Samba для windows что это

Чтобы решить проблемы, вызванные разобщенностью Microsoft Windows и Linux в корпоративных сетях и добиться «прозрачности» и доступности для администраторов и пользователей одной корпоративной сети к другой, применяется протоколы SMB/CIFS и программа Samba со стороны UNIX/Linux.

Что умеет Samba?

Samba представляет собой программный пакет с открытым исходным кодом, дающий сетевым администраторам возможность гибко и свободно настраивать, конфигурировать и выбирать системы и оборудование, то есть устанавливать на компьютерах UNIX/Linux имитации устройств с Windows. Это упрощает выполнение задач по обмену файлами (как файл-серверам) или задавать параметры печати в качестве принт-серверов.

Принцип программы Samba

Samba обеспечивает свободный доступ к:

• дискам Linux к Windows-компьютерам;
• дискам Windows к оборудованию с ПО Linux;
• принтерам Linux к Windows-компьютерам;
• принтерам Windows к Linux-системам.

Протоколы SMB/CIFS: что это такое, в чем различия

Говоря о программе Samba немаловажно упомянуть о протоколах SMB и CIFS:

• SMB (Server Message Block) – это один из наиболее старых протоколов (был разработан в 1983 году). SMB изначально существовал как клиент-серверный протокол для получения доступа к файлам, каталогам и сетевым ресурсам, а также для обмена информацией по межсистемным процессам. На сегодняшний день основное назначение SMB (версия 3.1.1.) – это установка соединения с устройствами со старыми версиями ОС Microsoft для подключения к серверам и обмена файлами.
• CIFS (Common Internet File System) представляет собой часть протокола SMB и применяется для удаленного подключения нескольких платформ – Windows, Linux или macOS. Отличительная характеристика CIFS – это его универсальность, позволяющая идентифицировать и читать файлы системы NTFS, применяемой в Windows, и HFS из macOS, чтобы совместно использовать эти файлы и принтеры между машинами с Windows и UNIX.

В отличие от SMB, CIFS имеет более широкий функционал – этот протокол способен поддерживать символические и жесткие ссылки, а также файлы больших размеров.

Но сейчас CIFS почти не используется, так как в последних версиях Windows (начиная с версии используются протоколы SMB 2 или SMB 3, которые по сути являются обновленной версией CIFS.

Настройка сети

Первым этапом нужно создать в панели управления все необходимые для этой сети серверы. Затем следует объединение всех машин через панель управления (раздел «Сети») в единую локальную сеть с присвоением каждому серверу локального IP-адреса. После того, как сеть будет создана, нужно провести настройки сетевых адаптеров для каждого сервера.

Настройка сетевого адаптера ОС Centos для Linux проводится так. Подключаемся к виртуальному серверу с правами суперпользователя и выполняем команду:

ifconfig -a

В результате должен отобразиться перечень подключенных интерфейсов:

eth0: flags=4163 mtu 1500
inet 5.200.47.73 netmask 255.255.255.0 broadcast 5.200.47.255
inet6 fe80::250:56ff:fe01:29a9 prefixlen 64 scopeid 0x20
ether 00:50:56:01:29:a9 txqueuelen 1000 (Ethernet)
RX packets 760 bytes 57362 (56.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163 mtu 1500
inet6 fe80::8f6:6de2:ec53:e800 prefixlen 64 scopeid 0x20
ether 00:50:56:01:03:59 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22 bytes 3580 (3.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1 (Local Loopback)
RX packets 64 bytes 5184 (5.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 64 bytes 5184 (5.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

В настройках сети находим поле MAC, для которого в списке интерфейсов вывелся параметр ether; теперь надо зафиксировать название интерфейса, в этом примере – eth1.

Прежде чем настраивать адаптер в ОС, понадобится уточнить в параметрах сети, была ли выполнена активация для опции DHCP в панели управления рабочей сетью.

Затем перейти в каталог с конфигурационными файлами сетевых интерфейсов:

cd /etc/sysconfig/network-scripts/

Скопировать конфигурационный файл существующего интерфейса, указав имя нового интерфейса:

cp ifcfg-<существующий_интерфейс> ifcfg-<новый_интерфейс>

Далее проверить в настройках сети в панели управления активирована ли опция DHCP. Если активирована, то нужно скопировать файл и отредактировать с помощью текстового редактора и внести исправления, указав собственные значения:

HWADDR=<mac_из_панели_управления>
NAME=<имя_интерфейса>
DEVICE=<имя_интерфейса>
ONB OOT=yes
USERCTL=no
BOOTPROTO=dhcp
check_link_down() {
return 1;
}

Сохраняем изменения.
После всех действий перезапустите сетевые службы сервера, чтобы изменения вступили в силу:

service network restart

Для проверки корректности работы выполните команду ping до другого сервера в частной или публичной сети:

ping 10.0.1.3

Для сетевых интерфейсов Windows настройка будет проводиться по следующей схеме:

• подключаемся к виртуальному серверу по RDP и открываем Network and Sharing Center. Для этого на рабочем столе Windows выбираем и открываем настройки сетевых подключений. В появившемся окне выбираем требуемый интерфейс, не имеющий доступа к сети. Для проверки состояния этого интерфейса откроем его детализацию (кнопка Details). Затем сравниваем значение поля Physical Address со информацией поля MAC в панели управления;
• если при создании сети в панели была активирована опция DHСP, то сетевой адаптер настроится автоматически. Уточнить состояние этой опции можно через свойства сети в панели управления;
• если опция DHCP при создании сети активирована не была, настраивать сеть понадобится вручную. Для этого свойства адаптера открываются через клавишу Properties (выбирается соединение IPv4 и нажимается Properties), затем в появившемся окне в поле IP-address вводится выданный адрес, а в поле Subnet mask – маска подсети. Все значения можно найти в панели в настройках сервера (раздел Сети) или в меню Сеть. После этого все изменения обязательно сохраняются.

Для проверки настроек сетевого адаптера выполняем команду:

ping 10.0.1.1

Чтобы проверить Windows Server 2016, пинг проводится на другой локальный сервер.

Настройка общей папки в Linux и Windows

Linux

Установка и настройка Samba-сервер для Linux состоит из следующих этапов:

1.Обновления информации о репозиториях и для существующих пакетов в системе:

apt-get update && apt-get upgrade

2.Установки пакета Samba:

apt-get install -y samba samba-client

3.Создания резервной копии файла конфигурации:

cp /etc/samba/smb.conf /etc/samba/smb.conf_sample

4.Создания директории для файлов, так чтобы все пользователи имели к ней доступ:

mkdir -p /samba/public

5.Создания каталога для всех пользователей:

mkdir /media/samba/public

6.Изменения прав доступа к каталогу:

cd /samba
chmod -R 0755 public

Важно! Для смены владельца и/или группы пользуемся командой chown

7.Создания директории для ограниченного круга лиц

8.Создания групп пользователей с применением системных инструментов:

groupadd smbgrp

9.Добавления пользователей Samba:

useradd user1

10.Внесения созданных пользователей в группу:

chgrp smbgrp /samba/private

11.Изменения группы, к которой относится приватная директория:

chgrp smbgrp /samba/private

12.Создания с помощью инструментов Samba пароля для добавленного пользователя:

smbpasswd -a user1

13.Редактирования конфигурационного файла samba с помощью текстового редактора:

текстовый редактор /etc/samba/smb.conf

Все строки из файла удаляются, а вместо них вставляются следующие:

[global]
workgroup = WORKGROUP
security = user
map to guest = bad user
wins support = no
dns proxy = no
[public]
path = /samba/public
guest ok = yes
force user = nobody
browsable = yes
writable = yes
[private]
path = /samba/private
valid users = @smbgrp
guest ok = no
browsable = yes
writable = yes

Сохранения введенных строк с использованием комбинации клавиш Ctrl + X, затем с нажатием Y и Enter.

Названия строк при этом обозначают:

• наименование одной из трех секций конфигурационного файла: global – данная секция отвечает за общие настройки Samba-сервера; public и private – секции, описывающие настройки директорий общего доступа;
• пять параметров в секции global: workgroup – наименование рабочей группы, security – уровень безопасности сервера с авторизацией по паре логин/пароль при значении user, map to guest — способ обработки запросов с отклонением неправильного пароля даже для существующего пользователя (значение bad user), wins support – включение/выключение поддержки WINS, dns proxy – обеспечение проксирования запросов к DNS;
• настройки директорий в секциях: path – полный путь до директории на жестком диске, guest ok – возможность доступа к каталогу без пароля (гостевой), force user – пользователь, ведущий работу с каталогом (для безопасности сервера используется значение nobody) , browsable — демонстрация конкретного каталога на сервере; writable – право пользователя при значении “yes” переименовывать, добавлять, удалять, редактировать файлы и перемещать их в каталоги; valid users – список пользователей с предоставленным доступом к каталогу.

14.Проверку настроек проводим командой:

testparm -s

15.Выполняем перезапуск сервера:

service smbd restart
service nmbd restart

Для настройки межсетевого экрана нужно открыть в правилах TCP-порты 139 и 445, а также UDP-порты 137 и 138 (для подсетей с высоким уровнем доверия). Если нужно указать собственный диапазон адресов, значение после ключа “-s” заменяется:

iptables -A INPUT -p tcp -m tcp --dport 445 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 139 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 137 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 138 -s 10.0.0.0/24 -j ACCEPT

16.После перезагрузки сервера сохранить правила и применять их поможет пакет iptables-persistent. Для его установки вводится команда:

apt-get install iptables-persistent

Далее понадобится подтверждение запоминаний существующих правил iptables и их проверка:

iptables -L

Настройка общей папки в ОС Windows

Настройки общего доступа к папкам public и private в ОС Windows выполняются аналогично с Linux. Чтобы обеспечить беспарольный доступ к каталогу, настроим ограничения защиты в панели управления:

Панель управления → Сеть → Центр управления сетями и общим доступом → Расширенные настройки общего доступа

В обновленном окне надо открыть раздел “Все сети” и выбрать секцию “Общий доступ с парольной защитой”, после чего отключить этот параметр и сохранить изменения. Доступ к самому каталогу открывается так: кликом по папке правой кнопки мыши разворачивается контекстное меню, в котором выполняются действия:

Свойства → Доступ → Расширенная настройка → Открыть общий доступ к этой папке

В поле “Имя общего ресурса” указывается название, отображаемое для пользователей. После этого кликается кнопка “Разрешения”, выбирается “Все” и устанавливается “Полный доступ”, и все это подтверждается.Затем в свойствах папки public выбирается “Общий доступ”, добавляются все пользователи, делегируются права на чтение и запись, и кликаются кнопки “Поделиться” и “Готово”.

