User:Prakashibm

NIS Server configuration

This chapter describes how to configure NIS services on a network. The Network Information Service (NIS) distributes information that needs to be shared throughout a Linux network to all machines on the network.

The information most commonly distributed across a network using NIS consists of user database and authentication information, such as /etc/passwd and /etc/group. If, for example, a user's password entry is shared by all login hosts via the NIS password database, that user is able to log in on all login hosts on the network, that is, on all hosts that are running the NIS client programs. However, user authentication databases are not the only use for NIS: any information that needs to be distributed across the network and that can or should be centrally administered is a viable candidate for sharing via NIS.

Configuring an NIS Server

The simplest NIS configuration consists of a single NIS server and one or more clients. In this case, NIS server configuration involves the following steps:

1. Setting the NIS domain name.

2. Configuring and starting the server daemon, ypserv.

3. Initializing the NIS maps.

4. Starting the NIS password daemon.

5. Starting the NIS transfer daemon if you have slave servers.

6. Modifying the startup process to start the NIS daemons when the system reboots.

Here we are going to configure an NIS server with the following information: the NIS domain name is osm.com, running on the server osm.example.com, which has IP address 192.168.0.1.

Please confirm that name service is working properly and that all the clients can reach the server.

Install the machine with adequate space for /var and /home.

To set up the NIS server, perform the following steps.

1) Install the relevant software:

# yum install ypserv

2) Set the NIS domain name:

# nisdomainname osm.com

Check the NIS domain name:

# nisdomainname

osm.com

3) Edit /var/yp/securenets to permit access to the NIS server only for the specified hosts. The default configuration (0.0.0.0 0.0.0.0) lets every host have access, so change that line to read as follows (netmask first, then network; the loopback line uses a host mask, so it must name 127.0.0.1 exactly):

255.255.255.255 127.0.0.1

255.255.255.0 192.168.0.0
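As an added example (not part of this page), a small Python evaluator for /var/yp/securenets that applies the rule ypserv uses, (client address AND netmask) == network. It shows the step 3 LAN line admitting a 192.168.0.x client and refusing others, and that a loopback line written as 127.0.0.0 under a host mask would refuse 127.0.0.1, which is why the host line must name 127.0.0.1 exactly. The file contents below are constructed for the example.

```python
import ipaddress

# Constructed sample: a /var/yp/securenets file in the format used in step 3
# (netmask, then network, one pair per line; '#' starts a comment).
SECURENETS = """\
# loopback: a host mask, so the network field must be the exact address
255.255.255.255 127.0.0.1
# the 192.168.0.0/24 LAN that the clients live on
255.255.255.0   192.168.0.0
"""

# The same file with the loopback line written as 127.0.0.0 (a common slip).
SECURENETS_BAD_LOOPBACK = SECURENETS.replace("127.0.0.1", "127.0.0.0")


def parse_securenets(text):
    """Return a list of (netmask, network) pairs as integers, ignoring comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mask, net = line.split()
        rules.append((int(ipaddress.IPv4Address(mask)),
                      int(ipaddress.IPv4Address(net))))
    return rules


def client_allowed(rules, client_ip):
    """ypserv's test: a client is served if (client AND netmask) == network
    for at least one line; any other client is refused."""
    ip = int(ipaddress.IPv4Address(client_ip))
    return any(ip & mask == net for mask, net in rules)


def check_file(text, clients):
    """Map each client address to its verdict under the given securenets text."""
    rules = parse_securenets(text)
    return {c: client_allowed(rules, c) for c in clients}


if __name__ == "__main__":
    clients = ["127.0.0.1", "192.168.0.37", "192.168.1.5", "10.0.0.5"]
    print("correct file:", check_file(SECURENETS, clients))
    print("127.0.0.0 loopback line:", check_file(SECURENETS_BAD_LOOPBACK, clients))
```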

4) Make sure that the portmapper is running:

# rpcinfo -p localhost

program vers proto port

100000 2 tcp 111 portmapper

100000 2 udp 111 portmapper

5) Start the primary server daemon, ypserv:

# /etc/rc.d/init.d/ypserv start

Starting YP server services: [OK]

# chkconfig ypserv on

6) Confirm that ypserv is running:

# rpcinfo -u localhost ypserv

program 100004 version 1 ready and waiting

program 100004 version 2 ready and waiting

7) Initialize the NIS maps:

# /usr/lib/yp/ypinit -m

At the prompt for the list of hosts, press Ctrl+D to finish the list, then answer y.

8) Start the password daemon, yppasswdd:

# /etc/rc.d/init.d/yppasswdd start

Starting YP passwd services: [OK]

# chkconfig yppasswdd on

9) Confirm that yppasswdd is running:

# rpcinfo -u localhost yppasswd

program 100009 version 1 ready and waiting

10) Edit /etc/sysconfig/network and add the following line (no spaces around the = sign, since the file is sourced by the shell):

NISDOMAIN="osm.com"

11) Share the home directories using NFS.

Edit the /etc/exports file with the following entry:

/home *(rw,sync)

service portmap restart

service nfs start

chkconfig portmap on

chkconfig nfs on

exportfs -a

Client side configuration

Software required: ypbind, yp-tools, authconfig, authconfig-gtk

Step 1

Make the system a client of the server.

Type the command setup and choose Authentication configuration; there, choose NIS, give the NIS domain name and the NIS server IP, and go to Next.

Please check that it was successful by giving the following commands.

To see the NIS server:

# ypwhich

osm.example.com

To see all the users:

# getent passwd

To see only the NIS users:

# ypcat passwd

Modifying nsswitch.conf

The /etc/nsswitch.conf file lists the order in which lookups for various things are done, such as DNS lookups, user authentication, and the like. To make lookups for user authentication faster, change the following section in this file from:

passwd: files nisplus nis

shadow: files nisplus nis

group: files nisplus nis

To the following:

passwd: nis files nisplus

shadow: nis files nisplus

group: nis files nisplus

The home directories need to be shared from the server with the help of NFS and autofs. In production the home folders will come from a NAS server.

The home directory has to be fetched from the NIS server, so we need some mechanism for accessing it over the network. I prefer autofs for this. Setting up autofs for fetching the home directory:

Edit the /etc/auto.master file with the following entry:

/home /etc/auto.misc

Please remember that our server is osm.example.com, which has IP address 192.168.0.1.

Edit /etc/auto.misc with the following data (the * key matches any user name and & substitutes it into the path):

* 192.168.0.1:/home/&

# service autofs restart

# chkconfig autofs on

Now try to log in as a NIS user and confirm that the user can create files.

Note: if we add users after the NIS server has been created, we need to give the following commands:

# cd /var/yp

# make

Note: Please check that users can log in and that they can create files as well. If you can log in but are not able to touch a file, there is a problem with your autofs entry.

The set of maps can be customized by editing the Makefile under /var/yp.


MTA (Mail Transfer Agent)

Mail Transfer Agent using sendmail.

Mail server details:

SMTP server IP – 192.168.10.50

Here we will discuss how to configure an MTA using the sendmail software. We will also discuss the MDA (Mail Delivery Agent), using dovecot as the default mail receiving agent. In the MDA section we will discuss how to access mail using different protocols such as IMAP and POP3, and how to secure email using self-signed TLS keys (IMAPS and POP3S). Please carefully analyze the network and the domain so that the MTA is specific to the domain. We need a DNS server up and running with a corresponding MX entry for our mail server (MTA).

In all of our documents we will be discussing two networks as given below.

Our network:

Network ID – 192.168.10.0/24

Domain – example.com

Gateway – 192.168.10.1

DNS – 192.168.10.50

Other network:

Network ID – 172.168.0.0/16

Domain – 133net.org

Gateway – 172.168.0.1

Step-by-step approach for configuring the MTA.

Step 1

Here we need to be careful: an MTA can be provided by two packages, sendmail and postfix. It is mandatory to make sendmail the default, using the command:

[root@server4 ~]# alternatives --config mta

There are 2 programs which provide 'mta'.

  Selection    Command
-----------------------------------------------
*+ 1           /usr/sbin/sendmail.sendmail
   2           /usr/sbin/sendmail.postfix

Enter to keep the current selection[+], or type selection number:

At this stage the command stops for a selection. In this case both packages are installed and we can see them numbered 1 and 2. We need to choose 1, as our MTA is sendmail.

Software: sendmail, sendmail-cf, sendmail-doc

Protocol: SMTP

Port number: 25

Main configuration directory: /etc/mail

Confirm that all the RPMs are installed. Otherwise please install all the RPMs using yum. I think all of you know the command…

Step 2, checking for the relevant software

[root@server4 ~]# yum list sendmail sendmail-cf sendmail-doc

Loading "installonlyn" plugin

Loading "rhnplugin" plugin

This system is not registered with RHN.

RHN support will be disabled.

Setting up repositories

Serve 100% |=========================| 951 B 00:00

Reading repository metadata in from local files

Installed Packages

sendmail.i386 8.13.8-2.el5 installed

sendmail-cf.i386 8.13.8-2.el5 installed

sendmail-doc.i386 8.13.8-2.el5 installed

If not installed, please install the software using the following command:

# yum install sendmail sendmail-cf sendmail-doc

Step 3, editing the configuration file /etc/mail/sendmail.mc.

# cd /etc/mail

Edit the sendmail.mc file. I will give the line numbers as well.

Line number 116

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Please put dnl in front of this line, which comments it out. This line restricts sendmail to the loopback address, so commenting it out makes sendmail listen on all interfaces.

Line number 155

LOCAL_DOMAIN(`localhost.localdomain')dnl

Please put dnl in front of this line, which comments it out.

Line number 160

dnl MASQUERADE_AS(`mydomain.com')dnl

Remove dnl from this line and change mydomain.com to example.com, as example.com is my domain.

Step 4, editing the /etc/mail/local-host-names file with your domain names.

Here you need to add example.com.

Now we need to make the changes take effect using the make command.

Note: please check that you are still in the /etc/mail directory while doing this.

[root@server4 mail]# make restart

service sendmail restart

Shutting down sm-client: [ OK ]

Shutting down sendmail: [ OK ]

Starting sendmail: [ OK ]

Starting sm-client: [ OK ]

Step 5, start the sendmail service

[root@server4 ~]# service sendmail restart

Shutting down sm-client: [ OK ]

Shutting down sendmail: [ OK ]

Starting sendmail: [ OK ]

Starting sm-client: [ OK ]


# chkconfig sendmail on

Now we need to check whether the service and its port are up. We can check this using the nmap command. Please observe the output carefully: you can see that smtp on port 25 is up and running.

[root@server4 ~]# nmap 192.168.10.50

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-06-21 23:36 IST

Interesting ports on server1.example.com (192.168.10.50):

Not shown: 1663 closed ports

PORT STATE SERVICE

21/tcp open ftp

22/tcp open ssh

25/tcp open smtp

53/tcp open domain

80/tcp open http

111/tcp open rpcbind

143/tcp open imap

443/tcp open https

631/tcp open ipp

909/tcp open unknown

1023/tcp open netvenuechat

5801/tcp open vnc-http-1

5802/tcp open vnc-http-2

5901/tcp open vnc-1

5902/tcp open vnc-2

6001/tcp open X11:1

6002/tcp open X11:2

Nmap finished: 1 IP address (1 host up) scanned in 0.304 seconds

Note: we need to check whether the service survives a reboot.

[root@server4 ~]# chkconfig --list sendmail

sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off

It needs to be on in the relevant runlevels.

Check that the socket is up for sendmail with the following command, and check that the state is LISTEN.

[root@server4 ~]# netstat -taulpn | grep sendmail

tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 4951/sendmail: acce

Now we need to check whether sendmail is able to resolve your domain name, server machine, etc. Please give the following command and check the output.

[root@server4 ~]# sendmail -d0 < /dev/null

Version 8.13.8

Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG

MAP_REGEX

MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND

NETINET NETINET6

NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP

STARTTLS

TCPWRAPPERS USERDB USE_LDAP_INIT

============ SYSTEM IDENTITY (after readcf) ============

(short domain name) $w = server4

(canonical domain name) $j = server4.example.com

(subdomain name) $m = example.com

(node name) $k = server4.example.com

========================================================

Recipient names must be specified

Now your mail server is ready and we can move on to the MDA configuration. I know you have already fallen asleep, so please wake up…

Mail Delivery Agent (MDA)

Dovecot server IP – 192.168.10.50

Software – dovecot

Relevant protocols – pop3, pop3s, imap, imaps.

Port numbers – pop3 (110), pop3s (995), imap (143), imaps (993).

If you are confused by the port numbers, please use the following commands and observe the output.

[root@server4 ~]# cat /etc/services | grep pop3s

[root@server4 ~]# cat /etc/services | grep pop3

[root@server4 ~]# cat /etc/services | grep -w imap

[root@server4 ~]# cat /etc/services | grep -w imaps

Configuration.

Step 1, install the software

[root@server4 ~]# yum install dovecot

Step 2, edit /etc/dovecot.conf

Line number 17

#protocols = imap imaps pop3 pop3s

This line is commented out by default; choose the protocols that your email client (Outlook, Evolution, etc.) supports. Please uncomment the line or create another entry like it. For example, I am going to configure the imap protocol, so my entry will be like this:

protocols = imap

Step 3, restart the service.

# service dovecot restart

# chkconfig dovecot on

Please check the port number using nmap and confirm it; in the output below it is the 143/tcp imap line.

[root@server4 ~]# nmap 192.168.10.50

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-06-22 00:11 IST

Interesting ports on server1.example.com (192.168.10.50):

Not shown: 1663 closed ports

PORT STATE SERVICE

21/tcp open ftp

22/tcp open ssh

25/tcp open smtp

53/tcp open domain

80/tcp open http

111/tcp open rpcbind

143/tcp open imap

443/tcp open https

631/tcp open ipp

909/tcp open unknown

1023/tcp open netvenuechat

5801/tcp open vnc-http-1

5802/tcp open vnc-http-2

5901/tcp open vnc-1

5902/tcp open vnc-2

6001/tcp open X11:1

6002/tcp open X11:2

Nmap finished: 1 IP address (1 host up) scanned in 0.272 seconds

Please check the socket.

[root@server4 ~]# netstat -taulpn | grep dovecot

tcp 0 0 :::143 :::* LISTEN 5387/dovecot

Please change the SELinux boolean for dovecot by giving the following command.

Step 4, changing the SELinux boolean

# setsebool -P dovecot_disable_trans on

Note that this boolean turns off the SELinux domain transition for dovecot, so dovecot then runs unconfined; treat it as a troubleshooting shortcut rather than a hardening step, and leave it off if dovecot works with SELinux enforcing.

Email client configuration (MUA – Mail User Agent)

Here we will configure Outlook Express, which is on another Windows machine.

Please make sure that all the clients can communicate.

Here the server IP is 192.168.10.50; please take care that I have used the same server for both SMTP and dovecot (IMAP).

Please open Outlook Express from the Start menu, then choose Tools -> Accounts.

Choose Add -> Mail.

Just give any display name; the username is preferred.

As this Outlook is being configured for user user1, we need to give the email address of user1.

Please choose IMAP as the incoming protocol, as we have configured an IMAP server. The other server entries are the same as our server, as both SMTP and dovecot are on the same machine, 192.168.10.50.

Please give the user credentials, i.e. username and password, and click Finish to end the configuration.

Controlling access to the server

The main file we will use is /etc/mail/access. We will see how we can configure and play around with the access file.

Check the /usr/share/doc/sendmail/README.cf file for a description of the format of this file (search for access_db in that file). /usr/share/doc/sendmail/README.cf is part of the sendmail-doc package.

Remember, since /etc/mail/access is a database, after creating the text file as described below you must use makemap to create the database map. For example:

makemap hash /etc/mail/access < /etc/mail/access

Main options we normally use:

OK - Accept mail even if other rules in the running ruleset would reject it, for example, if the domain name is unresolvable. "Accept" does not mean "relay", but at most acceptance for local recipients. That is, OK allows less than RELAY.

RELAY - Accept mail addressed to the indicated domain or received from the indicated domain for relaying through your SMTP server. RELAY also serves as an implicit OK for the other checks.

REJECT - Reject the sender or recipient with a general purpose message.

DISCARD - Discard the message completely using the

Example 1

The table itself uses e-mail addresses, domain names, and network numbers as keys. Note that IPv6 addresses must be prefaced with "IPv6:". For example,

From:spammer@aol.com REJECT

From:cyberspammer.com REJECT

Connect:cyberspammer.com REJECT

Connect:TLD REJECT

Connect:192.168.212 REJECT

would refuse mail from spammer@aol.com, any user from cyberspammer.com (or any host within the cyberspammer.com domain), any host in the entire top-level domain TLD, and the 192.168.212.* network.

Example 2

From:spammer@some.dom REJECT

To:friend.domain RELAY

Connect:friend.domain OK

Connect:from.domain RELAY

From:good@another.dom OK

From:another.dom REJECT

This would deny mails from spammer@some.dom but you could still send mail to that address even if FEATURE(`blacklist_recipients') is enabled. Your system will allow relaying to friend.domain, but not from it (unless enabled by other means). Connections from that domain will be allowed even if it ends up in one of the DNS based rejection lists. Relaying is enabled from from.domain but not to it (since relaying is based on the connection information for outgoing relaying, the tag Connect: must be used; for incoming relaying, which is based on the recipient address, To: must be used). The last two entries allow mails from good@another.dom but reject mail from all other addresses with another.dom as domain part.
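Added example (not sendmail's code, and not part of the original page): a Python model of the access_db lookup order, useful for checking what a table decides for a connecting host, sender and recipient before building it with makemap. The table is constructed from Example 2 plus the network line of Example 1; the model looks up the full key first, then each parent domain (or shorter IPv4 prefix), tagged entries before untagged ones, and does not cover the user@ or IPv6 key forms.

```python
import ipaddress

# Constructed sample access table: the entries of Example 2 above plus the
# network entry from Example 1 (tags are case-insensitive; '#' is a comment).
ACCESS_TABLE = """\
From:spammer@some.dom   REJECT
To:friend.domain        RELAY
Connect:friend.domain   OK
Connect:from.domain     RELAY
From:good@another.dom   OK
From:another.dom        REJECT
Connect:192.168.212     REJECT
"""


def parse_access(text):
    """Return {lowercased key: uppercased verdict}, the content makemap would hash."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip().upper()
    return table


def _candidates(key):
    """Yield lookup keys from most to least specific, following access_db:
    the full address first, then the domain and each parent domain; for an
    IPv4 address the trailing octets are dropped one at a time
    (192.168.212.17 -> 192.168.212 -> 192.168 -> 192)."""
    if "@" in key:
        yield key
        key = key.split("@", 1)[1]
    try:
        ipaddress.IPv4Address(key)
    except ipaddress.AddressValueError:
        labels = key.split(".")
        while labels:
            yield ".".join(labels)
            labels.pop(0)
    else:
        octets = key.split(".")
        while octets:
            yield ".".join(octets)
            octets.pop()


def lookup(table, tag, key):
    """Verdict for one tagged lookup ('Connect', 'From' or 'To'), or None.
    For each candidate key a tagged entry wins over an untagged one."""
    for cand in _candidates(key.lower()):
        for full in (tag.lower() + ":" + cand, cand):
            if full in table:
                return table[full]
    return None


def relay_allowed(table, connect_host, recipient):
    """Relaying needs RELAY on the connecting host (Connect:) or on the
    recipient's domain (To:); OK on either side is not enough."""
    return (lookup(table, "Connect", connect_host) == "RELAY"
            or lookup(table, "To", recipient) == "RELAY")


def sender_blocked(table, sender):
    """True when the envelope sender would be refused or silently dropped."""
    return lookup(table, "From", sender) in ("REJECT", "DISCARD")


if __name__ == "__main__":
    t = parse_access(ACCESS_TABLE)
    print("relay from mail.friend.domain to elsewhere:",
          relay_allowed(t, "mail.friend.domain", "bob@elsewhere.example"))
    print("relay from anywhere to friend.domain:",
          relay_allowed(t, "10.9.8.7", "bob@friend.domain"))
    print("sender other@another.dom blocked:", sender_blocked(t, "other@another.dom"))
```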

Redirecting email from one user to another user.

Configuration file: /etc/aliases

If we need to redirect all the email coming to user1 to user2, we need the following entry.

Edit the file with the following entry:

user1: user2

Please do not forget to give the following command:

# newaliases

Webmail

Until now we were configuring an email client that has a system dependency. Now we will go for an email client that can be accessed from anywhere over the internet. We will use webmail for this.

Software: squirrelmail

Step 1. Install the software.

# yum install squirrelmail

Step 2. Go to the corresponding directory and run the conf.pl script.

# cd /usr/share/squirrelmail/config/

Run the script:

./conf.pl

After running this script we get an interactive menu; please see below.

Here we need to select 2 and configure accordingly. If you choose 2 you will get a menu as below.

Choose 1 to change the domain; in our case it should be example.com.

Choose 3 and change to sendmail.

Choose A; it will lead you to a different prompt, like the one below.

Choose 4 to give the IMAP server; in our case we need to give server4.example.com (192.168.10.50).

Choose 5 to give the port number; in our case it is 143 as it is an imap server.

Step 4, accessing the server from Mozilla.

Please give http://server4.example.com/webmail

Please log in and proceed.

Configuring the ftp server for anonymous users

This allows the default user to log in to the ftp server as user "anonymous". The anonymous user does not require a password; any password will work. This is a default feature.

Step 1: edit the configuration

Open /etc/vsftpd/vsftpd.conf and set anonymous_enable to YES.

Step 2: restart the service

# service vsftpd restart

# chkconfig vsftpd on

Go to another machine and give the following command to access our ftp server. Say the server IP is 192.168.10.20.

[root@server1 ~]# ftp 192.168.10.20

Connected to 192.168.10.20.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.10.20:root):

Here we get a prompt for user authentication; give the username and any password. The password can be anything.

Type the username anonymous and any password; see an example of a successful login below.

[root@server1 ~]# ftp 192.168.10.20

Connected to 192.168.10.20.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.10.20:root): anonymous

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp>

When we log in to an ftp server as an anonymous user we land in the /var/ftp directory of the server. We are then at the ftp prompt, where we have to give ftp commands, not Linux commands. We can type "help" to get the list of commands (see below). When logged in as the anonymous user we can download files but upload is restricted. We can enable upload with some extra configuration, but that configuration will prevent the anonymous user from downloading the uploaded files.

ftp> help

Commands may be abbreviated. Commands are:

! cr mdir proxy send

$ delete mget sendport site

account debug mkdir put size

append dir mls pwd status

ascii disconnect mode quit struct

bell form modtime quote system

binary get mput recv sunique

bye glob newer reget tenex

case hash nmap rstatus trace

ccc help nlist rhelp type

cd idle ntrans rename user

cdup image open reset umask

chmod lcd passive restart verbose

clear ls private rmdir ?

close macdef prompt runique

cprotect mdelete protect safe

Please read this output to get the commands and use them accordingly.

Examples:

get – to download files

put – to upload files

ls – to list files

cd – to change the path on the server

lcd – to change the path on the client, for choosing the download path

bye – to come out of the ftp prompt

See below: when we give the ls command at the ftp prompt it shows the files under the /var/ftp directory of the server.

ftp> ls

227 Entering Passive Mode (192,168,10,20,240,75)

150 Here comes the directory listing.

drwx-wx--- 2 0 50 4096 Jun 14 08:09 incoming

drwxr-xr-x 2 0 0 4096 Jan 17 2007 pub

drwxr-xr-x 2 0 0 4096 Jun 14 07:12 qwe

drwxr-xr-x 2 0 0 4096 Jun 14 07:12 qwe2

drwxr-xr-x 2 0 0 4096 Jun 14 07:12 qwe3

226 Directory send OK.

ftp>

Configuring the ftp server so that the anonymous user can upload files

Step 1

Set the SELinux boolean if SELinux is running.

# setsebool -P allow_ftpd_full_access on

This boolean lets vsftpd read and write any file regardless of its SELinux label. For an anonymous drop box the narrower allow_ftpd_anon_write boolean, together with the public_content_rw_t label on the upload directory, is the tighter choice.

Step 2

Create the directory that we are going to allow uploads to and give it the proper ownership and permissions.

# cd /var/ftp

# mkdir incoming

# chown root:ftp incoming

# chmod 730 incoming

Step 3

Edit and save /etc/vsftpd/vsftpd.conf with the following lines. Please check whether the lines already exist, to avoid a conflict.

anon_upload_enable=YES

chown_uploads=YES

chown_username=daemon

anon_umask=077

# service vsftpd restart

# chkconfig vsftpd on

Configuring the ftp server for normal users

This allows all the normal (local) users to log in to the ftp server. This is a default feature.

Step 1

Uncomment this line and change NO to YES so that all normal users present on the machine get access to the ftp server.

If the entry in the configuration file is NO, all normal users are blocked.

local_enable=YES

Step 2

# service vsftpd restart

# chkconfig vsftpd on

Here I have logged in to the ftp server 192.168.10.50 as user pp

[root@server1 ~]# ftp 192.168.10.50

Connected to 192.168.10.50.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.10.50:root): pp

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

There is some difference from the anonymous login. When we log in as anonymous we are pushed to the /var/ftp directory of the server by default, but when we log in as a normal user we land in the home directory of that user. Remember that when we log in as a user, unlike the anonymous user, we can both upload and download files. That is a default feature.

Blocking a few users from accessing the ftp server

Enter all the users who should be blocked in the file /etc/vsftpd/ftpusers.

Allowing root access

Delete the entry root from the following files and restart the service:

1) /etc/vsftpd/ftpusers

2) /etc/vsftpd/user_list

We can access the ftp server over the internet: open your browser and give the following entry.

Note: if the anonymous user is not enabled, we will not be able to access the web interface without a password.

ftp://server.example.com

where server.example.com is the ftp server host name and that name is resolvable. We can use the IP address also.


SAMBA

Samba has mainly the following important uses:

1. As a domain controller

2. As a file server

Samba

Samba provides 1) file and 2) print services. It allows data transfer between Linux boxes and Windows boxes. Samba uses the SMB protocol to communicate with Windows.

Important daemons in Samba

smbd (139/445, cifs)

nmbd (137/138)

winbindd - mapping of users [ADS]


Installing and configuring a Samba server

If you have a yum server configured, execute the following steps. Otherwise find the required RPMs.

# yum install samba*

The following packages will be installed:

xinetd [dep]

samba

samba-client

samba-swat

Start the samba service.

# /etc/init.d/smb start

SMB services started

NMB services started

# chkconfig smb on

Important fields in /etc/samba/smb.conf [the Samba configuration file]:

When you use a Samba server there is one important thing you have to note, and that is in the configuration file. In the global settings there is a "workgroup" field. There you have to give the domain name if your Windows machine belongs to one, or the workgroup name if it belongs to one. For sharing files and folders a workgroup is enough.

You can make the above change on Windows also, but it requires rebooting the Windows machine, so it is better to change the corresponding field on the Linux box. There is also another field, "server string", in the global settings. It is just like a hostname; you can give any name by which you can identify the Samba box.

The field "hosts allow" specifies the hosts which are allowed to use the particular share. See the examples below (smb.conf comments go on their own line, starting with # or ;).

# allow 192.168.0.21 only
hosts allow = 192.168.0.21

# allows all the machines in the 192.168.0. network
hosts allow = 192.168.0.

The field "write list" specifies the users or groups who have write permission on that share. For example:

# the group admins has write permission on that share
write list = @admins

The field "valid users" means that only the users specified have access to that share.

valid users = root, samba1
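Added example, not part of the original page and not Samba's own code: a Python checker that reads a constructed smb.conf share and answers whether a user, connecting from a given address, is denied, limited to reading, or allowed to write, applying the hosts allow, valid users, write list and read only fields as described above. Only the exact-address and trailing-dot prefix forms of hosts allow are modelled.

```python
# Constructed sample smb.conf with the fields explained above: a share that is
# restricted by hosts allow, valid users and write list. Comment lines start
# with '#' or ';'; smb.conf does not accept a comment after a value.
SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba File Server

[admindocs]
   path = /srv/admindocs
   ; one exact host plus every address starting with 10.1.1.
   hosts allow = 192.168.0.21 10.1.1.
   valid users = root, samba1, @admins
   write list = @admins
   read only = yes
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}; parameter
    names are lowercased with inner whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def _names(value):
    """Samba lists are separated by spaces or commas; @group names a group."""
    return set(value.replace(",", " ").split())


def _in_list(names, user, groups):
    return user in names or any("@" + g in names for g in groups)


def _host_allowed(host_list, client_ip):
    """'hosts allow' as used above: an exact address, or a prefix ending in
    '.' that must match the start of the address (192.168.0. = that /24)."""
    for entry in host_list.split():
        if entry.endswith(".") and client_ip.startswith(entry):
            return True
        if entry == client_ip:
            return True
    return False


def share_access(conf, share, client_ip, user, groups=()):
    """Return 'denied', 'read' or 'write' for user (a member of groups)
    connecting from client_ip to the named share."""
    s = conf[share]
    if "hosts allow" in s and not _host_allowed(s["hosts allow"], client_ip):
        return "denied"
    if "valid users" in s and not _in_list(_names(s["valid users"]), user, groups):
        return "denied"
    if "write list" in s and _in_list(_names(s["write list"]), user, groups):
        return "write"            # write list overrides read only
    writable = s.get("writable", s.get("writeable"))
    if writable is not None:      # writable = yes is the inverse of read only
        return "write" if writable.lower() == "yes" else "read"
    return "read" if s.get("read only", "yes").lower() == "yes" else "write"


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for ip, user, groups in [("192.168.0.21", "samba1", ()),
                             ("192.168.0.22", "samba1", ()),
                             ("10.1.1.7", "root", ("admins",)),
                             ("10.1.1.7", "bob", ())]:
        print(ip, user, "->", share_access(conf, "admindocs", ip, user, groups))
```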


Some useful commands

# findsmb

The findsmb command returns the systems running Samba-compatible services.

# smbtree

smbtree is an SMB browser program in text mode. It is similar to the "Network Neighborhood" found on Windows computers. It prints a tree with all the known domains, the servers in those domains and the shares on the servers.

To log in anonymously to a Windows box, if enabled:

[root@vm1 ~]# smbclient //192.168.0.77/Share_name -N

Anonymous login successful

[root@vm1 ~]# smbclient -L 192.168.0.77 [192.168.0.77 is a Windows box]

This binds to Windows as the guest user; you have to enable the guest user login. It shows the domains and workgroups but not the shares. To see the shares you have to log in as a privileged user.

[root@vm1 ~]# smbclient -L 192.168.0.77 -U administrator

This binds to Windows as administrator. You can see all the shares on the system. It will prompt for the password.


Using a Samba credential file

Using a credential file you can save time. The format of the file and its usage are given below. Since the file holds a plaintext password, keep it readable by its owner only (mode 0600).

# vi samba_password

username = administrator

password = ******

:wq

[root@vm1 ~]# smbclient -L 192.168.0.77 -A samba_password


smbget

smbget is a wget-like utility for downloading files over SMB.

[root@vm1 ~]# smbget -u administrator -p redhat smb://192.168.0.77/chanku/samba_sambaget.txt

This downloads samba_sambaget.txt to the local system. A password given with -p is visible in the process list and in the shell history; the credential-file approach shown above avoids that.

smbtar

smbtar is a shell script for backing up SMB/CIFS shares directly to UNIX tape drives or directories.

[root@vm1 ~]# smbtar -s 192.168.0.77 -u administrator -p redhat -t chanku.tar -v -x chanku

It will archive all the files and directories in the share "chanku" and download them to the local directory.

Empty files will not be archived.


Mounting a Windows share on a Linux box

[root@vm1 ~]# mount -t cifs -o username=administrator //192.168.0.77/chanku /mnt

This mounts the remote Windows share //192.168.0.77/chanku on the local Linux Samba machine at /mnt.

smbfs - RHEL 4

cifs - RHEL 5, Common Internet File System

File masks and directory masks

[root@vm1 ~]# mount -t cifs -o username=administrator,file_mode=0777,dir_mode=0755 //192.168.0.77/chanku /mnt

This will mount the share with file permissions 777 and directory permissions 755.

Mounting Samba permanently

Go to /etc/fstab and add the entry for the samba share as shown below (one line):

//192.168.0.77/chanku /mnt cifs defaults,username=administrator,password=redhat,file_mode=0777,dir_mode=0755 0 0

Because /etc/fstab is world-readable, a password written there is exposed to every local user; the credentials= mount option pointing at a mode 0600 file keeps it private.

[For a Windows machine and a Samba server to communicate smoothly, they should be in the same workgroup]


Adding a Samba user

# useradd username

# smbpasswd -a username   # for adding the samba user

# smbpasswd -e username   # for enabling that user

Give and verify the password for username.


Configuring a WINS client for Samba

This speeds up the resolution of NetBIOS names to IP addresses.

Samba name resolution:

Default order

1. /etc/hosts

2. /etc/samba/lmhosts

3. WINS - one or more IP addresses

4. Broadcast 192.168.0.255


Steps in Windows

Installation:

Control Panel -> Add/Remove Programs -> Add/Remove Windows Components -> Networking Services -> Windows Internet Name Service -> Install

Configuration:

Start -> Administrative Tools -> WINS. Check!

Control Panel -> Network Connections -> Local Area Connection -> Properties -> TCP/IP -> Advanced -> WINS tab

Add the WINS server IP: the IP of the Windows machine which we use as the WINS server.

Display the records after restarting the smb service on the Linux box [steps below] and click Find Now.


Steps in Linux

vi /etc/samba/smb.conf

name resolve order = wins host lmhosts bcast

wins support = no

wins server = 192.168.0.60

# service smb restart

Now when we execute

# smbclient -v -U administrator -L linuxcbt2k3

it gives the result fast, because instead of using a broadcast search it uses the WINS server for resolution.

-v is for verbose, to check whether it is still using the broadcast method.


Share-level security

The default is user level. We can change it in the smb.conf file as

security = user

or

security = share

Share-level security ties access to a per-share password rather than to a user account, so prefer user level unless a share is genuinely meant to be public.

In the /etc/samba/smb.conf file:

[public]

path = /public

public = yes

read only = yes

"public = yes" is to enable guest user mounts from Windows.

In the output of testparm:

[public]

path = /public

guest ok = Yes


SAMBA - SWAT

SWAT - Samba Web Administration Tool

SWAT installation

# yum install samba-swat

vi /etc/xinetd.d/swat

# default: off
# description: SWAT is the Samba Web Admin Tool. Use swat \
#              to configure your Samba server. To use SWAT, \
#              connect to port 901 with your favorite web browser.
service swat
{
        # change the 'yes' to 'no'
        disable = no
        port = 901
        # stream means tcp based
        socket_type = stream
        wait = no
        # if not commented out, accessible only from localhost; increases security
#       only_from = 127.0.0.1
        # in order to bind the privileged port 901
        user = root
        server = /usr/sbin/swat
        log_on_failure += USERID
}

:wq

SWAT logs you in with the root password sent over plain HTTP, so keep only_from = 127.0.0.1 active (and reach SWAT through an SSH tunnel) unless the network is trusted.

# service xinetd restart


SWAT interface

Take any browser and give the following URL in the address bar:

http://IP_of_samba_server:port_number_of_swat[901]

http://192.168.0.21:901

Samba log files can be found in

/var/log/samba


NetBIOS aliases

Setting an alias:

Access the global section in SWAT, go to advanced mode, and fill in the netbios aliases field [give names].

Now you can access the machine under many names.

Blocking a particular user from accessing a share

Go to SWAT and take the shares section, go to advanced mode, choose the share you want to modify, and in the invalid users field give the usernames you want to block, separated by commas.

Restart the service:

# service smb restart


SAMBA PDC [Primary Domain Controller]

A Samba PDC is used for centralized authentication and domain control of Windows operating systems. Here we will set up a Samba PDC machine with domain name lap.work and create some users. Then we will check whether these users are able to log in to this domain from different machines.

Samba PDC Machine:

rhel 5.4

IP : 192.168.0.25

Windows Client:

Windows XP Professional

Computer Name : lap-xp

Domain Name : lap.work

IP : 192.168.0.26

Installation:

Install samba packages:

[root@sambapdc ~]# yum install samba*

Configuration:

Open the samba configuration file and make the following edits.

[root@sambapdc ~]# vim /etc/samba/smb.conf

Uncomment or edit the lines as shown below (annotations are on their own comment lines, since smb.conf does not accept a comment after a value).

In global settings:

# domain name
workgroup = lap.work
# like a host name, just to identify the server
server string = Samba PDC Server
# netbios name for communication
netbios name = samba
local master = yes
preferred master = yes
domain master = yes
domain logons = yes
# profile entry
logon path = \\%L\Profiles\%U
security = user
passdb backend = tdbsam

In share definitions:

[homes]
browseable = yes
writable = yes

[netlogon]
path = /home/netlogon
writable = no

[Profiles]
path = /home/profiles
create mask = 0755
directory mask = 0755
# must be set, else you will get ACCESS DENIED errors
writable = yes

Now create the following directories:

[root@sambapdc ~]# mkdir -m 1777 /home/profiles

[root@sambapdc ~]# mkdir -m 1777 /home/netlogon

Attaching a Windows machine:

Now create a group named machine and add a user with the name of the Windows client followed by $ (the machine trust account):

[root@sambapdc ~]# groupadd -g 200 machine

[root@sambapdc ~]# useradd -d /dev/null -g 200 -s /sbin/nologin lap-xp$

where lap-xp is the name of the machine we are attaching to the Samba PDC.

[root@sambapdc ~]# smbpasswd -m -a lap-xp

Start the samba service:

[root@sambapdc ~]# service smb start

[root@sambapdc ~]# chkconfig smb on

Run testparm and test your configuration settings:

[root@sambapdc ~]# testparm

Add root user to sambausers

[root@sambapdc ~]# smbpasswd -a root

[root@sambapdc ~]# smbpasswd -e root

Add two more users for testing:

# useradd user1

# smbpasswd -a user1

# smbpasswd -e user1

# useradd user2

# smbpasswd -a user2

# smbpasswd -e user2

[root@sambapdc ~]# service smb restart

On the Windows machine:

- Right-click the My Computer icon

- Take Properties

- Take the Computer Name tab

- Add the system to the lap.work domain

You will be prompted for a username and password. Give root and its password.

- The system may need to restart.

- You can see that when we log in as user1, a directory user1 is created in /home/profiles on the Samba PDC machine. This will be the home directory of that user. He will be able to log in from all machines in this domain and will get this same directory.