Contributed by Dengue on from the domain-member dept.
Setting Up an OpenBSD/Samba Fileserver with NT Domain Authentication
- by Robert P Lessard
Thanks to Robert P. Lessard for providing a SAMBA Howto.
Fileserver summary (what I had to work with)
- OpenBSD 3.1 operating system
- Samba 2.2.5 SMB file sharing
- Windows NT 4.0 domain authentication
- SWAT remote admin from Windows client
- Minimize server overhead
Primary Domain Controller (NT domain settings)
- Intel PIII 500mhz
- 192mb SDRAM
- 8 gb EIDE HDD
- Standard FDD/IDE CDROM
- Integrated 1mb video
- Standard keyboard
- No sound, no mouse
- Windows NT 4.0 sp4
- Domain name: test.org
- Host/netbios: pdc.test.org/pdc
- Ip: 172.16.38.141/255.255.254.0
- Gateway: 172.16.38.1
- Primary WINS server
- Primary DNS server
I used a snapshot of -current dated 9/4/2002. Otherwise, you can use the standard release and apply patches up to that date and duplicate my setup. The standard release was missing some files required to use the Samba 2.2.5 distribution without a workaround; the update installed those files.
This is just a training PC for me, so you’ll have to apply any patches for your system as applicable.
After logging into the system as root, I installed the following packages:
Note: the latest Samba release at the time of this writing at the above site was samba-2.2.3a.tgz but someone compiled the newer version on one of the mirror sites. I simply did an internet search for “samba-2.2.5.tgz” and found it.
Why these packages?
Pico is a text editor. VI is the text editor that comes with the default install. Unless you are smart on all the VI commands, I would recommend pico. It is a lot more forgiving and has a command legend at the bottom of the screen if you forget what to type.
Samba is the SMB software that allows us to provide services for Windows clients. Specifically, it allows us to share folders and printers, be an application server in a Windows network and it even has some limited domain controller capabilities.
Zap is a utility that makes killing a process on OpenBSD easier. Typically, you would need to use the “ps” command to get a list of processes and kill each one by process number. Zap streamlines this process.
That’s all I installed on my PC. I wanted the lowest overhead on the server that I could tolerate. Samba is required for what we want to do and the other tools are tiny and save me heartache. The only other overhead we will have is the ability to edit the Samba configuration remotely with SWAT, just in case we are not at the computer. We will set that up to “start on demand” and shut down when not needed.
Testing that Samba installed
To make sure Samba actually installed, type:
find / -name smbd -print
You should get back this response:
/usr/local/libexec/smbd
This is the location of the smbd (server message block) daemon. If you type the following:
cd /usr/local/libexec; ls
you will see that the nmbd (netbios) daemon and SWAT (Samba remote admin) are also installed.
We could set up SWAT at this point and use a friendlier GUI tool, but one of the limitations of SWAT is that it resaves your smb.conf file without comments. That means that any notes or config lines you have rem’d out will be lost.
With that said, let’s edit the smb.conf file on the OpenBSD computer with pico and then we can adjust it with SWAT later. Type:
pico /etc/samba/smb.conf
This brings up smb.conf to edit. Remove the appropriate “#” or “;” marks and add lines to achieve the following setup in the global section:
workgroup = test.org
netbios name = fileserver
server string = OpenBSD Samba FileServer
interfaces = 172.16.38.141 172.16.38.142
security = domain
encrypt passwords = yes
password server = pdc
passwd program = /usr/bin/passwd %u
passwd chat = *New\spassword:* %n\n *Retype\snew\spassword:* %n\n
unix password sync = yes
log level = 1
log file = /var/log/smbd.%m
max log size = 500
add user script = /usr/sbin/adduser -batch %u
delete user script = /usr/sbin/userdel %u
os level = 0
preferred master = false
local master = no
domain master = false
dns proxy = no
wins server = 172.16.38.141
hosts allow = 172.16.38.141 172.16.38.142 127.0.0.1
Be careful with spelling: some of these parameters are misspelled by convention (“passwd program” and “passwd chat”, and the OpenBSD binary itself is /usr/bin/passwd). In “passwd chat”, “\s” stands for a space in the prompt and “%n” for the new password. Use the same parameter lines but substitute the functional equivalents for your network (i.e. hosts allow may be your network ID/mask). An explanation of these items may be found at the Samba web site under the documentation section: http://www.samba.org/
Each time you make changes to the smb.conf file, the Samba daemons must be restarted.
Checking smb.conf for proper syntax
Type the following command:
testparm
This should return feedback about how you set up the parameters. It will not tell you that Samba is fully functional. Note: the “unix password sync” parameter was misspelled in my distribution’s sample file and testparm caught it.
Set up Samba to start at boot
Type the following command:
pico /etc/rc.local
After the rc.local file opens, add the following lines and save:
echo "smbd" && /usr/local/libexec/smbd -D
echo "nmbd" && /usr/local/libexec/nmbd -D
Set up the system to listen on the SWAT port
Type the following command:
pico /etc/services
After the services file opens, add the following line at the appropriate place in the list of ports and save:
swat 901/tcp
Now, we don’t want SWAT running continuously because it would waste server resources, but we do want it to start when we attempt to connect. Type the following command:
pico /etc/inetd.conf
Add the following line and save the updated inetd.conf file:
swat stream tcp nowait.400 root /usr/local/libexec/swat swat
Reboot the system to let the new settings take effect.
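The global settings above and the inetd entry for SWAT are the two places where this setup decides who may talk to the server and how. The script below is an added example, not part of the howto: it reads the [global] section of an smb.conf the way Samba does (parameter names compared without regard to case or whitespace, “;” and “#” lines ignored), reports any of the howto’s key settings that are missing or changed, and tells you whether inetd will still hand out SWAT. The sample config files it writes to a temporary directory are constructed for the demonstration.

```shell
# Added example (not from the howto): audit the [global] settings the howto relies on
# and flag SWAT being served by inetd. Samba ignores case and whitespace in parameter
# names, so names are normalised the same way before comparing.
# smb_param FILE NAME -> value of NAME (given without spaces) from [global], lowercased
smb_param() {
    awk -v want="$2" '
        /^[ \t]*\[/ { sect = tolower($0); sub(/^[ \t]*\[/, "", sect); sub(/].*$/, "", sect); next }
        /^[ \t]*[;#]/ { next }     # both ; and # start a comment in smb.conf
        sect == "global" && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == want) print tolower(val)
        }' "$1"
}

# smb_audit FILE -> prints one line per finding; returns 1 when anything is off
smb_audit() {
    rc=0
    [ "$(smb_param "$1" security)" = domain ] || { echo "security is not 'domain': the PDC is not asked to authenticate users"; rc=1; }
    [ "$(smb_param "$1" encryptpasswords)" = yes ] || { echo "encrypt passwords is not 'yes': NT 4.0 clients refuse plaintext logons by default"; rc=1; }
    [ -n "$(smb_param "$1" passwordserver)" ] || { echo "password server is unset"; rc=1; }
    [ -n "$(smb_param "$1" hostsallow)" ] || { echo "hosts allow is unset: any host reaching port 139 may try the shares"; rc=1; }
    return $rc
}

# inetd_has_swat INETD_CONF -> 0 when inetd will start SWAT on request (plain HTTP, no encryption)
inetd_has_swat() { grep -Eq '^[[:space:]]*swat[[:space:]]' "$1"; }
# Constructed sample files modelled on the howto's settings, written to a temp dir.
TMPD=$(mktemp -d)
GOOD_CONF=$TMPD/smb.conf.good; BAD_CONF=$TMPD/smb.conf.bad; INETD_CONF=$TMPD/inetd.conf
cat > "$GOOD_CONF" <<'EOF'
[global]
   Security = Domain
   encrypt passwords = yes
   password server = pdc
   hosts allow = 172.16.38.141 172.16.38.142 127.0.0.1
EOF
cat > "$BAD_CONF" <<'EOF'
[global]
   security = user
   encrypt passwords = yes
;  password server = pdc
[homes]
   hosts allow = 127.0.0.1
EOF
printf '%s\n' 'swat stream tcp nowait.400 root /usr/local/libexec/swat swat' > "$INETD_CONF"
smb_audit "$GOOD_CONF" && echo "$GOOD_CONF: ok"
smb_audit "$BAD_CONF" || echo "$BAD_CONF: needs attention"
inetd_has_swat "$INETD_CONF" && echo "inetd serves SWAT: the root password crosses the network in the clear"
```

Note that the hosts allow line under [homes] in the second sample does not count: it is a share-level setting, and the audit only looks at [global], just as the howto’s restriction is meant to cover every share.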
Check to see if the Samba daemons started at boot
Type the following command:
ps -x
You should see smbd and nmbd as running processes.
Check for current connections
Of course in our test computer we will not have any connections to the file server, but we can get an idea if Samba is running correctly by typing the following command:
smbstatus
When I typed this, the computer gave me a peculiar error about a “failed locking database”. This is a fairly common thread on the chat pages. Don’t panic, this appears normal on the first attempt. It has to do with the fact that no one has actually attempted to attach to Samba yet.
Try to connect to Samba
Type the following command:
smbclient -L fileserver
It will then ask you for the root password. If you get an error at this point about “NT security”, don’t worry about it yet. It is because you must add the root user to the smbpasswd database, which we will do shortly if it did not occur automatically. Remember, our setup is for domain security and “root” is not an NT account.
Try to type the following command again:
smbstatus
This time the locking database error should not appear. Samba automatically created a locking directory and some files upon the first connection attempt with smbclient. Those were missing and caused the error previously.
Join the fileserver to the domain
So far the Samba server has not participated in any network operations as it does not have a domain account.
At the pdc, use Server Manager to add a computer account for “fileserver” (or whatever yours is called). Select the non-BDC account option.
In DNS Manager, add the appropriate host record for the Samba server. I also added an entry in the Samba server’s hosts file for the pdc as follows:
172.16.38.141 pdc.test.org pdc
The last step is to actually “join” the domain. This transfers some domain SID information that Samba needs for authenticating clients. Type the following command (use your own domain/host names):
smbpasswd -j test.org -r pdc.test.org
Samba should return a confirmation that you have joined the domain.
Connect to Samba with SWAT
From the pdc or another Windows client, launch the internet browser and type in the following URL: http://fileserver:901
SWAT will start on the Samba server and ask for the root account and password. If you have a problem connecting try substituting the Samba server ip address instead of the netbios name in the URL. If that works, you have a WINS conflict to troubleshoot.
Once I got into SWAT, I went to the password section, entered the root account and password and selected the change password option. This was just to confirm that the smbpasswd file matched the OpenBSD password file. After that, running smbclient from the Samba server yielded no errors.
From SWAT, you can go into the status section and restart the Samba daemons whenever you want. If you are hitting roadblocks, it may be because you made changes that need to be assimilated by Samba by restarting those daemons.
Attaching to the fileserver as a domain user
Log on to the domain from the pdc or a Windows NT client and map a network drive to the fileserver.
The first time I logged on as a typical user, there was a pause.
Remember, the first time you log on, there are a number of steps that must be performed by Samba and there is actually no record of your account on the fileserver, neither at the OpenBSD nor at the Samba level. Based on how I have the smb.conf file set up, the following steps occur on the first connection of a user:
- Since we have selected the “security = domain” and “password server” parameters, Samba requests authentication of your account from the domain controller
- Samba then looks for the existence of an OpenBSD account for the user
- Since there is no OpenBSD entry for the user and we have specified the “add user script” parameter, the user account is created on the fly and added to the OpenBSD database
- At this point, there is no password associated with the OpenBSD account, but we have selected the “unix password sync”, “passwd program” and “passwd chat” parameters that will update that information
Subsequent connections were much faster with the above complete.
Note: if you haven’t noticed yet, SWAT is not being encrypted! As I mentioned before, this is not a problem for my test environment, but for a production server I will be looking for a more secure means of remote admin.
Test the password update feature
- Restart the Samba server
- Log out of the pdc and log back on
- Change your NT password
- Map a drive to your personal folder
There are many other considerations, such as security, that are beyond the scope of my project. For many people, including myself, just getting OpenBSD and Samba set up for domain level authentication has been quite a challenge. This is only the first step, but it was a significant learning experience for me and I hope I have saved someone many hours of frustration.