Samba as PDC for NT clients

Samba 2.0.x can act as PDC only to NT4 clients. If  you have Windows2000 clients, you'll have to use Samba 2.2.x or the forked branch Samba TNG ("The New Generation.") As of June 2001, I have only tested the 2.2.x version, which seems to work.

Setup

1. Install Samba 2.2.x
2. Create an empty smbpasswd file: touch /etc/samba/smbpasswd ; chmod go-rwx /etc/samba/smbpasswd
3. Create a group to contain computer accounts: grpadd machines
4. Create an administrator account that is allowed to add hosts to the domain: useradd -c "Samba admin account" -s /bin/false -d /dev/null ntadmin ; smbpasswd -a ntadmin
5. Create a computer account for the new W2K host you wish to add to the domain: useradd -g machines -c "W2K host" -s /bin/false -d /dev/null w2kclient$ ; smbpasswd -a -m w2kclient$
6. Create a user account for the W2K user: useradd -c "User account" -s /bin/bash -d /home/jdoe jdoe ; smbpasswd -a jdoe
7. Edit smb.conf:
   workgroup = MYDOMAIN
security = user
encrypt passwords = yes
#Just to make sure this host wins any election to become master browser
os level = 255
local master = yes
domain master = yes
preferred master = yes
domain logons = yes

;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat
 
# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
#   logon path = \\%L\Profiles\%U
#logon drive = H:
#logon home = \\%N\%U\profile
wins support = yes

[netlogon]
comment = Network Logon Service
write list = ntadmin
path = /var/log/samba/netlogon
;   guest ok = yes
writable = no
;   share modes = no
 
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[Profiles]
path = /var/log/samba/ntprofile
writable = yes
create mask = 0600
directory mask = 0700
;    browseable = no
;    guest ok = yes
On the W2K client, right-click on My Computer, followed by Properties | Network Identification | Properties, and select Domain. Use the ntadmin account defined above to add this host to the domain. There is a 60s wait until you get the "Welcome to xxx domain" dialog. Reboot.
Log on with the user account that you defined above (jdoe, here)

Winbind: Delegating Unix authentication to an NT PDC

Haven't tried yet. http://www.ibiblio.org/pub/packages/samba/docs/htmldocs/winbind.html

Sharing a Linux printer through Samba

[global]
        printing = BSD
        print command = /usr/bin/lpr -r  %s
	printcap file = /etc/printcap

[printers]
        path = /var/spool/printer
        printable = true 
        guest ok = true
        guest account = pcguest

[printer1]
        printable = yes
        printer = lp
        read only = yes
        guest ok = yes

1. Install the drivers for the printer on a Windows client (the printer need not be attached).
2. Create a printer definition file from the information on a Windows machine: Go into c:\windows\inf\, and grep through MSPRINT?.INF to find the record for the driver. Once you found which MSPRINT?.INF contains the right driver, make_printerdef MSPRINT3.INF "HP DeskJet 560C Printer" >printers.def.
3. Create a PRINTER$ share where the resulting driver files can be placed, as indicated by make_printerdef. Remember to also copy printers.def into the directory pointed to by PRINTER$ [PRINTER$] path = /usr/local/samba/print read only = yes browsable = no guest ok = yes
4. Modify the Samba configuration file accordingly. [global] printer driver file = /usr/local/samba/print/printers.def [hpdeskjet] path = /var/spool/samba/printers printable = yes printer driver = HP DeskJet 560C Printer printer driver location = \\%L\PRINTER$

Disabling use of encrypted password mode in 9x/NT

The best solution is to set up the Samba server to handle encrypted passwords by adding "encrypt password=yes" in smb.conf, and managing encrypted passwords, either by converting hashed passwords from /etc/shadow into /etc/smbpasswd when using security=[ share | user ] (which is a better solution than having users set their Unix password into /etc/shadow by using the standard passwd command, and then adding their password a second time in the /etc/smbpasswd Samba password file by running the smbpasswd command), or by delegating authentication to an NT server (security = [ server | domain ].

