Linked by Brian Snipes on Sat 10th Apr 2004 07:28 UTC
Internet & Networking Recently I got the opportunity to set up a new lab for a small school. The server runs Linux and the workstations run Windows XP. There are three levels of access on the workstations (admin, teacher, and student), and security on the workstations is based on Windows policies applied at logon.

Thanks!
by Emil 'opi' Bronikowski on Sat 10th Apr 2004 07:39 UTC

Thanks for this very useful article on Samba 3.x. I had some hard times after I upgraded from 2.x to 3.x. Now I hope I'll resolve all my problems. :-)

OT: What happened to the new OSNews layout?
by Ulrich Hobelmann on Sat 10th Apr 2004 08:40 UTC
schannel and signing options
by Thomas Sutton on Sat 10th Apr 2004 10:23 UTC

Did the "server schannel" and/or "server signing" options not make signorseal (or whatever the feature is called) work? The man page (http://au1.samba.org/samba/docs/man/smb.conf.5.html) says that setting the "server schannel" option to no means that the registry patch needs to be applied on the clients.

I've been running Samba with XP clients (part of a domain, that my server is also a member of, that I don't have administrative control over) for a while now, and I've never had a problem with Sign or Seal not working.

Kind of not related.
by cr@zy on Sat 10th Apr 2004 11:09 UTC
RE: Kind of not related.
by Daniel de Kok on Sat 10th Apr 2004 11:26 UTC
kind of not related
by scrooch on Sat 10th Apr 2004 11:42 UTC
RE: Kind of not related.
by yep on Sat 10th Apr 2004 11:53 UTC
Re: yep
by Syntaxis on Sat 10th Apr 2004 12:13 UTC
Speaking of things like that
by James L on Sat 10th Apr 2004 13:21 UTC

http://sloppyadm.sourceforge.net (I know the page hasn't been updated for a while, but right now there are no known bugs (other than #TODOs in the code)) for mixed Linux/Windows networks. (Right now some things are Gentoo client specific, but there is Red Hat/apt-get support in there.)

Bug reports are appreciated.

File / directory permissions
by Menno Duursma on Sat 10th Apr 2004 13:49 UTC

chmod 775 /home/samba/teachers
...
directory mask = 0775

Well, in order to disallow users (of group "teachers" here) from just removing the whole dir, maybe by mistake, I'd set the "sticky" bit on it, i.e.:

chmod 1775 /home/samba/teachers
directory mask = 1775

But while we're at it, since Linux supports "inheritance" of the GID bit on files when a directory is setgid, why not use that, like:

chmod 3775 /home/samba/teachers
directory mask = 3775

And when using a filesystem that supports it (such as ext2 or ext3) you can set the immutable attribute on it as well:

chattr +i /home/samba/teachers

Furthermore, the 2.6.x kernel series supports POSIX ACLs, and Samba 3.x can translate those to MS Windows ACLs in such a way that the Linux box looks very much like an NT server (from the perspective of a Windows Explorer session on the client).
http://www.bluelightning.org/linux/samba_acl_howto/
http://networking.earthweb.com/netsysm/article.php/10954_3077971_1

Kernel 2.4.x can be patched to support it, BTW:
http://acl.bestbits.at/

Have fun ...

Great article
by Jay on Sat 10th Apr 2004 14:59 UTC

Great article... learned a few things I didn't know before. Any chance you would do one with integrating LDAP? ;)

RE: File / directory permissions
by Menno Duursma on Sat 10th Apr 2004 15:48 UTC

Correction, leave alone the directive:

directory mask = 0775

That was stupid of me, heh. The rest of that post seems ok though. (It must be weekend or something ... :-))

@OP
Instead of:
%logonserver%\netlogon\ifmember "teachers"

One could probably do something like:
net user "%username%" /domain |find /i "teachers" >nul

Or maybe, the other way around:
net group "teachers" /domain |find /i "%username%" >nul

(You may have to test for some other errorlevel then, BTW.)
IIRC there is a "whoami" command in NT, maybe of interest.
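
Putting Menno's two posts above together as something you can actually run: this is an added example, not code from the article or from any commenter, written for a Linux host (setgid inheritance on new subdirectories is Linux behaviour). It creates a group-shared directory with mode 3775 (setgid + sticky + 0775), checks that both special bits landed and that a subdirectory created inside it inherits setgid, and prints a Samba 3 share stanza that keeps "directory mask = 0775" exactly as corrected above. The directory, group and share names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article or thread.
# Directory, group and share names below are assumptions.
set -eu

# Create DIR owned by GROUP with mode 3775:
#   2000 = setgid: files/subdirs created inside get DIR's group,
#          not the creator's primary group
#   1000 = sticky: only a file's owner (or root) may delete/rename it
#   0775 = owner/group rwx, others rx
make_share_dir() {
    dir=$1; group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 3775 "$dir"
}

# Return 0 if DIR carries both special bits AND a freshly created
# subdirectory inherits setgid from it (Linux semantics); else 1.
check_share_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ -g "$dir" ] || return 1      # setgid present on the share root
    [ -k "$dir" ] || return 1      # sticky present on the share root
    probe="$dir/.inherit-probe.$$"
    mkdir "$probe"
    inherited=1
    [ -g "$probe" ] && inherited=0 # kernel copied setgid to the child
    rmdir "$probe"
    return $inherited
}

# Print a Samba 3 share stanza to pair with the directory above.
# create/directory mask are AND-masks on what clients may create;
# the setgid on new subdirectories comes from the parent's on-disk
# mode (set by make_share_dir), not from these masks.
share_stanza() {
    dir=$1; group=$2; name=$3
    cat <<EOF
[$name]
    path = $dir
    valid users = @$group
    writable = yes
    create mask = 0664
    directory mask = 0775
    force group = $group
EOF
}
```

Run "make_share_dir /home/samba/teachers teachers", then "check_share_dir /home/samba/teachers" before pointing Samba at it; append the output of "share_stanza /home/samba/teachers teachers teachers" to smb.conf and validate it with testparm.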

What can i use this samba server for ?
by Mads hansen on Sat 10th Apr 2004 17:25 UTC

What can I use the Samba server for?
It's not like Active Directory, where you can set permissions on how their Windows should behave. Is that what LDAP is used for?

Screenshots
by Anonymous on Sat 10th Apr 2004 17:28 UTC
RE: Screenshots
by Chris on Sat 10th Apr 2004 18:13 UTC
Very nice....
by 1337goblyn on Sat 10th Apr 2004 18:26 UTC

Very nice tutorial. :-) Lots of details, even though there is a lack of screenshots, I found this article very useful. Kudos! Good job!

last post
by Eugenia on Sat 10th Apr 2004 19:54 UTC
Re: Vernice......
by Pascal on Sat 10th Apr 2004 20:05 UTC
OSNews frontpage...
by aesiamun on Sat 10th Apr 2004 20:18 UTC
Re: LDAP
by Brian Snipes on Sat 10th Apr 2004 22:42 UTC

Funny that you mention that... I have a client that is looking at migrating from Win2K servers and Exchange and I am looking into Samba with LDAP. http://LDAPAdmin.sf.net looks like a very good answer for management of a Samba/LDAP system. If this comes about I will send my results to OSNews for article consideration. There is an excellent article on Mandrake's website on actually setting up Samba and LDAP if you are using the Mandrake distro.

Brian

Cost savings would be the primary reason for setting up a Samba server as opposed to a Linux or NetWare server for file and printer sharing. It also has some useful features not found on either Windows or NetWare - 'veto files' to disallow certain file types being the best example.
Using poledit is just like using Group Policies to restrict users from changing key settings on their workstations. This is especially useful in a school environment where you don't want the students to change things like the screensaver or desktop colors.

Brian

RE: File / directory permissions
by Brian Snipes on Sat 10th Apr 2004 22:54 UTC

I know there was a 'whoami' on NetWare but didn't know that it was available in NT. The 'ifmember.exe' file is pretty small but I like the way Novell does login scripts better. I wonder if you could load an alternative shell processor at the top of a login script....

Brian

what i wish...
by Ophidian on Sat 10th Apr 2004 23:24 UTC

What I wish is for a Linux distro to come out that focuses on LDAP/ACLs/Samba/NFS/etc. already set up when you install it. A distro that does the initial LDAP configuration with you during installation. I want a tool to use like Novell's nwadmn32 for adding users and setting up file permissions; basically I want to see the entire network on a tree and be able to administrate accordingly (even if I am doing said administration through a web page).

Setting up an LDAP server manually is a pain in the arse for someone who has never done it before (and I was following a howto; it just didn't work exactly with the distro I was trying it on. Finally got it to work, then decided to go back to /etc/passwd because of far less headache).

I don't want to have to wait on Novell making NetWare Linux for this to happen ;)

Ophidian

RE: what i wish...
by Brian Snipes on Sat 10th Apr 2004 23:51 UTC

I agree. I would willingly pay for a distro that had a nice admin utility for Windows and Linux (similar to LDAPAdmin and NetWare Administrator). It would need to be able, upon installation, to join an existing system and provide login credentials on its own via its copy of the network directory, not by forwarding them to one master server. Administration of the system must be easier to make inroads in businesses. Webmin is full featured, but NWAdmin beats most (if not all) utils for user and group administration.

Brian

What samba can do
by Asus on Sun 11th Apr 2004 03:08 UTC

What can I use the Samba server for?
It's not like Active Directory, where you can set permissions on how their Windows should behave. Is that what LDAP is used for?


Samba servers can be standalone Windows file sharing servers, Windows file sharing servers as part of an NT domain, NT domain controllers, and Windows file sharing servers as part of an Active Directory (native mode) domain. They cannot be an Active Directory domain controller, and cannot currently function as part of a non-Active Directory Kerberos realm in combination with an LDAP server. They can, however, retrieve user account information from an LDAP server, just not if those accounts have their passwords stored in an MIT Kerberos KDC.

Re: what a wish
by AMSR on Sun 11th Apr 2004 03:16 UTC

What I wish is for a Linux distro to come out that focuses on LDAP/ACLs/Samba/NFS/etc. already set up when you install it. A distro that does the initial LDAP configuration with you during installation. I want a tool to use like Novell's nwadmn32 for adding users and setting up file permissions; basically I want to see the entire network on a tree and be able to administrate accordingly (even if I am doing said administration through a web page).

This distro is called Mac OS X Server. Apple has integrated all of these components together (OpenLDAP, Samba, Kerberos, NFS, etc.) and slapped an easy-to-use admin GUI on them called Workgroup Manager. It works really well out of the box. It works in such a way that your users can use the same name/password to securely log into Linux, Mac OS X, and Windows clients and have their files and settings follow them wherever they go. (It translates between the roaming profile on Windows and an NFS network home directory for OS X and *NIX.) Really quite amazing: the Windows clients see it as an NT domain controller and the Linux and OS X clients see it as an LDAP/Kerberos server. Best part: no client access licenses.

RE: What a wish
by Brian Snipes on Sun 11th Apr 2004 14:08 UTC

Now you're forcing me to look at Mac OS X and expand my horizons... which apparently needs to be done. Thanks!

Brian

BeOS Icon
by JLS on Sun 11th Apr 2004 16:02 UTC
re: mac osx
by Ophidian on Sun 11th Apr 2004 17:18 UTC

Whoa, nice. I have never looked at OS X Server (never had the opportunity).

RE: schannel and signing options
by Brian Snipes on Sun 11th Apr 2004 18:29 UTC

I had no clue the option existed. Thanks for the info.

Brian

re: beos icons
by Eugenia on Sun 11th Apr 2004 20:55 UTC
Converting LF -> CRLF
by dpi on Sun 11th Apr 2004 23:43 UTC

Easy, with the program unix2dos:
$ unix2dos inputfile outputfile

The counterpart dos2unix also exists and might be helpful for other tasks.
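
For the case the thread is about (a logon script that must end up CRLF on the netlogon share), here is an added example that is not from the original thread or from dpi: an LF-to-CRLF converter in POSIX awk that is idempotent, so running it twice over a file that is already CRLF does not produce "\r\r\n" the way a blind "s/$/\r/" would. The file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article or thread.
# File names are assumptions.
set -eu

# stdin -> stdout: drop any trailing CR already present, then emit CRLF.
# Safe to run repeatedly: a CRLF input comes out unchanged.
to_crlf() {
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }'
}

# Count CR bytes on stdin (handy for checking a script before you
# copy it to the share). Prints a bare number.
count_cr() {
    tr -cd '\r' | wc -c | tr -d ' '
}

# Convert FILE in place, keeping FILE.bak. Refuses symlinks and
# non-regular files: a share that clients can write to is exactly
# where you do not want an admin script following a planted link.
# Writes through the existing inode so ownership and mode are kept.
crlf_in_place() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    tmp="$f.tmp.$$"
    to_crlf < "$f" > "$tmp"
    cp -p "$f" "$f.bak"
    cat "$tmp" > "$f"
    rm -f "$tmp"
}
```

Typical use: "crlf_in_place /home/samba/netlogon/logon.bat", then "count_cr < /home/samba/netlogon/logon.bat" should equal the line count.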

NT Policies?????
by Chris Peden on Mon 12th Apr 2004 17:03 UTC

Why does this guy use NT policies on Windows XP? It's best to use Group Policy, by running gpedit.msc at the Run prompt. NT policies are old news.

Secure SChannel requiresignorseal
by David on Mon 12th Apr 2004 19:47 UTC

I've just set up a Samba/XP domain, and I have not needed to alter any registry settings for this. Everything worked out of the box with Samba 3; it was great. However, this is vanilla XP, so if you are running with a further service pack things may be different.

OS X Server, AMSR
by TheDude on Mon 12th Apr 2004 21:10 UTC

AMSR, will you post some of your experiences w/ setting up OS X server? Or perhaps would you be willing to email me offline?

RE: NT Policies?????
by Brian Snipes on Mon 12th Apr 2004 21:29 UTC

Using poledit and the modified adm files allows you to administer rights from one workstation that affect anyone who logs in to the network. I don't want to go to every workstation and run 'gpedit.msc' and set up policies a hundred times for a hundred workstations. The modified adm files contain the most useful policies of gpedit and can be applied to an individual computer, an individual user, or a group of users without having to visit each PC.

Brian

Novell has a new thing out called Linux Enterprise Services which ports most of the features of Novell administration to the Linux platform, and they are going to be doing even more. They have made the commitment to have the next version of their software, to be called Open Enterprise Server, run on Linux, and even have a Linux desktop available as well. Novell is going gangbusters for Linux; this is why they bought SUSE and Ximian.