<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % globalent SYSTEM "../../libs/global.ent">
<!ENTITY % gnome-menus-C SYSTEM "../../libs/gnome-menus-C.ent">
<!ENTITY % xinclude SYSTEM "../../libs/xinclude.mod">
<!ENTITY language "&EnglishAmerican;">
<chapter id="windows-networking" status="review">
<title>Windows Networking</title>
Computer networks are often made up of diverse systems, and while operating a network
consisting entirely of Ubuntu desktop and server computers would certainly be fun, some network environments
must consist of both Ubuntu and <trademark class='registered'>Microsoft</trademark>
<trademark class='registered'>Windows</trademark> systems working together in harmony.
This section of the &ubuntu; &sg-title; introduces principles and tools used in
configuring your Ubuntu Server for sharing network resources with Windows computers.
<sect1 id="windows-networking-introduction" status="review">
<title>Introduction</title>
Successfully networking your Ubuntu system with Windows clients involves providing and integrating with services
common to Windows environments. Such services assist the sharing of data and information about the computers
and users involved in the network, and may be classified under three major categories of functionality:
<emphasis role="bold">File and Printer Sharing Services</emphasis>. Using the Server Message Block (SMB)
protocol to facilitate the sharing of files, folders, volumes, and printers throughout the network.
<emphasis role="bold">Directory Services</emphasis>. Sharing vital information about the computers and users of
the network with such technologies as the Lightweight Directory Access Protocol (LDAP) and Microsoft
<trademark class='registered'>Active Directory</trademark>.
<emphasis role="bold">Authentication and Access</emphasis>. Establishing the identity of a computer or user of
the network and determining the information the computer or user is authorized to access using such principles
and technologies as file permissions, group policies, and the Kerberos authentication service.
Fortunately, your Ubuntu system may provide all such facilities to Windows clients and share network resources
among them. One of the principal pieces of software your Ubuntu system includes for Windows networking is the Samba
suite of SMB server applications and tools.
This section of the &ubuntu; &sg-title; will introduce some of the common Samba use cases, and how to
install and configure the necessary packages. Additional detailed documentation and information on Samba can be found
on the <ulink url="http://www.samba.org">Samba website</ulink>.
<sect1 id="samba-fileserver" status="review">
<title>Samba File Server</title>
One of the most common ways to network Ubuntu and Windows computers is to configure Samba as a File Server. This section
covers setting up a <application>Samba</application> server to share files with Windows clients.
The server will be configured to share files with any client on the network without prompting for a password. If
your environment requires stricter Access Controls see <xref linkend="samba-fileprint-security"/>.
<sect2 id="samba-fileserver-installation" status="review">
<title>Installation</title>
The first step is to install the <application>samba</application> package. From a terminal prompt enter:
<command>sudo apt-get install samba</command>
That's all there is to it; you are now ready to configure Samba to share files.
<sect2 id="samba-fileserver-configuration" status="review">
<title>Configuration</title>
The main Samba configuration file is located in <filename>/etc/samba/smb.conf</filename>. The default configuration file
has a significant amount of comments in order to document various configuration directives.
Not all the available options are included in the default configuration file. See the <filename>smb.conf</filename>
<application>man</application> page or the
<ulink url="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/">Samba HOWTO Collection</ulink> for more details.
First, edit the following key/value pairs in the <emphasis>[global]</emphasis> section of
<filename>/etc/samba/smb.conf</filename>:
The <emphasis>security</emphasis> parameter is further down in the [global] section, and is commented by default.
Also, change <emphasis>EXAMPLE</emphasis> to better match your environment.
Create a new section at the bottom of the file, or uncomment one of the examples, for the directory to be shared:
comment = Ubuntu File Server Share
path = /srv/samba/share
<emphasis>comment:</emphasis> a short description of the share. Adjust to fit your needs.
<emphasis>path:</emphasis> the path to the directory to share.
This example uses <filename>/srv/samba/sharename</filename> because, according to the
<emphasis>Filesystem Hierarchy Standard (FHS)</emphasis>,
<ulink url="http://www.pathname.com/fhs/pub/fhs-2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM">/srv</ulink>
is where site-specific data should be served. Technically Samba shares can be placed anywhere on the filesystem
as long as the permissions are correct, but adhering to standards is recommended.
<emphasis>browsable:</emphasis> lists the share in the browse list that Windows clients see in
<application>Windows Explorer</application>. A share with browsable set to no is hidden from that list but can still be
opened by name, so this is a convenience setting, not an access control.
<emphasis>guest ok:</emphasis> allows clients to connect to the share without supplying a password.
<emphasis>read only:</emphasis> determines if the share is read only or if write privileges are granted. Write privileges are allowed only when the value is <emphasis>no</emphasis>, as is seen in this example. If the value is <emphasis>yes</emphasis>, then access to the share is read only.
<emphasis>create mask:</emphasis> determines the permissions new files will have when created: the Unix mode derived from
the client's request is ANDed with this mask, so it sets the maximum permission bits a file created through the share
can receive.
Now that <application>Samba</application> is configured, the directory needs to be created and the permissions
changed. From a terminal enter:
<command>sudo mkdir -p /srv/samba/share</command>
<command>sudo chown nobody:nogroup /srv/samba/share/</command>
The <emphasis>-p</emphasis> switch tells mkdir to create the entire directory tree if it doesn't exist.
Finally, restart the <application>samba</application> services to enable the new configuration:
<command>sudo restart smbd</command>
<command>sudo restart nmbd</command>
Once again, the above configuration gives unauthenticated write access to any client that can reach the server, not
only to the machines you think of as the local network. For a more secure
configuration see <xref linkend="samba-fileprint-security"/>.
From a Windows client you should now be able to browse to the Ubuntu file server and see the shared directory. To
check that everything is working try creating a directory from Windows.
To create additional shares simply create new <emphasis>[dir]</emphasis> sections in
<filename>/etc/samba/smb.conf</filename>, and restart <emphasis>Samba</emphasis>. Just make sure that the directory
you want to share actually exists and the permissions are correct.
The file share named <emphasis>"[share]"</emphasis> and the path <filename>/srv/samba/share</filename> are just examples.
Adjust the share and path names to fit your environment. It is a good idea to name a share after a directory on the
file system. Another example would be a share name of <emphasis>[qa]</emphasis> with a path of <filename>/srv/samba/qa</filename>.
<sect2 id="samba-fileserver-resources" status="review">
<title>Resources</title>
For in depth Samba configurations see the
<ulink url="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/">Samba HOWTO Collection</ulink>
The guide is also available in
<ulink url="http://www.amazon.com/exec/obidos/tg/detail/-/0131882228">printed format</ulink>.
O'Reilly's <ulink url="http://www.oreilly.com/catalog/9780596007690/">Using Samba</ulink> is another good
The <ulink url="https://help.ubuntu.com/community/Samba">Ubuntu Wiki Samba</ulink> page.
<sect1 id="samba-printserver" status="review">
<title>Samba Print Server</title>
Another common use of Samba is to configure it to share printers installed, either locally or over the network, on
an Ubuntu server. Similar to <xref linkend="samba-fileserver"/> this section will configure Samba to allow any client
on the local network to use the installed printers without prompting for a username and password.
For a more secure configuration see <xref linkend="samba-fileprint-security"/>.
<sect2 id="samba-printserver-installation" status="review">
<title>Installation</title>
Before installing and configuring Samba it is best to already have a working <application>CUPS</application>
installation. See <xref linkend="cups"/> for details.
To install the <application>samba</application> package, from a terminal enter:
<command>sudo apt-get install samba</command>
<sect2 id="samba-printserver-configuration" status="review">
<title>Configuration</title>
After installing samba edit <filename>/etc/samba/smb.conf</filename>. Change the <emphasis>workgroup</emphasis>
attribute to what is appropriate for your network, and change <emphasis>security</emphasis> to
<emphasis role="italic">share</emphasis>:
Note that <emphasis>security = share</emphasis> was removed in Samba 4.0. On releases from 4.0 onward keep
<emphasis>security = user</emphasis> and set <emphasis>map to guest = Bad User</emphasis> in the [global] section
instead: logins with an unknown username are then mapped to the guest account, which gives the same password-less
printing for guest shares while still rejecting wrong passwords for real accounts.
In the <emphasis>[printers]</emphasis> section change the <emphasis>guest ok</emphasis> option to <emphasis role="italic">yes</emphasis>:
After editing <filename>smb.conf</filename> restart Samba:
<command>sudo restart smbd</command>
<command>sudo restart nmbd</command>
The default Samba configuration will automatically share any printers installed. Simply install the printer locally
on your Windows clients.
<sect2 id="samba-printserver-resources" status="review">
<title>Resources</title>
For in depth Samba configurations see the
<ulink url="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/">Samba HOWTO Collection</ulink>
The guide is also available in
<ulink url="http://www.amazon.com/exec/obidos/tg/detail/-/0131882228">printed format</ulink>.
O'Reilly's <ulink url="http://www.oreilly.com/catalog/9780596007690/">Using Samba</ulink> is another good
Also, see the <ulink url="http://www.cups.org/">CUPS Website</ulink> for more information on configuring CUPS.
The <ulink url="https://help.ubuntu.com/community/Samba">Ubuntu Wiki Samba</ulink> page.
<sect1 id="samba-fileprint-security" status="review">
<title>Securing a Samba File and Print Server</title>
<sect2 id="samba-security-mode" status="review">
<title>Samba Security Modes</title>
There are two security levels available to the Common Internet Filesystem (CIFS) network protocol:
<emphasis>user-level</emphasis> and <emphasis>share-level</emphasis>. Samba's <emphasis>security mode</emphasis>
implementation allows more flexibility, providing four ways of implementing user-level security and one way to
implement share-level:
<emphasis>security = user:</emphasis> requires clients to supply a username and password to connect to shares.
Samba user accounts are separate from system accounts, but the <application>libpam-smbpass</application>
package will sync system users and passwords with the Samba user database.
<emphasis>security = domain:</emphasis> in this mode the Samba server is a Domain Member Server (DMS) of an NT4-style
domain and passes the credentials it receives to the domain's Primary Domain Controller (PDC) or Backup Domain
Controller (BDC) for validation, exactly as a Windows NT member server would. A Samba server that is itself the PDC or
BDC does not use this mode; it runs with <emphasis>security = user</emphasis> and <emphasis>domain logons = yes</emphasis>.
See <xref linkend="samba-dc"/> for further information.
<emphasis>security = ADS:</emphasis> allows the Samba server to join an Active Directory domain as a native
member. See <xref linkend="samba-ad-integration"/> for details.
<emphasis>security = server:</emphasis> this mode is left over from before Samba could become a member server, and
due to some security issues should not be used. See the
<ulink url="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id349531">Server Security</ulink>
section of the Samba guide for more details.
<emphasis>security = share:</emphasis> allows clients to connect to shares without supplying a username and
The security mode you choose will depend on your environment and what you need the Samba server to accomplish.
<sect2 id="samba-user-security" status="review">
<title>Security = User</title>
This section will reconfigure the Samba file and print server, from <xref linkend="samba-fileserver"/> and
<xref linkend="samba-printserver"/>, to require authentication.
First, install the <application>libpam-smbpass</application> package which will sync the system users to the Samba
<command>sudo apt-get install libpam-smbpass</command>
If you chose the <emphasis>Samba Server</emphasis> task during installation <application>libpam-smbpass</application>
is already installed.
Edit <filename>/etc/samba/smb.conf</filename>, and in the <emphasis>[share]</emphasis> section change:
Finally, restart Samba for the new settings to take effect:
<command>sudo restart smbd</command>
<command>sudo restart nmbd</command>
Now when connecting to the shared directories or printers you should be prompted for a username and password.
If you choose to map a network drive to the share you can check the <quote>Reconnect at Logon</quote> check
box and let Windows remember the credentials, so that you only enter the username and password once, at least until
the password changes.
<sect2 id="samba-share-security" status="review">
<title>Share Security</title>
There are several options available to increase the security for each individual shared directory. Using the
<emphasis>[share]</emphasis> example, this section will cover some common options.
<sect3 id="windows-networking-groups" status="review">
<title>Groups</title>
Groups define a collection of computers or users which have a common level of access to particular network
resources and offer a level of granularity in controlling access to such resources. For example, if a group
<emphasis role="italic">qa</emphasis> is defined and contains the users <emphasis role="italic">freda</emphasis>,
<emphasis role="italic">danika</emphasis>, and <emphasis role="italic">rob</emphasis> and a second group
<emphasis role="italic">support</emphasis> is defined and consists of users <emphasis role="italic">danika</emphasis>,
<emphasis role="italic">jeremy</emphasis>, and <emphasis role="italic">vincent</emphasis> then certain network
resources configured to allow access by the <emphasis role="italic">qa</emphasis> group will subsequently enable
access by freda, danika, and rob, but not jeremy or vincent. Since the user <emphasis role="italic">danika</emphasis>
belongs to both the <emphasis role="italic">qa</emphasis> and <emphasis role="italic">support</emphasis> groups, she
will be able to access resources configured for access by both groups, whereas all other users will have access only
to resources explicitly allowing the group they are part of.
By default Samba looks for the local system groups defined in <filename>/etc/group</filename> to determine which users
belong to which groups. For more information on adding and removing users from groups see
<xref linkend="adding-deleting-users"/>.
When defining groups in the Samba configuration file, <filename>/etc/samba/smb.conf</filename>, the recognized syntax
is to preface the group name with an "@" symbol. For example, if you wished to define a group named
<emphasis role="italic">sysadmin</emphasis> in a certain section of the <filename>/etc/samba/smb.conf</filename>,
you would do so by entering the group name as <emphasis role="bold">@sysadmin</emphasis>. An "@" entry is looked up
first as an NIS netgroup and then as a UNIX group; prefixing the name with "+" restricts the lookup to UNIX groups and
"&amp;" to NIS netgroups, which prevents a netgroup of the same name from silently taking precedence.
<sect3 id="samba-file-permissions" status="review">
<title>File Permissions</title>
File Permissions define the explicit rights a computer or user has to a particular directory, file, or set of
files. Such permissions may be defined by editing the <filename>/etc/samba/smb.conf</filename> file and specifying
the explicit permissions of a defined file share.
For example, if you have defined a Samba share called <emphasis>share</emphasis> and wish to give
<emphasis role="italic">read-only</emphasis> permissions to the group of users known as
<emphasis role="italic">qa</emphasis>, but wanted to allow writing to the share by the group called
<emphasis role="italic">sysadmin</emphasis> and the user named <emphasis role="italic">vincent</emphasis>,
then you could edit the <filename>/etc/samba/smb.conf</filename> file, and add the following entries under
the <emphasis>[share]</emphasis> entry:
write list = @sysadmin, vincent
Another possible Samba permission is to declare <emphasis>administrative</emphasis> permissions to a
particular shared resource. Users having administrative permissions may read, write, or modify any information
contained in the resource the user has been given explicit administrative permissions to. Samba performs all file
operations for these users as <emphasis>root</emphasis>, so ownership and filesystem permissions no longer constrain
them on that share; keep this list as short as possible.
For example, if you wanted to give the user <emphasis role="italic">melissa</emphasis> administrative permissions to
the <emphasis role="italic">share</emphasis> example, you would edit the
<filename>/etc/samba/smb.conf</filename> file, and add the following line under the
<emphasis>[share]</emphasis> entry:
admin users = melissa
After editing <filename>/etc/samba/smb.conf</filename>, restart Samba for the changes to take effect:
<command>sudo restart smbd</command>
<command>sudo restart nmbd</command>
For the <emphasis>read list</emphasis> and <emphasis>write list</emphasis> to work the Samba security mode
must <emphasis>not</emphasis> be set to <emphasis role="italic">security = share</emphasis>.
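To see how the lists from the Groups and File Permissions sections combine, here is an added Python example; it is not code from the Ubuntu Server Guide or from Samba. It parses smb.conf-style text with the standard library and applies the precedence documented in smb.conf(5) for invalid users, valid users, admin users, write list, read list and read only to the guide's example users. The group table and the second, hardened configuration are constructed for the example, melissa's membership of sysadmin is an assumption, and "@" and "+" entries are both resolved as Unix groups (the NIS netgroup lookup is not modelled).

```python
"""Model Samba's per-share access lists and report who can do what on a share.

Added example: not code from the Ubuntu Server Guide or from Samba.  It parses
smb.conf-style text with configparser and applies the precedence documented in
smb.conf(5):

  invalid users -> denied, whatever the other lists say
  valid users   -> when set, only listed users / @groups may connect
  admin users   -> full access, and every file operation runs as root
  write list    -> write access even when read only = yes
  read list     -> read-only even when read only = no (write list wins if in both)
  read only     -> the default for everyone not listed (yes unless set otherwise)
"""
import configparser

# Constructed stand-in for /etc/group built from the guide's example users.
# melissa being a member of sysadmin is an assumption made for this example.
GROUPS = {
    "qa": {"freda", "danika", "rob"},
    "support": {"danika", "jeremy", "vincent"},
    "sysadmin": {"melissa"},
}

# The guide's file-server share plus the lists from "File Permissions".
# With read only = no, anyone who is on neither list still gets write access.
LOOSE_CONF = """
[global]
   workgroup = EXAMPLE
   security = user

[share]
   comment = Ubuntu File Server Share
   path = /srv/samba/share
   browsable = yes
   guest ok = no
   read only = no
   read list = @qa
   write list = @sysadmin, vincent
   admin users = melissa
"""

# Hardened variant: default to read-only and admit only the intended principals.
STRICT_CONF = LOOSE_CONF.replace(
    "read only = no",
    "read only = yes\n   valid users = @qa, @sysadmin, vincent",
)


def parse_smb_conf(text):
    """Return {section: {key: value}}; Samba ignores case and spaces in keys."""
    cp = configparser.RawConfigParser(
        strict=False, delimiters=("=",), empty_lines_in_values=False
    )
    cp.read_string(text)
    return {
        sect: {k.replace(" ", "").lower(): v.strip() for k, v in cp.items(sect)}
        for sect in cp.sections()
    }


def in_list(user, spec, groups):
    """True if user is named in a Samba user list directly or via a group entry.

    Entries are separated by spaces or commas.  '@', '+' and '&' prefixes are
    all resolved against the Unix group table here (netgroups not modelled).
    """
    for entry in spec.replace(",", " ").split():
        if entry[0] in "@+&":
            if user in groups.get(entry[1:], set()):
                return True
        elif entry == user:
            return True
    return False


def is_yes(value, default):
    """Parse a Samba boolean (yes/no, true/false, 1/0)."""
    if value is None:
        return default
    return value.lower() in ("yes", "true", "1")


def share_access(conf, share, user, groups=GROUPS):
    """Return 'denied', 'read', 'write' or 'admin' for user on the named share."""
    s = conf[share]
    if in_list(user, s.get("invalidusers", ""), groups):
        return "denied"
    valid = s.get("validusers", "")
    if valid and not in_list(user, valid, groups):
        return "denied"
    if in_list(user, s.get("adminusers", ""), groups):
        return "admin"  # all file operations performed as root
    if in_list(user, s.get("writelist", ""), groups):
        return "write"  # write list beats read list when a user is in both
    if in_list(user, s.get("readlist", ""), groups):
        return "read"
    # Everyone else gets the share default (the inverted synonyms
    # writeable/writable are not modelled here).
    return "read" if is_yes(s.get("readonly"), True) else "write"


def audit(conf, share, users, groups=GROUPS):
    """Map each user to its effective access; refuse to reason under security = share."""
    if conf.get("global", {}).get("security", "user").lower() == "share":
        raise ValueError("user lists are ignored when security = share")
    return {u: share_access(conf, share, u, groups) for u in users}


if __name__ == "__main__":
    users = ["freda", "danika", "vincent", "melissa", "jeremy", "outsider"]
    for label, text in (("loose", LOOSE_CONF), ("strict", STRICT_CONF)):
        print(label, audit(parse_smb_conf(text), "share", users))
```

Run as a script it prints both tables. The point to notice is that with read only = no the guide's share leaves every authenticated user who is on neither list (jeremy here) with write access; the hardened variant defaults to read only = yes and names the permitted principals in valid users, so jeremy and unknown accounts are refused the connection outright.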
Now that Samba has been configured to limit which groups have access to the shared directory, the filesystem permissions
Traditional Linux file permissions do not map well to Windows NT Access Control Lists (ACLs). Fortunately POSIX ACLs
are available on Ubuntu servers providing more fine grained control. For example, to enable ACLs on
<filename>/srv</filename> an EXT3 filesystem, edit <filename>/etc/fstab</filename> adding the
<emphasis>acl</emphasis> option:
UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv ext3 noatime,relatime,acl 0 1
Then remount the partition:
<command>sudo mount -v -o remount /srv</command>
On ext4 filesystems created by recent Ubuntu releases <emphasis>acl</emphasis> is already among the default mount
options recorded in the superblock (listed by <application>tune2fs</application> -l), in which case neither step is needed.
The above example assumes <filename>/srv</filename> on a separate partition. If <filename>/srv</filename>,
or wherever you have configured your share path, is part of the <filename>/</filename> partition a reboot may be
To match the Samba configuration above the <emphasis>sysadmin</emphasis> group will be given read, write, and execute
permissions to <filename>/srv/samba/share</filename>, the <emphasis>qa</emphasis> group will be given read and execute
permissions, and the files will be owned by the username <emphasis>melissa</emphasis>. Enter the following in a
<command>sudo chown -R melissa /srv/samba/share/</command>
<command>sudo chgrp -R sysadmin /srv/samba/share/</command>
<command>sudo setfacl -R -m g:qa:rx /srv/samba/share/</command>
The <application>setfacl</application> command above gives <emphasis>execute</emphasis> permissions to all files in
the <filename>/srv/samba/share</filename> directory, which you may or may not want. Writing a capital
<emphasis>X</emphasis> instead of <emphasis>x</emphasis> (<emphasis>g:qa:rX</emphasis>) grants execute only on
directories and on files that already carry an execute bit, which is usually what is intended. Note also that
<emphasis>-m</emphasis> changes the access ACL of objects that already exist; add a default ACL to the directories
(<emphasis>-d -m g:qa:rX</emphasis>) so that files created later through the share inherit the same entry.
Now from a Windows client you should notice the new file permissions are implemented. See the
<application>acl</application> and <application>setfacl</application> man pages for more information on POSIX ACLs.
<sect2 id="samba-apparmor" status="review">
<title>Samba AppArmor Profile</title>
Ubuntu comes with the <application>AppArmor</application> security module, which provides mandatory access controls.
The default AppArmor profile for Samba will need to be adapted to your configuration. For more details on using
AppArmor see <xref linkend="apparmor"/>.
There are default AppArmor profiles for <filename>/usr/sbin/smbd</filename> and <filename>/usr/sbin/nmbd</filename>, the
Samba daemon binaries, as part of the <application>apparmor-profiles</application> package. To install the package,
from a terminal prompt enter:
<command>sudo apt-get install apparmor-profiles</command>
This package contains profiles for several other binaries.
By default the profiles for <application>smbd</application> and <application>nmbd</application> are in
<emphasis>complain</emphasis> mode, allowing Samba to work without modifying the profile and only logging the
operations the profile would have denied.
To place the <application>smbd</application> profile into <emphasis>enforce</emphasis> mode, and have Samba work as
expected, the profile will need to be modified to reflect any directories that are shared.
Edit <filename>/etc/apparmor.d/usr.sbin.smbd</filename> adding information for <emphasis>[share]</emphasis> from the
/srv/samba/share/** rwkix,
Now place the profile into <emphasis>enforce</emphasis> mode and reload it:
<command>sudo aa-enforce /usr/sbin/smbd</command>
<command>sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.smbd</command>
You should now be able to read, write, and execute files in the shared directory as normal, and the
<application>smbd</application> binary will have access to only the configured files and directories.
The <emphasis>i</emphasis> and <emphasis>x</emphasis> flags in the rule above allow <application>smbd</application>
itself to execute files from the share under its own profile. Clients run programs fetched from a share on their own
machine, so serving files needs only <emphasis>r</emphasis>, <emphasis>w</emphasis> and <emphasis>k</emphasis>
(byte-range locking); dropping the execute flags keeps the profile to what the daemon actually does.
Be sure to add entries for each directory you configure Samba to share. Also, any denials will be logged
to <filename>/var/log/syslog</filename> (and to the audit log when <application>auditd</application> is running).
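Forgetting a share in the profile is the usual way an enforced smbd breaks, so here is an added Python check, not part of the guide or of the AppArmor project, that confirms every share path in an smb.conf text is covered by a file rule in the smbd profile text. The smb.conf and profile excerpts are constructed for the example (the guide's [share] plus a second share the profile forgets). It models only the glob forms *, ** and ?, ignores deny rules, alternation and character classes, and assumes a writable share needs r, w and k on its contents while serving files needs no execute permission.

```python
"""Check that each Samba share path is covered by a file rule in the smbd AppArmor profile.

Added example: not code from the Ubuntu Server Guide or from AppArmor.  Share
paths come from smb.conf-style text, file rules from profile text.  Glob forms
modelled: '*' (any run of characters except '/'), '**' (any run including '/')
and '?' (one character except '/').  Alternation, character classes and deny
rules are not handled.
"""
import configparser
import re

# Constructed smb.conf: the guide's [share] plus a second share the profile forgets.
SMB_CONF = """
[global]
   security = user

[share]
   path = /srv/samba/share
   read only = no

[qa]
   path = /srv/samba/qa
   read only = no
"""

# Constructed excerpt of /etc/apparmor.d/usr.sbin.smbd after adding the guide's rule.
PROFILE = """
/usr/sbin/smbd {
  /etc/samba/** r,
  /var/lib/samba/** rwk,
  /srv/samba/share/** rwkix,
}
"""

# "<path> <perms>," with an optional leading 'owner' qualifier.
FILE_RULE = re.compile(r"^\s*(owner\s+)?(/\S+)\s+([a-zA-Z]+),\s*$", re.M)

# Assumed needs of a file server: read and lock everywhere, write on writable shares.
NEED_RO, NEED_RW = set("rk"), set("rwk")


def glob_to_regex(pattern):
    """Translate an AppArmor path glob (subset: **, *, ?) into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def share_paths(conf_text):
    """Return {share: (path, writable)} for every non-global section that sets a path."""
    cp = configparser.RawConfigParser(
        strict=False, delimiters=("=",), empty_lines_in_values=False
    )
    cp.read_string(conf_text)
    shares = {}
    for sect in cp.sections():
        opts = {k.replace(" ", "").lower(): v.strip() for k, v in cp.items(sect)}
        if sect != "global" and "path" in opts:
            writable = opts.get("readonly", "yes").lower() not in ("yes", "true", "1")
            shares[sect] = (opts["path"].rstrip("/"), writable)
    return shares


def parse_rules(profile_text):
    """Return [(compiled glob, set of permission letters)] for each file rule."""
    return [(glob_to_regex(p), set(perms)) for _owner, p, perms in FILE_RULE.findall(profile_text)]


def granted(rules, path):
    """Union of the permission letters of every rule whose glob matches path."""
    perms = set()
    for rx, p in rules:
        if rx.match(path):
            perms |= p
    return perms


def check_coverage(conf_text, profile_text):
    """Return {share: [problems]}; an empty list means the share is covered."""
    rules = parse_rules(profile_text)
    report = {}
    for name, (path, writable) in share_paths(conf_text).items():
        need = NEED_RW if writable else NEED_RO
        problems = []
        # AppArmor matches a directory with a trailing '/', a file without one.
        for sample in (path + "/", path + "/subdir/file.txt"):
            missing = need - granted(rules, sample)
            if missing:
                problems.append(f"{sample}: missing {''.join(sorted(missing))}")
        if "x" in granted(rules, path + "/subdir/file.txt"):
            problems.append("execute granted on share contents; serving files needs only rwk")
        report[name] = problems
    return report


if __name__ == "__main__":
    for share, problems in check_coverage(SMB_CONF, PROFILE).items():
        print(share, "OK" if not problems else problems)
```

Run against the constructed inputs it reports the missing rule for [qa] and flags the surplus execute permission on [share]; run it after every smb.conf change before putting the profile back into enforce mode.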
<sect2 id="samba-security-resources" status="review">
<title>Resources</title>
For in depth Samba configurations see the
<ulink url="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/">Samba HOWTO Collection</ulink>
The guide is also available in
<ulink url="http://www.amazon.com/exec/obidos/tg/detail/-/0131882228">printed format</ulink>.
O'Reilly's <ulink url="http://www.oreilly.com/catalog/9780596007690/">Using Samba</ulink> is also a good
<ulink url="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html">Chapter 18</ulink>
of the Samba HOWTO Collection is devoted to security.
For more information on Samba and ACLs see the
<ulink url="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id397568">Samba ACLs page
The <ulink url="https://help.ubuntu.com/community/Samba">Ubuntu Wiki Samba</ulink> page.
<sect1 id="samba-dc" status="review">
<title>Samba as a Domain Controller</title>
Although it cannot act as an Active Directory domain controller (a capability that arrived with Samba 4), a Samba
server can be configured to appear as a Windows NT4-style domain controller. A major advantage of this configuration
is the ability to centralize user and machine credentials. Samba can also use multiple backends to store the user
information.
<sect2 id="samba-pdc-smbpasswd" status="review">
<title>Primary Domain Controller</title>
This section covers configuring Samba as a Primary Domain Controller (PDC) using the default smbpasswd backend.
First, install Samba, and <application>libpam-smbpass</application> to sync the user accounts,
by entering the following in a terminal prompt:
<command>sudo apt-get install samba libpam-smbpass</command>
Next, configure Samba by editing <filename>/etc/samba/smb.conf</filename>.
The <emphasis>security</emphasis> mode should be set to <emphasis role="italic">user</emphasis>, and
the <emphasis>workgroup</emphasis> should relate to your organization:
In the commented <quote>Domains</quote> section add or uncomment the following:
logon path = \\%N\%U\profile
logon script = logon.cmd
add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u
If you wish to not use <emphasis>Roaming Profiles</emphasis> leave the <emphasis>logon home</emphasis>
and <emphasis>logon path</emphasis> options commented.
<emphasis>domain logons:</emphasis> provides the netlogon service causing Samba to act as a domain controller.
<emphasis>logon path:</emphasis> places the user's Windows profile into their home directory. It is also
possible to configure a <emphasis>[profiles]</emphasis> share placing all profiles under a single directory.
<emphasis>logon drive:</emphasis> specifies the drive letter (for example H:) to which the Windows client maps the
user's home directory.
<emphasis>logon home:</emphasis> specifies the home directory location.
<emphasis>logon script:</emphasis> determines the script to be run locally once a user has logged in.
The script needs to be placed in the <emphasis>[netlogon]</emphasis> share.
<emphasis>add machine script:</emphasis> a script that will automatically create the
<emphasis>Machine Trust Account</emphasis> needed for a workstation to join the domain.
In this example the <emphasis>machines</emphasis> group will need to be created using the
<application>addgroup</application> utility; see <xref linkend="adding-deleting-users"/> for details.
Uncomment the <emphasis>[homes]</emphasis> share to allow the <emphasis role="italic">logon home</emphasis>
comment = Home Directories
directory mask = 0700
When configured as a domain controller a <emphasis>[netlogon]</emphasis> share needs to be configured. To
enable the share, uncomment:
comment = Network Logon Service
path = /srv/samba/netlogon
The original <emphasis>netlogon</emphasis> share path is <filename>/home/samba/netlogon</filename>, but according
to the Filesystem Hierarchy Standard (FHS),
<ulink url="http://www.pathname.com/fhs/pub/fhs-2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM">/srv</ulink> is the
correct location for site-specific data provided by the system.
Now create the <filename role="directory">netlogon</filename> directory, and an empty (for now)
<filename>logon.cmd</filename> script file:
<command>sudo mkdir -p /srv/samba/netlogon</command>
<command>sudo touch /srv/samba/netlogon/logon.cmd</command>
You can enter any normal Windows logon script commands in <filename>logon.cmd</filename> to customize the
client's environment. Because every domain client runs this script at logon, keep the netlogon share read-only for
ordinary users and writable only by administrators: anyone who can modify <filename>logon.cmd</filename> can run
commands on every workstation in the domain.
Restart Samba to enable the new domain controller:
<command>sudo restart smbd</command>
<command>sudo restart nmbd</command>
Lastly, there are a few additional commands needed to set up the appropriate rights.
With <emphasis>root</emphasis> being disabled by default, in order to join a workstation to the domain, a system
group needs to be mapped to the Windows <emphasis>Domain Admins</emphasis> group.
Using the <application>net</application> utility, from a terminal enter:
<command>sudo net groupmap add ntgroup="Domain Admins" unixgroup=sysadmin rid=512 type=d</command>
Change <emphasis role="italic">sysadmin</emphasis> to whichever group you prefer. Also, the user
used to join the domain needs to be a member of the <emphasis>sysadmin</emphasis> group, as well
as a member of the system <emphasis>admin</emphasis> group. The <emphasis>admin</emphasis> group allows
<application>sudo</application> use.
If the user does not have Samba credentials yet, you can add them with
the <application>smbpasswd</application> utility; change the <emphasis>sysadmin</emphasis> username appropriately:
<command>sudo smbpasswd -a sysadmin</command>
Also, rights need to be explicitly provided to the <emphasis>Domain Admins</emphasis> group to allow the
<emphasis>add machine script</emphasis> (and other admin functions) to work. This is achieved by executing:
<command>net rpc rights grant -U sysadmin "EXAMPLE\Domain Admins" SeMachineAccountPrivilege \
SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege</command>
You should now be able to join Windows clients to the Domain in the same manner as joining them to an
NT4 domain running on a Windows server.
<sect2 id="samba-bdc-smbpasswd" status="review">
<title>Backup Domain Controller</title>
With a Primary Domain Controller (PDC) on the network it is best to have a Backup Domain Controller (BDC) as well.
This will allow clients to authenticate in case the PDC becomes unavailable.
When configuring Samba as a BDC you need a way to sync account information with the PDC. There are multiple ways of
accomplishing this: <application>scp</application>, <application>rsync</application>, or using <application>LDAP</application> as
the <emphasis>passdb backend</emphasis>.
Using LDAP is the most robust way to sync account information, because both domain controllers can use the same information in real time.
However, setting up a LDAP server may be overly complicated for a small number of user and computer accounts.
See <xref linkend="samba-ldap"/> for details.
First, install <application>samba</application> and <application>libpam-smbpass</application>. From a terminal enter:
<command>sudo apt-get install samba libpam-smbpass</command>
Now, edit <filename>/etc/samba/smb.conf</filename> and uncomment the following in the <emphasis>[global]</emphasis>:
In the commented <emphasis>Domains</emphasis> uncomment or add:
Make sure the user who will copy the files has rights to read <filename>/var/lib/samba</filename> on the PDC. Bear in
mind what that directory holds: <filename>passdb.tdb</filename> contains the NT password hashes of every domain
account, which are password-equivalent for SMB authentication, and <filename>secrets.tdb</filename> holds the domain
SID and machine trust secrets. Grant read access only to a small, trusted group and copy the files only over an
authenticated, encrypted channel such as <application>scp</application>. For example, to allow users in the
<emphasis>admin</emphasis> group to <application>scp</application> the files, enter:
<command>sudo chgrp -R admin /var/lib/samba</command>
Next, sync the user accounts, using <application>scp</application> to copy the <filename>/var/lib/samba</filename>
directory from the PDC:
<command>sudo scp -r username@pdc:/var/lib/samba /var/lib</command>
Replace <emphasis>username</emphasis> with a valid username and <emphasis>pdc</emphasis> with the hostname or IP Address of your
Finally, restart <application>samba</application>:
<command>sudo restart smbd</command>
<command>sudo restart nmbd</command>
You can test that your Backup Domain Controller is working by stopping the Samba daemon on the PDC, then trying to log in to a
Windows client joined to the domain.
Another thing to keep in mind is if you have configured the <emphasis>logon home</emphasis> option as a directory on the PDC,
and the PDC becomes unavailable, access to the user's <emphasis>Home</emphasis> drive will also be unavailable. For this reason
it is best to configure the <emphasis>logon home</emphasis> to reside on a separate file server from the PDC and BDC.
<sect2 id="samba-dc-resources" status="review">
<title>Resources</title>
For in depth Samba configurations see the
<ulink url="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/">Samba HOWTO Collection</ulink>
The guide is also available in
<ulink url="http://www.amazon.com/exec/obidos/tg/detail/-/0131882228">printed format</ulink>.
O'Reilly's <ulink url="http://www.oreilly.com/catalog/9780596007690/">Using Samba</ulink> is also a good
<ulink url="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html">Chapter 4</ulink>
of the Samba HOWTO Collection explains setting up a Primary Domain Controller.
<ulink url="http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html">Chapter 5</ulink>
of the Samba HOWTO Collection explains setting up a Backup Domain Controller.
The <ulink url="https://help.ubuntu.com/community/Samba">Ubuntu Wiki Samba</ulink> page.
<sect1 id="samba-ad-integration" status="review">
<title>Samba Active Directory Integration</title>
<sect2 id="ad-integration-samba-share" status="review">
<title>Accessing a Samba Share</title>
Another use for Samba is to integrate it into an existing Windows network. Once part of an Active Directory domain,
Samba can provide file and print services to AD users.
The simplest way to join an AD domain is to use <application>Likewise-open</application>. For detailed instructions
see <xref linkend="likewise-open"/>.
Once part of the domain, enter the following command at a terminal prompt:
<command>sudo apt-get install samba smbfs smbclient</command>
Since the <application>likewise-open</application> and <application>samba</application> packages use separate
<filename>secrets.tdb</filename> files, a symlink will need to be created in <filename role="directory">/var/lib/samba</filename>:
<command>sudo mv /var/lib/samba/secrets.tdb /var/lib/samba/secrets.tdb.orig</command>
<command>sudo ln -s /etc/samba/secrets.tdb /var/lib/samba</command>
Next, edit <filename>/etc/samba/smb.conf</filename>, changing:
idmap backend = lwopen
idmap uid = 50-9999999999
idmap gid = 50-9999999999
Restart <application>samba</application> for the new settings to take effect:
<command>sudo restart smbd</command>
<command>sudo restart nmbd</command>
You should now be able to access any <application>Samba</application> shares from a Windows client. However, be sure to give
the appropriate AD users or groups access to the share directory. See <xref linkend="samba-fileprint-security"/> for
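The two configuration steps above (the secrets.tdb symlink and the three idmap settings) as an added shell example; this is not code from the Ubuntu Server Guide or from Samba, and the function names are made up for the illustration. The directory and config file are passed as arguments so the functions can be rehearsed on a scratch copy before being run as root against /var/lib/samba and /etc/samba/smb.conf. Because secrets.tdb holds the machine account password, an existing symlink that already points somewhere else is reported rather than silently replaced, and smb.conf is rewritten through a temporary copy so a failed edit leaves the original intact.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu Server Guide or of Samba. Function names
# are invented for this illustration. Pass the real paths only when running as root.

# link_secrets SAMBA_DIR LIKEWISE_SECRETS
# Moves SAMBA_DIR/secrets.tdb aside once and symlinks the likewise-open copy in.
# An existing symlink that points elsewhere is reported, not overwritten.
link_secrets() {
    target="$1/secrets.tdb"
    lw_secrets="$2"
    if [ -L "$target" ]; then
        if [ "$(readlink "$target")" = "$lw_secrets" ]; then
            return 0                      # already done; nothing to change
        fi
        echo "refusing to replace $target, it points to $(readlink "$target")"
        return 1
    fi
    if [ -e "$target" ]; then
        mv "$target" "$target.orig"       # keep the original for rollback
    fi
    ln -s "$lw_secrets" "$target"
}

# set_global_option SMBCONF KEY VALUE
# Rewrites an existing "KEY = VALUE" line, or adds one directly under [global].
set_global_option() {
    conf="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$conf"; then
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|   $key = $value|" "$conf" > "$conf.tmp"
    else
        awk -v k="$key" -v v="$value" '
            { print }
            /^\[global\]/ { print "   " k " = " v }
        ' "$conf" > "$conf.tmp"
    fi
    mv "$conf.tmp" "$conf"
}

# configure_ad_idmap SMBCONF: applies the three settings the guide asks for.
# Running it twice leaves exactly one line per key.
configure_ad_idmap() {
    set_global_option "$1" "idmap backend" "lwopen"
    set_global_option "$1" "idmap uid" "50-9999999999"
    set_global_option "$1" "idmap gid" "50-9999999999"
}

# Apply to the live system (as root) only when explicitly asked, then restart
# smbd and nmbd as described above:
#   sudo sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    link_secrets /var/lib/samba /etc/samba/secrets.tdb
    configure_ad_idmap /etc/samba/smb.conf
fi
```

Run it first against a copy of smb.conf and a scratch directory holding a dummy secrets.tdb, diff the result against the original, and only then run it with --apply; restarting smbd and nmbd afterwards is still required for the idmap change to take effect.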
<sect2 id="ad-integration-windows-share" status="review">
<title>Accessing a Windows Share</title>
Now that the Samba server is part of the Active Directory domain, you can access any Windows server shares:
To mount a Windows file share, enter the following at a terminal prompt:
<command>mount.cifs //fs01.example.com/share mount_point</command>
It is also possible to access shares on computers that are not part of an AD domain, but a username and password
will need to be provided.
To mount the share during boot, place an entry in <filename>/etc/fstab</filename>, for example:
//192.168.0.5/share /mnt/windows cifs auto,username=steve,password=secret,rw 0 0
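An added example, not from the guide: the fstab line above stores the share password in /etc/fstab, which every local user can read. mount.cifs also accepts a credentials=FILE option, where the file holds username=, password= and optionally domain= lines (see mount.cifs(8)), so the secret can live in a root-only file instead. The functions below write such a file with 0600 permissions, print the matching fstab line, and scan an fstab for cifs entries that still carry a clear-text password. The path /root/.smbcredentials is an assumed name, the function names are my own, and file paths are parameters so the code can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu Server Guide. /root/.smbcredentials is an
# assumed file name; the credentials= option and the username=/password=/domain=
# file format are documented in mount.cifs(8).

# write_cifs_credentials FILE USERNAME PASSWORD [DOMAIN]
# Creates FILE readable by its owner only. umask is set in a subshell so the
# file is never even briefly world-readable and the caller's umask is untouched.
write_cifs_credentials() {
    (
        umask 077
        {
            printf 'username=%s\n' "$2"
            printf 'password=%s\n' "$3"
            if [ -n "${4:-}" ]; then
                printf 'domain=%s\n' "$4"
            fi
        } > "$1"
    )
    chmod 600 "$1"   # also tightens a file that already existed
}

# cifs_fstab_entry UNC MOUNTPOINT CREDFILE
# Prints the fstab line equivalent to the guide's example, with the inline
# username/password replaced by a reference to the credentials file.
cifs_fstab_entry() {
    printf '%s %s cifs auto,credentials=%s,rw 0 0\n' "$1" "$2" "$3"
}

# fstab_password_leaks FSTAB
# True (exit 0) if any uncommented cifs entry still carries password= inline.
fstab_password_leaks() {
    grep -E '^[^#].*[[:space:]]cifs[[:space:]].*password=' "$1" >/dev/null
}

# Usage on a real host (as root), matching the guide's example share:
#   write_cifs_credentials /root/.smbcredentials steve secret
#   cifs_fstab_entry //192.168.0.5/share /mnt/windows /root/.smbcredentials >> /etc/fstab
#   if fstab_password_leaks /etc/fstab; then echo "clear-text CIFS passwords remain"; fi
```

The fstab_password_leaks check is worth keeping in a configuration audit: the mount itself behaves identically either way, so nothing else will flag a password that was left inline.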
Another way to copy files from a Windows server is to use the <application>smbclient</application> utility. To
list the files in a Windows share:
<command>smbclient //fs01.example.com/share -k -c "ls"</command>
To copy a file from the share, enter:
<command>smbclient //fs01.example.com/share -k -c "get file.txt"</command>
This will copy <filename>file.txt</filename> into the current directory.
And to copy a file to the share:
<command>smbclient //fs01.example.com/share -k -c "put /etc/hosts hosts"</command>
This will copy <filename>/etc/hosts</filename> to <filename>//fs01.example.com/share/hosts</filename>.
The <emphasis>-c</emphasis> option used above allows you to execute the <application>smbclient</application> command
all at once. This is useful for scripting and minor file operations. To enter the <emphasis>smb: \></emphasis>
prompt, an FTP-like prompt where you can execute normal file and directory commands, simply execute:
<command>smbclient //fs01.example.com/share -k</command>
Replace all instances of <emphasis>fs01.example.com/share</emphasis>, <emphasis>//192.168.0.5/share</emphasis>,
<emphasis>username=steve,password=secret</emphasis>, and <emphasis>file.txt</emphasis> with your server's IP, hostname,
share name, file name, and an actual username and password with rights to the share.
<sect2 id="ad-integration-resources" status="review">
<title>Resources</title>
For more <application>smbclient</application> options see the man page: <command>man smbclient</command>, also available
<ulink url="http://manpages.ubuntu.com/manpages/&distro-short-codename;/en/man1/smbclient.1.html">online</ulink>.
The <application>mount.cifs</application>
<ulink url="http://manpages.ubuntu.com/manpages/&distro-short-codename;/en/man8/mount.cifs.8.html">man page</ulink> is also useful for
more detailed information.
The <ulink url="https://help.ubuntu.com/community/Samba">Ubuntu Wiki Samba</ulink> page.
<sect1 id="likewise-open" status="review">
<title>Likewise Open</title>
<application>Likewise Open</application> simplifies the configuration needed to authenticate a Linux machine to an
Active Directory domain. Based on <application>winbind</application>, the <application>likewise-open</application> package
takes the pain out of integrating Ubuntu authentication into an existing Windows network.
<sect2 id="likewise-open-install" status="review">
<title>Installation</title>
There are two ways to use Likewise Open: the <application>likewise-open</application> command line utility and
<application>likewise-open-gui</application>. This section focuses on the command line utility.
To install the <application>likewise-open</application> package, open a terminal prompt and enter:
<command>sudo apt-get install likewise-open</command>
<sect2 id="likewise-open-configuration" status="review">
<title>Joining a Domain</title>
The main executable file of the <application>likewise-open</application> package is
<filename>/usr/bin/domainjoin-cli</filename>, which is used to join your computer to the domain. Before you join
a domain you will need to make sure you have:
Access to an Active Directory user with appropriate rights to join the domain.
The <emphasis>Fully Qualified Domain Name</emphasis> (FQDN) of the domain you want to join. If your AD domain
does not match a valid domain such as <emphasis role="italic">example.com</emphasis>, it is likely that it has
the form <emphasis>domainname.local</emphasis>.
DNS for the domain set up properly. In a production AD environment this should be the case. Proper Microsoft
DNS is needed so that client workstations can determine that the Active Directory domain is available.
If you don't have a Windows DNS server on your network, see <xref linkend="likewise-open-ms-dns"/> for details.
To join a domain, from a terminal prompt enter:
<command>sudo domainjoin-cli join example.com Administrator</command>
Replace <emphasis>example.com</emphasis> with your domain name, and <emphasis>Administrator</emphasis> with the
appropriate user name.
You will then be prompted for the user's password. If all goes well, a <emphasis>SUCCESS</emphasis> message should be
printed to the console.
After joining the domain, it is necessary to reboot before
attempting to authenticate against the domain.
After successfully joining an Ubuntu machine to an Active Directory domain, you can authenticate using any valid AD user.
To log in you will need to enter the user name as 'domain\username'. For example, to ssh to a server joined to the domain:
<command>ssh 'example\steve'@hostname</command>
If configuring a Desktop, the user name will need to be prefixed with <emphasis role="italic">domain\</emphasis> in the
graphical logon as well.
To make likewise-open use a default domain, you can add the following statement to <filename>/etc/samba/lwiauthd.conf</filename>:
winbind use default domain = yes
Then restart the <application>likewise-open</application> daemons:
<command>sudo /etc/init.d/likewise-open restart</command>
Once configured for a <emphasis>default domain</emphasis>, the <emphasis role="italic">'domain\'</emphasis> prefix is no longer required;
users can log in using only their username.
The <application>domainjoin-cli</application> utility can also be used to leave the domain. From a terminal:
<command>sudo domainjoin-cli leave</command>
<sect2 id="likewise-open-utilities" status="review">
<title>Other Utilities</title>
The <application>likewise-open</application> package comes with a few other utilities that may be useful for gathering
information about the Active Directory environment. These utilities are used to join the machine to the domain, and are
the same as those available in the <application>samba-common</application> and <application>winbind</application>
<application>lwinet</application>: Returns information about the network and the domain.
<application>lwimsg</application>: Allows interaction with the <application>likewise-winbindd</application> daemon.
<application>lwiinfo</application>: Displays information about various parts of the Domain.
Please refer to each utility's man page for specific details.
<sect2 id="likewise-open-troubleshooting" status="review">
<title>Troubleshooting</title>
If the client has trouble joining the domain, double check that the Microsoft DNS server is listed first in <filename>/etc/resolv.conf</filename>:
nameserver 192.168.0.1
For more information when joining a domain, use the <emphasis>--loglevel verbose</emphasis> or <emphasis>--advanced</emphasis> option of the
<application>domainjoin-cli</application> utility:
<command>sudo domainjoin-cli --loglevel verbose join example.com Administrator</command>
If an Active Directory user has trouble logging in, check <filename>/var/log/auth.log</filename> for details.
When joining an Ubuntu Desktop workstation to a domain, you may need to edit <filename>/etc/nsswitch.conf</filename> if your AD domain
uses the <emphasis role="italic">.local</emphasis> syntax. In order to join the domain, the <emphasis>"mdns4"</emphasis> entries should be removed from the
<emphasis>hosts</emphasis> option. For example:
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
Change the above to:
hosts: files dns [NOTFOUND=return]
Then restart networking by entering:
<command>sudo /etc/init.d/networking restart</command>
You should now be able to join the Active Directory domain.
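The troubleshooting checks above as an added shell example; this is not code from the guide or from likewise-open, and the function names are invented. One function reads the first nameserver from a resolv.conf, one tests the hosts: line of an nsswitch.conf for any mdns source, and one replaces that line with the sources the guide recommends. A further function queries the _ldap._tcp.dc._msdcs.DOMAIN SRV record, which is how Windows clients locate domain controllers and therefore a direct test of whether the resolver in use is the AD DNS; it needs host(1) and is skipped when that is not installed. File paths are parameters so the checks can be tried on copies before being pointed at /etc/resolv.conf and /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu Server Guide or of likewise-open. Function
# names are invented for this illustration; pass /etc/resolv.conf and
# /etc/nsswitch.conf to check the live host.

# first_nameserver RESOLV_CONF: prints the first nameserver entry, skipping comments.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# nameserver_is_first RESOLV_CONF IP: true if IP is the resolver consulted first.
nameserver_is_first() {
    [ "$(first_nameserver "$1")" = "$2" ]
}

# nsswitch_hosts_has_mdns NSSWITCH_CONF: true if the hosts: line still lists an
# mdns* source, which answers lookups for a .local AD domain before dns is tried.
nsswitch_hosts_has_mdns() {
    grep -E '^[[:space:]]*hosts:' "$1" | grep -Eq '(^|[[:space:]])mdns[^[:space:]]*'
}

# set_nsswitch_hosts NSSWITCH_CONF SOURCES: replaces the hosts: line and leaves
# every other line untouched; the file is rewritten through a temp copy.
set_nsswitch_hosts() {
    if awk -v s="$2" '/^[[:space:]]*hosts:/ { print "hosts: " s; next } { print }' "$1" > "$1.tmp"; then
        mv "$1.tmp" "$1"
    fi
}

# dc_srv_records DOMAIN: lists the domain controller SRV records for DOMAIN via
# the resolver currently configured. Empty output means the DNS in use does not
# know the AD domain. Requires host(1); -W and -R keep it from hanging offline.
dc_srv_records() {
    if ! command -v host >/dev/null; then
        echo "host(1) not installed"
        return 2
    fi
    host -W 2 -R 1 -t SRV "_ldap._tcp.dc._msdcs.$1"
}

# preflight DOMAIN DNS_IP [RESOLV_CONF] [NSSWITCH_CONF]: runs every check, prints
# one line per finding, and returns the number of problems found (0 = ready to join).
preflight() {
    domain="$1" dns_ip="$2" resolv="${3:-/etc/resolv.conf}" nss="${4:-/etc/nsswitch.conf}"
    problems=0
    if ! nameserver_is_first "$resolv" "$dns_ip"; then
        echo "first nameserver in $resolv is '$(first_nameserver "$resolv")', expected $dns_ip"
        problems=$((problems + 1))
    fi
    if nsswitch_hosts_has_mdns "$nss"; then
        echo "$nss hosts: line still contains an mdns source; use: hosts: files dns [NOTFOUND=return]"
        problems=$((problems + 1))
    fi
    if command -v host >/dev/null; then
        if ! dc_srv_records "$domain" | grep -q 'has SRV record'; then
            echo "no domain controller SRV record found for $domain"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Usage on the workstation being joined (paths default to the live files):
#   preflight example.local 192.168.0.1
```

Run preflight before domainjoin-cli rather than after a failed join: a wrong first nameserver and a leftover mdns source both produce the same unhelpful "domain not found" symptom, and the SRV query shows immediately which of the two the resolver is actually hitting.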
<sect2 id="likewise-open-ms-dns" status="review">
<title>Microsoft DNS</title>
The following are instructions for installing DNS on an Active Directory domain controller running Windows Server 2003,
but the instructions should be similar for other versions:
<!-- Translators: please check http://www.microsoft.com/language/en/us/search.mspx to see how this string is translated in Windows to your language -->
<guimenuitem>Start</guimenuitem><guimenuitem>Administrative Tools</guimenuitem><guimenuitem>Manage Your Server</guimenuitem>
This will open the <application>Server Role Management</application> utility.
<listitem><para>Click <guilabel>Add or remove a role</guilabel></para></listitem>
<listitem><para>Click Next</para></listitem>
<listitem><para>Select "DNS Server"</para></listitem>
<listitem><para>Click Next</para></listitem>
<listitem><para>Click Next again to proceed</para></listitem>
<listitem><para>Select "Create a forward lookup zone" if it is not selected.</para></listitem>
<listitem><para>Click Next</para></listitem>
<listitem><para>Make sure "This server maintains the zone" is selected and click Next.</para></listitem>
<listitem><para>Enter your domain name and click Next</para></listitem>
<listitem><para>Click Next to "Allow only secure dynamic updates"</para></listitem>
<listitem><para>Enter the IP for DNS servers to forward queries to, or select "No, it should not forward queries" and click Next.</para></listitem>
<listitem><para>Click Finish</para></listitem>
<listitem><para>Click Finish</para></listitem>
DNS is now installed and can be further configured using the <application>Microsoft Management Console</application> DNS snap-in.
Next, configure the Server to use itself for DNS queries:
<listitem><para>Click Start</para></listitem>
<listitem><para>Control Panel</para></listitem>
<listitem><para>Network Connections</para></listitem>
<listitem><para>Right Click "Local Area Connection"</para></listitem>
<listitem><para>Click Properties</para></listitem>
<listitem><para>Double click "Internet Protocol (TCP/IP)"</para></listitem>
<listitem><para>Enter the Server's IP Address as the "Preferred DNS server"</para></listitem>
<listitem><para>Click Ok</para></listitem>
<listitem><para>Click Ok again to save the settings</para></listitem>
<sect2 id="likewise-open-references" status="review">
<title>References</title>
Please refer to the <ulink url="http://www.likewisesoftware.com/">Likewise</ulink> home page for further information.
For more <application>domainjoin-cli</application> options see the man page: <command>man domainjoin-cli</command>.
Also, see the <ulink url="https://help.ubuntu.com/community/LikewiseOpen">Ubuntu Wiki LikewiseOpen</ulink> page.