Thursday, February 23, 2012

Install Samba as Primary Domain Controller

1- apt-get update
2- apt-get upgrade
3- apt-get install ssh openssh-server
4- apt-get install acl
5- change fstab to enable ACL
6- apt-get install samba samba-common samba-doc libcupsys2-gnutls10 libkrb53 winbind smbclient

7- Edit smb.conf:
#Domain name
workgroup = MSHOME

# Sets the primary NetBIOS name of the Samba server
netbios name = CLIENT-PDC

# Sets a descriptive string for the Samba server
server string = %h

# The three passdb backends that are fully maintained (actively supported) by
# the Samba Team are: smbpasswd (being obsoleted), tdbsam (a tdb-based binary file
# format), and ldapsam (LDAP directory).
# Of these, only the ldapsam backend stores both POSIX (UNIX) and Samba user
# and group account information in a single repository.
# The smbpasswd and tdbsam backends store only Samba user accounts.
# It is recommended to use the tdbsam method for all simple systems.
# Use ldapsam for larger and more complex networks.
passdb backend = tdbsam

# Make domain logins query the Samba password db located on the samba server itself
security = user

# File for user mapping
username map = /etc/samba/smbusers

# lmhost: Uses a LAN Manager LMHOSTS file
# hosts: Uses the standard name resolution methods of the Unix system
# wins: Uses the WINS server
# bcast: Uses a broadcast method
name resolve order = wins bcast hosts

# Tells Samba to become the PDC
domain logons = yes

# Makes the PDC act as the central store for names of all windows clients,
# servers and printers
preferred master = yes

# Samba will act as a WINS server
wins support = yes

# Set CUPS for printing
printcap name = CUPS
printing = CUPS

# Default logon

#Drive letter under which the SAMBA share will appear in the Windows Explorer
logon drive = H:

# you can specify a Windows batch script that is executed as soon as a
# Windows workstation logs in
# This option specifies a Windows .BAT or .CMD file with lines
# ending in carriage-return/line feed that will be executed on the
# client after a user has logged on to the domain. Each logon
# script should be stored
# at the base of a share entitled [netlogin]
logon script = login.bat

# The base directory that supports the profiles
logon path = \\client-pdc\profile\%U

# Useradd scripts
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false/ -d /var/lib/nobody %u
idmap uid = 15000-20000
idmap gid = 15000-20000

# sync smb passwords with linux passwords
passwd program = /usr/bin/passwd %u

# This option works like a Unix chat
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

# Sends debug logs of the password-change process
# to the log files with a level of 100
passwd chat debug = yes

# Samba updates the standard Unix password db,
# when a user changes his encrypted password
unix password sync = yes

# set the loglevel
log level = 3

#Defines the users home directiory
comment = Home

# specifies a list of users that should be allowed to login to this service
# %S: Name of present share
valid users = %S

# Allows the samba user to also write to their Samba directory
read only = no

# Does'nt allow others to browse the contents of the directory
browsable = no

comment = All Printers
path = /var/spool/samba
printable = yes
guest ok = yes
browsable = no

# Make sure permissions are 755
# Contains scripts that the windows clients may use when they log into the domain
comment = Network Logon Service
path = /home/samba/netlogon
admin users = Administrator

# specifies a list of users that should be allowed to login to this service
# %u: Unix current username
valid users = %U
read only = no

# User roaming profiles.
# Make sure the direcory is owned and group owned by root
# Make sure its permission is 755
# Stores things such as favorite and desktop icons
comment = User profiles
path = /home/samba/profiles
valid users = %U
create mode = 0600
directory mode = 0700
writable = yes
browsable = no

8- Create the directories for domain logons and profiles:
mkdir /home/samba
mkdir /home/samba/netlogon
mkdir /home/samba/profiles
mkdir /var/spool/samba
chmod 777 /var/spool/samba/
chown -R root:users /home/samba/
chmod -R 771 /home/samba

