SAMBA 3 Helper
This web page is primarily for setting up Samba 3 on a BSD or Linux computer as a primary domain controller. If you simply want to share files and printers with windows machines on your network, using Samba 3, most of the things on this page will still be relevant to you. However, you will need to make changes to a few of the 'smb.conf' entries, such as security, local master, domain master, preferred master, domain logons, wins support, dns proxy, msdfs root, and host msdfs. These entries would typically be removed from smb.conf so that the default values will apply.
Setting up SAMBA 3 for a Domain Controller is a bit more difficult than setting up DHCP or DNS, or CUPS (for printing). But in order to get it 'up and running' as quickly as possible, you can follow the general instructions on this web page, which are intended as a quick 'how to' guide for Samba 3 as a Domain Controller. All of the necessary files for setting up a Samba-based domain controller for FreeBSD are included 'in line' and may be 'clipped out' and used as you see fit. For other operating systems, such as Linux, you may need to edit them slightly to get them to work. In particular, the shell scripts make use of the 'pw' application to add and modify users and groups, which is specific to FreeBSD.
Additional information can be found in the Samba documentation, which is installed in the local documentation tree on your computer, specifically the file 'samba/howto/FastStart.html' under the heading of 'Domain Controller'.
The following is a 'short list' of the things that need to be accomplished using the sample files, plus some additional information. The first step, of course, is to install the latest version of Samba 3 on your computer. Following that, you should do each of these steps in the order specified.
- modify and add the contents of the sample 'group' file to the /etc/group file on your system. You will need to check for 'overlap' to make sure that no duplicate groups (or duplicate group ID's) already exist in the file.
- Add the user 'administrator' using the appropriate utility (such as 'adduser'), and using the 'samba' group as the primary group. Then, add it to the wheel group.
- Copy the 'smb-' scripts into the /usr/local/sbin/ directory, and mark them 'executable'. This can be done using 'chmod 555' on each of them.
- Copy the 'samba_dns_update' script to /usr/local/sbin/, and mark it 'executable'.
- modify 'smb.conf', specifically those entries that contain the following:
- the IP address '192.168.1.1'
- The domain name 'WORKGROUP.local'
- The machine name 'FreeBSDServer'
- Create a directory /usr/local/lib/samba/profiles/, make it world-writable
- Create a directory /usr/local/lib/samba/drivers/, make it world-readable
- Create a directory /usr/local/lib/samba/netlogon/, make it world-writable
- Start Samba (or re-start the system). Once Samba is up and running, perform the following:
- Run the script 'mapgroup.sh'.
- smbpasswd -a root (and enter root password)
- smbpasswd -a administrator (and enter administrator password)
- If necessary, perform the following manually
- add a machine to the domain by first creating a user 'machinename$' (where 'machinename' is the NETBIOS name of the machine) as a member of the group 'machines'. The 'smb-add-machine' script should perform this action.
- use smbpasswd -m machinename$ to make it 'official'.
NOTE: The paths '/usr/local/lib/samba', '/usr/local/sbin', and '/usr/local/etc' are all implementation-dependent. You can use 'whereis' and other utilities to determine where the files and applications reside.
At this point, so long as DHCP, DNS, and CUPS are correctly configured, your Samba installation should allow your UNIX or Linux server to operate as a Primary Domain Controller (PDC) and DHCP server for your network.
