnet ads status -U administrator (you should get a big dump of data)
- Re-run smbnet ads join -U administrator
Slide 62: (section divider)
Slide 63: Sharing Directories
- In the SWAT Shares screen
  - Enter a new share name and click on Create Share
Slide 64: Sharing Directories
- Fill in options for this share
- Optionally:
  - Add special user conditions
  - Turn on/off Guest Access
  - Control host access
  - Set Browseable
- NB: a blank entry for valid users means anyone can access the share
- If hosts are allowed, then only those hosts are allowed
- Click on Commit Changes when done
Slide 65: smb.conf Entries
- This will create a section in smb.conf for this share (the "U Filesystem" share):
    [U]
       path = /u
       valid users = kirk, @Administrators
       hosts deny = 192.168.0.5
Slide 66: (section divider)
Slide 67: Configuring the Print Server
- By default Samba will load all of the printers in the /etc/printcap file
  - This is done by the Global option load printers = yes
  - Printing mode is sysv (printing = sysv)
  - Optionally on Legend you can use CUPS
- In the Globals screen / Advanced View you can set print spooler options (defaults work well)
Slide 68: Sharing all printers
- In the Printers tab
  - Choose printers
  - Note the Browseable option
  - Set Hosts to Allow / Deny
Slide 69: Adding a Specific Printer
- Enter Printer Name
- Click on Create Printer
- Make printer specific settings
- Set Browseable to Yes
- Commit changes
Slide 70: Accessing the Printer from Windows
- To use this printer from Windows:
  - Start
  - Printers
  - Add a Printer
  - Choose a Network Printer
  - Choose "connect to this Printer" (leave name blank)
  - Drill down to the printer
Slide 71: Setting Up Windows Clients
Slide 72: Configuring the Windows Clients
- From the Control Panel select Networking - Local Area Connection
- Select Properties
- Ensure File & Print Sharing for Microsoft Networks is installed
- Select Internet Protocol (TCP/IP) and then Properties
Slide 73: Configuring the Windows Clients
- Select Control Panel - System
- Choose the Network Identification Wizard (Network ID button) and enter your machine name and Domain Name or Workgroup
- You will be prompted for an admin user name and password on the domain controller
Slide 74: Configuring the Windows Clients
- If using DHCP select Obtain Address Automatically
- Otherwise populate all fields
- Select the Advanced tab
Slide 75: Configuring the Windows Clients
- If not using DHCP you must add the IP Address and Gateway
- Likewise, DHCP will automatically add DNS & WINS information
Slide 76: Configuring the Windows Clients
- If not using DHCP populate the DNS & WINS screens
Slide 77: Configuring Windows Clients
- From the Desktop
  - My Network Places
  - Microsoft Windows Network
  - Choose your Domain (ME)
  - The Samba Server should be displayed (FANGORN)
  - Expand the Server and Shares should appear
  - Double click on the Server's name to see Shares
  - Alt-click on a Share to consume it
  - Double click on it to Browse
Slide 78: (section divider)
Slide 79: Using smbclient
- smbclient is a CIFS client that allows the Samba system to consume resources from other CIFS servers
- Usage:
    smbclient [-?EgVNkP] [--usage] [-R NAME-RESOLVE-ORDER] [-M HOST] [-I IP] [-L HOST]
        [-t CODE] [-m LEVEL] [-T<c|x>IXFqgbNan] [-D DIR] [-c ARG] [-b BYTES] [-p PORT]
        [-d DEBUGLEVEL] [-s CONFIGFILE] [-l LOGFILEBASE] [-O SOCKETOPTIONS]
        [-n NETBIOSNAME] [-W WORKGROUP] [-i SCOPE] [-U USERNAME] [-A FILE]
        [-S on|off|required] service <password>
Slide 80: smbclient -L
- Use to list shared resources on a server:
    rohan$ smbclient -L bilbo
    Password:
    Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Sharename       Type      Comment
        ---------       ----      -------
        E$              Disk      Default share
        IPC$            IPC       Remote IPC
        D$              Disk      Default share
        downloads       Disk
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        ExchangeData    Disk
    Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Server               Comment
        ---------            -------
Slide 81: Accessing Windows Files
- Use smbclient to connect to a File Share and get an FTP-like interface:
    rohan$ smbclient //bilbo/downloads -U kirk
    Password:
    Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
    smb: \>
- At the smb prompt you can use commands similar to FTP: cd, dir, get, mget etc.
Slide 82: Listing Files
    rohan$ smbclient //bilbo/downloads -U kirk
    Password:
    Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
    smb: \> dir
      .                                  D         0  Mon May 30 14:46:16 2005
      ..                                 D         0  Mon May 30 14:46:16 2005
      AdbeRdr60_enu_full.exe             A  16706160  Wed Apr 13 16:40:49 2005
      bilbo01_1024x768.jpg               A    317087  Tue Jul  6 12:59:22 2004
      casedge                            D         0  Tue Nov 30 16:20:08 2004
      genica                             D         0  Tue Nov 30 14:26:54 2004
      gn788.zip                          A    565618  Thu Oct 14 14:58:33 2004
      ISA2004Enterprise.iso              A 114960384  Sun Apr 24 18:50:35 2005
      iTunesSetup.exe                    A  21904216  Mon May 30 14:46:16 2005
      ppviewer.exe                       A   1951432  Wed Apr 13 16:26:26 2005
      Product_Training_April_v_4.ppt     A   4551680  Wed Apr 13 16:30:37 2005
      RealPlayer10-5GOLD.exe             A  10827296  Thu Apr 21 23:25:11 2005
      RiskFilter_403.ISO                 A 376932352  Mon Jan 10 15:21:51 2005
      threatdetector.exe                 A  17345027  Mon May 16 16:02:34 2005
      W2KSP2.exe                         A 106278016  Tue Nov 30 16:33:23 2004
Slide 83: Getting a file
    smb: \> cd casedge
    smb: \casedge\> dir
      .                                  D         0  Tue Nov 30 16:20:08 2004
      ..                                 D         0  Tue Nov 30 16:20:08 2004
      audio                              D         0  Tue Nov 30 16:23:03 2004
      audio_0050.exe                     A  19342431  Tue Nov 30 16:22:32 2004
      lan                                D         0  Tue Nov 30 14:19:29 2004
      usb                                D         0  Tue Nov 30 14:21:29 2004
      video                              D         0  Tue Nov 30 14:20:39 2004

                51740 blocks of size 524288. 44090 blocks available
    smb: \casedge\> cd video
    smb: \casedge\video\> dir
      .                                  D         0  Tue Nov 30 14:20:39 2004
      ..                                 D         0  Tue Nov 30 14:20:39 2004
      autorun.inf                        A        34  Thu Jul 11 16:07:42 2002
      Graphics                           D         0  Tue Nov 30 14:20:39 2004
      ReadMe.txt                         A     27090  Thu Jul 11 18:02:00 2002
Slide 84: Using a Printer
- Configure CUPS printing on the Unix Server
- Use smbclient -L servername to identify the sharename of the available printers
- Create a PPD file for the Windows printer
- Install the printer to CUPS:
    root# lpadmin -p winprinter -v smb://frodo/psc2200 -P /path/to/PPDfile
Slide 85: (section divider)
Slide 86: Special Considerations
- Real time updates of smb.conf
  - The smb.conf file is re-read on each new connection and every 60 seconds
  - Manually changing smb.conf can interrupt existing connections
- Sharing datafiles with Windows & Unix apps
  - By default Samba enables Opportunistic locking for local data caching
  - This should only be used where shares are used exclusively by Windows clients
  - In Globals - Advanced View - Locking, set oplocks and level2 oplocks to No
  - You can also disable oplocks on a per share basis in Shares - Share Properties - Advanced - Locking
Slide 87: Securing your Samba Server
- If possible, Samba servers should be behind the firewall
- Host-Based Protection
  - You can restrict access to certain systems in the Globals - Hosts Allow/Deny options; create entries such as
    hosts allow = 127.0.0.1, 192.168.0.0/24
    hosts deny = 0.0.0.0/0
  - These entries allow only local access and access from the 192.168.0 net, and deny everyone else
- User Based Protection
  - You can restrict access to certain users or groups from the Globals - (in)valid users option
Slide 88: Securing your Samba Server
- You can control access by Interface with Globals - Interfaces
  - interfaces = eth0 lo, as an example, will only listen on the loopback and eth0, but not on eth1, eth2 etc.
  - You must set Bind Interfaces Only in the Advanced screen for this to work
  - Useful on dual-homed systems
- Blocking IPC$ Shares
  - Cannot be done from SWAT
  - Add lines to smb.conf:
    [IPC$]
       hosts allow = 127.0.0.1, 192.168.0.0/24
       hosts deny = 0.0.0.0/0
  - NB: this will be overwritten if you use SWAT to rebuild smb.conf
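Since SWAT rewrites smb.conf and silently drops the hand-added [IPC$] block, a re-runnable check is the practical way to keep the settings from slides 86 to 88 in place. The script below audits an smb.conf for those settings (global hosts allow/deny, interfaces without bind interfaces only, a restricted [IPC$] section, oplocks) and for security = share from slide 39. It is an added example that is not from the slides: the function names, the message texts and the two constructed sample configurations are assumptions of this example; the settings it looks for are the slides'.

```shell
#!/bin/sh
# Added example: audit smb.conf against the hardening settings of slides
# 86-88 and the security = share warning of slide 39. Function names,
# messages and the sample configs below are this example's own.

# smb_get FILE SECTION KEY: print the key's value in that section, lower-cased
# (smb.conf keys and section names are case-insensitive; ';' and '#' start comments).
smb_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (tolower(s) == tolower(sec)); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print tolower(v); exit
            }
        }' "$1"
}

# smb_has_section FILE SECTION: succeed if a [SECTION] header exists.
smb_has_section() {
    awk -v sec="[$2]" '/^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s)
        if (tolower(s) == tolower(sec)) found = 1 } END { exit !found }' "$1"
}

# audit_smb_conf FILE: print one line per finding; the return value is the
# number of WARN lines, so 0 means every checked setting is present.
audit_smb_conf() {
    f=$1; warns=0
    warn() { echo "WARN: $1"; warns=$((warns + 1)); }

    [ "$(smb_get "$f" global security)" = share ] && warn "security = share is not recommended (slide 39)"
    [ -n "$(smb_get "$f" global 'hosts allow')" ] || warn "no global 'hosts allow'; any host may connect (slide 87)"
    [ -n "$(smb_get "$f" global 'hosts deny')" ] || warn "no global 'hosts deny = 0.0.0.0/0' (slide 87)"
    if [ -n "$(smb_get "$f" global interfaces)" ] && [ "$(smb_get "$f" global 'bind interfaces only')" != yes ]; then
        warn "'interfaces' is set but 'bind interfaces only' is not yes; the list has no effect (slide 88)"
    fi
    if smb_has_section "$f" 'IPC$'; then
        [ -n "$(smb_get "$f" 'IPC$' 'hosts allow')" ] || warn "[IPC\$] section has no 'hosts allow' (slide 88)"
    else
        warn "no [IPC\$] section; SWAT may have rebuilt smb.conf (slide 88)"
    fi
    [ "$(smb_get "$f" global oplocks)" = no ] || echo "INFO: oplocks enabled; set to No for shares used by both Unix and Windows apps (slide 86)"
    return $warns
}

# Two constructed sample files so the audit can be tried offline.
write_weak_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = share
   interfaces = eth0 lo
EOF
}
write_hardened_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   interfaces = eth0 lo
   bind interfaces only = Yes
   hosts allow = 127.0.0.1, 192.168.0.0/24
   hosts deny = 0.0.0.0/0
   oplocks = No
[IPC$]
   hosts allow = 127.0.0.1, 192.168.0.0/24
   hosts deny = 0.0.0.0/0
EOF
}

# Usage: sh thisfile /etc/samba/smb.conf   (exit status = number of warnings)
if [ "${1:-}" ]; then
    audit_smb_conf "$1"
fi
```

Run it after every SWAT commit (or from cron) and a non-zero exit status tells you the [IPC$] block or the host restrictions were lost; the weak sample config produces five warnings, the hardened one none.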
Slide 89: Resources
- http://www.samba.org
- http://us1.samba.org/samba/docs/man/samba.7.html
- The Official Samba-3 HOWTO and Reference Guide by John Terpstra and Jelmer R. Vernooij
Samba Installation & Configuration