Friday, May 12, 2006
Samba In Fedora Core 4 and 5 (SELinux enabled)
1. Connect to the share as a valid user. Setting guest account = root together with guest ok = yes removes all access control: every anonymous connection is mapped to uid 0.
2. Open iptables holes for the NetBIOS ports: 137 and 138 udp, 139 tcp. Samba also listens on 445 tcp for direct-hosted SMB, so open that as well.
3. With SELinux enforcing, samba_selinux requires the following:
3.a To let smbd serve home directories, enable the boolean: setsebool -P samba_enable_home_dirs 1
3.b To share any other directory, such as /var/eng, label it (recursively, so files already inside get the type too):
chcon -R -t samba_share_t /var/eng
or permanently, so the label survives a relabel, in /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local add
/var/eng(/.*)? system_u:object_r:samba_share_t
and then run restorecon -R /var/eng to apply it; check the result with ls -dZ /var/eng.
[taken from man samba_selinux]
Setup Samba in Fedora Core 5
20 March 2006
Make sure the samba package was selected during installation (check with rpm -q samba).
EDIT /etc/samba/smb.conf
Set your Windows Workgroup name in [global] section.
Add shares at the end of the file:
[media]
path = /mnt/media
public = yes
writable = no
[work]
path = /mnt/work
public = yes
writable = yes
If a share is 'writable', its path must be writable on the Linux side first (for example, NTFS volumes were read-only under Linux at the time, so they cannot be writable shares). Note also that 'public = yes' is a synonym for 'guest ok = yes': the share can be reached without a password, so only combine it with 'writable = yes' for data that anyone on the network may change.
If home data (all work in /home/username) is to be accessible,
then set 'browseable = yes' under [homes] (around line 182).
Check smb.conf for syntax errors with testparm, then start Samba:
/etc/init.d/smb start
Use chkconfig or serviceconf to enable samba (smb) in both runlevels 3 and 5.
[root@charon samba]# chkconfig --list smb
smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@charon samba]# chkconfig --level 35 smb on
[root@charon samba]# chkconfig --list smb
smb 0:off 1:off 2:off 3:on 4:off 5:on 6:off
Add users who can access these shares with the 'smbpasswd' command.
This does NOT need to match your Linux password. This should be the
login name and password you use from Windows when accessing your
Linux computer.
[root@charon samba]# smbpasswd -a username
New SMB password:
Retype new SMB password:
Added user username.
(Note: 'username' must be a valid account on the machine)
Restart Samba after every change to smb.conf (smbpasswd changes take effect for new sessions without a restart, but restarting does no harm):
[root@charon samba]# /etc/init.d/smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
Firewall and SELinux Users
Run 'system-config-securitylevel'
Firewall Options:
To allow Samba access to work through your firewall you
must set 'Samba' as a 'Trusted service'.
SELinux:
Modify SELinux Policy > Samba
Disable SELinux protection for smbd daemon
On the command line you can run:
[root@charon ~]# setsebool -P smbd_disable_trans 1
Be aware that this runs smbd unconfined, so SELinux no longer limits what a compromised smbd can read or write. Prefer keeping the transition enabled and labelling the shared directories samba_share_t (chcon / file_contexts.local, as in the notes above) plus the samba_enable_home_dirs boolean; fall back to smbd_disable_trans only for a directory that cannot be labelled.
Run 'man samba_selinux' for more help.
For any changes made above to the SELinux settings or smb.conf,
make sure to RESTART samba!
Monday, May 01, 2006
Joining a Fedora Core 4 Workstation/Server to a Windows NT4 Domain
At the minimum, you will need:
- samba-common-3.x
- samba-client-3.x
- samba-3.x
Winbind, the component you need to join a Windows domain, is in the samba package.
Overview of the Process
Here is what we will need to do:
Joining the Domain
- On the Windows NT 4 Domain Controller, create an account in the Server Manager application for the Linux server, using the Linux server's NetBIOS name.
- Install the Samba packages or the "Windows File Server" package group, if you have not already done so.
- Back up the system configuration files you will be changing.
- Edit /etc/nsswitch.conf to add Winbind.
- Edit /etc/samba/smb.conf to define the domain and "shared folders". Adjust the permissions on the shared directories so that users can read from and write to them.
- Edit /etc/pam.d/login to add Winbind authentication.
- Add exceptions to the firewall rules to allow Windows clients to connect to shared folders.
- Start the Samba and Winbind services.
- Test on the Linux system that you can retrieve login and group information from the Windows domain.
- Test on Windows clients that they can connect to the Linux system, browse shares, and read and write files.
If all goes well, hopefully, you will have a functioning Linux Samba server that can service Windows clients.
Notice that I am not using the authconfig utility here. I found it a dead-end when I used it, as it did not configure everything like I expected it to -- automagically! You may have more success with it though, as essentially, it does the same (I think) changes to the system configuration files as described here.
Backup the System Configuration Files
I will assume that the server's NetBIOS name has been added to the Server Manager, and that the necessary Samba packages have been successfully installed.
The files you will need to backup are:
- /etc/nsswitch.conf
- /etc/samba/smb.conf
- /etc/pam.d/login
It is absolutely essential that you back up these files! A typo or mistake in them can leave you with a locked system that you cannot log in to. You will also need to keep your Fedora Rescue CD handy. If things turn bad, you may need to use it to boot to single-user mode and restore the backed-up configuration files.
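The Winbind entries for /etc/nsswitch.conf are not shown in this post, and since a mistake in that file is one of the ways to lock yourself out, the edit is worth scripting. The following is an added example, not part of the original article: a POSIX shell function that appends the winbind NSS module to the passwd and group lines, keeps the untouched original as <file>.orig, and can be re-run safely. The nsswitch.conf it writes is a constructed sample modelled on the Fedora Core 4 default.

```sh
#!/bin/sh
# Add the winbind NSS module to the passwd and group databases in an
# nsswitch.conf, keeping a copy of the untouched original as <file>.orig
# (only the first run creates it, so it always holds the pre-Winbind file).
# The edit is idempotent: lines that already list winbind are left alone.
add_winbind_to_nsswitch() {
    conf=$1
    [ -e "$conf.orig" ] || cp -p "$conf" "$conf.orig"
    tmp="$conf.tmp.$$"
    awk '
    /^[ \t]*#/ { print; next }                   # keep comments exactly as they are
    /^[ \t]*(passwd|group):/ && $0 !~ /(^|[ \t])winbind([ \t]|$)/ { $0 = $0 " winbind" }
    { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# List the databases that consult winbind, one per line (comments ignored).
winbind_databases() {
    awk -F: '/^[ \t]*#/ { next } /(^|[ \t])winbind([ \t]|$)/ { print $1 }' "$1"
}

# Constructed sample (not a real system file), modelled on the FC4 default.
write_sample_nsswitch() {
    cat > "$1" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:     files
shadow:     files
group:      files
hosts:      files dns
EOF
}

# Stand-alone demonstration: edit a copy, run twice to show idempotence.
f=$(mktemp)
write_sample_nsswitch "$f"
add_winbind_to_nsswitch "$f"
add_winbind_to_nsswitch "$f"
cat "$f"
winbind_databases "$f"
rm -f "$f" "$f.orig"
```

Run it against a copy of your own file first; the real edit is `add_winbind_to_nsswitch /etc/nsswitch.conf` as root, and `/etc/nsswitch.conf.orig` is then the file to put back from the rescue CD if logins break. Note that `shadow:` is deliberately left alone: Winbind does not provide shadow entries.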
Edit /etc/pam.d/login
You will need to add a couple of lines into this file. I can't figure out how to color code them in Docbook, so you will need to compare the file below with your own file to see where the changes are. A hint: they all contain the string pam_winbind.so.
Example 2. Additions to /etc/pam.d/login
#%PAM-1.0
Samba configuration via /etc/samba/smb.conf
Here's where it can get complicated. You will need to use the information you gathered earlier about your Windows domain and plug the values into various parts of your smb.conf, and also define the "folders" that you want to share (I hate using the term "folders", which is a Windows metaphor, but I guess I'll have to use it here because it is the most appropriate term, if not entirely accurate from a purist perspective).
You will need to locate and change the values in several lines. Assuming we have a domain called TEMASEK, a WINS server address of 192.168.1.10, and a server name of FCSAMBA, these are the lines you will need to locate and change:
Example 3. Define the Windows Domain
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = TEMASEK
Next, you need to define the NetBIOS name.
Example 4. Define the NetBIOS name
# server string is the equivalent of the NT Description field
netbios name = FCSAMBA
Now, we specify the WINS server address:
Example 5. Specify the WINS server address
# WINS Server - Tells the NMBD components of Samba to be a WINS client
wins server = 192.168.1.10
Now, just before the Share Definitions, we add some Winbind parameters:
Example 6. Winbind parameters
winbind separator = +
Under the Share Definitions section, you need to add:
I'm not exactly sure what the lines above do or define, but they were mentioned in some articles, so I just added them in.
Now we can define some shares. For simplicity, I am defining one shared directory, accessible by everybody.
Because we are giving everybody access to the directory /shares, we need to adjust its permissions so that any user can read and write there (the directory keeps its execute bits, which users need to traverse it; adding the sticky bit with chmod 1777 would additionally stop users deleting each other's files):
[root@localhost ~]# chmod go+rw /shares
Now you should connect your machine to the network, if you have not already done so, and get ready to test.
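The [media]/[work] shares in the Fedora Core 5 walkthrough above and the everybody-writable /shares directory here all rely on 'public' (an alias for 'guest ok') together with 'writable', and the May 12 notes warn about 'guest account = root'. As an added example that is not part of the original posts, the following POSIX shell/awk script audits an smb.conf for exactly those anonymous-access settings, honouring Samba's parameter synonyms and defaults inherited from [global]. The smb.conf it writes is a constructed sample; testparm remains the authoritative parser, this only flags the risky combinations.

```sh
#!/bin/sh
# Audit an smb.conf for the anonymous-access mistakes discussed on this page:
# a [global] guest account of root, and shares that combine "guest ok = yes"
# (alias: "public") with write access ("writable", "writeable", "write ok",
# or "read only = no"). Samba's own defaults are guest ok = no and
# read only = yes, so only explicit settings can open a share up.
# Prints one finding per line; prints nothing when the file is clean.
audit_smb_conf() {
    awk '
    function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                                 # [section] header
        sub(/^[ \t]*\[/, ""); sub(/\].*$/, "")
        section = norm($0)
        if (!(section in seen)) { seen[section] = 1; order[++n] = section }
        next
    }
    index($0, "=") {                              # key = value
        key = norm(substr($0, 1, index($0, "=") - 1))
        val = norm(substr($0, index($0, "=") + 1))
        yes = (val == "yes" || val == "true" || val == "1")
        if (key == "guest ok" || key == "public")
            guest[section] = yes ? "yes" : "no"
        else if (key == "writable" || key == "writeable" || key == "write ok")
            write[section] = yes ? "yes" : "no"
        else if (key == "read only")
            write[section] = yes ? "no" : "yes"
        else if (section == "global" && key == "guest account" && val == "root")
            print "global: guest account = root (anonymous sessions would run as uid 0)"
        else if (section == "global" && key == "security" && val == "share")
            print "global: security = share (no per-user authentication)"
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (s == "global") continue
            # share-level settings override defaults given in [global]
            g = (s in guest) ? guest[s] : guest["global"]
            w = (s in write) ? write[s] : write["global"]
            if (g == "yes" && w == "yes")
                print s ": guest ok = yes with writable = yes (anonymous write access)"
        }
    }' "$1"
}

# Constructed sample: the [media] and [work] shares from the FC5 walkthrough
# on this page, plus a deliberately bad guest account and a commented-out
# line that the audit must ignore.
write_sample_smb_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = TEMASEK
    security = user
    guest account = root
    ; guest ok = yes   (commented out: must be ignored)

[media]
    path = /mnt/media
    public = yes
    writable = no

[work]
    path = /mnt/work
    public = yes
    writable = yes

[homes]
    browseable = yes
    read only = no
EOF
}

# Stand-alone demonstration: expect findings for [global] and [work] only.
conf=$(mktemp)
write_sample_smb_conf "$conf"
audit_smb_conf "$conf"
rm -f "$conf"
```

Run it as `audit_smb_conf /etc/samba/smb.conf` before restarting Samba. [media] is not reported because it is read-only, and [homes] is not reported because it is writable but never marked public; a share that is both, like [work], is reachable and writable by anyone who can reach port 139 or 445, so the firewall rules below are the only thing standing between it and the rest of the network.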
Add Exceptions to Firewall Rules
Fedora blocks Samba traffic in the default firewall rules, so you will need to add a few exceptions in order to give access to shared resources. At the minimum, you need the NetBIOS name and datagram services (137 and 138 udp) and the session services (139 tcp, plus 445 tcp for direct-hosted SMB):
[root@localhost ~]# iptables -I INPUT -p udp -m multiport --destination-port 137,138 -j ACCEPT
[root@localhost ~]# iptables -I INPUT -p tcp -m multiport --destination-port 139,445 -j ACCEPT
These rules are lost at reboot unless you write them to /etc/sysconfig/iptables with '/sbin/service iptables save'.
Starting Samba and Winbind
You will need to be root user. We will use the service utility in Fedora to start Samba and Winbind.
[root@localhost ~]# /sbin/service smb start
[root@localhost ~]# /sbin/service winbind start
(The Fedora init script for Samba is called smb, as in the FC5 walkthrough above, not samba.)
Both services should start OK. Once started, we will be ready to test.
If you are experiencing problems starting Samba, you should restore your old smb.conf file and see if that starts OK. Also, check if there are any typos inside the file that you edited.
Joining the Domain and Testing
Let's try to join the domain now. As root user,
[root@localhost ~]# net rpc join -W TEMASEK -U Administrator
Here, we are trying to join the domain called TEMASEK using the domain administrator account. If you have a domain account with the right to add machine accounts, you can use that too. If all goes well, you should be prompted for a password. Key in the NT administrator's password and you should get a message that says:
Joined domain TEMASEK
If you have a large domain and a lot of domain accounts, you may get a spurious error:
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
If you have a large domain and a lot of accounts, the time to get to the password prompt can be extremely long, like 5 minutes or more. If you are unable to log in the first time, try several more times. The error could be the result of a timeout because the server cannot authenticate fast enough. This problem is not peculiar to Linux. When I join a new Windows system to the domain, I sometimes get a similar error. I'm not sure how to fix this in the long term, but I find that retrying several times usually does the trick.
Once you have successfully joined the domain, you can test that your server can gather information about domain groups and users. Note again that if you have a large domain these queries can take a very long time to complete and may scroll off the screen. Spurious errors may also be thrown.
To check that the machine account trust secret with the domain is valid (i.e. that the join really succeeded),
[root@localhost ~]# wbinfo -t
Check that you can grab the domain groups.
[root@localhost ~]# wbinfo -g
Check that you can get the domain users. This may take a very long while (about 5 minutes for 1,000+ accounts) or throw spurious errors.
[root@localhost ~]# wbinfo -u
If you get successful results from the last few commands, you can check whether the shared resources can be browsed from another Windows computer on the same domain. Simply launch Network Neighbourhood or My Network Places and browse to the domain, which displays all the computers currently on it. Try to locate your Linux server there and click on it. You should see the shared resources.
Some Observations
One of the first things I noticed was how much more responsive my Samba server was in serving files, compared to the Windows file servers that I had on the same network, even though the Samba server was a lower-powered machine, with less RAM and a slower processor.
I hope this article was useful to you. It took a long while for me to get to this stage, and I know that there are still a lot more configuration nuances that I have not explored yet. If you spotted any errors, please do let me know!