The Files
The contents of the various files are shown here. You can 'clip' the text out of the html text and paste it into the appropriately named file, modifying the text as needed for your operating system, machine name, domain name, and network settings.
smb.conf
#======================= Global Settings =====================================
[global]
# modify these for your domain name
workgroup = WORKGROUP.local
realm = WORKGROUP.local
# modify these for your server name
netbios name = FreeBSDServer
server string = FreeBSDServer Domain Controller for WORKGROUP.local
# modify these next entries for your IP address and netmask. The settings
# below reflects 192.168.1/24 and 127/8, with IP addres 192.168.1.1 and 127.0.0.1
hosts allow = 192.168.1. 127.
socket address = 192.168.1.1 127.0.0.1
# setting up as a domain controller. 'man smb.conf' for explanation
security = user
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
wins support = yes
dns proxy = yes
os level = 33
msdfs root = yes
host msdfs = yes
obey pam restrictions = yes
time server = yes
# force LM announcements every 2 minutes
lm announce = yes
lm interval = 120
# global file masks
directory mask = 0777
force directory mode = 0555
create mask = 0666
force create mode = 0444
# name resolution
name resolve order = wins bcast
# printers - configured to use CUPS and automatically load them
load printers = yes
printcap name = cups
printing = cups
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
# if you want to have a backup domain controller, or participate
# as part of a larger domain, you will need to use 'ldapsam' and
# do some additional configuration.
; passdb backend = ldapsam
passdb backend = tdbsam
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
# this line. The included file is read at that point.
; include = /usr/local/etc/smb.conf.%m
# scripts invoked by Samba
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts;
# NOTE: the original entries are commented out. They may be valid on
# some operating systems. The ones not commented out invoke the
# script files that are copied to '/usr/local/sbin'. You should
# update this section based upon the requirements of your OS.
#
; add user script = /usr/sbin/useradd %u
; add group script = /usr/sbin/groupadd %g
; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
; delete user script = /usr/sbin/userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
; delete group script = /usr/sbin/groupdel %g
add user script = /usr/local/sbin/smb-add-user %u
add group script = /usr/local/sbin/smb-add-group %g
add machine script = /usr/local/sbin/smb-add-machine %u
add user to group script = /usr/local/sbin/smb-add-user-group %u %g
delete user script = /usr/local/sbin/smb-rm-user %u
delete user from group script = /usr/local/sbin/smb-rm-user-group %u %g
delete group script = /usr/local/sbin/smb-rm-group %g
# 'wins hook' script - call to 'nsupdate' to update DNS automatically
wins hook = /usr/local/sbin/samba_dns_update
# log files
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 50
# login scripts
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
# user profiles (default is sufficient, see 'profiles' share)
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
logon path = \\%L\Profiles\%U
# socket options
# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY
#============================ Share Definitions ==============================
# netlogon directory, necessary for Domain Logons
[netlogon]
comment = Network Logon Service
path = /usr/local/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no
# 'Roving Profile' share (in lieu of the user's home directory)
[Profiles]
path = /usr/local/lib/samba/profiles
browseable = no
guest ok = yes
writable = yes
# 'printers' share (no need to individually declare them if the printers
# are being automatically loaded and CUPS is properly configured)
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = yes
writable = no
printable = yes
printer admin = @wheel
# path to printer drivers (see CUPS documentation)
[print$]
comment = Printer Drivers
path = /usr/local/lib/samba/drivers
browseable = yes
guest ok = yes
writable = no
printable = no
group
You will need to add the following text to the end of the '/etc/group' file. Make sure that there are no overlaps with names or ID's for any existing groups. You can edit the group ID's as needed.
(You should also change 'WORKGROUP' to the name of your domain, or else remove it if you do not want a group that represents the domain)
# these group entries need to be added to the '/etc/group' file
#
# samba requires a 'machines' group equal to 100
machines:*:100:
# locally defined groups. the first is the domain group 'WORKGROUP'
# you should change this depending upon the domain
WORKGROUP:*:1001:
# group added for 'dhcpd'
dhcpd:*:1002:
# group added for 'samba' (default for all new Samba users)
samba:*:1003:administrator,root
# additional 'operator' groups for Samba - print, account, backup
print:*:1004:
account:*:1005:
backup:*:1006:
mapgroup.sh
The following script will associate the various 'Samba' groups (compatible with Windows) with UNIX groups defind in the '/etc/group' file. Some of the examples were left 'as-is' and commented out, using examples obtained from the Samba documentation. Additional information as comments has been placed at the end of the script in order to document the correct 'RID' values, should you need to re-create the groups yourself.
