1.0: Configuring Samba: Difference between revisions
From SambaWiki
Whitеcraig (talk | contribs) m (1.0. Configuring Samba moved to 1.0: Configuring Samba) |
Whitеcraig (talk | contribs) No edit summary |
||
Line 1: | Line 1: | ||
<center><big><big><big><big>Welcome to '''the Internet!''' |
|||
'''[[Replicated Failover Domain Controller and file server using LDAP]]''' |
|||
[[1.0. Configuring Samba]] |
|||
[[2.0. Configuring LDAP]] |
|||
[[Image:Internet.jpg|center]] |
|||
[[3.0. Initialization LDAP Database]] |
|||
[[4.0. User Management]] |
|||
[[5.0. Heartbeat HA Configuration]] |
|||
[[6.0. DRBD]] |
|||
[[7.0. BIND DNS]] |
|||
---- |
|||
== [[1.0. Configuring Samba]] == |
|||
Samba is an ambitious project to provide solutions for file & print sharing between Linux ™ and Microsoft Windows. |
|||
If you are familiar with Samba this document may give you some ideas of how you can bundle different software packages together to produce a very reliable configuration. |
|||
We are building a fault tolerant domain controller, which provides you with the following; |
|||
'''Samba Configuration''' |
|||
'''''- Primary Domain Controller''''' |
|||
'''''- Backup Domain Controller''''' |
|||
A master domain controller, that provides authentication through the use of LDAP |
|||
A slave domain controller that can load balance client login requests which also provide redundancy through the use of a replica LDAP database. |
|||
'''Step1.''' |
|||
Get the latest version of samba http://us4.samba.org/samba/ftp/samba-latest.tar.gz |
|||
It is essential that both the PDC and BDC are running the same version of samba. |
|||
[root@node1 samba]# wget http://us4.samba.org/samba/ftp/samba-latest.tar.gz |
|||
--19:28:04-- http://us4.samba.org/samba/ftp/samba-latest.tar.gz |
|||
=> `samba-latest.tar.gz' |
|||
Resolving us4.samba.org... 192.48.170.15 |
|||
Connecting to us4.samba.org|192.48.170.15|:80... connected. |
|||
HTTP request sent, awaiting response... 200 OK |
|||
Length: 17,704,221 (17M) [application/x-tar] |
|||
100%[====================================>] 17,704,221 53.01K/s ETA 00:00 |
|||
19:33:40 (51.62 KB/s) - `samba-latest.tar.gz' saved [17704221/17704221] |
|||
'''Step2.''' |
|||
[root@node1 samba]# tar zxvf samba-latest.tar.gz |
|||
[root@node1 samba]# cd samba-3.0.23d/ |
|||
Choose the appropriate distribution. |
|||
[root@node1 samba-3.0.23d]# cd packaging/ |
|||
bin/ Example/ Mandrake/ RedHat-9/ SGI/ SuSE/ |
|||
Debian/ LSB/ README RHEL/ Solaris/ sysv/ |
|||
'''Step3.''' |
|||
This will take some time. |
|||
[root@node1 samba-3.0.23d]# cd packaging/RHEL/ |
|||
[root@node1 RHEL]# ls |
|||
makerpms.sh makerpms.sh.tmpl samba.spec samba.spec.tmpl setup |
|||
[root@node1 RHEL]# chmod 777 makerpms.sh |
|||
[root@node1 RHEL]# ./makerpms.sh |
|||
Wrote: /usr/src/redhat/SRPMS/samba-3.0.23d-1.src.rpm |
|||
Wrote: /usr/src/redhat/RPMS/i386/samba-3.0.23d-1.i386.rpm |
|||
Wrote: /usr/src/redhat/RPMS/i386/samba-client-3.0.23d-1.i386.rpm |
|||
Wrote: /usr/src/redhat/RPMS/i386/samba-common-3.0.23d-1.i386.rpm |
|||
Wrote: /usr/src/redhat/RPMS/i386/samba-swat-3.0.23d-1.i386.rpm |
|||
Wrote: /usr/src/redhat/RPMS/i386/samba-doc-3.0.23d-1.i386.rpm |
|||
Wrote: /usr/src/redhat/RPMS/i386/samba-debuginfo-3.0.23d-1.i386.rpm |
|||
makerpms.sh: Done. |
|||
[root@node1 RHEL]# |
|||
'''Step4.''' |
|||
Install the RPM files we built from source. |
|||
[root@node2]# cd /usr/src/redhat/RPMS/i386/ |
|||
[root@node1 i386]# rpm -Uvh samba-3.0.23d-1.i386.rpm samba-client-3.0.23d-1.i386.rpm samba-common-3.0.23d-1.i386.rpm samba-debuginfo-3.0.23d-1.i386.rpm samba-doc-3.0.23d-1.i386.rpm samba- swat-3.0.23d-1.i386.rpm |
|||
Preparing... ########################################### [100%] |
|||
1:samba-common ########################################### [ 17%] |
|||
2:samba ########################################### [ 33%] |
|||
3:samba-client ########################################### [ 50%] |
|||