Порядок настройки папки общего доступа для ограниченного числа пользователей будет таким:

• выбираем “Свойства” папки, открываем вкладку “Доступ” и разворачиваем “Расширенные настройки”;
• в открывшемся окне выбираем опцию “Открыть общий доступ к этой папке” и нажимаем “Разрешения”;
• выбираем “Все” в поле “Группы или пользователи” и жмем “Удалить” — это закрывает анонимный доступ к папке;
• во вновь появившемся окне выполняем следующие действия: “Добавить” → “Дополнительно” → “Поиск” → выбор пользователя, которому нужно предоставить доступ к каталогу. Точно по такой же схеме можно добавить пользователей в составе группы;
• устанавливаем права доступа (или полного доступа к директории) для выбранных лиц: нажимая “OK” переходим к окну свойств папки, выбираем “Общий доступ”, ищем в поле выбора пользователей и групп и добавляем нужного человека (“Дополнительно” → “Поиск” → установка пользователя двойным кликом);
• проверяем правильность выбора пользователя, кликаем “OK”, задаем все требуемые уровни разрешений, прожимаем “Поделиться” и “Готово”.

Чтобы подключиться к общим папкам из среды Linux, понадобится установить отдельный пакет ПО — smbclient. Для этого вводим команду:

sudo apt-get install smbclient

Для подключения к серверу применяется команда:

smbclient -U<Имя_пользователя><Имя_пользователя>

Эту команду не обязательно вводить каждый раз — для этого монтируем общую директорию как сетевой диск через установку пакета cifs-utils:

sudo apt-get install cifs-utils

и применяем шаблон:

mount -t cifs -o username=<Имя_пользователя>,password= //<IP-адрес>/<Общий каталог> <Точка монтирования>

Важно! При подключении к общепользовательским папкам для Windows-сервера в не защищенных паролями директориях устанавливается имя пользователя “Everyone”, для Linux-сервера — “nobody”.

Подключение к общим папкам из среды Windows проводится по иной схеме. Для этого в проводнике или окне запуска программ (Windows + R), применяется шаблон:

<IP-адрес><имя_папки>

Указанный только один IP-адрес сервера выдает список общих папок.

Если при подключении к Windows-серверу всплывает окно с требованием ввода учетной записи, в строку имени пользователя заносится Everyone, а пароль остается пустым.

Подключение к Linux-серверу из ОС Windows выполняется через шаблон <IP-адрес><имя_папки> или через адрес сервера.

Как создать общий сетевой ресурс в Samba

Создание общего сетевого ресурса в Samba включает этапы:

–формирования директории, которую надо установить общедоступной:

mkdir /home/<user_name>/<folder_name>

–создания бэкапа для подстраховки:

sudo cp /etc/samba/smb.conf ~

–редактирования файла «/etc/samba/smb.conf»:

sudo nano /etc/samba/smb.conf

–добавления в файл следующих сведений:

[<folder_name>]
path = /home/<user_name>/<folder_name>
valid users = <user_name>
read only = no

–после заполнения файла своими данными сохраняем введенные сведения и перезапускаем Samba:

sudo service smbd restart

–затем проверяем директорию smb.conf наличие неточностей:

testparm

–доступ к общему сетевому ресурсу предоставляется так:

sudo apt-get install smbclient
# Просмотр всех общих ресурсов:
smbclient -L //<host_ip_or_name>/<folder_name> -U <user>
# Подключение:
smbclient //<host_ip_or_name>/<folder_name> -U <user>

Примечание 1: Для подключения к вашему общему сетевому ресурсу задействуйте имя вашего пользователя () и пароль, который располагается в «smb:////»

Стоит запомнить, что «» значение переводится в «[]», иначе говоря, в название общепользовательского ресурса, вписанного вами в «/etc/samba/smb.conf».

Примечание 2: Группа пользователей samba по умолчанию носит название «WORKGROUP».

Пожалуй нет ни одного офиса, в котором не применялись бы общие ресурсы локальной сети, будь то папки или принтеры. Крупные и средние компании используют возможности Active Directory, компании поменьше – используют штатные средства ОС Windows или Samba, но на серверах под управлением ОС Linux. Рассмотрим все случаи, как настроить Samba.

Настройка общих папок в Linux

Установка и настройка Samba-сервер для Ubuntu выполняется следующими этапами.

Важно! По умолчанию, директория /media располагается в корне системы /, для нее редко создается свой раздел. По этой причине возможно переполнение корневого раздела. Во избежание этой неприятной ситуации, рекомендуем монтировать отдельный жесткий диск в /media/samba.

Также следует воспользоваться командой chown для смены владельца и/или группы.

Сохраняем используя сочетание Ctrl + X, затем нажимаем Y и Enter.

Объясним значения строк. конфигурационный файл состоит из трех секций:

global – данная секция отвечает за общие настройки Samba-сервера;

public и private – секции описания настроек директорий общего доступа.

В секции global присутствуют пять параметров:

• workgroup – рабочая группа. Для упрощения работы пользователей WORKGROUP указывается, как группа по умолчанию. Если в вашей сети имя рабочей группы изменено, то следует изменить это значение и для Samba;
• security – уровень безопасности сервера. Значение user означает авторизацию по паре логин/пароль;
• map to guest – параметр определяет способ обработки запросов. Значение bad user означает, что запросы с неправильным паролем будут отклонены, даже если такое имя пользователя существует;
• wins support – включить или выключить поддержку WINS;
• dns proxy – возможность проксирования запросов к DNS.

Настройки директорий выполняются в соответствующих секциях:

path – полный путь до директории на жестком диске;

guest ok – возможность доступа к каталогу без пароля (гостевой);

browsable – показывать ли каталог (“шару”) на сервере среди прочих. Если параметр установлен как “no”, то доступ будет возможен по полному пути, например ip-addresshidden_directory;

force user – пользователь от которого ведется работа с каталогом. Для повышения безопасности сервера, обычно используют nobody. Главное, не использовать пользователя root – это небезопасно.

writable – установка значения как “yes” позволяет пользователю выполнять действия над файлами внутри каталога – переименование, добавление, удаление, перемещение в подкаталог и копирование;

valid users – список пользователей у которых есть доступ к каталогу. Если пользователей несколько, их имена указываются через запятую. Если необходим доступ для пользователей принадлежащих группе, перед именем группы устанавливается символ ”at” @ (“собака”).

Важно! Имя директории общего доступа, отображаемое пользователям, равно имени секции в которой оно описано.

Настройка общих папок в Windows

Подключение к общим папкам из Linux

Важно! Если требуется подключение к общим папкам расположенным на Windows-сервере, то в для не защищенных паролем директорий, в качестве имени пользователя, следует использовать “Everyone”. Для подключения к Linux-серверу рекомендуем использовать в качестве имени пользователя “nobody”. В случае доступа к защищенным директориям следует использовать те учетные данные, которые вы указали.

Подключение к общим папкам из Windows

Как создать общий сетевой ресурс в Samba

Создайте директорию, которую в хотите сделать общей:

mkdir /home//

Создайте бэкап, если что-то пойдет не так:

sudo cp /etc/samba/smb.conf ~

Отредактируйте файл “/etc/samba/smb.conf”:

sudo nano /etc/samba/smb.conf

Добавьте следующее содержимое в файл:

[]
path = /home//
valid users =
read only = no

Заполните файл своими данными, сохраните его и затем закройте

Перезапустим Samba:

sudo service smbd restart

Использую данную команду проверьте вашу директорию smb.conf на ошибки:

testparm

Чтобы получить доступ к вашему общему сетевому ресурсу:

sudo apt-get install smbclient
# Просмотр всех общих ресурсов:
smbclient -L /// -U
# Подключение:
smbclient /// -U

Note 1: Чтобы подключиться к вашему общему сетевому ресурсу используйте имя вашего пользователя () и пароль, который находится “smb:////”
Учтите, что “” значение передается в “[]”,
другими словами, имя общего ресурса, которое вы ввели в “/etc/samba/smb.conf”.
Note 2: Группа пользователей samba по умолчанию это – “WORKGROUP”.

From Wikipedia, the free encyclopedia

Initial release	1992; 31 years ago[1]
Stable release	4.19.0[2]  / 4 September 2023
Repository	git.samba.org
Written in	C, Python
Operating system	Multiplatform
Type	Network file system
License	2008: GPL-3.0-or-later[a] 1993: GPL-2.0-or-later[b] 1992: Proprietary[c]
Website	www.samba.org

Samba is a free software re-implementation of the SMB networking protocol, and was originally developed by Andrew Tridgell. Samba provides file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.

Samba runs on most Unix-like systems, such as Linux, Solaris, AIX and the BSD variants, including Apple’s macOS Server, and macOS client (Mac OS X 10.2 and greater). Samba also runs on a number of other operating systems such as OpenVMS and IBM i. Samba is standard on nearly all distributions of Linux and is commonly included as a basic system service on other Unix-based operating systems as well. Samba is released under the terms of the GNU General Public License. The name Samba comes from SMB (Server Message Block), the name of the proprietary protocol used by the Microsoft Windows network file system.