(You should make sure that each of the groups referenced in the script actually exist, and add them to the '/etc/group' file if they do not).
#!/bin/sh
#### Keep this as a shell script for future re-use
# assign well known groups for the domain
# net groupmap add ntgroup="Domain Admins" unixgroup=wheel type=d rid=512
# net groupmap add ntgroup="Domain Users" unixgroup=samba type=d rid=513
# net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d rid=514
net groupmap modify ntgroup="Domain Admins" unixgroup=wheel
net groupmap modify ntgroup="Domain Users" unixgroup=samba
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
# now, do the local groups. Change 'WORKGROUP' to the group that is
# associated with the domain name.
net groupmap modify ntgroup="Administrators" unixgroup=wheel
net groupmap modify ntgroup="Users" unixgroup=samba
net groupmap modify ntgroup="Guests" unixgroup=guest
net groupmap modify ntgroup="Power Users" unixgroup=WORKGROUP
net groupmap modify ntgroup="Account Operators" unixgroup=account
net groupmap modify ntgroup="System Operators" unixgroup=operator
net groupmap modify ntgroup="Print Operators" unixgroup=print
net groupmap modify ntgroup="Backup Operators" unixgroup=backup
net groupmap modify ntgroup="Replicators" unixgroup=staff
# list of domain groups and RID's
# Domain Admins 200H
# Domain Users 201H
# Domain Guests 202H
# list of local groups
# Administrators 26
# Users 27
# Guests 28
# Power Users 29
# Account Operators 30
# System Operators 31
# Print Operators 32
# Backup Operators 33
# Replicators 34
samba_dns_update
This script is called by Samba to automatically update DNS. You should modify it as necessary for your system, and change the 'WORKGROUP.local' and IP address information accordingly.
#!/bin/sh
#
# Example script for "wins hook". This attempts to update the DNS with
# new A records for the NETBIOS name that Samba passes us. We do this
# the simple way, by deleting all DNS records for the name and then
# readding all the expected 'A' records.
#
# Written by Stephen Rothwell
#
#
# Configurable things
#
# The domain in which to create names
# YOU MUST CHANGE THIS
# N.B. include the trailing dot
#
# It is a good idea to use a subdomain of your primary domain to ensure
# that rogue machines can't take over (or delete) important names on
# your network.
DOMAIN=WORKGROUP.local.
#
# The DNS TTL to give the records (in seconds)
#
TTL=3600
#
# NETBIOS name types that we want to create DNS records for:
# 20 is server
# 00 is workstation
# 03 is user
#
USEFUL_TYPES="20 00 03"