Another, less-satisfactory solution is to force those Windows hosts to send the user's password in clear-text. For this, edit the following key in the Registry:

	[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP]
	" EnablePlainTextPassword"=dword:00000001

Keeping smbpasswd and /etc/shadow in sync

        unix password sync = yes
        passwd program = /usr/bin/passwd %u

Using Samba as time server

Resolving NetBIOS names

Browsing, a.k.a. Network Neighborhood

Each subnet runs a Local Master Browser. Those lists are uploaded to a Domain Master Browser, which Local Master Browsers queries to download a complete, up-to-date list of hosts available. For synchronization to occur, use remote announce = . If your network has several sub-nets (and routers do not forward broadcasts), you must have a host acting as WINS server so that clients can resolve their NetBIOS name into IP addresses.

Note that an NT PDC will always be the Domain Master Browser for a domain, so it's not a good idea to set a Samba server to become one (ie. do not use domain master = yes if an NT PDC is available in your domain.) To allow the Samba to participate in the election to become the Local Master Browser, set local master = yes. Although not recommended, if you want Samba to win against NT Servers, set os level = 65.

(CHECK) To find out which host is the Local Master Browser (ie. registered resource __MSBROWSE__ <01> for the domain), run #nmblookup SIMPLE#01 .

(CHECK) To find out which host is the Domain Master Browser (ie. registered resource <1B> for the domain), run #nmblookup SIMPLE#1B .

Note that in a Windows 2000 environment, browsing has been replaced with Active Directory, and has been kept only for backwards compatibility.

Smbclient

Instant Messaging, a.k.a. WinPopUp/net send

Backing up remote Windows hosts with Samba

Smbtar

	for host in `cat ./hosts.txt`
	do
		smbtar -s $host -u test%tttttttt -x backup -d / -t /dev/tape -v *.c *.cpp *.h
	done
	

Smbclient

Downloading files into a directory

	#!/bin/bash
	#------- Remove old log files
	if [ -f ./log.txt ]
	then
	        mv ./log.txt ./log.txt.prev
	fi
	
	if [ -f ./log.err.txt ]
	then
	        mv ./log.err.txt ./log.err.txt.prev
	fi
	
	exec >./log.txt 2>./log.err.txt
	
	#----------- Start copying
	if [ ! -d ./AcmeBackup ]
	then
	        mkdir ./AcmeBackup
	fi 
	
	cd ./AcmeBackup
	
	for host in `cat ../acme.txt`
	do
	        if [ ! -d ./$host ]
	        then
	                mkdir ./$host
	        fi 
	
	        cd ./$host
	
	        echo Started backing up $host at `date`
	
	        smbclient //$host/backup -U BackupExec%password -R wins << EOF > /dev/null
	        prompt off
	        recurse
	
	        mask *.c
	        mget *
	
	        mask *.cpp
	        mget *
	
	        mask *.h
	        mget *
	
	        exit
	EOF
	
	        echo Back up of $host ended at `date`
	
	        cd ..
	
	done
	

Downloading files into a tarball

Mounting remote SMB shares

Setting up Windows hosts with NetBeui and TCP/IP

Moving from Samba 3 to Samba 4

Q&A

Why can I copy/delete a file on an SD card, but not overwrite?

If the SD card is formatted in VFAT(FAT32), it's because it doesn't support Linux access rights: They are set through the settings in /etc/fstab.

Syslog complains with "At this time the 'samba' binary should only be used for either"

# systemctl disable samba-ad-dc

# systemctl enable samba nmbd.service smbd.service

How to force new files to be 644?

Don't know which does the trick, but this works:

force create mode = 0644

create mask = 0664

security mask = 0664

force security mode = 0664

readonly vs. writable? guest ok vs. public?

"readonly=no" and "writ(e)able=yes" mean the same thing.

Likewise for "guest ok = yes" and "public = yes".

If "security=share option is deprecated", how to build a free-for-all share?

Just add those two lines to enable anyone to read/write files in a share without being prompted for a login/password:

security = user

map to guest = Bad User

Unable to connect to CUPS server localhost:631 - Connection refused

If the server will not handle printers, add "printing = bsd" and "printcap name = /dev/null" to get rid of this warning in the log:

Unable to connect to CUPS server localhost:631 - Connection refused

failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL

How to make network browsing work with two Samba hosts on the LAN?

After adding a second Samba server on the same LAN with no browser-related settings, I reconfigured the second host thusly:

[global]

...

netbios name = UBUNTU

 

wins support = yes

domain master = yes

local master = yes

preferred master = yes

os level = 255

... and the first host thusly:

local master = no

Reload nmbd on the new domain/local master and check that it won the election.

How to sync Windows login + passwd with Linux?

