Samba Installation with a Windows (2000/XP) PDC Server
Preface
This paper is an attempt to gather brief, comprehensive Linux-Samba-Windows 2000/XP setup guidance into one document. To be concise, little explanation is offered – other than to point out consequences, where observed, if the steps aren’t followed. If you’re looking for background on Linux, Samba or Linus Torvald’s genealogy back to Adam & Eve, that’s not here (though those docs etc. are sprinkled over the far reaches of the {Internet} earth). This document is offered for those frustrated souls who wish to use Linux for something (like database business systems), rather than spend life tinkering with their operating system. <G>
All I ask in return is that you don’t remove the references to Data-based Systems Corporation - so that Data-based Systems Corporation may enjoy whatever notoriety (or infamy?) comes of it.
The following approach works for me, using Red Hat Linux 7.x and Windows 2000 server, my Primary Domain Controller (PDC).
Yes, security = domain (not just security = server) actually works! It should work for you, too. Enjoy …
Documentation locations
Red Hat Linux installs Samba documentation here:
/usr/share/doc/Samba-2.2.1a (the filename-version will vary with your Samba version)
In particular, read the “Setting up browsing in a domain” section of Browsing.txt. You should also read the Encryption.txt file. On the SWAT “Home” button, read “Joining an NT Domain with Samba 2.0”.
I also benefited from “Red Hat Linux 6 Server” Chapter 15 by Mohammed J Kabir.
Non-Samba-related Setup
When you attempt to browse the Linux box from your W2k/NT box or map a drive to your Linux box from your W2k/NT box, you may get a “The network path was not found” error, even though your Linux box can smbmount your W2k/NT box. Doing the following “Windows 2000 (NT) setup” and “Linux (non-Samba) PC setup” seemed to alleviate that problem.
Windows 2000 (NT) setup
Run WINS on your Windows 2000 (NT) box – not on the Linux-Samba box.
Create a (Workstation or server, but not PDC or BDC) “computer account” for your Linux PC on the Windows 2000 PDC.
“Pre-Windows 2000 Servers”
When installing DNS on your PDC, the installation asks (i.e. presents you with two radio buttons):
- “Permissions compatible with pre-Windows 2000 servers”
- “Permissions compatible only with Windows 2000 servers”
If you don’t (or didn’t) select the pre-Windows 2000 option, how might you expect Windows 2000 to be able to exchange permissions with your Linux server?
Domain Master
You can verify if your Windows 2000 PDC is really acting in the Domain Master role by searching for (and changing, if necessary) the following Registry key: IsDomainMaster. Search three times, since there are three references to IsDomainMaster in the Registry. For non-PDC Windows 2000 servers in your network, IsDomainMaster should be False, rather than True.
Linux (non-Samba) PC setup
In KDE | System | Networking Configuration (or in LinuxConf) | Hosts | Hostname, I entered: RHLinux for domain: office.com
Samba setup
Configuration
The Samba configuration file is located here: /etc/samba/smb.conf
If you don’t set Encrypt Passwords = yes, NT/W2k will harass you with UserName/Password dialog boxes.
My example variable names (which you should change to whatever you named yours …).
Domain/Workgroup is called: OFFICE (In this case, “OFFICE” is the netBIOS name for office.com)
Windows 2000 PDC is called: OFFICE1
Linux-Samba server is called: RHLinux
smb.conf
SWAT
Rather than manually edit files to auto-start the SWAT web-based smb.conf utility, in KDE you can simply go to: Kontrol Panel | Services … scroll down and enable SWAT (by touching the Space bar). KDE Kontrol Panel | Services actually runs ntsysv in a window. Then re-boot, open the browser and enter http://localhost:901/ for the Address, which will prompt you for a username/password (I just use “root”) and open SWAT. SWAT is much nicer than manually searching for all the documentation files, but if you need the documentation separately, it’s located at:
/usr/share/doc/Samba-2.0.7/docs/htmldocs/smb.conf5.html
Verifying and listing smb.conf parameters
To verify that you’ve entered your smb.conf parameters correctly, run (and re-run frequently): testparm
The portions of smb.conf that got Samba to work follow:
smb.conf parameter notes
The workgroup = parameter is more critical than you might think for your W2k boxes to “see” your Linux box and display it in Network Neighborhood. If your domain name (e.g. office.com) differs from the NetBIOS name (e.g. OFFICE) for your domain, you will pull your hair out wondering why Network Neighborhood won’t display your Linux box, unless you enter:
workgroup = OFFICE (assuming that “OFFICE” is your NetBIOS name for your office.com domain)
The netbios name parameter can be left blank. It lets you change the name under which your Linux-Samba box will appear in W2k Network Neighborhood.
[global]
workgroup = OFFICE
NetBIOS name =
server string = %h Samba %v Server
security = DOMAIN
encrypt passwords = Yes
update encrypted = Yes
null passwords = Yes
smb passwd file = /usr/local/samba/private/smbpasswd
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 0
preferred master = False
local master = No
domain master = False
dns proxy = No
# change this IP to whatever your IP is (smb.conf comments start with # or ;, not //)
wins server = 192.168.1.100

[homes]
comment = Home Directories
path = /home
read only = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
smbpasswd
smbpasswd permits a Windows box to “see” the Linux box. It is much easier for the Linux box to “see” the Windows box; in fact, the Linux box can “see” the Windows box (see smbmount … below) without doing these smbpasswd steps!
Encrypt the Samba password file
Read /usr/share/doc/Samba-2.0.7/docs/textdocs/ENCRYPTION.txt. The mksmbpasswd.sh is a passwd hash-encryption utility. Create the directories /samba/private under /usr/local … and then run:
cat /etc/passwd | mksmbpasswd.sh >/usr/local/samba/private/smbpasswd
smbpasswd permissions
For security, encryption.txt advises that both the smbpasswd file and the directory that holds it, /private, be restricted to root-limited permissions. Do the following to set those permissions:
chmod 500 /usr/local/samba/private
chmod 600 /usr/local/samba/private/smbpasswd
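As an added check that is not part of the original guide, the following POSIX shell script audits the smb.conf excerpt above for the settings this guide relies on (workgroup, wins server, security = domain, encrypt passwords) and verifies the 500/600 permissions just set on the private directory and the smbpasswd file; it also flags null passwords = Yes, which admits accounts whose smbpasswd entry has an empty password. It assumes GNU stat (as on Red Hat) and takes the smb.conf path and the private directory as arguments.

```shell
#!/bin/sh
# Added audit helper (not from the original guide): checks that smb.conf
# carries the settings this guide depends on and that the smbpasswd file
# has the permissions the guide sets. Assumes GNU stat (Red Hat has it).

# smb_get FILE KEY: print KEY's value from the [global] section (case-insensitive)
smb_get() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }                                  # comment line
        /^[ \t]*\[/   { insec = (tolower($0) ~ /\[global\]/); next }
        insec && NF >= 2 {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)             # keep any later "="
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# audit_samba SMB_CONF PRIVATE_DIR: print findings, return the number found
audit_samba() {
    conf="$1"; priv="$2"; problems=0
    # Settings the guide says the domain join will not work without
    for kv in "security=domain" "encrypt passwords=yes"; do
        key="${kv%%=*}"; want="${kv#*=}"
        got=$(smb_get "$conf" "$key" | tr 'A-Z' 'a-z')
        [ "$got" = "$want" ] || { echo "FAIL: $key is '$got', expected '$want'"; problems=$((problems + 1)); }
    done
    for key in "workgroup" "wins server"; do
        [ -n "$(smb_get "$conf" "$key")" ] || { echo "FAIL: $key is not set"; problems=$((problems + 1)); }
    done
    # Weak setting in the guide's smb.conf: empty passwords would be accepted
    if [ "$(smb_get "$conf" "null passwords" | tr 'A-Z' 'a-z')" = "yes" ]; then
        echo "WARN: null passwords = Yes; set it to No unless a share really needs it"
        problems=$((problems + 1))
    fi
    # Permissions the guide sets: 500 on the private dir, 600 on smbpasswd
    [ "$(stat -c %a "$priv" 2>/dev/null)" = "500" ] || { echo "FAIL: $priv should be mode 500"; problems=$((problems + 1)); }
    [ "$(stat -c %a "$priv/smbpasswd" 2>/dev/null)" = "600" ] || { echo "FAIL: $priv/smbpasswd should be mode 600"; problems=$((problems + 1)); }
    return $problems
}
```

Run it as root after editing smb.conf, e.g. audit_samba /etc/samba/smb.conf /usr/local/samba/private; a zero exit status means every check passed.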
Get smbpasswd to join the Domain – for security = domain
Critical prerequisites:
- A computer account for the Linux PC (e.g. RHLinux) on the (OFFICE1) domain PDC must already exist before you run this command.
- When the Linux PC account is created on the domain PDC, “Allow pre-Windows 2000 computers to use this account” must be checked. Otherwise, the dreaded “NT_Status_Access_Denied” error will be generated in response to the smbpasswd command. Note where it says “User/Group that can add this computer to a domain = Domain Admins”. Then run:
smbpasswd -j domainName.com -r PDCname
For example:
smbpasswd -j office.com -r OFFICE1
This command should return: the date, followed by:
Change_trust_account_password:
Changed password for domain OFFICE.COM
Joined domain OFFICE.COM.
If, instead, you get the “NT_Status_Access_Denied” error, delete the Linux “computer account” on your Windows 2000 PDC server, re-boot both PCs and re-create the “computer account” in “Active Directory Users & Computers”, making sure to check “Allow pre-Windows 2000 computers to use this account”. (Yes, folks, Microsoft looks at your Linux box as a “pre-Windows 2000 computer”! <G> )
If necessary, delete the PDC WINs “computer account” entries and re-boot the PDC; the PDC WINs will re-detect what’s really needed, including your Linux box.
Should you decide to hose your Linux box and re-install it (Nobody ever does that, right? … `cause it takes all of 30 minutes to start fresh. <G> ), remember that you will, again, need to delete the W2k PDC “computer account” for your Linux box and re-create the Linux “computer account”, because Windows tracks your Linux box via a GUID – not by the NetBIOS name. If you don’t, the “NT_STATUS_ACCESS_DENIED” error will plague you.
Browsing from a Windows PC
When browsing from a Windows PC, if you get prompted for a username/password and, subsequently, receive a “System error 1326 has occurred”, chances are … the Windows domain-user account in question has not been added to the smbpasswd list on the Linux box. This can be confusing, so remember: Windows domain security does not extend to the Samba-Linux box, i.e. you have to add each Windows domain user who will need to browse the Samba-Linux box to the Samba-Linux users list, as follows:
smbpasswd -a userName
For example,
smbpasswd -a Administrator
The -a switch stands for “add” userName. You will be prompted for a password and to confirm that password, after which that Windows-domainUserAccount will be allowed to browse from Windows.
Browsing from Samba-Linux
Similarly (in reverse), to browse the Windows box from the Linux box, the Windows domain must have a user account whose name matches the Linux user account that is trying to browse that Windows box.
DNS
If you are setting up a small home-office network, you may not want to bother running a local domain name server (DNS) – especially if your Internet (e.g. cable modem) provider offers a perfectly good (i.e. better) DNS. For such a small network it may be easier (and wiser) to simply specify the few other computers in the local hosts file.
- On the Linux box you can either manually edit the /etc/hosts file or make your additions via Linuxconf | Networking | Misc | Information about other hosts …
- On the Windows 2000 box manually add to C:\WinNT\system32\drivers\etc\hosts
Starting/stopping Samba
The following smb call starts/stops both Samba daemons (services), smbd and nmbd (which supports browsing).
/etc/rc.d/init.d/smb start
/etc/rc.d/init.d/smb stop
smb can be autostarted via ntsysv, made available through KDE | Kontrol Panel | Services … scroll down to it and touch the space bar – to get a * beside the daemon/service name. Any services with an * will autostart.
To properly auto-start Samba at the appropriate run-level (5) for x-windows, create a symbolic link as follows:
ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc5.d/S91.smb
smbmount - mounting a Windows share
smbmount //WindowsServerNetBiosName/shareName /LinuxMountPoint -o username=WindowsUserName
For example,
smbmount //OFFICE1/DownLoad /DownLoad -o username=Administrator
Note: the /DownLoad folder must already exist on Linux. smbmount does not create that directory; it merely makes the share contents (the W2k //OFFICE1/DownLoad) visible in that directory.
Also note that root permissions (or … su root) are required to smbmount.
A smbmount command issued from the terminal only lasts for the current boot session; the mount is gone after a re-boot.
Samba Client
smbclient can either:
- list shares or
- act as a command-line FTP client.
You may list the smbclient options by typing the following in a terminal session:
smbclient --help
To list Windows 2000 shares,
smbclient -L WindowsServerNetBIOSname -U userAccountName
For example,
smbclient -L OFFICE1
To use the smbclient FTP service (the password goes after the user name, separated by %):
smbclient //WindowsServerNetBIOSname/shareName -U userAccountName%password
For example,
smbclient //OFFICE1/C$ -U administrator%password
THE END
If you carefully followed and did all of the above, you should be smilin’ by now. It is my sincerest hope that you don’t have to go through what I did – to get Samba to work (I wouldn’t wish that upon my worst enemy).
Now, go forth … and build business systems. <G>