Samba

From Edgar BV Wiki
Revision as of 17:10, 1 October 2007

INSTALLING
----------

Samba 3.0.0 (Debian) Primary Domain Controller (PDC) with Windows XP and Windows 2000 clients: a howto in 10-step checklist format.

After downloading the packages samba-common and samba (3.0.0) and installing them with dpkg:

1) Edit /etc/samba/smb.conf and make sure its [global] section has settings like these in it:

workgroup = DOMAINNAME
server string = SERVERNAME
netbios name = SERVERNAME

security = user
obey pam restrictions = yes
password server =
passdb backend = smbpasswd

hosts allow = 192.168.

local master = yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
server signing = auto
logon script = logon.bat
logon drive = X:
logon home =
time server = yes
add machine script = /usr/sbin/adduser --ingroup machine --system --home /dev/null --no-create-home --force-badname %u
logon path =
wins support = yes

log level = 2

2) Explanation

workgroup is the domain name. It is a NetBIOS name, so it can be at most 15 characters; keep it short and uppercase. You will need to type it often, so make sure you like it.

server string is the free-text description the server shows in browse lists; netbios name is the name it actually answers to for Windows name resolution (WINS). The netbios name is limited to 15 characters, should be uppercase, and is the SERVERNAME used in the rest of this page; for simplicity set server string to the same value.

security = there are several options, but I'm assuming you have one Samba machine (the one being configured) and no other server handling authentication. For a PDC this must be 'user': 'server', 'domain' and 'ads' hand authentication to another machine, and 'share' does no per-user authentication at all.

password server is left empty, because I found it gave some weird results when I uncommented it. It goes together with security: any non-empty value tells Samba to do the authentication elsewhere.

passdb backend tells Samba where it keeps its accounts. Best to leave it on whatever you have now (if you're migrating) or smbpasswd, at least until everything is up and running. The smbpasswd file lives in /etc/samba/smbpasswd and is a text file that maps Unix accounts to Samba accounts and holds their password hashes (see later), so it must stay readable by root only.

hosts allow is there for security. Add as many networks as you like; a trailing dot is a prefix match, so '192.168.' lets in addresses from 192.168.0.0 to 192.168.255.255, and you can list more subnets, space separated, if you need them. This filters only inside Samba; it is not a replacement for a packet filter on ports 137-139 and 445.

local master, preferred master, domain master and domain logons are what make Samba the domain master. If you have more Samba machines in the network, set these to 'no' on the ones that aren't the PDC.

os level - the higher this is, the more likely this machine wins the browser election against other machines on the network. 65 beats any NT or 2000 machine you have floating around (they use 32 or less). Note this decides who keeps the browse list, not who is the PDC; obviously you shouldn't have more than one PDC on any network.

logon script is the name of the logon script that will run. There are better howtos than this one on how to build one; just remember it has to be in MS-DOS format (CRLF line endings), so convert any file you wrote on Unix (unix2dos). I do like putting
net time /domain:DOMAINNAME /set /y
into the logon script, as it keeps all the machines on the network at the same time.
Make sure there is a [netlogon] share, because the logon script path is relative to that share. You can use variables like %Gnetlogon.bat, which runs a file called <primary group name>netlogon.bat. I set browseable = No, read only = Yes, etc.: it's nobody's business what all my groups connect to, and a writable netlogon share would let any user plant a script that every other machine runs at logon.

logon drive tells windows which drive will be mapped to the home directory.

logon home is where Win9x/Me store roaming profiles (and where their home share lives). My profiles are local (because they can get really big!) so I've explicitly set it to empty; otherwise Samba defaults it to \\%N\%U. The same goes for logon path, which is the equivalent for 2000/XP profiles (default \\%N\%U\profile).

time server is not necessary (unless you go for roaming profiles) but is nice as it allows you to synchronise all the clients on the network to the same time (see logon script)

add machine script - this one adds machine accounts on DEBIAN; Red Hat users need another one (hint: it doesn't use adduser, the Red Hat script uses useradd). Samba runs it as root when a machine joins the domain, which is why the join in step 7 is done with the Samba root account. It gets explained later.

log level - set to 2 for debugging; most errors will be logged fairly verbosely like this. Reset it to 1 once you're no longer chasing errors, the logs grow fast at level 2.
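The checklist above can be turned into a quick sanity check. The following shell script is an added example (not part of this page or of the Samba project): it parses the [global] section of an smb.conf with awk and reports anything that stops the server from acting as the PDC, or leaves it open to the world. Both configs inside it are constructed samples for this example; the only assumptions are the setting names already used in step 1.

```sh
#!/bin/sh
# Added example: lint the [global] section of an smb.conf meant to be a
# Samba 3 PDC. Both configs below are constructed samples for this example.

# The step-1 config (what a working PDC looks like).
GOOD_CONF='[global]
   workgroup = DOMAINNAME
   server string = SERVERNAME
   netbios name = SERVERNAME
   security = user
   obey pam restrictions = yes
   password server =
   passdb backend = smbpasswd
   hosts allow = 192.168.
   local master = yes
   os level = 65
   domain master = yes
   preferred master = yes
   domain logons = yes
   server signing = auto
   logon script = logon.bat
   logon drive = X:
   logon home =
   time server = yes
   add machine script = /usr/sbin/adduser --ingroup machine --system --home /dev/null --no-create-home --force-badname %u
   logon path =
   wins support = yes
   log level = 2
[netlogon]
   path = /var/lib/samba/netlogon
   browseable = no
   read only = yes'

# A broken variant: hands authentication to another box and is open to any host.
BAD_CONF='[global]
   workgroup = DOMAINNAME
   netbios name = SERVERNAME
   security = server
   password server = NTSERVER
   passdb backend = smbpasswd
   local master = yes
   os level = 65
   domain master = yes
   preferred master = yes
   domain logons = yes'

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# conf_get CONF KEY: value of KEY in [global] (case-insensitive key, trimmed).
# Prints nothing if the key is absent; other sections are ignored.
conf_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*\[/ { sec = tolower($0); gsub(/^[ \t]*\[|\].*$/, "", sec); next }
        sec == "global" && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) print v
        }'
}

# check_pdc_conf CONF: one "problem: ..." line per finding; exit 0 when clean.
check_pdc_conf() {
    conf="$1"; rc=0
    # A PDC must authenticate locally: server/domain/ads defer to another
    # machine, and share does no per-user authentication at all.
    sec=$(conf_get "$conf" "security")
    [ "$(lower "$sec")" = "user" ] \
        || { echo "problem: security = '$sec' (a PDC needs security = user)"; rc=1; }
    # With security = user, a non-empty password server proxies logons elsewhere.
    ps=$(conf_get "$conf" "password server")
    [ -z "$ps" ] \
        || { echo "problem: password server = '$ps' is set (leave it empty on the PDC)"; rc=1; }
    for key in "domain logons" "domain master" "local master" "preferred master"; do
        val=$(lower "$(conf_get "$conf" "$key")")
        case "$val" in
            yes|true|1) ;;
            *) echo "problem: $key = '$val' (the PDC needs yes)"; rc=1 ;;
        esac
    done
    # Without hosts allow, any host that can reach 137-139/445 may try to log on.
    [ -n "$(conf_get "$conf" "hosts allow")" ] \
        || { echo "problem: hosts allow is not set"; rc=1; }
    # workgroup and netbios name are NetBIOS names: 1..15 characters.
    for key in "workgroup" "netbios name"; do
        val=$(conf_get "$conf" "$key")
        { [ -n "$val" ] && [ ${#val} -le 15 ]; } \
            || { echo "problem: $key = '$val' (needs 1..15 characters)"; rc=1; }
    done
    return $rc
}

# When run directly: show what the lint says about the broken sample.
check_pdc_conf "$BAD_CONF" || echo "fix these before starting smbd/nmbd"
```

On a real server, feed it the live file with `check_pdc_conf "$(cat /etc/samba/smb.conf)"`; it complements testparm, which checks syntax but does not know what a PDC needs.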

3) Make sure there is a user nobody and a user guest (both can be made with null passwords: smbpasswd -n) in both smbpasswd and passwd, and a user root in smbpasswd. Give the Samba root a different password than the Unix root: this is the account that joins machines to the domain, so it gets typed into Windows boxes.
# smbpasswd -a root
# smbpasswd -a guest

4) Groups: you need the NT groups mapped to Unix groups for the users to be recognised. Run
# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-3687569591-2717907897-2748310743-513) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Admins (S-1-5-21-3687569591-2717907897-2748310743-512) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Guests (S-1-5-21-3687569591-2717907897-2748310743-514) -> -1

The last number of each SID is the RID; for these well-known groups it has to be exactly the value shown or Windows will not recognise the group. The -1 after the arrow means no Unix group is mapped yet.

This list shows the group mappings Samba expects, so matching groups need to be made in /etc/group:

sysops:x:500:
repl:x:501:
guests:x:502:
domusr:x:503:
pwrusr:x:504:
printops:x:505:
ntadmin:x:506:administrator
acctops:x:507:
domadm:x:508:
backops:x:509:
usrs:x:510:
domgsts:x:511:
machine:x:512:

Then the Unix groups get mapped to the NT groups:

net groupmap modify ntgroup="System Operators" unixgroup=sysops
net groupmap modify ntgroup="Replicators" unixgroup=repl
net groupmap modify ntgroup="Guests" unixgroup=guests
net groupmap modify ntgroup="Domain Users" unixgroup=domusr
net groupmap modify ntgroup="Power Users" unixgroup=pwrusr
net groupmap modify ntgroup="Print Operators" unixgroup=printops
net groupmap modify ntgroup="Administrators" unixgroup=ntadmin
net groupmap modify ntgroup="Account Operators" unixgroup=acctops
net groupmap modify ntgroup="Backup Operators" unixgroup=backops
net groupmap modify ntgroup="Users" unixgroup=usrs
net groupmap modify ntgroup="Domain Guests" unixgroup=domgsts
net groupmap modify ntgroup="Domain Admins" unixgroup=domadm

Note: case and quotes matter for the ntgroup names.

In Windows, 'net group /domain' from cmd will show the groups.

So to put a domain user in an NT group, add them to the corresponding Unix group in /etc/group.
http://www.it.lut.fi/~doc/samba-3.0.0beta3/htmldocs/groupmapping.html

Now, we modified the above group list instead of adding, because these mappings come by default with Samba and adding them again creates duplicate SIDs (which XP doesn't accept). For genuinely new groups use
#net groupmap add ntgroup="new nt group name" unixgroup=newunixgrpname

If the well-known groups are missing and do have to be added, they need exactly these RIDs (http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html#id344099 and table 12.1 at http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#set-group-map):
net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d
net groupmap add ntgroup="Domain Users" unixgroup=domusr rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=domgsts rid=514 type=d
net groupmap add ntgroup="Print Operators" unixgroup=printops rid=550 type=d
net groupmap add ntgroup="Administrators" unixgroup=ntadmin rid=544 type=d
net groupmap add ntgroup="Users" unixgroup=usrs rid=545 type=d
net groupmap add ntgroup="Guests" unixgroup=guests rid=546 type=d
net groupmap add ntgroup="Power Users" unixgroup=pwrusr rid=547 type=d
net groupmap add ntgroup="Account Operators" unixgroup=acctops rid=548 type=d
net groupmap add ntgroup="System Operators" unixgroup=sysops rid=549 type=d
net groupmap add ntgroup="Backup Operators" unixgroup=backops rid=551 type=d
net groupmap add ntgroup="Replicators" unixgroup=repl rid=552 type=d

More on groupmapping here:
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

So now users must be added to the groups. I like my users to be able to administer the local machine, but not the domain, so each user has to be added to the (Unix) groups ntadmin and domusr. Keep domadm for real administrators only: anyone in it is a Domain Admin on every machine in the domain.
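The mapping table and RID list above can be checked mechanically rather than by eye. The following shell script is an added example (not part of this page or of the Samba project) that parses the output format of net groupmap list shown in step 4: it lists the groups still at -1, verifies that every well-known group carries the RID from table 12.1, and pulls out the domain SID (the part before the RID), which is also the value to compare when a PDC is moved. The sample output inside it is constructed for the example, using the domain SID that appears on this page.

```sh
#!/bin/sh
# Added example: checks on `net groupmap list` output for a Samba 3 PDC.
# SAMPLE_MAP is a constructed sample in the format shown in step 4: two
# groups still unmapped (-1), all RIDs correct.
SAMPLE_MAP='System Operators (S-1-5-32-549) -> sysops
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> guests
Domain Users (S-1-5-21-3687569591-2717907897-2748310743-513) -> domusr
Power Users (S-1-5-32-547) -> pwrusr
Print Operators (S-1-5-32-550) -> printops
Administrators (S-1-5-32-544) -> ntadmin
Account Operators (S-1-5-32-548) -> acctops
Domain Admins (S-1-5-21-3687569591-2717907897-2748310743-512) -> -1
Backup Operators (S-1-5-32-551) -> backops
Users (S-1-5-32-545) -> usrs
Domain Guests (S-1-5-21-3687569591-2717907897-2748310743-514) -> domgsts'

# Well-known RIDs each group must carry (table 12.1 of the Samba HOWTO).
WELLKNOWN_RIDS='Domain Admins=512
Domain Users=513
Domain Guests=514
Administrators=544
Users=545
Guests=546
Power Users=547
Account Operators=548
System Operators=549
Print Operators=550
Backup Operators=551
Replicators=552'

# unmapped_groups MAP: NT groups whose mapping is still -1 (no Unix group).
unmapped_groups() {
    printf '%s\n' "$1" | awk -F' -> ' '
        $2 == "-1" { sub(/ \(S-1-5-[0-9-]*\)$/, "", $1); print $1 }'
}

# rid_of MAP GROUP: the RID (last SID component) the server assigned to GROUP.
# The "name (S-1-5-" prefix test keeps "Users" from matching "Domain Users".
rid_of() {
    printf '%s\n' "$1" | awk -v g="$2" -F' -> ' '
        index($1, g " (S-1-5-") == 1 {
            s = $1; sub(/^.*-/, "", s); sub(/\)$/, "", s); print s
        }'
}

# domain_sid MAP: the domain SID (S-1-5-21-... without the trailing RID),
# taken from the first domain group entry. Old and new PDC must agree on it.
domain_sid() {
    printf '%s\n' "$1" | awk 'match($0, /S-1-5-21-[0-9-]*-[0-9]+\)/) {
        s = substr($0, RSTART, RLENGTH - 1); sub(/-[0-9]+$/, "", s); print s; exit }'
}

# check_groupmap MAP: one line per problem (unmapped group, missing entry, or
# a well-known group carrying the wrong RID); prints nothing when all is well.
check_groupmap() {
    map="$1"
    unmapped_groups "$map" \
        | sed 's/^/unmapped: /; s/$/ -> -1 (create the Unix group, then net groupmap modify)/'
    printf '%s\n' "$WELLKNOWN_RIDS" | while IFS='=' read -r name want; do
        got=$(rid_of "$map" "$name")
        if [ -z "$got" ]; then
            echo "missing: $name has no mapping entry (net groupmap add ... rid=$want type=d)"
        elif [ "$got" != "$want" ]; then
            echo "wrong rid: $name has RID $got, needs $want"
        fi
    done
}

# groupmap_ok MAP: exit 0 only when check_groupmap reports nothing.
groupmap_ok() { [ -z "$(check_groupmap "$1")" ]; }

# When run directly: report what still needs fixing on the constructed sample.
check_groupmap "$SAMPLE_MAP"
echo "domain SID: $(domain_sid "$SAMPLE_MAP")"
```

On the real server replace the sample with `check_groupmap "$(net groupmap list)"`; run `groupmap_ok` in a cron job or before restarting smbd if you want a hard stop on a half-configured PDC.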

5) Make sure that all the machine and domain names are in CAPITAL LETTERS!

6) in /etc/services make sure you have the following lines:
netbios-ns      137/tcp                         # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm     138/tcp                         # NETBIOS Datagram Service
netbios-dgm     138/udp
netbios-ssn     139/tcp                         # NETBIOS session service
netbios-ssn     139/udp
microsoft-ds    445/tcp                         # Microsoft Naked CIFS
microsoft-ds    445/udp                         # Microsoft Naked CIFS

although this may no longer be strictly necessary with Samba 3.0.0

7) Migrating the existing local profiles in XP to domain profiles without roaming
As I'm not roaming my profiles: first log in to the machine as local administrator, right-click My Computer -> Properties -> Computer Name tab. Click 'Change' and fill in the domain name. Enter the Samba 'root' account we made earlier and you should be welcomed to the domain. Reboot the machine and log in as the new (domain) user; this creates the domain profile. Reboot, log in as the domain administrator user and go to computer properties again, tab Advanced, User Profiles settings. Select the local profile and choose 'Copy To'; pick the directory that has just been made (usually C:\Documents and Settings\username.DOMAINNAME) and under 'Permitted to use' select 'Everyone' (or, tighter, just DOMAINNAME\username; 'Everyone' lets any local account read the copied profile). Once the copy is done, reboot the machine and log in as the new user. The local profile has now been copied over to the domain profile on that machine, and 99% of settings should work and look the same.

Under Win2k it's slightly different: open Control Panel -> Users and Passwords, click the Advanced tab, then the Advanced button, and go to Groups. Double-click the Administrators group, click 'Add', choose the domain as the location and then (because I want domain users, not just Domain Admins, to be administrators of the machine) choose DOMAIN\Domain Users.

8) Try
rpcclient -U username -W DOMAIN SERVERNAME
or
smbclient -L SERVERNAME -U username
(-I takes an IP address rather than a name, for when name resolution itself is the problem)

for some more info on why you're not logging in.

9) Check your settings for typo's :)

10) Upgrading the Samba password backend from smbpasswd to tdbsam:
# pdbedit -i smbpasswd -e tdbsam
then change
passdb backend = smbpasswd
to
passdb backend = tdbsam
in /etc/samba/smb.conf.

From here on we use the pdbedit tool to manage Samba users instead of smbpasswd. Or we upgrade to LDAP, but we'll see about that. The old smbpasswd file still holds every password hash after the import, so move it out of the way or delete it.


TROUBLESHOOTING
---------------


Problems with an XP Client:
---------------------------

If your XP client joins the domain fine when you change its network ID, but after the reboot gives an error like 'cannot find the domain controller' as soon as you try to log in to the domain, you can try these:
1) Registry:

----- cut ------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000000
"maximumpasswordage"=dword:0000001e
"requiresignorseal"=dword:00000000
"requirestrongkey"=dword:00000000
"sealsecurechannel"=dword:00000001
"signsecurechannel"=dword:00000001
"Update"="no"

---------- save as sambalogin.reg and import it -----------------

Know what this does: requiresignorseal = 0 and requirestrongkey = 0 drop the client's requirement that the Netlogon secure channel be signed and sealed with a strong key (a downgrade; signsecurechannel and sealsecurechannel = 1 still ask for it when the server can do it), and DisablePasswordChange = 0 with maximumpasswordage = 0x1e (30 days) keeps the machine account password rotating. Only apply it if the join really fails without it, and take it back out once it works without it.

Event ID: 3036
Source: MRxSmb
Type: Warning
Description: The redirector detected a security signature mismatch. The connection has been disconnected.
Comment by Adrian Grigorof:
From a newsgroup posting: "Use Regedit and set: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList
To: FALSE
This will prevent the computer from attempting to become a Domain Master Browser and compete with Domain Controllers."

In certain conditions, this can also occur when a Windows 2000 computer is trying to connect to a Windows NT machine with SMB signing enabled. See Q259698.

Jason S. Rundle (last update 5/15/2003):
See Microsoft Knowledge Base Article Q325487.

Greg Donovan:
When trying to browse a master domain resource from an untrusted domain or workstation, you are not allowed to view the master (untrusting domain) and the event log shows the 3036 error. The solution is to set HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature to 1 instead of 0 on the client workstation and reboot (or stop and restart the Workstation, Messenger and Netlogon services). Acknowledgements to Alexander Lobodzinski for solving and posting this on samba @ lists.samba.org.

2) If you find application errors in Event Viewer going on about auto-enrollment:

Solution: this is straight from Microsoft's Knowledge Base article Q318266:
Click Start, and then click Control Panel. 
If you are using Classic view in Control Panel, double-click Administrative Tools , and then double-click Local Security Policy. 
If you are using Category view in Control Panel, click Performance and Maintenance , click Administrative Tools , and then double-click Local Security Policy. 
Under the Local Policies\Security Options node, double-click the Domain Member:Digitally encrypt or sign secure channel data (always) policy to open it. 
Click Disabled , and then click OK. 


SYMPTOMS
The following Event ID 15 error entries are logged at 8-hour intervals in the Application event log: 

Event Type: Error 
Event Source: AutoEnrollment 
Event Category: None 
Event ID: 15 
Date: date
Time: time
User: N/A 
Computer: computer name
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed. 
CAUSE
This behavior can occur if the Autoenrollment feature cannot reach an Active Directory domain controller. In a Microsoft Windows NT 4.0 domain, Active Directory is not available, so Autoenrollment cannot work. In an Active Directory domain with Microsoft Windows 2000 or later domain controllers, the problem can be caused by a DNS name resolution or network connectivity issue. 
RESOLUTION
For a Windows XP-based or a Windows Server 2003-based computer that is joined to a Windows NT 4.0 domain, to disable Autoenrollment in the Local Group Policy, follow these steps on the local workstation: 
Click Start, click Run, type gpedit.msc, and then press ENTER.
In the left pane, expand the following branches: 
User Configuration
Computer Configuration
Windows Settings
Security Settings
Public Key Policies


Double-click Autoenrollment Settings.
Click Do not enroll certificates automatically.
Click OK.
Close the Group Policy window.
For a computer that is a member of a Windows 2000 or later Active Directory domain, make sure that the domain member has network connectivity with at least one domain controller. 

After you have determined that you have good Internet Protocol (IP) connectivity between the member and a domain controller, correct the DNS address in the IP properties of the workstation: 
Start the Network Connections tool in Control Panel.
Right-click Local Area Connection, and then click Properties. 
Click Internet Protocol (TCP/IP), and then click Properties. 
Type the correct DNS address in the Preferred DNS server box.
Click OK.

Notes for Samba 2
#flat files that map Unix groups to NT type groups. 
#these files take the form unix_group = `Windows NT group'' 
domain group map = /usr/local/samba/private/domaingroup.map 
domain alias map = /usr/local/samba/private/domainalias.map 

but maybe the above is just for samba-tng;
domain admin group = @ntadmin
in [global] seems to be the way to go for now...

Also, what is 'add machine script =' in Samba 3 is 'add user script =' in Samba 2 (confusing, huh?!)

Using SWAT makes life easier! Bear in mind it takes the root password over plain HTTP, so only let it listen on localhost or a network you trust.

SYMPTOMS
If Office (Word or Excel) writes files with strange permissions, but writes its swap file correctly, the offending line is probably
#       profile acls = Yes NB THIS IS THE ROOT OF EVIL!!!
in the [global] section. Just comment it out.

SYMPTOMS
If you can create a file on a Samba share that sits on an NFS mount, but get locking error messages after editing and then saving (and can stupidly still Save As over the old file):
# strict locking = no works around "the process cannot access the file because
# another process has locked a portion of the file" with files on NFS mounts
        strict locking = no

ON MIGRATION
------------
When moving a PDC to another machine, the new install generates a different domain SID (the S-1-5-21-... part in 'net groupmap list') than the first PDC had. The Windows machines are joined to the old SID, so they refuse to trust the new PDC, giving all sorts of problems.
What can you do? The supported route is to carry the old SID over: run 'net getlocalsid' on the old server and 'net setlocalsid S-1-5-21-...' on the new one before creating any group mappings. net groupmap modify only changes which Unix group a mapping points at, not the SID itself. I didn't do it that way - I created and left the new SIDs, which means every client has to be rejoined as below. There seems to be some residue of the old SIDs in the password files.

Remove the machine accounts from /etc/passwd and /etc/samba/smbpasswd.
Start up the client and log in as local administrator (not on the domain, silly!).
Remove the machine from the domain (it doesn't matter which PDC, as long as you remember the correct Samba root password): right-click My Computer, tab Identification, change ID and put it in a workgroup.
Check the registry settings (see above).
Rename the profile folder Documents and Settings\username.DOMAIN to username.DOMAIN.old.
Remove the Samba users (the usernames your clients log in with) from /etc/passwd and /etc/samba/smbpasswd.
Reboot the client.
Log in as local administrator.
Join the domain.
Reboot the machine.
Create the new client users in /etc/passwd and /etc/samba/smbpasswd (use adduser and smbpasswd -a; don't copy and paste from any old ones!).
Log in with the user on the client, on the domain.
When the default profile has finished building, reboot.
Log in as local administrator.
Copy the contents of Documents and Settings\username.DOMAIN.old\* to Documents and Settings\username.DOMAIN\.
Make sure that ntuser.dat has been copied.
Log out, log in as the user on the domain.

Migration complete!