Friday, May 12, 2006
Samba In Fedora Core 4 and 5 (SELinux enabled)
1. Use the correct user to connect to the share (guest account = root and guest ok = yes gives access with no security at all)
2. Create iptables holes for netbios ports 137:139 tcp/udp
3. samba_selinux requires the following:
3.a To allow access to home directories, enable the boolean: setsebool -P samba_enable_home_dirs 1
3.b To enable sharing of any other directory such as /var/eng do:
chcon -t samba_share_t /var/eng
or permanently in /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local add
/var/eng(/.*)? system_u:object_r:samba_share_t
[taken from man samba_selinux]
Setup Samba in Fedora Core 5
20 March 2006
Make sure you have Samba installed in the installation process.
EDIT /etc/samba/smb.conf
Set your Windows Workgroup name in [global] section.
Add shares at the end of the file:
[media]
path = /mnt/media
public = yes
writable = no
[work]
path = /mnt/work
public = yes
writable = yes
If 'writable = yes', the location needs to be writable in Linux first.
Example: NTFS is not writable in Linux.
If home data (all work in /home/username) is to be accessible,
then set 'browseable = yes' under [homes] (~line 182).
Start Samba and check for errors:
/etc/init.d/smb start
Use chkconfig or serviceconf to enable samba (smb) in both runlevels 3 and 5.
[root@charon samba]# chkconfig --list smb
smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@charon samba]# chkconfig --level 35 smb on
[root@charon samba]# chkconfig --list smb
smb 0:off 1:off 2:off 3:on 4:off 5:on 6:off
Add users who can access these shares with the 'smbpasswd' command.
This does NOT need to match your Linux password. This should be the
login name and password you use from Windows when accessing your
Linux computer.
[root@charon samba]# smbpasswd -a username
New SMB password:
Retype new SMB password:
Added user username.
(Note: 'username' must be a valid account on the machine)
Restart Samba for every change to users/passwords or 'smb.conf'
[root@charon samba]# /etc/init.d/smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
Firewall and SELinux Users
Run 'system-config-securitylevel'
Firewall Options:
To allow Samba access to work through your firewall you
must set 'Samba' as a 'Trusted service'.
SELinux:
Modify SELinux Policy > Samba
Disable SELinux protection for smbd daemon
On the command line you can run:
[root@charon ~]# setsebool -P smbd_disable_trans 1
Run 'man samba_selinux' for more help.
For any changes made above to the SELinux settings or smb.conf,
make sure to RESTART samba!
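The share definitions and the "writable in Linux first" check above lend themselves to a scripted audit. The following Python script is an added example, not code from the original post: it parses an smb.conf containing the two shares defined above (a constructed sample; the HOMENET workgroup is assumed) and flags shares that combine 'public = yes' with 'writable = yes', which lets anonymous clients write, as well as shares whose path does not exist on the host. The path_exists parameter is a hook so the check can be run against another host's listing.

```python
import configparser
import os

# Constructed sample smb.conf using the two shares defined in the post.
SAMPLE_SMB_CONF = """
[global]
workgroup = HOMENET

[media]
path = /mnt/media
public = yes
writable = no

[work]
path = /mnt/work
public = yes
writable = yes
"""

def parse_smb_conf(text):
    """Parse smb.conf text; interpolation is off so %U-style macros survive."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def share_flags(section):
    """Return (guest_ok, writable), honouring Samba's synonym parameters."""
    guest = _yes(section.get("guest ok", section.get("public", "no")))
    if "read only" in section:
        writable = not _yes(section["read only"])
    else:
        writable = _yes(section.get("writable", section.get("writeable", "no")))
    return guest, writable

def audit_shares(cp, path_exists=os.path.isdir):
    """Flag anonymous-writable shares and shares whose path is missing."""
    findings = []
    for name in cp.sections():
        if name == "global":
            continue
        guest, writable = share_flags(cp[name])
        if guest and writable:
            findings.append((name, "guest ok + writable: anonymous clients can write here"))
        if name not in ("homes", "printers"):  # these derive their path dynamically
            path = cp[name].get("path", "")
            if not path_exists(path):
                findings.append((name, f"path '{path}' does not exist on this host"))
    return findings
```

Run it against /etc/samba/smb.conf by passing the file contents to parse_smb_conf and printing audit_shares' result.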
Monday, May 01, 2006
Joining a Fedora Core 4 Workstation/Server to a Windows NT4 Domain
At the minimum, you will need:
- samba-common-3.x
- samba-client-3.x
- samba-3.x
Winbind, the component you need to join a Windows domain, is in the samba package.
Overview of the Process
Here is what we will need to do:
Joining the Domain
- On the Windows NT 4 Domain Controller, create an account in the Server Manager application for the Linux server, using the Linux server's NetBIOS name.
- Install the Samba packages or the "Windows File Server" package group, if you have not already done so.
- Backup the system configuration files you will be changing.
- Edit /etc/nsswitch.conf to add Winbind.
- Edit /etc/samba/smb.conf to define the domain and "shared folders". Adjust the permissions on the shared directories, so that users can write and read from them.
- Edit /etc/pam.d/login to add Winbind authentication.
- Add exceptions to firewall rules to allow Windows clients to connect to shared folders.
- Start Samba and Winbind services.
- Test on the Linux system that you can retrieve login and group information from the Windows domain.
- Test on Windows clients that they can connect to the Linux system, browse shares, read and write files.
If all goes well, hopefully, you will have a functioning Linux Samba server that can service Windows clients.
Notice that I am not using the authconfig utility here. I found it a dead-end when I used it, as it did not configure everything like I expected it to -- automagically! You may have more success with it though, as essentially, it does the same (I think) changes to the system configuration files as described here.
Backup the System Configuration Files
I will assume that the server's NetBIOS name has been added to the Server Manager, and that the necessary Samba packages have been successfully installed.
The files you will need to backup are:
- /etc/nsswitch.conf
- /etc/samba/smb.conf
- /etc/pam.d/login
It is absolutely essential that you back up these files! If there are any typos or mistakes, the result could be a locked system which you cannot log in to. You will also need to keep your Fedora Rescue CD handy. If things turn bad, you may need to use it to boot to single user mode and restore the backup configuration files.
Edit /etc/pam.d/login
You will need to add a couple of lines into this file. I can't figure out how to color code them in Docbook, so you will need to compare the file below with your own file to see where the changes are. A hint: they all contain the string pam_winbind.so.
Example 2. Additions to /etc/pam.d/login
#%PAM-1.0
Samba configuration via /etc/samba/smb.conf
Here's where it can get complicated. You will need to use the information you gathered earlier about your Windows domain and plug the values into various parts of your smb.conf, and also define the "folders" that you want to share (I hate using the term "folders", which is a Windows metaphor, but I guess I'll have to use it here because it is most appropriate, if not entirely accurate, from a purist perspective).
You will need to locate and change the values in several lines. Assuming we have a domain called TEMASEK, and a WINS server address of 192.168.1.10, and our server name is FCSAMBA, then these are the lines you will need to locate and change:
Example 3. Define the Windows Domain
# workgroup = NT-Domain Name or Workgroup-Name
Next, you need to define the NetBIOS name.
Example 4. Define the NetBIOS name
# server string is the equivalent of the NT Description field
Now, we specify the WINS server address:
Example 5. Specify the WINS server address
# WINS Server - Tells the NMBD components of Samba to be a WINS client
Now, just before the Share Definitions, we add some Winbind parameters:
Example 6. Winbind parameters
winbind separator = +
Under the Share Definitions section, you need to add:
I'm not exactly sure what the lines above do or define, but they were mentioned in some articles, so I just added them in.
Now we can define some shares. For simplicity, I am defining one shared directory, accessible by everybody.
Because we are giving universal access to the directory /shares, we will need to adjust the permissions for that folder:
[root@localhost ~]# chmod go+rw /shares
Now you should connect your machine to the network, if you have not already done so, and get ready to test.
Add Exceptions to Firewall Rules
Fedora blocks Samba traffic in the default firewall rules, so you will need to add a few exceptions to the rules in order to give access to shared resources. At the minimum, this is what you need:
[root@localhost ~]# iptables -I INPUT -p udp -m multiport --destination-port 137,138 -j ACCEPT
Starting Samba and Winbind
You will need to be the root user. We will use the service utility in Fedora to start Samba and Winbind.
[root@localhost ~]# /sbin/service samba start
Both services should start OK. Once started, we will be ready to test.
If you are experiencing problems starting Samba, you should restore your old smb.conf file and see if that starts OK. Also, check if there are any typos inside the file that you edited.
Joining the Domain and Testing
Let's try to join the domain now. As root user,
[root@localhost ~]# net rpc join -W TEMASEK -U
Here, we are trying to join the domain called TEMASEK using the domain administrator account. If you have a domain account, you can use that too. If all goes well, you should be prompted for a password. Key in the NT administrator's password and you should get a message that says:
Joined domain TEMASEK
If you have a large domain and a lot of domain accounts, you may get a spurious error:
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
If you have a large domain and a lot of accounts, the time to get to the password prompt can be extremely long, like 5 minutes or more. If you are unable to log in the first time, try several more times. The error could be the result of a timeout because the server cannot authenticate fast enough. This problem is not peculiar to Linux. When I join a new Windows system to the domain, I sometimes get a similar error. I'm not sure how to fix this in the long term, but I find that retrying several times usually does the trick.
Once you have successfully joined the domain, you can test that your server can gather information about domain groups and users. Note again that if you have a large domain these queries can take a very long time to complete and may scroll off the screen. Spurious errors may also be thrown.
To check that you are successfully joined to the domain,
[root@localhost ~]# wbinfo -t
Check that you can grab the domain groups.
[root@localhost ~]# wbinfo -g
Check that you can get the domain users. This process may take a very long while (about 5 minutes for 1,000+ accounts) or throw spurious errors.
[root@localhost ~]# wbinfo -u
If you get successful results from the last few commands, you can check whether you can browse the shared resources from another Windows computer on the same domain. Simply launch Network Neighbourhood or My Network Places and browse to the domain, which displays all the computers that are currently on the domain. Try to locate your Linux server there and click on it. You should see the shared resources.
Some Observations
One of the first things I noticed was how much more responsive my Samba server was in serving files, compared to the Windows file servers that I had on the same network, even though the Samba server was a lower-powered machine, with less RAM and a slower processor.
I hope this article was useful to you. It took a long while for me to get to this stage, and I know that there are still a lot more configuration nuances that I have not explored yet. If you spotted any errors, please do let me know!
Monday, March 06, 2006
What I have been doing.
1. I know how to change the Linux hostname: /etc/sysconfig/network
2. The Linux hosts file is /etc/hosts
3. Installing rarlinux-3.5.1.tar.gz requires compat-libstdc++-33-3.2.3-47.fc4.i386.rpm
4. Installing ie4linux from www.tatanka.com.br/ie4linux (Farsi: major problems)
5. Installing apache, php, mysql, phpmyadmin (using the Fedora Core default installations is enough; no manipulation required)
6. DO NOT zip or unzip with the GUI: files unzipped that way into the web shared folder will not be accessible via the web. tar xvf had the same problem. USE MC TO UNZIP and the COMMAND LINE to zip.
7. Farsi fonts have all been rpm packaged: bfonts, farsiweb, un_beed_fonts and mscorefonts
8. I can connect with Samba (GUI and the smbclient command) and create Samba mount points using fstab like this: //192.168.0.100/C$ /media/SERVERC smbfs username=user,password=pass 0 0 (a password written into /etc/fstab is readable by every local user; the credentials= mount option keeps it in a separate, root-only file instead)
9. Samba server has to be installed and run and users must be allowed to pass through the iptables hole like this:
iptables -I INPUT 1 -p tcp --source 10.0.0.1/255.255.255.0 --dport 137:139 -j ACCEPT
iptables -I INPUT 1 -p udp --source 10.0.0.1/255.255.255.0 --dport 137:139 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
10.0.0.1/255.255.255.0 is my computer's IP
****. DO NOT USE THE SAMBA SERVER SETTINGS IN system settings->server settings->samba
Right Click on the folders and share them instead
Samba users may be a subset of Linux users; use smbpasswd -a user to add users
10. Compiling and installing almost any source in linux may be done as below:
./configure
make
make install
make clean
11. Running/Stopping service in RPM packages after rpm package installation is done in
System Settings->Server Settings->Services
12. Installing knetstats (the KDE network monitor) from source requires MANY packages already distributed with Linux, including Qt, which is spelled qt in the DVD RPM folder
ps: find /media/cdrecorder/Fedora/RPMS/ -name "*qt*.*"
13. Autorunning a non-KDE, service-like application may be done using
cd /root/.kde/Autostart/
knetstats.desktop is the file that has to be copied in this folder after finishing knetstats installation
Look at the file format for inspirations to make other similar ones
PS: kinit application_name did the same for me
14. iptables and firewall settings: I'm using the minimal one at
http://danieldegraaf.afraid.org/info/iptables/
A minimal client-friendly config
# Generated by iptables-save v1.2.11 on Tue May 10 08:06:58 2005
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# ftp / webserver related
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Windows / Samba
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
# up to 5 Bit-torrent connections
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6886 -j ACCEPT
# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue May 10 08:06:58 2005
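The ruleset above opens ports 137:139 and 445 to every source address, while the holes in item 9 are limited to one subnet. As an added example (not from the original post or the linked site), this Python script parses iptables-save rule lines, lists the INPUT ACCEPT rules that expose SMB ports without a source restriction, and rewrites such a rule with a -s subnet match; the sample rules and the 10.0.0.0/24 network are constructed for the demonstration.

```python
import shlex
# Constructed sample: the Samba lines of the ruleset above, plus one rule
# written with the source restriction the post's own iptables holes use.
SAMPLE_RULES = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m multiport --destination-port 137,138 -j ACCEPT
-A INPUT -p udp -s 10.0.0.0/24 --dport 137:139 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""
SMB_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session and direct SMB

def _ports(spec):
    """Expand '137:139' or '445' into a set of port numbers."""
    lo, _, hi = spec.partition(":")
    return set(range(int(lo), int(hi or lo) + 1))

def parse_rule(line):
    """Extract chain, source, target and destination ports from a rule line."""
    toks = shlex.split(line)
    rule = {"chain": None, "source": None, "target": None, "dports": set()}
    for i, tok in enumerate(toks[:-1]):
        nxt = toks[i + 1]
        if tok == "-A":
            rule["chain"] = nxt
        elif tok in ("-s", "--source"):
            rule["source"] = nxt
        elif tok == "-j":
            rule["target"] = nxt
        elif tok in ("--dport", "--dports", "--destination-port", "--destination-ports"):
            for part in nxt.split(","):
                rule["dports"] |= _ports(part)
    return rule

def unrestricted_smb_rules(text):
    """INPUT ACCEPT rules that open an SMB port to any source address."""
    hits = []
    for line in text.splitlines():
        if not line.startswith("-A"):
            continue
        r = parse_rule(line)
        if (r["chain"] == "INPUT" and r["target"] == "ACCEPT"
                and r["dports"] & SMB_PORTS and r["source"] is None):
            hits.append(line)
    return hits

def restrict_to(line, cidr):
    """Rewrite a rule so it only matches the given source network."""
    chain_end = line.index(" ", line.index("-A ") + 3)
    return f"{line[:chain_end]} -s {cidr}{line[chain_end:]}"
```

Feed it the output of iptables-save to review a live ruleset; each hit is a rule worth tightening to the client subnet before saving with iptables-save > /etc/sysconfig/iptables.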
WHAT I HAVE TO WORK ON THIS WEEK:
1. installation of a reliable linux internet server including the following:
a. domain controller
b. firewall
c. DHCP server
d. DNS
e. router/NAT server
g. cache server
I have almost all I require on en-bank's USB Flash
2. I have to work on the single floppy linux routers like http://bakskuru.se/fredrik/freesco/
and the more serious ones like http://www.clarkconnect.com/downloads/ and smoothwall-2.0.iso on the USB
3. I have to work on Open Source ERPs like ERP5 and that german one
4. Have to wrap up the Dr's project tonight.
5. I have to work on ipwireless installation by the rodent, hopefully if this works I can continue with #1.
PS: and man! look at these smart hardworking people and move that huge butt of yours you !@#$%^&