#
# The name of a cache file to use to avoid continual updates
# of the same name and IP addresses. If you comment this out
# then the cache is not kept at all.
#
#CACHE_FILE=/usr/local/samba/var/wins_update.cache
if [ $# -lt 4 ]; then
echo "Usage: $0 op name type ttl [ip_addr ...]" 1>&2
echo " op is one of add, refresh, delete" 1>&2
echo " name is the NETBIOS name" 1>&2
echo " type is the NETBIOS name type" 1>&2
echo " ttl is the NETBIOS time to live" 1>&2
echo " ip_addr's are the remaining IP addresses for this name" 1>&2
exit 1
fi
NSUPDATE=`which nsupdate`
[ -x "$NSUPDATE" ] || NSUPDATE=/usr/bin/nsupdate
[ -x "$NSUPDATE" ] || NSUPDATE=/sbin/nsupdate
[ -x "$NSUPDATE" ] || NSUPDATE=/usr/sbin/nsupdate
[ -x "$NSUPDATE" ] || {
echo "Cannot find nsupdate." 1>&2
exit 1
}
OP=$1
NAME=$2
TYPE=$3
WINS_TTL=$4
shift 4
IP_ADDRS="$@"
do_update=0
for i in $USEFUL_TYPES
do
[ "$TYPE" = "$i" ] && do_update=1
done
[ $do_update = 1 ] || exit 0
if [ -n "$CACHE_FILE" ]; then
if [ -r "$CACHE_FILE" ]; then
fgrep -q -x -i "$NAME $IP_ADDRS" "$CACHE_FILE" &&
exit 0
grep -v -i "^$NAME " "$CACHE_FILE" >"$CACHE_FILE".$$
fi
echo "$NAME $IP_ADDRS" >>"$CACHE_FILE".$$
mv "$CACHE_FILE" "$CACHE_FILE".old 2>/dev/null
mv "$CACHE_FILE".$$ "$CACHE_FILE"
fi
{
echo update delete $NAME.$DOMAIN
for i in $IP_ADDRS
do
echo update add $NAME.$DOMAIN $TTL A $i
done
echo
} 2>/dev/null | $NSUPDATE >/dev/null 2>&1 &
exit 0
smb-add-group
Script called by Samba to add a group. Modify this for your system, as needed.
#!/bin/sh
# called by samba to add a group
echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log
x=`pw groupnext`
if $( test ! -n "$x" )
then
echo "unable to get next group ID";
else
if $( test -n "$1" )
then
pw groupadd -n $1 -g $x ;
fi
fi
smb-add-machine
Script called by Samba to add a machine, by adding a user to the 'machines' group. Modify this for your system, as needed. If this script does not function correctly, you will not be able to join a domain without manually adding the machine as a user, both to the UNIX password database and the Samba password database.
#!/bin/sh
# called by samba to add a machine as a special user
echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log
x=`pw usernext`
if $( test ! -n "$x" )
then
echo "unable to get next user ID";
else
if $( test -n "$1" )
then
pw useradd -q -n $1 -u $x -d /dev/null -s /sbin/nologin -g machines ;
fi
fi
smb-add-user
Script called by Samba to add a user. Modify this for your system, as needed.
#!/bin/sh
# called by samba to add a user
echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log
x=`pw usernext`
if $( test ! -n "$x" )
then
echo "unable to get next user ID";
else
if $( test -n "$1" )
then
pw useradd -q -n $1 -u $x -d /dev/null -s /sbin/nologin -g samba ;
fi
fi
smb-add-user-group
Script called by Samba to add a user to a group. Modify this for your system, as needed.
#!/bin/sh -f
# the '-f' parameter prevents file name expansion
echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log
if ( test -n "$1" )
then
if ( test -z "$2" )
then
echo "missing group name";
else
x=`pw groupshow -n $2 | sed s/:/,/g ` ;
y=1
u="$1"
g="$2"
m=
IFS=,
c=""
for i in $x ; do
if ( test $y -gt 3 )
then
if ( test "$u" = "$i" )
then
exit 1;
fi
fi
y=$(expr $y + 1)
done
unset IFS
pw groupmod -n $g -m $u ;
fi
fi
smb-rm-group
Script called by Samba to remove a group. Modify this for your system, as needed.
#!/bin/sh
# called by samba to delete a user
echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log
if $( test -n "$1" )
then
pw groupdel -n $1;
fi
smb-rm-user
Script called by Samba to remove a user. Modify this for your system, as needed.
#!/bin/sh
# called by samba to delete a user
echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log
if $( test -n "$1" )
then
pw userdel -n $1;
fi
smb-rm-user-group
Script called by Samba to remove a user from a group. Modify this for your system, as needed.
