Using Samba on Linux is easy: you get performance and stability right away. Linux should be your file hosting choice from day 1. It is mine.

Contents

  1. Install Samba
    1. Status
  2. Quick: Connect to samba share
  3. Quick: Mount Shared Folder
  4. Quick: Enable Writable Share Folder
  5. Quick: Ping netbios names from linux
  6. Print Server
    1. Install CUPS
    2. Add Printers
    3. Enable samba Printer sharing
    4. Upload Printer Drivers to Samba
  7. Configure Samba for Domain
    1. Root/Administrator user
    2. Routs
    3. pre-configuration
    4. Add users
    5. netlogon.bat
    6. simple working smb.conf
    7. Shared folder
    8. test smb.conf
  8. Explain smb.conf
    1. smb.conf explained
      1. WINS support
      2. Share options
      3. Homes
    2. Add Shared Folder to Samba
    3. Add Writable share Folder
    4. Add Printer to Samba
  9. More smb.conf
    1. Profiles
    2. Netlogon
      1. Update hosts file on computers
    3. smb.conf
  10. Samba Status
    1. What is available
  11. User management
    1. Manage users
      1. pdbedit
      2. Add user
      3. Delete user
      4. Change account
      5. Reset password expiration for account
      6. Account flag, disable
      7. Default account settings
    2. Unix passwords to samba passwords
    3. Change password backend
    4. Administrator
      1. Add unix group to samba
  12. Migrate NT4 domain to Samba
    1. Clean up NT4 Domain
    2. smb.conf
    3. Join the samba BDC to NT domain
    4. Migrate User Accounts
  13. Troubleshooting
    1. Can't Join Samba Domain
      1. The network path was not found
      2. No mapping between account names and security IDs was done
      3. Access is denied
      4. Logon failure: unknown user name or bad password
      5. domain could not be contacted
  14. Webmin
    1. Install Webmin
  15. Performance
    1. Windows max TCP/IP speed
  16. external samba
    1. time
  17. Samba LDAP, DC, Postfix, IMAP
    1. Mysql
    2. Mail server
      1. maildir
      2. Mutt
    3. Imap
      1. courier-imap
    4. System tools
      1. ntp
      2. ssh server
    5. LDAP Settings
      1. samba
      2. openldap
      3. Configure unix to use ldap
      4. Configure samba
  18. NT4 to samba3
    1. Setup samba config
  19. Troubleshooting
  20. References

Install Samba

apt-get update
apt-get install samba

Status

smbclient -L servername

Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 3.0.24)
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Server               Comment
        ---------            -------
        SERVERNAME         Samba 3.0.24

        Workgroup            Master
        ---------            -------
                             DEBIAN
        MSHOME               NTSERVERNAME
        mydomainname         DOMAINSERVER

Quick: Connect to samba share

In /etc/samba/smb.conf, under [global]:

   security = user

and in the definition of the share you want to write to:

read only = no

Give the Unix account a Samba password (the Unix account must already exist), then restart Samba:

smbpasswd -a myusername

/etc/init.d/samba restart

Quick: Mount Shared Folder

apt-get update
apt-get install smbfs

mkdir somefolder

mount -t cifs -o username=administrator,password=password //windowsservername/folder /home/lucas/somefolder
or, prompting for the password instead of putting it on the command line:
mount -t cifs -o user=administrator //windowsservername/folder /home/lucas/somefolder

mount -t cifs -o uid=lucas,username=administrator,password=password //windowsservername/folder /home/lucas/somefolder

mount -t cifs -o uid=lucas,username=administrator,password=password,domain=mydomainname //windowsservername/folder /home/lucas/somefolder

[Optional] You can replace administrator with your username. You can also replace windowsservername with an IP address: //192.168.1.10/folder .... Mount options are case sensitive, so the owner option is uid=, not UID=. A password passed as a mount option is visible to every local user in ps output and ends up in the shell history; prefer -o user=... (prompts) or -o credentials=/path/to/file with that file mode 0600. On current Debian the smbfs package has been replaced by cifs-utils.
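Added example (not part of the original page): how to keep the CIFS password out of the command line. mount.cifs reads username, password and domain from a file named by the credentials= option, so the secret never appears in ps or in the shell history. The file path, the share name and the local user "backup" are assumptions for the example; cifs_mount_cmd only prints the mount command, it does not run it.

```shell
#!/bin/sh
# Added example, not from the original page. Two helpers:
#   make_cifs_credentials FILE USER PASSWORD [DOMAIN]  -> writes a 0600 credentials file
#   cifs_mount_cmd FILE //SERVER/SHARE MOUNTPOINT LOCALUSER -> prints the mount command
# Names and paths used in the usage comment below are hypothetical.

make_cifs_credentials() {
    f=$1
    ( umask 077                          # new file is created unreadable to others
      : > "$f" && chmod 600 "$f" || exit 1   # chmod also fixes an existing, looser file
      printf 'username=%s\npassword=%s\n' "$2" "$3" > "$f"
      if [ -n "$4" ]; then printf 'domain=%s\n' "$4" >> "$f"; fi
    )
}

# uid/gid map the share's files to one local user; file_mode/dir_mode stop the
# mounted tree from being world-readable on the Linux side.
cifs_mount_cmd() {
    printf 'mount -t cifs -o credentials=%s,uid=%s,gid=%s,file_mode=0640,dir_mode=0750 %s %s\n' \
        "$1" "$4" "$4" "$2" "$3"
}

# Usage (hypothetical names):
#   make_cifs_credentials /root/.smbcreds-backup administrator 'S3cret!' MYDOMAIN
#   eval "$(cifs_mount_cmd /root/.smbcreds-backup //fileserver/backup /mnt/backup backup)"
```

Because the file is read by mount.cifs as root, keeping it under /root with mode 0600 is enough; the same file can be referenced from /etc/fstab (credentials=/root/.smbcreds-backup) so the password never lands in fstab either.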

Quick: Enable Writable Share Folder

In [global], switch from user-level to share-level security:

#;   security = user
   security = share

Then at the bottom add the following lines.

[SHARED]
comment = PMS files
path = /home/lucas/Unique
browseable = yes
#printable = no
guest account = nobody
guest ok = yes
write ok = yes
force user = lucas
#force group = lucas

security = share was removed in Samba 4.0; the equivalent there is security = user together with map to guest = Bad User in [global], which sends failed logins to the guest account. Either way every anonymous client on the network writes to this directory as the account named in force user, so use a dedicated account for that rather than your own login.

Quick: Ping netbios names from linux

Keywords: linux to windows by "full computer name", netbios lookup, nslookup

  1. Every PC can ping every other one by its NetBIOS name, which maps to an IP address.
  2. In Windows this already works: ping mycomputer2 pings the IP address behind the name mycomputer2.
  3. It works even for a PC that is on DHCP.

This enables the same feature in Linux:

apt-get update
apt-get install winbind

vi /etc/nsswitch.conf

hosts: files dns
to
hosts: files dns wins

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
to
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 wins

ping mycomputer2

Keep wins last in the list: NetBIOS lookups fall back to unauthenticated broadcasts, so any host on the segment can answer for a name that files and dns did not resolve.

Print Server

Install CUPS

apt-get update
apt-get install cupsys cupsys-client

/etc/init.d/cupsys start

Add Printers

This page tells you how to do it: DebianPrinting

Enable samba Printer sharing

 printing = cups
 printcap name = cups

smbclient -L localhost
password: [hit Enter]  --password is empty

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (faxserver server)
        Departent1-Kyocera-9520DN Printer   Kyocera-9520DN
        Departent1-Kyocera-9500DN Printer   Kyocera-9500DN
        Departent1-HP--8000 Printer   HP-8000
        Departent2-Kyocera-C5020DN Printer   Kyocera-C5020N
        Departent2-Kyocera-9520DN Printer   Kyocera-9520DN
        Departent2-HP-P3005 Printer   HP-3005
        Departent2-HP-4000  Printer   HP-4000
        Accounting-Kyocera-9520DN Printer   Kyocera-9520DN
Anonymous login successful

Upload Printer Drivers to Samba

Configure Samba for Domain

uname -n
hostname -f

Root/Administrator user

smbpasswd -a root

root# smbpasswd -a root
New SMB password: XXXXXXXX
Retype new SMB password: XXXXXXXX

#####################
#File Format
#Unix_ID = Windows_ID
#Example:
#root = Administrator
#janes = "Jane Smith"
#####################

root = Administrator

username map = /etc/samba/smbusers

Routs

Name resolution order for the domain controller (the same /etc/nsswitch.conf change as in the winbind section above):

hosts:    files dns wins

pre-configuration

mkdir /home/samba
mkdir -p /home/samba/{netlogon,profiles}

The profiles directory must be traversable and writable by every domain user (ug+rw without the execute bit would not let anyone enter it); the sticky bit keeps users from deleting each other's profile directories:

chmod 1757 /home/samba/profiles

mkdir /data
mkdir /apps

Add users

adduser username
smbpasswd -a username

mkdir /home/samba/profiles/username
chown username:users /home/samba/profiles/username

netlogon.bat

net time \\servername /set /yes
net use h: /home

apt-get update
apt-get install tofrodos

todos /home/samba/netlogon/netlogon.bat

* If you are replacing an existing drive mapping you may want to remove the old one and map the new one:

net use u: /delete
net use u: \\SERVERNAME\SOME_FOLDER

simple working smb.conf

[global]
  #Domain name
  workgroup = yourdomainname
  #The Server Name
  netbios name = servername
  #server string = Samba
  #Time server, Workstations will set their time by this server
  time server =yes
  passdb backend = tdbsam

  #SECURITY AND LOGIN SETTINGS
  #This must be a user in PDC
  security = user
  bind interfaces only = yes
  #Windows XP/2000
  encrypt passwords = yes
  #Login in settings.
  domain logons = Yes
  #Error Logs, Comment it out when you in production.
  log level = 3

  #PDC and MASTER BROWSER SETTINGS
  #os level = 64 #Windows for master PDC. Highest Windows can get is 32
  preferred master = yes
  #local master = yes
  #This defines it as the Primary Domain Controller
  domain master = yes
  #Add/delete users on linux and samba (keeps linux and samba accounts in sync)
  add user script = /usr/sbin/useradd -m %u
  add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
  delete user script = /usr/sbin/userdel -r %u
  add group script = /usr/sbin/groupadd %g
  delete group script = /usr/sbin/groupdel %g
  #-a appends; without it usermod replaces the user's whole supplementary group list
  add user to group script = /usr/sbin/usermod -a -G %g %u

  #User Profiles and Home directory.
  logon drive = H:
  logon path =
  logon home =
  #Login script. Location is defined in [netlogon]. Keep comments on their own
  #line: Samba does not strip "#" or ";" after a value, so "yes ;comment" is a
  #badly formed boolean and "netlogon.bat   #comment" becomes the script name.
  logon script = netlogon.bat

  #Define user mappings. root = Administrator
  #You don't need this if you have created Administrator SMB user.
  username map = /etc/samba/smbusers
  wins support = yes

  passwd program = /usr/bin/passwd %u

  # ---   shares ---

[netlogon]
  comment = Domain Logon Service
  path = /home/samba/netlogon
  valid users = %U
  admin users = Administrator
  #Whatever is in here runs on every workstation at logon, so only the admins
  #group may write. read only = no here would let any user replace netlogon.bat.
  read only = yes
  write list = @admins
  browseable = no
  guest ok = Yes
  #For read only purposes. File is not locked per user.
  locking = no


[homes]
  #If you want to set home directory somwhere other thean the unix home use below path.
  # path = \\otherservername\%U
  volume = %U Home
  comment = Home Folder
  valid users = %S
  read only = No
  browseable = No
  public = no
  create mode = 0750

[printers]
  comment = All Printers
  path = /var/spool/samba
  guest ok = Yes
  printable = Yes
  browseable = No

#These are Optional if you want to use them.
#admin users connect as root on the share: Unix permissions are not checked for them.
[apps]
  comment = Application Files
  path = /apps
  admin users = Administrator
  read only = No

[data]
  comment = Application Files
  path = /data
  admin users = Administrator
  read only = No

Shared folder

[SHARED]
comment = PMS files
path = /home/lucas/shared
browseable = yes
#printable = no
guest account = guest
guest ok = yes
write ok = yes
force user = lucas
#force group = lucas

test smb.conf

testparm parses smb.conf and reports problems such as unknown parameters or badly formed booleans (an inline comment after a yes/no value is a common cause); testparm -s prints the effective configuration without pausing.

testparm
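testparm checks syntax, not intent. The added shell example below (written for this page, not part of the original or of Samba) reads a raw smb.conf and flags the combinations discussed in the sections above: guest ok on a writable share, a writable [netlogon], guest access to [profiles], security = share, admin users, and a "#" or ";" trailing a value. Share names and settings in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: static audit of an smb.conf.
# Usage: audit_smbconf /etc/samba/smb.conf
# Prints one finding per line; returns 1 if any WARN was found, 0 otherwise.

audit_smbconf() {
    out=$(awk '
    function trim(s)  { gsub(/^[ \t]+/, "", s); gsub(/[ \t]+$/, "", s); return s }
    function isyes(v) { return (v == "yes" || v == "true" || v == "1") }
    function isno(v)  { return (v == "no"  || v == "false" || v == "0") }
    function flush() {                      # evaluate the section just finished
        if (sec == "") return
        if (secl == "global") {
            if (security == "share")
                print "WARN [global] security = share: removed in Samba 4, use security = user plus map to guest = Bad User"
            if (admin != "")
                print "WARN [global] admin users = " admin ": these users are root on every share"
        } else {
            writable = (isno(ro) || isyes(wr))      # read only = no, or writable = yes
            if (isyes(guest) && writable && !isyes(prn))
                print "WARN [" sec "] guest ok with write access: anonymous clients can write here"
            if (secl == "netlogon" && writable)
                print "WARN [netlogon] writable: logon scripts run on every client, set read only = yes and use write list"
            if (secl == "profiles" && isyes(guest))
                print "WARN [profiles] guest ok: anonymous clients can plant roaming profiles"
            if (admin != "")
                print "INFO [" sec "] admin users = " admin ": they bypass file permissions on this share"
        }
        ro = ""; wr = ""; guest = ""; prn = ""; admin = ""
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }              # whole-line comment or blank
    /^[ \t]*\[/ {                                       # [section] header
        flush()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); secl = tolower(sec)
        next
    }
    {
        n = index($0, "=")
        if (n == 0) next
        key = tolower(trim(substr($0, 1, n - 1)))
        raw = trim(substr($0, n + 1))
        if (raw ~ /[#;]/)                               # Samba keeps trailing text as part of the value
            print "WARN [" sec "] " key ": inline comment becomes part of the value: \"" raw "\""
        val = tolower(raw)
        if (key == "security") security = val
        else if (key == "read only") ro = val
        else if (key == "writable" || key == "writeable" || key == "write ok") wr = val
        else if (key == "guest ok" || key == "public") guest = val
        else if (key == "printable" || key == "print ok") prn = val
        else if (key == "admin users") admin = raw
    }
    END { flush() }
    ' "$1")
    [ -n "$out" ] && printf '%s\n' "$out"
    case "$out" in
        *WARN*) return 1 ;;
    esac
    return 0
}
```

Run it against the file testparm has already accepted; a clean run prints nothing. Printable shares are exempt from the guest-write warning because spooling needs write access there.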

Explain smb.conf

smb.conf explained

workgroup: the workgroup or domain Samba joins. It is equivalent to the Windows NT domain or workgroup name.

WINS support

wins support = yes makes Samba itself the WINS server. If instead you point Samba at an existing WINS server with wins server = <ip address>, wins support must be set to "no": a host cannot be both WINS server and WINS client.

Share options

Homes

[homes]
comment = Home Directories
path = %H
valid users = %S
browseable = no
writable = yes
create mode = 0700
directory mode = 0700

path = %H is the user's Unix home directory. valid users = %S uses the name of the service, which for [homes] is equal to the username, so each user can connect only to their own home.

Add Shared Folder to Samba

[share]
  path = /path/to/data
  comment = Data Directory on servername
  read only= yes
  valid users = @users
  write list = manager

Add Writable share Folder

[everybody]
comment = Everybody files
path = /path/to/folder
browseable = yes
printable = no
writable = yes
write list = @users

Add Printer to Samba

[global]
...
printcap name = cups
printer admin = admin
printing = cups

[printers]
path = /var/lib/samba/printers
create mask = 0600
printable = yes
browseable = no

More smb.conf

Profiles

Two ways to seed a roaming profile. First: after creating the user's account on the server, simply log on from the user's machine; the existing Windows profile on that machine is used (as there is not yet one on the server) and copied to the server. This is fine if they only ever use the same computer, but beware: the profile may reference software installed only on that machine, so if they want to log in from other machines it is probably worth starting over with a fresh profile and setting up each machine exactly the same; see the next method.

or

Second: configure a Windows user account on a workstation the way you want it. If you try to create a local user account after you have created a machine account for this workstation on the Samba server, creating the account on the workstation will fail with a message saying you can't create accounts in that domain. We don't know what this is about, but to work around it you can use Users and Passwords → Advanced → Advanced → Users → Action → New User..., or create the account while the workstation is not yet part of the domain (do so beforehand, or temporarily revert to a workgroup).
            This will be a 'Restricted User' account.
            This account will be the template user profile. (We use TWEAK - The Windows Environment and Application Konfigurator, available from http://thegoldenear.org/tweak/, to configure the template user account quickly and easily; you only need to run the per-user options, including the Roaming Computing System specific options, A → P → P.)
            Create the template without running any applications; that will be done later. Consider where you are going to keep icons for applications by reading the section on applications further on.
            Any applications that require their preferences to be pre-installed manually in the Windows profile (rather than dealing with it themselves) will want that done now (see the applications section further on).

mkdir /home/samba
mkdir /home/samba/profiles
chmod 1757 /home/samba/profiles

mkdir /home/samba/profiles/template

Netlogon

cd /home/samba
ls
mkdir netlogon
chmod 0755 /home/samba/netlogon
cd /home/samba/netlogon

rem ###########################################
rem logon script
rem version 0.7.0
rem
rem remember this file needs DOS CR/LF to work
rem ###########################################
rem Change Log
rem 0.7.0 13-Dec-2003
rem  - added a new system and user TEMP location of e:\%username%\windows and e:\windows
rem  - changed 'cooledit' directory name to 'audition' to reflect that program's name change
rem  - removed creation of 'powerarchiver' directory as we use 7-Zip exclusively
rem 0.6.5 08-April-2003
rem  - renamed 'server' to 'file-server'
rem  - removed '/PERSISTANT:YES'
rem -------------------------------------------

net use P: \\file-server\programs
rem (only admins group can write there in our Samba configuration)

rem make mappings to shared areas, i.e.:
rem H: is made by smb.conf
net use S: \\file-server\shared

rem sync the workstation's time to that of the file-server
net time \\file-server /set /yes

rem make connections to any printer(s):
rem net use LPT1:

rem create temporary directories for %USERNAME% on TEMP partition
rem (remove any for applications not used on your system):
if not exist "e:\%username%" md "e:\%username%"

if not exist "e:\%username%\winnt" md "e:\%username%\winnt"
if not exist "e:\%username%\windows" md "e:\%username%\windows"
rem ('winnt' remains for backwards compatibility. we changed to 'windows' on 12 Dec 03 / TWEAK 0.8.32)

if not exist "e:\%username%\ie" md "e:\%username%\ie"
if not exist "e:\%username%\ie\Temporary Internet Files" md "e:\%username%\ie\Temporary Internet Files"
if not exist "e:\%username%\mozilla" md "e:\%username%\mozilla"
if not exist "e:\%username%\java" md "e:\%username%\java"
if not exist "e:\%username%\nero" md "e:\%username%\nero"
if not exist "e:\%username%\audacity" md "e:\%username%\audacity"
if not exist "e:\%username%\audition" md "e:\%username%\audition"

:EOF

chmod a+r /home/samba/netlogon/NETLOGON.BAT

Update hosts file on computers

The logon script can push a hosts file from the netlogon share onto each workstation. This only succeeds when the logging-on user can write to %systemroot%\system32\drivers\etc (a local administrator), and whoever can write to the netlogon share then controls name resolution on every client, which is one more reason to keep that share read only for ordinary users.

copy \\MYPDC\netlogon\hosts %systemroot%\system32\drivers\etc\hosts

smb.conf

Set netbios name to this server's name and workgroup to the domain name. Keep a copy of the original file first:

cp /etc/samba/smb.conf /etc/samba/smb.conf-original

# Smb.conf, samba domain controller
# Replacing windows nt domain controller
# Need to change workgroup, netbios name, hosts allow/deny
[global]
  #Domain name
  workgroup = domainname
  #The Server Name
  netbios name = domainserver
  #server string = Samba
  #Time server, Workstations will set their time by this server
  time server =yes
  passdb backend = tdbsam

  #SECURITY AND LOGIN SETTINGS
  #This must be a user in PDC
  security = user
  #Allow connection from specified addresses 10.1.1.*
  #Change it to your ip network, example: 192.168.0.
  #hosts allow = 127.0.0.1 10.1.1.
  #Deny others
  #hosts deny = 0.0.0.0/0
  #Only allow connection through network card
  #interfaces = eth* lo
  #bind interfaces only = yes
  #Windows XP/2000
  encrypt passwords = yes
  #Login in settings.
  domain logons = Yes
  #Error Logs, Comment it out when you in production.
  log level = 5

  #PDC and MASTER BROWSER SETTINGS
  #os level = 64 #Windows for master PDC. Highest Windows can get is 32
  preferred master = yes
  #preferred master = auto
  local master = yes
  #This defines it as the Primary Domain Controller
  domain master = yes
  #Add/delete users on linux and samba (keeps linux and samba accounts in sync)
  add user script = /usr/sbin/useradd -m %u
  add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
  delete user script = /usr/sbin/userdel -r %u
  add group script = /usr/sbin/groupadd %g
  delete group script = /usr/sbin/groupdel %g
  #-a appends; without it usermod replaces the user's whole supplementary group list
  add user to group script = /usr/sbin/usermod -a -G %g %u

  #User Profiles and Home directory.
  logon path = \\%L\profiles\%U
  logon home = \\%L\%U
  #Login script. Location is defined in [netlogon]. Keep comments on their own
  #line: Samba does not strip "#" or ";" after a value.
  logon script = netlogon.bat

  #Define user mappings between this system and windows system.
  #Without this you get asked for a password.
  #You don't need this if you have created the SMB user here.
  username map = /etc/samba/smbusers
  wins support = yes
  #Global admin users applies to every share: root connects as root everywhere
  admin users = root

  #Keep the case in file/directory names.Matching is done without regard to case.
  #It allows transition from non-case system (windows) to case system(unix)
  preserve case = yes
  short preserve case = yes
  case sensitive = no

  #Sync Unix passwords from windows workstation using PAM
  #Allow users to change their password
  unix password sync = yes
  #pam password change = yes

  #Optimization of samba for increased speed
  #SO_KEEPALIVE -sends a probe every 2 hours by default to check that a connection is still active
  #TCP_NODELAY
  #IPTOS_LOWDELAY
  #SO_SNDBUF=14596 -14596 was roughly the best on 10 Mbit/s era stacks,
  # it may be optimized better for your system.
  #SO_RCVBUF = 14596
  #Modern kernels autotune socket buffers; forcing them this small usually
  #lowers throughput, so measure before keeping SO_SNDBUF/SO_RCVBUF.
  socket options = TCP_NODELAY,IPTOS_LOWDELAY, SO_KEEPALIVE, SO_SNDBUF=14596, SO_RCVBUF=14596

  #lpq command = %p
  #name resolve order = wins bcast hosts
  #passwd chat debug = Yes
  #idmap gid = 15000-20000
  #passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n
  #lprm command =
  passwd program = /usr/bin/passwd %u
  #print command =
  #printing = cups
  #idmap uid = 15000-20000
  #printcap name = CUPS
  #null passwords = yes

  # ---   shares ---

[netlogon]
  comment = Domain Logon Service
  path = /home/samba/netlogon
  valid users = %U
  admin users = Administrator
  #Logon scripts execute on every client: keep the share read only for
  #everyone but the admins group (read only = no would let any user replace netlogon.bat)
  read only = yes
  write list = @admins
  browseable = no
  guest ok = Yes
  #For read only purposes. File is not locked per user.
  locking = No

[profiles]
comment = Network Profiles Share
path = /home/samba/profiles
browseable = yes
#Anonymous writes here would let anyone plant a profile for a user who has not logged on yet
guest ok = no
writeable = yes
read only = no
profile acls = yes
csc policy = disable
create mode = 0600
directory mode = 0700

[homes]
  #If you want to set home directory somwhere other thean the unix home use below path.
  # path =
  volume = %U Home
  comment = Home Folder
  valid users = %S
  read only = No
  browseable = No
  public = no
  create mode = 0750

[printers]
  comment = All Printers
  path = /var/spool/samba
  guest ok = Yes
  printable = Yes
  browseable = No

#These are Optional. admin users connect as root on the share.
[apps]
  comment = Application Files
  path = /apps
  admin users = Administrator
  read only = No

[data]
  comment = Application Files
  path = /data
  admin users = Administrator
  read only = No

Samba Status

What is available

smbclient -L servername

Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 3.0.24)
        Dept1-HP-P3005N Printer   Dept1
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]

        Server               Comment
        ---------            -------
        DOMAINSERVER         Samba 3.0.24

        Workgroup            Master
        ---------            -------
                             DEBIAN
        MSHOME               NTSERVERNAME
        mydomainname         DOMAINSERVER

User management

Manage users

*There are two tools to manage users. We will use the second one because it gives us more control.

smbpasswd:

  1. add user or machine accounts.
  2. delete user or machine accounts.
  3. enable user or machine accounts.
  4. disable user or machine accounts.
  5. set to NULL user passwords.
  6. manage interdomain trust accounts.

pdbedit:

  1. add, remove, or modify user accounts.
  2. list user accounts.
  3. migrate user accounts.
  4. migrate group accounts.
  5. manage account policies.
  6. manage domain access policy settings.

pdbedit

pdbedit -Lv username

pdbedit -Lv |less

space to view next page. q to quit

Add user

smbpasswd: Add username to debian linux account and samba account.

adduser 'username'
smbpasswd -a 'username'

Add user with pdbedit. Unix account need to exist already:

pdbedit -a username

Delete user

Delete samba account:

pdbedit -x username

Change account

pdbedit -r --fullname="First Last name" username

Reset password expiration for account

pdbedit -z username

Account flag, disable

D       Account is disabled.
H       A home directory is required.
I       An inter-domain trust account.
L       Account has been auto-locked.
M       An MNS (Microsoft network service) logon account.
N       Password not required.
S       A server trust account.
T       Temporary duplicate account entry.
U       A normal user account.
W       A workstation trust account.
X       Password does not expire.

pdbedit -r -c "[DLX]" username

pdbedit -r -c "[]" username

Default account settings

pdbedit -P ?

pdbedit -P "min password length" -C 8

Unix passwords to samba passwords

mksmbpasswd cannot convert the Unix password hashes; it only writes one smbpasswd entry per account with placeholder (XXXX) hashes, so nobody can log on until each user gets a Samba password with smbpasswd:

cat /etc/passwd | /usr/sbin/mksmbpasswd > /etc/samba.d/smbpasswd
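After a bulk conversion like the one above, or a migration, the smbpasswd file tends to accumulate entries nobody intended: placeholder hashes that were never replaced, accounts with the N (no password required) flag, and LM hashes, which are password-equivalent and crack offline in minutes. The added shell example below (written for this page, not Samba's own tooling) reads an smbpasswd-format file and reports those. The sample entries in the test are constructed; the hashes are the public test vectors for the string "password".

```shell
#!/bin/sh
# Added example, not from the original page: audit an smbpasswd-format file.
# Usage: audit_smbpasswd /etc/samba/smbpasswd
# Field layout: user:uid:LM_hash:NT_hash:[flags]:LCT-<hex>:

audit_smbpasswd() {
    awk -F: '
    BEGIN { EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE" }   # LM hash of the empty string
    /^[ \t]*#/ || /^[ \t]*$/ { next }                          # comment or blank line
    NF < 5 { print "WARN line " NR ": malformed entry"; next }
    {
        user = $1; lm = $3; nt = $4; flags = $5
        if (nt ~ /^X+$/)                                       # all X = no hash stored
            print "INFO " user ": placeholder NT hash (mksmbpasswd output); cannot log on until smbpasswd sets a password"
        else if (nt ~ /^NO PASSWORD/)                          # smbpasswd -n
            print "WARN " user ": empty password; logs on without one when null passwords = yes"
        if (lm !~ /^X+$/ && lm != EMPTY_LM && lm !~ /^NO PASSWORD/)
            print "WARN " user ": LM hash stored; it is crackable offline, set lanman auth = no and reset the password"
        if (flags ~ /N/)
            print "WARN " user ": flag N, password not required"
        if (flags ~ /D/)
            print "INFO " user ": account disabled"
        if (flags ~ /X/)
            print "INFO " user ": password never expires"
    }' "$1"
}
```

With passdb backend = tdbsam the same data can be exported first with pdbedit -e smbpasswd:/tmp/check and the audit run on that file; delete the export afterwards, it contains the hashes.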

Change password backend

pdbedit -i smbpasswd -e tdbsam

passdb backend = tdbsam:/etc/samba/passdb.tdb

Administrator

addgroup domainadmin
  1. Add to this group the users that must be "Administrators". For example, if you want joe, john, and mary to be administrators, your entry in /etc/group will look like this:

domainadmin:x:502:joe,john,mary
  2. Map this domainadmin group to the "Domain Admins" group (well-known RID 512) by executing the command:

root# net groupmap add ntgroup="Domain Admins" unixgroup=domainadmin rid=512 type=d

Add unix group to samba

root# net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct type=d

Migrate NT4 domain to Samba

Clean up NT4 Domain

smb.conf

[global]
    workgroup = [domainname]
    netbios name = SAMBASERVER
    passdb backend = tdbsam
    domain master = No
    domain logons = Yes
    os level = 33
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    # -a appends; without it usermod drops the user's other supplementary groups
    add user to group script = /usr/sbin/usermod -a -G '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
    wins server = [IP of wins server]

/etc/init.d/samba restart

testparm

Join the samba BDC to NT domain

net rpc join -S [NT netbios name or IP] -U Administrator
or
net rpc join BDC  -I ip_address_of_the_server -UAdministrator -w domainname -S domainname_servername

net rpc join -S domaincomputername -U Administrator

server:/etc/samba#  net rpc join -S domaincomputername -U Administrator
Password:
Joined domain LIABILITY.

Migrate User Accounts

Only when the passdb backend is ldapsam: add these indexes to slapd.conf before importing, otherwise every lookup during the import is a full scan.

index  objectClass      eq
index  cn               pres,sub,eq
index  sn               pres,sub,eq
index  uid              pres,sub,eq
index  displayName      pres,sub,eq
index  uidNumber        eq
index  gidNumber        eq
index  memberUid        eq
index  sambaSID         eq
index  sambaDomainName  eq
index  default          sub

net rpc vampire -S [NT netbios name or IP] -W [domainname] -U Administrator

net rpc vampire -S domaincomputername -W xyzdomain -U Administrator

Fetching DOMAIN database
Creating unix group: 'Domain Admins'
Creating unix group: 'Domain Users'
Creating unix group: 'Domain Guests'
Creating unix group: 'Claims'
Creating unix group: 'Accounting'
Creating account: Administrator
Creating account: Guest
...
Creating unix group: 'Administrators'
Creating unix group: 'Backup Operators'
Creating unix group: 'Guests'
Creating unix group: 'Print Operators'
Creating unix group: 'Replicator'
Creating unix group: 'Server Operators'
Creating unix group: 'Users'

pdbedit -L

Once the accounts are in, promote the Samba server to PDC in smb.conf:

    domain master = yes
    wins support = yes

/etc/init.d/samba restart

Troubleshooting

Can't Join Samba Domain

The network path was not found

The following error occurred attempting to join the domain "DOMAINNAME": The network path was not found.

No mapping between account names and security IDs was done

The following error occurred attempting to join the domain "DOMAINNAME": No mapping between account names and security IDs was done

Access is denied

The following error occurred attempting to join the domain "DOMAINNAME": Access is denied.

The account used for the join needs a Samba password (root, or the Administrator name mapped to it), and if add machine script is not set the machine trust account must be created by hand:

smbpasswd -a root

smbpasswd -a -m <machine-name>$

Logon failure: unknown user name or bad password

The following error occurred attempting to join the domain "DOMAINNAME": Logon failure: unknown user name or bad password.

The joining account has no Samba password yet (a Unix password is not enough):

smbpasswd -a root

domain could not be contacted

A domain controller for the domain "DOMAINNAME" could not be contacted.

Check that smbd answers locally and reports the domain:

smbclient -L localhost

Password:
Domain=[DOMAINNAME] OS=[Unix] Server=[Samba 3.0.24]

and that nmbd, which answers the NetBIOS name queries clients use to find the PDC, is running:

ps ax|grep nmbd

you will see:
3589 ?        Ss     0:00 /usr/sbin/nmbd -D

Webmin

Install Webmin

apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.350_all.deb

The package is fetched over plain HTTP: verify it against the checksum or signature published by the Webmin project before installing, and keep the Webmin port reachable only from the admin network.

dpkg --install webmin_1.350_all.deb

Performance

Windows max TCP/IP speed

The problem is the old TCP/IP setting in Windows. Back in the beginning Windows had a small TCP window size and it never changed. Adding the following to the registry increases it to something more appropriate for 100M NICs. The value names are TcpWindowSize and GlobalMaxTcpWindowSize (no "s"); a misspelled value name is silently ignored.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

"GlobalMaxTcpWindowSize"=dword:00020148
"TcpWindowSize"=dword:00020148
"Tcp1323Opts"=dword:00000003

This helped me no end with my backups. Increased network throughput by a factor of 30. So give it a go.

http://rdweb.cns.vt.edu/public/notes/win2k-tcpip.htm will explain it a bit more.

external samba

time

The relationship of "net time" and a real ntp server seems to be a one
time sync only anyway. However, you can have the PC really use ntp:

:: setup ntp client
:: need to be an admin - one time setup
sc stop w32time
w32tm /unregister
w32tm /register
net time /setsntp:ntpd-server
sc config w32time start= auto
sc start w32time
w32tm /resync
w32tm /stripchart /computer:ntpd-server /samples:1

Could instead use a real Policy or manually jam it into the registry (each reg add is one line; /f overwrites an existing value without prompting):

:: setup ntp client
:: need to be an admin - one time setup
reg add HKLM\SOFTWARE\Policies\microsoft\w32time /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /v NtpServer /d ntpd-server /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /v Type /d NTP /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v Enabled /t REG_DWORD /d 0x1 /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v CrossSiteSyncFlags /t REG_DWORD /d 0x2 /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v ResolvePeerBackoffMinutes /t REG_DWORD /d 0xf /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v ResolvePeerBackoffMaxTimes /t REG_DWORD /d 0x7 /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v SpecialPollInterval /t REG_DWORD /d 0xe10 /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v EventLogFlags /t REG_DWORD /d 0x0 /f
gpupdate /target:computer /force

* These might be useful as well

"How to configure an authoritative time server in Windows XP:
Configuring the Windows Time service to use an external time source"

http://support.microsoft.com/kb/314054/EN-US/#EXTERNAL
or http://support.microsoft.com/kb/314054/EN-US

Samba LDAP, DC, Postfix, IMAP

Mysql

aptitude update
aptitude install mysql-server

Mail server

aptitude install postfix

Pick "Internet Site" and give the mail host's fully qualified domain name. That name must resolve in DNS, and you will need to publish it as the MX record for your domain.

maildir

postconf -e "home_mailbox = Maildir/"
postconf -e "mailbox_command ="

Mutt

vi /etc/Muttrc

set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.Sent"
set postponed="+.Drafts"
set spoolfile="~/Maildir"

Imap

courier-imap

aptitude install courier-imap courier-imap-ssl

System tools

ntp

date
aptitude install ntp
/etc/init.d/ntp start
date

ssh server

aptitude install openssh-server

LDAP Settings

samba

aptitude install samba samba-doc
aptitude install smbldap-tools


      Domain Name: mycompany.com
      Use Password Encryption: Yes
      Modify smb.conf to use WINS settings via DHCP: No
      How to run Samba: daemons
      Create password database: Yes

openldap

aptitude install slapd ldap-utils

dpkg-reconfigure slapd

    * Omit OpenLDAP server configuration? No
    * DNS domain name: mycompany.com
    * Organization name: mycompany.com
    * Administrator password: ****
    * Database backend to use: HDB  (default)
    * Do you want the database to be removed when slapd is purged? No
    * Allow LDAPv2 protocol? No

Configure unix to use ldap

aptitude install libnss-ldap libpam-ldap

LDAP Server Host: 127.0.0.1
DN of Search Base: dc=mycompany,dc=com
LDAP Version: 3
Database requires login: no
Make config readable by owner only: yes

dpkg-reconfigure libnss-ldap
dpkg-reconfigure libpam-ldap

passwd: compat ldap
group: compat ldap
shadow: compat ldap

getent group
ssh:x:103:
users:x:20001:
guests:x:20002:
admins:x:20000:
.....

vi /etc/pam.d/common-account

# Comment out the next line
#account required pam_unix.so

# and add these two
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass

vi /etc/pam.d/common-auth

# from
#auth required pam_unix.so nullok_secure

# to
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

vi /etc/pam.d/common-password

# from
#password required pam_unix.so nullok obscure min=4 max=8 md5

# to
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass

vi /etc/pam.d/common-session

session optional        pam_ldap.so
session required        pam_unix.so

Restart samba and ssh:

/etc/init.d/ssh restart
/etc/init.d/samba restart

Configure samba

Tell ldap about samba schema

aptitude install samba-doc

cd /usr/share/doc/samba-doc/examples/LDAP
gunzip samba.schema.gz
cp samba.schema /etc/ldap/schema/

In /etc/ldap/slapd.conf, include the schema:

include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/misc.schema

and extend the password ACL so the Samba hashes get the same protection as userPassword. The NT hash is password-equivalent (it is what a client proves knowledge of), so anyone who can read sambaNTPassword can log on as that user. This clause must come before any "access to *" clause, because slapd uses the first clause whose target matches:

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=mycompany,dc=com" write
        by anonymous auth
        by self write
        by * none

/etc/init.d/slapd restart
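Getting the ACL clause right is easy to undo later by adding an "access to *" above it, since slapd stops at the first clause whose target matches. The added shell example below (written for this page, not part of OpenLDAP or Samba) parses a slapd.conf, joins the continuation lines of each access clause, and fails if the Samba password attributes are not covered, if a catch-all clause precedes that coverage, or if the clause itself hands the hashes to "*". The slapd.conf fragments in the test are constructed for the check.

```shell
#!/bin/sh
# Added example, not from the original page: check slapd.conf ACL order for the
# Samba password attributes.
# Usage: check_slapd_acl /etc/ldap/slapd.conf    (exit 0 = OK, 1 = problem found)

check_slapd_acl() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
    /^[ \t]/ { if (inacl) acl[n] = acl[n] " " $0; next }   # slapd.conf continuation line
    { inacl = 0 }                                     # any other directive ends the clause
    /^access[ \t]+to[ \t]+/ { n++; acl[n] = $0; inacl = 1 }
    END {
        for (i = 1; i <= n; i++) {
            if (!pw && acl[i] ~ /sambaNTPassword/ && acl[i] ~ /sambaLMPassword/) pw = i
            if (!star && acl[i] ~ /^access[ \t]+to[ \t]+\*/) star = i
        }
        if (!pw) {
            print "FAIL: no access clause covers sambaNTPassword/sambaLMPassword; the NT hash is password-equivalent and readable by anyone who can read the entry"
            exit 1
        }
        if (star && star < pw) {
            print "FAIL: \"access to *\" (clause " star ") precedes the password clause (" pw "); slapd uses the first matching clause, so the password clause is never reached"
            exit 1
        }
        if (acl[pw] ~ /by[ \t]+\*[ \t]+(read|write|compare|search)/) {
            print "FAIL: the password clause grants access to \"*\"; end it with \"by * none\""
            exit 1
        }
        if (acl[pw] !~ /by[ \t]+anonymous[ \t]+auth/)
            print "NOTE: password clause has no \"by anonymous auth\"; simple binds against these entries will fail"
        print "OK: password attributes protected by clause " pw " of " n
    }' "$1"
}
```

The same check is worth repeating after every slapd.conf edit, and against the live server with an anonymous ldapsearch for sambaNTPassword, which must come back with no values.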

Tell samba to use ldap

aptitude install smbldap-tools

In smb.conf change the backend from

passdb backend = tdbsam guest

to

passdb backend = ldapsam:ldap://127.0.0.1

#######################################################################
#COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO"
#######################################################################
#
#       Begin: Custom LDAP Entries
#
ldap admin dn = cn=admin,dc=mycompany,dc=com
ldap suffix = dc=mycompany, dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
; Do ldap passwd sync
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
domain logons = yes
#
#       End: Custom LDAP Entries
#
#####################################################
#STOP COPYING HERE!
#####################################################

testparm

/etc/init.d/samba restart

# store the password of the ldap admin dn in secrets.tdb; samba binds to ldap with it
smbpasswd -w mypasswordforldap

net getlocalsid
#or for remote domain
net rpc info -S domain_machinename -U Administrator

SID for domain DELLDEBIAN2 is: S-1-5-21-1372832259-xxxxxxxx-xxxxxxxx

cd /usr/share/doc/smbldap-tools/examples/
cp smbldap_bind.conf /etc/smbldap-tools/
cp smbldap.conf.gz /etc/smbldap-tools/
gzip -d /etc/smbldap-tools/smbldap.conf.gz

vi /etc/smbldap-tools/smbldap.conf

SID="S-1-5-21-1372832259-xxxxxxxx-xxxxxxxx" ## This line must have the same SID as when you ran "net getlocalsid"
sambaDomain="mydomainname"
ldapTLS="0"
suffix="dc=mycompany,dc=com"
userHome="/home/%U" ## This is found in the UNIX section.
userSmbHome=
userProfile=
userHomeDrive=
userScript=
mailDomain="mycompany.com"
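Added example, not from the original page: a check that the SID in smbldap.conf matches the SID Samba reports, covering both the `net getlocalsid` output shown above and the `net rpc info` format used in the NT4 migration below. The SID values, domain name and file contents are constructed samples.

```shell
# Added example (not from the original page): verify that the SID written into
# smbldap.conf is the one Samba actually uses, since smbldap-tools would
# otherwise create accounts with SIDs the domain does not recognise.
# The SIDs, domain name and file contents below are constructed samples.

# Pull the SID out of "net getlocalsid" output ("SID for domain X is: S-1-...")
# or "net rpc info" output ("Domain SID: S-1-...").
sid_from_net_output() {
    printf '%s\n' "$1" \
      | sed -n -e 's/^SID for domain [^ ]* is: \(S-1-[0-9-]*\).*/\1/p' \
               -e 's/^Domain SID: \(S-1-[0-9-]*\).*/\1/p' \
      | head -n 1
}

# Pull the SID out of an smbldap.conf file (the line SID="S-1-...").
sid_from_smbldap_conf() {
    sed -n 's/^SID="\(S-1-[0-9-]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only when both SIDs were found and are identical.
check_sid_match() {
    net_sid=$(sid_from_net_output "$1")
    conf_sid=$(sid_from_smbldap_conf "$2")
    [ -n "$net_sid" ] && [ "$net_sid" = "$conf_sid" ]
}

# Constructed sample data standing in for the real command output and config files.
SAMPLE_NET_OUTPUT='SID for domain DELLDEBIAN2 is: S-1-5-21-1372832259-1111111111-2222222222'
SAMPLE_GOOD_CONF=$(mktemp)
printf 'SID="S-1-5-21-1372832259-1111111111-2222222222"\nsambaDomain="mydomainname"\n' > "$SAMPLE_GOOD_CONF"
SAMPLE_BAD_CONF=$(mktemp)
printf 'SID="S-1-5-21-1372832259-3333333333-4444444444"\nsambaDomain="mydomainname"\n' > "$SAMPLE_BAD_CONF"

if check_sid_match "$SAMPLE_NET_OUTPUT" "$SAMPLE_GOOD_CONF"; then
    echo "smbldap.conf SID matches the SID samba reports"
else
    echo "SID mismatch: fix the SID= line in smbldap.conf before running smbldap-populate" >&2
fi
```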

vi /etc/smbldap-tools/smbldap_bind.conf

slaveDN="cn=admin,dc=mycompany,dc=com"
slavePw="mypassword"
masterDN="cn=admin,dc=mycompany,dc=com"
masterPw="mypassword"

chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

smbldap-populate -u 30000 -g 30000

adding new entry: ou=Users,dc=......
adding new entry: ou=Groups,dc=......
adding new entry: ou=Computers,dc=......
adding new entry: ou=Idmap,dc=....
adding new entry: uid=root,ou=Users,dc=....
adding new entry: uid=nobody,ou=Users,dc=....
adding new entry: cn=Domain Admins,ou=Groups,dc=...

Adding users

smbldap-useradd -a -m -M ricky -c "Richard M" ricky

 * -a allows Windows as well as Linux login
 * -m makes a home directory; leave this off if you do not need local access, since PAM will be configured to create a home directory automatically.
 * -M sets up the username part of their email address
 * -c specifies their full name

change password

smbldap-passwd ricky

 *Some information gathered from

NT4 to samba3

Setup samba config

[global]
     workgroup = [domainname]
     netbios name = SAMBASERVER
     passdb backend = tdbsam
     domain master = No
     domain logons = Yes
     os level = 33
     add user script = /usr/sbin/useradd -m '%u'
     delete user script = /usr/sbin/userdel -r '%u'
     add group script = /usr/sbin/groupadd '%g'
     delete group script = /usr/sbin/groupdel '%g'
     add user to group script = /usr/sbin/usermod -G '%g' '%u'
     add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
     wins server = [IP of wins server] 

net rpc getsid -S myoldserverOR_ip_address -U Administrator

net rpc info -S myoldserverOR_ip_address -U Administrator

Domain Name: mydomainname
Domain SID: S-1-x-xx-xxxxx-xxxxx-xxxxx
Sequence number: 80xx
Num users: 277
Num domain groups: 5
Num local groups: 0

net setlocalsid S-1-x-xx-xxxxx-xxxxx-xxxxx

Done already?
smbldap-populate -a root -k 0 -m 0

Fire up Server Manager on your NT4 domain controller and create a BDC account for the Samba box.

Troubleshooting

slapd logs warnings like these when Samba searches on attributes that slapd.conf does not index:

Jul 24 11:46:02 delldebian2 slapd[2602]: <= bdb_equality_candidates: (uidNumber) not indexed
Jul 24 11:46:05 delldebian2 slapd[2602]: <= bdb_equality_candidates: (uid) not indexed
Jul 24 11:46:05 delldebian2 slapd[2602]: <= bdb_equality_candidates: (uidNumber) not indexed
Jul 24 11:46:06 delldebian2 slapd[2602]: <= bdb_equality_candidates: (gidNumber) not indexed
Jul 24 11:46:06 delldebian2 slapd[2602]: <= bdb_equality_candidates: (sambaSID) not indexed
Jul 24 11:46:06 delldebian2 slapd[2602]: <= bdb_equality_candidates: (sambaSID) not indexed
Jul 24 11:46:06 delldebian2 slapd[2602]: <= bdb_equality_candidates: (sambaGroupType) not indexed
Jul 24 11:46:06 delldebian2 slapd[2602]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Jul 24 11:46:06 delldebian2 slapd[2602]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Jul 24 11:46:06 delldebian2 slapd[2602]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Jul 24 11:46:06 delldebian2 slapd[2602]: <= bdb_equality_candidates: (sambaSIDList) not indexed

Add these index lines to slapd.conf:

index  objectClass      eq
index  cn               pres,sub,eq
index  sn               pres,sub,eq
index  uid              pres,sub,eq
index  displayName      pres,sub,eq
index  uidNumber        eq
index  gidNumber        eq
index  memberUid        eq
index  sambaSID         eq
index  sambaDomainName  eq
index  default          sub

An existing database is not re-indexed automatically: stop slapd, run slapindex as the user slapd runs as (so the database files keep their ownership), then start slapd again.
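Added example, not from the original page: a small script that turns the "not indexed" warnings from the slapd log into the `index ... eq` lines still missing from slapd.conf, skipping attributes that already have an index directive. The log lines and the slapd.conf fragment are constructed samples in the formats shown above.

```shell
# Added example (not from the original page): derive the "index <attr> eq"
# lines slapd.conf lacks from the "not indexed" warnings slapd logs.
# The log lines and config fragment below are constructed samples.

# Print each attribute named in a "<= bdb_equality_candidates: (attr) not indexed"
# warning exactly once, sorted.
unindexed_attrs() {
    printf '%s\n' "$1" \
      | sed -n 's/.*bdb_equality_candidates: (\([A-Za-z0-9]*\)) not indexed.*/\1/p' \
      | sort -u
}

# Print the attributes already covered by an "index" directive in slapd.conf text.
indexed_attrs() {
    printf '%s\n' "$1" | awk '$1 == "index" { print $2 }' | sort -u
}

# Emit "index <attr> eq" for every warned attribute that has no directive yet.
missing_index_lines() {
    have=" $(indexed_attrs "$2" | tr '\n' ' ') "
    for attr in $(unindexed_attrs "$1"); do
        case "$have" in
            *" $attr "*) ;;                            # already indexed, nothing to add
            *) printf 'index  %-16s eq\n' "$attr" ;;   # same layout as the slapd.conf lines
        esac
    done
}

# Constructed sample log and config, standing in for /var/log/syslog and slapd.conf.
SAMPLE_LOG='Jul 24 11:46:02 delldebian2 slapd[2602]: <= bdb_equality_candidates: (uidNumber) not indexed
Jul 24 11:46:05 delldebian2 slapd[2602]: <= bdb_equality_candidates: (uid) not indexed
Jul 24 11:46:06 delldebian2 slapd[2602]: <= bdb_equality_candidates: (sambaSID) not indexed
Jul 24 11:46:06 delldebian2 slapd[2602]: <= bdb_equality_candidates: (sambaSID) not indexed
Jul 24 11:46:06 delldebian2 slapd[2602]: <= bdb_equality_candidates: (sambaSIDList) not indexed'
SAMPLE_CONF='index  objectClass      eq
index  uid              pres,sub,eq
index  uidNumber        eq'

missing_index_lines "$SAMPLE_LOG" "$SAMPLE_CONF"
```

The lines it prints are meant to be appended to slapd.conf, after which the database still has to be re-indexed with slapindex while slapd is stopped.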

References

Based on:

  1. http://www.phptr.com/content/images/013188221X/downloads/013188221X_book.pdf

  2. http://www.redbooks.ibm.com/redpapers/pdfs/redp0023.pdf

  3. http://us1.samba.org/samba/docs/Samba3-HOWTO.pdf

  4. http://pserver.samba.org/samba/ftp/cifs-cvs/linux-cifs-client-guide.pdf

MyWiki: SambaDomainController (last edited 2009-09-06 02:49:59 by localhost)