4:samba-debuginfo ########################################### [ 67%] |
|||
5:samba-doc ########################################### [ 83%] |
|||
6:samba-swat ########################################### [100%] |
|||
[root@node1 i386]# |
|||
'''Step5.''' |
|||
Login to node2 – the backup domain controller and repeat the above steps. |
|||
== [[1.1. smb.conf PDC]] == |
|||
You will need to replace the high lightened parameters with your domain name. Take note of the use of failover ldap backbends; this is very useful. |
|||
[root@node1 ~]# mkdir /data |
|||
[root@node1 ~]# vi /etc/samba/smb.conf |
|||
# # Primary Domain Controller smb.conf |
|||
# # Global parameters |
|||
[global] |
|||
unix charset = LOCALE |
|||
workgroup = DDESIGN |
|||
netbios name = node1 |
|||
#passdb backend = ldapsam:ldap://127.0.0.1 |
|||
#passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3" |
|||
passdb backend =ldapsam:"ldap://node1.differentialdesign.org ldap://node2.differentialdesign.org" |
|||
username map = /etc/samba/smbusers |
|||
log level = 1 |
|||
syslog = 0 |
|||
log file = /var/log/samba/%m |
|||
max log size = 0 |
|||
name resolve order = wins bcast hosts |
|||
time server = Yes |
|||
printcap name = CUPS |
|||
add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u' |
|||
delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u' |
|||
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g' |
|||
delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g' |
|||
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u' |
|||
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u' |
|||
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u' |
|||
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u' |
|||
shutdown script = /var/lib/samba/scripts/shutdown.sh |
|||
abort shutdown script = /sbin/shutdown -c |
|||
logon script = %u.bat |
|||
#logon path = \\192.168.0.4\profiles\%u |
|||
logon path = \\nodes.differentialdesign.org\profiles\%u |
|||
logon drive = H: |
|||
domain logons = Yes |
|||
domain master = Yes |
|||
wins support = Yes |
|||
ldap suffix = dc=differentialdesign,dc=org |
|||
ldap machine suffix = ou=Computers,ou=Users |
|||
ldap user suffix = ou=People,ou=Users |
|||
ldap group suffix = ou=Groups |
|||
ldap idmap suffix = ou=Idmap |
|||
ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org |
|||
idmap backend = ldap://127.0.0.1 |
|||
idmap uid = 10000-20000 |
|||
idmap gid = 10000-20000 |
|||
printer admin = root |
|||
printing = cups |
|||
#========================Share Definitions========================= |
|||
[homes] |
|||
comment = Home Directories |
|||
valid users = %S |
|||
browseable = yes |
|||
writable = yes |
|||
create mask = 0600 |
|||
directory mask = 0700 |
|||
[netlogon] |
|||
comment = Network Logon Service |
|||
path = /data/samba/netlogon |
|||
writeable = yes |
|||
browseable = yes |
|||
read only = no |
|||
[profiles] |
|||
path = /data/samba/profiles |
|||
writeable = yes |
|||
browseable = no |
|||
read only = no |
|||
create mode = 0777 |
|||
directory mode = 0777 |
|||
[Documents] |
|||
comment = share to test samba |
|||
path = /data/documents |
|||
writeable = yes |
|||
browseable = yes |
|||
read only = no |
|||
valid users = "@Domain Users" |
|||
== [[1.2. smb.conf BDC]] == |
|||
[root@node2 ~]# mkdir /data |
|||
[root@node2 ~]# vi /etc/samba/smb.conf |
|||
# # Backup Domain Controller |
|||
# # Global parameters |
|||
[global] |
|||
unix charset = LOCALE |
|||
workgroup = DDESIGN |
|||
netbios name = node2 |
|||
#passdb backend = ldapsam:ldap://127.0.0.1 |
|||
#passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3" |
|||
passdb backend = ldapsam:"ldap://node2.differentialdesign.org ldap://node1.differentialdesign.org" |
|||
username map = /etc/samba/smbusers |
|||
log level = 1 |
|||
syslog = 0 |
|||
log file = /var/log/samba/%m |
|||
max log size = 50 |
|||
name resolve order = wins bcast hosts |
|||
printcap name = CUPS |
|||