Which user.group does Samba use to run?

Just run "/etc/init.d/smbd start" and "/etc/init.d/nmbd start", followed by "ps aux | grep mbd" to check

How to tell Samba to run under a non-root user?

It's not possible, as Samba must bind to priviledged ports anyway. Also, Samba must run as root so it can change the Euid of the process to perform some operations.

Running Samba as chroot is a good way to run Samba securely.

What happens if the Windows account doesn't exist on Samba?

;reason to handle unknown user

;other possible reasons: never, bad password, bad uid

map to guest = bad user

;allow guest account

guest ok = yes

;which guest account to use instead

guest account = smbguest

Samba-TNG? LikeWise?

Samba-TNG is a fork of Samba that occured in 2000, but seems to have not achieved much.

Likewise is a dual-licensed that lets a Unix server be part of a Windows Active Directory and thus, delegates authentication. Apparently, it also includes a full alternative to Samba as SMB/CIFS server.

Likewise, I'm Sure - After the dust settled, it turns out that Samba and Likewise can co-exist after all.

CEO Perspective: History Behind Likewise-CIFS

What do those error messages mean?

• smbd/files.c:file_init(193) file_init: Information only: requested 10000 open files, 5401 are available.
• smbd/server.c:open_sockets_smbd(527) open_sockets_smbd: accept: Software caused connection abort
• lib/util_sock.c:get_peer_addr(1232) getpeername failed. Error was Socket is not connected

How to hide Unix .files?

veto files = /.??*/

When connecting to a Samba share, I'm prompted for a password for user IPC$

1. If not done already, run useradd jdoe to create a matching user account on the Samba server
2. In smb.conf, go to the [global] section, and add encrypt password=yes
3. smbpasswd -a jdoe (where jdoe must have been created above with useradd)

Voilà! User jdoe has an account on the Samba server (/etc/password), an MD5-hashed password (/etc/shadow), and his password is also available in Samba's database /etc/smbpasswd to keep Windows happy.

What is the difference between security=share and security=user?

security=share is deprecated anyway.

Removing a computer account

As root, run smbpasswd -x w2kclient$

Checking connection to Samba

Open a DOS box, and run "net use \\mylinux\ipc$ /user:jdoe", where jdoe is the user account that you created above

Mapping a drive letter to a Samba share

Open a DOS box, and run "net use x: \\mylinux\jdoe". If you are not logged on as user jdoe on the Windows host, run "net use x: \\mylinux\jdoe /user:jdoe", and type jdoe's password as entered when you ran smbpasswd to create this user's encrypted password

Removing a drive letter

net use x: /d

Finding which host is running as local master browser

On a host running Samba, type nmblookup -M - (or nmblookup -M MYDOMAIN)

Resources

Books

• Using Samba, 3rd Edition, 2007
• Samba3-HOWTO
• Samba3-ByExample

Sites

• The Samba user mailing list can also be reached through Google (moderated): https://groups.google.com/forum/#!forum/linux.samba
• A free online version O'Reilly's Using Samba is available from their web site.
• http://www.linuxworld.com/linuxworld/lw-2000-11/lw-11-samba_p.html
• http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba_p.html
• All about browsing (ie. Network Neighborhood) http://www.microsoft.com/ntserver/zipdocs/ntbrowse.exe, http://support.microsoft.com/support/kb/articles/Q188/3/05.ASP, http://support.microsoft.com/support/kb/articles/Q102/8/78.ASP, http://support.microsoft.com/support/kb/articles/Q188/0/01.ASP, http://support.microsoft.com/support/kb/articles/Q232/5/11.ASP, http://support.microsoft.com/support/kb/articles/Q150/8/00.ASP
• LSP utility to automate migration from NT to Linux
• Build A Primary Domain Controller With Samba
• Dancing The Samba (part 1)
• Fast start with Samba
• Myths About Samba by Andrew Tridgell
• Managing Samba: Choose your weapon -- Windows network ID basics by John H Terpstra
• Fedora 13 Samba Standalone Server With tdbsam Backend by Falko Timme

Temp stuff

• http://us1.samba.org/samba/ftp/appliance/winbind.pdf
• http://www.mami.net/univr/tng-ldap/howto/
• http://www.openldap.org/lists/openldap-software/200010/msg00097.html
• http://www.rage.net/ldap/nss.shtm
• /usr/bin/smbadduser