Early history[edit]

Andrew Tridgell developed the first version of Samba Unix in December 1991 and January 1992, as a PhD student at the Australian National University, using a packet sniffer to do network analysis of the protocol used by DEC Pathworks server software. It did not have a formal name at the time of the first releases, versions 0.1, 0.5, and 1.0, all from the first half of January 1992; Tridgell simply referred to it as «a Unix file server for Dos Pathworks.» He understood that he had «in fact implemented the netbios protocol» at the time of version 1.0 and that «this software could be used with other PC clients.»^{[citation needed]}

With a focus on interoperability with Microsoft’s LAN Manager, Tridgell released «netbios for unix», observer, version 1.5 in December 1993. This release was the first to include client-software as well as a server. Also, at this time GPL2 was chosen as license.^{[citation needed]}

Midway through the 1.5-series, the name was changed to smbserver. However, Tridgell got a trademark notice from the company «Syntax», who sold a product named TotalNet Advanced Server and owned the trademark for «SMBserver». The name «Samba» was derived by running the Unix command grep through the system dictionary looking for words that contained the letters S, M, and B, in that order (i.e. grep -i '^s.*m.*b' /usr/share/dict/words).^[5]

Versions 1.6, 1.7, 1.8, and 1.9 followed relatively quickly, with the latter being released in January 1995. Tridgell considers the adoption of CVS in May 1996 to mark the birth of the Samba Team, though there had been contributions from other people, especially Jeremy Allison, previously.^[6]

Version 2.0.0 was released in January 1999, and version 2.2.0 in April 2001.

Version history[edit]

Version 3.0.0, released on 23 September 2003, was a major upgrade. Samba gained the ability to join Active Directory as a member, though not as a domain controller.^[7] Subsequent point-releases to 3.0 have added minor new features. Currently, the latest release in this series is 3.0.37, released 1 October 2009, and shipped on a voluntary basis.^[8] The 3.0.x series officially reached end-of-life on 5 August 2009.^[8]

Version 3.1 was used only for development.

With version 3.2, the project decided to move to time-based releases. New major releases, such as 3.3, 3.4, etc. will appear every six months. New features will only be added when a major release is done, point-releases will be only for bug fixes.^[9] Also, 3.2 marked a change of license from GPL2 to GPL3, with some parts released under LGPL3.^[4] The main technical change in version 3.2 was to autogenerate much of the DCE/RPC-code that used to be handcrafted. Version 3.2.0 was released on 1 July 2008.^[10] and its current release is 3.2.15 from 1 October 2009. The 3.2.x series officially reached end-of-life on 1 March 2010.^[10]

Security[edit]

Some versions of Samba 3.6.3 and lower suffer serious security issues which can allow anonymous users to gain root access to a system from an anonymous connection, through the exploitation of an error in Samba’s remote procedure call.^[28]

On 12 April 2016, Badlock,^[29] a crucial security bug in Windows and Samba, was disclosed. Badlock for Samba is referenced by CVE|2016-2118 (SAMR and LSA man in the middle attacks possible).^[30]

On 24 May 2017, it was announced that a remote code execution vulnerability had been found in Samba named EternalRed or SambaCry, affecting all versions since 3.5.0.^[31] This vulnerability was assigned identifier CVE|2017-7494.^[31][32]

On 14 September 2020, a proof-of-concept exploit for the netlogon vulnerability called Zerologon (CVE|2020-1472) for which a patch exists since August was published.^[33] Some federal agencies using the software have been ordered to install the patch.^[34]

Features[edit]

Samba allows file and print sharing between computers running Microsoft Windows and computers running Unix. It is an implementation of dozens of services and a dozen protocols, including:

• NetBIOS over TCP/IP (NBT)
• SMB (known as CIFS in some versions)
  • Samba supports POSIX extensions for CIFS/SMB. The initial extension was CIFS VFS (CAP_UNIX) from 2004, which has been somewhat superseded by SMB3.^[35]
• DCE/RPC or more specifically, MSRPC, the Network Neighborhood suite of protocols
• A WINS server also known as a NetBIOS Name Server (NBNS)
• The NT Domain suite of protocols which includes NT Domain Logons
• Security Account Manager (SAM) database
• Local Security Authority (LSA) service
• NT-style printing service (SPOOLSS)
• NTLM
• Active Directory Logon using modified versions of Kerberos and LDAP
• DFS server

All these services and protocols are frequently incorrectly referred to as just NetBIOS or SMB. The NBT (NetBIOS over TCP/IP) and WINS protocols, and their underlying SMB version 1 protocol, are deprecated on Windows. Since Windows Vista the WS-Discovery protocol has been included along with SMB2 and its successors, which supersede these. (WS-Discovery is implemented on Unix-like platforms by third party daemons which allow Samba shares to be discovered when the deprecated protocols are disabled).

Samba sets up network shares for chosen Unix directories (including all contained subdirectories). These appear to Microsoft Windows users as normal Windows folders accessible via the network. Unix users can either mount the shares directly as part of their file structure using the mount.cifs command or, alternatively, can use a utility, smbclient (libsmb) installed with Samba to read the shares with a similar interface to a standard command line FTP program. Each directory can have different access privileges overlaid on top of the normal Unix file protections. For example: home directories would have read/write access for all known users, allowing each to access their own files. However they would still not have access to the files of others unless that permission would normally exist. Note that the netlogon share, typically distributed as a read only share from /etc/samba/netlogon, is the logon directory for user logon scripts.

Samba services are implemented as two daemons:

• smbd, which provides the file and printer sharing services, and
• nmbd, which provides the NetBIOS-to-IP-address name service. NetBIOS over TCP/IP requires some method for mapping NetBIOS computer names to the IP addresses of a TCP/IP network.

Samba configuration is achieved by editing a single file (typically installed as /etc/smb.conf or /etc/samba/smb.conf). Samba can also provide user logon scripts and group policy implementation through poledit.

Samba is included in most Linux distributions and is started during the boot process. On Red Hat, for instance, the /etc/rc.d/init.d/smb script runs at boot time, and starts both daemons. Samba is not included in Solaris 8, but a Solaris 8-compatible version is available from the Samba website. The OS/2-based ArcaOS includes Samba to replace the old IBM LAN Server software.^[36]

Samba includes a web administration tool called Samba Web Administration Tool (SWAT).^[37][38]
SWAT was removed starting with version 4.1.^[39]

Samba TNG[edit]

Samba TNG (The Next Generation) was forked in late 1999, after disagreements between the Samba Team leaders and Luke Leighton about the directions of the Samba project. They failed to come to an agreement on a development transition path which allowed the research version of Samba he was developing (known at the time as Samba-NTDOM) to slowly be integrated into Samba.^[40] Development has been minimal, due to a lack of developers. The Samba TNG team frequently directed potential users towards Samba because of its better support and development.^[41]

A key goal of the Samba TNG project was to rewrite all of the NT Domains services as FreeDCE projects.^[42] This was made difficult as the services were developed manually through network reverse-engineering, with limited or no reference to DCE/RPC documentation.^{[citation needed]}

A key difference from Samba was in the implementation of the NT Domains suite of protocols and MSRPC services. Samba makes all the NT Domains services available from a single place, whereas Samba TNG separated each service into its own program.^{[citation needed]}

ReactOS started using Samba TNG services for its SMB implementation. The developers of both projects were interested in seeing the Samba TNG design used to help get ReactOS talking to Windows networks. They worked together to adapt the network code and build system. The multi-layered and modular approach made it easy to port each service to ReactOS.^[43]

See also[edit]

• LM hash
• SSLBridge

Notes[edit]

References[edit]

External links[edit]

• Official website

About

Samba is the standard Windows interoperability suite of programs for Linux and Unix.

Samba is Free Software licensed under the GNU General Public License, the Samba project is a member of the Software Freedom Conservancy.

Since 1992, Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others.

Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member.

— Citation from the Samba homepage.

I tried to provide a little list for all the fancy #Acronyms.

The name was filtered from a dictonary.

   1 grep '^s.*m.*b.*' /usr/share/dict/american-english\
   2         |grep -v -e 'ed$' -e 'ing$' -e 'ly$' -e 's$' \
   3         |head -n1

Links

• Samba Homepage

• SambaXP — The International User and Developer Conference

• Samba+ — Samba for Enterprise Linux and more

• Samba Git-Repository

• Samba Wiki

• Samba Mailing Lists

• Samba Mailing Lists

• Samba Bugtracker

• Setting up Samba as an Active Directory Domain Controller

• LPIC-300 Objectives V3.0

• docs.microsoft.com — Glossary

Why Samba

• Free libre open-source software (GNU GPL)
• No Microsoft licenses for the windows operating system and for client access (CALs) to the machine necessary
• Simple and flexible
  • Many compatibility options
  • e.g. 2 Samba-Versions on the same machine
• CLI administration
• Configuration in a file (easy backup/restore/migration)
• Every client has its own process
  • Stability (only one process dies)
  • Scales well on multi-core systems
• Good hardware abstraction with linux or unix
• log-files better to read than event-log

Alternatives

• Bare LDAP
• FreeIPA
• Univention Corporate Server (essentially Samba in a appliance)
• Freedombox for small deployments

Releases

• Samba Wiki — Samba Release Planning

• Samba Wiki — Samba Security Process

The regular Samba release cycle intends a new release series

1. six months fully supported,
2. another six months in the maintenance mode,
3. six months in the security fixes only mode.

In total, each series is maintained for a period of approximately 18 months.

So there are three minor releases in active maintenance by the Samba Team:

1. x.y+1 — next upcoming release series

2. x.y — current stable release

3. x.y-1 — maintenance mode — fixing security and severe bugs

4. x.y-2 — security fixes only

5. x.y-3 — Discontinued (EOL)

Security fixes may also be back-ported by the distributions to their frozen versions.

You better stick with the pace.

Your old OpenWRT router is probably out of bug-fixes.

Samba versions and features

Samba is changing rapidly with huge differences between versions. It’s important to know, which features are necessary to select a version to install minimally to carry your setup.

