Installing Samba with OpenLDAP support


Software installation

With the help of the apt command, install the following packages:

samba, the actual server.
samba-tools, a set of utilities.
samba-doc; note that we NEED samba-doc, as this package contains a file that we need (the LDAP schema file).
smbclient, which lets your Linux server talk to a Windows or Samba server; we need this to test our own server.

As usual, Debian asks us for the configuration details. For Samba 3, there are only two simple questions:

Which name do you want for the Windows workgroup? (we provide the name "Myworkgroup_name")
Do you want to modify smb.conf to use WINS settings from DHCP? We say no!

Now we have our Samba configuration file as /etc/samba/smb.conf. For future reference, we first save the original config file:

cd /etc/samba
cp smb.conf smb.conf.sample
mv smb.conf smb.conf.org
testparm smb.conf.org
testparm -s smb.conf.org > smb.conf

To enable WINS, we add the following lines to smb.conf:

## Browsing/Identification ###
workgroup = myworkgroup_name
netbios name = MynetBios_name

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server

wins support = yes
os level = 33
domain master = yes
local master = yes
preferred master = yes
name resolve order = wins lmhosts hosts bcast
dns proxy = yes

WINS configuration

Now this does a whole lot of things with the Samba nmbd daemon – at least when you remember to save the master config file, test it with testparm and write the actual smb.conf as described previously, AND then restart your nmbd daemon:

/etc/init.d/samba restart

OK so what do the configuration lines mean?

workgroup = myworkgroup_name – this line makes the Samba server a member of the workgroup.
netbios name = mynetbios_name – here we define the server's NetBIOS name.
wins support = yes – this line actually turns on WINS support, so it instructs the nmbd daemon to start acting as a WINS server.
os level = 33 – this gives our WINS server a “rank” of 33, meaning that it will be sure to become the WINS master browser, even if there are Windows servers on the network that act as domain controllers.
domain master = yes – this tells our server that it will not be just any master browser, but a domain master browser, so that our server will be the master browser on each and every subnet that it is connected to.
local master = yes – this setting is vital to being a domain master browser, as it ensures that our WINS server is also the local master browser.
preferred master = yes – adding this line makes the nmbd daemon initiate a browser election as soon as it starts up, so that it gets the master browser role as fast as possible.
name resolve order = wins lmhosts hosts bcast – this ensures that for a WINS request, the nmbd daemon not only checks its WINS database, but also the local lmhosts file (if it exists) and the Linux /etc/hosts file, and finally falls back to a broadcast to see if it can locate the requested name by shouting out for it.
dns proxy = yes – this makes nmbd check a requested name with the DNS server if it cannot be found in the WINS database itself.

After restarting, we can see whether our Linux server is acting as a WINS master browser by inspecting the Samba log file, by default /var/log/samba/nmbd.log. It should show something like this:

[2021/11/21 16:18:03,  0] nmbd/nmbd.c:main(849)
nmbd version 3.2.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
[2021/11/21 16:18:03,  0] nmbd/asyncdns.c:start_async_dns(155)
started asyncdns process 25707
[2021/11/21 16:18:03,  0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(336)
become_domain_master_browser_wins:
Attempting to become domain master browser on workgroup myworkgroup_name, subnet UNICAST_SUBNET.
[2021/11/21 16:18:03,  0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(350)
become_domain_master_browser_wins: querying WINS server from IP 192.168.9.100 for domain master browser name myworkgroup_name<1b> on workgroup myworkgroup_name
[2021/11/21 16:18:03,  0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(110)
*****  
Samba server MynetBios_name is now a domain master browser for workgroup myworkgroup_name on subnet UNICAST_SUBNET
*****
[2021/11/21 16:18:03,  0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(291)
become_domain_master_browser_bcast:
Attempting to become domain master browser on workgroup myworkgroup_name on subnet 192.168.9.100
[2021/11/21 16:18:03,  0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(304)
become_domain_master_browser_bcast: querying subnet 192.168.67.9 for domain master browser on workgroup myworkgroup_name
[2021/11/21 16:18:11,  0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(110)
*****
Samba server MynetBios_name is now a domain master browser for workgroup myworkgroup_name on subnet 192.168.9.100
*****
[2021/11/21 16:18:26,  0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(395)
*****
Samba name server MynetBios_name is now a local master browser for workgroup myworkgroup_name on subnet 192.168.9.100
*****

Furthermore, we can test on the server itself if a WINS lookup succeeds:

sambasrv:# nmblookup -M myworkgroup_name
querying myworkgroup_name on 127.255.255.255
192.168.9.100 myworkgroup_name<1d>

Finally, we tell our DHCP server to provide clients with the IP address of our WINS server.
We do this by adding the following line to /etc/dhcp3-server/dhcpd.conf:

option netbios-name-servers 192.168.9.100;

This line can be added either to the global section or within a specific subnet declaration.

OpenLDAP adaptation.

In order for our OpenLDAP server to recognise the samba-specific attributes that we’re going to use, we need to add the “samba” schema to the OpenLDAP server.
After installation of samba-doc, we can find this schema in /usr/share/doc/samba-doc/examples/LDAP, where it sits gzipped between some other schema files.
As the README explains, what we need is samba.schema.gz, so we unzip it and copy it to our OpenLDAP schema directory.

cd /usr/share/doc/samba-doc/examples/LDAP
gunzip samba.schema.gz
cp samba.schema /etc/ldap/schema

We will include this schema into our LDAP configuration, by adding the following line to /etc/ldap/slapd.conf under # Schema and objectClass definitions:

include         /etc/ldap/schema/samba.schema

Not only do we need schema updates, we could also do with some more indices. Thus, we change the relevant section of /etc/ldap/slapd.conf to read:

# Indexing options for database #1
index     objectClass,uidNumber,gidNumber                eq
index     cn,sn,uid,displayName                          pres,sub,eq
index     memberUid,mail,givenname                       eq,subinitial
index     sambaSID,sambaPrimaryGroupSID,sambaDomainName  eq

Of course, it is not enough just to add these parameters; we also need to generate the indices and restart our LDAP server:

sudo invoke-rc.d slapd stop
sudo -u openldap slapindex
sudo invoke-rc.d slapd start

Check to see if the Samba objects are now usable in your LDAP server, e.g. by opening your LDAP Account Manager or phpldapadmin and checking the schemas and objectClasses.
If everything was imported properly we should see objects like “sambaConfig” and “sambaDomain”.

Feed OpenLDAP with Samba information

Now we can add the Samba 3 account information to our LDAP server. There are two ways of doing that:

Create an LDAP LDIF file with the necessary information.
Or use the graphical LDAP manager to add it. For small numbers of users, the latter is quickest.

To start this part we have to get the Samba SID, so as root we run the following command:

net getlocalsid

We will get a string like “SID for domain MynetBios_name is: S-1-5-21-2406862991-3150385097-213705319”.
With this SID, we can create the LDAP object that represents the samba domain.
Since we are using PhpLdapAdmin to manage our LDAP Tree, we log in to it, and create our domain.
There are only three pieces of information that are mandatory:

The domain name, in our example "myworkgroup_name".
The SID mentioned above, in our example "S-1-5-21-2406862991-3150385097-213705319".
The RID base; this has a default of 1000, which you should not change unless you know exactly what you're doing.

There are other options that you might find worth setting, like the minimum password length, password history length, whether users should be disconnected “outside logon hours”, and so on. We would advise you not to set too many options until you have finished testing.

Add the Samba account information to LDAP user accounts

Now, let's take our LDAP admin account and, with the help of phpldapadmin, go to a user that we want to give access to Samba.
We add the following objectClass to the user entry:

objectclass: sambaSamAccount

After this we populate the user with the following attributes:

sambaacctflags: [UX          ]
sambahomedrive: Z:
sambahomepath: \\samba\user_name
sambalmpassword: => Write the password you want
sambantpassword: => Write the password you want
sambaprimarygroupsid: S-1-5-21-2406862991-3150385097-213705319
sambasid: S-1-5-21-2406862991-3150385097-213705319-20102 

Pay special attention to the attribute “sambasid”, because this one is calculated in the following way:

sambaprimarygroupsid + 2 x uidnumber of the user

This way every user that you add gets a sambasid with a different ending.
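The script below is an added example, not part of the tutorial: it builds the LDIF record for the user described above (the "LDIF file" method mentioned earlier), computing sambaSID with the tutorial's rule (sambaPrimaryGroupSID plus 2 x uidNumber) and filling sambaNTPassword with the NT hash (MD4 over the UTF-16LE password), which is what that attribute actually stores rather than the clear-text password. The user name "user_name", uidNumber 10051, the base DN and the password are constructed sample values; the MD4 routine is inlined because hashlib's md4 is often unavailable under OpenSSL 3. The rid_base parameter is an addition to the tutorial's formula: smbldap-tools adds the domain's RID base (the default of 1000 mentioned above) to 2 x uidNumber, whereas the tutorial's own example does not, so the default here is 0. sambaLMPassword is left out; Samba authenticates with the NT hash alone.

```python
# Added example: generate the sambaSamAccount LDIF for one user.
# Sample values (user_name, uidNumber 10051, password) are constructed.
import struct

M32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), inlined because hashlib's md4 is often
    disabled under OpenSSL 3."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, s): return ((x << s) | (x >> (32 - s))) & M32

    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                      # padding: 1 bit, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                                  # round 1
            a = rotl((a + F(b, c, d) + X[i]) & M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i, k in enumerate(order):                        # round 3
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & M32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4 of the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def user_sid(domain_sid: str, uid_number: int, rid_base: int = 0) -> str:
    """Tutorial rule: RID = 2 * uidNumber. smbldap-tools additionally adds the
    domain's RID base (default 1000); pass rid_base=1000 to mimic that."""
    return f"{domain_sid}-{2 * uid_number + rid_base}"


def samba_user_ldif(uid: str, uid_number: int, domain_sid: str, password: str,
                    base_dn: str = "dc=your_domain,dc=local",
                    home_server: str = "samba") -> str:
    """LDIF 'modify' record that turns an existing user entry into a
    sambaSamAccount, mirroring the attribute list in the tutorial."""
    attrs = [
        ("objectClass", "sambaSamAccount"),
        ("sambaSID", user_sid(domain_sid, uid_number)),
        ("sambaPrimaryGroupSID", domain_sid),      # tutorial uses the bare domain SID
        ("sambaAcctFlags", "[UX          ]"),
        ("sambaHomeDrive", "Z:"),
        ("sambaHomePath", f"\\\\{home_server}\\{uid}"),
        ("sambaNTPassword", nt_hash(password)),    # hash, never the clear text
    ]
    out = [f"dn: uid={uid},ou=users,{base_dn}", "changetype: modify"]
    for name, value in attrs:
        out += [f"add: {name}", f"{name}: {value}", "-"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(samba_user_ldif("user_name", 10051,
                          "S-1-5-21-2406862991-3150385097-213705319", "password"))
```

Feed the output to ldapmodify as the admin DN; with uidNumber 10051 the record carries the same sambaSID ending (-20102) as the tutorial's example.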

Samba configuration for LDAP authentication.

Getting Samba to use OpenLDAP as a backend is quite straightforward.
The main work is done in smb.conf, where we add the following section:

ldap passwd sync = Yes
# smbldap-passwd is provided by the smbldap-tools package
passwd program = /usr/sbin/smbldap-passwd %u
passdb backend = ldapsam:ldap://ldap.your_domain.local
ldap admin dn = cn=admin,dc=your_domain,dc=local
ldap suffix = dc=your_domain,dc=local
ldap machine suffix = ou=computers
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap delete dn = no
# allow user privileges
enable privileges = yes
# set "ldap ssl" only once (Samba keeps the last value it reads); start tls
# keeps the admin DN password and the password hashes off the wire in clear text
ldap ssl = start tls

Write this to your samba conf and exit to shell.
Then type the following to store the password of the admin in secrets.tdb :

smbpasswd -W
Setting stored password for "cn=admin,dc=your_domain,dc=local" in secrets.tdb
New SMB password:
Retype new SMB password:

If we used a lowercase -w, then we could have specified the password on the command line (smbpasswd -w SuperSecret).

Samba share configuration.

At this point we should now be able to create a share, and make it available to our LDAP accounts.
To this end, we create a directory that we’re going to share, and give it a workable set of permissions.
Suppose we have an LDAP user “user_name” and an LDAP group “networkusers”. We could then, as root, do this:

cd /home/samba
mkdir Tutorials
chown user_name:networkusers Tutorials
chmod g+rwxs,o-rwx Tutorials

This ensures that user “user_name”, as well as every user that is a member of “networkusers”, is allowed to read and write in this share.
Furthermore, thanks to the group “s” bit (set-group-ID, often loosely called the sticky bit) set with the chmod command, files written to this directory are automatically owned by the group “networkusers”, which has read and write rights.

Next step would be to share this directory, by adding the following section to smb.conf.master:

[Tutorials]
comment = Data directory for us all
browseable = yes
path = /home/samba/Tutorials
guest ok = no
read only = no
create mask = 0660
create directory mask = 0770
force group = @networkusers
valid users = @networkusers
write list = @networkusers
vfs objects = recycle
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = /home/samba/Tutorials/.recycle

This makes the directory usable via the share “Tutorials”.
Notice that we do not allow unauthenticated users (“guest ok = no”), that we allow writing to this share (“read only = no”, although we could also have used “writeable = yes”, which is the same), and that we mask every create operation (for both files and directories) so that the “user” and “group” bits can be set but no “other” bits can. This prevents anyone other than “networkusers” from reading and writing.
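As an added check that is not part of the tutorial, the script below parses smb.conf text and reports the points discussed in the LDAP and share sections: a key set twice with different values in one section (Samba silently keeps the last one, so a stray “ldap ssl = off” or “read only = yes” lower down can undo what you intended), guest access, shares without a “valid users” list, masks that grant bits to “other”, and an ldapsam backend over plain ldap:// with “ldap ssl = off”. SAMPLE_CONF is constructed from the tutorial's snippets plus a deliberately sloppy [Scratch] share so that the findings are exercised; run it against your own file with review(open("/etc/samba/smb.conf").read()).

```python
# Added example: a small smb.conf reviewer for the settings this tutorial uses.
# SAMPLE_CONF is constructed from the tutorial's snippets plus a sloppy share.
import re

SAMPLE_CONF = """
[global]
passdb backend = ldapsam:ldap://ldap.your_domain.local
ldap admin dn = cn=admin,dc=your_domain,dc=local
ldap suffix = dc=your_domain,dc=local
ldap ssl = off
ldap ssl = start tls          ; last value wins in Samba

[Tutorials]
comment = Data directory for us all
path = /home/samba/Tutorials
guest ok = no
read only = no
create mask = 0660
create directory mask = 0770
force group = @networkusers
read only = No                # same meaning as above, so not a conflict
valid users = @networkusers

[Scratch]
path = /home/samba/Scratch
guest ok = yes
create mask = 0666
"""


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order.
    Comments start with '#' or ';'; section names are case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = []
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def norm(value):
    """Fold Samba's boolean spellings so 'no' and 'No' compare equal."""
    v = value.lower()
    if v in ("yes", "true", "1"):
        return "yes"
    if v in ("no", "false", "0"):
        return "no"
    return v


def review(text):
    """Return a list of (section, message) findings for the given smb.conf text."""
    findings = []
    for section, pairs in parse_smb_conf(text).items():
        seen = {}
        for key, value in pairs:
            if key in seen and seen[key] != norm(value):
                findings.append((section, f"'{key}' set twice with different values; "
                                          f"Samba uses the last one ({value})"))
            seen[key] = norm(value)
        if section == "global":
            if (seen.get("ldap ssl") == "off"
                    and seen.get("passdb backend", "").startswith("ldapsam:ldap://")):
                findings.append((section, "LDAP admin password and hashes travel in "
                                          "clear text; use 'ldap ssl = start tls' or ldaps://"))
            continue
        if seen.get("guest ok") == "yes":
            findings.append((section, "guest ok = yes allows unauthenticated access"))
        if "valid users" not in seen:
            findings.append((section, "no 'valid users' restriction on this share"))
        for mask_key in ("create mask", "directory mask", "create directory mask"):
            if mask_key in seen and int(seen[mask_key], 8) & 0o007:
                findings.append((section, f"{mask_key} = {seen[mask_key]} grants bits to 'other'"))
    return findings


if __name__ == "__main__":
    for section, message in review(SAMPLE_CONF):
        print(f"[{section}] {message}")
```

For the constructed sample the [Tutorials] share comes out clean, [global] is flagged once for the conflicting “ldap ssl” lines, and [Scratch] is flagged three times.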
