Deploying Suse Linux Enterprise Server
 |
Purchase "Deploying Suse Linux Enterprise Server" at Lulu.com |
Configuring the Samba Server
- Introduction & Samba Configuration
- Samba Server Roles & Backends
- Users, Groups & Computer Accounts
- Samba Shares
- Sharing Printers through Samba
- Additional Domain Controller Functions
- Relevant Samba Parameter Reference
Samba Server Roles
Samba can be configured in a variety of ways depending upon your network configuration and what role you want Samba to play within your network (i.e. Standalone Server, Primary Domain Controller, Secondary Domain Controller, etc) . With SLES, when you first launch the Yast Samba Server module it will first scan your networks for available Domains/Workgroups, then it will ask which type of network server you want to setup.
Samba Installation Wizard: Configuring Workgroup name and Server Type
On the first screen, if you are creating a new Domain or Workgroup go ahead and change the name to whatever you want it to be. If you are creating a Backup Domain Controller, ensure you select the correct Domain and when you hit next it will give you a prompt to join the domain (it will create a computer account in the Domain).
If you are not using Suse Linux Enterprise Server, you can add the following to your /etc/samba/smb.conf file to get the same configuration:
Standalone Server
domain logons = No domain master = No security = user
Primary Domain Controller
domain logons = Yes domain master = Yes local master = Yes os level = 65 preferred master = Yes security = user
Secondary Domain Controller
domain logons = Yes domain master = No security = user
Note: There are other configuration options that can be used, the ones listed here are the most "popular" types for file servers. If you need to configure share-level security or use an existing domain or Active Directory Server for user access check the documentation at Samba's Web Site.
Samba Backends
Since Samba's job is basically to allow Windows Clients to access Unix/Linux Resources (among other things) and Windows Resources (user accounts, group accounts, etc.) are different than Unix's, Samba needs to have a "Database" that it can use to maintain and "map" these differences together. This "Database" is referred to as a Backend. Samba can use several different types of Backends, the ones I will cover here are a simple text file, a tdbsam database (specifically created for Samba) and an LDAP Database. There are other databases that can be used as Samba Backends, such as MySQL and Novell's eDirectory, but I will not cover them here.
smbpasswd - This backend is a simple text file that basically only stores user accounts and passwords. You should only use this backend on standalone servers that only require a very basic setup.
tdbsam - This backend is a database created for Samba. It holds all of the account information necessary for Samba to act as a Domain Controller. This backend is usually used for sites with a Single Samba Domain Controller, thus should be limited to smaller networks (less than 250 computers).
ldapsam - This backend allows you to store all of the account information into an LDAP database. This gives you the ability to replicate this information to other servers, as well as allow you to create Backup Domain Controllers for your network. Another side benefit of this backend is the fact that both the Unix/Linux Account information and the Windows Account information are stored in the same location.
With Suse Linux Enterprise Server you set the Samba Backend using the Samba Server Yast Module. The setting is under the Advanced Settings drop-down menu located under the Identity Tab.
Accessing the User Information Sources page through the Identity Tab
At the User Information Sources Page you can remove the current backend and add the one you want to use. There are a few things to note here: Once you set your backend, do not remove or change the backend or you will lose all of the Windows Account Information that you have created. For instance, if you decide down the road that you want to utilize the ldapsam backend instead of the tdbsam backend, the data you already have (the user accounts, group mappings, etc.) will not be automatically transferred over - you will have to recreate them. Also, you can no longer use 2 backends at the same time, Samba will error out if you do.
If you decide to use the ldapsam backend you will need to configure it to talk to the server correctly. The Samba Server Yast Module now has a separate tab that allows you to fine tune this backend. When using this tab you will soon notice that every time you open the tab, you cannot leave the tab unless you (re)enter the LDAP Password. This password is needed to ensure that Samba can write to the LDAP store. This was changed primarily because with previous versions of SLES many people forgot to enter this password, thus samba would not work correctly with the administrator wondering why (until they checked the logs). Also note that if you want the Unix and Windows password to be the same for your users, you will want to change "Synchronize Passwords" to "yes" under the advanced LDAP settings.
The Samba Server Yast Module LDAP Settings Pages
When using the LDAP Settings tab you will soon notice that every time you open the tab you cannot leave the tab unless you (re)enter the LDAP Password. This password is needed to ensure that Samba can write to the LDAP store. This was changed primarily because with previous versions of SLES many people forgot to enter this password, thus samba would not work correctly with the Admin wondering why (until they checked the logs). Also note that if you want the Unix and Windows password to be the same for your users, you will want to change "Syncronize Passwords" to "yes" under the advanced LDAP settings.
Whenever you change the Samba Backend and you finish with Samba Server module it will ask you to create the Administrator password. This is the password for the "root" user, which is used for Administrative functions, such as adding computers to the Domain, changing User Passwords, etc. Later on I will show you how you can specify additional groups to have these privileges.
Manually Setting the Backend
If you are not using Suse Linux Enterprise Server or if you simply want to manually set the Backend, add these to your smb.conf file:
smbpasswd: passdb backend = smbpasswd
tdbsam: passdb backend = tdbsam
Be sure to run "smbpasswd -a root" to ensure you (re)create the Admin Account
ldapsam: - note that using this on a GNU/Linux Distro other than SLES requires quite a bit of work to setup LDAP properly, as well as prepped to be used with Samba. Your Mileage May Vary.
passdb backend = ldapsam:ldap://localhost ldap admin dn = cn=Administrator,dc=private,dc=lan ldap group suffix = ou=group ldap idmap suffix = ou=Idmap ldap machine suffix = ou=Machines ldap suffix = dc=private,dc=lan ldap user suffix = ou=people idmap backend = ldap:ldap://localhost ldap passwd sync = Yes
WINS Server Support
When configuring Microsoft Windows networks, there are multiple ways that the clients receive it's name resolution. Most newer Windows clients use DNS for their name resolution lookups. Older Windows Clients use what is called WINS. This is a database that Microsoft Windows Servers maintain consisting of the names/addresses of all the connected Windows Clients.
Samba can be configured to be a WINS Server, as well as be configured to utilize an existing WINS Server. However, be warned that if you inadvertantly take over the WINS Server role on a network with an existing WINS Server you will most likely run into problems.
To enable WINS Server support on your Samba server, include the following within the Global Section of your smb.conf file:
wins support = yes
If you wish to utilize another WINS Server for name resolution, enter the following within the Global Section of your smb.conf file:
wins support = no wins server = 10.0.0.251 (IP Address of the WINS Server)
Note - If you are having troubles with newer Windows versions "talking" to older Windows versions, ensure that you enter the WINS Server address in the network configuration of the newer clients. Also note that if you change IP Addresses on your network, you must flush the WINS databases on your Samba server, they are usually located at /var/lib/samba/wins.*
|
Purchase "Deploying Suse Linux Enterprise Server" at Lulu.com |
