1.0: Configuring Samba: Difference between revisions
No edit summary |
No edit summary |
||
Line 15: | Line 15: | ||
---- |
---- |
||
== [[1.0: Configuring Samba]] == |
|||
Revision as of 15:48, 25 January 2007
3.0: Initialization LDAP Database
5.0: Heartbeat HA Configuration
1.0: Configuring Samba
Samba is an ambitious project to provide solutions for file & print sharing between Linux ™ and Microsoft Windows.
If you are familiar with Samba this document may give you some ideas of how you can bundle different software packages together to produce a very reliable configuration.
We are building a fault tolerant domain controller, which provides you with the following;
Samba Configuration
- Primary Domain Controller
- Backup Domain Controller
A master domain controller, that provides authentication through the use of LDAP
A slave domain controller that can load balance client login requests which also provide redundancy through the use of a replica LDAP database.
Step1
Get the latest version of samba http://us4.samba.org/samba/ftp/samba-latest.tar.gz
It is essential that both the PDC and BDC are running the same version of samba.
[root@node1 samba]# wget http://us4.samba.org/samba/ftp/samba-latest.tar.gz --19:28:04-- http://us4.samba.org/samba/ftp/samba-latest.tar.gz => `samba-latest.tar.gz' Resolving us4.samba.org... 192.48.170.15 Connecting to us4.samba.org|192.48.170.15|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 17,704,221 (17M) [application/x-tar] 100%[====================================>] 17,704,221 53.01K/s ETA 00:00 19:33:40 (51.62 KB/s) - `samba-latest.tar.gz' saved [17704221/17704221]
Step2
[root@node1 samba]# tar zxvf samba-latest.tar.gz [root@node1 samba]# cd samba-3.0.23d/
Choose the appropriate distribution.
[root@node1 samba-3.0.23d]# cd packaging/ bin/ Example/ Mandrake/ RedHat-9/ SGI/ SuSE/ Debian/ LSB/ README RHEL/ Solaris/ sysv/
Step3
This will take some time.
[root@node1 samba-3.0.23d]# cd packaging/RHEL/ [root@node1 RHEL]# ls makerpms.sh makerpms.sh.tmpl samba.spec samba.spec.tmpl setup
[root@node1 RHEL]# chmod 777 makerpms.sh [root@node1 RHEL]# ./makerpms.sh Wrote: /usr/src/redhat/SRPMS/samba-3.0.23d-1.src.rpm Wrote: /usr/src/redhat/RPMS/i386/samba-3.0.23d-1.i386.rpm Wrote: /usr/src/redhat/RPMS/i386/samba-client-3.0.23d-1.i386.rpm Wrote: /usr/src/redhat/RPMS/i386/samba-common-3.0.23d-1.i386.rpm Wrote: /usr/src/redhat/RPMS/i386/samba-swat-3.0.23d-1.i386.rpm Wrote: /usr/src/redhat/RPMS/i386/samba-doc-3.0.23d-1.i386.rpm Wrote: /usr/src/redhat/RPMS/i386/samba-debuginfo-3.0.23d-1.i386.rpm makerpms.sh: Done. [root@node1 RHEL]#
Step4
Install the RPM files we built from source.
[root@node2]# cd /usr/src/redhat/RPMS/i386/
[root@node1 i386]# rpm -Uvh samba-3.0.23d-1.i386.rpm samba-client-3.0.23d-1.i386.rpm samba-common-3.0.23d-1.i386.rpm samba-debuginfo-3.0.23d-1.i386.rpm samba-doc-3.0.23d-1.i386.rpm samba- swat-3.0.23d-1.i386.rpm Preparing... ########################################### [100%] 1:samba-common ########################################### [ 17%] 2:samba ########################################### [ 33%] 3:samba-client ########################################### [ 50%] 4:samba-debuginfo ########################################### [ 67%] 5:samba-doc ########################################### [ 83%] 6:samba-swat ########################################### [100%] [root@node1 i386]#
Step5
Login to node2 – the backup domain controller and repeat the above steps.
1.1 smb.conf PDC
You will need to replace the high lightened parameters with your domain name. Take note of the use of failover ldap backbends; this is very useful.
