Monday, January 16, 2012

Configure SAMBA Server on your Red Hat Enterprise Linux5 (Part-2)

Configure Samba as a member server of a Windows domain

A domain member server is similar to a stand-alone server, except that it is joined to a Windows-based (Server 2003) domain controller. An example of a domain member server is a departmental server running Samba that has a machine account on the Primary Domain Controller, a Windows Server 2003 machine. All of the department's clients authenticate with the PDC, which also supplies desktop profiles and network policy files; the difference is that the departmental server controls its own printer and network shares.


Preparing Windows Server 2003 as a domain controller:

Operating System: Windows Server 2003 Enterprise Edition
Machine Name:     wdc01
Machine IP:       210.207.201.100
Domain Name:      alphabd.net
FQDN:             wdc01.alphabd.net

Step-1: Install & configure the DNS server on Windows Server 2003

Start → Program → Administrative Tools → Configure Your Server Wizard → Next → Next → Custom Configuration → Next → Select DNS → Next → Next → wait a moment → Next

Select “Create forward and reverse lookup zones” (2nd option) → Next → Select “Yes, create a forward lookup zone now” → Next → Primary zone → Next → Type “alphabd.net” into the Zone name field → Next → keep the default settings → Next → Select “Allow both nonsecure and secure dynamic update” → Next

Select “Yes, create a reverse lookup zone now” → Next → Primary zone → Next → Type “210.207.201.” into the Network ID field → Next → Keep the default settings → Next → Select “Allow both nonsecure and secure dynamic update” → Next → Next → Cancel → Finish → OK → Finish → the Manage Your Server wizard page will appear; close it.

Edit the DNS Resource Records

Host (A) record:

Start → Program → Administrative Tools → DNS → Right click on “wdc01” → All Tasks → Restart → Expand Forward Lookup Zones → Right click on “alphabd.net” → New Host (A) → Type “wdc01” into the Name field → Type “210.207.201.100” into the IP address field → Select the “Create associated pointer (PTR) record” check box → Add Host → OK → Done

PTR record:

Expand Reverse Lookup Zones → Select “210.207.201.x Subnet”; in the right pane you will see that the PTR record has been added automatically. If it is not there, right click on the right pane → Refresh

SOA & Name Server record:

Expand Forward Lookup Zones → Click alphabd.net → Double click on Start of Authority (SOA) → Ensure that the SOA tab is selected → Click Browse in the Primary server section → Double click on your machine name (in this case my machine is wdc01) → Double click on Forward Lookup Zones → Double click alphabd.net → Select wdc01 → OK

Click Browse in the Responsible person section → Double click on your machine name (in this case my machine is wdc01) → Double click on Forward Lookup Zones → Select All Records from the Record type section → Double click on alphabd.net → Select wdc01 → OK → Replace wdc01 with hostmaster → OK

Do the same in the Reverse Lookup Zone.

Name Server record edit:

From the Forward Lookup Zone double click on the Name Server (NS) record → Edit → Type the full DNS name of the server (wdc01.alphabd.net.) → Click Resolve → OK

Do the same in the Reverse Lookup Zone.


Prepare Samba for acting as a member server

Basic Configuration

Step-1: Check whether the samba rpm packages are installed with either of the following commands:

[root@srv1 ~]# rpm -qa | grep -i samba
[root@srv1 ~]# rpm -qa 'samba*'

samba-common-3.0.33-3.14.el5
samba-swat-3.0.33-3.14.el5 
samba-3.0.33-3.14.el5
samba-client-3.0.33-3.14.el5
system-config-samba-1.2.41-5.el5

If they are not installed, install the packages with yum:

[root@srv1 ~]# yum install 'samba*' -y

Step-2: Check and Configure the Network Card:

[root@srv1 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0

(Modified File):

# Broadcom Corporation NetLink BCM57875 Gigabit Ethernet PCI Express
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:0C:29:EB:B2:CA
ONBOOT=yes
TYPE=Ethernet
PEERDNS=no
USERCTL=no
IPV6INIT=no
IPADDR=210.207.201.8
NETMASK=255.255.255.0
NETWORK=210.207.201.0
BROADCAST=210.207.201.255

After changing the file, restart the NIC (eth0) with the following commands:

[root@srv1 ~]# ifdown eth0
[root@srv1 ~]# ifup eth0
[root@srv1 ~]# service network restart

Step-3: After the NIC configuration is complete, change the host name by editing the following file:

[root@samba ~]# vi /etc/sysconfig/network

(Modified File):

NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=srv1

Additional configuration for Samba Server

Creating & Managing Users & Groups:

Step-1: Create a group named “samba-users” and a directory named “Resources” for shared resources.

[root@srv1 ~]# groupadd samba-users
[root@srv1 ~]# mkdir /opt/Resources

Step-2: Create some samba users with passwords, add them to the “samba-users” group and set the “Resources” directory as their home directory.

[root@srv1 ~]# useradd -g samba-users -d /opt/Resources user1
[root@srv1 ~]# useradd -g samba-users -d /opt/Resources user2
[root@srv1 ~]# useradd -g samba-users -d /opt/Resources administrator
[root@srv1 ~]# smbpasswd -a user1
[root@srv1 ~]# smbpasswd -a user2
[root@srv1 ~]# smbpasswd -a administrator

Step-3: Set a samba password for “root” so that you can log in as “root” from both Windows & Linux machines.

[root@srv1 ~]# smbpasswd -a root

Step-4: Assign the appropriate permission for “Resources” directory against those users.

[root@srv1 ~]# chown root:samba-users /opt/Resources/
[root@srv1 ~]# chmod 750 /opt/Resources/

Step-5: Now create some sub-directories inside the “Resources” directory named “Documents”, “Software” & “Others”

[root@srv1 ~]# mkdir -p /opt/Resources/Documents
[root@srv1 ~]# mkdir -p /opt/Resources/Software
[root@srv1 ~]# mkdir -p /opt/Resources/Others

Step-6: Now set permissions on those sub-directories so that the owner can read, write & delete, while other users have read & write permission but cannot delete each other's files (the leading 1 is the sticky bit).

[root@srv1 ~]# chown root:samba-users /opt/Resources/Documents
[root@srv1 ~]# chown root:samba-users /opt/Resources/Software
[root@srv1 ~]# chown root:samba-users /opt/Resources/Others
[root@srv1 ~]# chmod 1770 /opt/Resources/Documents
[root@srv1 ~]# chmod 1770 /opt/Resources/Software
[root@srv1 ~]# chmod 1770 /opt/Resources/Others
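The scheme in Step-4 and Step-6 (a 0750 parent, 1770 sub-directories so that group members can write but delete only their own files) is easy to break with a stray chmod. The following Python audit is an added example, not part of the original post; it builds a constructed stand-in for /opt/Resources in a temporary directory and reports any directory that deviates from the scheme.

```python
import os
import stat
import tempfile

def audit_share_tree(root):
    """Check a share tree against the scheme above: the top directory is 0750
    (group may enter, others get nothing) and every sub-directory is 1770, i.e.
    group rwx with the sticky bit so that a member can create and edit files but
    delete only their own. Returns a list of findings; an empty list is clean."""
    findings = []
    top = stat.S_IMODE(os.stat(root).st_mode)
    if top != 0o750:
        findings.append(f"{root}: mode {top:04o}, expected 0750")
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            path = os.path.join(dirpath, d)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IWOTH:
                findings.append(f"{path}: world-writable ({mode:04o})")
            if mode & stat.S_IWGRP and not mode & stat.S_ISVTX:
                findings.append(f"{path}: group-writable without the sticky bit")
    return findings

def build_demo_tree(careless=True):
    """Constructed stand-in for /opt/Resources in a temporary directory, with
    Documents, Software and Others set as in Step-6. With careless=True the
    Others directory is left at 0777, the slip the audit is meant to catch."""
    root = tempfile.mkdtemp()
    for sub in ("Documents", "Software", "Others"):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o1770)
    if careless:
        os.chmod(os.path.join(root, "Others"), 0o777)
    os.chmod(root, 0o750)
    return root

if __name__ == "__main__":
    for finding in audit_share_tree(build_demo_tree()):
        print(finding)
```

Run it against the real tree with audit_share_tree("/opt/Resources") after applying the chmod commands above.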

Step-7: Now create an anonymously accessible directory with read & write permission so that anonymous users can access it

[root@srv1 ~]# mkdir /opt/Public
[root@srv1 ~]# groupadd anonymous-users
[root@srv1 ~]# useradd -g anonymous-users -d /opt/Public guest
[root@srv1 ~]# usermod -g anonymous-users -d /opt/Public nobody    # nobody already exists as a system account, so modify it instead of adding it
[root@srv1 ~]# chown root:anonymous-users /opt/Public/
[root@srv1 ~]# chmod 777 /opt/Public/

Step-8: Set a blank password for the anonymous users (press Enter at both prompts) so that they can access this folder without a password

[root@srv1 ~]# smbpasswd -a guest
[root@srv1 ~]# smbpasswd -a nobody

Server Configuration

Step-1: To configure Samba as a member server of the Windows domain controller, edit the smb.conf file as below

[root@srv1 ~]# vi /etc/samba/smb.conf

#==================== Global Settings ================
[global]
      workgroup = ALPHABD
      server string = Member Server
      netbios name = SRV1
      hosts allow = 127. 210.207.201.

# --------------------------- Logging Options -----------------------------

      log file = /var/log/samba/%m.log
      max log size = 50

# ----------------------- Domain Members Options ------------------------

      security = ADS
      passdb backend = tdbsam
      realm = ALPHABD.NET
      password server = *
      encrypt passwords = yes

# ----------------------- Browser Control Options ----------------------------

      local master = no
      os level = 33
      preferred master = no

#----------------------------- Name Resolution -------------------------------

      wins support = yes

# --------------------------- Printing Options -----------------------------

      printing = cups

#========================= Share Definitions =====================

[Resources]
      comment = All Resources for domain users
      path = /opt/Resources
      browseable = yes
      writable = yes
      valid users = root user1 user2 administrator
      public = no
      printable = no
      create mask = 0765
      write list = @samba-users
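Samba logs a misspelled parameter name as unknown and ignores it (testparm reports it too), and a name in valid users or write list that matches no account simply grants nobody access, so a typo can silently lock users out or leave a share open to more hosts than intended. The following Python check is an added example, not code from the post or from the Samba project; it parses a constructed copy of the smb.conf above (parameter names as originally written) against the accounts created in Step-2 and reports the mismatches.

```python
import re

# Global parameters this post's domain-member smb.conf uses; anything else
# in [global] is most likely a typo that Samba logs as an unknown parameter.
KNOWN_GLOBALS = {"workgroup", "server string", "netbios name", "hosts allow",
                 "log file", "max log size", "security", "passdb backend",
                 "realm", "password server", "encrypt passwords", "local master",
                 "os level", "preferred master", "wins support", "printing"}

def parse_smb_conf(text):
    """{section: {key: value}}; text before the first [section] is global, '#'/';' start comments."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def check_smb_conf(text, users, groups):
    """Findings: unknown globals, missing hosts allow, share ACL names with no matching account."""
    conf = parse_smb_conf(text)
    g = conf["global"]
    findings = [f"unknown global parameter '{k}'" for k in g if k not in KNOWN_GLOBALS]
    if "hosts allow" not in g:
        findings.append("no 'hosts allow': shares reachable from any network")
    for name, share in conf.items():
        for key in ("valid users", "write list"):
            for entry in share.get(key, "").split():
                known = groups if entry.startswith("@") else users  # @name is a group
                if entry.lstrip("@") not in known:
                    findings.append(f"[{name}] {key} names unknown '{entry}'")
    return findings
# Constructed sample: this post's smb.conf with parameter names exactly as
# written there, checked against the accounts the post creates in Step-2.
SAMPLE = """\
      netios name = SRV1
      hosts allow = 127. 210.207.201.
      encrypt password = yes
[Resources]
      valid users = root user1 admin
      write list = @samba-users @Administrator
"""
USERS, GROUPS = {"root", "user1", "user2", "administrator"}, {"samba-users", "anonymous-users"}
```

Call check_smb_conf(open("/etc/samba/smb.conf").read(), users, groups) with the account and group names from /etc/passwd and /etc/group to run it against a real file.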

Step-2: Configure Kerberos authentication on the member server (the samba server)

Kerberos is the ticket-based network authentication protocol that Active Directory relies on; the member server must be able to obtain Kerberos tickets from the domain controller before it can join the domain.

[root@srv1 ~]# vi /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ALPHABD.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 ALPHABD.NET = {
  kdc = wdc01.alphabd.net:88
  admin_server = wdc01.alphabd.net:749
  default_domain = alphabd.net
 }

[domain_realm]
 .alphabd.net = ALPHABD.NET
 alphabd.net = ALPHABD.NET

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Step-3: Adding Samba as a member server of a domain (Windows-based domain):

In order to join a member server to an Active Directory domain you have to complete the following tasks step by step:
  • Create a machine account for the member server on the domain controller.
  • Associate the member server with the Active Directory domain.

Create Machine Account:

To create the machine account & join the Windows 2003 Active Directory, Kerberos must be initialized for the member server. To obtain an administrative Kerberos ticket, type the following command as root on the member server:

[root@srv1 ~]# kinit Administrator@ALPHABD.NET

The kinit command is the Kerberos initialization tool; here it references the Active Directory Administrator account & the Kerberos realm. Since Active Directory requires Kerberos tickets, kinit obtains & caches a Kerberos ticket-granting ticket for client/server authentication.

To join the Active Directory domain, type the following command as root on the member server (srv1):

[root@srv1 ~]# net rpc join -U 'Administrator%<domain administrator password>'

Since the samba machine was automatically found in the corresponding Kerberos realm (the kinit command succeeded), the net command connects to the Active Directory server using the required administrator account & password. This creates the appropriate machine account in Active Directory & grants the Samba domain member server its place in the domain. With security = ADS, the Kerberos-based form of the same join is net ads join -U Administrator, which is what the ADS mode expects.

Note: Although it is possible for Samba to be a member of an Active Directory domain, Samba 3 cannot operate as an Active Directory domain controller itself.


Sharing & Accessing Samba Shares

Step-1: Accessing shared resources from a Windows machine:

Double click on My Network Places → Click “Entire Network” → Microsoft Windows Network → Double click on the ALPHABD icon → here you will see the Samba server & all Windows machines → Double click the Samba server → Double click your shared resource; you can now create, delete and copy/paste files.

You can also use your home directory as a network drive: double click on the My Computer icon → go to the Network Drives section → Double click the drive, then put your documents into it.

Step-2: Accessing shared resources by mounting a Linux share on a Windows machine:

Samba is a program which allows you to share your files between Linux and Windows. Your Samba share contains all of your Linux files. By mounting the Samba share on your Windows machine, you will be able to access your files across the operating systems.

Scenario:

Suppose you have some confidential files on a Windows machine that are not backed up by the department and are subject to being erased without notice. If your Windows machine crashes, you could permanently lose your files. Only files saved in your Samba share are backed up. Please make it a practice to keep your Windows files on your Samba share.

You must enable the right security protocol on the Windows machine. In order to mount Linux shares (such as \\samba, Z: drive) on a Windows XP system, you must force XP to use NTLMv2 session security as well as NTLM.

1. Select Start → Run, type “secpol.msc” and press Enter; or Start → Program → Administrative Tools → Local Security Policy.
2. Expand the Local Policies container → Security Options.
3. Locate “Network Security: LAN Manager authentication level” → Double click.
4. Change the setting from “Send LM & NTLM responses” to “Send LM & NTLM – use NTLMv2 session security if negotiated” → OK.
5. Open My Computer → Tools → Map Network Drive.
6. Click on the “Drive:” drop-down menu & choose a drive letter (Z:).
7. Click Browse → Select Entire Network → Microsoft Windows Network → Choose your workgroup/domain name → Select the Samba machine → Select the shared folder that you want to map → OK.
8. Make sure the “Reconnect at Logon” box is checked → Finish.
9. The Samba share should now be visible in “My Computer”.
Step-3: Sharing Windows resources so that you can access them from a Linux machine

You can also share many resources of a Windows machine for access from a Linux machine: a CD-ROM, DVD, floppy or hard disk drive installed on the Windows machine. In this section I'll show you how to share a CD-ROM drive from a Windows machine & how to access it from a Linux machine.

The Windows client machine should first be set up as a member of the Samba domain or workgroup. The next step is to share the CD-ROM drive. The steps depend on which version of Windows you have.

For Windows XP:
  1. Double click 'My Computer'
  2. Right click on the CD-ROM drive and choose 'Properties', then Sharing
  3. Set the Share Name to 'cdrom' and the appropriate access control
  4. Log out and log in again as normal using your current login

After you have completed this task, go on to the next step of testing your configuration.

Step-4: Mount the shared CD-ROM drive on the Linux machine and put a share definition in the smb.conf file so that it can be accessed from both Linux & all other Windows machines. To do this, follow the steps below.

[root@srv1 ~]# mkdir /opt/CDROM
[root@srv1 ~]# chown root:samba-users /opt/CDROM
[root@srv1 ~]# smbmount //<windows_IP_or_name>/<share_name> /opt/CDROM
OR
[root@srv1 ~]# mount -t smbfs //<windows_IP_or_name>/<share_name> /opt/CDROM

(smbfs has since been replaced by cifs; on current systems mount -t cifs is the supported equivalent.)

After that, mount the drive permanently so that the share is loaded on every restart.

[root@srv1 ~]# vi /etc/fstab

Then add this line, with the fields separated by spaces or tabs:

//windows_IP/Share_name    /opt/CDROM   smbfs    username=nobody  0 0

Now put a share definition for it into the share section of smb.conf.

From the Linux machine:

[root@srv1 ~]# smbclient -L Win_IP

Once connected to a share in an interactive smbclient session (as opposed to listing shares with -L) you can use commands such as dir, cd, put, get, pwd, ls, mget and q.

Testing the Samba Configuration File

To test the configuration file for syntax errors, use the “testparm” command. It will also list all settings currently in place, including defaults that may not appear in the configuration file, and it warns about unknown or misspelled parameter names.

[root@samba ~]# testparm -v

Testing Share Configuration:

Use the smbclient command to test your share. Substitute the name of your Windows client PC for "Client1", and in place of "user1" provide a valid workgroup/domain username that normally has access to the Windows client. You should get a listing of the client's shares when you enter that username's password:

[root@srv1 ~]# smbclient -L Client1 -U user1

6 comments:

  1. Hello There. I found your blog using msn. This is a really well written article. I will make sure to bookmark it and return to read more of your useful information. Thanks for the post. I will definitely comeback.
  4. I think that is not very wise to have samba user root! Samba can be security hole.