Configuring Samba on Ubuntu Server 10.04

Post by dedwards » Mon Oct 11, 2010 12:24 pm

The instructions below are for configuring Samba with local authentication using the samba account "samba_user". You can change "samba_user" to whatever account name you want.

1. Ensure Samba is installed by issuing the following command:

Code: Select all

sudo apt-get install samba


If Samba is installed the system will tell you it's already installed. If not, it will install it for you.

2. Edit the "/etc/samba/smb.conf" file:

Code: Select all

sudo vi /etc/samba/smb.conf


Under the "[global]" section of the config file, ensure at a minimum the following parameters are set:

Code: Select all

null passwords = yes
guest account = samba_user
workgroup = yourworkgroup
unix password sync = yes
security = user


3. Scroll to the very end of the "smb.conf" file and create your Samba share(s) by using the format below for each share.

Code: Select all

[myshare]
        comment = Share Description
        path = /path/to/directory/you/want/to/share
        public = yes
        guest ok = yes
        write list = @samba_user samba_user
        read only = no
        writable = yes
        printable = no
        create mode = 0770
        directory mode = 0770


Save and exit the smb.conf file.

4. Create a UNIX user to be associated with the Samba user by issuing the following command:

Code: Select all

sudo useradd -d /home/samba_user -s /bin/false -N samba_user


The "-d /home/samba_user" sets the home directory for this user. The "-s /bin/false" sets a "false" shell for that user, meaning that user will not be able to log on to the system and run commands since no shell is set. The "-N" switch tells the system NOT to create a group name out of that username.

Set the password for that user:

Code: Select all

sudo passwd samba_user


You will be prompted for a password twice.

5. Create a Samba user by issuing the following command:

Code: Select all

sudo smbpasswd -a samba_user


You will be prompted for a password twice. This is the password you are going to use to authenticate to the Samba shares.

6. Ensure the "samba_user" is the owner of the share.

Code: Select all

sudo chown -R samba_user /path/to/directory/you/want/to/share


7. Reload and re-start the "smbd" service:

Code: Select all

sudo /etc/init.d/smbd reload
sudo /etc/init.d/smbd restart



OPTIONAL: Integrate Samba with Active Directory

If you need to integrate your Ubuntu Server with Active Directory in order to authenticate AD users to your server's Samba shares, it's easy enough to accomplish. However, if you have implemented Samba using local authentication from the first part of the article, you must make a backup of your current Samba configuration and start with a clean, fresh file.

1. Create a backup of your "/etc/samba/smb.conf" file:

Code: Select all

sudo cp /etc/samba/smb.conf /etc/samba/smb.bak


2. Delete every line in your "/etc/samba/smb.conf" file in order to start fresh. The easiest way to do this is to edit the file with "vi" and press the "d" key twice on every line until all of them are gone and then save the file. I'm sure there is an even easier way, however, I can't think of one.

3. Next, you must install Likewise Open 6. Word of caution: DO NOT install Likewise Open from the Ubuntu repositories because it simply will not work with Samba 3.4, which is the version of Samba Ubuntu Server 10.04 (Lucid) uses. Go to the following URL:

http://www.likewise.com/community/index.php/download/

***UPDATE 4/26/2012*** Likewise has been renamed to BeyondTrust PowerBroker® Identity Services, Open and can now be downloaded at https://github.com/BeyondTrust/pbis-open/releases.

Download the appropriate Likewise Open 6 Stable DEB file for your server. If you are using a 64-bit version of Ubuntu Server, ensure you download the 64-bit version of Likewise Open. The easiest way to download is from the console using wget:

Code: Select all

sudo wget http://www.likewise.com/bits/6.0/8336/LikewiseOpen-6.0.0.8336-linux-amd64-deb.sh


Once downloaded, make the file executable:

Code: Select all

sudo chmod +x LikewiseOpen-6.0.0.8336-linux-amd64-deb.sh


Install the file:

Code: Select all

./LikewiseOpen-6.0.0.8336-linux-amd64-deb.sh


Accept the license agreement and proceed with the install. Enter all the appropriate information for your domain and domain controllers when the program asks. Once the installation is finished, reboot your computer.

4. Next, edit your "/etc/hosts" file:

Code: Select all

sudo vi /etc/hosts


Ensure that your file looks like the example below, where "yourserver" is your Ubuntu server without the domain part, "yourdomain.local" is the FQDN of your AD domain, "192.168.xxx.xxx" is the IP of your domain controller, "dc.yourdomain.local" is the FQDN of your domain controller and "dc" is the hostname of your domain controller without the domain part:

Code: Select all

127.0.0.1 yourserver.yourdomain.local yourserver localhost
192.168.xxx.xxx dc.yourdomain.local dc
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


Save the file.

5. Edit your "/etc/nsswitch.conf" file:

Code: Select all

sudo vi /etc/nsswitch.conf


Comment out the line that reads (place a "#" without the double quotes in front of the line):

Code: Select all

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

so it looks like this:

Code: Select all

# hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4


Finally, ensure the "hosts:" line looks like this:

Code: Select all

hosts:          files dns


Save the file.

6. Next, we are going to go ahead and join the AD domain. Run the following command from the console where "yourdomain.local" is your AD domain, and "Administrator" is a domain account with privileges to join a computer to the domain:

Code: Select all

sudo /opt/pbis/bin/domainjoin-cli join yourdomain.local Administrator


Enter the domain account password and if successful you should get the following message back:

Code: Select all

Warning: System restart required
Your system has been configured to authenticate to Active Directory for the first time. It is recommended that you restart your system to ensure that all applications recognize the new settings.
SUCCESS


Reboot your machine and check in your domain controller under "Active Directory Users and Computers" and you should be able to see your Ubuntu server listed under the "Computers" container.

7. Next, we are going to ensure that each time a domain user logs in to your Ubuntu server via SSH or the console, they use the "/bin/bash" shell and a folder is created for each user under "/home/YOURDOMAIN/username". So run the following two commands:

Code: Select all

sudo /opt/likewise/bin/lwconfig LoginShellTemplate /bin/bash

and

Code: Select all

sudo /opt/likewise/bin/lwconfig HomeDirTemplate %H/%D/%U


8. Next, we want your Ubuntu server to update the DNS every time it boots up, so create the following script under "/etc/init.d":

Code: Select all

sudo vi /etc/init.d/lw-startup


Enter the following in the new file:

Code: Select all

#!/bin/bash
/opt/likewise/bin/lw-update-dns
exit


Save the file and make it executable:

Code: Select all

sudo chmod a+x /etc/init.d/lw-startup


Set up the script to run every time your server boots up:

Code: Select all

cd /etc/init.d

Code: Select all

sudo update-rc.d -f lw-startup defaults


9. Ensure that members of a group in your AD domain are able to "sudo" in your Ubuntu server. On the console run the following command:

Code: Select all

sudo visudo


The command above allows you to edit the "/etc/sudoers" file. This is the ONLY way you should edit this file, don't even think about using just plain old "vi". Enter the following under the "%admin ALL=(ALL) ALL" line:

Code: Select all

%YOURDOMAIN\\AD^GROUP ALL=(ALL) ALL


so the whole section will look like this:

Code: Select all

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%YOURDOMAIN\\AD^GROUP ALL=(ALL) ALL


where "YOURDOMAIN" is your AD domain and "AD^GROUP" is an AD group you want to be able to "sudo" on your machine. The "^" is located right above the "6" key on your keyboard and it's used when you have a two-word AD group (most of them are), since you cannot separate the group name with spaces in your "/etc/sudoers" file.

Press "CTRL" and "O" (the letter NOT ZERO), press enter in the "File Name to Write" prompt and then press "CTRL" and "X" to exit.

Run the following command to verify Samba compatibility with Likewise:

Code: Select all

sudo /opt/likewise/bin/samba-interop-install --check-version


You should get the following message:

Code: Select all

Found smbd version 3.4.7
Samba version supported


10. Next, edit your fresh "/etc/samba/smb.conf" file and enter the following entries:

Code: Select all

[global]
   workgroup = YOURDOMAIN
   realm = YOURDOMAIN.LOCAL
   server string = %h server
   wins server = 192.168.xxx.xxx
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = no
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   idmap uid = 10000-33554431
   idmap gid = 10000-33554431
   usershare allow guests = yes

[Share]
  path = /share
  read only = no
  guest ok = no
  browseable = yes
  valid users = YOURDOMAIN\Administrator
  force user = share


Where "YOURDOMAIN" is your NetBIOS domain name, "YOURDOMAIN.LOCAL" is your full AD domain name, "192.168.xxx.xxx" is the IP of your domain controller, "/share" is the name of your share, "YOURDOMAIN\Administrator" is the AD user you want to have access to that share, and "share" in "force user = share" is the unix account username we are going to create next to have full ownership of that directory path. Save the file.

Change the permissions on your share directory path:

Code: Select all

sudo chmod -R -c 766 /share


Add a user named "share" or whatever you want it to be and give it ownership of that directory path. If you use another username, ensure you change the "force user = " parameter in the "/etc/samba/smb.conf" file to reflect that username:

Code: Select all

sudo useradd share

Code: Select all

sudo chown -R share:share /share


Alternatively, in the "valid users =" parameter of your "/etc/samba/smb.conf" instead of using a single domain user, you can use a domain group as follows:

Code: Select all

valid users = @"YOURDOMAIN\Domain Users"


As you can see we put a "@" symbol in front and enclosed the AD group name in double quotes since it's a two word group name.

11. Next, we need to run the Samba Interoperability Installer and restart the Samba and Winbind services. But, since we don't have Winbind installed, we must install it first:

Code: Select all

sudo apt-get install winbind


The installation of winbind will most likely give you a compatibility error between Likewise and Winbind, just ignore it and continue. It will not harm anything.

Once winbind is installed, enter the following command:

Code: Select all

sudo /opt/pbis/bin/samba-interop-install --install


Reboot the server or restart Samba and winbind (Order is important):

Code: Select all

sudo /etc/init.d/samba stop

Code: Select all

sudo /etc/init.d/winbind stop

Code: Select all

sudo /etc/init.d/samba start

Code: Select all

sudo /etc/init.d/winbind start



You should now be able to access the Samba share from any Windows computer on the AD domain and, as long as you supply the correct AD credentials, you should get access to the share. Alternatively, you can SSH into your server and log on as an AD user.
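
Added example, not part of the original post: a shell function that reads an smb.conf and lists the guest and empty-password settings used in the two configurations above ("null passwords", "map to guest", "usershare allow guests", and shares that are both guest-accessible and writable). The function name "audit_smb_conf" is an assumption made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list smb.conf settings that
# permit guest or empty-password access. Line continuations and "include"
# directives are not followed; [global] is assumed to come before the shares.
# Usage: audit_smb_conf /etc/samba/smb.conf
audit_smb_conf() {
    awk '
    function is_on(v) { return v ~ /^(yes|true|1)$/ }
    function close_section() {
        # Share-level settings placed in [global] become defaults for shares.
        if (sect == "global") { dguest = guest; dwrite = writable }
        else if (sect != "" && guest && writable)
            printf "[%s] writable by guests, who act as unix user %s\n", sect, acct
        guest = dguest; writable = dwrite
    }
    BEGIN { acct = "nobody" }                    # Samba default guest account
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }         # comments and blank lines
    /^[ \t]*\[.*\]/ {                            # section header
        close_section()
        sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
        if (tolower(sect) == "global") sect = "global"
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        # Samba ignores case and whitespace in parameter names.
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
        low = tolower(val)
        if (key == "guestok" || key == "public") guest = is_on(low)
        else if (key == "readonly") writable = !is_on(low)
        else if (key ~ /^(writable|writeable|writeok)$/) writable = is_on(low)
        else if (key == "guestaccount") acct = val
        else if (key == "nullpasswords" && is_on(low))
            printf "[%s] null passwords = %s (empty-password accounts can connect)\n", sect, val
        else if (key == "maptoguest" && low != "never")
            printf "[%s] map to guest = %s (failed logins can become guest sessions)\n", sect, val
        else if (key == "usershareallowguests" && is_on(low))
            printf "[%s] usershare allow guests = %s (user-defined shares may allow guests)\n", sect, val
    }
    END { close_section() }
    ' "$1"
}
```

Each output line names the section and the setting found; an empty result means none of these settings are present in the file that was checked.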