Too keep track you may read

• Samba Homepage — Release Announcements

• Samba Homepage — Samba Security Releases

• Samba Wiki — Category:Release Notes

3.5

• Experimental SMB2.0 support

3.6

• Full SMB2.1 support

4.0

• AD DC support
• Ships with built-in
  • LDAP server
  • Kerberos KDC (can generate PAC)
• Introduction of the

  • supervisor process samba

  • cli-management tool samba-tool

• Introduction of 2 DNS-solutions
  • Built-in DNS
  • BIND9-plugin (with DLZ)

4.2

• SMB3 support

4.3

• SMB3.1.1 support

4.7

• MIT-Kerberos support
• The dynamic port range for RPC services has been changed from the old default value «1024-1300» to «49152-65535».
• Self-signed certs with SHA256

4.8

• Domain member setups require winbindd
• No simple downgrade (GUID index)
• Time Machine Support with vfs_fruit
• Support for RODC setups

4.10

• MIT-Kerberos support disabled (at compile time)
• Python 3 support

4.11

• SMB1 is disabled by default
• Default schema updated to 2012_R2

4.13

• Samba 4.13 deprecates Samba’s original domain controller mode.

Please also take a look at the protocol support at SMB versions

3 Daemons and a supervisor

• nmbd — NetBIOS name server to provide NetBIOS over IP naming services to clients

• smbd — server to provide SMB/CIFS services to clients

• winbindd

  • Name Service Switch daemon for resolving names from NT servers
  • Idmapping Unix — Samba

• samba

   1 systemctl status nmbd.service
   2 systemctl status smbd.service
   3 systemctl status winbind.service
   4 systemctl status samba-ad-dc.service

Requirements

• At least 2 domain controllers
  • Improvement of maintenance and availability
  • Resources:
    • CPU: 4
    • RAM: 8GiB
    • Storage: 20GiB
• Separated file servers
  • Resources:
    • CPU: 4
    • RAM: 8GiB
    • Storage: according to your demands,

      but > 128GiB makes sense …

• Knowlegde about corporate structure to map the company on the LDAP directory.

Ports

See also:

• Microsoft Docs — Service overview and network port requirements for Windows

• Microsoft Docs — How to configure a firewall for Active Directory domains and trusts

• Samba Domain Member Port Usage

SRV records

Always check SRV records on each domain controller

   1 $ORIGIN rockstable.it.
   2 _ldap._tcp     SRV 0 100 389 dc1
   3 _ldap._tcp     SRV 0 100 389 dc2
   4 
   5 _kerberos._tcp SRV 0 100 88 dc1
   6 _kerberos._tcp SRV 0 100 88 dc2
   7 _kerberos._udp SRV 0 100 88 dc1
   8 _kerberos._udp SRV 0 100 88 dc2
   9 
  10 _gc._tcp       SRV 3268 dc1
  11 _gc._tcp       SRV 3268 dc2

Definitions

• docs.microsoft.com — Understanding the Active Directory Logical Model

• docs.microsoft.com — Glossary

• docs.microsoft.com — [MS-ADTS]: Active Directory Technical Specification

Active Directory forest

German: Gesamtstruktur

A forest is a collection of one or more Active Directory domains that share a common logical structure, directory schema (class and attribute definitions), directory configuration (site and replication information), and global catalog (forest-wide search capabilities). Domains in the same forest are automatically linked with two-way, transitive trust relationships.

Active Directory domain

A domain is a partition in an Active Directory forest. Partitioning data enables organizations to replicate data only to where it is needed. In this way, the directory can scale globally over a network that has limited available bandwidth. In addition, the domain supports a number of other core functions related to administration, including:

• Network-wide user identity. Domains allow user identities to be created once and referenced on any computer joined to the forest in which the domain is located. Domain controllers that make up a domain are used to store user accounts and user credentials (such as passwords or certificates) securely.

• Authentication. Domain controllers provide authentication services for users and supply additional authorization data such as user group memberships, which can be used to control access to resources on the network.

• Trust relationships. Domains can extend authentication services to users in domains outside their own forest by means of trusts.

• Replication. The domain defines a partition of the directory that contains sufficient data to provide domain services and then replicates it between the domain controllers. In this way, all domain controllers are peers in a domain and are managed as a unit.

Active Directory organizational units

OUs can be used to form a hierarchy of containers within a domain. OUs are used to group objects for administrative purposes such as the application of Group Policy or delegation of authority. Control (over an OU and the objects within it) is determined by the access control lists (ACLs) on the OU and on the objects in the OU. To facilitate the management of large numbers of objects, AD DS supports the concept of delegation of authority. By means of delegation, owners can transfer full or limited administrative control over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects across a number of people who are trusted to perform management tasks.

Active Directory global catalog

A unified partial view of multiple naming contexts (NCs) in a distributed partitioned directory. The Active Directory directory service GC is implemented by GC servers. The definition of global catalog is specified in [MS-ADTS] section 3.1.1.1.8.

In AD DS, the global catalog (GC) is a partial view of a forest’s NCs, with these properties:

• The GC view includes all domain NCs, the config NC, and the schema NC.
• The GC view is partial. It includes all objects in the included NCs, but only those attributes defined as members of the partial attribute set in the schema NC (as specified in section 3.1.1.2). If the GC is an RODC, the attribute list is further restricted to those attributes not present in the filtered attribute set in the schema NC (as specified in section 3.1.1.2).
• The GC view is read-only.

The GC has no state model impact outside the schema NC, which defines the forest’s partial attribute set. The implementation of the GC (that is, actually providing the specified view to LDAP clients) does have impact, explained in section 3.1.1.1.9.

In AD LDS there is no support for the GC.

NOTES

• In opposite to the Microsoft implementation the Samba ‘Administrator’ password expires, too. This behavour may be changed with.

     1 #Disable password expiration for the Administrator account.
     2 samba-tool user setexpiry Administrator --noexpiry
  

• ntpd >= 4.2.6 to support signing, which is required by Active Directory

• In Samba every DC is global catalog
• With Samba4 data should not be saved on a AD DC, since they use their own ID-mapping. Dedicated fileservers should be used to provide data instead.
• Always document your GPOs.

Installation

Server

NT4

Bare Samba

   1 apt install \
   2         samba smbclient \
   3         acl attr

Samba with #ctdb

   1 apt install \
   2         samba smbclient \
   3         acl attr \
   4         winbind libnss-winbind libpam-winbind \
   5         ctdb

Samba with ldap

   1 apt install \
   2         samba smbclient \
   3         acl attr \
   4         winbind libnss-winbind libpam-winbind \
   5         libnss-ldap smbldap-tools

AD DC

Integrated DNS

   1 apt install \
   2         samba smbclient \
   3         acl attr \
   4         winbind libnss-winbind libpam-winbind \
   5         ldb-tools \
   6         heimdal-clients libpam-heimdal \
   7         ntp \
   8 

With Bind9 DLZ

   1 apt install \
   2         samba smbclient \
   3         acl attr \
   4         winbind libnss-winbind libpam-winbind \
   5         ldb-tools \
   6         heimdal-clients libpam-heimdal \
   7         bind9 bind9utils dnsutils \
   8         ntp

Due to collision with ntp, systemd-timesyncd will be removed.

AD fileserver

Install a AD fileserver

   1 apt install \
   2         samba smbclient \
   3         acl attr \
   4         winbind libnss-winbind libpam-winbind \
   5         ldb-tools \
   6         heimdal-clients libpam-heimdal \
   7         ntp

Due to collision with ntp, systemd-timesyncd will be removed.

Client

# TODO

Configure

Test and show configuration and their defaults

Of cause all defaults are documented in
man 5 smb.conf

But there is a more comfortable way to find out bulks of defaults.
Please see #testparm

Logging

Defaults compiled in (Debian)

   1 [global]
   2 ### DEFAULT
   3 #logging =
   4 #log file = 
   5 #log level = 1
   6 ### FILE SIZE IN KILOBYTE
   7 #max log size = 5000
   8 #syslog = 1
   9 #syslog only = No

Default configuration (Debian)

   1 ### DEFAULT DEBIAN
   2 log level = 1
   3 logging = file
   4 ### LOG FILE BY NETBIOS NAME
   5 log file = /var/log/samba/log.%m
   6 ### FILE SIZE IN KILOBYTE
   7 max log size = 1000
   8 syslog = 1
   9 syslog only = No

The logfile may not work, when using SMB over tcp/445.

The log level is even more flexible. For more information please see
man -P «less -p ‘log level \(G\)'» 5 smb.conf

   1 ### DEFAULT DEBIAN
   2 log level = 1 winbind:3@/var/log/samba/winbind.log
   3 ### LOG FILE BY IP
   4 log file = /var/log/samba/log.%I

A high log level may impact system performance.

You may change the log level of a running smbd instance with #smbcontrol

Flexiblity

macros

The Samba configuration can be very dynamic. There are several macros which may be used, to achieve e.g. interface-IP- %i, client-IP- %I or protocol-version-specific %R configurations. Even environment variables (dereferenced to their value) may be used as a macro %$(envvar).

man -P «less -p ‘^VARIABLE SUBSTITUTIONS'» 5 smb.conf

Be careful: Netbios macros are not resolved, when using SMB over tcp/445 %m, %L.

Include

Other files may be included into smb.conf.

Macros may be combined with the include statement.

   1 install -d /etc/samba/conf.d
   2 cat <<EOF > /etc/samba/conf.d/ldap.conf
   3 ldap … = …
   4 EOF

   1 [global]
   2 include = /etc/samba/conf.d/ldap.conf

Dedicated resources

Some resources cannot not be shared between two samba instance:
interfaces, lock directory, netbios name, pid directory, workgroup

Some resources may/should not be shared between two samba instance:
passdb backend, log file

Interfaces

Bind only to specified interfaces

   1 [global]
   2 interfaces = eth0
   3 bind interfaces only = yes

Ports

Prohibit NetBIOS on tcp/445 and disable SMB over NetBIOS over tcp/139

   1 [global]
   2 ### DISABLE NETBIOS ON TCP/445
   3 netbios ports = 139
   4 ### DISABLE SMB ON TCP/139
   5 ### DEFAULT: 139, 445
   6 smb ports = 445

NetBIOS Macros like %L are not resolved with SMB over tcp/445.