9- restart Samba:
/etc/init.d/samba restart

10- Edit /etc/nsswitch.conf. Change the line:

hosts: files dns


hosts: files wins dns

11- Add the root user to the SAMBA password database. The root user (alias: Administrator) will be our domain administrator. This account is needed to add new computers to the SAMBA domain.

smbpasswd -a root

12- Create the file /etc/samba/smbusers and add the line by executing:

echo "root = Administrator" > /etc/samba/smbusers

13- Now test if the setup is correct:

smbclient -L localhost -U%

The output should look similar to this:

Domain=[MSHOME] OS=[Unix] Server=[Samba 3.0.24]

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Domain=[MSHOME] OS=[Unix] Server=[Samba 3.0.24]

Server Comment
--------- -------
CLIENT-PDC client-PDC server (Samba, Ubuntu)

Workgroup Master
--------- -------

14- Setup the default domain groups for windows:

net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
net groupmap add ntgroup="Domain Users" unixgroup=users
net groupmap add ntgroup="Domain Guests" unixgroup=nogroup

15-Now add a user, e.g. tom, to our Samba domain. You will have to add a user like this for each user account you want to connect to this SAMBA domain server.

15-1- Add a linux user tom:

useradd tom -m -G users

15-2- Add the linux user tom to the SAMBA password database:

smbpasswd -a tom

16- Now add a share that is accessible by all users.

mkdir -p /home/shares/allusers
chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/

17- At the end of the file /etc/samba/smb.conf add the following lines:

comment = All Users
path = /home/shares/allusers
valid users = @users
force group = users
create mask = 0660
directory mask = 0771
writable = yes

18- restart Samba

19- acl Support:

With a Samba server, only the owner of a file or folder may change its permissions. When modifying the ACLs of files via the ACL dialog, you will need to login as the user who owns those files in order to make the changes. For files that will be managed by multiple administrators, change the owner of those files to Administrator or some other common user. To modify permissions of these files via the ACL dialog, you will need to login as this user.

20- Configure Windows XP clients

You should start the process for Windows XP clients by a complete Windows Update. After the release of Service Pack 2, Microsoft Windows way of dealing with profile has changed a bit. You will need to start by login into your Windows XP client locally as Administrator and execute :


then, you must navigate to :

Local Computer Policy / Computer Configuration / Administrative Templates / System / User Profiles

and change the setting of the key 'Do not check for user ownership of Roaming Profile Folders' from 'Not Configured' to 'Enable'. If that key is not present, you should try visiting Windows Update again. Then you can use 'File / Exit'. This is needed because WinXP actually checks ACL Permission in your profile file system (which isn't really that easy to develop under *NIX). Once this is completed, you can procede as for Windows 2000.

Alternatively, you can add the following registry key:


Install Samba to join to Active Directory

Join SAMBA to Active Directory domain and File, Directory, and Share Access Controls

Step 1: Install the Required Packages

apt-get install krb5-user
apt-get install winbind samba

Step 2: Edit the /etc/krb5.conf File

default_realm = CONNECTA.LOCAL
ticket_lifetime = 24000

kdc = mercury.connecta.local
admin_server = mercury.connecta.local
default_domain = CONNECTA.LOCAL

.connecta.local = CONNECTA.LOCAL
connecta.local = CONNECTA.LOCAL
.kereberos.server = mercury.connecta.local

Step 3:
Edit /etc/samba/smb.conf 
Notes: Change the NETBIOS name parameter to be correct for the server. Make a backup copy of the original file!!! ) Make the edits. The configuration shown is the bare minimum and doesn't share anything. 
workgroup = CONNECTA 
security = ads 
netbios name =COPPELIUS001 
preferred master = yes 
encrypt passwords = yes 
log file = /var/log/samba/%m 
winbind separator = + 
password server = mercury.connecta.local 
idmap uid = 600-20000 
idmap gid = 600-20000 
winbind enum users = yes 
winbind enum groups = yes 
winbind use default domain = yes 
winbind nested groups = yes 
guest account = nobody 
template shell = /bin/bash 
nt acl support = true 

