SAMBA plugin

This document explains how to install the SAMBA plugin for MMC and its related configuration.

Installation

Install the packages python-mmc-samba, mmc-web-samba and samba.

SAMBA configuration for MMC

This section explains how to configure SAMBA with an LDAP directory so that it works with the MMC. Basically, you need a classic SAMBA/LDAP setup, with SAMBA running as a PDC (Primary Domain Controller).

Note

Configuration files

A slapd.conf for OpenLDAP and a smb.conf for SAMBA can be found in /usr/share/doc/mmc/contrib/samba.

Please use these files as templates for your own configuration.

If you aren’t familiar with SAMBA/LDAP installation, read the SAMBA LDAP HOWTO. SAMBA LDAP setup is not easy.

LDAP directory configuration

You need to import the SAMBA schema into the LDAP directory. The schema file is provided by the python-mmc-samba package in /usr/share/doc/mmc/contrib/samba/samba.schema. But you can also use the schema provided by the SAMBA project.

SAMBA configuration

Stop samba before modifying its configuration:

# /etc/init.d/samba stop

Or, depending on your distribution:

# /etc/init.d/smb stop

In /etc/samba/smb.conf, you need to modify the « workgroup », « ldap admin dn » and « ldap suffix » to suit your configuration.

SAMBA also needs the credentials of the LDAP manager to write to the LDAP directory:

# smbpasswd -w secret
Setting stored password for "cn=admin,dc=mandriva,dc=com" in secrets.tdb

Now, SAMBA needs to create the SID for your workgroup:

# net getlocalsid MANDRIVA
SID for domain MANDRIVA is: S-1-5-21-128599351-419866736-2079179792

Use slapcat to check that the SID has really been recorded in the LDAP directory. You should find an entry like this:

# slapcat | grep sambaDomainName
dn: sambaDomainName=MANDRIVA,dc=mandriva,dc=com
...

Now you can start SAMBA:

# /etc/init.d/samba start

Populating the LDAP directory for SAMBA

The LDAP directory needs to be populated so that SAMBA can use it. We use the smbldap-populate command from the smbldap-tools package. This command populates the LDAP directory with the OUs (Organizational Units), users and groups needed by SAMBA.

Note

On Debian do first:

cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
gunzip /etc/smbldap-tools/smbldap.conf.gz

Now the smbldap-tools configuration files need to be edited. Put this in /etc/smbldap-tools/smbldap_bind.conf:

slaveDN="cn=admin,dc=mandriva,dc=com"
slavePw="secret"
masterDN="cn=admin,dc=mandriva,dc=com"
masterPw="secret"

smbldap_bind.conf defines how to connect to and write to the LDAP server.

Then edit smbldap.conf and set those fields:

SID="S-1-5-21-128599351-419866736-2079179792"
sambaDomain="MANDRIVA"
ldapTLS="0"
suffix="dc=mandriva,dc=com"
sambaUnixIdPooldn="sambaDomainName=MANDRIVA,${suffix}"
#defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userHomeDrive=""

Now the directory can be populated. Type:

# smbldap-populate -m 512 -a administrator

A user called « administrator » will be created, and you will be prompted for its password. Thanks to the « -m 512 » option, this user will belong to the « Domain Admins » group, whose RID is 512.

User password expiration

By default, the maximum password age of a SAMBA user is 42 days; after that, the user must change his/her password.

If you don’t want passwords to expire, type:

# pdbedit -P "maximum password age" -C 0

If you want to check your current password expiration policy:

# pdbedit -P "maximum password age"

Giving privileges to SAMBA users and groups

If « enable privileges = yes » is set in your smb.conf, you can give privileges to SAMBA users and groups.

For example, to give “Domain Admins” users the right to join a machine to the domain:

# net -U administrator rpc rights grant 'DOMAIN\Domain Admins' SeMachineAccountPrivilege
Password:
Successfully granted rights.

Note that you must replace « DOMAIN » with your SAMBA domain name in the command line.

Note

Users that can give privileges

Only users that belong to the “Domain Admins” group can use the net rpc rights grant command to assign privileges.

About SE Linux

The default SE Linux configuration may not allow SAMBA to launch the script defined in “add machine script”, in which case you won’t be able to join a machine to the SAMBA domain.

MMC « base » plugin configuration

You probably want new users to belong to the « Domain Users » group by default.

To do so, set the « defaultUserGroup » option to « Domain Users » in /etc/mmc/plugins/base.ini.

MMC « SAMBA » plugin configuration

For a full description of the MMC SAMBA plugin configuration file, see MMC SAMBA plugin configuration file.

You shouldn’t need to edit the configuration file (/etc/mmc/plugins/samba.ini). The plugin will not be activated if your LDAP directory does not contain the SAMBA schema and the well-known RIDs.
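As an added example (not part of the MMC documentation or of the smbldap-tools project), the script below turns the checks this page asks you to do by hand into shell functions: the slapcat check that the SID was recorded, the SID setting in smbldap.conf, and the presence of the well-known RIDs without which the plugin stays disabled. It runs offline on constructed sample data; the domain, suffix and SID values are the page's own examples, and the function names are assumptions.

```shell
# Added example, not part of the MMC documentation: replays the page's checks
# offline on constructed data (feed real `net getlocalsid`/slapcat/smbldap.conf output).
# Constructed `net getlocalsid MANDRIVA` output, SID value from the page.
GETLOCALSID_OUT='SID for domain MANDRIVA is: S-1-5-21-128599351-419866736-2079179792'
# Constructed slapcat excerpt after smbldap-populate (only dn and sambaSID kept).
SLAPCAT_OUT='dn: sambaDomainName=MANDRIVA,dc=mandriva,dc=com
sambaSID: S-1-5-21-128599351-419866736-2079179792

dn: cn=Domain Admins,ou=Groups,dc=mandriva,dc=com
sambaSID: S-1-5-21-128599351-419866736-2079179792-512

dn: cn=Domain Users,ou=Groups,dc=mandriva,dc=com
sambaSID: S-1-5-21-128599351-419866736-2079179792-513'
# Constructed smbldap.conf line whose SID has a typo in its last digit.
SMBLDAP_CONF_BAD='SID="S-1-5-21-128599351-419866736-2079179793"'

# SID reported by SAMBA itself, parsed from `net getlocalsid` output.
local_sid() { printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: //p'; }
# SID="..." value from smbldap.conf text.
smbldap_conf_sid() { printf '%s\n' "$1" | sed -n 's/^SID="\(.*\)"$/\1/p'; }
# sambaSID of the entry whose dn starts with the given RDN; awk paragraph
# mode (RS="") makes one record per blank-line separated LDAP entry.
ldif_sid_for() {  # $1 = slapcat output, $2 = RDN such as cn=Domain Admins
  printf '%s\n' "$1" | awk -v rdn="$2" 'BEGIN { RS = ""; FS = "\n" }
    index($1, "dn: " rdn ",") == 1 {
      for (i = 2; i <= NF; i++) if (sub(/^sambaSID: /, "", $i)) print $i }'
}

# Check 1: the SID recorded in LDAP equals the one SAMBA computed locally.
check_domain_sid() {  # $1 = getlocalsid output, $2 = slapcat output, $3 = domain
  [ "$(local_sid "$1")" = "$(ldif_sid_for "$2" "sambaDomainName=$3")" ] \
    && echo ok || echo mismatch
}
# Check 2: smbldap.conf carries that same SID; otherwise smbldap-populate
# creates the groups under a foreign SID and the well-known RIDs are unusable.
check_smbldap_sid() {  # $1 = getlocalsid output, $2 = smbldap.conf text
  [ "$(local_sid "$1")" = "$(smbldap_conf_sid "$2")" ] && echo ok || echo mismatch
}
# Check 3: Domain Admins (RID 512) and Domain Users (RID 513) exist under the
# domain SID; the MMC plugin stays disabled without these well-known RIDs.
check_wellknown_rids() {  # $1 = slapcat output, $2 = domain SID
  missing=""
  for pair in "512:Domain Admins" "513:Domain Users"; do
    rid=${pair%%:*}; name=${pair#*:}
    [ "$(ldif_sid_for "$1" "cn=$name")" = "$2-$rid" ] || missing="$missing $rid"
  done
  [ -z "$missing" ] && echo ok || echo "missing:$missing"
}

check_domain_sid "$GETLOCALSID_OUT" "$SLAPCAT_OUT" MANDRIVA           # ok
check_smbldap_sid "$GETLOCALSID_OUT" "$SMBLDAP_CONF_BAD"              # mismatch
check_wellknown_rids "$SLAPCAT_OUT" "$(local_sid "$GETLOCALSID_OUT")"  # ok
```

On a live PDC, replace the constructed strings with `"$(net getlocalsid MANDRIVA)"`, `"$(slapcat)"` and `"$(cat /etc/smbldap-tools/smbldap.conf)"`.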

ACLs must be enabled on your filesystem: the SAMBA plugin needs them to set ACLs when creating shares, and SAMBA uses them to map NTFS ACLs to POSIX ACLs.

If you use XFS, ACLs are enabled by default. For ext3, you need to enable ACLs in /etc/fstab.