Samba is an Open Source software suite that, since 1992, has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others. It will allow us to turn our OpenBSD server into a Primary Domain Controller and file server, able to interoperate with Windows-based client machines.
We can install most of the required software from the pre-compiled packages:
but we will compile Samba from the ports, because the antivirus module requires the Samba source code in order to compile successfully (of course, feel free to install the pre-compiled package, samba-x.x.x-cups-ldap.tgz, if you don't need antivirus support).
# cd /usr/ports/net/samba # env FLAVOR="cups ldap" make install [ ... ]
Most of Samba's configuration takes place in the /etc/samba/smb.conf(5) file. It is an INI-formatted file made up of multiple sections, each beginning with the name of a shared resource (except for the "[global]" section) and containing a variable number of parameters in the form "name = value". Each parameter has a default value, which is retained if the parameter is omitted.
There are three special sections:
Lines beginning with a semicolon (";") or hash ("#") character are treated as comments; a parameter may span multiple lines by ending each line with a backslash ("\"). Below is a sample configuration file:
################################################################################
# Parameters in the [global] section apply to the server as a whole, or are   #
# defaults for sections that do not specifically define certain items         #
################################################################################
[global]
# Domain name to use
workgroup = KERNEL-PANIC
# String that will appear in browse lists next to the machine name
server string = Samba Server
# Set the Samba server to user-level security: clients must authenticate with a
# username and password before they can access any share (the other security
# modes are described in smb.conf(5))
security = user
# List of hosts permitted to access Samba services. A trailing dot matches a
# whole network prefix, so only 172.16.0.x and loopback clients get through.
# This is a coarse network-level filter applied before authentication, not a
# replacement for it: it trusts the peer address as seen on the wire
hosts allow = 172.16.0. 127.
# Negotiate encrypted passwords with the clients
encrypt passwords = yes
# Use a separate log file for each machine that connects (%m is replaced by the
# client's NetBIOS name). The /var/log/samba directory must exist beforehand
log file = /var/log/samba/smbd.%m
# Maximum size, in KB, of the log files
max log size = 1024
# Select the backend(s) to retrieve and store passwords with. The LDAP URL is
# optional and defaults to 'ldap://localhost' (set the URI scheme to 'ldaps' if
# you're using LDAP over TLS/SSL)
passdb backend = ldapsam:ldap://ldap.kernel-panic.it
# Avoid substituting %-macros in the passdb fields
passdb expand explicit = no
# File containing the mapping of Samba users to local Unix users
username map = /etc/samba/smbusers
# This socket option should give better performance
socket options = TCP_NODELAY
# Allow nmbd(8) to try to become the local master browser
local master = yes
# Tell Samba to be the Domain Master Browser for its workgroup
domain master = yes
# A domain controller must have the 'os level' set at or above a value of 32
os level = 33
# Make nmbd(8) force a local browser election on startup, also giving it a
# slightly higher chance of winning the election
preferred master = yes
# A domain controller must provide the network logon service
domain logons = yes
# Uncomment the following parameter to disable roaming profiles
# logon path =
# Name of an (optional) logon script (you can make it user-specific with '%U').
# The script must be in DOS format. It is fetched from the [netlogon] share
# and executed on every client at logon, so keep that share's write access
# tightly restricted
logon script = netlogon.bat
# Make nmbd(8) act as a WINS server
wins support = yes
# Try to resolve NetBIOS names via DNS lookups
dns proxy = yes
# LDAP options: where in the directory Samba keeps (and looks for) its users,
# machines, groups and SID mappings
ldap suffix = dc=kernel-panic,dc=it
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
# DN Samba binds with; its password is stored in secrets.tdb via 'smbpasswd -w'
ldap admin dn = cn=Manager,dc=kernel-panic,dc=it
# NOTE(review): with 'ldap ssl = no' and the plain ldap:// URI above, the bind
# password and every directory query cross the network unencrypted; on anything
# but a trusted link switch the URI to ldaps:// (or use 'ldap ssl = start tls')
ldap ssl = no
# Keep the LDAP userPassword attribute in sync when a Samba password changes
ldap passwd sync = Yes
# Range of user and group ids allocated for mapping UNIX users to NT user SIDs
idmap uid = 2000-4000
idmap gid = 2000-4000
# Scripts to run when managing users with remote RPC (NT) tools. smbd runs
# them as root with the requested user/group name substituted for %u/%g
add user script = /usr/local/sbin/smbldap-useradd -a -g 512 -m %u
add group script = /usr/local/sbin/smbldap-groupadd %g
add machine script = /usr/local/sbin/smbldap-useradd -w -g 515 %u
delete user script = /usr/local/sbin/smbldap-userdel -r %u
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
delete group script = /usr/local/sbin/smbldap-groupdel -r %g
################################################################################
# Users' home directories. If no path is specified, the path is set to the     #
# (Unix) user's home directory (typically '/home/<username>')                  #
################################################################################
[homes]
comment = Home Directories
# Hidden from browse lists; each user still reaches their own share by name
browseable = no
writable = yes
################################################################################
# The netlogon service allows you to specify the path to the logon scripts    #
################################################################################
[netlogon]
comment = Share for logon scripts
path = /var/netlogon
# Read-only for everyone except the 'write list' below: the scripts stored here
# run on every client at logon, so only Domain Admins may change them
read only = yes
write list = @"Domain Admins"
browseable = no
################################################################################
# Shares definitions. The name of a section corresponds to the name of the    #
# shared resource. The following are just some examples, feel free to modify  #
# them according to your needs.                                                #
################################################################################
# A temporary directory for people to share files.
# NOTE(review): 'public = yes' (a synonym for 'guest ok') together with
# 'read only = no' makes /tmp writable by unauthenticated guests, provided the
# guest account is usable; drop 'public' or set 'read only = yes' unless that
# is really intended
[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes
# A publicly accessible directory, but read only, except for people in the
# "staff" group.
# NOTE(review): as written the share does not match that description:
# 'writable = yes' grants write access to everyone (guests included, since
# 'public = yes'), so 'write list = @staff' adds nothing. To make it read-only
# except for @staff, use 'writable = no' (or 'read only = yes') and keep the
# write list
[public]
comment = Public Stuff
path = /home/samba
public = yes
writable = yes
write list = @staff
# Define a share accessible only to a selected group of users. This directory
# should be writable by both users and should have the sticky bit set on it to
# prevent abuse
[myshare]
comment = Mary's and Fred's stuff
path = /usr/somewhere/shared
# Only these two accounts may connect; everybody else is refused
valid users = mary fred
public = no
writable = yes
# New files are owner/group read-write; new directories additionally get the
# sticky bit (the leading 1) so users can only remove their own entries
create mask = 0660
directory mask = 1770
# A service pointing to a different directory for each user that connects.
# %U gets replaced with the user name (in lower case) that is connecting
[private]
comment = User data
path = /var/data/%U
# 'valid users = %U' always resolves to the connecting user, so any
# authenticated account gets in, each confined to its own /var/data/<user>
valid users = %U
public = no
writable = yes
Now we need to create the file containing the mapping of Samba users to local Unix users, /etc/samba/smbusers. In particular, we need to map the Domain Administrator user to root, in order to grant it the privileges it needs to manage the domain.
root = administrator
We can test our configuration by running the testparm(1) command:
# testparm Load smb config files from /etc/samba/smb.conf Processing section "[homes]" Processing section "[tmp]" Processing section "[public]" Processing section "[myshare]" Processing section "[private]" Loaded services file OK. Server role: ROLE_DOMAIN_PDC Press enter to see a dump of your service definitions [...]
The last step is telling Samba the password to use to bind to the LDAP server (i.e. the cleartext value of the rootpw parameter in slapd.conf(5)). Samba will store that password in /etc/samba/secrets.tdb:
# smbpasswd -w <password> Setting stored password for "cn=Manager,dc=kernel-panic,dc=it" in secrets.tdb
Now we can configure the system to start Samba on boot by adding a couple of variables to the /etc/rc.conf.local(8) file:
# Enable the Samba daemons at boot; "-D" makes each one detach and run as a
# daemon. Set a variable to "NO" to keep that daemon disabled.
smbd_flags="-D"
nmbd_flags="-D"
and the appropriate startup commands to /etc/rc.local(8):
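# Start smbd(8) and nmbd(8) at boot when enabled in /etc/rc.conf.local.
# Each daemon is started only if its *_flags variable is not "NO" and the
# binary is present and executable. The two conditions are joined with a
# shell '&&' rather than the obsolescent '[ ... -a ... ]' form, which is
# ambiguous when an operand looks like an option. The *_flags expansions are
# deliberately left unquoted so that a value holding several options is
# split into separate arguments, as the rc scripts expect.
if [ "$smbd_flags" != "NO" ] && [ -x /usr/local/libexec/smbd ]; then
  echo -n ' smbd'
  /usr/local/libexec/smbd $smbd_flags
fi
if [ "$nmbd_flags" != "NO" ] && [ -x /usr/local/libexec/nmbd ]; then
  echo -n ' nmbd'
  /usr/local/libexec/nmbd $nmbd_flags
fi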
Finally, we are ready to start Samba, though it will be pretty useless until the LDAP database has been populated; so that's what we're going to do in the next chapter.
# mkdir /var/log/samba # /usr/local/libexec/smbd -D # /usr/local/libexec/nmbd -D