SAMBA (Domaincontroller) Server For Small Workgroups With Ubuntu 6.10


This is a detailed description of how to set up an Ubuntu-based server (Ubuntu 6.10) to act as a file and print server for Windows™ workstations in small workgroups. This howto uses the tdb backend for SAMBA to store passwords and account information. This is suitable for workgroups of up to 250 users and is easier to set up than an LDAP backend.

Installed Software:

  • Samba as Domaincontroller
  • Cups
  • Foomatic printer drivers

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

Requirements

To install such a system you will need the following:

  • A Ubuntu server install CD (available here: http://www.ubuntu.com/download/)
  • An internet connection since I will describe a network installation in this document.

In part 1 of the howto, I will install the Ubuntu base system. You may skip this part if the base system is already set up on your server.

 

1 The Base System

Insert your Ubuntu install CD into your system and boot from it.

The installation starts, and first you have to choose your language.

Choose a keyboard layout.

Choose your location.

Package scanning starts.

Enter the hostname. In this example, my system is called fileserver1, so I enter fileserver1.

Partitioning the server. I will use one large partition for the operating system and data and a small swap partition.

Set the system clock either to UTC (Universal Time) or local time.

Now we create a first user which will be used for administration purposes, so I name the user administrator.

The installation of the base system starts.

Don’t select anything here, just select Continue.

The package installation starts.

The base setup is finished and your server will boot now into the fresh Ubuntu Linux system.

2 Installing And Configuring The Rest Of The System

Enable root user

Now I can log in with the username administrator and the password I entered above. I will enable the root user first for ease of installation. You can disable it later if you want.

sudo passwd root
su

Now we are logged in as root user.

Hint: This step is optional. If you don’t want to enable the root user for security reasons, please run the command

sudo su

to switch to root without enabling the root user to log in directly.

 

Configure The Network

Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):

vi /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
mapping hotplug
        script grep
        map eth0

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

Then restart your network:

/etc/init.d/networking restart

Edit /etc/hosts and add your new IP addresses:

vi /etc/hosts

127.0.0.1       localhost.localdomain   localhost       server1
192.168.0.100   server1.example.com     server1


# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

 

Setting the Hostname

echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname

 

Edit /etc/apt/sources.list And Update Your Linux Installation

Now we edit the file /etc/apt/sources.list to enable the Ubuntu universe repository:

vi /etc/apt/sources.list

It should look like this:

#
# deb cdrom:[Ubuntu-Server 6.10 _Edgy Eft_ - Release i386 (20061025.1)]/ edgy main restricted


#deb cdrom:[Ubuntu-Server 6.10 _Edgy Eft_ - Release i386 (20061025.1)]/ edgy main restricted

deb http://de.archive.ubuntu.com/ubuntu/ edgy main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ edgy main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ edgy-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ edgy-updates main restricted

## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://de.archive.ubuntu.com/ubuntu/ edgy universe
deb-src http://de.archive.ubuntu.com/ubuntu/ edgy universe

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://de.archive.ubuntu.com/ubuntu/ edgy-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ edgy-backports main restricted universe multiverse


deb http://security.ubuntu.com/ubuntu edgy-security main restricted
deb-src http://security.ubuntu.com/ubuntu edgy-security main restricted
deb http://security.ubuntu.com/ubuntu edgy-security universe
deb-src http://security.ubuntu.com/ubuntu edgy-security universe

Now we load the new sources and update our system:

apt-get update
apt-get upgrade

 

Install SSH Daemon

apt-get install ssh openssh-server

 

The Next Steps…

Now you can log in to your Server with an SSH Client like PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/). It’s easier to follow this howto if you connect to your server with PuTTY and copy and paste the commands. If you want to edit config files on the server, you can use commandline editors like vi, pico or joe or use a program like WinSCP (http://winscp.net/eng/docs/lang:en) to edit the files over your SSH connection in a Windows client.

 

Quota

apt-get install quota

Edit /etc/fstab to look like this (I added ,usrquota,grpquota to the partitions with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# /dev/sda1
UUID=226d9304-88ca-44c0-a3e3-d1ad26cfc084 /               ext3    defaults,errors=remount-ro,usrquota,grpquota 0       1
# /dev/sda5
UUID=d824ce36-04b8-4870-83f4-f1a5037c2de4 none            swap    sw              0       0
/dev/hdc        /media/cdrom0   udf,iso9660 user,noauto     0       0

Then run:

touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

You will get an error like this when you run the command quotacheck -avugm the first time:

quotacheck: WARNING - Quotafile //quota.user was probably truncated. Cannot save quota settings...
quotacheck: WARNING - Quotafile //quota.group was probably truncated. Cannot save quota settings...

That is normal and nothing to worry about!

SAMBA Server

apt-get install samba samba-common samba-doc libcupsys2-gnutls10 libkrb53 winbind smbclient

Edit /etc/samba/smb.conf so that it looks like this:

vi /etc/samba/smb.conf

[global]
   workgroup = MYWORKGROUP
   netbios name = SERVER1
   server string = %h server (Samba, Ubuntu)

   
   passdb backend = tdbsam
   security = user
   username map = /etc/samba/smbusers
   name resolve order = wins bcast hosts
   domain logons = yes
   preferred master = yes
   wins support = yes
   
   # Set CUPS for printing
   load printers = yes
   printcap name = CUPS
   printing = CUPS
   printer admin = @lpadmin
   
   # Default logon
   logon drive = H:
   logon script = scripts/logon.bat
   logon path = \\server1\profile\%U


   # Useradd scripts
   add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
   delete user script = /usr/sbin/userdel -r %u
   add group script = /usr/sbin/groupadd %g
   delete group script = /usr/sbin/groupdel %g
   add user to group script = /usr/sbin/usermod -G %g %u
   add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
   idmap uid = 15000-20000
   idmap gid = 15000-20000
   template shell = /bin/bash


   # sync smb passwords with linux passwords
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
   passwd chat debug = yes
   unix password sync = yes
   
   # set the loglevel
   log level = 3

[public]
   browseable = yes
   public = yes


[homes]
   comment = Home
   valid users = %S
   read only = no
   browsable = no


[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = yes
   public = no
   writable = no
   create mode = 0700
   
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
   write list = root, @smbadmin


[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   admin users = Administrator
   valid users = %U
   read only = no
   guest ok = yes
   writable = no
   share modes = no


[profile]
   comment = User profiles
   path = /home/samba/profiles
   valid users = %U
   create mode = 0600
   directory mode = 0700
   writable = yes
   browsable = no
   guest ok = no

Create the directories for domain logons and profiles:

mkdir /home/samba
mkdir /home/samba/netlogon
mkdir /home/samba/profiles
mkdir /var/spool/samba
chmod 777 /var/spool/samba/
chown -R root:users /home/samba/
chmod -R 771 /home/samba/

Now we restart Samba:

/etc/init.d/samba restart
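
A check to run against the smb.conf above before relying on it, as an added example that is not part of the original howto: Samba only runs the add/delete helper scripts when a client triggers them, so a mistyped command path stays hidden until a domain join or user creation fails, and a share that admits guests is worth listing together with the directory it exports. The function names and the sample configuration (including /usr/sbin/no-such-helper) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the howto): read-only checks on an smb.conf.

# Emit "helper|<key>|<command>" for each add/delete script and passwd program,
# and "guest|<share>|<path>" for each share with public/guest ok = yes.
scan_conf() {
    awk '
        function report() {
            if (sec != "" && guest)
                print "guest|" sec "|" (path == "" ? "(no path set)" : path)
        }
        /^[ \t]*[#;]/ { next }                  # comment lines
        /^[ \t]*\[/ {                           # start of a [section]
            report()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            guest = 0; path = ""; next
        }
        /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key ~ /^(add|delete) .*script$/ || key == "passwd program") {
                split(val, w, /[ \t]+/); print "helper|" key "|" w[1]
            }
            if ((key == "public" || key == "guest ok") && tolower(val) == "yes")
                guest = 1
            if (key == "path") path = val
        }
        END { report() }' "$1"
}

# Helper commands that are not executable files (typos, stray slashes).
list_bad_helpers() {
    scan_conf "$1" | while IFS='|' read -r kind key bin; do
        [ "$kind" = helper ] || continue
        [ -f "$bin" ] && [ -x "$bin" ] || printf '%s: %s\n' "$key" "$bin"
    done
}

# Shares that admit guests, with the directory each one exports.
list_guest_shares() {
    scan_conf "$1" | sed -n 's/^guest|//p'
}

# Constructed sample in the style of the configuration above.
sample_conf() {
    printf '%s\n' '[global]' \
        'add user script = /bin/sh -c true %u' \
        'add machine script = /bin/sh/ -d /var/lib/nobody %u' \
        'add user to group script = /usr/sbin/no-such-helper -G %g %u' \
        'logon script = scripts/logon.bat' \
        '[public]' 'public = yes' \
        '[netlogon]' 'path = /home/samba/netlogon' 'guest ok = yes' \
        '[profile]' 'path = /home/samba/profiles' 'guest ok = no'
}
```

On the server, run list_bad_helpers /etc/samba/smb.conf and list_guest_shares /etc/samba/smb.conf; no output from the first means every helper command resolves to an executable file.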

Edit /etc/nsswitch.conf. Change the line:

vi /etc/nsswitch.conf

hosts: files dns

to:

hosts: files wins dns

Add all computers of your workgroup in the /etc/hosts file on the server:

vi /etc/hosts

[...]
192.168.0.100 server1
192.168.0.110 workstation1
192.168.0.111 workstation2
192.168.0.112 workstation3
192.168.0.113 workstation4
[...]

Add the root user to the SAMBA password database. The root user (alias: Administrator) will be our domain administrator. This account is needed to add new computers to the SAMBA domain.

smbpasswd -a root

Create the file /etc/samba/smbusers and add the line by executing:

echo "root = Administrator" > /etc/samba/smbusers

This will allow us to use the common Windows username Administrator as an alias for the Linux root user.

Now I will test if the setup is correct:

smbclient -L localhost -U%

The output should look similar to this:

Domain=[MYWORKGROUP] OS=[Unix] Server=[Samba 3.0.22]

Sharename       Type      Comment
---------       ----      -------
public          Disk
print$          Disk      Printer Drivers
netlogon        Disk      Network Logon Service
IPC$            IPC       IPC Service (server1 server (Samba, Ubuntu))
ADMIN$          IPC       IPC Service (server1 server (Samba, Ubuntu))
Domain=[MYWORKGROUP] OS=[Unix] Server=[Samba 3.0.22]

Server               Comment
---------            -------
SERVER1              server1 server (Samba, Ubuntu)

Workgroup            Master
---------            -------
MYWORKGROUP          SERVER1

Set up the default domain groups for Windows:

net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup

 

Adding Users To Our SAMBA Domain

Now we will add a user, e.g. tom, to our Samba domain. You will have to add a user like this for each user account you want to connect to this SAMBA domain server.

1) Add a Linux user tom:

useradd tom -m -G users

2) Add the Linux user tom to the SAMBA password database:

smbpasswd -a tom

 

Adding Shares

Now I will add a share that is accessible by all users:

mkdir -p /home/shares/allusers
chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/

At the end of the file /etc/samba/smb.conf add the following lines:

[allusers]
  comment = All Users
  path = /home/shares/allusers
  valid users = @users
  force group = users 
  create mask = 0660
  directory mask = 0771
  writable = yes

Now we restart Samba:

/etc/init.d/samba restart

Installing CUPS

apt-get install cupsys cupsys-client cupsys-driver-gimpprint defoma fontconfig foomatic-db foomatic-filters libcupsimage2 libexpat1 libfontconfig1 libfreetype6 libjpeg62 libpaper1 libpng12-0 libslp1 libtiff4 patch perl perl-modules ttf-bitstream-vera ucf

To get access to the web interface from my workstation (IP 192.168.0.70), I will change CUPS to listen on the server IP and allow access from the IP 192.168.0.70. You will have to change this IP to suit your network configuration.

vi /etc/cups/cupsd.conf

The cupsd.conf file should look like this after editing:

	  
#
#
#   Sample configuration file for the Common UNIX Printing System (CUPS)
#   scheduler.  See "man cupsd.conf" for a complete description of this
#   file.
#

# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel info

# Administrator user group...
SystemGroup lpadmin

# Listen for connections from the local machine and on the server IP.
Listen localhost:631
Listen 192.168.0.100:631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing Yes
BrowseOrder allow,deny
BrowseAllow @LOCAL
BrowseAddress @LOCAL

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Restrict access to the server...
<Location />
  Order allow,deny
  Allow localhost
  Allow @LOCAL
  Allow 192.168.0.70
</Location>

# Restrict access to the admin pages...
#<Location /admin>
#  Order allow,deny
#  Allow localhost
#</Location>

<Location /admin>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
  Allow 192.168.0.70
</Location>


# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
  Allow 192.168.0.70
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job-related operations must be done by the owner or an adminstrator...
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an adminstrator to authenticate...
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
    AuthType Basic
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

Add the cupsys user to the shadow group:

adduser cupsys shadow

and restart the cups daemon:

/etc/init.d/cupsys restart

The CUPS web interface is now accessible with any web browser from my workstation:

http://192.168.0.100:631/

Now I can log in to the cups interface with the username root and my root password.
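
A read-only summary of who can reach what in a cupsd.conf edited as above, as an added example that is not part of the original howto: it lists the Listen addresses exposed to the network and, for each <Location> block, the AuthType and the non-local Allow entries. The function names and the sample (built from the values used in this howto) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the howto): summarise access rules in a cupsd.conf.

# Print "<location>|<AuthType or none>|<non-local Allow entries or ->".
list_locations() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out blocks
        /^[ \t]*<Location / {
            loc = $2; sub(/>$/, "", loc); auth = "none"; allow = ""; next
        }
        loc != "" && $1 == "AuthType" { auth = $2 }
        loc != "" && $1 == "Allow" && $NF != "localhost" {
            allow = (allow == "" ? "" : allow ",") $NF
        }
        /^[ \t]*<\/Location>/ {
            print loc "|" auth "|" (allow == "" ? "-" : allow); loc = ""
        }' "$1"
}

# Locations that accept other hosts and set no AuthType of their own.
list_unauthenticated_remote() {
    list_locations "$1" | awk -F'|' '$2 == "none" && $3 != "-" { print $1 }'
}

# Listen directives bound to something other than loopback or a UNIX socket.
list_network_listeners() {
    awk '$1 == "Listen" && $2 !~ /^(localhost|127\.|\[::1\]|\/)/ { print $2 }' "$1"
}

# Constructed sample using the addresses from this howto.
sample_cupsd_conf() {
    printf '%s\n' 'Listen localhost:631' 'Listen 192.168.0.100:631' \
        'Listen /var/run/cups/cups.sock' \
        '<Location />' '  Order allow,deny' '  Allow localhost' \
        '  Allow @LOCAL' '  Allow 192.168.0.70' '</Location>' \
        '#<Location /admin>' '#  Allow localhost' '#</Location>' \
        '<Location /admin>' '  AuthType Basic' '  Require user @SYSTEM' \
        '  Order allow,deny' '  Allow localhost' '  Allow 192.168.0.70' \
        '</Location>'
}
```

Run the three functions against /etc/cups/cupsd.conf after each edit; the /admin and /admin/conf locations should always show an AuthType, and the Allow column should contain only the workstations you intend to administer from.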

Please note: If there is no Linux driver available for your printer and you want to use this printer only from your Windows workstations through SAMBA, you can select RAW as the printer manufacturer and install the correct driver on your Windows workstation.

If you created a new printer in cups, you will have to add it to samba with the command:

cupsaddsmb -a


 

  • http://www.ubuntu.com
  • http://www.samba.org
  • http://www.cups.org

All trademarks belong to their respective owners.


 

 
