[TriLUG] I'm in SAMBA hell

Vestal, Roy L. rvestal at rti.org
Thu Sep 26 08:59:49 EDT 2002


Ryan, we are set up the same way. Here's the SAMBA globals that work for us:

<snip>
        workgroup = domain_name
        # note - we've found that uppercase works best with WINS/NETBEUI
        netbios name = MACHINENAME
        server string = server_description
        # Note - Here is your secret to making SAMBA work for NT domains
        security = SERVER
        # Note - definitely needed
        encrypt passwords = Yes
        # note - we don't use our PDC here to try and reduce the load, but you can
        password server = BDC_machine_name_or_ip
        # note - allows top level browsing and some read only functions
        # controlled in username map
        map to guest = Bad User
        username map = /opt/samba/lib/password.txt
        # NOTE - This is CRITICAL. We've had servers take over the server browse
        # list handled by the PDC and BDC's and start trying to authenticate
        # other servers
        local master = No
        # Note - It needs to be the IP not machine name
        wins server = wins_server_ip
</snip>

The key we've found to work for us is the security=server line. It's kind of
misleading to use security=domain. security=server uses NT creds correctly.
Also make sure "encrypt passwords = yes" is there.

To add the machines to your domain (I'm assuming NT4/2000 domain), you need
to join the domain as an "NT 4.5" server. I create the account using
svrmgr.exe (just add the machine name to the domain), then use the following
steps to add the SAMBA server to the domain:

* log in as root
* type "smbpasswd -a validuser" (use a valid user on the domain that is able
to add machines to the domain)
* type "smbpasswd -j domain_name -R BDC_machine_name -u validuser" (may need
fully qualified machine name, and use the same name as the one above used to
create the smbpasswd password/shadow files)
* enter validuser NT domain password when prompted for passwd

You may have to remove the server and recreate the files again. I've found
that it doesn't always work the first time.

Finally, use SAMBA 2.2.x. We had issues with W2K boxes on 2.0.x and lower
and 2.1.x wasn't stable. Even though most distributions come with SAMBA, I
like to manually compile mine. Guess it comes from the old days of RedHat
5.x and 6.x and the fact that I do this for Solaris boxes as well.

O'Reilly's latest "Using SAMBA" is a great tool for this.

This setup seems to work pretty well. Hope this helps.
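
An added example (not part of the original post, and not Samba's own tooling): a small checker that reads the [global] section of an smb.conf and reports where it departs from the settings listed above. It also catches a note pasted after a value, because smb.conf only treats whole lines starting with # or ; as comments. The sample config, its addresses and the function names are constructed for illustration.

```python
import ipaddress

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def parse_global(text):
    """Collect [global] parameters; names compare case- and space-insensitively."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # only whole-line comments exist
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.lower().split())] = value.strip()
    return params

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit(text):
    """Return findings where the config departs from the post's checklist."""
    p, findings = parse_global(text), []
    if p.get("security", "").lower() != "server":
        findings.append("security is not 'server'")
    if p.get("encryptpasswords", "").lower() not in TRUE:
        findings.append("encrypt passwords is not enabled")
    if not p.get("passwordserver"):
        findings.append("password server is not set")
    if p.get("localmaster", "yes").lower() not in FALSE:   # Samba default: yes
        findings.append("local master is not disabled")
    if not is_ip(p.get("winsserver", "")):
        findings.append("wins server is not an IP address")
    return findings

# Constructed sample: inline note kept, browse master left on, WINS by name.
SAMPLE_BAD = """\
[global]
    security = SERVER (Note - secret to making SAMBA work)
    Encrypt Passwords = Yes
    password server = 192.0.2.10
    wins server = wins.example.test
"""
print(audit(SAMPLE_BAD))
```

The checklist is the post's, for the Samba 2.2.x setup it describes; security = server was removed in Samba 4.0, where joining the domain with security = domain or ads takes its place.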


-----Original Message-----
From: Ryan Leathers [mailto:Ryan.Leathers at globalknowledge.com]
Sent: Tuesday, September 24, 2002 5:45 PM
To: 'trilug at trilug.org'
Subject: [TriLUG] I'm in SAMBA hell


I'm migrating services from Win2k to Linux.  The majority of my end
users are sticking with windows on their desktop PC's.  
I am in need of some sound advice in handling authentication of users
who "browse" SMB shares on Linux servers.

In my pilot, I have 3 Linux servers running SMB.  They are part of the
same workgroup/domain.  I am compelled to leave the existing domain
alone and build this new workgroup during the pilot.  I suppose it's
most correct to call it a workgroup since there are no NT or Win2k hosts
(no domain controllers).
Authentication is being handled per user.  End users have Win2k Pro on
their PC's and are generally logged in as members of another domain.  My
problems are: synchronization of credentials, visibility of Linux SMB
shares in browse lists on the Win2k hosts.  

My current plan: configure the Linux servers to point to one place for
credentials.  I will still have a credential conflict since users are
members of a domain and a workgroup.  They want to use a single set of
uid/passwd for both.  By setting the security=server option and picking
one of the Linux servers to be that server I hope to simplify my life.
At least this way the credentials will be consistent for all shares on
the Linux servers.  To aid in my quest for "browsability" I plan on
making the authentication server handle WINS chores and point the others
at it.      

Any thoughts?

Ryan
-----Original Message-----
From: Jon Carnes [mailto:jonc at nc.rr.com]
Sent: Tuesday, September 24, 2002 7:53 AM
To: trilug at trilug.org
Subject: Re: [TriLUG] Suse releases exchange server clone ($999) no
client licenses

It's also worthy to note that this is now the cheapest drop-in
replacement for an Exchange server. It's 40% cheaper than the previous
Linux solution. This may not be a mile-stone for Open Source, but it is
certainly one for the evolution of Linux in the workplace.

Migrating folks off of proprietary MS solutions is made difficult by
their dependence on Exchange. If you remove the Exchange dependency then
you break the strongest lock that MS has on small and medium sized
businesses.

Also, this adds more competition into that market - which drops prices
and encourages better more responsive programming and services.  It's a
big deal for Linux to have these solutions available and actively being
developed. It's also a big deal to contractors (like me) who set up Linux
based services for folks - or even help them migrate off of MS products
over to cheaper Linux based solutions.

The next nice thing will be when LDAP (or some Directory Services) is
fully functional and supported with easy installations and
administration.

Jon Carnes

On Tue, 2002-09-24 at 08:43, Ben Pitzer wrote:
> Can this group ever get past the flame-bait distro bashing?  C'mon,
> folks, whatever your personal preference, other distros have redeeming
> qualities, too.  And while the Skyrix portion of this product may be
> closed source, it may be exactly what somebody needs to start to move
> towards Linux and an open source, non-Exchange clone groupware
> platform.
>
> Regards,
> Ben Pitzer
>
> PS - Sorry to pick on you, Tom.  Nothing personal.  I've seen it, and
> thought about it before, and your post just reminded me that I wanted
> to say something.
>
> > I looked at this product before they released, and the important
> > pieces (Skyrix) are closed source, in typical SuSE fashion.
>
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html

