Deploying Suse Linux Enterprise Server

Purchase "Deploying Suse Linux Enterprise Server"
at Lulu.com

Configuring the Samba Server

Samba Server Roles

Samba can be configured in a variety of ways depending upon your network configuration and what role you want Samba to play within your network (i.e. Standalone Server, Primary Domain Controller, Secondary Domain Controller, etc) . With SLES, when you first launch the Yast Samba Server module it will first scan your networks for available Domains/Workgroups, then it will ask which type of network server you want to setup.

Samba Installation Wizard: Configuring Workgroup name and Server Type

On the first screen, if you are creating a new Domain or Workgroup go ahead and change the name to whatever you want it to be. If you are creating a Backup Domain Controller, ensure you select the correct Domain and when you hit next it will give you a prompt to join the domain (it will create a computer account in the Domain).

If you are not using Suse Linux Enterprise Server, you can add the following to your /etc/samba/smb.conf file to get the same configuration:

Standalone Server

	domain logons = No
	domain master = No
	security = user

Primary Domain Controller

	domain logons = Yes
	domain master = Yes
	local master = Yes
	os level = 65
	preferred master = Yes
	security = user

Secondary Domain Controller

	domain logons = Yes
	domain master = No
	security = user

Note: There are other configuration options that can be used, the ones listed here are the most "popular" types for file servers. If you need to configure share-level security or use an existing domain or Active Directory Server for user access check the documentation at Samba's Web Site.

Samba Backends

Since Samba's job is basically to allow Windows Clients to access Unix/Linux Resources (among other things) and Windows Resources (user accounts, group accounts, etc.) are different than Unix's, Samba needs to have a "Database" that it can use to maintain and "map" these differences together. This "Database" is referred to as a Backend. Samba can use several different types of Backends, the ones I will cover here are a simple text file, a tdbsam database (specifically created for Samba) and an LDAP Database. There are other databases that can be used as Samba Backends, such as MySQL and Novell's eDirectory, but I will not cover them here.

smbpasswd - This backend is a simple text file that basically only stores user accounts and passwords. You should only use this backend on standalone servers that only require a very basic setup.

tdbsam - This backend is a database created for Samba. It holds all of the account information necessary for Samba to act as a Domain Controller. This backend is usually used for sites with a Single Samba Domain Controller, thus should be limited to smaller networks (less than 250 computers).

ldapsam - This backend allows you to store all of the account information into an LDAP database. This gives you the ability to replicate this information to other servers, as well as allow you to create Backup Domain Controllers for your network. Another side benefit of this backend is the fact that both the Unix/Linux Account information and the Windows Account information are stored in the same location.

With Suse Linux Enterprise Server you set the Samba Backend using the Samba Server Yast Module. The setting is under the Advanced Settings drop-down menu located under the Identity Tab.

Accessing the User Information Sources page through the Identity Tab

At the User Information Sources Page you can remove the current backend and add the one you want to use. There are a few things to note here: Once you set your backend, do not remove or change the backend or you will lose all of the Windows Account Information that you have created. For instance, if you decide down the road that you want to utilize the ldapsam backend instead of the tdbsam backend, the data you already have (the user accounts, group mappings, etc.) will not be automatically transferred over - you will have to recreate them. Also, you can no longer use 2 backends at the same time, Samba will error out if you do.

If you decide to use the ldapsam backend you will need to configure it to talk to the server correctly. The Samba Server Yast Module now has a separate tab that allows you to fine tune this backend. When using this tab you will soon notice that every time you open the tab, you cannot leave the tab unless you (re)enter the LDAP Password. This password is needed to ensure that Samba can write to the LDAP store. This was changed primarily because with previous versions of SLES many people forgot to enter this password, thus samba would not work correctly with the administrator wondering why (until they checked the logs). Also note that if you want the Unix and Windows password to be the same for your users, you will want to change "Synchronize Passwords" to "yes" under the advanced LDAP settings.

The Samba Server Yast Module LDAP Settings Pages

When using the LDAP Settings tab you will soon notice that every time you open the tab you cannot leave the tab unless you (re)enter the LDAP Password. This password is needed to ensure that Samba can write to the LDAP store. This was changed primarily because with previous versions of SLES many people forgot to enter this password, thus samba would not work correctly with the Admin wondering why (until they checked the logs). Also note that if you want the Unix and Windows password to be the same for your users, you will want to change "Syncronize Passwords" to "yes" under the advanced LDAP settings.

Whenever you change the Samba Backend and you finish with Samba Server module it will ask you to create the Administrator password. This is the password for the "root" user, which is used for Administrative functions, such as adding computers to the Domain, changing User Passwords, etc. Later on I will show you how you can specify additional groups to have these privileges.

Manually Setting the Backend

If you are not using Suse Linux Enterprise Server or if you simply want to manually set the Backend, add these to your smb.conf file:

smbpasswd: passdb backend = smbpasswd

tdbsam: passdb backend = tdbsam
Be sure to run "smbpasswd -a root" to ensure you (re)create the Admin Account

ldapsam: - note that using this on a GNU/Linux Distro other than SLES requires quite a bit of work to setup LDAP properly, as well as prepped to be used with Samba. Your Mileage May Vary.

	passdb backend = ldapsam:ldap://localhost
	ldap admin dn = cn=Administrator,dc=private,dc=lan
	ldap group suffix = ou=group
	ldap idmap suffix = ou=Idmap
	ldap machine suffix = ou=Machines
	ldap suffix = dc=private,dc=lan
	ldap user suffix = ou=people
	idmap backend = ldap:ldap://localhost
	ldap passwd sync = Yes

WINS Server Support

When configuring Microsoft Windows networks, there are multiple ways that the clients receive it's name resolution. Most newer Windows clients use DNS for their name resolution lookups. Older Windows Clients use what is called WINS. This is a database that Microsoft Windows Servers maintain consisting of the names/addresses of all the connected Windows Clients.

Samba can be configured to be a WINS Server, as well as be configured to utilize an existing WINS Server. However, be warned that if you inadvertantly take over the WINS Server role on a network with an existing WINS Server you will most likely run into problems.

To enable WINS Server support on your Samba server, include the following within the Global Section of your smb.conf file:

	wins support = yes

If you wish to utilize another WINS Server for name resolution, enter the following within the Global Section of your smb.conf file:

	wins support = no
	wins server = 10.0.0.251 (IP Address of the WINS Server)

Note - If you are having troubles with newer Windows versions "talking" to older Windows versions, ensure that you enter the WINS Server address in the network configuration of the newer clients. Also note that if you change IP Addresses on your network, you must flush the WINS databases on your Samba server, they are usually located at /var/lib/samba/wins.*

Purchase "Deploying Suse Linux Enterprise Server"
at Lulu.com