Server aliases

Consolidate multiple servers to a single node

   1 [global]
   2 netbios name = sambasrv
   3 netios aliases = win-old1 win-old2

Security

Security modes

• share level «tree connect»

  • every authenticated user can read the share
  • not recommended
  • removed with Samba 4.0

• server

  • Samba 2.0 option, still supported in Samba 3.0
  • high load
  • problematic
  • removed with Samba 4.0

• user level -> «session setup»

  • Permissions based on user name

• domain

  • like user but auth backend is domain logon server

  • adc methods may be disabled with
    winbind rpc only = yes

• adc

  • auth backend is domain logon server with kerberos

  • system clocks must be in sync (t_Δ < 5min)

  • DNS-Server required (NetBIOS and DNS-Name must be identical)

  • realm and domain are defined in smb.conf

   1 [global]
   2 security = <MODE>

Backends

Please also see #Actions on backends

Backend smbpasswd

• deprecated
• plaintext

• /etc/samba/smbpasswd

• 6 columns

  username

  Unix UID

  LANMGR-hash

  NT-hash

  account flag

  mtime

• most simple
• no additional attributes (like HOME directory, …)

/etc/samba/smb.conf

   1 [global]
   2 passdb backend = smbpasswd
   3 passdb backend = smbpasswd

Backend tdbsam

• trivial database Security Accounts Manager (SAM)

• Default and recommended for normal usage

• binary
• offers concurrency and locking

• path in private dir name passdb.tdb

• long cache times, not always in sync with disk

• backup at runtime with #tdbbackup

• Do backups!

See also #ctdb

/etc/samba/smb.conf

   1 [global]
   2 passdb backend = tdbsam
   3 private dir = /var/lib/samba/private
   4 #passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb

Backend ldapsam

• bigger networks
• replication backbone of PDCs and BDCs
• tools to modify ldap and unix databases necessary

  like smbldap-tools

     1 #add machine script = /usr/sbin/useradd -d /dev/null -s /bin/false '%u'
     2 add machine script = /usr/sbin/smbldap-useradd -w '%u'
  

/etc/samba/smb.conf

   1 [global]
   2 ### DEFAULT: localhost
   3 passdb backend = ldapsam
   4 #passdb backend = ldapsam:"ldap://ldap1.example.com ldap://ldap2.example.com ldap://ldap3.example.com"
   5 #passdb backend = ldapsam:"ldaps://ldap1.example.com ldaps://ldap2.example.com ldaps://ldap3.example.com"
   6 ### PLEASE DON'T USE ROOTDN
   7 ldap admin dn = cn=samba,dc=rockstable,dc=it
   8 ldap suffix = dc=rockstable,dc=it
   9 ldap user suffix = ou=users
  10 ldap group suffix = ou=groups
  11 ldap machine suffix = ou=computers
  12 ldap idmap suffix = ou=idmaps
  13 ### SECURE BACKEND LDAP CONNECTION OF RPC CALLS (MIND THE SPACE)
  14 ldap ssl = start tls
  15 ### SECURE BACKEND LDAP CONNECTION OF ADC CALLS (MIND THE SPACE)
  16 ldap ssl adc = start tls

ldap ssl should be set explicitly, because the defaults may vary, and depend on the configuration at compile time.

It is subsequently necessary to #Set ldap password

When local system is attached to ldap via NSS and the information in ldap is sufficient to qualify the system. Local NSS may be bypassed and samba built-in optimized ldap-queries used instead to read information stored in the ldap-tree (users, groups, …) directly. During the bootstrapping of the ldap-tree, NSS is configured after preparing the ldap-tree for/by/with samba, of cause.

   1 ### DEFAULT
   2 ldapsam:trusted = no
   3 ### SPEED UP UID/GID LOOKUPS
   4 ldapsam:trusted = yes

Please see
man -P «less -p ‘^\s*ldapsam:trusted \(G\)'» 5 smb.conf

The write path may also be optimized using direct write access to the ldap-tree (without using scripts). In this scenario windbindd allocates uids/gids and has therefor to be installed on the Samba-DC. Furthermore the id ranges have to be defined for windbind.

   1 ### ENABLE OPTIMIZED MODIFICATION OF LDAP
   2 ldapsam:editposix = yes
   3 ### ALSO DELETE DN NOT ONLY SAMBA ATTRIBUTES
   4 ldap delete dn = yes
   5 ### WINBIND RANGES
   6 idmap uid = 10000-19999
   7 idmap gid = 10000-19999

Please make sure samba has sufficient access to the ldap-tree.

Now the ldap-tree needs to be structured as defined in smb.conf. This may be achieved using a hand crafted ldif-file or a script from the smbldap-tools called smbldap-populate, which is quite flexible.

Futhermore some essential accounts need to be created, which can be achieved with

For NSS name resolution over ldap a package has to be installed.

   1 apt install libnss-ldap

/etc/nsswitch.conf

   1 # /etc/nsswitch.conf
   2 #
   3 # Example configuration of GNU Name Service Switch functionality.
   4 # If you have the `glibc-doc-reference' and `info' packages installed, try:
   5 # `info libc "Name Service Switch"' for information about this file.
   6 
   7 passwd:         compat systemd ldap
   8 group:          compat systemd ldap
   9 shadow:         compat
  10 gshadow:        files
  11 
  12 hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname mymachines
  13 networks:       files
  14 
  15 protocols:      db files
  16 services:       db files
  17 ethers:         db files
  18 rpc:            db files
  19 
  20 netgroup:       nis

During the test you may stop then name service caching daemon (nscd), to always get fresh (but much more expensive) results.

Accounts

NT4 Accounts

Before adding the samba account make sure a corresponding Unix account (for its UID-number) exists.

The Unix user does not need to have a existing home directory. The home may even be /dev/null

User with UID 0 on DC is domain admin, when created in Samba.

The Unix and the Samba password do not need to match.

AD DC accounts

Samba user no longer need a Unix account to be created before. The Samba ID-mapping is sufficient.

AD DC DNS

BIND9_DLZ

Bind9 has a richer feature set, than the internal DNS-service. For example it allows load-balancing using round robin, which is not supported with SAMBA_INTERNAL.

Adjust forwarders and Kerberos keytab in Bind9 configuration.
/etc/bind9/named.conf.options

   1 forwarders {
   2         192.168.1.1;
   3 }
   4 tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

Include the configuration generated by Samba in Bind9
/etc/bind9/named.conf.options

   1 include "/var/lib/samba/bind-dns/named.conf"

Bind9 must be able to read both files (via group permissions)

   1 ls -l \
   2         "/var/lib/samba/private/dns.keytab" \
   3         "/var/lib/samba/bind-dns/named.conf"

Make sure SELinux or Apparmor do not interfere.

Username map

Map Samba users to unix accounts

Acts differently in different security modes.

Therefor read the docs
man -P «less -p ‘^\s*username map \(G\)'» 5 smb.conf

/etc/samba/smb.conf

   1 [global]
   2 username map = /etc/samba/username.map

/etc/samba/username.map

   1 ### UNIX = SAMBA
   2 root = admin administrator
   3 nobody = guest smbguest pcguest

Shares

Options

Are suffixed with (S) in man 5 smb.conf

Unix groups are prefixed by @
Example

   1 valid users = tobias, @samba
   2 write list = tobias, @adm

Default shares

There are some default share definitions in
/etc/samba/smb.conf

homes

Unix home directory exported for a user.

The default value of the path to the home directory

   1 #template homedir = /home/%D/%U
   2 template homedir = /srv/samba/%D/home/%U

The directory for the domain should already be created for Samba4 to be able to create user home directories.

Home directories

   1 #======================= Share Definitions =======================
   2 
   3 [homes]
   4    comment = Home Directories
   5    browseable = no
   6 
   7 # By default, the home directories are exported read-only. Change the
   8 # next parameter to 'no' if you want to be able to write to them.
   9    read only = no
  10 
  11 # File creation mask is set to 0700 for security reasons. If you want to
  12 # create files with group=rw permissions, set next parameter to 0775.
  13    create mask = 0700
  14 
  15 # Directory creation mask is set to 0700 for security reasons. If you want to
  16 # create dirs. with group=rw permissions, set next parameter to 0775.
  17    directory mask = 0700
  18 
  19 # By default, \\server\username shares can be connected to by anyone
  20 # with access to the samba server.
  21 # The following parameter makes sure that only "username" can connect
  22 # to \\server\username
  23 # This might need tweaking when using external authentication schemes
  24    valid users = %S

netlogon

The logon scripts of a domain controller are stored here.

   1 # Un-comment the following and create the netlogon directory for Domain Logons
   2 # (you need to configure Samba to act as a domain controller too.)
   3 ;[netlogon]
   4 ;   comment = Network Logon Service
   5 ;   path = /home/samba/netlogon
   6 ;   guest ok = yes
   7 ;   read only = yes

profiles

Store roaming profile, which is downloaded on logon and uploaded on logout. This feature requires a fast network and sufficient disk-IO especially in the peak time.

   1 # Un-comment the following and create the profiles directory to store
   2 # users profiles (see the "logon path" option above)
   3 # (you need to configure Samba to act as a domain controller too.)
   4 # The path below should be writable by all users so that their
   5 # profile directory may be created the first time they log on
   6 ;[profiles]
   7 ;   comment = Users profiles
   8 ;   path = /home/samba/profiles
   9 ;   guest ok = no
  10 ;   browseable = no
  11 ;   create mask = 0600
  12 ;   directory mask = 0700

printers

Manage printers

   1 [printers]
   2    comment = All Printers
   3    browseable = no
   4    path = /var/spool/samba
   5    printable = yes
   6    guest ok = no
   7    read only = yes
   8    create mask = 0700

print

Manage printer drivers

   1 # Windows clients look for this share name as a source of downloadable
   2 # printer drivers
   3 [print$]
   4    comment = Printer Drivers
   5    path = /var/lib/samba/printers
   6    browseable = yes
   7    read only = yes
   8    guest ok = no
   9 # Uncomment to allow remote administration of Windows print drivers.
  10 # You may need to replace 'lpadmin' with the name of the group your
  11 # admin users are members of.
  12 # Please note that you also need to set appropriate Unix permissions
  13 # to the drivers directory for these users to have write rights in it
  14 ;   write list = root, @lpadmin

sysvol

# WIP

Store group policy objects (GPOs).

