Follow the installation instructions for the particular Samba image you
have installed.
These steps originated with Samba v2.2.6c and most still apply to later
releases. However, certain commands have changed. For example,
smbpasswd is no longer used in Samba v3.0.10 for joining Samba to a
Windows Domain; that function has moved to the "net" command within
the Samba bin directory. Whilst every effort is made to keep the
content correct, it may be necessary to check the latest syntax at:
http://www.samba.org/samba/docs/
Use the following steps to configure your Samba installation:
Post Installation
-----------------
1. Add /usr/lib/samba/bin to your PATH statement as:
# PATH=$PATH:/usr/lib/samba/bin; export PATH
2. Create a normal user using "useradd", "scoadmin account" or the
legacy "sysadmsh".
Ensure that the $HOME directory has been created.
3. Check that SWAT (Samba Web Configuration Tool) is working
by using your favorite browser and connecting to the URL:
http://<my_server>:901 or http://<my_server>:901/
This should be listed as a service in the /etc/services file:
# grep 901 /etc/services
swat 901/tcp samba web configuration tool
This is what needs to be started in the /etc/inetd.conf file:
# grep swat /etc/inetd.conf
swat stream tcp nowait root /usr/sbin/swat swat
The location of swat may differ to /usr/lib/samba/sbin/swat
depending on the OS.
The "inetd" process will need to be restarted or the server
rebooted.
You should be prompted for a username/password when you
connect.
You will need to provide the username "root" and the correct
root password.
Note that SWAT uses plain HTTP, so the root password crosses the
network unencrypted each time you log in. Use SWAT from the console
(http://localhost:901) or over a trusted network only, and restrict
which hosts can reach port 901 (for example with a packet filter in
front of the server) if SWAT is to stay enabled in inetd.
See: /usr/lib/samba/swat/README
If Webmin is installed then remember to point its modules to
/usr/lib/samba rather than the default of /usr/local/samba.
4. To ensure that Samba will be started at boot time and stopped
at shutdown time use the commands:
# /etc/init.d/samba enable
See the RCSCRIPT entry in /etc/init.d/samba
This will create a link to $RCSCRIPT/S99samba.
It is also recommended to run:
# ln -s /etc/init.d/samba /etc/rc0.d/K01samba
# ln -s /etc/init.d/samba /usr/lib/samba/bin/samba
Please note that this might vary per Samba release and may be
in /etc/rc2.d.
5. Samba requires two daemons to be running: smbd and nmbd, once a
valid "smb.conf" is in place in /etc/samba.d. To start, copy
the example smb.conf.default to smb.conf in the /etc/samba.d
directory. Then start the daemons.
These are started by clicking on the "Status" icon and clicking
on "Start" for each of the two daemons within SWAT.
Double check by running at the prompt:
# ps -ef | grep mbd
The "Status" web page will tell you who is connected to your
server.
You can also run the command:
# smbstatus
These daemons will be active once a "smb.conf" file has been
created--see below.
Test to see what shares are available with:
# smbtree
and:
# smbclient -L <server name>
or, suppressing the password prompt (-N) so that the listing is
attempted as an anonymous connection:
# smbclient //<server name>/<user> -N -L <server name>
If you are experiencing problems at this level and have issues
with further steps then see:
Technical Article 114823, "How do I download, compile and install the latest
version of SAMBA for UnixWare/Open UNIX 8.0.0 "
and:
Technical Article 114822, "How do I download, compile and install the latest
version of SAMBA for OpenServer? "
6. To test that Samba is running correctly, use your favourite text
editor to configure the smb.conf file so that it looks like this;
by default this is in /usr/lib/samba/lib (or /etc/samba.d, as in
step 5 above).
# Samba config file created using SWAT
# from 192.168.0.1 (192.168.0.1)
# Date: 2005/04/29 14:09:11
# Global parameters
[global]
security = SHARE
[PUBLIC]
path = /home2
read only = No
guest ok = Yes
and run "/etc/init.d/samba restart"
Please note that many releases of Samba are different, if you
do not have a 'samba' command then use:
# /etc/rc2.d/S99nmbd [stop/start]
# /etc/rc2.d/S99smbd [stop/start]
and any user should now be able to gain access
to the server's UNC (\\<server>) and see a PUBLIC share and
be able to write folders there.
The assumption here is that /home2 is a folder with 777
(full access) permissions.
Note that this is a deliberately open test configuration: with
security = SHARE and a guest-writable share, anyone who can reach
the server can write to /home2 without a password, and later Samba
releases dropped the share-level security model altogether. Use it
only to prove that the daemons work, then replace it with one of
the configurations in the scenarios below.
Once that has been attained, let's look at assigning access
rights in the various scenarios below:
At the end of this exercise we should have been able to see how to
configure SAMBA and have started it on the server.
Scenario 1 - Create a simple WorkGroup and access it via a normal user
---------- from a Windows client.
You will need to have a Windows client available to access the server.
1. Visit the online configuration tool (SWAT), as above.
2. Within "Globals" enter "SMBTEST", for example, as the name of
the WorkGroup. The default will be WORKGROUP.
3. To start with, set the "encrypt passwords" to Yes.
4. Click on Commit Changes
5. Click on "Password" and enter the same user name as you created
in the Post Installation section above and ensure that the
password matches the UNIX one, then click on "Add User".
This will create an entry in /etc/samba.d/smbpasswd
6. By default, the user, when they log in, should have access to
their $HOME directory. To do this you can modify the "Shares"
icon or simply go to:
/etc/samba.d/smb.conf
and using your favourite editor, change the existing file so
that it reads, for example:
# Samba config file created using SWAT
# from <my_server> (my_ip)
# Date: 2002/10/24 15:01:02
# Global parameters
[global]
workgroup = SMBTEST
encrypt passwords = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[public]
comment = Public Share
path = /u/public
read only = No
NOTE:
The public share is not necessary for the users' home
directory maps but is a general shared resource.
NOTE:
The "encrypt passwords = Yes" line states that the
Windows client connecting the Samba server must have the
Encrypted Password registry setting turned on.
This is the default for Windows clients with the exception of
early releases of Windows 95 which in the past used plain
(cleartext) text passwords.
If you need to have a mixed Windows client environment that
includes Windows 95 clients connecting to the server, you will
need to turn off "encrypt passwords" in smb.conf and ensure that
the Windows clients other than Windows 95 have the plain-text
password Registry key installed so that they also send
unencrypted passwords. Be aware that every user's password then
crosses the network in cleartext; upgrading the Windows 95 clients
is the better option.
NOTE:
If domain level policy settings are defined, they
override local policy changes.
These keys are detailed in:
Technical Article 116828, "VisionFS 3, When I access a server I only see the
global shares that a guest account would see."
More details of password encryption are explained at:
http://samba.linuxbe.org/en/samba/learn/encryption.html
http://freebooks.by.ru/view/LinuxNetworkSolution/31620085.htm
http://enterprise.iet.auc.dk/Computer_ressources/Samba/plain_password.html
http://netsys.syr.edu/ops/printing/printencrypt.html
http://www.jsanten.demon.nl/samba/smb_conf_adv.htm
to name but a few.
By default, it is recommended to leave encrypted passwords
turned on.
7. Once you have saved this file you will need to restart Samba
using "samba restart". You have already included the "samba"
start-up file directory in your $PATH above.
8. To connect, log in a Windows client into the
WorkGroup "SMBTEST" as the user you created above.
It may take some time for the Master Browser List to update the
Network Neighbourhood, so click on Start -> Run and enter:
\\<my_server>
and you should see the shares for printers, public and $HOME.
Alternatively, you will be able to access the server from
another client in a different workgroup or domain as long as
the username and passwords are the same.
If the $HOME directory was not created you would not see
it, because the [homes] share is not browseable.
By default, with the home shares configured as above, the home
directory shares on the server other than your own are not
browseable, so that you don't see every user's home directory
share on the server.
If the public directory was not created you will see the
error message:
The network name cannot be found.
If you made the public directory non-browseable, no one
would be able to see it but you could access it via the UNC or
Universal Naming Convention path, i.e.:
\\<my_server>\public
If you cannot connect to the server, run "nmblookup <client>" on
the server to check that it can resolve the client's NetBIOS name,
and "nmblookup <my_server>" to check that nmbd is answering for
the server's own name.
At the end of this exercise we should be able to access the server and
see shares from a Windows Client.
Scenario 2 - Configure the server as a Primary Domain Controller (PDC):
----------
You will need to have a Windows NT/2000 or XP client to be able to log
the client in as a member of the domain.
1. Change your /etc/samba.d/smb.conf configuration file to look
like this:
# Global parameters
[global]
workgroup = SMBTEST
encrypt passwords = Yes
password level = 8
username level = 8
log file = /var/log/samba.d/log.%m
max log size = 50
name resolve order = hosts bcast
logon script = netlogon.bat
logon path = \\%N\profiles\%u
logon drive = G:
domain logons = Yes
os level = 35
preferred master = True
domain master = True
printing = sysv
load printers = Yes
hide unreadable = Yes
[netlogon]
path = /home/samba/netlogon
guest ok = Yes
share modes = No
[homes]
comment = Home Directories
read only = No
browseable = No
[public]
comment = Public Share
path = /u/public
read only = No
[profiles]
comment = Windows Profiles
path = /home/samba/profiles
read only = no
inherit acls = yes
guest ok = yes
2. Stop and start samba with the command:
# samba restart
3. Within SWAT, click on "Password" and enter "root" and the root
password, i.e., ensure that the password matches the UNIX one,
then click on "Add User".
This will create an entry in /etc/samba.d/smbpasswd for root.
This account will be what is known to the MS Windows network as
the "Administrator" and is needed to allow MS Windows
NT/2000/XP machines to be added to the domain.
4. However, this will only work once the OpenServer server has an
account for the computer wishing to join, created as described
below. The machine account name must have a "$" appended to the
end of the client name.
a) add the account without the $ using the "useradd
<my_client>" command, eg:
# useradd -d /home -s /bin/false <my_client>
NOTE:
It may be advisable to use the "-u <uid>" flag and set
the UID for the machine account to be in a different numeric
range from that of the users so that it is clear which are
users and which are machines.
b) using your favourite editor, edit the files:
/etc/passwd and /etc/shadow
appending the $ to the account name and changing the $HOME
directory to /dev/null. Together with the /bin/false shell this
ensures that the machine account can never be used for an
interactive login.
c) Update the security database with these commands:
# cd /tcb/files/auth/
# cd m (Note: use the first character of the account name)
# mv myclient myclient\$
# /tcb/bin/authck -a (and answer Yes to fix discrepancies)
5. From a Windows client, such as Windows NT4, log in as the
Administrator on the client and right click the Network
Neighbourhood. Within Properties and Identification, click on
"Change" and change the Workgroup to Domain, enter the domain
name, in our case, SMBTEST and then click on "Create a
Computer Account in the Domain". Then enter "root" and the
root password for the Administrator account.
6. Also, if you are adding an MS Windows XP machine you need to
apply the Windows XP Registry patch that disables "SignOrSeal".
It can be found under the samba documentation area in:
http://us1.samba.org/samba/ftp/docs/Registry/WinXP_SignOrSeal.reg
All you need to do to install this is double-click on the file
in MS Windows explorer.
Be aware of what the patch does: it turns off the signing and
sealing of the Netlogon secure channel that XP otherwise requires
of its domain controller. It is a workaround for Samba 2.2, which
does not support the secure channel, and it leaves that channel
unprotected, so do not apply it (or revert it) once the PDC runs a
Samba 3 release that supports it.
At the end of this exercise we should be able to attach a Windows
client as a member of the domain we have configured and be able to log
into that domain and be authenticated by our OpenServer server which
is now a Primary Domain Controller (PDC).
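The following is an added example, not the article's own code and not part of Samba: steps 4a and 4b of this scenario as a checked transform on a copy of the passwd file, plus the checks a machine (trust) account should pass before Samba is allowed to use it. It assumes a UID range of 5000-5999 reserved for machine accounts (the article only suggests keeping them apart from user UIDs) and uses a constructed passwd excerpt. /etc/shadow and the /tcb authentication database (step 4c) still have to be updated as the article describes.

```shell
#!/bin/sh
# Added example (not from the article or from Samba): turn the entry that
# "useradd -d /home -s /bin/false <my_client>" created into the trust account
# entry (name$, home /dev/null, shell /bin/false) on a COPY of /etc/passwd and
# verify the result. The 5000-5999 machine UID range is an assumption.

MACHINE_UID_MIN=5000
MACHINE_UID_MAX=5999

# check_client_name NAME: a NetBIOS name is 1-15 characters; the trailing "$"
# is appended here, so reject names that already carry one or hold separators.
check_client_name() {
    case $1 in
        '' | *'$'* | *' '* | *':'* | *'/'*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# to_machine_account NAME PASSWDFILE: print PASSWDFILE with NAME's entry
# rewritten as the machine account (other lines unchanged); exit 1 if the
# name is invalid or absent.
to_machine_account() {
    check_client_name "$1" || return 1
    awk -F: -v OFS=: -v n="$1" '
        $1 == n { $1 = n "$"; $6 = "/dev/null"; $7 = "/bin/false"; hit = 1 }
        { print }
        END { exit hit ? 0 : 1 }' "$2"
}

# verify_machine_account NAME PASSWDFILE: print the UID of NAME$ if the entry
# exists, sits in the machine UID range, has no home and no login shell;
# otherwise report the problem on stderr and exit 1.
verify_machine_account() {
    awk -F: -v n="$1" -v lo="$MACHINE_UID_MIN" -v hi="$MACHINE_UID_MAX" '
        $1 == n "$" {
            found = 1; uid = $3 + 0
            if (uid < lo || uid > hi) { print "uid " uid " outside " lo "-" hi > "/dev/stderr"; bad = 1 }
            if ($6 != "/dev/null")   { print "home is " $6 ", want /dev/null" > "/dev/stderr"; bad = 1 }
            if ($7 != "/bin/false")  { print "shell is " $7 ", want /bin/false" > "/dev/stderr"; bad = 1 }
        }
        END { if (!found || bad) exit 1; print uid }' "$2"
}

# write_sample_passwd FILE: constructed passwd excerpt with a normal user and
# the account useradd created for the client "myclient" (uid 5001 chosen in
# the machine range with "useradd -u").
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
myclient:x:5001:100:Samba machine account:/home:/bin/false
EOF
}

# Stand-alone run: rewrite the sample and show the resulting trust account.
sample=$(mktemp); out=$(mktemp)
write_sample_passwd "$sample"
if to_machine_account myclient "$sample" > "$out"; then
    echo "trust account uid: $(verify_machine_account myclient "$out")"
    grep '^myclient\$' "$out"
fi
rm -f "$sample" "$out"
```

Apply the rewritten file only after comparing it with the original (diff) and then repeat the same edit for /etc/shadow; the $ in the account name is what lets the Windows client find the account when it joins in step 5.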
Scenario 3 - Configure another OpenServer as a member server, i.e.,
---------- to use the password server facility.
You will need another OpenServer server to install Samba on.
1. Install Samba on a second OpenServer you wish to act as the
member server as above and configure the /etc/samba.d/smb.conf
file to appear as:
# Global parameters
[global]
workgroup = SMBTEST
security = DOMAIN
encrypt passwords = Yes
log file = /var/log/samba.d/log.%m
password server = <my_pdc>.fqdn
[public]
comment = Public Share
path = /u/public
read only = No
guest ok = Yes
Here we are assuming that there will be a public share on the
server in /u/public which must have directory permissions of
777 (see the man page for the chmod command).
The <my_pdc>.fqdn is the PDC we configured earlier, against which
anyone trying to access this server will be authenticated.
It is assumed that the <my_pdc>.fqdn hostname can be resolved
by this server either via the /etc/hosts file or by DNS.
SAMBA supports several security modes: 'user','share','server'
and 'domain'.
These mainly affect the way the client authenticates itself.
'user' is the default setting and validates each connecting
user, as they connect, against the smbpasswd file.
You want to set this to 'share' if your server mainly provides
guest accounts (accounts without password) or you wish to
restrict access to certain shares, for example:
[private]
comment = A share with password
path = /u/private
# all users defined here must be in /etc/passwd and in
# smbpasswd (we use encrypted=yes)
username = my_user
read list = my_user
write list = my_user
The user "my_user" would have access to any share where guest
was allowed, any $HOME directory and the "private" share as
defined above.
However, if the "guest ok = Yes" line were removed from [public]
under this security model, "my_user" would not have access to the
"public" folder, whereas under the 'domain' model they would. This
is because in 'share' mode authentication is done per share rather
than per user.
'server' level security is useful if the password file is
stored on another server in the network which can be another
Samba server, a Window NT server or any other implementation
of SMB in a different workgroup.
'domain' level security requires joining the server to a
Windows NT domain (with smbpasswd -j on this release, or "net join"
on Samba 3). Samba will then validate login requests via a Windows
NT Primary or Backup Domain Controller.
The various security = levels of Samba are explained at:
http://samba.linuxbe.org/en/samba/learn/security.html
http://samba.linuxbe.org/en/samba/samples.html
http://us6.samba.org/samba/ftp/docs/textdocs/security_level.txt
For example, with a Windows NT4 Server as the Primary Domain
Controller, here is a matrix of where access is granted (Y) or
denied (N) for each "security =" level, according to the client's
Encrypted Passwords setting:
Client                      Domain  User  Server  Share  Encrypted
                                                          Passwords
------------------------------------------------------------------
Any Windows client with        Y      Y     Y       Y       Y
Encrypted Passwords = "Y"
Any Windows client with        N      N     Y       Y       N
Encrypted Passwords = "N"
The clients used were Windows 95/98/ME/NT4/2000/XP.
Where "N", Windows 95/98 and ME prompt for the IPC$ password; on
Windows NT4 onwards you may get "The account is not authorized to
logon from this station".
By default it is recommended to leave encrypted passwords
turned on and the choice for the type of access defaulted
to 'user'.
2. On the PDC we need to add a machine account for your member
samba server, as in step 4 of Scenario 2.
You then also need to run:
# smbpasswd -a -m <my_member_server>
Again, the hostname must be resolved by either the /etc/hosts
file or by DNS.
NOTE:
You do NOT need to create a machine account for the PDC
itself. That is already implied.
3. On the Member Samba Server:
# samba stop
# rm /etc/samba.d/secrets.tdb
# rm /var/locks/samba.d/*
# smbpasswd -j SMBTEST -r <my_pdc>
# samba start
If you do not remove the existing files above you may get
the following errors:
# smbpasswd -r <my_pdc> -j <my_domain>
cli_net_req_chal: Error NT_STATUS_INVALID_COMPUTER_NAME
cli_nt_setup_creds: request challenge failed
modify_trust_password: unable to setup the PDC credentials to
machine <my_pdc> Error was : NT_STATUS_UNSUCCESSFUL.
2002/10/31 15:43:56 : change_trust_account_password: Failed to
change password for domain <my_domain>.
Unable to join domain <my_domain>.
You should see:
2002/10/31 17:22:22 : change_trust_account_password: Changed
password for domain SMBTEST.
Joined domain SMBTEST.
NOTE:
You can join a Windows NT or Windows 2000 Domain this way
as well.
4. You should now have access to the [public] share on the member
samba server. Any files created will be owned by "nouser" as
there is no local account for the user you have logged in as.
You will need a local account on every machine. OpenServer does
not have the Linux PAM (Pluggable Authentication Modules), so
"pam_mkhomedir.so" will not work.
Winbind is also limited for the same reason. So that means you
have no choice but to create a local home account. You can lock
the password on this account if you like since the password
will be authenticated from the domain controller (only for MS
Windows clients).
For example, create a local user on the member samba server as
you did in Post Installation step 2.
It is recommended to keep the same UID when creating the user
so files can be transferred easily between servers.
Add to /etc/samba.d/smb.conf:
[homes]
comment = Home Directories
read only = No
browseable = No
and run "samba restart".
For the client you should now be able to see a $HOME directory
if you have logged in as that user.
Files created will be owned by that user.
If this is not correctly configured, when you try to access the
member server from a client it will prompt you for a login and password
and will never give you access.
At the end of this exercise you should be able to create a member
server in the domain and have access to it authenticated by the PDC.
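The following is an added example, not code from the article or from the Samba project: a small sh/awk audit that flattens an smb.conf and flags the settings the scenarios above warn about, namely share-level security, cleartext passwords, a missing "hosts allow" (recommended in the NOTES at the end of this article), guest-writable shares such as the [PUBLIC] test share in Post Installation step 6 and the [profiles] share in Scenario 2, and a writable [netlogon] (clients execute whatever logon script they find there). The two sample configurations inside it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article or from Samba: audit an smb.conf for the
# risky settings discussed in this article. Understands the classic
# "key = value" syntax only (no include files, section names without spaces).

# smbconf_flatten FILE: print "section<TAB>key<TAB>value" per parameter,
# lower-cased, comments dropped and whitespace trimmed, for the checks below.
smbconf_flatten() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
                        sec = tolower(sec); next }
        /=/           { key = $0; sub(/=.*$/, "", key)
                        val = $0; sub(/^[^=]*=/, "", val)
                        sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
                        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                        gsub(/[ \t]+/, " ", key)
                        printf "%s\t%s\t%s\n", sec, tolower(key), tolower(val) }
    ' "$1"
}

# smbconf_get FLAT SECTION KEY: value of the last matching parameter, or "".
smbconf_get() {
    awk -F'\t' -v s="$2" -v k="$3" '$1 == s && $2 == k { v = $3 } END { print v }' "$1"
}

# share_writable FLAT SECTION: "read only = no" or "writable/writeable = yes"
# (a Samba share is read only unless one of these says otherwise).
share_writable() {
    [ "$(smbconf_get "$1" "$2" "read only")" = no ] ||
    [ "$(smbconf_get "$1" "$2" writable)" = yes ] ||
    [ "$(smbconf_get "$1" "$2" writeable)" = yes ]
}

# smbconf_audit SMB_CONF: one finding per line; exit 0 when clean, 1 otherwise.
smbconf_audit() {
    flat=$(mktemp) || return 2
    smbconf_flatten "$1" > "$flat"
    n=0
    if [ "$(smbconf_get "$flat" global security)" = share ]; then
        echo "[global]: security = share (per-share, password-only access; use user or domain)"
        n=$((n + 1))
    fi
    if [ "$(smbconf_get "$flat" global "encrypt passwords")" = no ]; then
        echo "[global]: encrypt passwords = no (passwords cross the network in cleartext)"
        n=$((n + 1))
    fi
    if [ -z "$(smbconf_get "$flat" global "hosts allow")" ]; then
        echo "[global]: no hosts allow (every host that can reach port 139 may try to log in)"
        n=$((n + 1))
    fi
    for sec in $(cut -f1 "$flat" | sort -u); do
        [ "$sec" = global ] && continue
        if [ "$(smbconf_get "$flat" "$sec" "guest ok")" = yes ] && share_writable "$flat" "$sec"; then
            echo "[$sec]: guest ok = yes on a writable share (anonymous clients can write here)"
            n=$((n + 1))
        fi
        if [ "$sec" = netlogon ] && share_writable "$flat" netlogon; then
            echo "[netlogon]: writable (clients run logon scripts from here; keep it read only)"
            n=$((n + 1))
        fi
    done
    rm -f "$flat"
    [ "$n" -eq 0 ]
}

# Constructed samples: the article's quick-test config plus the [profiles] and
# [netlogon] shares from Scenario 2, and a hardened equivalent.
write_risky_conf() {
    cat > "$1" <<'EOF'
[global]
    security = SHARE
[PUBLIC]
    path = /home2
    read only = No
    guest ok = Yes
[profiles]
    path = /home/samba/profiles
    read only = no
    guest ok = yes
[netlogon]
    path = /home/samba/netlogon
    writeable = yes
EOF
}
write_hardened_conf() {
    cat > "$1" <<'EOF'
[global]
    security = user
    encrypt passwords = Yes
    hosts allow = 192.168.0.
[homes]
    read only = No
    browseable = No
[netlogon]
    path = /home/samba/netlogon
    guest ok = Yes
EOF
}

# Stand-alone run: audit both samples.
risky=$(mktemp); hardened=$(mktemp)
write_risky_conf "$risky"; write_hardened_conf "$hardened"
echo "== risky:";    smbconf_audit "$risky" || true
echo "== hardened:"; smbconf_audit "$hardened" && echo "no findings"
rm -f "$risky" "$hardened"
```

smbconf_audit exits non-zero when it finds anything, so it can sit next to the testparm check from the NOTES below in whatever script restarts Samba: run "smbconf_audit /etc/samba.d/smb.conf && samba restart".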
Scenario 4 - I wish to join my OpenServer server to an existing Windows
---------- NT4 Domain/2000 as a member server
You will need an existing Windows NT4 Primary Domain Controller (PDC)
or Windows 2000 PDC operating in "mixed mode".
1. Follow the steps for the previous scenario with the exception
of /etc/samba.d/smb.conf, which should not detail exactly the
name of the PDC (password) server. Rather it should look like
this:
[global]
workgroup = SMBTEST
security = DOMAIN
encrypt passwords = Yes
log file = /var/log/samba.d/log.%m
password server = *
2. In addition, in order to add the OpenServer computer to the NT
Domain you must at the console of the Windows NT PDC server,
use the Server Manager tool to add a machine account for an
MS Windows NT WorkStation / Server to the domain.
3. This must be done before the command:
# smbpasswd -j <my_domain> -r <my_pdc>
If not, you may find that you are prompted for a login and
password when you try to connect to a share on the OpenServer
server.
4. Run the command:
# samba restart
5. From a Windows client in the Windows NT Domain you should be
able to access the public shares and HOME directories for the
users in the Windows NT Domain.
NOTE:
For Windows 2000 Domains use the Computer Account Manager to add
the Computer Account as a Domain Controller and not as a normal
WorkStation or Server, otherwise you may get the error:
# smbpasswd -j <W2K_DOMAIN> -r <W2K_PDC>
cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
cli_nt_setup_creds: auth2 challenge failed
modify_trust_password: unable to setup the PDC credentials to machine
<W2K_PDC>.
Error was : NT_STATUS_ACCESS_DENIED.
2002/11/04 19:10:43 : change_trust_account_password: Failed to change
password for domain W2K_DOMAIN.
Unable to join domain W2K_DOMAIN.
At the end of this exercise you should be able to create a member
server in an NT domain and have access to it authenticated by the PDC.
NOTES:
Components from the OpenServer 5.0.7 Optional Services CD are not
supported on earlier releases of OpenServer.
Connections made by clients to the server remain open until the
client closes them, because Samba sets no idle timeout by default
(the "deadtime" parameter defaults to 0, which means idle
connections are never disconnected).
The "smbmount" command is not supported on the OpenServer
implementation of Samba.
See Technical Article 118208, "I am not able to use the SAMBA "smbmount" command."
For additional security use the "hosts allow" or "hosts deny"
options to restrict the clients accessing your server, eg.
[global]
hosts allow = <my_client>.fqdn
The "smbclient -M <my_client>" doesn't work with this Samba
implementation.
# echo "Hello World" | smbclient -M <my_client>
added interface ip=<my_server_ip> bcast=<my_bcast>
nmask=<my_netmask>
error connecting to <my_client_ip>:139 (Unknown error)
Error connecting to <my_client_ip> (Unknown error)
Connection to <my_client> failed
If you try to run this on the same server you get the error:
message start: ERRSRV - ERRmsgoff (Not receiving messages.)
This problem has been reported to SCO Engineering.
If you receive the following error messages when trying to start Samba
and you run the command "smbstatus":
Samba version 2.2.6
Service uid gid pid machine
----------------------------------------------
Failed to open byte range locking database
ERROR: Failed to initialize locking database
Can't initialize locking module - exiting
This problem has been reported to SCO Engineering and is caused by
ports 137 and 139 already being in use.
See /var/log/samba.d/log.nmbd
[2002/12/16 16:22:12, 0] lib/util_sock.c:open_socket_in(804)
bind failed on port 137 socket_addr = 0.0.0.0.
Error = Address already in use
and /var/log/samba.d/log.smbd
[2002/12/16 16:03:54, 0] lib/util_sock.c:open_socket_in(804)
bind failed on port 139 socket_addr = 0.0.0.0.
Error = Address already in use
This can be caused by having another SMB package installed such as the
Lan Manager Client or by having "SCO TPI NetBIOS for TCP/IP" in the
TCP/IP stack, which you can see by running "netconfig".
If you remove it from the stack, re-link the kernel and re-boot you
should be able to start Samba with the following correct messages in
the log file:
/var/log/samba.d/log.nmbd
Attempting to become domain master browser on workgroup SMBTEST on
subnet ...
[2002/12/16 16:26:08, 0] nmbd/nmbd_become_dmb.c:
become_domain_master_browser_bcast(305)
become_domain_master_browser_bcast: querying subnet ... for domain
master browser on workgroup SMBTEST
[2002/12/16 16:26:12, 0] nmbd/nmbd_logonnames.c:
become_logon_server_success(124) become_logon_server_success:
Samba is now a logon server for workgroup SMBTEST
on subnet ...
To debug your "smb.conf" run the command:
# /usr/lib/samba/bin/testparm /etc/samba.d/smb.conf
If you are trying to add your Windows WorkStation NT4, 2000 or XP
client to the domain, as defined in Scenario 2, and it fails with:
"Unable to add or change account on the domain.
The account information entered does not grant sufficient privilege
to create or change account"
The server has the following errors listed in /usr/adm/syslog:
Jan 21 13:53:58 teamref1 smbd[3111]: [2003/01/21 13:53:58, 0]
libsmb/smbencrypt.c:decode_pw_buffer(263)
Jan 21 13:53:58 teamref1 smbd[3111]: decode_pw_buffer: incorrect password
length (402379906).
This problem has been reported to SCO Engineering and has been seen
with Samba 2.2.6b and fixed with 2.2.6c.
NOTES:
VisionFS is no longer supported and will not function on later releases
of OpenServer, such as OpenServer6.
AFPS is no longer supported.
Samba is the recommended route for Windows connectivity providing file
and print services.
NOTES:
Where do I find the Samba files for v3.0.20?:
/bin/smb*
/usr/sbin/smb*
/etc/samba
/usr/lib/samba
/etc/init.d/?mb
/opt/K/SCO/samba
/var/opt/K/SCO/samba
/var/spool/samba
/var/run/samba
/usr/share/samba
/usr/share/doc/samba*
/usr/include/samba
Linked to:
/opt/K/SCO/samba
and also ensure 'swat' is also in your /etc/services file as:
# grep swat /etc/services
swat 901/tcp # samba web configuration tool
NOTES:
For Active Directory Support:
----------------------------
v3.0.24 on UnixWare714 and above has support for Active Directory.
However, there is no support for PAM/NSS under SCO OSR6, so NO
version of Samba 3.0.XX under OSR600 will be able to access an AD
server, even though the latest Samba release itself might have AD
support.
NOTES:
To prevent your Samba server from competing as a Master Browser on the
network and reduce network traffic, set "os level = 0" in the global
section of the smb.conf, ie:
# Global parameters
[global]
os level = 0
NOTES:
To determine how many users are connecting to Samba, use smbstatus
(see Post Installation step 5) or count the smbd processes, since
smbd forks one child per connected client (subtract one for the
parent daemon):
# ps -ef | grep "[s]mbd" | wc -l
SEE ALSO:
chmod(C)
useradd(ADM)
The Samba help Pages are available from SWAT "Home" or via "lynx" from:
/usr/lib/samba/swat
and from OpenServer's docview at:
http://<my_server>:8457/en/samba/index.html
Other existing Technical Articles are:
Troubleshooting a Samba Server (Ref. #000412-0020)
File and Print Server: Samba on OpenLinux 3.1 (Ref. #011101-0012)
Technical Article 118844, "Samba fails to compile on OpenServer 5.0.6 with supplement
RS506A installed."
Technical Article 118223, "Is there any documentation for OpenLinux on how to
configure an OpenLinux 3.1.1 as a BackOffice Server?"
Technical Article 118707, "When I try to connect to user's share whose username is
greater than 12 characters, I get the error, "The network name cannot
be found"."
Technical Article 118208, "I am not able to use the SAMBA "smbmount" command."
Technical Article 116828, "VisionFS 3, When I access a server I only see the global
shares that a guest account would see."
Technical Article 114823, "How do I download, compile and install the latest version
of SAMBA for UnixWare/Open UNIX 8.0.0"
Technical Article 114822, "How do I download, compile and install the latest version
of SAMBA for OpenServer?"
Samba Security Levels:
http://samba.linuxbe.org/en/samba/learn/security.html
http://samba.linuxbe.org/en/samba/samples.html
http://us6.samba.org/samba/ftp/docs/textdocs/security_level.txt
Configuring as a Backup Domain Controller:
http://us4.samba.org/samba/ftp/docs/htmldocs/Samba-BDC-HOWTO.html
Encrypted Passwords:
http://samba.linuxbe.org/en/samba/learn/encryption.html
http://freebooks.by.ru/view/LinuxNetworkSolution/31620085.htm
http://enterprise.iet.auc.dk/Computer_ressources/Samba/plain_password.html
http://netsys.syr.edu/ops/printing/printencrypt.html
http://www.jsanten.demon.nl/samba/smb_conf_adv.htm
Configuring Windows Clients:
http://www.oreilly.com/catalog/samba/chapter/book/ch03_01.html
http://www.oreilly.com/catalog/samba/chapter/book/ch03_02.html
Troubleshooting Samba:
http://www.oreilly.com/catalog/samba/chapter/book/ch09_01.html
http://www.oreilly.com/catalog/samba/chapter/book/ch09_02.html
http://www.oreilly.com/catalog/samba/chapter/book/ch09_03.html
http://www.samba.org