SAMBA (Domaincontroller) Server For Small Workgroups With Ubuntu 5.10 "Breezy Badger" - Page 5

Submitted by till on Wed, 2005-12-07 17:36.

Adding Users To Our SAMBA Domain

Now we will add a user, e.g. tom, to our Samba domain. You will have to add a user like this for each user account you want to connect to this SAMBA domain server.

1) Add a Linux user tom:

useradd tom -m -G users

2) Add the Linux user tom to the SAMBA password database:

smbpasswd -a tom


Adding Shares

Now I will add a share that is accessible by all users.

mkdir -p /home/shares/allusers
chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/

At the end of the file /etc/samba/smb.conf add the following lines:

[allusers]
comment = All Users
path = /home/shares/allusers
valid users = @users
force group = users
create mask = 0660
directory mask = 0771
writable = yes

Now we restart Samba:

/etc/init.d/samba restart
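
To confirm that the directory on disk matches the share definition above, the following added example (not part of the original tutorial) reads path and force group from an smb.conf and checks the directory's group and write bits. The function names share_param and check_share and the finding labels are made up for this example, and the demo uses a constructed temporary directory instead of /home/shares/allusers.

```shell
#!/bin/sh
# Added example (not part of the tutorial): compare a share with its directory.

# share_param FILE SHARE KEY prints the value of KEY in section [SHARE].
# smb.conf ignores case and whitespace in section and parameter names.
share_param() {
    awk -v share="$2" -v key="$3" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[.*\]/ {                           # section header
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            in_share = (norm(name) == norm(share)); next
        }
        in_share && (eq = index($0, "=")) {
            if (norm(substr($0, 1, eq - 1)) != norm(key)) next
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val); print val
        }
    ' "$1"
}

# check_share FILE SHARE prints one finding per line, or "ok".
check_share() {
    path=$(share_param "$1" "$2" "path")
    want=$(share_param "$1" "$2" "force group")
    [ -d "$path" ] || { echo "path-missing"; return 0; }
    # ls -ld: field 1 is the mode string (drwxrwxr-x), field 4 the group.
    ls -ld "$path" | awk -v want="$want" '{
        if (want != "" && $4 != want) { print "group-mismatch"; n++ }
        if (substr($1, 6, 1) != "w")  { print "group-cannot-write"; n++ }
        if (substr($1, 9, 1) == "w")  { print "world-writable"; n++ }
        if (!n) print "ok"
    }'
}

# Constructed demo: a throw-away directory stands in for /home/shares/allusers.
demo=$(mktemp -d) && chmod 775 "$demo"
printf '[allusers]\npath = %s\nforce group = %s\nwritable = yes\n' \
    "$demo" "$(ls -ld "$demo" | awk '{ print $4 }')" > "$demo/smb.conf"
check_share "$demo/smb.conf" allusers
chmod o+w "$demo"
check_share "$demo/smb.conf" allusers
rm -rf "$demo"
```

On the server itself the call would be check_share /etc/samba/smb.conf allusers.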


Installing CUPS

If you want your SAMBA server to act as a print server also, you have to install and configure CUPS (enter the following command on one line):

apt-get install cupsys cupsys-client cupsys-driver-gimpprint cupsys-driver-gimpprint-data defoma fontconfig foomatic-db foomatic-filters libcupsimage2 libexpat1 libfontconfig1 libfreetype6 libgimpprint1 libjpeg62 libpaper1 libpng12-0 libpoppler0c2 libslp1 libtiff4 patch perl perl-modules ttf-bitstream-vera ucf

To get access to the web interface from my workstation, I will change cups to listen on the Server IP.
Edit /etc/cups/cupsd.conf in the section Network Options:

Listen 127.0.0.1:631
Listen 192.168.0.100:631

Set AuthGroupName to shadow in the section Security Options:

AuthGroupName shadow

To allow access only from my admin workstation (IP: 192.168.0.70), I add Allow From 192.168.0.70 to the security options and set AuthClass to Group:

<Location /admin>
#
# You definitely will want to limit access to the administration functions.
# The default configuration requires a local connection from a user who
# is a member of the system group to do any admin tasks. You can change
# the group name using the SystemGroup directive.
#

AuthType Basic
AuthClass Group

## Restrict access to local domain
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.0.70

#Encryption Required
</Location>

Add the cupsys user to the shadow group:

adduser cupsys shadow

and restart the cups daemon:

/etc/init.d/cupsys restart

The CUPS web interface is now accessible with any web browser from my workstation:

http://192.168.0.100:631/

Now I can log in to the CUPS interface with username root and my root password.
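
The /admin block above uses AuthType Basic while Encryption Required is commented out, so the root password travels between the workstation and the server without TLS. The following added example (not from the original tutorial; audit_cups_admin and the finding labels are made-up names, and the sample input is constructed from the settings shown above) reads a cupsd.conf and reports the non-loopback Listen addresses, the addresses allowed to reach /admin, and whether Basic authentication is used without encryption.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit who can reach the CUPS admin pages.

# audit_cups_admin [FILE] prints one finding per line (reads stdin without FILE).
audit_cups_admin() {
    awk '
        $1 ~ /^#/           { next }          # commented-out directives do not apply
        $1 == "<Location"   { in_admin = ($2 == "/admin>"); next }
        $1 == "</Location>" { in_admin = 0; next }

        # Listen is global; a non-loopback address exposes port 631 to the LAN.
        tolower($1) == "listen" && $2 !~ /^(127\.|localhost|\[::1\])/ {
            print "listen-network " $2
        }
        in_admin && tolower($1) == "authtype"   { auth = tolower($2) }
        in_admin && tolower($1) == "encryption" { enc  = tolower($2) }
        in_admin && tolower($1) == "allow"      { print "admin-allow " $NF }

        END {
            # Basic only base64-encodes the password, so it needs TLS underneath.
            if (auth == "basic" && enc != "required")
                print "basic-auth-without-encryption"
        }
    ' "$@"
}

# Constructed sample: the cupsd.conf settings shown in the tutorial.
sample_cupsd_conf() {
    cat <<'EOF'
Listen 127.0.0.1:631
Listen 192.168.0.100:631
AuthGroupName shadow
<Location /admin>
AuthType Basic
AuthClass Group
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.0.70
#Encryption Required
</Location>
EOF
}

sample_cupsd_conf | audit_cups_admin
```

On the server, run audit_cups_admin /etc/cups/cupsd.conf after each change to the Location blocks.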

Hint: If there is no Linux driver available for your printer and you want to use this printer only from your Windows workstations through SAMBA, you can use the printer manufacturer RAW and install the correct driver on your Windows workstation.

If you created a new printer in cups, you will have to add it to samba with the command:

cupsaddsmb -a

Have fun!


Submitted by jmm (not registered) on Sat, 2009-06-27 04:18.

Hi, after following the tutorial this is what I get: "a domain controller for the domain adnt could not be contacted". What should I do?

Thanks

Submitted by Anonymous (not registered) on Sat, 2006-07-22 14:06.
The tutorial is excellent.

A suggestion -- You might want to consider adding a note in the last section where smb users are added, a newbie, like me, might forget to add the user to the GROUP 'users' which ubuntu doesn't do automatically when you create new users. If you don't do this, you end up not being able to access the shared 'allusers' directory which at first is confusing.

Submitted by Anonymous (not registered) on Sat, 2006-06-17 16:31.

I don't know if I was the only person that had these issues..

When trying to join the PC to the domain, I had to add it with the root login, then reboot, and login with the username I setup.


Apart from that though, a very nice tutorial and well done! Saved my ass :)

Submitted by Anonymous (not registered) on Mon, 2006-05-08 17:45.

Great tutorial. There is one minor mistake that gave me some trouble.

Where it says:

The cups webinterface is now accessible with any webbrowser from my workstation:

http://192.168.0.100:631/

It should be:

http://192.168.0.100:631/admin

You may also need to "Allow From [server's IP]" under <Location /admin> in cupsd.conf.

In addition, I had to allow the same addresses under <Location /> for it to work properly.

Submitted by Anonymous (not registered) on Mon, 2006-05-01 17:38.
Hey great howto... Recommended it to a lot of people so far! When is the LDAP part going to be done?! I REALLY NEED IT! :)
Submitted by Anonymous (not registered) on Mon, 2006-05-01 14:27.
I had set up a Samba PDC several months ago... I wish this was around then... It took me a week of evenings to finally get it working... And it really hasn't worked extremely reliably (ie I would get access denied at least once a day) until recently when I changed my PDC box from CentOS to Gentoo... No problems since then...
Submitted by Anonymous (not registered) on Mon, 2006-04-24 23:01.

thanx for the gr8 howto!

my only quibble is, if its "cut-and-paste," (in other words, as easy as it gets) shouldn't there be instructions on how to configure the 2nd machine?

it just seems like there are so many howtos that say configure this, do that, edit this file... but without reasons why to do those things. it was more difficult for me because i got up to the part about changing /etc/network/interfaces, and i didn't know how many of the values to change. a little trial and error and it worked.

gentoo has great docs, they have explicit instructions, but take a time out to explain why. thats why their docs have been easier to understand, in my experience, than things for debian.

Submitted by Anonymous (not registered) on Sat, 2006-04-08 06:35.

Thank you for an excellent walk-through for Ubuntu and Samba. I've been struggling with multiple linux distributions, trying to create a secure file server. Your tutorial saved me months of sleepless nights.


Thanks again,


Devan

Submitted by Anonymous (not registered) on Sat, 2006-02-25 18:30.

Hi,

Let me say that this how-to is the best thing in a long time. I am installing a PDC at my school and everything is working except that when from a client Winxp client I press CTRL-ALT-DEL and try to change that user's password I enter the old one the new one twice and then press ok. The machine just hangs there waiting and waiting... and nothing. Is this happening to someone else??

Thanks,

José

Submitted by Anonymous (not registered) on Wed, 2006-05-10 15:02.

Hi,

Try to change the "passwd chat" line in smb.conf to this:

passwd chat = *password* %n\n *password* %n\n *success*

/punch

Submitted by Anonymous (not registered) on Sat, 2006-02-04 23:57.

Suggestion:

Add the "foomatic-filters-ppds" package to the cups installation line, it will install the foomatic ppds.

Submitted by Anonymous (not registered) on Thu, 2006-01-19 23:23.

I had absolutely no problems setting up my domain controller as described here. This includes the main features of:

* Roaming profiles
* Central user management (set 'em up on the server and they can log in at any workstation, that is joined into the domain.

This is how joining is done - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/82b8966c-a6d9-49f7-9bd5-2990a7cc38c3.mspx ) While I agree to use Ubuntu (and the underlying Debian OS. Since it is the last truly "free" distro)

I then tried the same method (using the same smb.conf) on an existing RedHat Fedora Core 4 Samba installation and after only minor tweaking (eg. re-entering user passwords into smbpasswd, because the above setup uses a different, more secure password db) I was able to get it working. Naturally one would also have to deal with any migration issues (mostly transferring files to the network) of existing users.

On a whole a very good experience getting something going, which I personally had attempted without success several times over the past years. ....And HowtoForge rocks ; - )...many great howtos. Thanks

Submitted by Anonymous (not registered) on Mon, 2006-04-17 12:19.
What are the benefits of roaming profiles? Is this functionality standard, how do you get it working?
Submitted by Anonymous (not registered) on Wed, 2006-01-18 12:07.

Very useful.. I used it for a small network and it worked perfectly..

Submitted by Anonymous (not registered) on Mon, 2006-01-09 07:16.
I'd like to also say this is a great article -- easy to read and very straight forward in its language. I too look forward to the ldap piece. -NG
Submitted by Anonymous (not registered) on Sun, 2006-01-08 14:17.

This was a very great article! Thanks so much. I do hope that you decide to post another using LDAP though, as I have been wanting to get this working for some time but just can't find a good enough how-to - as all of the attempts I've made failed miserably.

I'm looking for something that allows both windows and linux clients to authenticate to a central authentication server.

I'm sure many would appreciate it.

Thanks again,

Mike.

Submitted by Anonymous (not registered) on Mon, 2006-03-06 21:15.

It took me a while but I got the LDAP piece working last year. No clean, easy, and still current howto covers everything with LDAP/Samba SSO so you will be working on this for a long time if you really want it. I created and recreated it many times, learning more about LDAP each time. I ended up following the Samba example howto *exactly* in order to have a working setup, then changing it to suit my situation. Some of the problems I encountered were old Samba and Slapd packages in the apt repositories, the inability to use a SASL backend, no digest passwords, etc. No idea if these were fixed after 3.0.14.

The addition of the LDAP piece gives me a single-sign-on solution for both windows and *nix boxes, but because of the SASL/Digest issue you need to use SSL certificates, which can present a whole 'nuther issue. Watch out adding users to the root group (using netgroup map in this tutorial) it may present a security issue in your configuration if you are not careful since Samba can communicate using the old NTLM protocols.

The beauty is that once you have LDAP auth working you can use PAM to extend it to auth almost anything: Apache, SSH, mail services, etc.

-Box

Submitted by Anonymous (not registered) on Mon, 2006-01-09 09:58.
Really superb tutorial. I tried to find the relevant forum entry but couldn't find it. How is it possible to do this via the GUI interface?
Submitted by Anonymous (not registered) on Mon, 2006-01-09 09:56.
I really like this. Is there a method to do this using a gui interface?
Submitted by Anonymous (not registered) on Wed, 2006-01-25 22:01.

Samba comes with a web config tool SWAT.

there are also lots of guis for samba here -http://us5.samba.org/samba/GUI/

in case u also need a gui for other things apart from samba u might want to try webmin. (webmin.org)

Submitted by Anonymous (not registered) on Wed, 2006-01-25 21:48.
u can try webmin(webmin.com) . It has a module to configure samba.
Submitted by Anonymous (not registered) on Sat, 2006-01-14 17:02.
no
Submitted by Anonymous (not registered) on Mon, 2006-02-20 10:22.

This was a great help from a invaluable website. I am looking forward to the HowTo for a PDC and BDC using OpenLDAP and hope the author will find the time to post it soon. All sysadmins that learned something about the subject here owe the author a great deal of gratitude.