Configuring a Samba server

Updated 8 March 2019


Introduction

Samba is a popular open source software package that provides Microsoft® Windows® file and print services to clients. You can configure your Samba server with Calculate Utilities, found in the sys-apps/calculate-server package. The utilities use an OpenLDAP server to store and manage user, group, and machine accounts. All necessary software comes out of the box in Calculate Directory Server.

You can use any Calculate Linux Desktop as the Linux client (CLD, CLDC, CLDL, CLDM, or else CLDX). Different Windows operating systems can be used as Windows clients. Microsoft Windows does not support NT4 domains any more. However, with some modifications, you can still use the latest Windows operating systems with a Samba NT4 domain.

Server configuration

The Samba server is configured in several stages. Since all user and machine data is stored in LDAP, you must first configure the OpenLDAP server, and then configure LDAP to store Linux user accounts. You need this to run Linux clients. After that, you can configure the Samba server.

LDAP server configuration

Configure the LDAP server as described in the manual.

Samba configuration

Before setting up a Samba server, let us configure LDAP for storage of Unix user accounts. To do so, run:

cl-setup unix
 * WARNING: Running this program will modify the configuration files and the LDAP database. If you want to continue, enter 'yes', else enter 'no': yes

 * Added ldif file ...                                                                                        [ ok ]
 * Unix service configured ...                                                                               [ ok ]

To configure your Samba server, please run:

cl-setup [options] samba
 * WARNING: Running this program will modify the configuration files and the LDAP database. If you want to continue, enter 'yes', else enter 'no': yes

 * Added ldif file ...                                                                                        [ ok ]
 * Starting Samba ...                                                                                         [ ok ]
 * User client added to Unix service
 * User client added to Samba service
 * User admin added to Unix service
 * User admin added to Samba service
 * Samba service configured ...                                                                              [ ok ]

You can specify the NetBIOS name or the workgroup as options.

  • -n name sets the NetBIOS name under which the Samba server will operate. By default, it is set to the first component of the host's DNS name.
  • -w workgroup is the name of the domain or NT workgroup for computers that will access this server.

Set the administrator password (user login admin):

cl-passwd --smb admin samba

Enter a new password:
Repeat the new password:
* Password of user admin of Samba service modified

Note

admin is only used to add a Windows client computer to the domain. Admin has no home directory.

If you need a domain administrator to manage Windows computers, create a new user and add them to the Domain Admins domain group.

Here is an example of creating a domain administrator:

cl-useradd -p --gid "Domain Admins" -c "Domain Admin" d_admin samba
New SMB password:
Repeat SMB password:
* User d_admin added to Unix service
* User d_admin added to Samba service

Add and remove users

To manage users, use the counterparts of the standard Unix commands: cl-useradd, cl-userdel, cl-usermod, cl-passwd, cl-groupadd, cl-groupdel, cl-groupmod. Their syntax largely coincides with that of the system utilities of the same name.

Try adding the test user and give them a password:

cl-useradd test samba
* User test added to Unix service
* User test added to Samba service
cl-passwd test samba
New password:
Repeat new password:
* Password of user of Unix service modified
* Password of user test of Samba service modified

Privileges settings

Configuring file system access rights

To edit file permissions on the server, use ACL (Access Control List). By changing file permissions, you restrict access to the files equally for Windows and Linux clients. The files and directories you have no access to will not be displayed in the Samba volume.

Access permissions are applied to both files and directories. You can specify permissions for the file owner or a group.
While a Windows client will recognize only Samba groups, Linux will display the names of both Unix and Samba groups. Therefore, Samba groups are preferable for access control.

For example, let us create the Samba group manager:

cl-groupadd manager samba
* Group 'manager' added to Samba service

To create the Unix group job, simply run:

cl-groupadd job unix
* Group 'job' added to Unix service

Configuring access rights for users of Windows computers

To edit additional privileges for Windows computers, such as the right to install programs or the right to exit a domain, use Samba groups.

Below is an example of giving domain administrator's privileges to the test user:

cl-groupmod -a test 'Domain Admins' samba
 * Users added to group Domain Admins

Samba group structure

Samba groups can be of the following types:

  • Domain groups (group type number 2)
  • Local groups (group type number 4)
  • Built-in groups (group type number 5)

Default groups:

  • Domain groups are global groups that are valid across the domain.

    • Domain Admins for domain administrators (full access privileges inside the domain).
    • Domain Guests for domain guests (minimal privileges).
    • Domain Users for domain users.
    • Domain Computers for domain computers.
  • Local groups are groups that are valid locally on the given computer.
    There are no local groups.

  • Built-in groups are groups embedded in the system.

    • Administrators - Administrators (full privileges)
    • Account Operators are account operators. They create and manage groups and user account information, back up files and directories.
    • Backup Operators are archive operators. They back up and restore from backup, and also shut down the system.
    • Print Operators are print operators. They manage printers and backup.
    • Replicators are replicators. This group is used by the File Replication service on domain controllers.
    • System Operators are system operators. They handle system time setup, system shutdown, including remotely, backup and restoring from a backup, server locking and unlocking, hard disk format, network directories management, and also printers.

Here is how you create a domain test group. A domain group with group type number 2 is created by default.

cl-groupadd test samba
 * Group 'test' added to Samba service

For example, create a built-in group, named Power Users, to put together users with advanced privileges.

cl-groupadd -g 547 --rid 547 -t 5 'Power Users' samba
 * Group 'Power Users' added to Samba service

Where:

  • -g is the group ID, 547
  • --rid is the RID, which stands for relative ID, 547
  • -t is the group type, 5 (built-in group)

Connecting Unix clients

To connect Unix clients, set a password for the service user client:

cl-passwd --smb client samba
New password:
Repeat new password:
* Password of user client of Samba service modified

Run the following on the client computer:

cl-client DOMAIN
* Check DOMAIN for domain locations ... [ok]
Password to add the workstation to the domain: 
* Samba location [remote] connected 
* Templates for joining the domain applied ... 
* The computer has been configured to work in the domain 
* Computer added to DOMAIN domain

where DOMAIN is the network name or IP address of the server.

Connecting Windows clients

Important

In Windows, activate the Admin account by running the following:
net user Administrator /active:yes

Connecting a Windows 7 client

To connect a client running Windows 7, log in as the Administrator and use a text editor to create a text file named samba_7_2008_fix.reg with the following contents:

samba_7_2008_fix.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

Double-click the file to import it to the registry. Reboot to apply.

Now you need to join the computer to the Samba domain. To do so, go to the computer's Properties, and from there on to the Remote Access settings. Click on the "Change" button in the Computer Name tab.

Adding a Windows system in the Samba domain

Next, specify that the computer is a member of a domain, and enter its name:

Specifying domain name of a computer

Enter the name and password of a user created on the Samba server who belongs to the domain administrators group:

Authenticate computer in the domain

The computer now belongs to the domain:

Adding computer to the domain

Adding a Windows 10 client

To connect a client using Windows 10, log in as the Administrator and create a text file named samba_7_2008_fix.reg, containing the following:

samba_7_2008_fix.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

Double-click the file to import it to the registry. Reboot to apply.

Edit the /etc/samba/smb.conf configuration file, adding the following to the "global" section:

/etc/samba/smb.conf

[global]
...
server max protocol = NT1
...

After that, restart the samba service:

/etc/init.d/samba restart
samba             | * samba -> stop: smbd ...                             [ ok ]
samba             | * samba -> stop: nmbd ...                             [ ok ]
samba             | * samba -> start: smbd ...                            [ ok ]
samba             | * samba -> start: nmbd ...                            [ ok ]

Now you need to join the computer to the Samba domain. To do so, go to the computer's Properties, and from there on to the Remote Access settings. Click on the "Change" button in the Computer Name tab.

Adding a Windows system in the Samba domain

Next, specify that the computer is a member of a domain, and enter its name:

Specifying domain name of a computer

Enter the name and password of a user created on the Samba server who belongs to the domain administrators group:

Authenticate computer in the domain

The computer now belongs to the domain:

Adding computer to the domain
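
An added example, not part of the original page or of Calculate's tooling: server max protocol is a [global] setting, so NT1 caps the highest dialect the server negotiates at SMB1 for every client, not only the Windows 10 machine being joined. The shell sketch below reads the effective value from an smb.conf-style file so the setting can be tracked during a configuration review; the function names and the sample file are constructed for illustration.

```sh
# Added example (not Calculate's or Samba's own tooling).
# global_param FILE NAME: print the last value assigned to NAME in [global].
# Per smb.conf(5), section and parameter names are case-insensitive and
# whitespace inside them is irrelevant, so both are normalised before comparing.
global_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want = norm(want) }
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # section header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            in_global = (norm(sec) == "global")
            next
        }
        in_global && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (norm(name) == want) found = val      # last assignment wins
        }
        END { if (found != "") print found }
    ' "$1"
}

# max_protocol_finding FILE: one-line finding for "server max protocol".
max_protocol_finding() {
    value=$(global_param "$1" "server max protocol")
    case $(printf '%s' "$value" | tr '[:lower:]' '[:upper:]') in
        "") echo "unset: Samba's built-in default applies" ;;
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1)
            echo "SMB1-only: max protocol is $value" ;;
        *)  echo "ok: max protocol is $value" ;;
    esac
}

# Constructed sample file; the workgroup name is a placeholder.
sample_conf() {
    cat <<'EOF'
[global]
   workgroup = EXAMPLE
   # server max protocol = SMB3
   Server Max Protocol = NT1
[share]
   path = /var/calculate/server-data/samba/share
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
max_protocol_finding "$tmp"     # prints: SMB1-only: max protocol is NT1
rm -f "$tmp"
```

On the server, run max_protocol_finding /etc/samba/smb.conf after each configuration change.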

Adding a Windows Server 2008 client

To connect a client using Windows 2008, log in as the Administrator and create a text file named samba_7_2008_fix.reg, containing the following:

samba_7_2008_fix.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

Double-click the file to import it to the registry. Reboot to apply.

Now you need to join the computer to the Samba domain. To do so, go to the computer's Properties, and from there on to the Remote Access settings. Click on the "Change" button in the Computer Name tab.

Adding a Windows system in the Samba domain

Next, specify that the computer is a member of a domain, and enter its name:

Specifying domain name of a computer

Enter the name and password of a user created on the Samba server who belongs to the domain administrators group:

Authenticate computer in the domain

The computer now belongs to the domain:

Adding computer to the domain

Viewing information

To view information on server users and groups, use the cl-info tool. The service parameter can be either unix or samba.

For instance, to view the list of Unix users, run:

cl-info -u unix
All LDAP users for Unix service
+------+--------+-----------------------------+------------------+---------------------+
| ID   | Login  | Full name                   | Primary group    | Home directory      |
+------+--------+-----------------------------+------------------+---------------------+
| 900  | client | Client unix workstation     | 900              | /dev/null           |
| 901  | admin  | Administrator samba service | 544              | /dev/null           |
| 1000 | user1  | Calculate user              | user1            | /home/user1         |
| 1001 | user2  | Calculate user              | user2            | /home/user2         |
+------+--------+-----------------------------+------------------+---------------------+
(4 lines)

To list Samba users, run:

cl-info -u samba
All LDAP users for service Samba
+--------+-----------------------------+---------+----------+
| Login  | Full name                   | Blocked | Password |
+--------+-----------------------------+---------+----------+
| client | Client unix workstation     | No      | Yes      |
| admin  | Administrator samba service | No      | Yes      |
| user1  | Calculate user              | No      | Yes      |
| user2  | Calculate user              | No      | Yes      |
+--------+-----------------------------+---------+----------+
(4 строк)

To view information on user1, who uses a Unix service, run:

cl-info -U user1 unix
Information on user user1 for service Unix
+-----------------------+--------------------------+
| Field                 | Value                    |
+-----------------------+--------------------------+
| ID                    | 1000                     |
| Login                 | user1                    |
| Full name             | Calculate user           |
| Blocked               | No                       |
| Shown                 | Yes                      |
| Primary group         | user1                    |
| Additional groups     | user1                    |
|                       | group                    |
| Home directory        | /home/user1              |
| Shell                 | /bin/bash                |
| Password              | Yes                      |
| Password modified     | 25.09.2018               |
| Jabber ID             | user1@server.example.com |
| Email                 | usr1@example.com         |
+-----------------------+--------------------------+
(14 lines)

To view information on user1, who uses a Samba service:

cl-info -U user1 samba
Информация о пользователе user1 для сервиса Samba
+-----------------------+------------------------------------------------------+
| Field                 | Value                                                |
+-----------------------+------------------------------------------------------+
| Login                 | user1                                                |
| Full name             | Calculate user                                       |
| Blocked               | No                                                   |
| Password              | Yes                                                  |
| Password modified     | 25.09.2018                                           |
| Additional groups     | No                                                   |
| Home directory        | /var/calculate/server-data/samba/home/user1          |
| Shared directory      | /var/calculate/server-data/samba/share               |
| Linux profile         | /var/calculate/server-data/samba/profiles/unix/user1 |
| Windows profile       | /var/calculate/server-data/samba/profiles/win/user1  |
| Windows logon         | /var/calculate/server-data/samba/netlogon/user1      |
+-----------------------+------------------------------------------------------+
(11 lines)

For instance, to list Unix groups, run:

cl-info -g unix
All LDAP groups for Unix service
+------------+--------------------+------+
| Group      | Full name          | GID  |
+------------+--------------------+------+
| maildomain | Default Mail Users | 1000 |
| user1      | Calculate group    | 1001 |
| user2      | Calculate group    | 1002 |
| group      | Calculate group    | 1003 |
+------------+--------------------+------+
(4 lines)

To list Samba groups, run:

cl-info -g samba
All LDAP groups for service Samba
+-------------------+-----+-------------------+
| Group             | GID | Group Type        |
+-------------------+-----+-------------------+
| System Operators  | 549 | built-in group    |
| Print Operators   | 550 | built-in group    |
| Domain Guests     | 514 | domain group      |
| Domain Admins     | 512 | domain group      |
| Account Operators | 548 | built-in group    |
| Domain Users      | 513 | domain group      |
| Administrators    | 544 | built-in group    |
| client            | 900 | domain group      |
| Backup Operators  | 551 | built-in group    |
| Replicators       | 552 | built-in group    |
| Domain Computers  | 515 | domain group      |
+-------------------+-----+-------------------+
(11 lines)

For example, here is a command to view information about the group group of the Unix service:

cl-info -G group unix
+-----------------------+-----------------+
| Field                 | Value           |
+-----------------------+-----------------+
| Group                 | group           |
| Full name             | Calculate group |
| GID                   | 1003            |
| Users in group        | user1           |
|                       | user2           |
+-----------------------+-----------------+
(5 lines)

For example, here is a command to view information about the Domain Users group of the Samba service:

cl-info -G 'Domain Users' samba
Information on Domain Users group for Samba service
+-----------------------+-----------------+
| Field                 | Value           |
+-----------------------+-----------------+
| Group                 | Domain Users    |
| Full name             | Domain Users    |
| GID                   | 513             |
| Group type            | domain group    |
| Users in group        | No              |
+-----------------------+-----------------+
(5 lines)
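
An added example, not from the original page: because Domain Admins carries full access privileges inside the domain, the cl-info -G listing can be checked against a list of expected administrators. The shell sketch below assumes the English table layout shown above, where continuation rows leave the Field column blank and No marks an empty group; the function names and the sample listing are constructed.

```sh
# Added example (not part of Calculate Utilities).
# group_members: read `cl-info -G GROUP SERVICE` output on stdin and print
# one member per line. Assumes the table layout shown on this page.
group_members() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        NF >= 3 {                                  # table rows only, not borders
            field = trim($2); value = trim($3)
            if (field != "") current = field       # blank field = continuation row
            if (current == "Users in group" && value != "" && value != "No")
                print value                        # "No" marks an empty group
        }
    '
}

# unexpected_members ALLOWED...: read the same listing on stdin and print
# every member that is not named in the allowlist given as arguments.
unexpected_members() {
    allowed=" $* "
    group_members | while IFS= read -r user; do
        case $allowed in
            *" $user "*) ;;                        # expected administrator
            *) echo "$user" ;;
        esac
    done
}

# Constructed listing in the page's format: d_admin and test are the two
# accounts the page adds to Domain Admins.
sample_listing() {
    cat <<'EOF'
Information on Domain Admins group for Samba service
+-----------------------+-----------------+
| Field                 | Value           |
+-----------------------+-----------------+
| Group                 | Domain Admins   |
| Full name             | Domain Admins   |
| GID                   | 512             |
| Group type            | domain group    |
| Users in group        | d_admin         |
|                       | test            |
+-----------------------+-----------------+
(6 lines)
EOF
}

sample_listing | unexpected_members d_admin    # prints: test
```

On a live server the same check reads cl-info -G 'Domain Admins' samba | unexpected_members d_admin.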