show add printer wizard = No |
|||
logon script = %u.bat |
|||
#logon path = \\192.168.0.4\profiles\%u |
|||
logon path = \\nodes.differentialdesign.org\profiles\%u |
|||
logon drive = H: |
|||
domain logons = Yes |
|||
os level = 63 |
|||
domain master = No |
|||
wins server = node1.differentialdesign.org |
|||
ldap suffix = dc=differentialdesign,dc=org |
|||
ldap machine suffix = ou=Computers,ou=Users |
|||
ldap user suffix = ou=People,ou=Users |
|||
ldap group suffix = ou=Groups |
|||
ldap idmap suffix = ou=Idmap |
|||
ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org |
|||
utmp = Yes |
|||
idmap backend = ldap://node1.differentialdesign.org |
|||
idmap uid = 10000-20000 |
|||
idmap gid = 10000-20000 |
|||
printing = cups |
|||
#========================Share Definitions========================= |
|||
[homes] |
|||
comment = Home Directories |
|||
valid users = %S |
|||
browseable = yes |
|||
writable = yes |
|||
create mask = 0600 |
|||
directory mask = 0700 |
|||
[netlogon] |
|||
comment = Network Logon Service |
|||
path = /data/samba/netlogon |
|||
writeable = yes |
|||
browseable = yes |
|||
read only = no |
|||
[profiles] |
|||
path = /data/samba/profiles |
|||
writeable = yes |
|||
browseable = no |
|||
read only = no |
|||
create mode = 0777 |
|||
directory mode = 0777 |
|||
[Documents] |
|||
comment = share to test samba |
|||
path = /data/documents |
|||
writeable = yes |
|||
browseable = yes |
|||
read only = no |
|||
valid users = "@Domain Users" |
|||
== [[1.3. /etc/hosts]] == |
|||
In order to correctly resolve name to IP address we need some sort of name resolution. We already have a DNS name server which is capable of doing this as per section [[7.0. BIND DNS]]; however it is desirable to have a backup feature such as entries in the /etc/hosts file. |
|||
'''Step1.''' |
|||
On node1 we will edit the hosts file to reflect our configuration. |
|||
[root@node1 ~]# vi /etc/hosts |
|||
# Do not remove the following line, or various programs |
|||
# that require network functionality will fail. |
|||
127.0.0.1 node1 localhost.localdomain localhost |
|||
192.168.0.2 node1.differentialdesign.org |
|||
192.168.0.3 node2.differentialdesign.org |
|||
192.168.0.4 nodes.differentialdesign.org |
|||
'''Step2.''' |
|||
Login to node2 and edit the /etc/hosts file. |
|||
[root@node2 ~]# vi /etc/hosts |
|||
# Do not remove the following line, or various programs |
|||
# that require network functionality will fail. |
|||
127.0.0.1 node2 localhost.localdomain localhost |
|||
192.168.0.2 node1.differentialdesign.org |
|||
192.168.0.3 node2.differentialdesign.org |
|||
192.168.0.4 nodes.differentialdesign.org |
|||
== [[1.4. Samba Security]] == |
|||
There are many additional features we can add to Samba to make it more secure. We can add some additional comments to our smb.conf to achieve this. |
|||
One of the great features of Samba is the “host allow =” option. This can be applied on a global scale to all the shares in the smb.conf by placing the global section of the smb.conf or to specific shares, but not both. |
|||
The example limits access to Samba shares to clients on the 192.168.0.0/24 network as it is defined it in the glocal section of the smb.conf. |
|||
## /etc/samba/smb.conf |
|||
## Global parameters |
|||
[global] |
|||
workgroup = DDESIGN |
|||
security = user |
|||
hosts allow = 192.168.0.0/24 |
|||
For the enthusiast, we can use this option on a per share basis, which provides us with greater flexability. |
|||
This limits access to this share to the client with the 192.168.0.100/24 IP address; you of course can use multiple addresses. |
|||
## /etc/samba/smb.conf |
|||
## ==== Share Definitions ===== |
|||
[Documents] |
|||
comment = share to test samba |
|||
path = /data/documents |
|||
writeable = yes |
|||
browseable = yes |
|||
read only = no |
|||
valid users = "@Domain Users" |
|||
hosts allow = 192.168.0.100/24 |
Revision as of 01:49, 26 February 2007