Tuesday, 13 December 2011

### Samba ###



 1. Provides Windows features (file & print) on Linux | Unix

/etc/samba/smb.conf - primary config file

Clients:
 1. findsmb - finds SMB hosts on the network
 2. smbtree - equivalent to Network Neighborhood/My Network Places (prints workgroups, hosts, and shares)
 3. smbget - similar to 'wget': downloads files from a remote share
  a. smbget -u dean smb://linuxcbtwin1/mtemp/20070524_SAN_Allocations.ods

 4. smbclient - interactive (FTP-like) utility to connect to shares - permits uploads/downloads from shares
  a. smbclient -U dean //linuxcbtwin1/mtemp
  b. mget file* - downloads file(s)
  c. mput file* - uploads file(s)


 5. smbtar - backs up SMB shares to a TAR archive
  a. smbtar -s linuxcbtwin1 -x mtemp -u dean -t backup1.tar


Samba Server:
/etc/samba/smb.conf - primary config file

SWAT manages /etc/samba/smb.conf

Samba Server Modes:
 1. User
  a. One Samba-defined user is required per Linux user
  b. Authentication of users is handled by Samba server
 2. Server/Domain (PDC/BDC)
  a. Authentication is handled by the Windows NT/2K/2K3/2K8 server
  b. Still requires a local Samba-defined user accounts database
 3. ADS - Active Directory
  a. Authentication is handled by Active Directory
  b. When used with Winbind, locally-defined Samba users are NOT required

Note: Ultimately, users must authenticate to the local Linux file system

Task:
 1. Install SWAT
  a. yum -y install samba-swat
  b. nano /etc/xinetd.d/swat - set 'disable = no'
  c. service xinetd restart
  d. netstat -ntl | grep 901


/etc/samba/smbpasswd maps Windows users to /etc/passwd

 2. Install rdesktop and connect to Windows XP to test connectivity to Samba
  a. yum -y install rdesktop

Winbind:
 Features:
  1. Windows AD integration
  2. Avoids having to define users in 2 places: Windows, Linux
  3. Uses Kerberos for authentication

Requirements:
 1. krb5-* packages
 2. Properly configured Kerberos environment:
  a. /etc/krb5.conf

[libdefaults]
    default_realm = AD2.LINUXCBT.INTERNAL

[realms]
    AD2.LINUXCBT.INTERNAL = {
        kdc = linuxcbtwin3.ad2.linuxcbt.internal
        admin_server = linuxcbtwin3
    }

[domain_realm]
    .linuxcbtwin3.ad2.linuxcbt.internal = AD2.LINUXCBT.INTERNAL


Steps:
 1. Update: /etc/krb5.conf
 2. Update Samba configuration to use ADS authentication
 3. Update Samba server's DNS to point to ADS server
  a. /etc/resolv.conf
  b. /etc/hosts - including a pointer to the ADS server (linuxcbtwin3)

 4. Join AD domain:
  a. 'net ads join -U administrator'
 5. Confirm AD membership using: 'Active Directory Users & Computers' Tool

 6. Setup Winbind to authenticate using ADS:
  a. /etc/pam.d/system-auth - account & auth settings
  auth sufficient /lib/security/pam_winbind.so - place before 'pam_unix.so'
  account sufficient /lib/security/pam_winbind.so

  b. /etc/nsswitch.conf
   passwd: files winbind
   group: files winbind

  c. Configure 'idmap' 'uid & gid' mappings - range 10000-20000
   Use SWAT to update idmap settings for 'uid & gid'
Note: If you want ADS users to be able to log on to your Samba-Winbind Linux box using SSH, Telnet, mingetty, etc., change the 'Template Shell' directive to a valid shell, e.g. /bin/bash

  d. Create 'Template homedir' %D (Domain) directory beneath '/home'
   mkdir /home/LINUXGENIUS

 7. Test Winbind Integration using: wbinfo
  a. wbinfo -u - this enumerates users in AD
  b. wbinfo -g - this enumerates groups in AD
  c. ssh into LINUXCBTSERV1 (Winbind) as ADS user
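
A quick check for steps 6a and 6b, added here as an example and not part of the original notes: it verifies that pam_winbind.so is present in the 'auth' and 'account' stacks (and precedes pam_unix.so in 'auth') and that 'passwd' and 'group' in nsswitch.conf list both files and winbind. The function names and the '--run' switch are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original notes); function names are hypothetical.

# pam_winbind_ok FILE STACK: pam_winbind.so must be present in STACK; in the
# "auth" stack it must also come before pam_unix.so, as step 6a requires.
pam_winbind_ok() {
    file=$1 stack=$2
    awk -v s="$stack" '
        $1 == s && /pam_winbind\.so/ && !w { w = NR }
        $1 == s && /pam_unix\.so/    && !u { u = NR }
        END { exit !(w && (s != "auth" || !u || w < u)) }
    ' "$file"
}

# nss_winbind_ok FILE DB: the DB line ("passwd" or "group") must list both
# "files" and "winbind" as sources, as in step 6b.
nss_winbind_ok() {
    file=$1 db=$2
    awk -v d="$db:" '
        $1 == d { for (i = 2; i <= NF; i++) { if ($i == "files") f = 1; if ($i == "winbind") w = 1 } }
        END { exit !(f && w) }
    ' "$file"
}

# check_winbind_setup [PAM_FILE] [NSS_FILE]: run every check, report each
# failure, and return non-zero if any check failed.
check_winbind_setup() {
    pam=${1:-/etc/pam.d/system-auth} nss=${2:-/etc/nsswitch.conf}
    rc=0
    for s in auth account; do
        pam_winbind_ok "$pam" "$s" || { echo "FAIL: $pam: pam_winbind.so missing or misplaced in '$s'"; rc=1; }
    done
    for n in passwd group; do
        nss_winbind_ok "$nss" "$n" || { echo "FAIL: $nss: '$n' does not list files and winbind"; rc=1; }
    done
    return $rc
}

# Run only when invoked as: sh check.sh --run [PAM_FILE] [NSS_FILE]
if [ "${1:-}" = "--run" ]; then shift; check_winbind_setup "$@"; fi
```

Passing alternate file paths lets you validate edited copies before installing them over the live files.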


Task1:
 1. Authenticate using ADS, as 'administrator' from Windows box
 2. Create a user named 'linuxcbt' in AD
 3. Create shared directory on the Samba box, and provide access (Share it)
