Samba setup


This page describes the Samba setup we use when installing Samba at our clients' sites. It is not a page for newcomers to Samba: if you are new to Samba, we suggest you get a Samba book first, which is what we did! We do not expect anyone to follow our setup verbatim. This page is here as inspiration for other system administrators working on their own Samba setup; it is not pre-packaged software and will probably not work on your system out of the box.

It is written for Debian Etch, and requires Samba 3.x and Ruby 1.8.x to be installed.

The typical Samba setup we install is for very simple environments:

  • One domain
  • One Linux server
  • Windows 2000/XP workstations

The access requirements are always fairly simple and always fall within the following:

  • Roaming profiles are enabled
  • Users have a home directory
  • There can be any number of additional shares
  • Each share must be mounted on a given drive letter at logon
  • The administrator must be able to select which user gets which shares

The setup is therefore fairly simple:

Each share has an associated group (a Unix group and the equivalent NT group), so that only users in that group can access that share (and get it mounted on a drive letter at logon time). All users are in the primary group users (mapped to the NT group Domain Users) and are given one additional secondary group per share they can access. This is done by a Ruby script which generates the netlogon file dynamically, depending on the user's primary and secondary groups.

There is a special group, ntadmin, which is mapped to 'Domain Admins'. Users in that group are Domain Administrators (so they get administrator privileges on all the computers in the domain) and also have the privileges to add/edit/remove users in the domain, as well as to join new machines to the domain.

The administrators can use the Windows NT tool USRMGR.EXE to add/edit/remove users.

The directory setup

The directory setup is as follows:

  • Home folders are in /home
  • Scripts are in /server/scripts
  • Data of deleted users goes in /server/trash
  • Shares are in /server/shares

Some special shares are required:

  • The netlogon share in /server/shares/netlogon
  • The profiles share in /server/shares/profiles

The Samba config file

The first thing is to set up the Samba config file. At the end of it you will see a commented section which acts as a template for new shares. When adding a new share, just copy that section and change as appropriate.

The Scripts

In /server/scripts are the following files:
config.rb
This file contains configuration information for the scripts. You may need to edit this file.

generate_netlogon.rb
This script is used to create the Windows netlogon .bat script for the given user. You will need to edit this script to map the right shares to the right drive letters for the given users. Messages are logged to /var/log/samba/netlogon.log.

utils.rb
Contains functions used by the other scripts. You should not need to edit this file.

adduser.rb
This script is used when adding new users via Samba. It will create the user and its profile directory. Messages are logged to /var/log/samba/adduser.log. You should not need to edit this file.

deluser.rb
This script is used when deleting users via Samba. It moves that user's home directory and profile directories to the trash folder. Messages are logged to /var/log/samba/deluser.log. You should not need to edit this file.
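As an added illustration of how generate_netlogon.rb can map shares to drive letters from the user's primary and secondary groups (this is example code, not the page's own script), the following Ruby builds a user's <username>.bat for the netlogon share. The share table, the server name FILESERVER, the home share being named after the user, and reading group membership through Ruby's Etc module are all assumptions.

```ruby
require 'etc'

# Assumed site-specific table: share => [owning unix group, drive letter].
# This is the part the page says must be edited per site.
SHARES = {
  'accounts' => ['accounts', 'M:'],
  'projects' => ['projects', 'P:']
}
SERVER = 'FILESERVER'          # assumed NetBIOS name of the Linux server
SAFE_NAME = /\A[a-z0-9_-]+\z/  # names end up in a .bat file, so reject anything else

# Primary group plus every secondary group, from the system group database.
def groups_for(user)
  pw = Etc.getpwnam(user)
  groups = [Etc.getgrgid(pw.gid).name]
  Etc.group { |g| groups << g.name if g.mem.include?(user) }
  groups.uniq
end

# Build the <username>.bat contents: H: for the home directory (assumed to be
# shared under the user's name), then one drive per share whose group the user
# belongs to. The mapping is a convenience only; the share's unix group and
# smb.conf still enforce access for users whose script was edited by hand.
def netlogon_script(user, groups, server = SERVER)
  raise ArgumentError, "bad username #{user.inspect}" unless user =~ SAFE_NAME
  lines = ['@echo off', "net use H: \\\\#{server}\\#{user} /persistent:no"]
  SHARES.sort.each do |share, (group, drive)|
    next unless groups.include?(group)
    raise ArgumentError, "bad share name #{share.inspect}" unless share =~ SAFE_NAME
    lines << "net use #{drive} \\\\#{server}\\#{share} /persistent:no"
  end
  lines.join("\r\n") + "\r\n"   # batch files expect CRLF line endings
end

# Write the script into the netlogon share (path from the page's layout).
def write_netlogon(user, dir = '/server/shares/netlogon')
  path = File.join(dir, "#{user}.bat")
  File.open(path, 'w') { |f| f.write(netlogon_script(user, groups_for(user))) }
  path
end
```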

Initial group mapping setup

After setting up the config file, it is necessary to set up the default group mappings. First, create the ntadmin group (as root):

/usr/sbin/groupadd ntadmin

Now create all the default mappings:

net groupmap add unixgroup=nogroup ntgroup="Domain Guests" comment="Domain guests" rid=514
net groupmap add unixgroup=ntadmin ntgroup="Domain Admins" comment="Gives Administrator privileges" rid=512
net groupmap add unixgroup=users ntgroup="Domain Users" comment="Basic user group" rid=513

Add an initial domain administrator:

/usr/sbin/adduser --ingroup users ntadmin
/usr/sbin/adduser ntadmin ntadmin

Finally, give the extra rights to the ntadmin group (where the domain is MYDOMAIN):

net rpc rights grant 'MYDOMAIN\Domain Admins' SeAddUsersPrivilege -Untadmin
net rpc rights grant 'MYDOMAIN\Domain Admins' SeMachineAccountPrivilege -Untadmin

Adding new shares

When adding a new share, you need to:

  • Create the group that will own the share, as well as the corresponding NT group:
    /usr/sbin/groupadd newgroup
    net groupmap add unixgroup=newgroup ntgroup="New Group" comment="Gives access to share newshare"
  • Create the share in /server/shares. Make sure that it belongs to the group:
    mkdir /server/shares/newshare
    chgrp newgroup /server/shares/newshare
  • Create the new share in smb.conf, by copying the template at the end of the file
  • Edit the generate_netlogon.rb script to map the new share as required
  • Reload the Samba configuration:
    /etc/init.d/samba reload
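Added example, not the page's own smb.conf template or scripts: a Ruby helper that renders the stanza for a new group-restricted share under /server/shares and returns the root commands from the steps above as data for review. The stanza settings (valid users, force group, masks) are assumed, and chmod 2770 is an addition to the page's steps, since chgrp alone leaves the directory's default mode in place.

```ruby
SHARE_ROOT = '/server/shares'
SAFE_NAME = /\A[a-z0-9_-]+\z/   # names are written into smb.conf and paths

# Reject anything that could escape the share root or break the config file.
def safe!(name)
  raise ArgumentError, "unsafe name #{name.inspect}" unless name =~ SAFE_NAME
  name
end

# smb.conf stanza for a share only members of one unix group may use.
# "+group" checks the unix group only (no netgroup lookup); force group and
# the masks keep every new file group-owned and not world-readable.
def share_stanza(share, group)
  safe!(share)
  safe!(group)
  [
    "[#{share}]",
    "    comment = #{share}, restricted to group #{group}",
    "    path = #{SHARE_ROOT}/#{share}",
    "    valid users = +#{group}",
    "    force group = #{group}",
    "    create mask = 0660",
    "    directory mask = 0770",
    "    read only = no",
    "    browseable = yes"
  ].join("\n") + "\n"
end

# The root commands for the share as argv arrays (returned, not executed, so
# they can be reviewed or logged first). The setgid bit in 2770 makes files
# created inside the share inherit its group; 0 for "other" keeps non-members
# out at the filesystem level as well as at the Samba level.
def share_setup_commands(share, group, nt_group)
  dir = "#{SHARE_ROOT}/#{safe!(share)}"
  [
    ['/usr/sbin/groupadd', safe!(group)],
    ['net', 'groupmap', 'add', "unixgroup=#{group}", "ntgroup=#{nt_group}",
     "comment=Gives access to share #{share}"],
    ['mkdir', dir],
    ['chgrp', group, dir],
    ['chmod', '2770', dir]
  ]
end
```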

Managing users

Administrators can now use the USRMGR.EXE tool to manage the users from a Windows workstation. This tool can be downloaded here. Note that when using this tool:

  • Usernames must be all lowercase
  • Home directory must be initialised to \<username>
  • Profile directory must be initialised to \Profiles\<username>
  • netlogon script must be initialised to <username>.bat

Once an initial user has been set up, new users can be set up simply by copying the initial user; in that case, only the netlogon script name must be re-initialised.

Todo

We hope you find this Samba install useful; however, it is far from perfect, and here are the things we are planning to do:

  • Put the netlogon script in the home directory so that it is always the same name and does not need to be edited when creating new users
  • Automate the creation of new shares directly from USRMGR.EXE (by creating groups/shares at the same time)