University of Munich / Department of CS (Informatik) / Communication Systems
TechNote / Networking: Integration of WinNT and Unix
Project: MNM / Fopra
Author: Alexej Kupin
Date: 30/11/99
Description:
This document describes my experience with Samba and shows you step by step
how to install, set up and use Samba, both as a file server and as a PDC.
You will find many solutions here (e.g. NIS password synchronisation,
server-stored profiles, etc.).
Additionally this report gives you an overview of the existing solutions
for integrating Windows and Unix systems in one LAN.
It is impossible to say which of the described solutions is the best,
because it depends on your existing environment.
Contents
0) Conclusion(Let's start from the end!)
a) My Project
b) Management in Windows/Unix mixed environment
c) Why use Samba
1) Overview of existing solutions
(for integration of Windows & Unix-systems in one LAN.)
a) Terminal Server solution
b) WinNT-Server as PDC
c) Unix-DC(NIS/YP) with WinNT-Clients
d) NFS/SMB-Gateway(Samba as Fileserver)
e) Samba as PDC on NIS-DC
2) Install Samba
a) Get Samba source
b) Build Samba
c) Problems
3) Configure Samba
a) smb.conf
b) start smbd/nmbd
c) smbclient
d) netlogon
e) Printing
f) Problems
4) Samba NT Domain PDC support
a) Setup Samba as PDC
b) User profiles(Roaming profiles)
c) Password synchronisation:Samba-Unix
d) About passwords & security
e) Problems
0) Conclusion
a) My Project:
My task was to integrate WinNT/95 clients into an existing UNIX network.
For my environment I chose Samba as PDC on a NIS-DC (see below).
I have maintained this project for over one year.
I frequently updated Samba and tried all versions from V2.0.0 to V2.0.6.
For testing it runs on Linux (SuSE 6.0), for production on HP-UX 10.20.
My primary goal was:
to find an easy way to configure and administer a
WinNT-Unix mixed environment (e.g. one password system!).
Additionally: the existing NIS system should be the master for accounts.
At the end of the project the Samba choice was a success,
although remote administration with Samba is still in the future...
b) Management in Windows/Unix mixed environment
I found that there is no ideal solution for the integration of Windows and
Unix systems in a LAN. You have to choose between complex
user administration and complex software configuration
(for distributed software or remote administration).
Additionally you have to choose which of the systems will dominate
(domain master: WinNT-PDC or Unix-DC; file system: Win-SMB or Unix-NFS).
Problem: for managing Windows clients you will need tools
which expect WinNT as PDC. If you have WinNT as PDC you
will have more than one user management system,
because the password systems are not compatible.
It is impossible to say which of the described solutions is the best,
because it depends on your existing environment.
c) Why use Samba:
i) In many cases there is already a Unix network and we want to
add some WinNT/95/98 clients in order to give users access to the "MS world"...
ii) It seems that the Samba solution doesn't require any additional software installation
on a WinNT client which is joining the UNIX network!
Keep in mind:
Samba as PDC runs on Unix, while WinNT as PDC does not!
That means you can use Unix goodies (like scripts, rlogin) with a Samba PDC.
Example:
In the worst case we have 3 password systems (NIS/YP & WinNT-PDC & smbpasswd)!
Samba-PDC solution:
No WinNT server as PDC (-> only NIS & SMB passwords left).
Samba does "one way" password synchronisation (Win->Unix) via "smbpasswd".
Synchronise NIS & SMB passwords (-> only one user password left).
You can use a "symbolic link" or "alias" to let "passwd" point to "smbpasswd" too!
Samba pros:
Samba is freely available
Samba is a good NFS/SMB gateway -> good as file server (to mount home dirs)
Samba can be a PDC for your Win clients and replace an expensive WinNT PDC.
Samba cons:
remote administration with Samba is still in the future
PDC functionality is not completely implemented (RPC calls)
Samba documentation is not well organized and updated
(This is the reason why I am placing this document on the Web)
1) Overview of existing solutions
(for integration of Windows & Unix-systems in one LAN.)
a) Terminal Server solution
Note: This is not a "real" system integration, because both systems
exist independently.
i) Unix terminal on WinNT (e.g. "Exceed")
Emulation of a Unix terminal on a WinNT workstation
ii) Windows NT Terminal Server
Emulation of a WinNT desktop on a Unix workstation
Description:
Resource sharing: none (file sharing via FTP)
Configuration: separate WinNT & UNIX user accounts & software
Administration: maintenance of two independent systems
Links:
Exceed software: from Hummingbird Communications Ltd.
Windows Terminal Server: from Microsoft
b) WinNT-Server as PDC
Note: WinNT Server as PDC (Primary Domain Controller)
+ WinNT Services AddOn Pack for Unix
+ WinNT Services AddOn Pack for Administration (Zero Administration Kit)
Description:
Resource sharing: yes (file system = NFS)
Configuration: one way password synchronisation (WinNT->Unix)
Administration: via ZAK (Zero Administration Kit) is possible...
Links:
DiscShare software: from Intergraph.
AddOn Packs: from Microsoft
c) Unix-DC(NIS/YP) with WinNT-Clients
Note: NIS/YP server as DC (Domain Controller)
+ each WinNT client uses client software to accept NFS & NIS passwords
Description:
Resource sharing: yes (file system = NFS)
Configuration: one password system (NIS/YP).
Administration: a copy of the WinNT partition makes it easy to restore a WinNT workstation!
Links:
Free software (NISGINA):
from Nigel Williams
Business software (Chamaleon32NFS):
from NetManage
d) NFS/SMB gateway (Samba as file server)
Note: WinNT Server as PDC (Primary Domain Controller) for Win clients
+ NIS/YP server as DC (Domain Controller) for Unix clients.
+ Samba server exporting the NFS file systems via SMB (and smbpasswd for checking NIS passwords)
Description:
Resource sharing: yes (file system = NFS/SMB)
Configuration: in the worst case 3 password systems (NIS/YP & WinNT-PDC & smbpasswd)!
Administration: via ZAK (Zero Administration Kit) is possible...
Links: SMB server Samba
e) Samba as PDC on NIS-DC
Note: Samba server as PDC (Primary Domain Controller) for Win clients
+ NIS/YP server as DC (Domain Controller) for Unix clients.
Note the difference from d): Samba as PDC, not WinNT Server as PDC!
Description
Resource sharing: yes (file system = NFS/SMB)
Configuration: fancy, but works!
Administration: a copy of the WinNT partition makes it easy to restore a WinNT workstation!
Links: just read ahead!
2) Installation of Samba
Caution! If you are going to use Samba you have to think twice before you start to work with it!
Before you get the Samba source and before you start the installation procedure,
you need to be sure what you want to use Samba for (e.g. Samba as PDC or just as file server?)
and what your current environment is
(e.g. do you have "NIS/YP", are you using "automount" or "shadow passwords"?).
I will try to describe the installation procedure step by step.
Your first step is the most important: get the right Samba source!
a) Get Samba source
If you are reading Samba's mailing list for the first time,
you will easily get confused with names like "HEAD version",
"CVS source", "NT_DOM branch" and so on...
The truth is that there is more than one Samba version:
Official Samba release version (currently 2.0.6),
which you can download directly from the Samba server (people say: "ftp" or "http" version)
Current working version,
which you can download via the CVS system
(people say: "HEAD version", "CVS source", "NT_DOM branch");
this version has some "branches" for special requirements (like PDC support).
If you aren't careful you will download the "ftp version" and you may not
realize until days later that you are working with the "wrong" version of Samba!
(Example: "Why does User/Domain Manager respond with: RPC call exception?")
Anyway, what you really want to know is how to get the right version:
Official Samba release:
you can download it directly with your web browser (via ftp or http).
This version makes Samba a file server (e.g. NFS/SMB gateway) and additionally you
can use it as logon server or profile server for your Windows clients.
Current working version: you can access it via CVS, see http://cvs.samba.org/cvs.html
For example, to download the latest Samba domain controller source code:
Obtain a recent copy of the cvs client binary (available from ftp://download.cyclic.com/pub/).
Then run the following command: cvs -d :pserver:cvs@samba.org:/cvsroot login
When you are prompted for a password, enter 'cvs' without the quotes.
Then run the command: cvs -d :pserver:cvs@samba.org:/cvsroot co samba
To update your source code later, run inside the checked-out directory: cvs update -d -P
However you've gotten your copy of Samba, now you need to install it properly.
The second step is as important as the first: installation options!
In the original Samba documentation you can find:
"first run the program ./configure in the source directory.
This should automatically configure Samba for your operating system.
If you have unusual needs then you may wish to run ./configure --help
to see what special options you can enable. Then type "make". This will create the binaries."
The truth is, every Unix system is unusual!
Before running "./configure":
check your environment and then run ./configure --help
Examples of what is "unusual", see below:
NIS+ or PAM password database
if your system uses "automount"
if your system uses AFS, DFS or SSL support
and more...
PS: You may need to make ./configure executable:
(chmod +x ./configure)
Before running "make", "make install":
In the Samba mailing list you can find expressions like this:
"We have to compile the Samba suite with -Wshadow"
The truth is, you may need some options for the make procedure.
It means you may need to set some environment flags like:
export CFLAGS="-g -Wall -Wshadow" or export LDFLAGS="-lnls"
(Note the quotes: with a space after "=" the shell sets an empty variable and tries to run "-g" as a command.)
Be aware that -Wshadow is a gcc warning option (it warns when a local variable
shadows another one) and has nothing to do with shadow passwords; ./configure
detects shadow password support on its own, so check its output instead of
adding a flag for it.
At this point it is impossible to say if you need some flags for your environment.
Unfortunately I didn't find any documentation about it...
You may wish to run "make --help" to see the make options.
- The make procedure can stop with an error message...
(For example some of the C libraries weren't available on the system.
Solution: I copied those libraries from the distribution pack.)
- The make procedure stops without messages or never stops
(Well, it was funny: my local date was 1989,
and that caused this behaviour! It may happen on your system after Y2K?!)
3) Configuration of Samba
The configuration of Samba is done in the smb.conf file.
Here you put all necessary parameters.
The configuration depends on your environment and what you use Samba for.
There are many documents which describe the settings for this file, but
my goal is to show you some examples:
First few steps
Setup smbpasswd/smbclient
Setup simple netlogon
Setup printer
Setup Samba as PDC
Setup roaming profiles
Setup password-synchronisation
About passwords & security
First few steps:
First you have to create your smb.conf file,
or copy "smb.conf.default" from ./examples to your ./lib.
I suggest you make a copy of "smb.conf.default" and change it:
Main section: [global] Samba server global or default parameter settings
workgroup = YourGroup
server string = YourSambaServer
hosts allow = 127.198.245. localhost  (plus any other host or network you want to allow)
security = user
encrypt passwords = yes
; If there are problems -> try "security = share" and "encrypt passwords = no"
Other sections: each describes a shared resource (known as a "share")
[homes] is used for services which connect clients to their home directories.
For this first example we want to try "smbclient //yourhostname/user -U user"
[homes]
guest ok = no
read only = no
[netlogon] is used for logons to the shared directory (e.g. to connect to the software archive)
[profiles] is used for server-stored profiles (roaming profiles).
There you set the options of the profiles share.
[printers] is used to connect to any printer specified in the local
host's printcap file. This share MUST be printable (i.e. printable = yes)
After you're done editing smb.conf you may test it with ./testparm
For the first time it will be easy for you to start Samba with:
/usr/local/samba/bin/smbd -D
/usr/local/samba/bin/nmbd -D
(You may create a start script for this action)
To stop it, send a kill signal to the nmbd and smbd processes.
Now we can test Samba with: "smbclient //yourhostname/user -U user"
The first time, run everything as root!
Generate the smbpasswd file from your /etc/passwd file:
cat /etc/passwd | mksmbpasswd.sh > /usr/local/samba/private/smbpasswd
For NIS use:
ypcat passwd | mksmbpasswd.sh > /usr/local/samba/private/smbpasswd
This creates valid users but no passwords (the hash fields are filled with X) -> create a user password with:
smbpasswd username
Set permissions of /usr/local/samba/private (owner root):
chmod 500 /usr/local/samba/private
Set permissions of the smbpasswd file in the private directory (owner root):
chmod 600 smbpasswd
Then enable the user:
./smbpasswd -e username
Finally you can log in to Samba:
./smbclient //yourhostname/user -U user
Problems so far...
Once we can log on to Samba with "smbclient", we can try a netlogon from a Windows client.
You can of course use the share from the last example, but let us define a netlogon share:
"//yourhostname/netlogon", which is defined in the [netlogon] section.
NOTE: If you use "plain" passwords, you have to set the Windows client to send "plain" passwords.
Get more information about "passwords" & "security" here
Create an account on the Unix box for the Win PC (MACHINE$ account)
For example: my WinPC name is Apollo13, then for passwd use:
UserID=Apollo13$
password=apollo13
NOTE: Password = name of machine in lowercase! (This is the SMB trust password that
"smbpasswd -a -m" sets; the Unix password field of the account can stay locked.)
Add this account to smbpasswd:
./smbpasswd -a -m Apollo13$
./smbpasswd -e Apollo13$
Enable the [netlogon] section in smb.conf:
[netlogon]
comment = Network Logon Service
path = /usr/local/samba/lib/netlogon
guest ok = Yes
You may need to create the directory specified in the netlogon share:
../samba/lib/netlogon
At this point I restarted Samba and then the WinPC.
Then you may check if the netlogon share is available:
./smbclient //yourhostname/netlogon -U user
Finally you can log in to Samba from your Windows PC:
Explorer->Connect Drive:
path=\\yourhostname\netlogon
user= valid user
You may want to mount your home dir from your Windows PC (last example):
Explorer->Connect Drive:
path=\\yourhostname\user1
user=user1
Problems so far...
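The two account steps above (building smbpasswd from /etc/passwd or NIS, and creating the Unix account for the workstation) as one script. This is an added example, not a script from this note or from the Samba distribution: it re-implements the output format of Samba 2.0's mksmbpasswd.sh in awk, skips system accounts below a chosen UID (my choice; mksmbpasswd.sh converts every line, root included), and all names, UIDs and the group id are made up.

```shell
#!/bin/sh
# Added example (not from this note or the Samba distribution).
# Re-implements the output of Samba 2.0's mksmbpasswd.sh and builds the
# /etc/passwd line for a workstation trust account. All names, UIDs and
# the GID used below are made up.

# passwd_to_smbpasswd [MIN_UID]: read passwd(5) lines on stdin, write
# smbpasswd(5) lines. Format (Samba 2.0.x):
#   user:uid:LM-hash:NT-hash:[flags]:LCT-<hex last change time>:
# Both hash fields are filled with X, i.e. no usable password yet, and the
# account is flagged U (normal user). Accounts below MIN_UID (default 100)
# are skipped - my choice; mksmbpasswd.sh converts every line, root included.
passwd_to_smbpasswd() {
    min_uid="${1:-100}"
    awk -F: -v min="$min_uid" '
        NF >= 3 && $3 + 0 >= min + 0 {
            printf("%s:%s:%s:%s:[U          ]:LCT-00000000:\n", $1, $3,
                   "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
                   "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX")
        }'
}

# machine_passwd_line NAME UID GID: passwd(5) entry for the MACHINE$ account.
# The Unix password is locked (*): the SMB trust password is set separately
# by "smbpasswd -a -m NAME$" (Samba sets it to the machine name in lowercase).
machine_passwd_line() {
    printf '%s$:*:%s:%s:Windows workstation %s:/dev/null:/bin/false\n' \
        "$1" "$2" "$3" "$1"
}

# Constructed passwd data for a dry run; not a real system file.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
user1:x:500:100:Test User:/home/user1:/bin/sh
user2:x:501:100:Second User:/home/user2:/bin/sh'

main() {
    # Real use: ypcat passwd | passwd_to_smbpasswd > /usr/local/samba/private/smbpasswd
    printf '%s\n' "$SAMPLE_PASSWD" | passwd_to_smbpasswd 100
    # Real use: append this line to /etc/passwd (or use useradd), then
    #   smbpasswd -a -m Apollo13$ ; smbpasswd -e Apollo13$
    machine_passwd_line Apollo13 1001 101
    # Then, as root: chmod 500 /usr/local/samba/private
    #                chmod 600 /usr/local/samba/private/smbpasswd
}
main
```

If your distribution rejects the "$" in the user name (see the problems list below), write the line from machine_passwd_line into /etc/passwd by hand; smbpasswd itself has no problem with the trailing "$".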
If you enable the print share, Samba will receive the file
from the PC and pass it to an external "print command".
Which print command you use depends on your environment.
Printing parameters (in the [global] section):
load printers = yes
print command = lpr -r -P%p %s
lpq command = lpq -P%p
lprm command = lprm -P%p %j
printer name = "your printer"
printer driver =
printer driver location =
printer driver file = /usr/local/samba/lib/printers.def
printcap name = /etc/printcap
Then you need to enable the [printers] section:
[printers]
path = /usr/local/samba/printer
public = yes
writable = no
browseable = yes
printable = yes
Configure your printer:
it is well described in the original Samba documentation:
printing
You may need to install the driver for your specific printer.
It is well described in the original Samba documentation:
driver
Please note: at this point many things can cause problems;
it depends on your environment, your OS, your Samba version.
Many solutions can be found on the samba mailing list.
Here are the problems which I had and some from the Samba docs:
"Network is not available"
-> basic network problems (try ping!)
"BAD password...."
-> check the user|machine account in passwd|smbpasswd (the user needs to be enabled!)
smbclient works fine, but you can't log in from the Win client
-> check if your Win client is using the NetBEUI protocol; if yes -> remove/disable it!
You can connect to Samba, but you can't disconnect
-> look in the mailing list, there you will find a couple of reasons/solutions
Some Unix/Linux distributions dislike "$" in the user name
-> create UserID=MyWinPC and add the "$" manually in passwd!
4) Samba NT Domain PDC support
Note: Samba as PDC works only with encrypted passwords, and
you also need to set "security = user" in your smb.conf.
Additionally check your
version of Samba (PDC support is only in the CVS source, see "Get Samba source" above)
First you need to create a MACHINE$ account for each Windows PC
(see the description above).
Tell the workstations to use Samba as their PDC:
set "domain logons = yes" in your smb.conf
At this point I restarted Samba and then the WinPC.
Then you may check if your home share is available:
./smbclient //yourhostname/user -U user
Now you need to tell the WinPC to use Samba as domain controller:
in the Network Settings, change the domain to "YourGroup"
(which is taken from smb.conf: workgroup = YourGroup)
You should get the message: "Welcome to the YourGroup Domain."
If you don't, then check again all steps above and see also
Problems so far...
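The smb.conf this chapter builds up, written out in one piece together with a check of the [global] preconditions named above (security = user, encrypt passwords = yes, domain logons = yes). This is an added example, not a configuration from this note or from the Samba documentation: the parameters "domain master", "preferred master", "local master" and "os level" are not mentioned in the text; they are what the Samba NT_DOM documentation sets so that the server registers as domain controller and wins the browser election. Host, workgroup and paths are the placeholders used in the text.

```shell
#!/bin/sh
# Added example (not from this note or the Samba documentation): write the
# smb.conf for Samba 2.0.x as PDC that this chapter builds up, and check
# the [global] preconditions before starting smbd/nmbd. Host, workgroup
# and paths are placeholders taken from the text.

# write_pdc_conf FILE: the PDC configuration. "domain master", "preferred
# master", "local master" and "os level" are not named in the text above;
# they are the values the Samba NT_DOM documentation uses so that the
# server registers as domain controller and wins the browser election.
write_pdc_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = YourGroup
   server string = YourSambaServer
   hosts allow = 127.198.245. 127.0.0.1
   security = user
   encrypt passwords = yes
   smb passwd file = /usr/local/samba/private/smbpasswd
   domain logons = yes
   domain master = yes
   preferred master = yes
   local master = yes
   os level = 65
   logon path = \\%N\Profiles\%U

[homes]
   comment = Home directories
   guest ok = no
   read only = no
   browseable = no

[netlogon]
   comment = Network Logon Service
   path = /usr/local/samba/lib/netlogon
   guest ok = yes
   writable = no

[Profiles]
   comment = Roaming profiles, stored in the user's home directory
   path = /home
   writable = yes
   browseable = no
   create mask = 0600
   directory mask = 0700
EOF
}

# global_value FILE PARAM: value of PARAM in [global], lower-cased; empty if
# unset. Whitespace in the parameter name is ignored, as smbd does.
global_value() {
    awk -v want="$2" '
        BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(key) == want) { print tolower(val); exit }
        }' "$1"
}

# check_pdc_conf FILE: print each unmet PDC requirement, return 1 if any.
# Only the literal value "yes" is accepted here (smbd also takes true/1).
check_pdc_conf() {
    rc=0
    for req in "security=user" "encrypt passwords=yes" \
               "domain logons=yes" "domain master=yes"; do
        param="${req%%=*}"; want="${req#*=}"
        have="$(global_value "$1" "$param")"
        if [ "$have" != "$want" ]; then
            echo "smb.conf: need '$param = $want', have '${have:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

main() {
    tmp="${TMPDIR:-/tmp}/smb.conf.$$"
    write_pdc_conf "$tmp"
    if check_pdc_conf "$tmp"; then
        echo "PDC preconditions met; next: testparm $tmp, then smbd -D and nmbd -D"
    fi
    rm -f "$tmp"
}
main
```

Run check_pdc_conf against the smb.conf from the "first few steps" (security = share, encrypt passwords = no) and it lists all four missing settings; that is exactly the configuration with which the workstation never gets "Welcome to the YourGroup Domain".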
Let's say you can log in to your Samba PDC;
now you may want to set up server-stored profiles.
b) Roaming profiles
First you need to choose:
i) one standard profile for everyone (without profile updates)
ii) one profile for each user (with/without profile updates)
iii) mixed solution
(for example students (standard) / staff (individual) profiles)
Then you need to choose where to store the remote profile:
i) in a profile directory on the Samba machine
ii) in every user's home dir
iii) on a separate profile server machine
For my environment I chose:
- one profile for each user
- the user is allowed to modify their profile (= profile updates)
- the profile is stored in the user's home dir
PS: I tested it only with WinNT clients; see more details on Win95
here
On the WinNT client (you have to be a local Administrator!):
Note: You may want to make the "root" user an Administrator on each WinPC.
See the Samba documentation for more details
here
Create a standard profile locally (for the first logon)
via: Programs->Administrative Tools->User Manager->New User
Copy the local profile to the remote profile on the Samba machine
via: Settings->System->User Profiles->Change Type->copy/remote
On the Samba machine (you have to be root!):
In smb.conf
enable the [Profiles] section:
if you want profiles in the user home directory: path = /home
if you want profiles in a separate "profiles" directory:
path = /usr/local/samba/profiles (+ you have to create it!)
set writable = yes (= profile updates allowed)
In the [global] section:
set logon path = \\%N\Profiles\%U
Note: You may want to use a per-user or per-machine logon script
(because of the CR/LF line endings: write this script under Windows and then copy it to Unix!)
Distribute the standard profile to all users:
you can write a "distribute to all" script or
a "user's first logon" script for this job!
Otherwise, just copy it by hand...
Note:
Do not forget to change protection/ownership
of the user profile dirs, NTUSER.DAT (or USER.DAT),
and "username".pds to the user!
If it doesn't work, then check again all steps above and see also
Problems so far...
Samba offers a "one way" synchronisation for the passwords (Samba->Unix)
[global] parameters:
(in your smb.conf file)
unix password sync = yes|no
passwd program = (path + your passwd or yppasswd program)
passwd chat = (I/O syntax of your passwd program)
Settings:
(passwd for root on the Samba machine)
unix password sync = yes
passwd program = /bin/passwd %u
passwd chat = *pass* %n\n *pass* %n\n *suc*
The trick: "two way" password synchronisation
Once you have set up the "one way" synchronisation for the passwords (see above),
you can use a "symbolic link" or "alias" to let "passwd" point to "smbpasswd"!
Problem: it works only for user "root" on the Samba machine.
If you are using NIS or you are not "root" this won't work,
because passwd or yppasswd requires the old password in plaintext.
With SMB encryption (see below) Samba never receives the old plaintext password
over the network, so it cannot hand it to passwd/yppasswd and the change will fail...
Solution: NIS-Samba password synchronisation
Run Samba on your NIS machine
Use passwd+make instead of yppasswd for your password program
On Unix clients let passwd/yppasswd point to the local smbpasswd client;
in this case your "passwd" (run by "root") won't ask you for the old password.
The disadvantage of "passwd" is the make procedure which must be run after each passwd,
but you can run it automatically if you add the "make" command to the "passwd program" parameter!
(PS: please check that your make program does not create a temporary passwd file.
To verify this: if you can change a test user's password (using passwd+make) twice -> you are fine)
Last step: the smbpasswd client can do remote authentication.
On each Unix client let passwd/yppasswd point to the local smbpasswd program, and for the smbpasswd
program you need to set the location of your Samba password server (your Samba/NIS master).
See the smbpasswd documentation for more details.
Examples
My settings (for HP-UX 10.20)
unix password sync = yes
passwd program = /bin/passwd %u; make /var/yp/passwd
passwd chat = *pass* %n\n *pass* %n\n *updated* *pushed*
Other settings (for SunOS 5.5)
unix password sync = yes
passwd program = /bin/passwd -r files %u; cd /var/yp; make passwd
passwd chat=*New/spass:* %n\n *new/spass:*%n\n*updated/spas*.*pushed/spass*
My settings (for local Linux SuSE)
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *pass* %n\n *pass* %n\n *suc*
More examples you can find in the Samba NT_DOM mailing list
If it doesn't work, then check again all steps above and see also
Problems so far...
(Some of this information I found in the Samba documentation)
[global] parameters:
security = share|user|server (in most cases = user)
encrypt passwords = yes|no (in most cases = yes)
Settings:
For plain passwords (I've tested it, it works fine):
security = share
encrypt passwords = no
each Windows client has to be set up to send plain passwords
See the Samba documentation for more information.
For Samba PDC support:
security = user
encrypt passwords = yes
otherwise it won't work!
Problem:
The Unix scheme typically sends clear text passwords over the network
when logging in. This is bad.
The SMB encryption scheme never sends the cleartext password over the
network, but it does store the 16 byte hashed values ("password equivalents"!)
on disk. This is also bad: whoever can read smbpasswd can authenticate
to the SMB server as any of those users without knowing a single password.
Note:
Windows NT 4.0 Service Pack 3 changed the default for permissible
authentication so that plain passwords are *never* sent over the wire.
You will find that it is easy to use Samba with "encrypt passwords = yes".
For password synchronisation see the chapter above.
Advantages of SMB encryption:
- plain text passwords are not passed across the network. Someone using
a network sniffer cannot just record passwords going to the SMB server.
- WinNT doesn't like talking to a server that isn't using SMB
encrypted passwords. It will refuse to browse the server if the server
is also in user level security mode. It will insist on prompting the
user for the password on each connection, which is very annoying.
The only thing you can do to stop this is to use SMB encryption.
Advantages of non-encrypted passwords:
- password equivalents (the hashes) are not kept on disk.
- uses the same password file as other Unix services such as login and ftp
- you are probably already using other services (such as telnet and ftp)
which send plain text passwords over the net, so not sending them
for SMB isn't such a big deal.
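Because the hashes in smbpasswd are password equivalents, the file deserves the same audit as /etc/shadow. The script below is an added example, not from this note or from Samba: it checks the file mode and lists enabled accounts that have no usable password (the NO PASSWORD marker or the X-filled entries that mksmbpasswd.sh writes) and any uid 0 entry. The sample file is constructed and its hashes are made-up hex, not real password hashes.

```shell
#!/bin/sh
# Added example (not from this note or Samba): audit an smbpasswd file for
# the risk described above. The stored LM/NT hashes are password
# equivalents, so the file must be readable by root only, and any enabled
# account without a real password is an open door. The sample file below is
# constructed; its hashes are made-up hex, not real password hashes.

# audit_smbpasswd FILE: print one finding per line; return 1 if any.
audit_smbpasswd() {
    f="$1"; rc=0
    # File mode: group and other must have no access at all (chmod 600).
    perms="$(ls -l "$f" | cut -c2-10)"
    case "$perms" in
        rw-------|r--------) ;;
        *) echo "$f: mode is $perms, want rw------- (chmod 600)"; rc=1 ;;
    esac
    # Entry format (Samba 2.0.x): user:uid:LM-hash:NT-hash:[flags]:LCT-xxxxxxxx:
    # Flags: U user, W workstation trust account, D disabled, N no password.
    while IFS=: read -r user uid lm nt flags lct rest; do
        case "$user" in ''|'#'*) continue ;; esac
        case "$flags" in *D*) continue ;; esac   # disabled: cannot be used
        if [ "$uid" = "0" ]; then
            echo "$user: uid 0 entry - this hash grants SMB access as root"; rc=1
        fi
        nopw=0
        case "$flags" in *N*) nopw=1 ;; esac
        case "$nt" in 'NO PASSWORD'*) nopw=1 ;; esac
        if [ "$nopw" = 1 ]; then
            echo "$user: enabled with NO PASSWORD"; rc=1
        elif [ "$nt" = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" ]; then
            echo "$user: enabled but password never set (as written by mksmbpasswd.sh)"; rc=1
        fi
    done < "$f"
    return $rc
}

# Constructed sample; the hex strings are not real hashes.
SAMPLE_SMBPASSWD='#
# SMB password file (constructed sample; hashes are not real)
#
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
user1:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3845A8E1:
user2:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
guest:502:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
olduser:503:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[DU         ]:LCT-00000000:
Apollo13$:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[W          ]:LCT-3845A8E1:'

main() {
    tmp="${TMPDIR:-/tmp}/smbpasswd.sample.$$"
    printf '%s\n' "$SAMPLE_SMBPASSWD" > "$tmp"
    chmod 644 "$tmp"          # deliberately too open, to show the finding
    audit_smbpasswd "$tmp" || echo "(real file to audit: /usr/local/samba/private/smbpasswd)"
    rm -f "$tmp"
}
main
```

On the sample the audit reports the file mode, the root entry (twice: uid 0, and never set), user2 and guest; olduser is skipped because it is disabled, and the trust account Apollo13$ passes. Run it as root against the real file after every "mksmbpasswd.sh" import.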
Please note: at this point many things can cause problems;
it depends on your environment, your OS, your Samba version.
Many solutions can be found on the samba mailing list.
Here are the problems which I had and some from the Samba docs:
Win client can't find the Samba PDC
-> check if your Win client is using the NetBEUI protocol; if yes -> remove/disable it!
Win client message: unable to update remote profile
-> the client time is not synchronized (use: net time \\MyPDCserver /set /yes), or
the logon path is not writable and browsable by the current user
(the user needs permission/ownership of his profile files!)
No remote profile found
-> check if logon path & path in [Profiles] are set correctly
and are writable and browsable by the user
"username".pds file is not available!
Last Modified: 30.11.99
1999 Alexej Kupin