
Managing Samba: Configuration for remote management, part two

You tasted basic Samba configuration in part one of this tutorial. Now, let's get into something much meatier: Samba PDC (primary domain controller) configuration.

The following smb.conf file contents demonstrate the use of the key parameters, as well as a few additional ones required to round out a Samba primary domain controller. The key point to observe is the settings for the interface scripts (the add/delete user, group and machine scripts in the [global] section). The example uses passdb backend = tdbsam, which means that this PDC is not -- I repeat, not -- suitable for use with a BDC (backup domain controller).

A PDC that has the configuration file shown in this example is a subset of the configuration that is depicted in the book, Samba-3 by Example, second edition. The extracted example does not make use of WINS (the Windows Internetworking Name Server) for NetBIOS to IP address name resolution and omits a few more refinements. In this article, my objective is to demonstrate a more basic configuration. The example file is fully functional, but it lacks some of the bells and whistles that can be used to create a more stable environment. That fuller Samba environment can be obtained by carefully following the examples in the book.

The [homes] share is properly called a meta-service and is used to dynamically create a user home folder share from the Unix system account information.

The [printers] share is another example of a meta-service. In this case, it defines the generic Unix directory into which a print job will be spooled until it is ready to be sent to a Unix system printer by way of a standard operating system print command. Where CUPS (the Common Unix Print System) is used, Samba will pass the print job directly via a built-in CUPS library interface.

The permissions on the /var/spool/samba directory should be set by executing:

  • chmod 1777 /var/spool/samba
  • chown root /var/spool/samba
  • chgrp users /var/spool/samba

The [netlogon] share is necessary for domain controller operation. The logon.bat script specified in the smb.conf file must be stored in DOS text format (CR/LF line endings) in a directory called scripts inside the /var/lib/samba/netlogon directory.

The [profiles] directory will permit the storage of Windows roaming profiles. The permissions on this directory are important and should be set so that the default group can write to the directory. An example of suitable configuration is:

chown root /var/lib/samba/profiles
chgrp users /var/lib/samba/profiles
chmod 2775 /var/lib/samba/profiles

As domain users log onto and then out of the Windows workstations that are domain members, the users' profiles will be written automatically to the directory /var/lib/samba/profiles/'username'.
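The directory preparation described for the spool and profile shares above, as an added shell example that is not part of the original article: it creates both directories with the ownership and modes the text prescribes and then verifies them. The base directory and group are parameters (assumed here so the script can be exercised against a scratch tree; on a real server they would be /var and users), and the chown to root is only attempted when the script actually runs as root, since it fails otherwise. A GNU stat (Linux host) is assumed.

```shell
#!/bin/sh
# Added example, not from the article: create the print spool and roaming
# profile directories with the ownership and modes the text prescribes, then
# verify them. BASE and GROUP are parameters so the script can be exercised
# against a scratch tree; on a real server call it as: sh setup.sh /var users
set -eu

# mode_of PATH: print the octal mode, e.g. 1777 (GNU stat, so a Linux host is assumed).
mode_of() {
    stat -c %a "$1"
}

# setup_samba_dirs BASE GROUP
#   BASE/spool/samba         1777  world-writable with the sticky bit, so a user
#                                  can remove only their own spool files
#   BASE/lib/samba/profiles  2775  group-writable with setgid, so new profile
#                                  folders inherit the group rather than the creator's
# chown to root is attempted only when running as root, since it fails otherwise.
setup_samba_dirs() {
    base=$1
    group=$2
    spool="$base/spool/samba"
    profiles="$base/lib/samba/profiles"

    mkdir -p "$spool" "$profiles"
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$spool" "$profiles"
    fi
    chgrp "$group" "$spool" "$profiles"
    chmod 1777 "$spool"
    chmod 2775 "$profiles"
}

# check_samba_dirs BASE: succeed only if both directories carry the expected
# modes; name the offending directory on stderr otherwise.
check_samba_dirs() {
    base=$1
    ok=0
    [ "$(mode_of "$base/spool/samba")" = 1777 ] \
        || { echo "$base/spool/samba is not 1777" >&2; ok=1; }
    [ "$(mode_of "$base/lib/samba/profiles")" = 2775 ] \
        || { echo "$base/lib/samba/profiles is not 2775" >&2; ok=1; }
    return $ok
}

# When run directly with arguments, apply the settings and then verify them.
if [ $# -ge 1 ]; then
    setup_samba_dirs "$1" "${2:-users}"
    check_samba_dirs "$1"
fi
```

The verification step is worth keeping as a separate function: a spool directory that has silently lost its sticky bit lets any domain user delete other users' print jobs, and a profile store without setgid ends up with folders owned by whichever group created them first.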

[global]
    workgroup = ROSESARERED
    netbios name = VIOLETSBLUE
    passdb backend = tdbsam
    username map = /etc/samba/smbusers
    enable privileges = Yes
    log level = 0
    log file = /var/log/samba/%m.log
    max log size = 50
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    set primary group script = /usr/sbin/usermod -g '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
    logon script = scripts\logon.bat
    logon path = \\%L\profiles\%U
    logon drive = h:
    logon home = \\%L\%U
    domain logons = Yes

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

[printers]
    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    default devmode = Yes
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = Yes
    locking = No

[profiles]
    comment = Profile Share
    path = /var/lib/samba/profiles
    read only = No
    profile acls = Yes

Before starting Samba's smbd and nmbd daemons, the contents of the smb.conf file can be validated by executing testparm. This is a very useful tool to verify that there are no critical errors or typos.

It may be useful to rename the smb.conf file to smb.conf.master and then let the testparm utility generate the smb.conf file by executing:

testparm -s smb.conf.master > smb.conf

The resulting smb.conf file will be fully optimized. Additionally, if there are any significant errors, these will be reported as the file is created.
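testparm validates the syntax of smb.conf, but it does not check that the directories the shares point at exist or carry the permissions described earlier in this article. The following shell script, an added example rather than the article's own or Samba's own tooling, wraps the testparm step above and adds those filesystem checks: it extracts each share's path = value with awk, then verifies the spool mode (1777), the profile store mode (2775) and the presence of scripts/logon.bat under the netlogon path. The share names and expected modes are taken from the article; a GNU stat (Linux host) and the testparm -s invocation shown above are assumed.

```shell
#!/bin/sh
# Added example, not from the article: testparm validates smb.conf syntax only.
# This script adds the filesystem checks a PDC also depends on: that each share's
# "path =" exists, that the spool is 1777, that the profile store is 2775 and that
# netlogon/scripts/logon.bat is present. Share names and modes are the ones the
# article uses; a GNU stat (Linux) is assumed.
set -eu

# share_path CONF SECTION: print the "path =" value of [SECTION] in CONF, if any.
share_path() {
    awk -v want="[$2]" '
        /^[[:space:]]*\[/ {                     # a [section] header line
            sec = $0
            sub(/^[[:space:]]*/, "", sec); sub(/[[:space:]]*$/, "", sec)
            next
        }
        sec == want && /^[[:space:]]*path[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, "")
            print; exit
        }' "$1"
}

# check_smb_paths CONF: succeed only if every share-specific check passes;
# each failure is reported on stderr.
check_smb_paths() {
    conf=$1
    rc=0
    for sec in printers netlogon profiles; do
        p=$(share_path "$conf" "$sec")
        if [ -z "$p" ]; then
            echo "[$sec]: no path defined" >&2; rc=1; continue
        fi
        if [ ! -d "$p" ]; then
            echo "[$sec]: $p is not a directory" >&2; rc=1; continue
        fi
        mode=$(stat -c %a "$p")
        case $sec in
            printers) [ "$mode" = 1777 ] \
                || { echo "[$sec]: $p is mode $mode, expected 1777" >&2; rc=1; } ;;
            profiles) [ "$mode" = 2775 ] \
                || { echo "[$sec]: $p is mode $mode, expected 2775" >&2; rc=1; } ;;
            netlogon) [ -f "$p/scripts/logon.bat" ] \
                || { echo "[$sec]: $p/scripts/logon.bat is missing" >&2; rc=1; } ;;
        esac
    done
    return $rc
}

# validate_smb_conf MASTER OUT: regenerate OUT from MASTER with testparm when it
# is installed (the article's "testparm -s smb.conf.master > smb.conf"), then run
# the filesystem checks against MASTER.
validate_smb_conf() {
    if command -v testparm >/dev/null 2>&1; then
        testparm -s "$1" > "$2"
    else
        echo "testparm not found; skipping syntax check" >&2
    fi
    check_smb_paths "$1"
}

# Usage on a real server:
#   sh validate.sh /etc/samba/smb.conf.master /etc/samba/smb.conf
if [ $# -ge 2 ]; then
    validate_smb_conf "$1" "$2"
fi
```

Running this before starting smbd and nmbd catches the two failures that testparm cannot: a domain logon that silently succeeds without running logon.bat because the script is missing, and a spool or profile directory whose mode would let one domain user interfere with another's print jobs or profile.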

If all went well, go ahead and start Samba. Check the documentation for your operating system platform for information regarding how to start the smbd and nmbd daemons. Alternatively, refer to chapter 1 of my book, The Official Samba-3 HOWTO and Reference Guide, 2nd Edition, for further Samba start-up information.

Operation of Samba can be validated by executing:

#> smbclient -L localhost -U%
Domain=[ROSESARERED] OS=[Unix] Server=[Samba 3.0.21]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        profile         Disk
        IPC$            IPC       IPC Service (Main Server)
        ADMIN$          IPC       IPC Service (Main Server)
        hp940           Printer   HP DeskJet 940c
        Cups-PDF        Printer   Cups-PDF
Domain=[ROSESARERED] OS=[Unix] Server=[Samba 3.0.21]

        Server               Comment
        ---------            -------
        VIOLETBLUE           Main Server

        Workgroup            Master
        ---------            -------
        ROSESARERED          VIOLETBLUE

If you've made it this far, then the Samba server is operative and it should now be possible to administer it remotely. Congratulations! Now you're ready for the upcoming tutorial on more PDC configuration options.

About the author: John H. Terpstra is CTO, PrimaStasys Inc., an IT consulting firm and a member of SearchOpenSource.com's Editorial Advisory Board. He is author of the new books, Samba-3 by Example: Practical Exercises to Successful Deployment, 2nd Edition and The Official Samba-3 HOWTO and Reference Guide, 2nd Edition.

This was first published in December 2005