   1 [sysvol]
   2    comment = Store GPOs
   3    path = /var/lib/samba/sysvol
   4    browseable = no
   5    ### ON REPLICATION TARGETS
   6    #read only = yes
   7    guest ok = no

The content of the share sysvol must be the same on all DCs, but the synchronization is not managed by Samba. It does not need to be stricly synchronized, it’s sufficient to use rsync or another custom script based approach. (Please don’t use a unencrypted rsync daemon module over tcp consider the rsync features of utilizing a remote shell like ssh.) But you may have to designate a primary server, who acts as a replication source. A good choice could be the server with the #FSMO-role «PDCEmulationMaster». This server must then always be used to change GPOs. RSAT can be pointed specifically to this primary server.

1. Open RSAT Group Policy Management
2. Right click on domain
3. Change domain controller
4. Chose «Domain-Controller with the token for PDC-Emulation»

The replication may than be triggered by

• a cron-job
• a systemd-timer or
• inotify

Another possibility is to use a distributed filesystem like GlusterFS to share the directory.

Guest shares

May also be combined with
#Username map

Do not combine valid users = with guest ok = yes or guest won’t be able to connect.

/etc/samba/smb.conf

   1 [global]
   2 security = user
   3 ### DEFAULT GUEST ACCOUNT
   4 guest account = nobody
   5 ### MAP USERS, THAT ARE NOT MAPPABLE TO A UNIX ACCOUNT,
   6 ### E.G. THEY DON'T EXIST, TO THE GUEST ACCOUNT
   7 map to guest = Bad User
   8 
   9 ### PUBLIC READ-ONLY SHARE
  10 [DVD-ROM]
  11 comment = DVD-Drive
  12 path = /media/sr0
  13 guest ok = yes
  14 
  15 ### PUBLIC WRITEABLE SHARE
  16 ### UNIX PERMISSIONS CONTROL WRITING
  17 [tmp]
  18 comment = Insecure temporary share.
  19 path = /mnt/sda2/tmp
  20 read only = no
  21 guest ok = yes
  22 create mask = 664
  23 directory mask = 775
  24 browseable = yes

For the mount please see
#Mount as guest

Usershares

man -P «less -p ‘^USERSHARES'» 5 smb.conf

Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete their own share definitions has been added. This capability is called usershares and is controlled by a set of parameters in the [global] section of the smb.conf.

Usershare options with their defaults on Debian 10.

   1 [global]
   2 usershare allow guests = Yes
   3 usershare max shares = 100
   4 usershare owner only = Yes
   5 usershare path = /var/lib/samba/usershares
   6 usershare prefix allow list =
   7 usershare prefix deny list =
   8 usershare template share =

Authorization to the creation of usershares is managed by filesystem permissions to /var/lib/samba/usershares.

The group and the directory usually exist, because the installation takes care of it. But in case it doesn’t, this is how to create it.

   1 addgroup sambashare
   2 install -o root -g sambashare -m 4770 \
   3         -d /var/lib/samba/usershares

The directory usershares is sticky and can only be written to by root and the group sambashare.

ls -ld /var/lib/samba/usershares

   1 drwxrwx--T 1 root sambashare 0 12. Nov 2017  /var/lib/samba/usershares

So the group sambashare controls access to the managemant of user shares and should not be reused to grant access to other branches on the filesystem-tree. Just create a separate group for this purpose.

Add a user to the group sambashare

   1 adduser "$USERNAME" sambashare

Now shares can be managed by a user.

If you are using KDE Plasma, make sure some packages are installed

   1 aptitude install samba kdenetwork kdenetwork-filesharing

A directory can now be shared via filesystem browser (like dolphin or konqueror). Just navigate to the directory, open the properties and chose the tab «share».

Or just use the cli with #net usershare.

DOS-Attributes

DOS-Attributes are

• SYSTEM
• HIDDEN
• ARCHIVE
• READ-ONLY

DOS attributes are mapped to UNIX-Attributes prior to evaluating Unix-permissions. When store dos attributes is set to true the mappings to Unix-permissions are simply ignored. Please see
man -P «less -p ‘store dos attributes \(S\)'» 5 smb.conf

Defaults

   1 [share]
   2 store dos attributes = yes  # Store DOS flags in extended attributes (EA)
   3 map archive = yes           # UNIX owner execute bit
   4 map hidden = no             # UNIX world execute bit
   5 map system = no             # UNIX group execute bit
   6 map readonly = no           # inverse of the user or owner write bit

On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel.

Control filesystem permissions

In somewhat simpler setups utilizing the SET-UID/GID-BIT may be sufficient.

Samba has some nice filesystem permission semantics, that help in controlling access to the share.

   1 [operations]
   2 path = /srv/samba/operations
   3 ### ANONYMIZE WRITING USER OR
   4 ### MANAGE VIA USER PERMISSIONS
   5 #force user = operator
   6 ### ENFORCE ENTITY TO BE OWNED BY GROUP
   7 force group = operations
   8 ### LIMIT ACCESS TO GROUPS AND SINGLE USERS
   9 valid users = @operations, @management, ceo, cto
  10 ### ONLY MEMBERS OF GROUP OPERATIONS MAY WRITE
  11 write list = @operations
  12 ### SET FILE CREATE MASK
  13 ### (BIT-WISE "AND"ED WITH REQUEST)
  14 ### DEFAULT: 0744
  15 create mask = 0740
  16 ### FORCE FILE PERMISSION
  17 ### (BIT-WISE "OR"ED WITH REQUEST)
  18 ### DEFAULT: 0000
  19 force create mode = 0020
  20 ### SET DIR CREATE MASK
  21 ### (BIT-WISE "AND"ED WITH REQUEST)
  22 ### DEFAULT: 0755
  23 directory mask = 0770
  24 ### FORCE DIR PERMISSION
  25 ### (BIT-WISE "OR"ED WITH REQUEST)
  26 ### DEFAULT: 0000
  27 force directory mode = 0020

It’s also possible to use POSIX-ACLs within the filesystem achieve even more flexible permissions. But this raises the bar quite a bit, because this requires kernel support, mount-options, vfs objects and a adapted backup strategy, which secures the additional info.

Templating

The share [operations] from #Control filesytem permissions has become quite complex. It could be a challage to manage a higher number of these shares.

Luckily other shares can be used as templates. Only specifically mentioned directives are overridden everything else is copied.

   1 [development]
   2 copy = operations
   3 path = /srv/samba/development
   4 force group = development
   5 valid users = @development, @management, ceo, cto
   6 write list = @development

VFS modules

man -P «less -p ‘vfs objects \(S\)'» 5 smb.conf

vfs objects (S)

This parameter specifies the backend names which are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects. Be aware that the definition of this parameter will overwrite a possible previous definition of the vfs objects parameter.

This modules are stackable.

This modules are installed with packge samba-vfs-modules as a recommendation by package samba. The VFS modules are stored in
/usr/lib/x86_64-linux-gnu/samba/vfs

VFS modules of Samba 4.13.3-Debian

• vfs_acl_tdb — Save NTFS-ACLs in a tdb file

• vfs_acl_xattr — Save NTFS-ACLs in Extended Attributes (EAs)

• vfs_aio_fork — implement async I/O in Samba vfs

• vfs_aio_pthread — implement async open in Samba vfs using a pthread pool

• vfs_audit — record selected Samba VFS operations in the system log

• vfs_btrfs — Utilize features provided by the Btrfs filesystem

• vfs_cap — CAP encode filenames

• vfs_catia — translate illegal characters in Catia filenames

• vfs_ceph — Utilize features provided by CephFS

• vfs_ceph_snapshots — Expose CephFS snapshots as shadow-copies

• vfs_commit — flush dirty data at specified intervals

• vfs_crossrename — server side rename files across filesystem boundaries

• vfs_default_quota — store default quota records for Windows clients

• vfs_dirsort — Sort directory contents

• vfs_extd_audit — record selected Samba VFS operations

• vfs_fake_perms — enable read only Roaming Profiles

• vfs_fileid — Generates file_id structs with unique device id values for cluster setups

• vfs_fruit — Enhanced OS X and Netatalk interoperability

• vfs_full_audit — record Samba VFS operations in the system log

• vfs_glusterfs — Utilize features provided by GlusterFS

• vfs_glusterfs_fuse — Utilize features provided by GlusterFS

• vfs_gpfs — gpfs specific samba extensions like acls

• vfs_io_uring — Implement async io in Samba vfs using io_uring of Linux (>= 5.1).

• vfs_linux_xfs_sgid — Workaround XFS sgid bit not inherited

• vfs_media_harmony — Allow multiple Avid clients to share a network drive.

• vfs_nfs4acl_xattr — Save NTFS-ACLs as NFS4 encoded blobs in extended attributes

• vfs_offline — Mark all files as offline

• vfs_preopen — Hide read latencies for applications reading numbered files

• vfs_readahead — pre-load the kernel buffer cache

• vfs_readonly — make a Samba share read only for a specified time period

• vfs_recycle — Samba VFS recycle bin

• vfs_shadow_copy — Expose snapshots to Windows clients as shadow copies.

• vfs_shadow_copy2 — Expose snapshots to Windows clients as shadow copies.

• vfs_shell_snap — Shell script callouts for snapshot creation and deletion

• vfs_snapper — Expose snapshots managed by snapper as shadow-copies

• vfs_streams_depot — EXPERIMENTAL module to store alternate data streams in a central directory.

• vfs_streams_xattr — Store alternate data streams in posix xattrs

• vfs_syncops — Ensure meta data operations are performed synchronously.

• vfs_time_audit — samba vfs module to log slow VFS operations

• vfs_unityed_media — Allow multiple Avid clients to share a network drive.

• vfs_virusfilter — On access virus scanner

• vfs_widelinks — make a Samba share ignore filesystem symbolic links inside a share

• vfs_worm — disallows writes for older file

• vfs_xattr_tdb — Save Extended Attributes (EAs) in a tdb file

Example share

   1 [purchasing]
   2 copy = operations
   3 path = /srv/samba/purchasing
   4 force group = purchasing
   5 valid users = @purchasing, @management, ceo, cto
   6 write list = @purchasing
   7 vfs objects = btrfs recycle virusfilter
   8 ### KEEP TREE HIERARCHY
   9 recycle = keeptree=True
  10 ### DON'T RECYCLE FILES GREATER 8GiB
  11 recycle = maxsize=8589934592

FSMO

Flexible Single Master Operations roles

SchemaMaster

Unique in AD forest

Should also be global catalog

Should be held together with DomainNamingMaster

Definition/Authority of LDAP schema

DomainNamingMaster

Unique in AD forest

Should be held together with SchemaMaster

Authority of assignment of domain names.

