Samba

From Edgar BV Wiki

Revision as of 13:45, 2 March 2007 by Red (talk | contribs)

INSTALLING


Samba 3.0.0 (Debian) Primary Domain Controller (PDC) with Windows XP and Windows 2000 (Win2k) clients. Howto in 10-step checklist format.

After downloading the packages samba-common and samba (3.0.0) and getting them installed with dpkg:

1) edit /etc/samba/smb.conf and make sure the [global] section has settings like these in it:

  [global]
  workgroup = DOMAINNAME
  server string = SERVERNAME
  netbios name = SERVERNAME

  security = user
  obey pam restrictions = yes
  password server =
  passdb backend = smbpasswd

  hosts allow = 192.168.

  local master = yes
  os level = 65
  domain master = yes
  preferred master = yes
  domain logons = yes
  server signing = auto
  logon script = logon.bat
  logon drive = X:
  logon home =
  time server = yes
  add machine script = /usr/sbin/adduser --ingroup machine --system --home /dev/null --no-create-home --force-badname %u
  logon path =
  wins support = yes

  log level = 2

2) Explanation

workgroup is the domain name. It is a NetBIOS name, so it can be at most 15 characters; keep it short and uppercase. You will need to use this often, so make sure you like it.

server string is a free-text description of the server that shows up in browse lists; it does not have to match anything. netbios name is the name the server has for itself and is what Windows name resolution (WINS) uses: again at most 15 characters, and uppercase.

security = there are several options, but I'm assuming you have one samba machine (the one being configured) and no other servers handling authentication. All the options apart from 'user' (and the obsolete 'share') assume there is another machine taking care of authentication!

password server is left empty, because I found it gave some weird results when I set it. This is related to security: any value here tells samba to do the authentication elsewhere.

passdb backend tells samba where it keeps the account database. Best to leave it on whatever you have now (if you're migrating) or smbpasswd - at least until you have everything up and running. The file is /etc/samba/smbpasswd, a text file with one line per Unix account holding that account's LM and NT password hashes (see later). Those hashes are password-equivalent for SMB (whoever can read them can log in with them), so the file must stay owned by root with mode 0600.

hosts allow is there for security. An entry such as 192.168. is a string prefix match, so this lets in every address from 192.168.0.0 to 192.168.255.255; a network/mask form like 192.168.1.0/255.255.255.0 is tighter. Put in as many subnets as you need, separated by spaces. It only filters on the source address the client presents, so treat it as a belt-and-braces measure next to a firewall on ports 137-139 and 445, not instead of one.

local master, preferred master, domain master and domain logons are what makes samba the domain master. If you have more samba running machines in the network, set them to 'no' on the ones that aren't PDC's.

os level - the higher this is, the better its chance of winning browser elections against other machines on the network. 65 beats the values any NT or 2000 machines floating around use, but obviously you shouldn't have more than one PDC (or domain master browser) on any network.

logon script is the name of the logon script that will run. There are better howtos than this one on how to build one - just remember they have to be in MS-DOS format (CRLF line endings), so convert any file you write on Unix with unix2dos. I do like putting net time /domain:DOMAINNAME /set /y into the logon script, as it keeps all the machines on the network at the same time. Make sure there is a [netlogon] share, as that is where the script is looked for. You can use substitutions such as %Gnetlogon.bat, which will run a file called groupnamenetlogon.bat for the user's primary group. I set browseable = No, read only = Yes, etc. on that share - none of anyone's business what all my groups connect to! Read only matters for more than privacy: every client executes whatever is in that script as the user logging on, so the share and the files in it must not be writable by anyone but root.

logon drive tells windows which drive will be mapped to the home directory.

logon home is where Win9x/Me will store roaming profiles. My profiles are local (because they can get really big!) so I've explicitly left it empty - otherwise samba will default it to some other value. The same goes for logon path, but that one is for 2000/XP profiles.

time server is not necessary (unless you go for roaming profiles) but is nice as it allows you to synchronise all the clients on the network to the same time (see logon script)

add machine script - this one adds machine accounts on DEBIAN - Red Hat users find another one! (hint: it doesn't use adduser, the Red Hat script uses useradd). Samba runs it as root when a workstation joins the domain, with %u set to the machine name plus a trailing $; that trailing $ is why --force-badname is needed. The account ends up in the 'machine' group created in step 4.

log level - set to 2 for debugging - most errors will be logged fairly verbosely like this. Reset it to 1 once you're no longer getting any errors.
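As an added example (not from the original page), a small Python checker for the settings discussed above. It parses smb.conf itself, so it runs without Samba installed, and demonstrates the point about hosts allow: a trailing-dot entry is a string prefix, not a subnet. The sample configuration is constructed from step 1; the function names, the wording of the findings and the rule that server signing should be mandatory are this example's, not Samba's.

```python
"""Check security-relevant [global] settings in a Samba 3 smb.conf.

Added example for this page, not Samba code. It parses the smb.conf syntax
on its own, so it runs offline; on a real server still run `testparm` too.
"""
import ipaddress
import re

# Constructed sample: the [global] fragment from step 1, with the two
# settings a reviewer would flag (bare "hosts allow" prefix, "server
# signing = auto") left exactly as on the page.
SAMPLE_SMB_CONF = """
[global]
  workgroup = DOMAINNAME
  netbios name = SERVERNAME
  security = user
  password server =
  passdb backend = smbpasswd
  hosts allow = 192.168.
  domain logons = yes
  server signing = auto
  log level = 2
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}. Keys are lower-cased with whitespace
    collapsed, since Samba treats 'Hosts Allow' and 'hosts  allow' alike."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf


def host_allowed(hosts_allow, ip):
    """Mimic the 'hosts allow' forms used on this page: a trailing-dot entry
    is a string prefix, address/mask is a network, anything else is an exact
    address. (EXCEPT lists are not modelled here.)"""
    addr = ipaddress.ip_address(ip)
    for entry in hosts_allow.split():
        if entry.endswith("."):
            if ip.startswith(entry):
                return True
        elif "/" in entry:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif entry == ip:
            return True
    return False


def lint_global(conf):
    """Return a list of findings for the [global] section."""
    g = conf.get("global", {})
    findings = []
    if g.get("security", "user") != "user":
        findings.append("security is not 'user': authentication is delegated to another machine")
    if g.get("password server", ""):
        findings.append("password server is set: authentication is delegated elsewhere")
    hosts = g.get("hosts allow", "")
    if not hosts:
        findings.append("no hosts allow: anything that can reach the ports may connect")
    for entry in hosts.split():
        if entry.endswith("."):
            findings.append(f"hosts allow prefix '{entry}' admits every address starting with it")
    if g.get("server signing", "auto") != "mandatory":
        findings.append("server signing is not mandatory: clients may negotiate unsigned sessions")
    if g.get("passdb backend", "smbpasswd").startswith("smbpasswd"):
        findings.append("passdb backend smbpasswd: flat file of password-equivalent hashes, keep it root-only 0600")
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for finding in lint_global(conf):
        print("WARN:", finding)
    print("192.168.200.7 allowed:", host_allowed(conf["global"]["hosts allow"], "192.168.200.7"))
```

Run it against your own file by replacing SAMPLE_SMB_CONF with open("/etc/samba/smb.conf").read(); the prefix entry from step 1 lets 192.168.200.7 in, while 192.168.1.0/24 would not.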

3) make sure there is a user nobody and a user guest (both can be made with 'null' passwords: smbpasswd -n) in both smbpasswd and passwd, and a user root in smbpasswd with a different password than the Unix root in passwd. The samba root password is what you type when joining machines to the domain, and it is stored as an NT hash in smbpasswd, so keeping it different from the Unix root password means that hash does not also give away the server's own root login.

  1. smbpasswd -a root
  2. smbpasswd -a guest
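Added example (not from the original page): a Python audit of the smbpasswd file from step 3. It reports the null-password accounts, the machine trust accounts (the entries that get removed again under ON MIGRATION), disabled accounts, and whether the weak LM hash is stored, and checks that the file mode is root-only. The entries are constructed with dummy hash strings; only the field layout (user:uid:LM hash:NT hash:[flags]:LCT-time:) is the real one.

```python
"""Audit a Samba smbpasswd file.

Added example for this page, not Samba code. The sample entries are
constructed with placeholder hashes; the field layout is the real one.
"""
import stat

DUMMY = "0123456789ABCDEF0123456789ABCDEF"   # placeholder, not a real hash
NO_PW = "NO PASSWORD" + "X" * 21            # what `smbpasswd -n` writes
OFF = "X" * 32                              # hash absent

SAMPLE_SMBPASSWD = "\n".join([
    f"root:0:{DUMMY}:{DUMMY}:[U          ]:LCT-45E8F2A1:",
    f"guest:65534:{NO_PW}:{NO_PW}:[NU         ]:LCT-45E8F2A1:",
    f"alice:1001:{OFF}:{DUMMY}:[U          ]:LCT-45E8F2A1:",
    f"bob:1002:{DUMMY}:{DUMMY}:[UD         ]:LCT-45E8F2A1:",
    f"WKST01$:1003:{DUMMY}:{DUMMY}:[W          ]:LCT-45E8F2A1:",
]) + "\n"


def parse_smbpasswd(text):
    """Yield one dict per entry; '#' lines and short lines are skipped."""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 5:
            continue
        yield {
            "user": fields[0],
            "uid": int(fields[1]),
            "lm": fields[2],
            "nt": fields[3],
            "flags": set(fields[4].strip("[] ")),   # U user, W workstation, D disabled, N no password
        }


def audit(entries):
    """Return {account: [notes]} for every entry worth a second look."""
    findings = {}
    for e in entries:
        notes = []
        if "N" in e["flags"] or e["nt"].startswith("NO PASSWORD"):
            notes.append("null password")
        if "W" in e["flags"] or e["user"].endswith("$"):
            notes.append("machine trust account")
        if "D" in e["flags"]:
            notes.append("disabled")
        if e["lm"] != OFF and not e["lm"].startswith("NO PASSWORD"):
            notes.append("LM hash stored")       # LM is trivially crackable
        if notes:
            findings[e["user"]] = notes
    return findings


def mode_ok(st_mode):
    """smbpasswd holds password-equivalent hashes: a regular file, root-only."""
    return stat.S_ISREG(st_mode) and (st_mode & 0o077) == 0


if __name__ == "__main__":
    for user, notes in audit(parse_smbpasswd(SAMPLE_SMBPASSWD)).items():
        print(f"{user:10s} {', '.join(notes)}")
```

On the server itself, feed it open("/etc/samba/smbpasswd").read() and os.stat("/etc/samba/smbpasswd").st_mode; a 'null password' note on anything other than nobody and guest deserves a look.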

4) Groups. You need NT groups mapped to Unix groups for the users to be recognised.

  1. net groupmap list

  System Operators (S-1-5-32-549) -> -1
  Replicators (S-1-5-32-552) -> -1
  Guests (S-1-5-32-546) -> -1
  Domain Users (S-1-5-21-3687569591-2717907897-2748310743-513) -> -1
  Power Users (S-1-5-32-547) -> -1
  Print Operators (S-1-5-32-550) -> -1
  Administrators (S-1-5-32-544) -> -1
  Account Operators (S-1-5-32-548) -> -1
  Domain Admins (S-1-5-21-3687569591-2717907897-2748310743-512) -> -1
  Backup Operators (S-1-5-32-551) -> -1
  Users (S-1-5-32-545) -> -1
  Domain Guests (S-1-5-21-3687569591-2717907897-2748310743-514) -> -1

shows the group mappings it expects. So these need to be made in /etc/group

  sysops:x:500:
  repl:x:501:
  guests:x:502:
  domusr:x:503:
  pwrusr:x:504:
  printops:x:505:
  ntadmin:x:506:administrator
  acctops:x:507:
  domadm:x:508:
  backops:x:509:
  usrs:x:510:
  domgsts:x:511:
  machine:x:512:

then the unix groups get mapped to the NT groups:

  net groupmap modify ntgroup="System Operators" unixgroup=sysops
  net groupmap modify ntgroup="Replicators" unixgroup=repl
  net groupmap modify ntgroup="Guests" unixgroup=guests
  net groupmap modify ntgroup="Domain Users" unixgroup=domusr
  net groupmap modify ntgroup="Power Users" unixgroup=pwrusr
  net groupmap modify ntgroup="Print Operators" unixgroup=printops
  net groupmap modify ntgroup="Administrators" unixgroup=ntadmin
  net groupmap modify ntgroup="Account Operators" unixgroup=acctops
  net groupmap modify ntgroup="Backup Operators" unixgroup=backops
  net groupmap modify ntgroup="Users" unixgroup=usrs
  net groupmap modify ntgroup="Domain Guests" unixgroup=domgsts
  net groupmap modify ntgroup="Domain Admins" unixgroup=domadm

Note the case of, and the quotes around, the NT group names.

In Windows, running "net group /domain" from cmd will show the groups.

So to add a domain user to an NT group, they have to be listed in /etc/group under the Unix group mapped to it. http://www.it.lut.fi/~doc/samba-3.0.0beta3/htmldocs/groupmapping.html

We modified the mappings above rather than adding them, because those groups come by default with samba and adding them again creates duplicate SIDs (which XP doesn't accept). If we want to add genuinely new groups we use

  1. net groupmap add ntgroup="new nt group name" unixgroup=newunixgrpname

So now users must be added to the groups. I like my users to be able to administer the local machine, but not the domain, so each user has to be added to the (Unix) groups ntadmin and domusr. Be aware of what that grants: ntadmin maps to Administrators, so every domain user becomes a local administrator on every workstation, and one stolen user password is enough to take over any client in the domain. Keep users in domusr only wherever you can.
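Added example (not from the original page): a Python helper that reads the `net groupmap list` output and the /etc/group entries from step 4 and produces the net groupmap modify commands, flagging a duplicate SID (the XP problem mentioned above) and a Unix group that has not been created yet. The inputs are constructed from the listing above, with domgsts deliberately left out of /etc/group; the WANTED table and the function names are the example's own.

```python
"""Plan `net groupmap modify` commands from `net groupmap list` and /etc/group.

Added example for this page, not Samba code. Inputs are constructed.
"""
import re

GROUPMAP_LINE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$")

# Constructed `net groupmap list` output on a fresh Samba 3.0.0 PDC: nothing mapped yet.
SAMPLE_GROUPMAP = """\
Domain Users (S-1-5-21-3687569591-2717907897-2748310743-513) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-3687569591-2717907897-2748310743-512) -> -1
Domain Guests (S-1-5-21-3687569591-2717907897-2748310743-514) -> -1
"""

# Constructed /etc/group excerpt from step 4; 'domgsts' is deliberately missing.
SAMPLE_ETC_GROUP = """\
domusr:x:503:
ntadmin:x:506:administrator
domadm:x:508:
machine:x:512:
"""

# NT group -> Unix group, as chosen on this page.
WANTED = {
    "Domain Users": "domusr",
    "Administrators": "ntadmin",
    "Domain Admins": "domadm",
    "Domain Guests": "domgsts",
}


def parse_groupmap(text):
    """Return a list of (ntgroup, sid, unixgroup or None) tuples."""
    rows = []
    for line in text.splitlines():
        m = GROUPMAP_LINE.match(line.strip())
        if m:
            rows.append((m["name"], m["sid"], None if m["unix"] == "-1" else m["unix"]))
    return rows


def unix_groups(etc_group):
    """Set of group names present in /etc/group text."""
    return {line.split(":")[0] for line in etc_group.splitlines() if ":" in line}


def domain_sids(rows):
    """Distinct domain parts of the S-1-5-21-* SIDs. More than one means
    mappings from two different PDC identities are mixed (see ON MIGRATION)."""
    return {sid.rsplit("-", 1)[0] for _, sid, _ in rows if sid.startswith("S-1-5-21-")}


def plan(rows, groups, wanted):
    """Return (commands, problems). Existing entries are modified, never
    added: `net groupmap add` on a group that exists makes a second SID."""
    commands, problems, seen = [], [], {}
    for name, sid, unix in rows:
        if sid in seen:
            problems.append(f"duplicate SID {sid}: '{seen[sid]}' and '{name}'")
        seen[sid] = name
        target = wanted.get(name)
        if target is None or unix == target:
            continue
        if target not in groups:
            problems.append(f"unix group '{target}' for '{name}' missing from /etc/group")
            continue
        commands.append(f'net groupmap modify ntgroup="{name}" unixgroup={target}')
    if len(domain_sids(rows)) > 1:
        problems.append("SIDs from more than one domain SID present")
    return commands, problems


if __name__ == "__main__":
    cmds, probs = plan(parse_groupmap(SAMPLE_GROUPMAP), unix_groups(SAMPLE_ETC_GROUP), WANTED)
    print("\n".join(cmds))
    for p in probs:
        print("PROBLEM:", p)
```

Pipe the real output in with subprocess.run(["net", "groupmap", "list"], capture_output=True, text=True).stdout and open("/etc/group").read(); fix every PROBLEM line before running the printed commands.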

5) Make sure that all the machine and domain names are in CAPITAL LETTERS!

6) in /etc/services make sure you have the following lines:

  netbios-ns      137/tcp    # NETBIOS Name Service
  netbios-ns      137/udp
  netbios-dgm     138/tcp    # NETBIOS Datagram Service
  netbios-dgm     138/udp
  netbios-ssn     139/tcp    # NETBIOS session service
  netbios-ssn     139/udp
  microsoft-ds    445/tcp    # Microsoft Naked CIFS
  microsoft-ds    445/udp    # Microsoft Naked CIFS

although this might no longer be strictly necessary with samba 3.0.0. These are also exactly the ports to keep off any interface that isn't the LAN.

7) Migrating the existing local profiles in XP to domain profiles without roaming. As I'm not roaming my profiles:

  1. Log in to the machine as local administrator, right-click My Computer -> Properties -> Computer Name tab. Click 'Change' and fill in the domain name. Enter the samba 'root' account we made earlier and you should be welcomed.
  2. Reboot the machine and log in as the new domain user. This creates the domain profile.
  3. Reboot and log in as the domain administrator user and go to Computer Properties again, tab Advanced, User Profiles settings. Choose the local profile and select 'Copy to' - choose the directory that has just been made (usually C:\Documents and Settings\username.DOMAINNAME) and in 'Permitted to use' select 'Everyone'. ('Permitted to use' sets the permissions on the copied profile; picking the specific domain user instead of Everyone keeps other users out of it.)
  4. Once the copy is done, reboot the machine and log in as the new user.

The local profile should now be copied over to the domain profile on that machine, and when you log in 99% of settings should work and look the same.

Under Win2k it's slightly different - open Control Panel -> Users, click on the Advanced tab, Advanced button and go to Groups. Select the Administrators group and double-click it. Click 'Add' and choose the domain as the location, then (because I don't just want domain admins but domain users to be administrators for the machine) choose DOMAIN\Domain Users.

8) try

  1. rpcclient -U username -W DOMAIN SERVERNAME
  2. smbclient -L ftp -I SERVERNAME

for some more info on why you're not logging in. rpcclient drops you at a prompt only after a successful domain logon as that user, so it tells you whether the account and password are accepted at all; smbclient -L lists the shares the server offers (netlogon should be among them) and what it announces about itself.

9) Check your settings for typo's :)

10) Upgrading the samba password mechanism from smbpasswd to tdbsam using

  1. pdbedit -i smbpasswd -e tdbsam

then change passdb backend = smbpasswd to passdb backend = tdbsam in /etc/samba/smb.conf. The tdb holds the same hashes the flat file did, so give it the same root-only permissions, and once you've verified that logins still work remove (or at least chmod 600) the old smbpasswd file - otherwise you have two copies of every hash to protect.

From here on in we're using the pdbedit tool to manage samba users instead of smbpasswd. Or we're upgrading to ldap, but we'll see about that.


TROUBLESHOOTING



Problems with an XP Client:


If your XP client logs onto the domain when changing the network ID but then gives an error like 'cannot find the domain controller' after a reboot, and trying to log in to the domain from the very beginning doesn't help either, you can try these...

1) Registry:

Save the following as sambalogin.reg and import it:

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
  "DisablePasswordChange"=dword:00000000
  "maximumpasswordage"=dword:0000001e
  "requiresignorseal"=dword:00000000
  "requirestrongkey"=dword:00000000
  "sealsecurechannel"=dword:00000001
  "signsecurechannel"=dword:00000001
  "Update"="no"

requiresignorseal = 0 and requirestrongkey = 0 stop the client from insisting on a signed or sealed Netlogon secure channel and on a strong session key. They are a downgrade, so treat them as a diagnostic step and take them out again once domain logon works.

  Event ID: 3036
  Source: MRxSmb
  Type: Warning
  Description: The redirector detected a security signature mismatch. The connection has been disconnected.

Comments

Adrian Grigorof: From a newsgroup posting: "Use Regedit and set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList to FALSE. This will prevent the computer from attempting to become a Domain Master Browser and compete with Domain Controllers."

In certain conditions, this can also occur when a Windows 2000 computer is trying to connect to a Windows NT machine with SMB signing enabled. See Q259698.

Jason S. Rundle (Last update 5/15/2003): See Microsoft Knowledge Base Article - Q325487.

Greg Donovan: When trying to browse a master domain resource from an untrusted domain or workstation, you are not allowed to view the master (untrusting domain) and the event log shows the 3036 error. The solution is to set HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature to 1 instead of 0 on the client workstation and reboot (or stop Workstation and restart Workstation, Messenger and Netlogon). Acknowledgements to Alexander Lobodzinski for solving and posting this on samba @ lists.samba.org.



2) If you find application errors in Event Viewer going on about auto-enrollment:

Solution: This is straight from Microsoft's Knowledgebase article (Q318266):

  1. Click Start, and then click Control Panel.
  2. If you are using Classic view in Control Panel, double-click Administrative Tools, and then double-click Local Security Policy. If you are using Category view, click Performance and Maintenance, click Administrative Tools, and then double-click Local Security Policy.
  3. Under the Local Policies\Security Options node, double-click the Domain Member: Digitally encrypt or sign secure channel data (always) policy to open it.
  4. Click Disabled, and then click OK.

Disabling that policy lets the client fall back to an unsigned, unsealed secure channel when that is all the DC offers; the same caveat as for the registry fix above applies.


SYMPTOMS

The following Event ID 15 error entries are logged at 8-hour intervals in the Application event log:

  Event Type: Error
  Event Source: AutoEnrollment
  Event Category: None
  Event ID: 15
  Date: date
  Time: time
  User: N/A
  Computer: computer name
  Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.

CAUSE

This behavior can occur if the Autoenrollment feature cannot reach an Active Directory domain controller. In a Microsoft Windows NT 4.0 domain, Active Directory is not available, so Autoenrollment cannot work. In an Active Directory domain with Microsoft Windows 2000 or later domain controllers, the problem can be caused by a DNS name resolution or network connectivity issue.

RESOLUTION

For a Windows XP-based or a Windows Server 2003-based computer that is joined to a Windows NT 4.0 domain, to disable Autoenrollment in the Local Group Policy, follow these steps on the local workstation:

  1. Click Start, click Run, type gpedit.msc, and then press ENTER.
  2. In the left pane, expand the following branches: User Configuration (or Computer Configuration), Windows Settings, Security Settings, Public Key Policies.
  3. Double-click Autoenrollment Settings.
  4. Click Do not enroll certificates automatically.
  5. Click OK. Close the Group Policy window.

For a computer that is a member of a Windows 2000 or later Active Directory domain, make sure that the domain member has network connectivity with at least one domain controller.

After you have determined that you have good Internet Protocol (IP) connectivity between the member and a domain controller, correct the DNS address in the IP properties of the workstation:

  1. Start the Network Connections tool in Control Panel.
  2. Right-click Local Area Connection, and then click Properties.
  3. Click Internet Protocol (TCP/IP), and then click Properties.
  4. Type the correct DNS address in the Preferred DNS server box.
  5. Click OK.

A Samba 3.0 PDC looks like an NT 4.0 domain to the client, so it is the first case (disable Autoenrollment) that applies here.

Notes for Samba 2

  1. flat files that map Unix groups to NT type groups.
  2. these files take the form unix_group = "Windows NT group"

  domain group map = /usr/local/samba/private/domaingroup.map
  domain alias map = /usr/local/samba/private/domainalias.map

but maybe the above is just for samba-tng; domain admin group = @ntadmin in [global] seems to be the way to go for now...

Also, add machine script = is add user script = in 2 (confusing, huh?!).

Using swat makes life easier! Bear in mind that SWAT logs you in with the root password over plain HTTP, so only use it from the server itself or through a tunnel, never across the network.


ON MIGRATION


When moving a PDC to another machine, the new setup generates a new domain SID, so every domain group SID (see 'net groupmap list') differs from the one on the first PDC. The Windows machines want to talk to the SIDs they joined, so they will refuse to connect to the new PDC, giving all sorts of problems. What can you do? The clean way is to carry the domain SID over before any client joins: read it on the old server with net getlocalsid and set it on the new one with net setlocalsid; the group mappings and existing machine accounts then stay valid. Theoretically you should also be able to net groupmap modify the SIDs on the new server so that they match the old server's. I didn't do it that way - I created and left the new SIDs. There seems to be some residue of the old SIDs in the password files.

  1. Remove the machine accounts from /etc/passwd and /etc/samba/smbpasswd.
  2. Start up the client, log in as local administrator (not on the domain, silly!) and remove the machine from the domain (doesn't matter which PDC as long as you remember the correct root account password for samba): right-click My Computer, tab Identification, change ID and put it in a workgroup.
  3. Check the registry settings (see above).
  4. Rename the profile directory username.DOMAIN (under Documents and Settings) to username.DOMAIN.old.
  5. Remove the samba users (the usernames your clients log in with) from /etc/passwd and /etc/samba/smbpasswd.
  6. Reboot the client, log in as local administrator, join the domain, reboot the machine.
  7. Create the new client users in /etc/passwd and /etc/samba/smbpasswd (use adduser and smbpasswd -a - don't copy and paste from any old ones!).
  8. Log in with the user on the client on the domain; when the default profile has finished building, reboot.
  9. Log in as local administrator and copy the contents of \Documents and Settings\username.DOMAIN.old\* to \Documents and Settings\username.DOMAIN\. Make sure that ntuser.dat has been copied.
  10. Log out, log in as the user on the domain.

Migration complete!