Configuring a Samba server

Samba

Introduction

Samba is a popular open source software package that provides Microsoft® Windows® file and print services to clients. You can configure your Samba server with Calculate Utilities, found in the sys-apps/calculate-server package. Calculate Utilities store and manage all user accounts, groups, and computers with OpenLDAP. All necessary software comes out of the box with Calculate Directory Server.

You can use any Calculate Linux Desktop (CLD, CLDC, CLDL, CLDM, or CLDX) as the Linux client. Various Windows operating systems can be used as Windows clients. Microsoft Windows no longer supports NT4 domains. However, with some modifications, you can still use the latest Windows operating systems with a Samba NT4 domain.

Server configuration

A Samba server is configured in several steps. Since all user and computer data are stored in LDAP, the first step is to configure the OpenLDAP server. Next, configure LDAP to store Linux user accounts; this is required to run Linux clients. After that, you can configure the Samba server itself.

LDAP server configuration

Configure the LDAP server according to the manual.

Samba configuration

Before setting up a Samba server, let us configure LDAP for storage of Unix user accounts. To do so, run:

cl-setup unix
 * ПРЕДУПРЕЖДЕНИЕ: Выполнение этой программы изменит конфигурационные файлы и базу данных сервиса LDAP.
 Если вы готовы продолжить выполнение программы, введите 'yes', если нет - 'no': yes

 * Добавлен ldif файл ...                                                                                        [ ok ]
 * Unix сервис сконфигурирован ...                                                                               [ ok ]

To configure your Samba server, please run:

cl-setup [options] samba
 * ПРЕДУПРЕЖДЕНИЕ: Выполнение этой программы изменит конфигурационные файлы Samba сервиса.
 Если вы готовы продолжить выполнение программы, введите 'yes', если нет - 'no': yes

 * Добавлен ldif файл ...                                                                                        [ ok ]
 * Запускается Samba ...                                                                                         [ ok ]
 * Пользователь client добавлен в Unix сервис
 * Пользователь client добавлен в Samba сервис
 * Пользователь admin добавлен в Unix сервис
 * Пользователь admin добавлен в Samba сервис
 * Samba сервис сконфигурирован ...                                                                              [ ok ]

You can specify netbios or workgroup as options.

  • -n name sets the NetBIOS name under which the Samba server will run. By default, it is set to the first component of the DNS host name.
  • -w workgroup is the name of the domain or NT workgroup for computers that will access this server.

Set the administrator password (user login admin):

cl-passwd --smb admin samba

Enter a new password:
Repeat the new password:
* Пароль пользователя admin Samba сервиса изменен

Note

The admin user is only used to add a Windows client computer to the domain. It has no home directory.

If you need a domain administrator to manage Windows computers, create a new user and add them to the Domain Admins domain group.

Here is an example of creating a domain administrator:

cl-useradd -p --gid "Domain Admins" -c "Domain Admin" d_admin samba
Новый SMB пароль:
Повторите новый SMB пароль:
* Пользователь d_admin добавлен в Unix сервис
* Пользователь d_admin добавлен в Samba сервис

Add and remove users

To work with users, use the CL equivalents of the standard Unix commands: cl-useradd, cl-userdel, cl-usermod, cl-passwd, cl-groupadd, cl-groupdel, cl-groupmod. Their syntax largely matches that of the system utilities of the same name.

Try adding the test user and giving them a password:

cl-useradd test samba
* Пользователь test добавлен в Unix сервис
* Пользователь test добавлен в Samba сервис
cl-passwd test samba
Новый пароль:
Повторите новый пароль:
* Пароль пользователя Unix сервиса изменен
* Пароль пользователя test Samba сервиса изменен

Privileges settings

Configuring file system access rights

To edit file permissions on the server, use ACLs (Access Control Lists). File permissions set this way restrict access to the same extent for both Windows and Linux clients. Files and directories you have no access to will not be displayed in the Samba volume.

Access permissions are applied to both files and directories. You can specify permissions for the file owner or a group.
While a Windows client recognizes only Samba groups, both Unix and Samba groups are displayed on Linux. Therefore, it is preferable to use Samba groups to differentiate access privileges.

For example, create a Samba manager group. To do so, run:

cl-groupadd manager samba
* Group 'manager' added to Samba service

To create the job Unix group, simply run:

cl-groupadd job unix
* Group 'job' added to Unix service

Setting permissions for Windows users

To edit additional privileges on Windows computers, such as the right to install programs or the right to leave a domain, use Samba groups.

Below is an example of granting domain administrator privileges to the test user:

cl-groupmod -a test 'Domain Admins' samba
 * Users added to group Domain Admins

Samba groups structure

Samba groups can be of the following types:

  • Domain groups (group type number 2)
  • Local groups (group type number 4)
  • Built-in groups (group type number 5)

Default groups:

  • Domain groups are global groups that operate in a domain.

    • Domain Admins for domain administrators (full access privileges inside the domain).
    • Domain Guests for domain guests (minimal privileges).
    • Domain Users for domain users.
    • Domain Computers for domain computers.
  • Local groups are groups operating locally on a given computer.
    There are no local groups.

  • Built-in groups are groups embedded in the system.

    • Administrators - Administrators (full privileges)
    • Account Operators are account operators. They create and manage groups and user account information, back up files and directories.
    • Backup Operators are archive operators. They backup and restore from backup, and also shut down the system.
    • Print Operators are print operators. They manage printers and backup.
    • Replicators are replicators. This group is used by the File Replication service on domain controllers.
    • System Operators are system operators. They handle system time setup, system shutdown, including remotely, backup and restoring from a backup, server locking and unlocking, hard disk format, network directories management, and also printers.

Here is how you create a domain test group. A domain group with group type number 2 is created by default.

cl-groupadd test samba
 * Group 'test' added to Samba service

For example, create a built-in group named Power Users to put together users with advanced privileges.

cl-groupadd -g 547 --rid 547 -t 5 'Power Users' samba
 * Группа 'Power Users' добавлена в Samba сервис

Where:

  • -g is the group ID, 547
  • --rid is the RID, which stands for relative ID, 547
  • -t is the group type, 5 (built-in group)

Adding Unix clients

To add Unix clients, set the password for the client service user:

cl-passwd --smb client samba
Новый пароль:
Повторите новый пароль:
* Пароль пользователя client Samba сервиса изменен

Run the following on the client computer:

cl-client DOMAIN
* Проверка DOMAIN на наличие доменных ресурсов ...                                                              [ ok ]
Пароль для ввода рабочей станции в домен:
* Samba ресурс [remote] подключен
* Применены шаблоны ввода в домен ...
* Компьютер настроен для работы в домене
* Компьютен добавлен в домен DOMAIN

Where DOMAIN is the network name or IP address of the server.

Adding Windows clients

Important

In Windows, activate the Administrator account by running the following:
net user Administrator /active:yes

Connecting a Windows 7 client

To connect a client running Windows 7, log in as the Administrator and create a text file named samba_7_2008_fix.reg, containing the following:

samba_7_2008_fix.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

Double-click the file to import it to the registry. Reboot to apply.

Now you have to add the computer to the Samba domain. To do so, go to the computer's Properties, and from there on to the Remote Access settings. Click on the "Change" button in the Computer Name tab.

Adding a Windows system in the Samba domain

Next, indicate that the computer belongs to the domain and enter its name:

Specifying the computer's name in the domain

Enter the name and password of a user created on the Samba server and belonging to the domain administrators group:

Authorizing the computer in the domain

The computer now belongs to the domain:

The computer has been successfully added to the domain

Adding a Windows 10 client

To connect a client running Windows 10, log in as the Administrator and use a text editor to create a text file named samba_7_2008_fix.reg with the following contents:

samba_7_2008_fix.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

Double-click the file to import it to the registry. Reboot to apply.

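Edit the /etc/samba/smb.conf configuration file, adding the following to the "global" section. This setting caps the server at the NT1 (SMB1) dialect, so it will not negotiate SMB2 or SMB3 with any client: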

/etc/samba/smb.conf

[global]
...
server max protocol = NT1
...

Now restart the Samba service:

/etc/init.d/samba restart
samba             | * samba -> stop: smbd ...                             [ ok ]
samba             | * samba -> stop: nmbd ...                             [ ok ]
samba             | * samba -> start: smbd ...                            [ ok ]
samba             | * samba -> start: nmbd ...                            [ ok ]
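
To confirm which dialect ceiling the [global] section actually sets, the check below reads an smb.conf file and reports it. This is an added example, not part of Calculate Utilities or Samba: the function names and the sample file are constructed, and it assumes the file uses no backslash line continuations.

```shell
#!/bin/sh
# Added example: report the SMB dialect ceiling set in [global] of smb.conf.
# Section and parameter names in smb.conf ignore case and internal whitespace.

# global_max_protocol FILE
# Prints the last value of "server max protocol" (or its synonym
# "max protocol") found in [global]; prints nothing if it is unset.
global_max_protocol() {
    awk '
        /^[ \t]*[#;]/ { next }                    # comment lines
        /^[ \t]*\[/ {                             # section header
            s = tolower($0); gsub(/[][ \t]/, "", s)
            in_global = (s == "global"); next
        }
        in_global && index($0, "=") {
            eq = index($0, "=")                   # only the first "=" counts
            name = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", name)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (name == "servermaxprotocol" || name == "maxprotocol") found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# smb1_ceiling FILE
# Returns 0 when the server cannot negotiate anything newer than SMB1.
smb1_ceiling() {
    case "$(global_max_protocol "$1" | tr '[:lower:]' '[:upper:]')" in
        NT1|LANMAN2|LANMAN1|COREPLUS|CORE) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configuration (not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   workgroup = CALCULATE
   ; server max protocol = SMB3
   Server Max Protocol = NT1
[share]
   max protocol = SMB2
EOF
if smb1_ceiling "$sample"; then
    echo "[global] max protocol: $(global_max_protocol "$sample") (SMB1 ceiling)"
fi
rm -f "$sample"
```

Run the functions against /etc/samba/smb.conf on each server to keep track of which hosts still carry the NT1 compatibility setting.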

Now you have to add the computer to the Samba domain. To do so, go to the computer's Properties, and from there on to the Remote Access settings. Click on the "Change" button in the Computer Name tab.

Adding a Windows system in the Samba domain

Next, indicate that the computer belongs to the domain and enter its name:

Specifying the computer's name in the domain

Enter the name and password of a user created on the Samba server and belonging to the domain administrators group:

Authorizing the computer in the domain

The computer now belongs to the domain:

The computer has been successfully added to the domain

Adding a Windows Server 2008 client

To connect a client running Windows 2008, log in as the Administrator and use a text editor to create a text file named samba_7_2008_fix.reg with the following contents:

samba_7_2008_fix.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

Double-click the file to import it to the registry. Reboot to apply.

Now you have to add the computer to the Samba domain. To do so, go to the computer's Properties, and from there on to the Remote Access settings. Click on the "Change" button in the Computer Name tab.

Adding a Windows system in the Samba domain

Next, indicate that the computer belongs to the domain and enter its name:

Specifying the computer's name in the domain

Enter the name and password of a user created on the Samba server and belonging to the domain administrators group:

Authorizing the computer in the domain

The computer now belongs to the domain:

The computer has been successfully added to the domain

Viewing information

To view information on server users and groups, use the cl-info tool. The service, either unix or samba, is passed as a parameter.

For instance, to view the list of Unix users, run:

cl-info -u unix
All LDAP users for Unix service
+------+--------+-----------------------------+------------------+---------------------+
| ID   | Login  | Full name                   | Primary group    | Home directory      |
+------+--------+-----------------------------+------------------+---------------------+
| 900  | client | Client unix workstation     | 900              | /dev/null           |
| 901  | admin  | Administrator samba service | 544              | /dev/null           |
| 1000 | user1  | Calculate user              | user1            | /home/user1         |
| 1001 | user2  | Calculate user              | user2            | /home/user2         |
+------+--------+-----------------------------+------------------+---------------------+
(4 lines)

To list Samba users, run:

cl-info -u samba
All LDAP users for Samba service
+--------+-----------------------------+--------------+----------+
| Login  | Full name                   | Blocked      | Password |
+--------+-----------------------------+--------------+----------+
| client | Client unix workstation     | No           | Yes      |
| admin  | Administrator samba service | No           | Yes      |
| user1  | Calculate user              | No           | Yes      |
| user2  | Calculate user              | No           | Yes      |
+--------+-----------------------------+--------------+----------+
(4 строк)

To view information on user1 in the Unix service, run:

cl-info -U user1 unix
Информация о пользователе user1 для сервиса Unix
+-----------------------+--------------------------+
| Поле                  | Значение                 |
+-----------------------+--------------------------+
| ID                    | 1000                     |
| Логин                 | user1                    |
| Полное имя            | Calculate user           |
| Заблокирован          | Нет                      |
| Видимый               | Да                       |
| Первичная группа      | user1                    |
| Дополнительные группы | user1                    |
|                       | group                    |
| Домашняя директория   | /home/user1              |
| Оболочка              | /bin/bash                |
| Пароль                | Да                       |
| Изменение пароля      | 25.09.2018               |
| Jabber ID             | user1@server.example.com |
| Почтовый адрес        | usr1@example.com         |
+-----------------------+--------------------------+
(14 строк)

To view information on user1 in the Samba service, run:

cl-info -U user1 samba
Информация о пользователе user1 для сервиса Samba
+-----------------------+------------------------------------------------------+
| Поле                  | Значение                                             |
+-----------------------+------------------------------------------------------+
| Логин                 | user1                                                |
| Полное имя            | Calculate user                                       |
| Заблокирован          | Нет                                                  |
| Пароль                | Да                                                   |
| Изменение пароля      | 25.09.2018                                           |
| Дополнительные группы | Нет                                                  |
| Домашняя директория   | /var/calculate/server-data/samba/home/user1          |
| Общая директория      | /var/calculate/server-data/samba/share               |
| Linux профиль         | /var/calculate/server-data/samba/profiles/unix/user1 |
| Windows профиль       | /var/calculate/server-data/samba/profiles/win/user1  |
| Windows logon         | /var/calculate/server-data/samba/netlogon/user1      |
+-----------------------+------------------------------------------------------+
(11 строк)

To list Unix groups, run:

cl-info -g unix
All LDAP groups for Unix service
+------------+--------------------+------+
| Group      | Full name          | GID  |
+------------+--------------------+------+
| maildomain | Default Mail Users | 1000 |
| user1      | Calculate group    | 1001 |
| user2      | Calculate group    | 1002 |
| group      | Calculate group    | 1003 |
+------------+--------------------+------+
(4 lines)

To list Samba groups, run:

cl-info -g samba
Все LDAP группы для сервиса Samba
+-------------------+-----+-------------------+
| Группа            | GID | Тип группы        |
+-------------------+-----+-------------------+
| System Operators  | 549 | встроенная группа |
| Print Operators   | 550 | встроенная группа |
| Domain Guests     | 514 | доменная группа   |
| Domain Admins     | 512 | доменная группа   |
| Account Operators | 548 | встроенная группа |
| Domain Users      | 513 | доменная группа   |
| Administrators    | 544 | встроенная группа |
| client            | 900 | доменная группа   |
| Backup Operators  | 551 | встроенная группа |
| Replicators       | 552 | встроенная группа |
| Domain Computers  | 515 | доменная группа   |
+-------------------+-----+-------------------+
(11 строк)

Example of a command to view information on the group named group in the Unix service:

cl-info -G group unix
+-----------------------+-----------------+
| Field                 | Value           |
+-----------------------+-----------------+
| Group                 | group           |
| Full name             | Calculate group |
| GID                   | 1003            |
| Users in group        | user1           |
|                       | user2           |
+-----------------------+-----------------+
(5 lines)

Example of a command to view information on the Domain Users group in the Samba service:

cl-info -G 'Domain Users' samba
Information on Domain Users group for Samba service
+-----------------------+-----------------+
| Field                 | Value           |
+-----------------------+-----------------+
| Group                 | Domain Users    |
| Full name             | Domain Users    |
| GID                   | 513             |
| Group type            | domain group    |
| Users in group        | No              |
+-----------------------+-----------------+
(5 lines)
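
The cl-info -G table can also be used to review who holds privileged group membership, for instance in Domain Admins. The script below is an added example, not part of Calculate Utilities: it parses the English-language table layout shown above (including continuation rows and the "No" placeholder for an empty group), and the sample output and allow-list are constructed from the d_admin and test users created earlier on this page.

```shell
#!/bin/sh
# Added example: list group members from `cl-info -G GROUP SERVICE` output
# and report the ones that are not on an expected list.

# group_members: reads the table on stdin, prints one member per line.
group_members() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF < 4 { in_users = 0; next }       # borders, title, "(N lines)"
        {
            field = trim($2); value = trim($3)
            if (field == "Users in group") {
                in_users = 1
                if (value == "No") next     # placeholder for an empty group
            } else if (field != "") {
                in_users = 0                # any other labelled row ends the list
            }
            if (in_users && value != "") print value
        }
    '
}

# unexpected_members ALLOWED...: prints stdin names that are not in ALLOWED.
unexpected_members() {
    while IFS= read -r m; do
        ok=0
        for a in "$@"; do
            if [ "$m" = "$a" ]; then ok=1; fi
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$m"
    done
}

# Constructed sample of `cl-info -G 'Domain Admins' samba` output.
sample_output() {
    cat <<'EOF'
Information on Domain Admins group for Samba service
+-----------------------+-----------------+
| Field                 | Value           |
+-----------------------+-----------------+
| Group                 | Domain Admins   |
| GID                   | 512             |
| Group type            | domain group    |
| Users in group        | d_admin         |
|                       | test            |
+-----------------------+-----------------+
EOF
}

# Only d_admin is expected here, so the script reports: test
sample_output | group_members | unexpected_members d_admin
```

On a live server, replace sample_output with the real command, for example cl-info -G 'Domain Admins' samba | group_members | unexpected_members d_admin.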