Translations by ZhongHan Cai
ZhongHan Cai has submitted the following strings to this translation.
99. (2009-01-28, 2009-01-27)
To match the Samba configuration above, the <emphasis>sysadmin</emphasis> group will be given read, write, and execute permissions on <filename>/srv/samba/share</filename>, the <emphasis>qa</emphasis> group will be given read and execute permissions, and the files will be owned by the user <emphasis>melissa</emphasis>. Enter the following in a terminal:

100. (2008-10-11)
sudo chown -R melissa /srv/samba/share/

101. (2008-10-11)
sudo chgrp -R sysadmin /srv/samba/share/

102. (2008-10-11)
sudo setfacl -R -m g:qa:rx /srv/samba/share/

103. (2008-10-11)
The <application>setfacl</application> command above gives the <emphasis>qa</emphasis> group <emphasis>execute</emphasis> permission on every file under <filename>/srv/samba/share</filename>, not only on the directories, which you may or may not want. Using <emphasis>rX</emphasis> instead of <emphasis>rx</emphasis> grants execute only on directories and on files that are already executable.

104. (2008-10-11)
Now from a Windows client you should notice that the new file permissions are in effect. See the <application>acl</application> and <application>setfacl</application> man pages for more information on POSIX ACLs.

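Added example (Python, not code from the Ubuntu Server Guide): the script below shows on a sample tree what the difference between <emphasis>rx</emphasis> and <emphasis>rX</emphasis> amounts to, and builds the ownership and ACL command sequence for the <emphasis>melissa</emphasis>/<emphasis>sysadmin</emphasis>/<emphasis>qa</emphasis> scheme above using the X form. Two things in it are the example's own and not on the page: a chmod step, because <application>chown</application> and <application>chgrp</application> by themselves do not change mode bits and so never give <emphasis>sysadmin</emphasis> write access, and the sample tree, which is constructed in a temporary directory. The function names are likewise the example's own.

```python
"""Added example (not from the Ubuntu Server Guide): show what a recursive
'g:qa:rx' versus 'g:qa:rX' ACL would grant on a share tree, and build the
page's chown/chgrp/setfacl sequence with the 'X' form.  The chmod step and the
sample tree are this example's own additions."""
import os
import stat
import subprocess
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def files_gaining_execute(root, perms):
    """Regular files under root that 'setfacl -R -m g:<group>:<perms>' would
    make executable by the group: 'x' hits every file, 'X' only files that
    already carry an execute bit (directories get it either way)."""
    gaining = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # symlinks and special files are skipped
            if 'x' in perms or ('X' in perms and mode & EXEC_BITS):
                gaining.append(path)
    return sorted(gaining)


def acl_commands(share, owner='melissa', rw_group='sysadmin', ro_group='qa'):
    """The page's sequence plus a chmod (chown/chgrp do not touch mode bits, so
    without it the owning group never gets rwx) and 'rX' instead of 'rx'."""
    return [
        ['chown', '-R', owner, share],
        ['chgrp', '-R', rw_group, share],
        ['chmod', '-R', 'u=rwX,g=rwX,o=', share],
        ['setfacl', '-R', '-m', 'g:%s:rX' % ro_group, share],
    ]


def apply_acls(share, **names):
    """Run the commands (as root) and return 'getfacl' output for review."""
    for argv in acl_commands(share, **names):
        subprocess.run(argv, check=True)
    return subprocess.run(['getfacl', '-R', '-p', share], capture_output=True,
                          text=True, check=True).stdout


def make_sample_tree():
    """Constructed sample share: two data files and one already-executable
    script, in a fresh temporary directory.  Returns the root path."""
    root = tempfile.mkdtemp(prefix='share-')
    for rel, mode in (('README', 0o644), ('docs/report.txt', 0o644),
                      ('tools/run.sh', 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as fh:
            fh.write('sample\n')
        os.chmod(path, mode)
    return root


if __name__ == '__main__':
    root = make_sample_tree()
    print('rx would add group execute on:', files_gaining_execute(root, 'rx'))
    print('rX would add group execute on:', files_gaining_execute(root, 'rX'))
    for argv in acl_commands('/srv/samba/share'):
        print(' '.join(argv))
```

Run it without arguments to see the two lists on the sample tree; point files_gaining_execute at /srv/samba/share to audit a real share before choosing between rx and rX, and call apply_acls as root when you are happy with the command list.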
105. (2009-01-28, 2009-01-27)
Samba AppArmor Profile

106. (2009-01-28, 2009-01-27)
Ubuntu comes with the <application>AppArmor</application> security module, which provides mandatory access controls. The default AppArmor profile for Samba will need to be adapted to your configuration. For more details on using AppArmor see <xref linkend="apparmor"/>.

107. (2009-01-27)
There are default AppArmor profiles for <filename>/usr/sbin/smbd</filename> and <filename>/usr/sbin/nmbd</filename>, the Samba daemon binaries, as part of the <application>apparmor-profiles</application> package. To install the package, from a terminal prompt enter:

108. (2008-10-15)
sudo apt-get install apparmor-profiles

109. (2009-01-27)
This package contains profiles for several other binaries.

110. (2009-01-27)
By default the profiles for <application>smbd</application> and <application>nmbd</application> are in <emphasis>complain</emphasis> mode, which allows Samba to work without modifying the profile and only logs the accesses that would have been denied. To place the <application>smbd</application> profile into <emphasis>enforce</emphasis> mode and still have Samba work as expected, the profile must be modified to reflect any directories that are shared.

111. (2009-01-27)
Edit <filename>/etc/apparmor.d/usr.sbin.smbd</filename>, adding entries for the <emphasis>[share]</emphasis> from the file server example:

112. (2009-01-27)
/srv/samba/share/ r,
/srv/samba/share/** rwkix,

113. (2009-01-27)
Now place the profile into <emphasis>enforce</emphasis> mode and reload it:

114. (2009-01-27)
sudo aa-enforce /usr/sbin/smbd

115. (2009-01-27)
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.smbd

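Before switching the profile to enforce mode it is worth confirming that every share path in <filename>smb.conf</filename> really has a rule. The Python script below, added here as an example and not taken from the guide, Samba or the AppArmor project, reads the share paths out of an smb.conf and the file rules out of <filename>usr.sbin.smbd</filename> and reports shares the profile does not cover. The smb.conf and profile excerpts inside it are constructed for the example, it handles only bare path rules (no <emphasis>owner</emphasis> prefix, quoting or variables), and its globbing is an approximation of AppArmor's. The point it makes concrete is why the page needs two lines: <filename>/srv/samba/share/**</filename> matches everything below the directory but not the directory itself, so <filename>/srv/samba/share/</filename> gets its own <emphasis>r</emphasis> rule (the <emphasis>{,**}</emphasis> idiom covers both in one line).

```python
"""Added example (not from the Ubuntu Server Guide, Samba or AppArmor): report
smb.conf shares that the smbd AppArmor profile does not cover, before the
profile is put into enforce mode.  Sample inputs below are constructed."""
import re

# Constructed smb.conf excerpt with the two shares this page discusses.
SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user

[share]
   path = /srv/samba/share
   read only = no

[netlogon]
   comment = Network Logon Service
   path = /srv/samba/netlogon
   guest ok = yes
   read only = yes
"""

# Constructed /etc/apparmor.d/usr.sbin.smbd excerpt: only the [share] rules
# from the page were added, so [netlogon] is still uncovered.
SMBD_PROFILE = """\
/usr/sbin/smbd {
  /srv/samba/share/ r,
  /srv/samba/share/** rwkix,
}
"""


def share_paths(conf_text):
    """Map share name -> (path, read_only).  Minimal smb.conf reader: [sections],
    'key = value' lines, '#'/';' comments; Samba's default is read only = yes."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif '=' in line and current is not None:
            key, _, value = line.partition('=')
            sections[current][key.strip().lower()] = value.strip()
    shares = {}
    for name, opts in sections.items():
        if name == 'global' or 'path' not in opts:
            continue
        flag = opts.get('read only')
        if flag is not None:
            read_only = flag.lower() in ('yes', 'true', '1')
        else:
            writeable = opts.get('writeable', opts.get('writable', 'no'))
            read_only = writeable.lower() not in ('yes', 'true', '1')
        shares[name] = (opts['path'], read_only)
    return shares


def profile_rules(profile_text):
    """(path_glob, perms) pairs from bare file rules such as '/srv/x/** rwkix,'.
    'owner' prefixes, quoted paths, variables and include lines are ignored."""
    return re.findall(r'^[ \t]*(/\S*)[ \t]+([A-Za-z]+)[ \t]*,[ \t]*$',
                      profile_text, re.M)


def expand_braces(pattern):
    """Expand AppArmor {a,b} alternation, innermost first:
    '/d/{,**}' -> ['/d/', '/d/**']."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    return [p for alt in m.group(1).split(',')
            for p in expand_braces(pattern[:m.start()] + alt + pattern[m.end():])]


def glob_to_regex(glob):
    """Approximation of AppArmor globbing: '*' never crosses '/', '**' does; both
    must match at least one non-'/' character directly after a '/', so
    '/dir/**' matches files below /dir/ but not /dir/ itself."""
    out, i = '', 0
    while i < len(glob):
        after_slash = i == 0 or glob[i - 1] == '/'
        if glob.startswith('**', i):
            out += '[^/].*' if after_slash else '.*'
            i += 2
        elif glob[i] == '*':
            out += '[^/]+' if after_slash else '[^/]*'
            i += 1
        elif glob[i] == '?':
            out += '[^/]'
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return '^' + out + '$'


def path_matches(glob, path):
    """True if the AppArmor path glob (with {a,b} alternation) matches path."""
    return any(re.match(glob_to_regex(alt), path) for alt in expand_braces(glob))


def perms_for(path, rules):
    """Union of permission letters that all matching rules grant to path."""
    granted = set()
    for glob, perms in rules:
        if path_matches(glob, path):
            granted.update(perms)
    return granted


def uncovered_shares(conf_text, profile_text):
    """Names of shares whose directory lacks 'r' or whose contents (probed at
    two depths) lack what smbd needs: 'r' for read-only shares, 'rwk' otherwise."""
    rules = profile_rules(profile_text)
    missing = []
    for name, (path, read_only) in share_paths(conf_text).items():
        directory = path.rstrip('/') + '/'
        needed = {'r'} if read_only else {'r', 'w', 'k'}
        probes = [directory + 'file', directory + 'sub/file']
        if 'r' not in perms_for(directory, rules) or \
                not all(needed <= perms_for(p, rules) for p in probes):
            missing.append(name)
    return sorted(missing)


if __name__ == '__main__':
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SMB_CONF
    prof = open(sys.argv[2]).read() if len(sys.argv) > 2 else SMBD_PROFILE
    print('uncovered shares:', uncovered_shares(conf, prof) or 'none')
```

Run it as `python3 check.py /etc/samba/smb.conf /etc/apparmor.d/usr.sbin.smbd` on the real files; with no arguments it uses the constructed excerpts and reports that [netlogon] is uncovered, which a single `/srv/samba/netlogon/{,**} r,` rule fixes.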
117. (2009-01-27)
O'Reilly's <ulink url="http://www.oreilly.com/catalog/9780596007690/">Using Samba</ulink> is also a good reference.

118. (2009-01-27)
<ulink url="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html">Chapter 18</ulink> of the Samba HOWTO Collection is devoted to security.

119. (2009-01-27)
For more information on Samba and ACLs see the <ulink url="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id397568">Samba ACLs page</ulink>.

120. (2009-01-27)
Samba as a Domain Controller

121. (2009-01-27)
Although it cannot act as an Active Directory Primary Domain Controller (PDC), a Samba server can be configured to appear as a Windows NT4-style domain controller. A major advantage of this configuration is the ability to centralize user and machine credentials. Samba can also use multiple backends to store the user information.

122. (2009-01-27)
Primary Domain Controller

123. (2009-01-27)
This section covers configuring Samba as a Primary Domain Controller (PDC) using the default smbpasswd backend.

124. (2009-01-27)
First, install Samba and <application>libpam-smbpass</application>, which keeps the Samba password database in sync with the system user accounts, by entering the following at a terminal prompt:

125. (2009-01-27)
sudo apt-get install samba libpam-smbpass

126. (2009-01-27)
Next, configure Samba by editing <filename>/etc/samba/smb.conf</filename>. The <emphasis>security</emphasis> mode should be set to <emphasis role="italic">user</emphasis>, and the <emphasis>workgroup</emphasis> should relate to your organization:

127. (2009-01-27)
In the commented <quote>Domains</quote> section add or uncomment the following:

129. (2009-01-27)
<emphasis>domain logons:</emphasis> provides the netlogon service, causing Samba to act as a domain controller.

130. (2009-01-27)
<emphasis>logon path:</emphasis> places the user's Windows profile into their home directory. It is also possible to configure a <emphasis>[profiles]</emphasis> share placing all profiles under a single directory.

131. (2009-01-27)
<emphasis>logon drive:</emphasis> specifies the drive letter on the workstation to which the home directory is mapped.

132. (2009-01-27)
<emphasis>logon home:</emphasis> specifies the network (UNC) location of the user's home directory.

133. (2009-01-27)
<emphasis>logon script:</emphasis> determines the script to be run on the workstation once a user has logged in. The script needs to be placed in the <emphasis>[netlogon]</emphasis> share.

134. (2009-01-27)
<emphasis>add machine script:</emphasis> a script that will automatically create the <emphasis>Machine Trust Account</emphasis> needed for a workstation to join the domain.

135. (2009-01-27)
In this example the <emphasis>machines</emphasis> group will need to be created using the <application>addgroup</application> utility; see <xref linkend="adding-deleting-users"/> for details.

136. (2009-01-27)
If you do not wish to use <emphasis>Roaming Profiles</emphasis>, leave the <emphasis>logon home</emphasis> and <emphasis>logon path</emphasis> options commented out.

137. (2009-01-27)
Uncomment the <emphasis>[homes]</emphasis> share to allow the <emphasis role="italic">logon home</emphasis> to be mapped:

138. (2009-01-27)
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S

139. (2009-01-27)
When configured as a domain controller, a <emphasis>[netlogon]</emphasis> share needs to be configured. To enable the share, uncomment:

140. (2009-01-27)
[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = yes
read only = yes
share modes = no

141. (2009-01-27)
The original <emphasis>netlogon</emphasis> share path is <filename>/home/samba/netlogon</filename>, but according to the Filesystem Hierarchy Standard (FHS), <ulink url="http://www.pathname.com/fhs/pub/fhs-2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM">/srv</ulink> is the correct location for site-specific data provided by the system.

142. (2009-01-27)
Now create the <filename role="directory">netlogon</filename> directory, and an empty (for now) <filename>logon.cmd</filename> script file:

143. (2009-01-27)
sudo mkdir -p /srv/samba/netlogon

144. (2009-01-27)
sudo touch /srv/samba/netlogon/logon.cmd

145. (2009-01-27)
You can enter any normal Windows logon script commands in <filename>logon.cmd</filename> to customize the client's environment.

146. (2009-01-27)
Since the <emphasis>root</emphasis> account is disabled by default, a system group needs to be mapped to the Windows <emphasis>Domain Admins</emphasis> group before a workstation can be joined to the domain. Using the <application>net</application> utility, from a terminal enter:

147. (2009-01-27)
sudo net groupmap add ntgroup="Domain Admins" unixgroup=sysadmin rid=512 type=d
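Added example (Python, not from the Ubuntu Server Guide): because <filename>logon.cmd</filename> runs on every workstation at logon, anything under the <emphasis>[netlogon]</emphasis> tree that a non-root user can modify becomes code execution on every client. <emphasis>read only = yes</emphasis> only protects the share from SMB clients; the script below audits the directory locally, flagging entries that are group- or world-writable, not owned by root, or symlinks. The sample tree it builds in a temporary directory, the function names and the choice of checks are the example's own.

```python
"""Added example (not from the Ubuntu Server Guide): audit the netlogon tree.
logon.cmd runs on every workstation at logon, so nothing under the share may be
writable by anyone but root, and symlinks should not point out of the tree.
'read only = yes' covers SMB clients only; local write access is checked here."""
import os
import stat
import tempfile

GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_netlogon(root, expected_uid=0):
    """Return sorted (relative path, problem) pairs for every entry under root
    (root itself included) that is a symlink, not owned by expected_uid, or
    writable by group or others."""
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    problems = []
    for path in entries:
        rel = os.path.relpath(path, root)
        st = os.lstat(path)  # lstat: judge the link itself, not its target
        if stat.S_ISLNK(st.st_mode):
            problems.append((rel, 'symlink'))
            continue
        if st.st_uid != expected_uid:
            problems.append((rel, 'not owned by uid %d' % expected_uid))
        if st.st_mode & GROUP_OR_WORLD_WRITE:
            problems.append((rel, 'writable by group or others'))
    return sorted(problems)


def make_sample_netlogon():
    """Constructed sample: a correct logon.cmd, a script someone left
    world-writable, and a stray symlink.  Returns (root, owner uid)."""
    root = tempfile.mkdtemp(prefix='netlogon-')
    os.chmod(root, 0o755)
    for name, mode in (('logon.cmd', 0o644), ('setup.cmd', 0o666)):
        path = os.path.join(root, name)
        with open(path, 'w') as fh:
            fh.write('@echo off\r\n')
        os.chmod(path, mode)
    os.symlink('/etc/hosts', os.path.join(root, 'hosts.cmd'))
    return root, os.getuid()


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        findings = audit_netlogon(sys.argv[1])          # real tree, root-owned
    else:
        root, uid = make_sample_netlogon()
        findings = audit_netlogon(root, expected_uid=uid)
    for rel, problem in findings:
        print('%s: %s' % (rel, problem))
    print('ok' if not findings else '%d problem(s)' % len(findings))
```

On a live server run it as `python3 audit.py /srv/samba/netlogon`; the directory created with the `mkdir`/`touch` commands above is root-owned and mode 0755/0644, which passes cleanly, so any finding afterwards means someone changed the tree.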