InfrastructureMaster

Unique in AD domain

Manages referential integrity in a domain

If IM-role server holds a global catalog, all DCs need a GC. If a DC does not hood a GC, IM-role must not be a GC.

RidAllocationMaster

Unique in AD domain

Should be held together with PdcEmulationMaster

Allocates pools of IDs to the DC, to make sure IDs are unique in the domain

PdcEmulationMaster

Unique in AD domain

Should be held together with RidAllocationMaster

Manage password-changes (t_replication_ ≤ 20min)

DomainDnsZonesMaster

Unique in AD domain

Management of DNS structure of a domain

ForstDnsZonesMaster

Unique in AD forest

Responsible for DNS structure of the AD forest

Distributed File System (DFS)

wiki.samba.org — Distributed File System (DFS)

   1 [global]
   2 host msdfs = yes
   3 
   4 ### LIKE AN ALIAS
   5 [ProxiedShare]
   6 msdfs root = yes
   7 msdfs proxy = \otherserver\someshare,\otherserver2\someshare
   8 
   9 ### LIKE A LINK
  10 [DFS-ROOT]
  11 msdfs root = yes
  12 path = /srv/samba/dfs-root

Set up the DFS root directory

   1 DFS_ROOT="/srv/samba/dfs-root"
   2 ### MAKE SURE TO HAVE CORRECT UNIX_PERMISSIONS
   3 chown 0.0 "$DFS_ROOT"
   4 chmod 664 "$DFS_ROOT"
   5 cd "$DFS_ROOT"
   6 ### CREATE LINKS TO THE SHARES
   7 ### ALL LOWERCASE CHARACTERS
   8 ln -s msdfs:server1.domain.tld\\share1 share1
   9 ln -s msdfs:server2.domain.tld\\share2 share2
  10 ln -s msdfs:server3.domain.tld\\share3 share3
  11 ### READ-ONLY LINK WITH COMMA-SEPARATED REDUNDANT SOURCE "SERVERS\SHARES"
  12 ln -s msdfs:server5.domain.tld\\share5,server6.domain.tld\\share5 share5

GUIs

gadmin-samba

The activity of this project is in question.

• website down :-/
• was not able to find the source repo

Probably you should not use this nat all anymore.

Install the graphical frontend

gadmin-samba will on startup and with your permission perform some changes to your configuration.

• Create users
  • Unix user «smbguest»
  • Samba users «root» and «smbguest»
• Create unix group «sambamachines»
• Backup your old config

• Create a file /etc/samba/smbusers with username mappings between unix and samba

• Overwite the config with
  • no comments
  • Set NetBIOS name to «Samba24»
  • Overwrite current workgroup with «Workgroup»
  • Allow the wrong networks («127. 192.168.0»)
  • Bind to interfaces that doesn’t exist 192.168.0″)
  • …

When (after the inital setup) configuration options are given, that gadmin-samba does not support, they are not discarded.

It’s definitely worth a look for the configuration it performs especially for older Samba versions.

But i won’t use it, because it’s not up to date.

SWAT

Swat is no longer available with Samba 4.1.

Samba 4 mailing list — PROPOSAL: Remove SWAT in Samba 4.1

Install internet super-deamon

   1 aptitude install xinetd

Add a service to
/etc/services

   1 swat            901/tcp  # Samba Web Administration Tool

/etc/xinetd/swat

   1 ### XINETD CONFIG FOR SWAT
   2 socket_type  =  stream
   3 protocol     =  tcp
   4 wait         =  no
   5 user         =  root
   6 server       =  /usr/sbin/swat
   7 only_from    =  127.0.0.1
   8 disable      =  no

netdomjoin-gui

A gui for domain joins in the Samba source code. Located in source/lib/netapi/examples.

Local Master Browser

• Is the base of the Windows Networking (Netzwerkumgebung)

• Is handled by nmbd

  • Writes state to /var/lib/samba/browse.dat

• Services have to register with a LMB.
• Should be stable (with «long» uptime)
• Is limited to a subnet.
• There is a LMB in every subnet.
• LMB ist elected
  • Criteria:
    1. protocol version
    2. OS
    3. uptime
    4. name in alphabetic order
• Election
  • can be started by every participant
  • is based on broadcasts

Samba OS Levels

Configure election

Start on boot and win the election

   1 ### SAMBA ADVERTISES ITS LEVEL
   2 ### DEFAULT: 20
   3 os level = 100
   4 ### FORCE NMDB TO START ELECTION ON STARTUP
   5 ### DEFAULT: auto
   6 preferred master = yes

You may also prevent participation in LMB elections.

   1 ### PARTICIPATION IN LMB ELECTIONS
   2 ### DEFAULT: YES
   3 # local master  = no
   4 

Domain Master Browser

• Synchronizes the info from LMBs and thus allows seeing nodes in other subnets in the Windows networking browser on the clients.
• Is a passive node, the LMB initiates the sync process.
• In a given subnet the roles LMB and DMB are distinguished from each other and must not reside on the same machine.

• DMB is looked up via WINS domain<1b>. The connection to WINS is essential.

• On the LMB the info, which was
  • discovered locally marked as local and relevant, because it was dicovered by broadcasts
  • synchronized from DMB is marked as such and is subject to upstreaming
• This system is very sluggish and only has «antique» info.

Host announcement and its timeout

• The host announcement interval is 12min.
• If 3 host announcements are missed, the LMB considers the host dead.

Therefor dead hosts stay visible in the windows networking browser for 36min.

MSBROWSE — Browsing other workgroups

..__MSBROWSE__. <01> — <GROUP> B <ACTIVE>

The dots are ASCII 0x01 (StartOfHeading) and 0x02 (StartOfText).

Every LMB in a subnet (but of different workgroups) signals its existence to this NetBIOS group. These list is maintained by all LMBs in a subnet.

If a DMB is used and there are workgroups in the Browser, which do not exist anymore, but are still visible in Windows networking browser, then in Samba set

WINS

For the protocol please see
networking#WINS

WINS is a Highlander. There can only be one in the entire network.

WINS Client

Configure Samba server as a WINS client.

   1 wins server = IP.AD.DR.ES

WINS Server

Enable WINS support in Samba

Now WINS clients may be configured to register their names with the Samba server.

On Samba the dynamically maintained database is stored persistently across reboots in /var/lib/samba/wins.dat, which is written in regular intervals.

wins.dat may be synced with

/var/lib/samba/wins.tdb is only a cache.

WINS Proxy

Enable WINS proxy in Samba

   1 wins server = IP.AD.DR.ES
   2 wins proxy = yes

Should only be a intermediate solution.

Name Resolve Order

   1 ### DEFAULT
   2 name resolve order = lmhosts host wins bcast

host means resolution with DNS

Print Server

Some defaults

   1 [global]
   2 printing = cups
   3 printcap name =
   4 addprinter command = 
   5 deleteprinter command = 
   6 lppause command = 
   7 lpq command = %p
   8 lpresume command = 
   9 lprm command = 
  10 print command = 
  11 queuepause command = 
  12 queueresume command = 

The share [$print] serves printer drivers.

   1 # Windows clients look for this share name as a source of downloadable
   2 # printer drivers
   3 [print$]
   4    comment = Printer Drivers
   5    path = /var/lib/samba/printers
   6    browseable = yes
   7    read only = yes
   8    guest ok = no
   9 # Uncomment to allow remote administration of Windows print drivers.
  10 # You may need to replace 'lpadmin' with the name of the group your
  11 # admin users are members of.
  12 # Please note that you also need to set appropriate Unix permissions
  13 # to the drivers directory for these users to have write rights in it
  14 ;   write list = root, @lpadmin

Drivers are sorted by architecture
ls -l /var/lib/samba/printers

   1 insgesamt 0
   2 drwxr-xr-x 1 root root 0  9. Jun 2018  color
   3 drwxr-xr-x 1 root root 0 26. Oct 2017  COLOR
   4 drwxr-xr-x 1 root root 0 26. Oct 2017  IA64
   5 drwxr-xr-x 1 root root 0 26. Oct 2017  W32ALPHA
   6 drwxr-xr-x 1 root root 0 26. Oct 2017  W32MIPS
   7 drwxr-xr-x 1 root root 0 26. Oct 2017  W32PPC
   8 drwxr-xr-x 1 root root 6  9. Jun 2018  W32X86
   9 drwxr-xr-x 1 root root 0 26. Oct 2017  WIN40
  10 drwxr-xr-x 1 root root 6  9. Jun 2018  x64

The share [printers] provides access to the printers.

   1 [printers]
   2    comment = All Printers
   3    browseable = no
   4    path = /var/spool/samba
   5    printable = yes
   6    guest ok = no
   7    read only = yes
   8    create mask = 0700

Registry configuration

Wiki EN Windows Registry

smb.conf stays initial configuration and has precedence.

The file /var/lib/samba/registry.tdb may be spread automatically to other cluster nodes using #ctdb.

Registry may be edited using the WINREG-RPC-Service, which is provided by Samba.

Key: HKLM\Software\Samba\smbconf

Please see also

• #net conf

• #net registry

• #samba-regedit

• #tdbtool

Shares from registry

/etc/samba/smb.conf

   1 [global]
   2 ### STORE SHARES IN REGISTRY
   3 registry shares = yes

• Shares are loaded on demand
  • Reduced memory footprint
  • Faster operation

• Shares in smb.conf also provided

  • On duplicate definition

    smb.conf has precedence over registry

Configuration only from registry

/etc/samba/smb.conf

   1 [global]
   2 ### DEFAULTS
   3 #config backend = file
   4 #config file =
   5 ### STORE WHOLE CONFIGURATION IN REGISTRY
   6 config backend = registry

• Whole configuration is stored in registry

• registry shares = yes is implicitly set

Configuration from file and registry

/etc/samba/smb.conf

   1 [global]
   2 ### OVERRIDES
   3 include = registry
   4 ### OVERRIDDEN

• The include semantics are still active.
  • Registry may override earlier definitions as well as
  • Registry may be overridden by later definitions.

