
Samba Domaincontroller For Small Workgroups With SWAT On Fedora 8


This document describes how to set up and configure a Samba domain controller for small workgroups (up to 250 users) on Fedora 8 with the Samba Web Administration Tool (SWAT). The resulting system provides an easy-to-manage domain controller for your Windows network.

This howto is a practical guide without any warranty – it doesn't cover the theoretical background. There are many ways to set up such a system – this is the way I chose.

 

1 Preliminary Note

I used a minimal Fedora 8 installation without a GUI etc. for this howto. Additionally I had to uninstall Firefox after the minimal installation.

Hostname: server1.example.com
IP: 192.168.0.102
Gateway: 192.168.0.2
Pri.DNS: 192.168.0.2

 

2 Preparation

2.1 Yum

First we install some packages to speed up yum and prevent problems with packages.

yum install yum-fastestmirror yum-skip-broken

 

2.2 SELinux

SELinux should be disabled. If you’re not sure if it is disabled enter:

grep ^SELINUX= /etc/selinux/config

Disable SELinux if it is enabled:

vi /etc/selinux/config

Change:

SELINUX=enforcing

To:

SELINUX=disabled

Afterwards reboot the system.

reboot

 

2.3 Update

Time to update your system.

yum -y update

 

3 Samba & CUPS

Now we install Samba, the Samba Web Administration Tool (SWAT), and printer drivers for CUPS.

yum install samba samba-client samba-swat gutenprint-cups gutenprint-foomatic foomatic printer-filters compat-expat1 libpaper

If you want to use HP printers install a few more packages.

yum install hplip cups-devel ghostscript qt4 pyqt4 python-devel python-reportlab libjpeg-devel net-snmp net-snmp-devel

Note: net-snmp and net-snmp-devel are only needed for network printers. If you want to use a network printer, you have to open a few more ports in the firewall: jetdirect:tcp (9100), snmp:tcp and snmp:udp (161). How to adjust the firewall settings is explained in step 4.1.

 

4 Basic Configuration

4.1 Firewall

We have to open a few ports so that the clients can connect to Samba.

system-config-firewall-tui


Set Samba as a trusted service.


4.2 Xinetd

If you set up a server without a GUI, you have to add an additional IP (your workstation) to the SWAT xinetd configuration to be able to use the SWAT web interface from that workstation.

vi /etc/xinetd.d/swat

Change:

only_from = 127.0.0.1

To:

only_from = 127.0.0.1 %workstation_ip%

4.3 CUPS

If you set up a server without a GUI, you have to edit the listen and access configuration to use the CUPS web interface. Replace %vm_ip% with your VM's IP (e.g. 192.168.0.100) and %workstation_ip% with the IP of the workstation that you'll use to access the CUPS web interface.

vi /etc/cups/cupsd.conf

Change:

Listen localhost:631

To:

Listen %vm_ip%:631

Change:

# Restrict access to the server…
<Location />
Order allow,deny
Allow localhost
</Location>

# Restrict access to the admin pages…
<Location /admin>
Encryption Required
Order allow,deny
Allow localhost
</Location>

# Restrict access to configuration files…
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
Allow localhost
</Location>

To:

# Restrict access to the server…
<Location />
Order allow,deny
Allow localhost
Allow %workstation_ip%
</Location>

# Restrict access to the admin pages…
<Location /admin>
Encryption Required
Order allow,deny
Allow localhost
Allow %workstation_ip%
</Location>

# Restrict access to configuration files…
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
Allow localhost
Allow %workstation_ip%
</Location>

Now we create an SSL certificate for the CUPS webinterface:

openssl req -new -x509 -keyout /etc/cups/ssl/server.key \
-out /etc/cups/ssl/server.crt -days 365 -nodes

Afterwards restart CUPS:

/etc/init.d/cups restart

Now you're able to manage your CUPS printers via the CUPS web interface from your workstation. Open https://%vm_ip%:631/ in your preferred browser and log in as root. Please note that if there is no Linux driver available for your printer and you want to use this printer only from your Windows workstations through Samba, you can choose the printer manufacturer "RAW" and install the correct driver on your Windows workstations.

Please note that if you are going to set up an HP printer, you should add it to CUPS via hplip (command line). The exact command depends on the connection type of your device – have a look at "hp-setup --help". E.g. for a network printer with the IP 192.168.0.20 the command is "hp-setup -i 192.168.0.20". Afterwards you can adjust the printer settings (resolution etc.) in the CUPS web interface.

After you have added a new printer to CUPS, you'll have to add it to Samba via

cupsaddsmb -a

4.4 Quota

Now we prepare the system for quota usage.

vi /etc/fstab

Add usrquota and grpquota to the options of the line for the root partition. The line should then look like this:

/dev/VolGroup00/LogVol00 / ext3 defaults,usrquota,grpquota 1 1

Afterwards we create the files for the quota settings and remount the root partition.

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

Note: You’ll get an error like this when you start quotacheck -avugm for the first time:

quotacheck: WARNING - Quotafile //aquota.user was probably truncated. Cannot save quota settings...
quotacheck: WARNING - Quotafile //aquota.group was probably truncated. Cannot save quota settings...

This is normal and nothing to worry about. How to use quota for users is explained later in this howto when we add users to our Samba domain.

 

4.5 Hosts

Add your host’s IP and all computers of your workgroup to the hosts file on the server.

vi /etc/hosts

It should look like this:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1
192.168.0.110   workstation1
192.168.0.111   workstation2
192.168.0.112   workstation3
::1             localhost6.localdomain6 localhost6

 

4.6 Services

Now we enable the automatic startup of the needed services.

chkconfig smb on
chkconfig nmb on
chkconfig winbind on
chkconfig swat on

Afterwards reboot the system.

reboot

5 Samba As Domaincontroller

Connect to the SWAT webinterface with your preferred browser.

http://%vm_ip%:901

E.g.:

http://192.168.0.100:901

 

5.1 The Wizard

Click on “Wizard” in the SWAT menu and edit the settings:

Server Type = Domain Controller
Configure WINS As = Server for client use

Afterwards click on “Commit” in the upper menu.

Note: This will rewrite/clean the SAMBA configuration!

 

5.2 Global Configuration

Click on “Global” in the SWAT menu and edit the settings (advanced view):

workgroup = EXAMPLE.COM
netbios name = SAMBA SERVER
username map = /etc/samba/smbusers
preferred master = yes
printcap name = CUPS
logon drive = H:
logon script = scripts/logon.bat
logon path = \\server1\profiles\%U (If there is no DNS available in your network you have to replace server1 with the IP that belongs to the Samba server)
logon home = \\server1\%U (If there is no DNS available in your network you have to replace server1 with the IP that belongs to the Samba server)
add user script = /usr/sbin/useradd -m '%u' -g users -G users
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
idmap uid = 15000-20000
idmap gid = 15000-20000
template shell = /bin/bash
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd chat debug = yes
unix password sync = yes
log level = 3
os level = 200
profile acls = yes

Now click on “Commit Changes” in the upper menu and after that create the directories for domain logons and profiles.

mkdir -p /home/samba/netlogon
mkdir /home/samba/profiles
chmod 777 /var/spool/samba/
chown -R root:users /home/samba/
chmod 777 /home/samba/
chmod 755 /home/samba/netlogon/
chmod 770 /home/samba/profiles/

Edit the nsswitch.conf:

vi /etc/nsswitch.conf

Change:

hosts: files dns

To:

hosts: files wins dns

Now we add root to the Samba password database – root (alias: administrator, via the username map) will be our domain administrator.

smbpasswd -a root

 

5.3 Default Shares

Now we create the default shares for netlogon etc. Click on “Shares” in the SWAT menu and switch to the advanced view.

 

5.3.1 Homes

First we edit the share “homes“. Select it, click on “Choose Share” and edit the settings:

valid users = %S

Afterwards click on "Commit Changes".

 

5.3.2 Print$

Insert “print$” (without quotes) as the name for the new share and click on “Create Share“. Now edit the settings:

comment = Printer Drivers
path = /var/lib/samba/printing
write list = root, @smbadmin
available = yes

Afterwards click on "Commit Changes".

 

5.3.3 Netlogon

Insert “netlogon” (without quotes) as the name for the new share and click on “Create Share“. Now edit the settings:

comment = Network Logon Service
path = /home/samba/netlogon
admin users = administrator
valid users = %U
read only = yes
guest ok = yes
share modes = no
browseable = no
available = yes

 

5.3.4 Profiles

Insert “profiles” (without quotes) as the name for the new share and click on “Create Share“. Now edit the settings:

comment = User profiles
path = /home/samba/profiles
valid users = %U
create mask = 0600
security mask = 0600
directory mask = 0770
directory security mask = 0770
read only = no
browseable = no
available = yes

 

5.4 Testing

Now let's test whether everything is OK:

smbclient -L localhost -U%

The output should look like this:

        Sharename            Type      Comment
        ---------            ----      -------
        IPC$                 IPC       IPC Service (Samba Server Version 3.0.27a-0.fc8)
        netlogon             Disk      Network Logon Service
        Officejet_Pro_L7600  Printer   Officejet_Pro_L7600
        print$               Disk      Printer Drivers
Domain=[EXAMPLE.COM] OS=[Unix] Server=[Samba 3.0.27a-0.fc8]

        Server               Comment
        ---------            -------
        SAMBA SERVER         Samba Server Version 3.0.27a-0.fc8

        Workgroup            Master
        ---------            -------
        EXAMPLE.COM          SAMBA SERVER

5.5 Domain Groups

In this step we create the default domain groups for Windows.

net groupmap add ntgroup="Domain Admins" unixgroup="root" type=domain -U root
net groupmap add ntgroup="Domain Users" unixgroup="users" type=domain -U root
net groupmap add ntgroup="Domain Guests" unixgroup="nobody" type=domain -U root

After that click on “STATUS” in the SWAT menu and restart all services.

 

5.6 Domain Users

Now we add users to our Samba domain – this is required for each user account that shall connect to the Samba domain controller.

net rpc user add %username% -U root
net rpc user password %username% "%userpassword%" -U root
smbpasswd -e %username%

E.g.:

net rpc user add james -U root
net rpc user password james "secret" -U root
smbpasswd -e james

Additionally you can add a quota to the user via:

setquota -u %username% %block-softlimit% %block-hardlimit% %inode-softlimit% %inode-hardlimit% -a

E.g.:

The following command will add a quota to the user james:

setquota -u james 40960 51200 0 0 -a

Now james has a block soft limit of 40 MB, a block hard limit of 50 MB (the limits are given in 1 KB blocks) and no restrictions for inodes (folders and files).

You can check the current quota settings and quota usage via:

quota %username%

E.g.:

quota james

The output should look like this:

Disk quotas for user james (uid 500):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
/dev/mapper/VolGroup00-LogVol00
                   1108   40960   51200             104       0       0

 

6 Additional Samba Shares

This is an example for a share that is accessible by all users.

6.1 Directory

First we have to create the directory that we want to share. Afterwards we change the owner, group and permissions.

mkdir -p /home/shares/allusers/
chown -R root:users /home/shares/allusers/
chmod -R 775 /home/shares/allusers/

 

6.2 Share Configuration

Click on "SHARES" in the SWAT menu. Afterwards insert the desired name for the new share into the corresponding field and click on "Create Share".

Now change the view to Advanced in the upper menu and edit the settings for the share.

comment = Share for all users (or any other description)
path = /home/shares/allusers/ (the path to the directory that you created in step 6.1)
valid users = @users
force group = users
read only = No (if the users should be able to write to this share)
create mask = 0660
security mask = 0660
directory mask = 0771
directory security mask = 0771
available = Yes

After that click on “Commit Changes” in the upper menu.
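The share settings from sections 5.3 and 6.2 end up as plain sections in /etc/samba/smb.conf. The following script is an added example, not part of the original howto: it reads share parameters from a constructed smb.conf that mirrors those sections (plus a deliberately weak [public] share) and flags writable shares that are guest accessible or carry no "valid users" restriction. Run it against the real file with SMB_CONF=/etc/samba/smb.conf once you skip the constructed input.

```shell
#!/bin/sh
# Added example (not from the original howto): audit share sections of an
# smb.conf as written by SWAT. The file below is constructed for this demo.
SMB_CONF="${TMPDIR:-/tmp}/smb-audit-$$.conf"
trap 'rm -f "$SMB_CONF"' EXIT
cat > "$SMB_CONF" <<'EOF'
[homes]
	valid users = %S
	read only = no
[netlogon]
	valid users = %U
	read only = yes
	guest ok = yes
[profiles]
	valid users = %U
	create mask = 0600
	directory mask = 0770
	read only = no
[allusers]
	valid users = @users
	read only = No
[public]
	read only = no
	guest ok = yes
EOF
# share_param FILE SHARE KEY: print the value of KEY in section [SHARE] (empty if unset)
share_param() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]+|[ \t]+$/, "", sec); next }
        sec == want && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
        }' "$1"
}
# audit_share FILE SHARE: a writable share ("read only = no"; Samba defaults to yes)
# must not be guest accessible and must carry a "valid users" restriction.
# SWAT writes booleans as Yes/No, so they are lowercased before comparing.
# Prints findings; returns 0 when clean, 1 otherwise.
audit_share() {
    rc=0
    if [ "$(share_param "$1" "$2" "read only" | tr 'A-Z' 'a-z')" = "no" ]; then
        if [ "$(share_param "$1" "$2" "guest ok" | tr 'A-Z' 'a-z')" = "yes" ]; then
            echo "$2: writable share allows guest access"; rc=1
        fi
        if [ -z "$(share_param "$1" "$2" "valid users")" ]; then
            echo "$2: writable share has no 'valid users' restriction"; rc=1
        fi
    fi
    if [ "$rc" -eq 0 ]; then echo "$2: ok"; fi
    return "$rc"
}
for s in public homes profiles allusers netlogon; do audit_share "$SMB_CONF" "$s"; done
```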

 

  • Fedora: http://fedoraproject.org/
  • Samba: http://de.samba.org/
  • CUPS: http://www.cups.org/
