Installing Samba 3 on OpenServer 6
Kirk Farquhar, SCO Canada
kirkf@sco.com

Agenda
What is Samba?
Samba is an open-source application suite that enables SMB/CIFS based services on Unix servers
SMB – Server Message Block – is the underlying protocol for Windows File & Print Sharing
Licensed under the GPL
Maintained by the Samba Team (12-20 people)
Web site for resources – www.samba.org

Business Benefits of Samba
Allows you to merge the resources of your Windows & Unix networks
Provides seamless access to Unix based files from Windows clients
Provides a secure & stable file server
Provides an upgrade path from Windows to “big iron”
Eliminates the need for Windows servers in organizations that don’t require Windows Server based applications
Samba 3 Installation
OSR 6 - Installing from Media
Insert the OpenServer 6 CD
Start scoadmin
Select Software Manager, Software, Install New
Select “From Servername”
Select the media device CDROM 0
Expand SCO OpenServer Release 6.0.0
Expand Connectivity
Highlight SAMBA and click on Install
N.B. If Heimdal Kerberos was not installed, install it in the same manner.
Run mkdev samba

OSR 6 - Installing from Downloads
Download the CPIO file from the SCO site to /tmp
Extract the VOL files: cat *.cpio | cpio -ivcd "*.*"
Start scoadmin
Select Software Manager, Software, Install New
Select “From Servername”
Select the media images option and the directory /tmp
Highlight samba and click Install
Run mkdev samba

mkdev samba
Run the command mkdev samba
Choose 1 – Configure and Activate Samba
Enter your Windows Domain or Workgroup name
Accept the default machine name provided
If your network has a WINS server select yes and provide its IP address
If there is no WINS server on Windows, this server can be set as a WINS server
Select whether you want to participate in an MS Domain
Provide the NetBIOS name of the PDC
mkdev samba command - Workgroup

mkdev samba command - Workgroup Defaults

mkdev samba command - Workgroup
Changes made to /etc/samba/smb.conf
§ workgroup = WORKGROUP
§ netbios name = FANGORN
§ security = user
§ wins server = 192.168.0.2

State of Server after this mkdev samba
nmbd and smbd are running
The server is a member of the workgroup named WORKGROUP
No shares are created and only root can connect

mkdev samba – Domain Member

mkdev samba – Domain Member
Changes to /etc/samba/smb.conf
§ workgroup = ME
§ netbios name = FANGORN
§ security = domain
§ password server = RIVENDELL
§ wins server = 192.168.0.2

State of Server after this mkdev samba
nmbd and smbd are running
The server is a member of the domain ME
The only user is root/administrator
Shares aren’t set up
Password backend is smbpasswd
Passwords are encrypted
Introduction to SWAT
What is SWAT?
SWAT = Samba Web Administration Tool
Included and configured by default with SCO Samba implementations
SWAT will allow you to perform most Samba administration functions from any browser that can contact the server
Alternative to command line interfaces or editing smb.conf by hand
Available on port 901 by default
Controlled by inetd and services file entries

Issues & Concerns with SWAT
Completely rewrites smb.conf on each use
Only stores non-default settings in an intermediate file
Doesn’t retain set-up comments
Can be viewed as a security risk
Never run in demo mode
Never run outside firewalls
Doesn’t like some passwords

SWAT Connection & Login
Use your browser to connect to http://192.168.0.4:901

SWAT Home Page
The primary use of the home page is to access the docs

SWAT Screens - Globals
Allows you to set all Global variables that control the server’s behaviour:
• Server Type
• Security Settings
• Master Browser status & participation
• WINS Options

SWAT Screens - Shares
Allows you to configure File Shares on the server, including the specific permissions and performance modifiers for the shares.

SWAT Screens - Printers
Allows you to set up the Unix printers to be shared by the server and to configure the printing and security options for those printers.

SWAT Screens - Wizard
This screen allows you to rewrite the smb.conf file and easily reset the Server type, WINS status and basic security access. Probably the first screen you’ll use, but it is very dangerous as it can undo much configuration work.

SWAT Screens - Status
Displays the current status of the Samba server, including active connections. Can be used to shut down or restart the server.

SWAT Screens - View
View the current smb.conf file. Note – you cannot change the file here. By default shows only the non-default entries you’ve created for the file. The Full View option shows the entire smb.conf file.

SWAT Screens - Password
Add, enable and disable users, as well as resetting passwords for users.
Files & Directories
Files & Directories
/etc/samba
    smb.conf      primary Samba configuration file
    lmhosts       file of NetBIOS host names & IP addresses
    secrets.tdb   holds SID information
    smbusers      maps Unix to Windows account names
    smbpasswd     equivalent to the Unix password file
    smbstab       info about file & print shares
/usr/sbin         daemons smbd and nmbd
/usr/bin          executables: testparm, smbnet etc.

smb.conf file
§ The smb.conf file contains all non-default entries you make to configure the Samba server
§ Other entries are automatically set to defaults by Samba
§ Re-read on each new connection and every 60 seconds
§ Rebuilt dynamically if you use SWAT

S99smbd & S99nmbd
Located in /etc/rc2.d – linked to smb & nmb in /etc/init.d
Created by mkdev samba, or you can manually create the links with /etc/init.d/smb enable and /etc/init.d/nmb enable
Starts and stops the daemons
Syntax:
/etc/rc2.d/S99smbd start|stop|restart|enable|disable
/etc/rc2.d/S99nmbd start|stop|restart|enable|disable
Can be modified to change the location of Samba files
Attempts to delete the PID files and then starts smbd and nmbd

Daemons
Located in /usr/sbin
smbd
§ TCP/IP daemon; handles all file and print requests as well as authentication and security
nmbd
§ Handles name look-up and resolution and manages network browsing
§ Handles all UDP traffic
§ smbd will not work without nmbd

Using testparm
Utility to test the syntax of the smb.conf file
Located in /usr/lib/samba/bin
Usage: testparm [-v] [smb.conf file location]
By default only lists the changes you’ve made
The -v option will show all defaults added by Samba
Giving an smb.conf file location lets you test multiple files
Besides displaying data it does a very simple syntax check – Note: this doesn’t guarantee your server will work
Configuring Your Server
Configuring the Samba Server
Decisions to be made
Do you have an existing Windows Network?
§ Is it a Workgroup or Domain?
· If a Domain, what security profile?
What type of Server will this be?
What Security Mode do you want?
Will you join an existing Workgroup or Domain?
§ Do you have a Windows Domain?
· Do you use Active Directory?
§ Is the Samba Server to be a Domain Controller?
§ Are Unix userids and network ids to be the same?
What type of clients will you have, Win95, Win2K?

Prerequisites
You need to have a running network interface
DNS should be configured
§ Optionally use /etc/hosts
§ Test with ping & nslookup
§ If joining an AD domain, DNS should probably be running from the Win2K server, i.e. nslookup fangorn.me.local returns 192.168.0.4 and nslookup 192.168.0.4 returns fangorn.me.local
Apache is necessary for SWAT to function
Other SMB services must not be operating (AFPS VFS)
Ports 137, 139, and 901 must be available

Windows Networking Issues
Existing Win2K+ Domains with AD need to be configured with a Domain Functional Level of:
§ Windows 2000 Mixed
§ This allows servers using NT4 style Domain functionality to participate in the Domain
§ Or Native
§ This allows for native AD authentication using Kerberos – this will require the Heimdal modules

Server Types
Stand-alone Server
A stand-alone server is a Workgroup member, but does not participate in Domain Security. Domain members may access it using local authentication.
Domain Member Server
A Domain Member Server participates in a Domain and provides for a Single Sign-on environment.
Domain Controller
Acts as either a Primary or Back-up Domain Controller.

Security Levels
User Security
§ security = user
§ Client sends a session request as username/password
§ Server checks user and hostname only, since no share info is available
§ Once authenticated the client “expects” to be able to mount shares with a tree connection without further authentication
§ Client can send multiple session requests and gets a separate UID for each
Share Security
§ security = share
§ Each tree connection request has a password submitted
§ Unlike NT, Unix needs a username/password combo
§ Samba will try to resolve a username by checking the password against possible users
§ Not recommended – may create problems with newer Windows clients
§ Primarily to support legacy implementations – Win9?
Security Levels
Domain Security (NT4 Domains)
§ security = domain
§ workgroup = ME
§ encrypt passwords = yes
The server has a trust account on the domain server – gotcha!
Authentication requests are passed to the domain server to be resolved
You must join a domain after Samba is started (you only need to do this once)
As root execute: /usr/lib/samba/bin/smbnet rpc join -U Administrator%adminpw
You must have a standard Unix user account for each user of the server, or define acceptable users by share
Populate /etc/passwd with: /usr/lib/samba/bin/smbnet rpc vampire -S pdcnbname -U administrator%pw

Security Levels
Domain Security (Native AD Domains)
Same settings and join steps as for NT4 Domains above: security = domain, workgroup = ME, encrypt passwords = yes; the server has a trust account on the domain server, authentication requests are passed to the domain server, you join once after Samba is started with smbnet rpc join, and you populate the Unix accounts with smbnet rpc vampire.

Security Levels
Server Security
smb.conf entries needed:
security = server
encrypt passwords = yes
password server = nbnameofserver
Variation of user level security – the client “thinks” this is user level
When the server gets a session setup request it uses the username/password combo to try to log in to the password server
Requires a standard Unix user account on the Samba server
You may want to block shell connections for this account
May cause account lockouts on servers for failed authentications
If the password server shuts down, Samba won’t work
Setting Up a Standalone Server
Setting up a Stand-alone Server - In the Globals Screen:
• Define your Workgroup name
• Define the NetBIOS name
• Set the security level
• Set Encrypted Passwords to Yes
• Set Password Backend to smbpasswd
• Commit changes

Setting up a Stand-alone Server - In the Wizard Screen:
• Select Stand-alone Server
• Configure WINS Server
• Expose Home Dirs?
• Commit changes

Create Machine Accounts for Workstations
You need to create machine accounts for workstations running W2K or above
§ Create a Unix group machines: groupadd machines
§ Add an account for each machine: useradd -g machines -d /var/nobody -c "Kirks Workstation" -s /bin/false bilbo$
§ Note the $ at the end of the machine name

Add Users - In the Password Screen
§ Add users
§ Set passwords to match the Windows password
§ Click Add New User for each user
§ Click Enable User

Setting up a Stand-alone Server - In the Status screen:
Click on Restart All to shut down and restart the server
From a Windows workstation go to My Network Places, and select Entire Network, Microsoft Windows Network, Your Domain, Your Samba Server to display the current shares.

smb.conf Entries
security = user
workgroup = SCO
encrypt passwords = yes
passdb backend = smbpasswd

Check Access to Resources

Try to Access Resources
Setting Up a Domain Member Server
Setting up a Domain Member
In the Globals screen:
• Add the Domain name in the Workgroup field
• Add the Server’s name in the NetBIOS name field
• Set Security to DOMAIN
• Commit changes

Setting up a Domain Member
In the Wizard screen:
• Jump to Parameter Edit
• Configure the Server Type as Domain Member
• Configure WINS as Client of another Server
• Set security = Domain
• Set the IP address of your primary WINS Server
• Expose Home Dirs?
• Commit changes

Setting up a Domain Member
In the Status screen:
• Click on Restart All to shut down and restart the server
• At a Unix prompt as root run the command: /usr/bin/smbnet rpc join -U administrator%password
From a Windows workstation go to My Network Places, and select
• Entire Network
• Microsoft Windows Network
• Your Domain
• Your Samba Server
to display the current shares.

smb.conf Entries
[global]
    workgroup = ME
    server string = Fangorn Samba 3 Server
    interfaces = net0, lo0
    bind interfaces only = Yes
    security = DOMAIN
    password server = rivendell
    log file = /var/log/samba/log.%m
    max log size = 50
    dns proxy = No
    wins server = 192.168.0.2
[homes]
    comment = Home Directories
    read only = No
    browseable = No
[printers]
    comment = All Printers
    path = /usr/spool/samba
    printable = Yes
    browseable = No

ADS Authentication – Globals Screen
Essentially the same as a domain member, but:
• Add realm
• Set Security to ADS

ADS Authentication – Wizard Screen
§ The wizard should pick up the correct changes from the Globals commit
§ Note the addition of realm

Changes to the Globals section of smb.conf
[global]
    workgroup = ME
    realm = ME.LOCAL
    server string = Fangorn Samba 3 Server
    interfaces = net0, lo0
    bind interfaces only = Yes
    security = ADS
    password server = rivendell
    log file = /var/log/samba/log.%m
    max log size = 50
    dns proxy = No
    wins server = 192.168.0.2

Getting Kerberos to Work
To authenticate natively to AD you need Kerberos services to work
In the smb.conf Globals section we need:
security = ADS (use AD for authentication)
realm = ME.LOCAL (the realm is your local DNS domain name)
password server = RIVENDELL (NetBIOS name of the Windows PDC)
The SID must be correct. If errors show in the SID use:
smbnet getlocalsid domainname
smbnet setlocalsid S-1-5-21-x-y-z
Run smbnet ads status -U administrator (you should get a big dump of data)
Re-run smbnet ads join -U administrator
Sharing Directories
Sharing Directories
In the SWAT Shares screen enter a new share name & click on Create Share

Sharing Directories
Fill in the options for this share
Optionally add special user conditions
Turn on/off Guest Access
Control host access
Set Browseable
NB – a blank entry for valid users means anyone can access the share
If hosts are allowed then only those hosts are allowed
Click on Commit Changes when done

smb.conf Entries
This will create a section in smb.conf for this share:
[U Filesystem]
    path = /u
    valid users = kirk, @Administrators
    hosts deny = 192.168.0.5
Sharing Unix Printers
Configuring the Print Server
By default Samba will load all of the printers in the /etc/printcap file
This is done by the Global option load printers = yes
Printing mode is sysv
Optionally on Legend you can use CUPS
In the Globals screen/Advanced View you can set print spooler options (the defaults work well)

Sharing all printers
In the Printers tab:
• Choose “printers”
• Note the Browseable option
• Set Hosts to allow & deny

Adding a Specific Printer
§ Enter the Printer Name
§ Click on Create Printer
§ Make printer specific settings
§ Set Browseable to Yes
§ Commit changes

Accessing the Printer from Windows
To use this printer from Windows:
• Start
• Printers
• Add a Printer
• Choose a Network Printer
• Choose connect to this Printer
• (leave the name blank)
• Drill down to the printer
Setting Up Windows Clients
Configuring the Windows Clients
From the Control Panel select Networking - Local Area Connection
Select Properties
Ensure File & Print Sharing for Microsoft Networks is installed
Select Internet Protocol (TCP/IP) and then Properties

Configuring the Windows Clients
Select Control Panel - System
Choose the Network Identification Wizard (Network ID button) and enter your machine name and Domain Name or Workgroup
You will be prompted for an admin user name and password on the domain controller

Configuring the Windows Clients
If using DHCP select “Obtain Address Automatically”
Otherwise populate all fields
Select the Advanced tab

Configuring the Windows Clients
If not using DHCP you must add the IP Address and Gateway
Likewise, DHCP will automatically add the DNS & WINS information

Configuring the Windows Clients
If not using DHCP populate the DNS & WINS screens

Configuring Windows Clients
From the Desktop - My Network Places - Microsoft Windows Network
Choose your Domain (ME)
The Samba Server should be displayed (FANGORN)
Expand the Server and the Shares should appear
Double click on the Server’s name to see the Shares
Alt-click on a Share to consume it
Double click on it to browse
Using Windows Resources
Using smbclient
smbclient is a CIFS client that allows the Samba system to consume resources from other CIFS servers
Usage: smbclient [-?EgVNkP] [--usage] [-R NAME-RESOLVE-ORDER] [-M HOST] [-I IP] [-L HOST] [-t CODE] [-m LEVEL] [-T<c|x>IXFqgbNan] [-D DIR] [-c ARG] [-b BYTES] [-p PORT] [-d DEBUGLEVEL] [-s CONFIGFILE] [-l LOGFILEBASE] [-O SOCKETOPTIONS] [-n NETBIOSNAME] [-W WORKGROUP] [-i SCOPE] [-U USERNAME] [-A FILE] [-S on|off|required] service <password>

smbclient -L
Use to list the shared resources on a server
rohan:~$ smbclient -L bilbo
Password:
Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Sharename       Type      Comment
        ---------       ----      -------
        E$              Disk      Default share
        IPC$            IPC       Remote IPC
        D$              Disk      Default share
        downloads       Disk
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        ExchangeData    Disk
Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
rohan:~$

Accessing Windows Files
Use smbclient to connect to a File Share and get an FTP-like interface
rohan:~$ smbclient //bilbo/downloads -Ukirk
Password:
Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \>
At the smb prompt you can use commands similar to FTP: cd, dir, get, mget etc.

Listing Files
rohan:~$ smbclient //bilbo/downloads -Ukirk
Password:
Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \> dir
  .                                   D         0  Mon May 30 14:46:16 2005
  AdbeRdr60_enu_full.exe              A  16706160  Wed Apr 13 16:40:49 2005
  bilbo01_1024x768.jpg                A    317087  Tue Jul  6 12:59:22 2004
  casedge                             D         0  Tue Nov 30 16:20:08 2004
  genica                              D         0  Tue Nov 30 14:26:54 2004
  gn788.zip                           A    565618  Thu Oct 14 14:58:33 2004
  ISA2004Enterprise.iso               A 114960384  Sun Apr 24 18:50:35 2005
  iTunesSetup.exe                     A  21904216  Mon May 30 14:46:16 2005
  ppviewer.exe                        A   1951432  Wed Apr 13 16:26 2005
  Product_Training_April_v_4.ppt      A   4551680  Wed Apr 13 16:30:37 2005
  RealPlayer10-5GOLD.exe              A  10827296  Thu Apr 21 23:25:11 2005
  RiskFilter_403.ISO                  A 376932352  Mon Jan 10 15:21:51 2005
  threatdetector.exe                  A  17345027  Mon May 16 16:02:34 2005
  W2KSP2.exe                          A 106278016  Tue Nov 30 16:33:23 2004
  W2Ksp3.exe                          A  32913953  Tue Dec 14 14:42:37 2004

                51740 blocks of size 524288. 44090 blocks available
smb: \>

Getting a file
smb: \> cd casedge
smb: \casedge\> dir
  .                                   D         0  Tue Nov 30 16:20:08 2004
  ..                                  D         0  Tue Nov 30 16:23:03 2004
  audio_0050.exe                      A  19342431  Tue Nov 30 16:22:32 2004
  lan                                 D         0  Tue Nov 30 14:19:29 2004
  usb                                 D         0  Tue Nov 30 14:21:29 2004
  video                               D         0  Tue Nov 30 14:20:39 2004

                51740 blocks of size 524288. 44090 blocks available
smb: \casedge\> cd video
smb: \casedge\video\> dir
  .                                   D         0  Tue Nov 30 14:20:39 2004
  autorun.inf                         A        34  Thu Jul 11 16:07:42 2002
  Graphics                            D         0  Tue Nov 30 14:20:39 2004
  ReadMe.txt                          A     27090  Thu Jul 11 18:02:00 2002

                51740 blocks of size 524288. 44090 blocks available
smb: \casedge\video\> get ReadMe.txt
getting file \casedge\video\ReadMe.txt of size 27090 as ReadMe.txt (464.1 kb/s) (average 464.1 kb/s)
smb: \casedge\video\>

Using a Printer
Configure CUPS printing on the Unix server
Use smbclient -L servername to identify the sharename of the available printers
Create a PPD file for the Windows printer
Install the printer to CUPS:
root# lpadmin -p winprinter -v smb://frodo/psc2200 -P /path/to/PPDfile
Special Considerations
Special Considerations
Real-time updates of smb.conf
The smb.conf file is re-read on each new connection and every 60 seconds
Manually changing smb.conf can interrupt existing connections
Sharing data files with Windows & Unix apps
By default Samba enables opportunistic locking for local data caching
This should only be used where shares are used exclusively by one client type
In the Globals - Advanced View - Locking section set oplocks and level 2 oplocks to No
You can also disable oplocks on a per share basis in Shares - Share Properties - Advanced - Locking

Securing your Samba Server
If possible Samba servers should be behind the firewall
Host-Based Protection
You can restrict access to certain systems in the Globals screen; use the Hosts Allow/Deny options to create entries such as:
hosts allow = 127.0.0.1, 192.168.0.0/24
hosts deny = 0.0/0
These entries allow only local connections and those from the 192.168.0 net, and deny everyone else
User-Based Protection
You can restrict access to certain users or groups with the Globals (in)valid users options

Securing your Samba Server
You can control access by interface with Globals - Interfaces
interfaces = eth0 lo, as an example, will only listen on the loopback and eth0, but not on eth1, eth2 etc.
You must set Bind Interfaces Only in the Advanced screen for this to work
Useful on dual-homed systems
Blocking IPC$ Shares
Cannot be done from SWAT
Add these lines to smb.conf:
[IPC$]
    hosts allow = 127.0.0.1, 192.168.0.0/24
    hosts deny = 0.0/0
NB – this will be overwritten if you use SWAT to rebuild smb.conf
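Because SWAT rebuilds smb.conf and silently drops the hand-added [IPC$] section, a check that re-reads the file is the practical way to confirm the settings from these two slides (and the security mode and encrypted-password points from the Security Levels slides) survived. The audit below is an added example, not part of the original presentation or of Samba; it assumes only POSIX sh and awk, and the two sample configurations it writes are constructed to mirror the slides' FANGORN/ME/192.168.0.0/24 examples.

```shell
# Added audit helper (not from the original slides): report which hardening
# settings from the "Securing your Samba Server" slides an smb.conf lacks.
# Print one finding per line for the smb.conf given as $1; silent if all pass.
audit_smbconf() {
    awk '
    /^[ \t]*[#;]/ { next }                       # skip comment lines
    /^[ \t]*\[/ {                                # new [section] header
        s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
        section = tolower(s); next
    }
    /=/ {                                        # key = value, case-insensitive
        k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
        v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
        cfg[section "|" tolower(k)] = tolower(v)
    }
    END {
        g = "global|"
        if (cfg[g "security"] == "share")
            print "security = share is legacy Win9x support; prefer user/domain/ads"
        if (cfg[g "encrypt passwords"] == "no")
            print "encrypt passwords = no: passwords cross the wire in cleartext"
        if (!((g "hosts allow") in cfg) || !((g "hosts deny") in cfg))
            print "no global hosts allow/deny: every host may attempt a session"
        if (cfg[g "bind interfaces only"] != "yes")
            print "bind interfaces only is not yes: the interfaces list is not enforced"
        else if (!((g "interfaces") in cfg))
            print "bind interfaces only = yes but no interfaces list given"
        if (!(("ipc$|hosts allow") in cfg))
            print "[IPC$] has no hosts allow: SWAT rebuild may have dropped the section"
    }' "$1"
}
# Number of findings as a bare integer, for use as a pass/fail gate in scripts.
count_findings() { audit_smbconf "$1" | wc -l | tr -d ' '; }
# Constructed sample: the mkdev defaults plus legacy share mode, nothing restricted.
write_weak_smbconf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = WORKGROUP
    netbios name = FANGORN
    security = share
    encrypt passwords = no
[homes]
    read only = No
EOF
}
# Constructed sample: the domain-member config from the slides with the hardening applied.
write_hardened_smbconf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = ME
    netbios name = FANGORN
    security = DOMAIN
    password server = rivendell
    encrypt passwords = Yes
    interfaces = net0, lo0
    bind interfaces only = Yes
    hosts allow = 127.0.0.1, 192.168.0.0/24
    hosts deny = 0.0/0
[IPC$]
    hosts allow = 127.0.0.1, 192.168.0.0/24
    hosts deny = 0.0/0
EOF
}
```

Run `audit_smbconf /etc/samba/smb.conf` after every SWAT commit; a non-zero `count_findings` is the signal that a rebuild discarded something.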
Resources
http://www.samba.org
http://us1.samba.org/samba/docs/man/samba.7.html
The Official Samba-3 HOWTO and Reference Guide, by John Terpstra and Jelmer R. Vernooij
Samba – Installation & Configuration
Questions