1  Advanced Samba Administration, Part 2: Domain Configurations
Tim Potter, tpot@hp.com (Samba Team: tpot@samba.org)
© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

2  March 6, 2006
Part 2 – Domain Configurations
Samba as
− Domain member (NT4)
− Domain member (Active Directory)
− Domain controller
Account storage options
Delegation using privileges
Domain security
Using winbind

3  Samba as Domain Member (NT4)
Use security = domain in smb.conf
− NTLM or NTLMv2 authentication used
RPC calls used to query user information
Much better than security = server (pass-through authentication)
− Uses fewer resources: no session is held open to the password server
− Can use domain trusts
Users are not prompted to enter passwords all the time

4  Joining a Domain (2.x)
Stop smbd and nmbd
Adjust smb.conf
Join the domain with smbpasswd
Start smbd and nmbd
Ensure a Linux user exists for each Windows user
− Samba 2.2 mapped a valid domain user with no Unix account to the guest account; in 3.x that behaviour is enabled with map to guest = bad uid

5  net rpc join (3.x)
Join the domain using the net command
− net rpc join -U administrator%password
− Omit %password to be prompted: on the command line it is visible in process listings and shell history
Domain name taken from smb.conf (workgroup)
PDC located via a NetBIOS name query for DOMAIN<1B>
Join information stored in ${private}/secrets.tdb
− Trust account password
− Local and domain SIDs
− Keep secrets.tdb readable by root only (mode 0600): anyone who can read it has the machine trust password

6  Samba as Domain Member (AD)
New in Samba 3.x
Use security = ads in smb.conf (realm must also be set)
− Kerberos authentication used
LDAP used to query user information
Better integration with Windows 2000 networks
Uses DNS to resolve names, NetBIOS as a fallback

7  net ads join (3.x)
Join the domain using the net command
− net ads join -U administrator%password
Domain and realm taken from smb.conf
Domain controller located via DNS (SRV records)
− Kerberos requires the member's clock to be within the KDC's skew tolerance (5 minutes by default); keep it synchronised with the DC
Join information stored in ${private}/secrets.tdb
− Trust account password
− Local and domain SIDs
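The two joins above, as one added example that is not part of the HP/Samba Team slides: a script that renders the smb.conf a Samba 3 member needs in either mode (security = domain with NTLM over RPC, or security = ads with Kerberos and a realm), runs the matching net join, and checks that the resulting secrets.tdb is readable by root alone. The workgroup, NetBIOS name, realm, admin user and private dir are placeholders chosen for this example; the password is prompted for rather than passed as admin%password.

```shell
#!/bin/sh
# Added example (not from the slides): build a Samba 3 domain-member
# configuration for NT4-style or AD domains, join, and verify.
# Placeholders: EXAMPLE / EXAMPLE.LOCAL / FILESERVER / the private dir path.

# render_member_conf MODE -- MODE is "domain" (NT4-style: NTLM/NTLMv2 over
# RPC, PDC found by NetBIOS query) or "ads" (Active Directory: Kerberos and
# LDAP, DC found via DNS).  Prints the smb.conf [global] section to stdout.
render_member_conf() {
    mode=$1
    case $mode in
        domain) security="domain" ;;
        ads)    security="ads" ;;
        *) echo "usage: render_member_conf domain|ads" >&2; return 2 ;;
    esac
    cat <<EOF
[global]
    workgroup = EXAMPLE
    netbios name = FILESERVER
    security = $security
EOF
    # Only security = ads needs a realm; it selects the Kerberos realm whose
    # DCs are looked up in DNS (NetBIOS remains the fallback).
    if [ "$mode" = ads ]; then
        cat <<'EOF'
    realm = EXAMPLE.LOCAL
EOF
    fi
    cat <<'EOF'
    # Not security = server: that keeps a session open to the password
    # server for every authentication and cannot use domain trusts.
    # The trust account password and SIDs are written to secrets.tdb here.
    private dir = /var/lib/samba/private
EOF
}

# join_domain MODE ADMINUSER -- run the join that matches the configuration
# and confirm the trust relationship with the matching testjoin.  Omitting
# %password makes net prompt, keeping the password out of ps and history.
join_domain() {
    case $1 in
        domain) net rpc join -U "$2" && net rpc testjoin ;;
        ads)    net ads join -U "$2" && net ads testjoin ;;
        *) return 2 ;;
    esac
}

# secrets_private FILE -- returns 0 only if FILE exists and has no group or
# other permission bits (mode 0600 or stricter).  secrets.tdb holds the
# machine trust password, so group/world read access on it hands that
# password to every local account.
secrets_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Example run (only when invoked as:  sh join.sh domain|ads ADMINUSER)
if [ $# -eq 2 ]; then
    render_member_conf "$1" > /etc/samba/smb.conf
    join_domain "$1" "$2"
    secrets_private /var/lib/samba/private/secrets.tdb \
        || echo "WARNING: secrets.tdb is readable by group/other; chmod 600 it" >&2
fi
```

Run it as `sh join.sh ads administrator` on the member after smb.conf is otherwise complete; `net ads testjoin` (or `net rpc testjoin`) is the check that the stored trust password actually works against the DC, and it is the first thing to re-run when domain logons start failing later.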

8  Samba as Domain Controller
Samba 3 can control NT4-style domains
Can act as PDC or BDC
− Accounts must be replicated by other means (for example a shared or replicated LDAP backend)
− NT4 SAM account replication is not supported
− A Samba BDC still serves logon requests
Windows 2000 and above workstations can still join the domain
Must have a Linux user created for each Windows user

9  Account Storage Options
Samba 2.2 used the smbpasswd file
Samba 3.0 has pluggable backends
− tdbsam
− ldapsam
Use tdbsam for small installations
Use ldapsam for larger installations
− LDAP replication
− Integration with other directory services
Selected with the passdb backend parameter (global)
− Whichever backend is used stores NT password hashes, which are password-equivalent: keep passdb.tdb root-only and restrict read access to the sambaNTPassword attribute in LDAP

10  Account Storage Options (cont)
Write your own storage backend!
API described in source/include/passdb.h
Fill in hooks for
− Creating users and groups
− Enumerating users and groups
− Searching users and groups
− Mapping Unix uids and gids to NT SIDs
Compile to a shared library
Set the passdb backend parameter to load it

11  Delegation using Privileges
Windows privileges bypass normal access controls for particular operations
Allow you to delegate authority and admin work without handing out the Administrator or root password
New in Samba 3.0.11
Also called user rights

12  Supported Privileges
SeAddUsersPrivilege
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeDiskOperatorPrivilege
SeRemoteShutdownPrivilege
SeTakeOwnershipPrivilege

13  Configuring Privileges
Set enable privileges = yes in smb.conf
Disabled by default in releases <= 3.0.21b
Can be used with security = user, domain or ads
Currently not replicated between Samba DCs: grant on each DC separately
Implies that certain operations are performed as root on the Samba host, so treat every grant as giving out a root-level capability for that operation

14  Modifying Privileges
Use the net rpc rights command
List assigned privileges
− net rpc rights list accounts
Grant privileges
− net rpc rights grant 'DOMAIN\User' SeMachineAccountPrivilege
Revoke privileges
− net rpc rights revoke 'DOMAIN\User' SeMachineAccountPrivilege
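Because grants are not replicated between DCs and several of these rights are carried out as root, the useful companion to the grant/revoke commands is a periodic audit of who holds what. The following is an added example, not code from the slides or from the Samba project: two small awk filters over the output of `net rpc rights list accounts`, whose shape is an account name followed by its privileges one per line, with a blank line between accounts. The sample input is constructed in that shape; the account names in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the slides): audit privilege assignments on a
# Samba 3 DC from the output of `net rpc rights list accounts`.
# Real use:  net rpc rights list accounts -U administrator | rights_holders SeMachineAccountPrivilege

# Constructed sample in the shape of `net rpc rights list accounts` output.
SAMPLE_RIGHTS='BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeDiskOperatorPrivilege

BUILTIN\Print Operators
SePrintOperatorPrivilege

EXAMPLE\helpdesk
SeMachineAccountPrivilege

EXAMPLE\tpot
SeDiskOperatorPrivilege
SeTakeOwnershipPrivilege
'

# rights_holders PRIV -- read the listing on stdin and print every account
# (one per line) that holds PRIV.  Records are blank-line separated, so awk's
# paragraph mode (RS="") gives one record per account with the name in $1.
rights_holders() {
    awk -v priv="$1" 'BEGIN { RS = ""; FS = "\n" }
        { for (i = 2; i <= NF; i++) if ($i == priv) { print $1; break } }'
}

# root_equivalent_grants -- print "ACCOUNT PRIV" for the two rights that let
# the holder take ownership of files or manage shares, both of which Samba
# performs as root.  The BUILTIN groups are expected to hold them and are
# skipped; anything else printed here should be a deliberate delegation.
root_equivalent_grants() {
    awk 'BEGIN { RS = ""; FS = "\n" }
        $1 !~ /^BUILTIN\\/ {
            for (i = 2; i <= NF; i++)
                if ($i == "SeDiskOperatorPrivilege" || $i == "SeTakeOwnershipPrivilege")
                    print $1, $i
        }'
}

# Demonstration on the constructed sample:
printf '%s' "$SAMPLE_RIGHTS" | rights_holders SeMachineAccountPrivilege
printf '%s' "$SAMPLE_RIGHTS" | root_equivalent_grants
```

To delegate workstation joins to a helpdesk group without making its members Administrators, grant only the machine-account right, `net rpc rights grant 'EXAMPLE\helpdesk' SeMachineAccountPrivilege`, and then confirm with the first filter that the group, and nothing unexpected, holds it; repeat on each DC, since the grant does not replicate.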

15  Account Policies
Similar to NT4-style domain policies
Apply to all accounts in a Samba domain
Set and queried with the pdbedit command line tool
See the Samba HOWTO for tips and details on policy usage

16  Account Policies (cont)
min password length
password history
user must logon to change password
maximum password age
minimum password age
lockout duration
...
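An added example, not from the slides, of applying the policies listed above with pdbedit. Samba 3 sets them one at a time with `pdbedit -P NAME -C VALUE`, and the units differ by policy: the two password ages are in seconds, lockout duration and the reset window are in minutes, and -1 means never or forever. The baseline values below are choices made for this example, not recommendations from the slides.

```shell
#!/bin/sh
# Added example (not from the slides): apply a baseline account policy to a
# Samba 3 domain.  Policy names are the ones pdbedit -P accepts; the values
# are this example's baseline.

# policy_seconds SPEC -- turn a human duration into the integer the
# seconds-based policies expect: "never" -> -1, "90d" -> 7776000,
# "12h" -> 43200, "30m" -> 1800; a plain integer passes through unchanged.
# Anything else is rejected so a typo cannot become a 0-second password age.
policy_seconds() {
    spec=$1
    if [ "$spec" = never ]; then
        printf '%s\n' -1
        return 0
    fi
    case $spec in
        *d) mult=86400; num=${spec%d} ;;
        *h) mult=3600;  num=${spec%h} ;;
        *m) mult=60;    num=${spec%m} ;;
        *)  mult=1;     num=$spec ;;
    esac
    case $num in
        ''|*[!0-9]*) echo "policy_seconds: bad duration '$spec'" >&2; return 2 ;;
    esac
    printf '%s\n' $(( num * mult ))
}

# baseline_policies -- "name|value" pairs, one per line, in pdbedit's units.
# "lockout duration" and "reset count minutes" are minutes, not seconds.
baseline_policies() {
    printf '%s\n' \
        "min password length|8" \
        "password history|6" \
        "maximum password age|$(policy_seconds 90d)" \
        "minimum password age|$(policy_seconds 1d)" \
        "bad lockout attempt|5" \
        "lockout duration|30" \
        "reset count minutes|30"
}

# apply_policies -- one pdbedit call per policy; stops at the first failure.
apply_policies() {
    baseline_policies | while IFS='|' read -r name value; do
        pdbedit -P "$name" -C "$value" || exit 1
    done
}

# Apply only when run as:  sh policies.sh apply   (on the PDC, as root)
[ "${1:-}" = apply ] && apply_policies
```

Read a single value back with `pdbedit -P "maximum password age"` and check that it shows 7776000, not 90: a policy stored in the wrong unit silently becomes "expire every 90 seconds" or "never lock out".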

17  Domain Security

18  Samba as WINS Server
Samba is easily configured as a WINS server (wins support = yes)
Replication with other WINS servers is not possible in Samba 3
samba4wins project
− Implements the WINS replication protocol
− Allows migration from an existing (Windows) WINS server

19  Using Winbind
Samba requires a Unix user for every Windows user
Administrative nightmare!
Winbind is a daemon (winbindd) plus an NSS module (and a PAM module)
Returns a Unix user for every Windows user
Returns a Unix group for every Windows group

20  Configuring Winbind
Configure uid/gid mapping parameters in smb.conf (idmap uid, idmap gid)
− local tdb (winbindd_idmap.tdb, the default): ids are allocated on first sight, so they differ from server to server
− LDAP (idmap backend = ldap): one consistent mapping shared by all servers
− SFU (Services for Unix uid/gid attributes stored in Active Directory)
− The idmap range must not overlap uids/gids already used by local accounts
Add winbind to the passwd and group lines of /etc/nsswitch.conf
Start the winbind daemon
Test the configuration with the wbinfo and getent command line tools
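The winbind procedure above as one added example, not code from the slides or the Samba project: the smb.conf lines for the default tdb mapping, a check that the chosen idmap range is free of local accounts, an idempotent edit of nsswitch.conf, and the wbinfo/getent self-test. The id range, template paths, sample passwd and nsswitch contents are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): winbind setup on a Samba 3 domain
# member with the checks that catch the usual mistakes.
# Placeholders: the 10000-19999 range, template paths, sample files below.

# winbind_globals -- smb.conf [global] lines for winbind.  With no idmap
# backend set, mappings go to the local winbindd_idmap.tdb.
winbind_globals() {
    cat <<'EOF'
    idmap uid = 10000-19999
    idmap gid = 10000-19999
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
EOF
}

# idmap_range_clear PASSWD_FILE LO HI -- returns 0 if no account in the
# passwd file has a uid inside LO..HI, otherwise lists the clashes and
# returns 1.  A local account inside the range would share a uid with
# whichever domain user winbind later maps there.
idmap_range_clear() {
    awk -F: -v lo="$2" -v hi="$3" '
        $3+0 >= lo+0 && $3+0 <= hi+0 {
            print "local account inside idmap range: " $1 " (uid " $3 ")"
            clash = 1
        }
        END { exit clash }' "$1"
}

# enable_winbind_nss FILE -- append "winbind" to the passwd: and group:
# lines of an nsswitch.conf unless it is already there (safe to re-run).
enable_winbind_nss() {
    tmp=$(mktemp)
    awk '/^(passwd|group):/ && $0 !~ /winbind/ { $0 = $0 " winbind" } { print }' "$1" > "$tmp" \
        && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# winbind_selftest DOMAINUSER -- the three checks the slide names: trust
# password works, users enumerate, NSS resolves a domain user to a Unix user.
winbind_selftest() {
    wbinfo -t || return 1
    wbinfo -u | head -n 3
    getent passwd "$1" > /dev/null
}

# Constructed sample inputs for the checks.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
tpot:x:1000:1000::/home/tpot:/bin/bash
svc-backup:x:10042:10042::/var/backup:/sbin/nologin'
SAMPLE_NSSWITCH='passwd: files
group: files
hosts: files dns'

# Live run only when invoked as:  sh winbind.sh DOMAINUSER  (after editing
# smb.conf with winbind_globals and restarting smbd/winbindd)
if [ $# -eq 1 ]; then
    idmap_range_clear /etc/passwd 10000 19999 || exit 1
    enable_winbind_nss /etc/nsswitch.conf
    winbind_selftest "$1"
fi
```

Against the constructed passwd sample the range check fails on svc-backup (uid 10042), which is exactly the case to catch before winbindd starts handing out ids; move either the service account or the range. Because the tdb mapping is per server, the same domain user gets different uids on different members, so an LDAP idmap is the option to pick when files or NFS exports are shared between servers.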

21  TDB Files
Trivial Database: Samba's own simple, fast storage format
Simple multi-reader, multi-writer database
Much important information is stored in TDBs
/var/lib/samba for persistent data
/var/run/samba for temporary data
Use the tdbbackup utility to back up TDBs (tdbbackup -v verifies an existing backup)

22  Summary of Part 2
Samba can act as domain member or domain controller
Can delegate admin work via privileges
More domain policy supported
Samba can act as a WINS server; replication is available through the samba4wins project
Use winbind to dynamically create users and groups

23  End of Part 2
Break for 10 minutes