(I am rather proud of this script, actually, being one of the more creative things I've done recently)
#!/bin/sh -f
# the '-f' parameter prevents file name expansion
echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log
if ( test -n "$1" )
then
if ( test -z "$2" )
then
echo "missing group name";
else
x=`pw groupshow -n $2 | sed s/:/,/g ` ;
y=1
u="$1"
g="$2"
m=""
IFS=,
c=""
for i in $x ; do
if ( test $y -gt 3 )
then
if ( test "$u" = "$i" )
then
c="pw groupmod -n $g -M";
elif ( test -z "$m")
then
m="$i";
else
m="$m,$i";
fi
fi
y=$(expr $y + 1)
done
unset IFS
if ( test -n "$c" )
then
eval $c $m ;
fi
fi
fi
Additional Configuration
Of course, you will need to add shares to your 'smb.conf' file, but this should be relatively straightforward. For more information you can use 'man smb.conf' or look at the sample 'smb.conf' file that was installed when you installed Samba. The shares that were put into the 'smb.conf' sample, above, are the minimum required to get the system running properly. Still, they can serve as examples for setting up your own shares. A few were commented out that demonstrate typical read/write shares. If you want to set up access lists, make the shares unlistable or read-only, you should check the documentation on Samba and smb.conf for information on how to do that. The point of the files here is to "get you started" and not be a general guide for administering your system.
Backing Up your Configuration
It is VERY VERY IMPORTANT that you back up your system configuration as often as you can. Samba, like any software, is not perfect, and files can occasionally become corrupted for a number of reasons, including power outages. Because this is a domain controller, you should back your initial configuration at the very least, and each time you add a workstation or a user to the system. This way, if the database becomes corrupt or loses data, you can restore everything without having to 'rejoin the domain' on every workstation. The configuration nightmare of THAT scenario is not something I'd wish upon anyone. And this goes double if you are using the 'TDB' system rather than LDAP (or if you are using LDAP without a backup domain controller to restore from).
If you are using the TDB method (the default) to store the configuration data, you should make sure you shut down 'smbd' and 'nmbd' before you back up the data. To do this, you can use the following commands:
smbcontrol nmbd shutdown
smbcontrol smbd shutdown
This will shut down all running instances of nmbd and smbd. Next, you need to know where all of the files are stored. If you enter 'man tdbbackup' you will get a hint of where they MIGHT be, but this is sometimes less than helpful. However, on a FreeBSD system, the files you are interested in are located in the following directories:
/var/db/samba
/usr/local/private
Again, on your system it may differ slightly (see 'man tdbbackup'). Once you have located the files, backing them up is as changing to the appropriate directory, and entering the following command:
tdbbackup *.tdb
This will generate a group of files with '.bak' extensions that are backups of the TDB files in the directory. Using the same application you can also verify AND automatically restore any backed up tdb files.
Since the password information is stored in the 'private' directory ('/usr/local/private' on a FreeBSD system), it is extremely important that you back THIS up. Not making a backup of the password information for a domain controller might mean a weekend or all-night stay at 'the office' re-configuring everybody's workstation for the 'new' domain because when you re-initialize a domain controller, all of the security ID's change, and windows machines will recognize that as a DIFFERENT domain, and all of the user settings for the OLD logon will be lost, and though you can recover them with a little creativity, it's not the easiest process in the world, and requires knowledge of the registry, re-assignment of security settings. and some creativity in 'hacking' certain registry entries. But someday I might write an application to do just this. It IS something that can be rather painful to deal with if your domain controller ever goes down, and you have to create a new one. And I've seen this happen before.
NOTE: The procedure to recover user settings after a domain crash on a Windows 2000 or XP workstation can be found HERE.
Additional SAMBA-related Links
www.Samba.org | Official Samba web site, with the latest code, patches, and announcements |
9-user Server Example | Article from 'www.informit.com', regarding an example 9 user network configuration using Samba 3. It details the necessary configuration file entries for 'smb.conf' and for CUPS to meet the requirements of the example network. |
©2005 by Stewart~Frazier Tools, Inc. - all rights reserved
Last Update: 6/28/2005
Back to 'Windows to Unix' page
Back to S.F.T. Inc. main page