Mike Petersen
Network Admin, Technical Writer, Programmer, GNU/Linux Fan, etc.
Deploying Suse Linux Enterprise Server


Purchase "Deploying Suse Linux Enterprise Server"
at Lulu.com

Configuring the Samba Server

User Accounts

Now that you have a Samba Backend configured you can start populating it with data for your network. As you start adding entries, keep in mind that Samba simply allows Windows Clients access to your Unix/Linux resources. So, do not try to "add" a Windows Group without having a Unix Group already present (or automatically created at the same time).

SLES LDAP User Credentials

With Suse Linux Enterprise Desktop, allowing Users to access your Linux Server is accomplished in a couple of different ways depending upon the Samba Backend you are using. If you decided to go with an LDAP backend, the Yast Users module provides a nice graphical way to adjust your users' Samba properties. This is done with the "Manage Samba Account Parameters" plugin.

Note: Adding Users should probably be done AFTER your server is completely configured. This allows you to fine-tune various settings, such as adding files/directories to the /etc/skel folder, before you start adding users.


[Screenshots: Launching the Samba Plugin for LDAP Users; Adjusting the Samba Attributes for an LDAP User]
Launching the Samba Plugin for LDAP Users and Adjusting User Parameters

As you can see in the above screen shots, you can modify various Samba User parameters directly within the Yast User module. This makes it very easy to maintain the Samba Credentials for your users since it is more or less automatic (simply enable the Samba User Plugin by default).

Manually Adding User Credentials

If you are not using the LDAP Backend on Suse Linux Enterprise Server, or if you are using a different GNU/Linux Distribution, you must manually create the user credentials for Samba. To do this you must enter the following command for every user account on your server (or do this after you create the Unix User account).

	smbpasswd -a username

This will add the relevant information for that user into your backend, whether it is the smbpasswd file (usually located at /etc/samba/smbpasswd) or the tdbsam database (usually located at /etc/samba/*.tdb). Again, be warned that if you change your Samba Backend you will have to recreate all of your User Credentials.

Creating the User Accounts in this way can be somewhat of a put-off for some Administrators; some may say: "Why do you have to add the same user twice?" To get around this annoyance, you can set a script that will automatically add the Unix User Account to your Server when you create the Samba Credentials. A basic script to add to your smb.conf file would look something like this (note that these probably won't work with an LDAP Backend):

	add user script = /usr/sbin/useradd -m %u

You can also set a delete user script similar to:

	delete user script = /usr/sbin/userdel -r %u

For those that are not familiar with Samba, these scripts can be very useful since you can actually manage most of Samba's User and Machine data remotely using Microsoft's User Manager for Domains. This can make Samba a very easy upgrade for people still using Windows NT4 Servers. Also, if you do not want to use Microsoft User Manager, there are other alternatives such as webmin or the included Samba Swat utility (there are also a whole slew of others if you are using the ldapsam backend).

Note: Some versions of Microsoft's User Manager for Domains may have problems working with Samba; for instance, the last time I checked, the version available on Microsoft's Website will not work properly with Samba. However, the NT4 version, as well as the Win2k version, are known to work properly.

Group Accounts

When setting up a server for file sharing, proper management of groups is a must. Groups can help in sorting out file permission problems when sharing files, help you in locking down your workstations, and even help you to automate certain settings during the user's login.

Similar to User Accounts, the Unix Group Account must already be present on the server; then you must "map" the Unix Group to a Windows Group (usually by running a command on the server). This "mapping" will create all the necessary entries in the Samba Backend that Windows Networking requires (including the Security Identifier). Also of note is that Windows Group Names are different from Unix Group Names: with Unix Groups you should avoid long names (usually you stay at or below 8 characters) and you should not use spaces, whereas Windows Groups do not have these limitations.

SLES LDAP Group Mapping

To show you how to create this group mapping, I am going to create a "Domain Admins" group on your Samba Server so that anyone added to this group will have Administrator privileges when they log onto the Domain from your Windows Machines.

First, you will want to have a Unix Group already present that you will map the Domain Admins Windows Group to. I usually use ntadmins or domadmin on the servers I set up. Some Distributions already create an "ntadmin" group that could be used for this mapping (although if you are using the LDAP Backend you will not want to use this pre-configured Unix group). Since this document is mostly about Suse Linux Enterprise Server, I will first show you how to create this mapping using the Yast Group Management Module (using the LDAP Backend).


[Screenshots: Launching the Yast Samba Group Plugin; Creating the Group Mapping Using the Yast Samba Group Plugin]
Launching the Yast Samba Group Plugin to create the group mapping

First, open the Yast Group Management Module and either add the ntadmins group, or edit it if it is already created. Then you will go to the "Plugins" tab and add the "Manage Samba attribute of LDAP groups" plugin (if it is not already enabled). Now you will want to "Launch" that plugin to be able to name the Windows Group "Domain Admins". When you are done, click finished and the mapping is done.

Normally this is all you would have to do to map a Unix Group to a Windows Group. However, we are creating a default Windows Group, which must have a specific Relative Identifier (RID) to work properly; for the Domain Admins Group that RID needs to be 512. To adjust this for LDAP groups you need to launch the "Yast LDAP Browser" module and log in to the local LDAP Server.


[Screenshots: Using the Yast LDAP Browser to adjust entries; Adjusting the ntadmins' Group SID using the LDAP Browser]
Using the Yast LDAP Browser to Adjust the ntadmins' SambaSID

Once you have the local LDAP tree open, browse to the group organizational unit and highlight the group that you created to be "Domain Admins". Now click on the Entry Data tab and edit the sambaSID so that "512" is the last group of digits (don't forget to save before you exit). After this is done, anyone in the ntadmins group will be considered a "Domain Admin" on your Windows Workstations.

Along with the "Domain Admins" group, you should also create a few other Windows Default Groups: The "Domain Users" Group with a RID of 513, and "Domain Guests" Group with a RID of 514.

Manually Creating the Group Mapping

If you are not using the LDAP Backend with your Suse Linux Enterprise Server, or if you are using another GNU/Linux Distribution, you must manually create the "Group Mapping" in your Samba Backend for Groups to work properly. To show you this I will re-create the same Domain Admins group only this time using the command line utilities. Again you must already have a group created to map to. I will be using a group called "ntadmin" (since SLES already has this group created by default for this purpose).

	net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512 type=d

To check that the mapping worked correctly, issue the "net groupmap list" command. One thing to note when you manually create these mappings: the Relative Identifiers must not overlap (not even with users' RIDs).

Again, if your server is going to be a Domain Controller, you should also create groups for: The "Domain Users" Group with a RID of 513, and The "Domain Guests" Group with a RID of 514.
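The two checks described above (no overlapping RIDs, and the well-known Domain Admins/Users/Guests groups present with RIDs 512/513/514), as an added shell example that is not part of this guide or of Samba. It assumes the "ntgroup (SID) -> unixgroup" line format that "net groupmap list" prints and audits a constructed sample of that output:

```shell
#!/bin/sh
# Added example (not from the guide or from Samba): audit `net groupmap list`
# output for RIDs that overlap and for well-known Domain groups that are mapped
# to the wrong RID or missing. Input is the "NT group (SID) -> unixgroup" format
# that `net groupmap list` prints; on a live server: net groupmap list | audit_groupmap

# Constructed sample output: the three well-known groups plus a "Staff" group
# that deliberately reuses RID 513 so the duplicate check has something to find.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-111-222-333-512) -> ntadmin
Domain Users (S-1-5-21-111-222-333-513) -> users
Domain Guests (S-1-5-21-111-222-333-514) -> nogroup
Staff (S-1-5-21-111-222-333-513) -> staff'

# audit_groupmap: reads mapping lines on stdin, prints one finding per line
# and returns the number of findings (0 means the mapping is consistent).
audit_groupmap() {
    awk '
        BEGIN { n = 0 }
        NF < 4 { next }                                 # skip blank or unexpected lines
        {
            sid = $(NF-2); gsub(/[()]/, "", sid)        # "(S-1-5-21-...-512)" -> SID
            rid = sid;     sub(/.*-/, "", rid)          # last SID component is the RID
            nt  = $0;      sub(/ \(S-1-5-21.*$/, "", nt)    # NT group name may contain spaces
            if (rid in owner) {
                printf "duplicate RID %s: \"%s\" and \"%s\"\n", rid, owner[rid], nt
                n++
            } else {
                owner[rid] = nt
            }
            seen[nt] = rid
        }
        END {
            # Well-known RIDs a Samba Domain Controller needs, as given in the text.
            want["Domain Admins"] = 512
            want["Domain Users"]  = 513
            want["Domain Guests"] = 514
            for (g in want) {
                if (!(g in seen)) {
                    printf "missing mapping for \"%s\" (RID %d)\n", g, want[g]; n++
                } else if (seen[g] != want[g]) {
                    printf "\"%s\" has RID %s, expected %d\n", g, seen[g], want[g]; n++
                }
            }
            exit n
        }'
}

# Demo run against the constructed sample; reports one finding (the reused RID 513).
printf '%s\n' "$SAMPLE_GROUPMAP" | audit_groupmap || echo "$? problem(s) found"
```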

Granting Rights to Domain Admins

Normally, if you stop now, anyone in the "Domain Admins" group has Administrator privileges on the Windows Workstation when logging in, but does not have any "privileges" to remotely modify the Samba Server (including adding machines to the Domain). This could be a good thing or a bad thing; it really depends upon the users you will add to the "Domain Admins" group.

If you want these users to also be able to modify the Samba Server, you must first set the following in the global section of your smb.conf file (later versions of Samba actually have this enabled by default):

	enable privileges = yes

Then you must run the following command with the privileges you want to allow:

	net rpc rights grant 'DomainName\Domain Admins' SeXXXX -S servername -U root

Where SeXXXX is the right you want to grant. To specify multiple rights, simply separate them with spaces. The rights you can specify are:


SeMachineAccountPrivilege - add machines to the Domain
SePrintOperatorPrivilege - manage printers
SeAddUsersPrivilege - add users and groups to the Domain
SeRemoteShutdownPrivilege - remotely shutdown computers
SeDiskOperatorPrivilege - manage disk shares
SeTakeOwnershipPrivilege - take ownership of files

Remotely Managing Groups

Similarly to managing Users with Microsoft's tools (among others), you can also manage groups with Microsoft's User Manager for Domains (and Microsoft's MMC). In order to utilize this functionality you must first set a few scripts within your smb.conf file. Generic scripts (which may or may not work with your distribution) are found below; note that these probably will not work if you are using an LDAP Backend:

	add group script = /usr/sbin/groupadd %g
	delete group script = /usr/sbin/groupdel %g
	add user to group script = /usr/sbin/usermod -a -G %g %u

Note: the -a flag is required on the usermod command; without it, usermod -G replaces the user's entire list of supplementary groups instead of adding to it, silently removing the user from every other group.

There is also a possibility of adding a "delete user from group script", but it is highly recommended that you manually do that at the Samba Server to avoid inadvertently deleting the user from all their groups (or deleting the user entirely).

Computer Accounts

The way Windows Networking works, to participate in a Domain, every Windows Workstation must have an account created at the Domain Controller. Normally this account is created when the Computer is joined to the Domain, although it can be created before it is joined (some admins consider this a risk).

With Samba, this is accomplished with a script specified in the smb.conf file, which is run whenever a computer attempts to join the Domain. With Suse Linux Enterprise Server, this script is already specified for you. Other GNU/Linux Distributions may or may not have this script specified, so here is an example:

	add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$

Once this is set, you would add Computers to the Domain in exactly the same way as you would when connecting them to a Windows Server. To join a domain under Windows XP/2000, right-click on the "My Computer" icon and hit Properties. Go to the "Computer Name" tab and hit Change. Where it says "Member of", select Domain, enter the domain name that you used, such as "TUX-NET", and hit OK. The workstation will contact your server, which will ask for a username and password to create a computer account on the server. Simply type in "root" and the root password (or a user that belongs to a group that has the SeMachineAccountPrivilege set) and hit OK; Windows will now become a member of the domain and will ask to restart the computer.


[Screenshots: Opening the System Properties to Join the Domain; Specifying the Domain to Join]
Opening the System Properties to Join the Domain

Joining Windows NT to the domain is slightly different: instead of right-clicking on "My Computer", right-click on "Network Neighborhood" and select Properties, click the Change button and enter the domain name. Also, you must check "create machine account" and enter an appropriate username and password (the root account or a user that belongs to a group that has the SeMachineAccountPrivilege set). Once completed, when you restart the client you will be able to log into the Samba Domain.

© Website Copyright 2008 - Mike Petersen
Verbatim distribution permitted