[root@node2 ~]# mkdir /data [root@node1 ~]# vi /etc/samba/smb.conf
# # Primary Domain Controller smb.conf # # Global parameters [global] unix charset = LOCALE workgroup = DDESIGN netbios name = node1 #passdb backend = ldapsam:ldap://127.0.0.1 #passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3" passdb backend =ldapsam:"ldap://node1.differentialdesign.org ldap://node2.differentialdesign.org" username map = /etc/samba/smbusers log level = 1 syslog = 0 log file = /var/log/samba/%m max log size = 0 name resolve order = wins bcast hosts time server = Yes printcap name = CUPS add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u' delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u' add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g' delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g' add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u' delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u' set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u' add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u' shutdown script = /var/lib/samba/scripts/shutdown.sh abort shutdown script = /sbin/shutdown -c logon script = %u.bat #logon path = \\192.168.0.4\profiles\%u logon path = \\nodes.differentialdesign.org\profiles\%u logon drive = H: domain logons = Yes domain master = Yes wins support = Yes ldap suffix = dc=differentialdesign,dc=org ldap machine suffix = ou=Computers,ou=Users ldap user suffix = ou=People,ou=Users ldap group suffix = ou=Groups ldap idmap suffix = ou=Idmap ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org idmap backend = ldap://127.0.0.1 idmap uid = 10000-20000 idmap gid = 10000-20000 printer admin = root printing = cups #========================Share Definitions========================= [homes] comment = Home Directories valid users = %S browseable = yes writable = yes create mask = 0600 directory mask = 0700 [netlogon] comment = Network Logon Service path = /data/samba/netlogon writeable = yes browseable = yes read only = no [profiles] path = /data/samba/profiles writeable = yes browseable = no read only = no create mode = 0777 directory mode = 0777 [Documents] comment = share to test samba path = /data/documents writeable = yes browseable = yes read only = no valid users = "@Domain Users"
1.2 smb.conf BDC
[root@node2 ~]# mkdir /data [root@node2 ~]# vi /etc/samba/smb.conf
# # Backup Domain Controller # # Global parameters [global] unix charset = LOCALE workgroup = DDESIGN netbios name = node2 #passdb backend = ldapsam:ldap://127.0.0.1 #passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3" passdb backend = ldapsam:"ldap://node2.differentialdesign.org ldap://node1.differentialdesign.org" username map = /etc/samba/smbusers log level = 1 syslog = 0 log file = /var/log/samba/%m max log size = 50 name resolve order = wins bcast hosts printcap name = CUPS show add printer wizard = No logon script = %u.bat #logon path = \\192.168.0.4\profiles\%u logon path = \\nodes.differentialdesign.org\profiles\%u logon drive = H: domain logons = Yes os level = 63 domain master = No wins server = node1.differentialdesign.org ldap suffix = dc=differentialdesign,dc=org ldap machine suffix = ou=Computers,ou=Users ldap user suffix = ou=People,ou=Users ldap group suffix = ou=Groups ldap idmap suffix = ou=Idmap ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org utmp = Yes idmap backend = ldap://node1.differentialdesign.org idmap uid = 10000-20000 idmap gid = 10000-20000 printing = cups #========================Share Definitions========================= [homes] comment = Home Directories valid users = %S browseable = yes writable = yes create mask = 0600 directory mask = 0700 [netlogon] comment = Network Logon Service path = /data/samba/netlogon writeable = yes browseable = yes read only = no [profiles] path = /data/samba/profiles writeable = yes browseable = no read only = no create mode = 0777 directory mode = 0777 [Documents] comment = share to test samba path = /data/documents writeable = yes browseable = yes read only = no valid users = "@Domain Users"
1.3 /etc/hosts
In order to correctly resolve name to IP address we need some sort of name resolution. We already have a DNS name server which is capable of doing this as per section 7.0: BIND DNS; however it is desirable to have a backup feature such as entries in the /etc/hosts file.
Step1.
On node1 we will edit the hosts file to reflect our configuration.
[root@node1 ~]# vi /etc/hosts # Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 node1 localhost.localdomain localhost 192.168.0.2 node1.differentialdesign.org 192.168.0.3 node2.differentialdesign.org 192.168.0.4 nodes.differentialdesign.org
Step2.
Login to node2 and edit the /etc/hosts file.
[root@node2 ~]# vi /etc/hosts
# Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 node2 localhost.localdomain localhost 192.168.0.2 node1.differentialdesign.org 192.168.0.3 node2.differentialdesign.org 192.168.0.4 nodes.differentialdesign.org
1.4 Samba Security
There are many additional features we can add to Samba to make it more secure. We can add some additional comments to our smb.conf to achieve this.
One of the great features of Samba is the “host allow =” option. This can be applied on a global scale to all the shares in the smb.conf by placing the global section of the smb.conf or to specific shares, but not both.
The example limits access to Samba shares to clients on the 192.168.0.0/24 network as it is defined it in the glocal section of the smb.conf.
## /etc/samba/smb.conf
## Global parameters [global] workgroup = DDESIGN security = user hosts allow = 192.168.0.0/24
For the enthusiast, we can use this option on a per share basis, which provides us with greater flexability.
This limits access to this share to the client with the 192.168.0.100/24 IP address; you of course can use multiple addresses.
## /etc/samba/smb.conf ## ==== Share Definitions ===== [Documents] comment = share to test samba path = /data/documents writeable = yes browseable = yes read only = no valid users = "@Domain Users" hosts allow = 192.168.0.100/24