Farquhar_Forum05-Samba

Installing Samba 3 on OpenServer 6
Kirk Farquhar, SCO Canada            kirkf@sco.com

Agenda

What is Samba?

Samba is an open-source application suite that enables SMB/CIFS based services on Unix servers
    SMB – Server Message Block – is the underlying protocol for Windows File & Print Sharing
Licensed under the GPL
Maintained by the Samba Team (12-20 people)
Web site for resources – www.samba.org

Business Benefits of Samba

Samba allows you to merge the resources of your Windows & Unix networks
Provides seamless access to Unix based files from Windows clients
Provides a secure & stable file server
Provides an upgrade path from Windows to “big iron”
Eliminates the need for Windows servers in organizations that don’t require Windows Server based applications

Samba 3

Installation

OSR6 - Installing from Media

Insert the OpenServer 6 CD
Start scoadmin
Select Software Manager, Software, Install New
    Select “From Servername”
    Select the media device CDROM 0
    Expand SCO OpenServer Release 6.0.0
    Expand Connectivity
    Highlight SAMBA and click on Install
N.B. If Heimdal Kerberos was not installed, install it in the same manner.
Run mkdev samba

OSR6 - Installing from Downloads

Download the CPIO file from the SCO site to /tmp
Extract the VOL files
    cat *.cpio | cpio -ivcd "*.*"
Start scoadmin
Select Software Manager, Software, Install New
    Select “From Servername”
    Select the media images option and directory /tmp
    Highlight samba and click Install
Run mkdev samba

mkdev samba

Run the command mkdev samba
    Choose 1 – Configure and Activate Samba
    Enter your Windows Domain or Workgroup name
    Accept the default machine name provided
    If your network has a WINS server select yes and provide its IP address
    If there is no WINS server on Windows this server can be set as a WINS server
    Select whether you want to participate in an MS Domain
    Provide the NetBIOS name of the PDC

mkdev samba command - Workgroup

mkdev samba command - Workgroup (Defaults)

mkdev samba command - Workgroup

Changes made to /etc/samba/smb.conf
    workgroup = WORKGROUP
    netbios name = FANGORN
    Security = User
    WINS server = 192.168.0.2

State of Server after this mkdev samba

nmbd and smbd are running
The server is a member of the workgroup named WORKGROUP
No shares are created and only root can connect

mkdev samba – Domain Member

mkdev samba – Domain Member

Changes to /etc/samba/smb.conf
    workgroup = ME
    netbios name = FANGORN
    security = domain
    password server = RIVENDELL
    wins server = 192.168.0.2

State of Server after this mkdev samba

nmbd and smbd are running
The server is a member of the domain ME
The only user is root/administrator
Shares aren’t set up
Password backend is smbpasswd
Passwords are encrypted

Introduction to SWAT

What is SWAT?

SWAT = Samba Web Administration Tool
Included and configured by default with SCO Samba implementations
SWAT will allow you to perform most Samba administration functions from any browser that can contact the server
Alternative to command line interfaces or configuring smb.conf by hand
Available on port 901 by default
Controlled by the inetd and services file entries

Issues & Concerns with SWAT

Completely replaces smb.conf on each use
Only stores non-default settings in intermediate file
Doesn’t retain set-up comments
Can be viewed as a security risk
    Never run in demo mode
    Never run outside firewalls
Doesn’t like some passwords

SWAT Connection & Login

Use your browser to connect to http://192.168.0.4:901

SWAT HomePage

Primary use of the home page is to access the docs

SWAT Screens - Globals

Allows you to set all Global variables that control the server’s behaviour:
• Server Type
• Security Settings
• Master Browser status & participation
• WINS Options

SWAT Screens - Shares

Allows you to configure File Shares on the Server, including the specific permissions and performance modifiers for the shares.

SWAT Screens - Printers

Allows you to set up the Unix printers to be shared by the server and to configure the printing and security options for those printers.

SWAT Screens - Wizard

This screen allows you to rewrite the smb.conf file and easily reset the Server type, WINS status and basic security access. Probably the first screen you’ll use, but this is very dangerous as it can undo much configuration work.

SWAT Screens - Status

Displays current status of the Samba Server including active connections. Can be used to shut down or restart the server.

SWAT Screens - View

View the current smb.conf file. Note – you cannot change the file here.

By default shows only the non-default entries you’ve created for the file. The Full View option shows the entire smb.conf file.

SWAT Screens - Password

Add, enable and disable users as well as resetting passwords for users.

Files & Directories

/etc/samba
    smb.conf       primary Samba configuration file
    lmhosts        file of NetBIOS host names & IP addresses
    secrets.tdb    holds SID information
    smbusers       maps Unix to Windows account names
    smbpasswd      equivalent to the Unix password file
    smbstab        info about file & print shares
/usr/sbin
    Daemons smbd and nmbd
/usr/bin
    Executables, testparm, smbnet etc.

smb.conf file

The smb.conf file contains all non-default entries you make to configure the Samba server
Other entries are automatically set to defaults by Samba
Re-read on each new connection and every 60 seconds
Rebuilt dynamically if you use SWAT

S99smbd & S99nmbd

Located in /etc/rc2.d – linked to smb & nmb in /etc/init.d
Created by mkdev samba or you can manually create links
    /etc/init.d/smb enable, /etc/init.d/nmb enable
Starts and stops daemons
Syntax
    /etc/rc2.d/S99smbd start|stop|restart|enable|disable
    /etc/rc2.d/S99nmbd start|stop|restart|enable|disable
Can be modified to change location of Samba files
Attempts to delete PID files and starts smbd and nmbd

Daemons

Located in /usr/sbin
smbd
    TCP/IP daemon; handles all file and print requests as well as authentication and security
nmbd
    Handles name look-up and resolution and manages network browsing
    Handles all UDP traffic
    smbd will not work without nmbd

Using testparm

Utility to test the syntax of the smb.conf file
Located in /usr/lib/samba/bin
Usage
    testparm [-v] [smb.conf file location]
By default only lists changes you’ve made
The -v option will show all defaults added by Samba
Giving the smb.conf file location lets you test multiple files
Besides displaying data it does a very simple syntax check – Note: this doesn’t guarantee your server will work

Configuring Your Server

Configuring the Samba Server

Decisions to be made
    Do you have an existing Windows Network?
        Is it a Workgroup or Domain?
            If a Domain, what security profile?
    What type of Server will this be?
    What Security Mode do you want?
    Will you join an existing Workgroup or Domain?
        Do you have a Windows Domain?
            Do you use Active Directory?
        Is the Samba Server to be a Domain Controller?
        Are Unix userids and network ids to be the same?
    What type of clients will you have, Win95, Win2K?

Prerequisites

You need to have a running network interface
DNS should be configured
    Optionally use /etc/hosts
    Test with ping & nslookup
    If joining an AD domain DNS should probably be running from the Win2K server
        i.e. nslookup fangorn.me.local returns 192.168.0.4
        nslookup 192.168.0.4 should return fangorn.me.local
Apache is necessary for SWAT to function
Other SMB services must not be operating (AFPS VFS)
Ports 137, 139, and 901 must be available

Windows Networking Issues

Existing Win2K+ Domains with AD need to be configured with a Domain Functional Level of:
    Windows 2000 Mixed
        This allows servers using NT4 style Domain functionality to participate in the Domain
    Or Native
        This allows for native AD authentication using Kerberos – this will require the Heimdal modules

Server Types

Stand-alone Server
    A stand-alone server is a Workgroup member, but does not participate in Domain Security. Domain members may access it using local authentication.
Domain Member Server
    A Domain Member Server participates in a Domain and provides for a Single Sign-on Environment
Domain Controller
    Acts as either a Primary or Back-up Domain Controller

Security Levels

User Security
    Security=user
    Client sends session request as username/password
    Server checks user and hostname only since no share info is available
    Once authenticated the client “expects” to be able to mount shares with a tree connection without further authentication
    Client can send multiple session requests and gets a separate UID for each
Share Security
    Security=share
    Each tree connection request has a password submitted
    Unlike NT, Unix needs a username/password combo
        Samba will try to resolve a username by checking the PW against possible users
    Not recommended – may create problems with newer Win Clients
    Primarily to support legacy implementations – Win9?

Security Levels

Domain Security (NT4 Domains)
    Security=Domain
    Workgroup=ME
    Encrypt Passwords=Yes
    Server has a trust account on the domain server – gotcha!
    Authentication requests passed to domain server to be resolved
    You must join a domain after Samba is started (you only need to do this once)
        As root execute:
            /usr/lib/samba/bin/smbnet rpc join -U Administrator%adminpw
    You must have a standard Unix user account for each user of the server or define acceptable users by share
    Populate /etc/passwd with
        /usr/lib/samba/bin/smbnet rpc vampire -S pdcnbname -U administrator%pw

Security Levels

Domain Security (Native AD Domains)
    Security=Domain
    Workgroup=ME
    Encrypt Passwords=Yes
    Server has a trust account on the domain server – gotcha!
    Authentication requests passed to domain server to be resolved
    You must join a domain after Samba is started (you only need to do this once)
        As root execute:
            /usr/lib/samba/bin/smbnet rpc join -U Administrator%adminpw
    You must have a standard Unix user account for each user of the server or define acceptable users by share
    Populate /etc/passwd with
        /usr/lib/samba/bin/smbnet rpc vampire -S pdcnbname -U administrator%pw

Security Levels

Server Security
    smb.conf entries needed
        Security=Server
        Encrypt passwords=yes
        Password Server=nbnameofserver
    Variation of user level security – client “thinks” this is user level
    When the server gets a session setup request it uses the username/password combo to try to login to the password server
    Requires a standard Unix user account on the Samba Server
        You may want to block shell connections for this account
    May cause account lockouts on servers for failed authentications
    If the PW server shuts down Samba won’t work

Setting Up a Standalone Server

Setting up a Stand-alone Server - Globals

In the Globals Screen:
• Define your Workgroup name
• Define the netbios name
• Set security level
• Set Encrypted Passwords to Yes
• Set Password Backend to smbpasswd
• Commit changes

Setting up a Stand-alone Server - Wizard

In the Wizard Screen:
• Select Stand-alone Server
• Configure WINS Server
• Expose Home Dirs?
• Commit changes

Create Machine Accounts for Workstations

You need to create machine accounts for workstations running W2K or above
Create a Unix group machines
    groupadd machines
Add an account for each machine
    useradd -g machines -d /var/nobody -c "Kirks Workstation" -s /bin/false bilbo$
Note the $ at the end of the machine name

Add Users - Password

In the Password Screen
    Add users
    Set passwords to match the Windows PW
    Click Add New User for each user
    Click Enable User

Setting up a Stand-alone Server - Status

In the Status screen:
Click on Restart All to shutdown and restart the Server
From a Windows Workstation go to My Network Places, and select
    Entire Network,
    Microsoft Windows Network
    Your Domain
    Your Samba Server
    to display current shares.

smb.conf Entries

    Security = User
    Workgroup = SCO
    Encrypt Passwords = Yes
    Password Backend = smbpasswd

Check Access to Resources

Try to Access Resources

Setting Up a Domain Member Server

Setting up a Domain Member - Globals

In the Globals screen:
• Add the Domain name in the Workgroup field
• Add the Server’s name in the NetBIOS name Field
• Set Security to DOMAIN
• Commit changes

Setting up a Domain Member - Wizard

In the Wizard screen:
• Jump to Parameter Edit
• Configure the Server Type as Domain Member
• Configure WINS as Client of another Server
• Set security=Domain
• Set the IP address of your primary WINS Server
• Expose Home Dirs?
• Commit changes

Setting up a Domain Member - Status

In the Status screen:
• Click on Restart All to shutdown and restart the Server
• At a Unix prompt as root run the command:
    /usr/bin/smbnet rpc join -U administrator%password
From a Windows Workstation go to My Network Places, and select
• Entire Network,
• Microsoft Windows Network
• Your Domain
• Your Samba Server
To display current shares.

smb.conf Entries

[global]
    workgroup = ME
    server string = Fangorn Samba 3 Server
    interfaces = net0, lo0
    bind interfaces only = Yes
    security = DOMAIN
    password server = rivendell
    log file = /var/log/samba/log.%m
    max log size = 50
    dns proxy = No
    wins server = 192.168.0.2
[homes]
    comment = Home Directories
    read only = No
    browseable = No
[printers]
    comment = All Printers
    path = /usr/spool/samba
    printable = Yes
    browseable = No

ADS Authentication – Globals Screen

Essentially same as a domain member, but:
• Add realm
• Set Security to ADS

ADS Authentication – Wizard Screen

The wizard should pick up correct changes from the Globals commit
Note addition of realm

Changes to the Globals section of smb.conf

[global]
    workgroup = ME
    realm = ME.LOCAL
    server string = Fangorn Samba 3 Server
    interfaces = net0, lo0
    bind interfaces only = Yes
    security = ADS
    password server = rivendell
    log file = /var/log/samba/log.%m
    max log size = 50
    dns proxy = No
    wins server = 192.168.0.2

Getting Kerberos to Work

To authenticate natively to AD you need Kerberos services to work
In the smb.conf Globals section we need
    security = ADS               (use AD for authentication)
    realm = ME.LOCAL             (the realm is your local DNS domain name)
    password server = RIVENDELL  (NetBIOS name of the Windows PDC)
SID must be correct
    If errors show in SID use
        smbnet getlocalsid domainname
        smbnet setlocalsid S-1-5-21-x-y-z
        Run smbnet ads status -U administrator (you should get a big dump of data)
        Re-run smbnet ads join -U administrator

Sharing Directories

In the SWAT Shares screen
    Enter a new share name & click on Create Share

Sharing Directories

Fill in options for this share
Optionally
    Add special user conditions
    Turn on/off Guest Access
    Control host access
    Set Browseable
NB – a blank entry for valid users means anyone can access the share
If hosts are allowed then only those hosts are allowed
Click on Commit Changes when done

smb.conf Entries

This will create a section in smb.conf for this share
[U Filesystem]
    path = /u
    valid users = kirk, @Administrators
    hosts deny = 192.168.0.5

Sharing Unix Printers

Configuring the Print Server

By default Samba will load all of the printers in the /etc/printcap file
    This is done by the Global option Load Printers=yes
Printing mode is sysv
    Optionally on Legend you can use CUPS
In the Globals screen/Advanced View you can set print spooler options (defaults work well)

Sharing all printers

In the Printers tab:
• Choose “printers”
• Note Browseable option
• Set Hosts to allow & Deny

Adding a Specific Printer

Enter Printer Name
Click on Create Printer
Make printer specific settings
Set Browseable to Yes
Commit changes

Accessing the Printer from Windows

To use this printer from Windows:
• Start
• Printers
• Add a Printer
• Choose a Network Printer
• Choose connect to this Printer
    • (leave name blank)
• Drill down to printer

Setting Up Windows Clients

Configuring the Windows Clients

From the Control Panel select Networking-Local Area Connection
Select Properties
Ensure File & Print Sharing for Microsoft Networks is installed
Select Internet Protocol (TCP/IP) and then Properties

Configuring the Windows Clients

Select Control Panel-System
Choose the Network Identification Wizard (Network ID button) and enter your machine name and Domain Name or Workgroup
You will be prompted for an admin user name and password on the domain controller

Configuring the Windows Clients

If using DHCP select “Obtain Address Automatically”
Otherwise populate all fields
Select the Advanced tab

Configuring the Windows Clients

If not using DHCP you must add the IP Address and Gateway
Likewise, DHCP will automatically add DNS & WINS information

Configuring the Windows Clients

If not using DHCP populate DNS & WINS Screens

Configuring Windows Clients

From the Desktop
    - My Network Places
    - Microsoft Windows Network
Choose your Domain (ME)
The Samba Server should be displayed (FANGORN)
Expand the Server and Shares should appear
Double click on the Server’s name to see Shares
Alt-click on a Share to consume it
Double click on it to Browse

Using Windows Resources

Using smbclient

smbclient is a CIFS client that allows the Samba system to consume resources from other CIFS servers
Usage: [-?EgVNkP] [--usage] [-R NAME-RESOLVE-ORDER] [-M HOST] [-I IP] [-L HOST] [-t CODE] [-m LEVEL] [-T<c|x>IXFqgbNan] [-D DIR] [-c ARG] [-b BYTES] [-p PORT] [-d DEBUGLEVEL] [-s CONFIGFILE] [-l LOGFILEBASE] [-O SOCKETOPTIONS] [-n NETBIOSNAME] [-W WORKGROUP] [-i SCOPE] [-U USERNAME] [-A FILE] [-S on|off|required] service <password>

smbclient -L

Use to list shared resources on a server
    rohan:~$ smbclient -L bilbo
    Password:
    Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

            Sharename       Type      Comment
            ---------       ----      -------
            E$              Disk      Default share
            IPC$            IPC       Remote IPC
            D$              Disk      Default share
            downloads       Disk
            ADMIN$          Disk      Remote Admin
            C$              Disk      Default share
            ExchangeData    Disk
    Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

            Server               Comment
            ---------            -------

            Workgroup            Master
            ---------            -------
    rohan:~$

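A small parser for the share table that smbclient -L prints, added here as an example; it is not code from the slides or from the Samba project. It slices the table at the header's column positions (so a share name containing a space, such as the deck's "U Filesystem", survives) and then separates the administrative shares (names ending in $) from the user shares, which is the first thing to review when checking what a server exposes. SAMPLE_OUTPUT is constructed to match the layout on the slide, with one extra share added.

```python
# Added example (not from the slides or Samba): parse the Sharename table
# from "smbclient -L" output and split administrative from user shares.
# SAMPLE_OUTPUT is constructed to follow the slide's layout; the last
# share ("U Filesystem") is added to show a name containing a space.
SAMPLE_OUTPUT = "\n".join([
    "Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]",
    "",
    "\tSharename       Type      Comment",
    "\t---------       ----      -------",
    "\tE$              Disk      Default share",
    "\tIPC$            IPC       Remote IPC",
    "\tD$              Disk      Default share",
    "\tdownloads       Disk",
    "\tADMIN$          Disk      Remote Admin",
    "\tC$              Disk      Default share",
    "\tExchangeData    Disk",
    "\tU Filesystem    Disk      Shared data",
    "Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]",
    "",
    "\tServer               Comment",
    "\t---------            -------",
    "",
])


def parse_share_list(output):
    """Return [{'name', 'type', 'comment'}, ...] from the Sharename table.

    Columns are sliced at the positions of the header words rather than
    split on whitespace, so share names containing spaces are kept whole.
    """
    lines = output.splitlines()
    shares = []
    for i, line in enumerate(lines):
        if not line.lstrip().startswith("Sharename"):
            continue
        type_col = line.index("Type")
        comment_col = line.index("Comment")
        for row in lines[i + 2:]:                 # i + 1 is the dashes line
            # the table ends at a blank line or an unindented line
            if not row.strip() or not row[0].isspace():
                break
            shares.append({
                "name": row[:type_col].strip(),
                "type": row[type_col:comment_col].strip(),
                "comment": row[comment_col:].strip(),
            })
        break
    return shares


def admin_shares(shares):
    """Administrative shares are the ones whose name ends in '$'."""
    return [s["name"] for s in shares if s["name"].endswith("$")]


def user_shares(shares):
    """Everything that is not an administrative share."""
    return [s["name"] for s in shares if not s["name"].endswith("$")]


if __name__ == "__main__":
    found = parse_share_list(SAMPLE_OUTPUT)
    print("administrative:", admin_shares(found))
    print("user shares:   ", user_shares(found))
```

On a real system feed the function the captured output of `smbclient -L servername` instead of SAMPLE_OUTPUT; the Server and Workgroup tables that follow are ignored because the loop stops at the first unindented line.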
Accessing Windows Files

Use smbclient to connect to a File Share and get an FTP-like interface
    rohan:~$ smbclient //bilbo/downloads -Ukirk
    Password:
    Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
    smb: \>

At the smb prompt you can use commands similar to FTP: cd, dir, get, mget etc.

Listing Files

rohan:~$ smbclient //bilbo/downloads -Ukirk
Password:
Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \> dir
  .                                   D          0  Mon May 30 14:46:16 2005
  ..                                  D          0  Mon May 30 14:46:16 2005
  AdbeRdr60_enu_full.exe              A   16706160  Wed Apr 13 16:40:49 2005
  bilbo01_1024x768.jpg                A     317087  Tue Jul  6 12:59:22 2004
  casedge                             D          0  Tue Nov 30 16:20:08 2004
  genica                              D          0  Tue Nov 30 14:26:54 2004
  gn788.zip                           A     565618  Thu Oct 14 14:58:33 2004
  ISA2004Enterprise.iso               A  114960384  Sun Apr 24 18:50:35 2005
  iTunesSetup.exe                     A   21904216  Mon May 30 14:46:16 2005
  ppviewer.exe                        A    1951432  Wed Apr 13 16:26:26 2005
  Product_Training_April_v_4.ppt      A    4551680  Wed Apr 13 16:30:37 2005
  RealPlayer10-5GOLD.exe              A   10827296  Thu Apr 21 23:25:11 2005
  RiskFilter_403.ISO                  A  376932352  Mon Jan 10 15:21:51 2005
  threatdetector.exe                  A   17345027  Mon May 16 16:02:34 2005
  W2KSP2.exe                          A  106278016  Tue Nov 30 16:33:23 2004
  W2Ksp3.exe                          A   32913953  Tue Dec 14 14:42:37 2004

                51740 blocks of size 524288. 44090 blocks available
smb: \>

Getting a file

smb: \> cd casedge
smb: \casedge\> dir
  .                        D         0  Tue Nov 30 16:20:08 2004
  ..                       D         0  Tue Nov 30 16:20:08 2004
  audio                    D         0  Tue Nov 30 16:23:03 2004
  audio_0050.exe           A  19342431  Tue Nov 30 16:22:32 2004
  lan                      D         0  Tue Nov 30 14:19:29 2004
  usb                      D         0  Tue Nov 30 14:21:29 2004
  video                    D         0  Tue Nov 30 14:20:39 2004

                51740 blocks of size 524288. 44090 blocks available
smb: \casedge\> cd video
smb: \casedge\video\> dir
  .                        D         0  Tue Nov 30 14:20:39 2004
  ..                       D         0  Tue Nov 30 14:20:39 2004
  autorun.inf              A        34  Thu Jul 11 16:07:42 2002
  Graphics                 D         0  Tue Nov 30 14:20:39 2004
  ReadMe.txt               A     27090  Thu Jul 11 18:02:00 2002

                51740 blocks of size 524288. 44090 blocks available
smb: \casedge\video\> get ReadMe.txt
getting file \casedge\video\ReadMe.txt of size 27090 as ReadMe.txt (464.1 kb/s) (average 464.1 kb/s)
smb: \casedge\video\>

Using a Printer

Configure CUPS printing on the Unix Server
Use smbclient -L servername to identify the sharename of the available printers
Create a PPD file for the Windows printer
Install the printer to CUPS
    root# lpadmin -p winprinter -v smb://frodo/psc2200 -P /path/to/PPDfile

Special Considerations

Real Time updates of smb.conf
    The smb.conf file is reread on each new connection and every 60 seconds
    Manually changing smb.conf can interrupt existing connections
Sharing datafiles with Windows & Unix Apps
    By default Samba enables Opportunistic locking for local data caching
    This should only be used where shares are used exclusively
    In the Globals-Advanced View-Locking set the oplocks and level2 oplocks to No
    You can also disable oplocks on a per share basis in Shares-Share Properties-Advanced-Locking

Securing your Samba Server

If possible Samba servers should be behind the firewall
Host-Based Protection
    You can restrict access to certain systems in the Globals-Host Allow/Deny options to create entries
        hosts allow = 127.0.0.1, 192.168.0.0/24
        hosts deny = 0.0.0.0/0
    These entries allow only local and from the 192.168.0 net and deny everyone else
User Based Protection
    You can restrict access to certain users or groups from the Globals-(in)valid users option

Securing your Samba Server

You can control access by Interface with Globals-Interfaces
    eth0 lo as an example will only listen on the loopback and eth0, but not on eth1, eth2 etc
    You must set Bind Interfaces Only in the Advanced screen for this to work
    Useful on dual-homed systems
Blocking IPC$ Shares
    Cannot be done from SWAT
    Add lines to smb.conf
        [IPC$]
        Hosts Allow = 127.0.0.1, 192.168.0.0/24
        Hosts Deny = 0.0.0.0/0
    NB – this will be overwritten if you use SWAT to rebuild smb.conf

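The two "Securing your Samba Server" slides, the smb.conf file slide and the testparm slide all come down to reading smb.conf and reasoning about what its host restrictions actually allow. The block below is an added example, not code from the slides or from the Samba project: a minimal smb.conf reader that normalises parameter names the way Samba does (case and whitespace ignored, so "Hosts Allow" and "hosts allow" are the same key and share sections inherit their defaults from [global]), the hosts allow / hosts deny decision in the order the smb.conf documentation describes it (an allow-list match wins, then the deny list decides, and no lists means allowed), and a few audit checks for the settings the deck calls out: security = share, interfaces without bind interfaces only, a missing global hosts allow, and a missing [IPC$] section. SAMPLE_SMB_CONF is constructed by combining the deck's [global], [IPC$] and [U Filesystem] fragments; host names and netgroups in the lists are not resolved here.

```python
# Added example, not from the slides or the Samba project: a small
# smb.conf reader, the hosts allow / hosts deny decision in the order the
# smb.conf documentation describes it, and audit checks for the settings
# the deck calls out. SAMPLE_SMB_CONF is constructed from the deck's
# [global], [IPC$] and [U Filesystem] fragments.
import ipaddress
import re

SAMPLE_SMB_CONF = """
[global]
    workgroup = ME
    security = DOMAIN
    interfaces = net0, lo0
    bind interfaces only = Yes
    hosts allow = 127.0.0.1, 192.168.0.0/24
    hosts deny = 0.0.0.0/0

[IPC$]
    Hosts Allow = 127.0.0.1, 192.168.0.0/24
    Hosts Deny = 0.0.0.0/0

[U Filesystem]
    path = /u
    hosts deny = 192.168.0.5
"""

def normalise(name):
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section name: {normalised parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][normalise(key)] = value.strip()
    return sections

def find_section(conf, name):
    """Section names match case-insensitively ([IPC$] and [ipc$] are the same)."""
    for key, params in conf.items():
        if key.lower() == name.lower():
            return params
    return None

def effective(conf, share):
    """Share parameters take their defaults from [global], as Samba does."""
    merged = dict(find_section(conf, "global") or {})
    merged.update(find_section(conf, share) or {})
    return merged

def split_list(value):
    """Samba list values are separated by commas and/or whitespace."""
    return [v for v in re.split(r"[,\s]+", value) if v]

def addr_matches(client, entries):
    """True if the client IP matches an entry: ALL, a '192.168.0.' prefix, or CIDR."""
    ip = ipaddress.ip_address(client)
    for entry in entries:
        if entry.upper() == "ALL":
            return True
        if entry.endswith("."):                  # Samba's dotted-prefix form
            if client.startswith(entry):
                return True
            continue
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:                       # host names are not resolved here
            continue
    return False

def host_allowed(params, client):
    """Allow list wins; otherwise the deny list decides; no lists means allowed."""
    allow = split_list(params.get("hostsallow", ""))
    deny = split_list(params.get("hostsdeny", ""))
    if not allow and not deny:
        return True
    if not deny:
        return addr_matches(client, allow)
    if not allow:
        return not addr_matches(client, deny)
    return addr_matches(client, allow) or not addr_matches(client, deny)

def audit(conf):
    """Findings for the settings the slides flag as risky or easy to get wrong."""
    g = find_section(conf, "global") or {}
    yes = ("yes", "true", "1")
    findings = []
    if g.get("security", "").lower() == "share":
        findings.append("security = share is not recommended and upsets newer Windows clients")
    if "interfaces" in g and g.get("bindinterfacesonly", "no").lower() not in yes:
        findings.append("interfaces is set without bind interfaces only: smbd still listens everywhere")
    if not split_list(g.get("hostsallow", "")):
        findings.append("no global hosts allow: any address may reach the shares")
    if find_section(conf, "IPC$") is None:
        findings.append("no [IPC$] section: IPC$ is not restricted")
    return findings

if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for share in ("IPC$", "U Filesystem"):
        for client in ("127.0.0.1", "192.168.0.5", "10.0.0.9"):
            verdict = "allowed" if host_allowed(effective(conf, share), client) else "denied"
            print(f"{share:<13} {client:<12} {verdict}")
    print("audit findings:", audit(conf) or "none")
```

The sample exposes the caveat worth knowing before relying on a share-level hosts deny: under this precedence rule the [U Filesystem] entry `hosts deny = 192.168.0.5` has no effect when the inherited global `hosts allow` already covers 192.168.0.0/24, because the allow-list match is checked first. On its own (no hosts allow anywhere) the same deny line blocks that host. This reader knows nothing about parameters it has not been taught and does not resolve names, so testparm on the real server remains the syntax check of record; this block is for reasoning about the access lists before committing them.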
Resources

http://www.samba.org
http://us1.samba.org/samba/docs/man/samba.7.html

The Official Samba-3 HOWTO and Reference Guide by John Terpstra and Jelmer R. Vernooij

Samba – Installation & Configuration

Questions

posted: 3/4/2010