2) Test the configuration with the "testparm" command 
Step 4: Edit /etc/nsswitch.conf to look like the example below 
passwd: compat winbind
group: compat winbind
shadow: compat 
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis 

Step 5: Modify the PAM settings 

1) /etc/pam.d/common-account should contain only the following lines 
account sufficient account required 

2) /etc/pam.d/common-auth should contain only the following lines 
auth sufficient auth required nullok_secure use_first_pass 

3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below 
password required nullok obscure min=4 max=50 md5 

4) Make sure the /etc/pam.d/common-session file contains the following line 
session required umask=0022 skel=/etc/skel 
Step 6: Make a directory to hold domain user home directories 
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file 

Code (if you want to use WORKGROUP): 
mkdir /home/DOMAIN 

Step 7: Initialize Kerberos 

1) Code: 
kinit domain_admin_account@CONNECTA.LOCAL
Next check to be sure you got a ticket from the domain controller It's possible that With ADMINISTRATOR you have problem, then you must change ADMINSITRATOR's password on Active-Directory!! 

2)KLIST Shows the current ticket(s): 

Step 8: Join the system to the set Computer name in /etc/hosts to fully qualified name (example: aspirin.CONNECTA.LOCAL) 

net ads join -U administrator@CONNECTA.LOCAL 

kinit(v5): Clock skew too great while getting initial => The time at server and client are not same, and must be synchronized.

Step 9: Restart Samba-related Services (Or reboot the server)

Note: The order is important

/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start

Step 8: Enable ACL (Access Control List) support for the file system

mount / -o remount,acl

If you want to add it at startup, edit /etc/fstab in the following way:

/dev/hda1 / ext3 defaults,acl 0 0

Now set up ACL tools, which allows us to assign ACL to files:

# apt-get install acl

Step 9: Make a directory for sharing


mkdir /home/masoud/share/newtest
chgrp "Domain Users" /home/masoud/share/newtest

Step 10: add share properties in smb.conf


path = /data
available = yes
browsable = yes
read only = no
public = yes
writable = yes
security mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0
nt acl support = yes
store dos attributes = yes
dos filemode = yes

Step 11-1: Share permission management in WINDOWS

1. Launch the NT4 Server Manager and click on the Samba server you want to administer. From the menu select Computer, then click on Shared Directories.
2. Click on the share that you wish to manage and click the Properties tab, then click the Permissions tab. Now you can add or change access control settings as you wish.


from Control Panel -> Administrative Tools run Computer Management:

1. After launching the MMC with the Computer Management snap-in,click the menu item Action and select Connect to another computer.If you are not logged onto a domain you will be prompted to enter a domain login user identifier and a password. This will authenticate
you to the domain. If you are already logged in with administrative privilege, this step is not offered.
2. If the Samba server is not shown in the Select Computer box, type in the name of the target Samba server in the field Name:. Now click the on [+] next to System Tools, then on the [+] next to Shared Folders in the left panel.
3. In the right panel, double-click on the share on which you wish to set access control permissions. Then click the tab Share Permissions. It is now possible to add access control entities to the shared folder. Remember to set what type of access (full control, change, read) you wish to assign for each entry

Be careful. If you take away all permissions from the Everyone user without removing this user, effectively no user will be able to access the share. This is a result of what is known as ACL precedence. Everyone with no access means that MaryK who is part of the group Everyone will have no access even if she is given explicit full control access.

Step 11-2: Share permission management in UBUNTU

setfacl: This utility sets Access Control Lists (ACLs) of files and directories.
-R : Recursive
-m : Modify
-x : Delete

setfacl -R -m user:suresh:rwx /home/share/newtest

geftacl: This utility shows Access Control Lists (ACLs) of files and directories.

getfacl /home/share/newtest


Map a Windows Folder to a Ubuntu Directory:

kinit suresh@CONNECTA.LOCAL

sudo mount -t cifs -o username=suresh //$ /home/share/suresh