• registry shares = yes is implicitly set with this option

RODC

On sites with a lower level of security (e.g. DMZ) it’s generally a better idea to use a RODC.

• No passwords are safed on a RODC.
• Users or groups, that should be able to authenticate to a RODC, have to be specified explicitly

With Samba RODC setups are possible starting with version 4.8.

1. Configure /etc/hosts

2. Configure DNS on the existing DCs
   • Create new DNS zones (forward/reverse)
   • Create A/PTR records in the AD for the RODC
   • Allow Bind9 to accept queries from other subnets
3. Open firewall
   • Kerberos, DNS, …
4. Install the packages like on a regular DC

5. Copy /etc/krb5.conf to RODC

6. Join the domain as RODC

   #samba-tool domain join

7. Configure a read-only Bind9 setup on the RODC (e.g. copy configuration from another DC)

8. Configure Systemd to enable samba-ad-dc.service

RODCs are never listed in SRV records. DCs can also be identified via /var/lib/samba/private/dns_update_list.

DHCP server

There is a very good description in
Samba Wiki — Configure DHCP to update DNS records with BIND9

smbstatus

   1 smbstatus --help
   2 smbstatus
   3 Samba version 4.13.2-Debian
   4 PID     Username     Group    Machine   Protocol Version  Encryption  Signing              
   5 -----------------------------------------------------------------------------
   6 
   7 Service      pid     Machine  Connected at                Encryption  Signing     
   8 -----------------------------------------------------------------------------
   9 
  10 No locked files

smbclient

Show list of shares

   1 % smbclient -L libertas
   2 Enter DUNGEON\tobias's password: 
   3 
   4         Sharename       Type      Comment
   5         ---------       ----      -------
   6         print$          Disk      Printer Drivers
   7         IPC$            IPC       IPC Service (Samba 4.13.2-Debian)
   8         tobias          Disk      Home Directories
   9         gargantua_HP_Color_LaserJet Printer   gargantua_HP_Color_LaserJet
  10         gargantua_HP_Color_LaserJet@gargantua.local Printer   gargantua_HP_Color_LaserJet@gargantua.local
  11         PDF             Printer   PDF
  12 SMB1 disabled -- no workgroup available

smbcontrol

Since smbd runs a process for ever client, it is possible to the change log level for a single remote host, while process is running.

   1 IP=10.0.0.11
   2 HNAME=hostname
   3 $PID_SMBD="$(smbstatus |grep -e "$IP" -e "$HNAME" |cut -d\  -f1)"
   4 smbcontrol "$PID_SMBD" debug 5

This comes in very handy.

net

net uses positional parameters. Fill missing arguments with the empty string «».

net ads

Join AD-Domain, the computer account will be created automatically.

   1 net adc join -U Administrator

net groupmap

List group mappings

Add a group mapping manually

   1 net groupmap add ntgroup="Devel" unixgroup=devel
   2 net groupmap add ntgroup="QA" unixgroup=qa
   3 net groupmap add ntgroup="Sales" unixgroup=sales
   4 #…
   5 

Modify group mapping manually

   1 net groupmap modify ntgroup="Domain Admins" unixgroup=root
   2 net groupmap modify ntgroup="Domain Users" unixgroup=users
   3 net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
   4 #…
   5 

net getlocalsid

Export sid of domain SAMBA

This may be used for a backup or to set the sid on a NT4 BDC.

net setlocalsid

All domain controllers need the same SID.

The SID may be set like this e.g. on a NT4 BDC.

   1 net setlocalsid S-1-5-21-x-y-z

net conf

An cli API for registry operations

   1 net conf           
   2 Usage:
   3 net conf list            Dump the complete configuration in smb.conf like format.
   4 ### USEFUL DURING MIGRATIONS - BE CAREFUL
   5 ### OVERWRITES ALL VALUES AND REMOVES MISSING FROM REGISTRY
   6 net conf import          Import configuration from file in smb.conf format.
   7 net conf listshares      List the share names.
   8 ### BE CAREFUL
   9 net conf drop            Delete the complete configuration.
  10 net conf showshare       Show the definition of a share.
  11 net conf addshare        Create a new share.
  12 net conf delshare        Delete a share.
  13 net conf setparm         Store a parameter.
  14 net conf getparm         Retrieve the value of a parameter.
  15 net conf delparm         Delete a parameter.
  16 net conf getincludes     Show the includes of a share definition.
  17 net conf setincludes     Set includes for a share.
  18 net conf delincludes     Delete includes from a share definition.

Export modify and reimport registry

To simplify complex changes

   1 net conf list > smb_registry.conf
   2 ### MODFIFY IT WITH YOUR BELOVED EDITIOR
   3 net conf import smb_registry.conf

net dom

• Sync times
• DNS must work
• DNS must resolve to fqdn

Join a remote client to domain and optionally reboot the machiine

   1 read SECRET_LOCAL
   2 read SECRET_DOMAIN
   3 net dom join -S hostname \
   4         -U HOSTNAME\\administrator%"$SECRET_LOCAL" \
   5         domain=DOMAIN account=root password="$SECRET_DOMAIN" \
   6         reboot
   7 net dom unjoin …

There is also a GUI called #netdomjoin-gui

net registry

Please see also #net conf

List registry keys

   1 net registry enumerate HKLM/Software/Samba/smbconf
   2 net registry enumerate HKLM/Software/Samba/smbconf/homes

net rpc

List users

List groups

Join domain, the computer account will be created automatically.

   1 net rpc join -U Administrator

net rpc rights

Grant the right to show and edit the Samba configuration stored in registry to a user.

   1 net rpc rights grant root SeDiskOperatorPrivilege -U root

From windows

   1 net use \\samba.domain.tld /user:root
   2 regedit

Special privileges

net rpc trustdom

List Interdomain trust relationships

• NT4: directed (one-sided)
• ADC: symmetric, transient

List trusts

   1 read -r -p "Password: " PASSWORD
   2 net rpc trustdom list -U root%"$PASSWORD"

Samba as trusting domain

Add a unix account trusted$ and create «domain machine account» «TRUSTED» for the trusted domain.

   1 useradd "trusted$"
   2 read -r -p "Remote password: " PASSWORD1
   3 read -r -p "Local password: " PASSWORD2
   4 net rpc trustdom add TRUSTED "$PASSWORD1" -U "root%$PASSWORD2"

Delete domain account for trust

Remove a domain machine account (by the trusting domain)

   1 net rpc trustdom del TRUSTED

Samba as trusted domain

   1 net rpc trustdom establish TRUSTED

Leave domain trust

Revoke a domain trust (by the trusted domain)

   1 net rpc trustdom del TRUSTED

net rpc vampire

Tool to migrate MS Windows NT4 domains to Samba.

1. Prepare the Samba configuration
   • BDC setup {{{#highlight ini

[global] workgroup = NT4DOMAIN domain master = no domain logons = yes }}}

• backends (ldap/tdb)
• scripts like (add user script, …)

1. Stop smbd
2. Join the Domain as a BDC
3. Create a copy of the NT4-Domain.

      1 net rpc vampire -S nt4pdc -U administrator
   

4. List and check result with pdbedit -L

5. Prepare ID-mapping with winbind
6. Check and manually correct the mappping of NT groups to unixgroups

   Please see #net groupmap

7. Migrate profiles and policies

8. You may use convmv, which is available in the Debian repos to change the character encoding of the filenames.

      1 convmv -f cp850 -t utf8 -r /media/samba
   

net sam

since 3.0.23

Modify local user-database

• Only root is allowed to use net sam.

• Samba server does not need to run.

• winbindd must run to use group-mapping.

   1 net sam show
   2 ### SET ATTRIBUTES
   3 net sam set
   4 ### MODIFY POLICIES
   5 net sam policy

net usershare

A full round

   1 # net usershare add Tobias_Public /home/tobias/Öffentlich "Tobias public share" 'Everyone:r,LIBERTAS\tobias:f' guest_ok=y
   2 # net usershare list
   3 Tobias_Public
   4 # net usershare info
   5 [Tobias_Öffentlich]
   6 path=/home/tobias/Öffentlich
   7 comment=Tobias public share
   8 usershare_acl=Everyone:R,LIBERTAS\tobias:F,
   9 guest_ok=y
  10 ### LIST USERSHARES OF ALL USERS
  11 # net usershare info -l
  12 #net usershare delete Tobias_Public
  13 

smbldap-tools

smbpasswd

smbpasswd also synchronizes the unix password in opposite to pdbedit, if unix password sync is set in smb.conf.

Add user account

Before adding a account make sure a corresponding unix-account does exist. Please also take look on the notes to #Accounts

1. Create a unix account.
2. Create the corresponding samba account.
3. Enable the samba account

Add machine account

1. Create a unix machine account,

   which is suffixed by a $ sign.

      1 useradd -d /dev/null -s /bin/false machine$
   

2. Create the corresponding samba machine account.

   The $ sign is appended automatically when using -m.

      1 smbpasswd -a -m machine
   

3. Enable the samba account

You may now join the domain.

Set ldap password

Set the password for ldap access

Domain-SID, ldap admin credentials and computer-account to join domain are stored in a file secrets.tdb in the private directory usually
/var/lib/samba/private/secrets.tdb

Other actions

Change password

Disable user

Delete user

pdbedit

Tool to modify, back-up and migrate passdb.

The extended attributes are only supported, if passdb backend is not set to smbpasswd, which only contains username ans hash. SO always check if changes are committed.

smbpasswd also synchronizes the unix password in opposite to pdbedit, if unix password sync is set in smb.conf.

Before adding a account make sure a corresponding unix-account does exist. Please also take look on the notes to #Accounts

Add user

   1 pdbedit -a username -f 'Test User' -h '\\SERVER\test'

Delete user

List users

List user attributes (verbosely)

Actions on backends

Convert passdb