Guenther Deschner <guenther@deschner.de>
Last Update: 21.07.2001
Well, sorry for the long silence. I just had no time. A lot has happened meanwhile (TNG 2.6.1, Samba 2.2.1a) and this page really has to be updated...
To do this I decided to switch over to DocBook, which seems just perfect to maintain this small piece of documentation. So come back in some weeks, I have to learn SGML first :)
Don't expect to find anything new here...
Please note that this HOWTO is not finished yet and that it applies to highly experimental features of developer code.
Use at your own risk! Feedback and help are welcome.
23.03.2001
Cosmetics and some more stuff about ip-aliases on Solaris (thanks to Larry Austin).
21.03.2001
There are scripts for Solaris now. Thanks to Sardar Azari. There will be (hopefully) a new section about the clientside configuration later...
18.03.2001
After the first edition of this small HOWTO was written, I (surprisingly) received a lot of feedback about it. Well, this made me decide to write much more and to make it more like a real HOWTO. I will try to be less Linux-specific and I'm planning to write more about TNG and NT in general.
Unfortunately my spare time will be very limited in the next weeks, so every help is welcome! Expect to find much more in here soon...
Very often you wish to have the opportunity to log Win2k/NT boxes onto an NT-like Primary Domain Controller (PDC). The Samba Team is working on several code branches to allow Samba to perform as a PDC. Since the PDC features of the latest stable Samba version (2.0.7) are quite limited (Win2k will never log on without several tricks) and the next stable Samba version (2.2) hasn't left its early alpha status yet, you should use Samba - The Next Generation (TNG). TNG was forked from the main branch in October 2000 and offers the most complete PDC features and sophisticated process management. On the other side: TNG is not optimized as a file server. For the purpose of high-performance file serving you should use the Samba HEAD branch. HEAD will one day become Samba 3.0, where PDC features and superior file performance will finally be merged together...
This short overview raises the question: fine, I'd like to have TNG's PDC features but HEAD's file performance. How can I benefit from both? The answer is quite simple: just start two Samba servers on one single machine. This is quite easy, since Unix-like operating systems allow you to have IP aliases on your network interfaces. Then you just start two Sambas bound to different IP addresses. TNG will take care of the domain stuff while HEAD will perform the dirty job of file serving.
To make visual what we are planning to do, I made this graphic:
This document assumes that you know about unix-networking in general and Samba in particular.
I wrote a small script that gets the latest sources of both TNG and HEAD, compiles and installs them. To be on the cutting edge of Samba development you could easily make a cron job that updates your setup every night (which is in fact a very, very bad idea for production environments, unless you don't mind phone calls at six in the morning).
It can be downloaded from here: dual_samba.tar
This script was initially written for SuSE 7.0/7.1 platforms, so adapt it yourself if necessary.
Meanwhile there are scripts for other Unixes available:
BSD: Chris Lee made a modified script for BSD (tested on FreeBSD). You'll find it here: dual_samba_bsd.tar.
Solaris: Sardar Azari made scripts for Solaris (tested on Solaris 2.5.1 and Solaris 8). Get the archive here: dual_samba_sol.tar.gz.
#!/bin/bash
#
# script to generate and update a dual samba configuration:
# tng for domain stuff and head for file-performance
#
# ### warning: only tested on SuSE 7.0/7.1 !!! ###
# there's a bsd-version (kindly provided by Chris Lee)
#
# comments to guenther deschner (guenther@deschner.de)

tng_dst="/usr/local/samba-tng"
head_dst="/usr/local/samba-head"
tng_dir="/usr/src/packages/SOURCES/samba-tng"
head_dir="/usr/src/packages/SOURCES/samba-head"
startpwd=$(pwd)
tng_log="$startpwd/tng.$(date +%Y-%m-%d).log"
head_log="$startpwd/head.$(date +%Y-%m-%d).log"

#want start-up-scripts? (only tested with SuSE 7.0 and 7.1!!)
STARTUP="YES"

if test -e /etc/SuSE-release; then
    suse=$(grep VERSION /etc/SuSE-release | sed s/[A-Z,=,.,\ ]//g)
    if test $suse -lt 71; then
        init_dir="/sbin/init.d"
        init_head="samba-head"
        init_tng="samba-tng"
    else
        init_dir="/etc/init.d"
        init_head="samba-head-7.1"
        init_tng="samba-tng-7.1"
    fi
else
    echo -e "Hm. Assuming that /sbin/init.d is your init-dir...\n"
    init_dir="/sbin/init.d"
    # not SuSE: fall back to the pre-7.1 names and layout, so the startup
    # section below does not run with empty variables
    suse=70
    init_head="samba-head"
    init_tng="samba-tng"
fi

#general
########

#am i root?
test $(id -u) != 0 && echo "Sorry, you're not root..." && exit 1

#check dirs
for i in $tng_dir $head_dir; do
    test -d $i && echo -e "Ok. Directory $i is there\n" || (echo -e "Creating directory $i\n"; mkdir -p $i)
done

#get latest sources, compile and install them
#############################################

### tng ###
###########

cd $tng_dir || exit 1
if test -d tng; then
    echo -e "Updating cvs-tree for SAMBA TNG\n"
    cvs -z3 -d :pserver:anoncvs@anoncvs.dcerpc.org:/home/vhosts/samba-tng.org/cvsroot co tng 2>&1 | tee $tng_log
else
    echo -e "Starting cvs-login. Please enter password \"anoncvs\"\n"
    cvs -d :pserver:anoncvs@anoncvs.dcerpc.org:/home/vhosts/samba-tng.org/cvsroot login
    cvs -z3 -d :pserver:anoncvs@anoncvs.dcerpc.org:/home/vhosts/samba-tng.org/cvsroot co tng 2>&1 | tee $tng_log
fi

echo -e "Start compiling TNG-sources:\n"
cd $tng_dir/tng/source || exit 1
./configure --prefix="$tng_dst" --with-smbmount --with-profile --with-quotas 2>&1 | tee -a $tng_log
(make 2>&1 || (make clean; make 2>&1)) | tee -a $tng_log
(make install) 2>&1 | tee -a $tng_log
test -f $tng_dst/private/smbpasswd || ( echo -e "Creating missing files for TNG\n"; mkdir -p $tng_dst/private; touch $tng_dst/private/smbpasswd; chmod 600 $tng_dst/private/smbpasswd) 2>&1 | tee -a $tng_log

### head ###
############

cd $head_dir || exit 1
if test -d samba; then
    echo -e "Updating cvs-tree for SAMBA HEAD\n"
    cvs -z5 -d :pserver:cvs@pserver.samba.org:/cvsroot co samba 2>&1 | tee $head_log
else
    echo -e "Starting cvs-login. Please enter password \"cvs\"\n"
    cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login
    cvs -z5 -d :pserver:cvs@pserver.samba.org:/cvsroot co samba 2>&1 | tee $head_log
fi

echo -e "Start compiling HEAD-sources:\n"
cd $head_dir/samba/source || exit 1
./configure --prefix="$head_dst" --with-smbmount --with-profile --with-quotas 2>&1 | tee -a $head_log
(make 2>&1 || (make clean; make 2>&1)) | tee -a $head_log
(make install) 2>&1 | tee -a $head_log
test -f $head_dst/private/smbpasswd || ( echo -e "Creating missing files for HEAD\n"; mkdir -p $head_dst/private; touch $head_dst/private/smbpasswd; chmod 600 $head_dst/private/smbpasswd) 2>&1 | tee -a $head_log

### startup scripts ###
#######################

if test $STARTUP = "YES"; then
    echo -e "Copying startup-scripts\n"

    # tng
    test -x $init_dir/$init_tng || ( echo -e "Creating init-script for TNG\n"; cp $startpwd/$init_tng $init_dir/; chmod 755 $init_dir/$init_tng) 2>&1 | tee -a $tng_log
    grep -q "SMB_TNG" /etc/rc.config || ( echo -e "Creating rc.config-entry for TNG\n"; echo -e "#\n#Start Samba TNG? (\"yes\" or \"no\")\n#\nSTART_SMB_TNG=\"yes\"" >> /etc/rc.config) 2>&1 | tee -a $tng_log

    # head
    test -x $init_dir/$init_head || ( echo -e "Creating init-script for HEAD\n"; cp $startpwd/$init_head $init_dir/; chmod 755 $init_dir/$init_head) 2>&1 | tee -a $head_log
    grep -q "SMB_HEAD" /etc/rc.config || ( echo -e "Creating rc.config-entry for HEAD\n"; echo -e "#\n#Starting Samba HEAD? (\"yes\" or \"no\")\n#\nSTART_SMB_HEAD=\"yes\"" >> /etc/rc.config) 2>&1 | tee -a $head_log

    # both
    echo -e "Creating runlevel-links and rc-shortcuts\n"
    for i in $init_tng $init_head; do
        if test $suse -lt 71; then
            ln -sf ../$i $init_dir/rc2.d/S20$i
            ln -sf ../$i $init_dir/rc2.d/K20$i
            ln -sf ../$i $init_dir/rc3.d/S20$i
            ln -sf ../$i $init_dir/rc3.d/K20$i
        else
            ln -sf ../$i $init_dir/rc3.d/S10$i
            ln -sf ../$i $init_dir/rc3.d/K14$i
            ln -sf ../$i $init_dir/rc5.d/S10$i
            ln -sf ../$i $init_dir/rc5.d/K14$i
        fi
        ln -sf $init_dir/$i /usr/sbin/rc$i
    done

    # switch off the old single samba in rc.config; the temporary copy lives
    # in root-only /etc, not in world-writable /tmp under a predictable name
    rctmp=/etc/rc.config.tmp.$$
    sed s/"START_SMB=\"yes\""/"START_SMB=\"no\""/gI /etc/rc.config > $rctmp
    mv $rctmp /etc/rc.config
    echo -e "Don't forget to shutdown eventually running sambas with something like \"rcsmb stop\".\n"
fi
Download and untar it with:
tar xvf dual_samba.tar
Execute the script (on older machines you may want to get some coffee meanwhile...).
Now the sources will be installed under /usr/src/packages/SOURCES/samba-tng and /usr/src/packages/SOURCES/samba-head.
The binaries are now at /usr/local/samba-head and /usr/local/samba-tng.
The script installs init.d scripts called samba-tng and samba-head.
Now that we have the latest code compiled and installed, there's still a good deal of configuration to do:
In this document we assume that you have a Linux machine with one IP address for your internal network on eth0. Wherever I can, I will try to provide information for other Unixes.
In our example:
TNG should listen on 192.168.44.45 / 255.255.255.0, while
HEAD should listen on 192.168.44.55 / 255.255.255.0.
We call our domain "office" and give
TNG the netbios-name "samba-tng" and
HEAD the netbios-name "samba-head".
Generally it would be a very good idea to add your NetBIOS names to your DNS. At least add entries to your /etc/hosts. Ask your local Unix guru if you're not familiar with DNS. Expect heavy problems without working name resolution.
Linux: Now we need an alias on our network card. On Linux platforms the following should do it (tested with 2.2 and 2.4 kernels):
ifconfig eth0:0 192.168.44.55 broadcast 192.168.44.255 netmask 255.255.255.0 up
BSD: If you find yourself on a BSD platform, you'll need to find out the id of your interface/driver, something like fxp0 for an Intel EtherExpress Pro 100. Others are dc0, el0, etc. So please replace [eth] with the correct id.
ifconfig [eth]0 alias 192.168.44.55 broadcast 192.168.44.255 netmask 255.255.255.0
Solaris: (thanks to Sardar Azari and Larry Austin)
The setup varies for different versions, platforms and hardware.
First, find out your interface with:
ifconfig -a
Your output could look like this:
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
le0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 192.168.44.45 netmask ffffff00 broadcast 192.168.44.255
        ether 7:76:76:e1:20
In this case, your interface name is "le0". In the next examples we use "hme0".
Solaris 2.5.1/2.6/7:
The syntax is basically: ifconfig <device>:<logical interface number> <ip-address> up
Here's one example:
ifconfig hme0:1 192.168.44.55 up
Solaris 8:
Here the syntax is basically: ifconfig <device> addif <ip-address[/bits]> up
And an example:
ifconfig hme0 addif 192.168.44.55/24 up
TNG's smb.conf
Here is a sample smb.conf for TNG. Either copy it from the archive or create it with:
vi /usr/local/samba-tng/lib/smb.conf
just copy/paste...
#sample TNG's smb.conf
[global]
    bind interfaces only = true
    interfaces = 192.168.44.45 127.0.0.1
    netbios name = samba-tng
    workgroup = office
    security = user
    domain logons = yes
    encrypt passwords = yes
    logon home = \\samba-head\%U
    logon path = \\samba-head\profiles\%U

[netlogon]
    path = /whereever/your/netlogon/path/is

First we want TNG to listen only on the specified interfaces. I added localhost because some people reported problems with user accounting if TNG is not listening on 127.0.0.1. We don't need the Domain Master Browser and Local Master Browser parameters because their default value is "yes". Note that we even let HEAD share the profiles. Thomas Winkler reported a performance gain with huge profiles in larger environments. Well, adapt the paths...
HEAD's smb.conf
Here is a sample smb.conf for HEAD. Create with:
vi /usr/local/samba-head/lib/smb.conf
and copy/paste:
# sample HEAD's smb.conf
[global]
    bind interfaces only = true
    interfaces = 192.168.44.55
    netbios name = samba-head
    workgroup = office
    security = domain
    domain logons = no
    encrypt passwords = yes
    password server = samba-tng
    os level = 20
    domain master = no
    preferred master = no
    local master = no

[profiles]
    path = /whereever/your/profile/path/is

[sample-share]
    path = /tmp
Note that security on HEAD is switched to "domain" to pass all user- and password-checks over to the password-server (TNG).
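As an added check (not part of the original HOWTO), this shell snippet parses both smb.conf files and confirms that each one has "bind interfaces only" switched on and that their "interfaces" lists share no address, so the two Sambas can never fight over the same IP and port. The two configs are constructed inline from the samples above; conf_value and check_dual_conf are helper names of my own.

```shell
#!/bin/sh
# Sanity check for a dual-samba setup: both daemons must bind only to their
# own interfaces, and no address may appear in both "interfaces" lists.
# The two smb.conf files below are constructed for a self-contained run.

TNG_CONF=$(mktemp); HEAD_CONF=$(mktemp)
cat > "$TNG_CONF" <<'EOF'
[global]
    bind interfaces only = true
    interfaces = 192.168.44.45 127.0.0.1
    netbios name = samba-tng
EOF
cat > "$HEAD_CONF" <<'EOF'
[global]
    bind interfaces only = true
    interfaces = 192.168.44.55
    netbios name = samba-head
EOF

# conf_value FILE KEY -> prints KEY's value from the [global] section
# (keys are matched case-insensitively, comments and other sections skipped)
conf_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && index($0, "=") > 0 {
            k = tolower($0); sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v
            }
        }' "$1"
}

# check_dual_conf TNG_SMBCONF HEAD_SMBCONF
# returns 0 when both bind only to their interfaces and share no address
check_dual_conf() {
    for f in "$1" "$2"; do
        bio=$(conf_value "$f" "bind interfaces only" | tr 'A-Z' 'a-z')
        case "$bio" in
            true|yes|1) ;;
            *) echo "$f: 'bind interfaces only' must be true"; return 1 ;;
        esac
    done
    for a in $(conf_value "$1" "interfaces"); do
        for b in $(conf_value "$2" "interfaces"); do
            if [ "$a" = "$b" ]; then
                echo "both configs list $a; the two sambas would collide"; return 1
            fi
        done
    done
    return 0
}

check_dual_conf "$TNG_CONF" "$HEAD_CONF" && echo "dual config looks consistent"
```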
Now start your Sambas with:
rcsamba-tng start
rcsamba-head start
Please note that the ifconfig alias is set up in the HEAD startup script, so you have to change the IP alias there! The default init.d script assumes that you use 192.168.44.55 as well...
You should now create a unix-group for all the machines you're going to integrate into your domain. Personally I prefer the group-name "machines". Take whatever you like. On Linux type:
groupadd machines
useradd -g machines -s /bin/false SAMBA-HEAD$
/usr/local/samba-tng/bin/samedit -S . -U root createuser SAMBA-HEAD$
/usr/local/samba-head/bin/smbpasswd -j office
Should I remind you that you always have to create your users as local Unix users first, before you can add or use them as Samba users?
/usr/local/samba-tng/bin/samedit -S . -U root createuser testuser -p password
Finally test your sample-user on TNG and on HEAD
/usr/local/samba-tng/bin/samedit -S . -U root ntlogin 'office\testuser' password
(the single quotes keep the shell from swallowing the backslash in office\testuser)
For some odd reason, you might get a negative result. If the second test works, you can ignore it. #fixme!
/usr/local/samba-head/bin/smbclient //samba-head/sample-share -U testuser
If you get a "smb>"-prompt you're done! (well almost...)
Voila. Enjoy HEAD's high-performance file-serving with TNG's PDC-features !
Now you can start to create your shares, tune your configuration, make it a safe setup (!), configure your clients, etc.
Now that we have the basics done for our dual Samba, it's time to have a closer look at TNG's PDC features:
Usually, logon-scripts consist of ordinary dos-batch-commands, most often used to map network-drives, adjust the time and maybe start some programs.
Please make sure that you have
logon script = %U.bat
time server = yes
in TNG's [global]-section of smb.conf.
The *.bat-file must have a dos-like carriage return / line feed in each line. Either create it from a dos-box or use tools like unix2dos. Here's an example (taken from David Bannon's 2.2-PDC-Howto):
net time \\samba-tng /set /yes
@echo off
if %OS%.==Windows_NT. goto WinNT
:Win95
net use k: \\samba-head\test-share
net use p: \\samba-head\homes
start /m winpopup
goto end
:WinNT
net use k: \\samba-head\test-share /persistent:no
net use p: \\samba-head\homes /persistent:no
:end
Save this file as testuser.bat in //samba-tng/netlogon. To be on the safer side, make it read-only (!) for testuser.
To allow TNG to automatically create and store your users profiles (and to create the necessary directories), do:
chmod 1700 /whereever/your/profile/path/is
Policies do work. Just do it like David Bannon described it in his PDC-FAQ. The two approaches:
NT,2k:
If you don't have an NT Server CD, get an NT Service Pack (it works for 2k as well, believe me).
Extract it using servicepackname /x (don't install it!!)
Copy common.adm, winnt.adm to c:\winnt\inf
Use poledit.exe (from the servicepack) to edit your policy
Save your policy, make it readable to all your users (NOT writable!) and copy it to //samba-tng/netlogon as ntconfig.pol
9x:
Take your Installation-CD and look in the Resource Kit, there you'll find poledit.exe and the default policies.
Save your policy as config.pol, make it readable to all your users (NOT writable!) and copy it to //samba-tng/netlogon
They do work in read-mode. AFAIK write-access is planned. The tools come with the NEXUS-package.
9x: Download the NEXUS-package from here.
NT/2k: And here's a NT-version that works on 2k as well: here.
TNG provides several mappings of UNIX-Users/Groups to NT-Users/Groups:
Create the necessary files with:
cd /usr/local/samba-tng/private/
touch domaingroup.map domainuser.map
chmod 600 domaingroup.map domainuser.map
Inform TNG's smb.conf about the .map-files:
# Mapping of Unix users/groups to NT users/groups
# These files take the form unix_group="NT group"
domain user map = /usr/local/samba-tng/private/domainuser.map
domain group map = /usr/local/samba-tng/private/domaingroup.map
Here are some examples:
domaingroup.map
You can grant (Samba)-members of a unix-group administration rights on NT/2k by mapping the relevant group to "Domain Admins".
admin="Domain Admins"
users="Domain Users"
lp="Print Operators"
Another approach would be just to map members of the group "root" to have administration rights: root="Domain Admins"
domainuser.map
While domaingroup maps groups, domainuser just maps users. If we want root to be the Administrator on a NT/2k, just make:
root=Administrator
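Added example, not part of this HOWTO: a small validator for the map-file format shown above (unix_name="NT name") that also checks that the Unix side really exists, because a typo in the group you map to "Domain Admins" either silently drops the mapping or hands administrator rights to the wrong group. The map and group files are constructed inline; validate_map is an assumed helper name.

```shell
#!/bin/sh
# Validate a TNG domaingroup.map / domainuser.map before pointing smb.conf
# at it: every line must be unix_name="NT name" (quotes optional when the NT
# name has no spaces) and the Unix name must exist in the given group/passwd
# file. The files below are constructed for a self-contained run.

GROUP_FILE=$(mktemp); MAP_FILE=$(mktemp)
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
admin:x:100:guenther
users:x:101:
lp:x:7:
EOF
cat > "$MAP_FILE" <<'EOF'
# same format as the domaingroup.map shown in the HOWTO
admin="Domain Admins"
users="Domain Users"
lp="Print Operators"
wheel="Domain Admins"
staff=Domain Users
EOF

# validate_map MAPFILE NAMEFILE
# NAMEFILE is an /etc/group or /etc/passwd style file (name in field 1).
# Prints one diagnostic per bad line; returns the number of bad lines.
validate_map() {
    map=$1; names=$2; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac            # blank / comment
        case "$line" in *=*) ;; *) echo "$map:$n: no '=' in: $line"; bad=$((bad + 1)); continue ;; esac
        unix=${line%%=*}; nt=${line#*=}
        # unix side: a plain account/group name; nt side: quoted, or unquoted without spaces
        if ! printf '%s\n' "$unix" | grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]*$' \
           || ! printf '%s\n' "$nt" | grep -Eq '^("[^"]+"|[^" ]+)$'; then
            echo "$map:$n: malformed line: $line"; bad=$((bad + 1)); continue
        fi
        if ! cut -d: -f1 "$names" | grep -qxF "$unix"; then
            echo "$map:$n: unix name '$unix' not found in $names"; bad=$((bad + 1))
        fi
    done < "$map"
    return $bad
}

validate_map "$MAP_FILE" "$GROUP_FILE"; echo "bad lines: $?"
```

With the constructed input this reports the unknown group "wheel" and the unquoted "Domain Users" and returns 2; run it against the real files with /etc/group or /etc/passwd as NAMEFILE.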
To be written...
In general it is not a very good idea. Although we pointed our CVS Sambas to write their files into separate folders, HEAD at least copies (on Linux) the smbmount binaries over 2.0.7's (/sbin/mount.smbfs). There is a good chance that other problems occur. Feedback welcome!
BSD:
You need a line like this in /etc/rc.conf. Adapt fxp0 to your network/driver-id. I do not have BSD here, so I can't tell you how exactly this has to be done.
ifconfig_fxp0_alias0="inet 192.168.44.55 broadcast 192.168.44.255 netmask 255.255.255.0"
Solaris:
You can use static configuration files with the following syntax:
/etc/hostname.<physical device>:<logical interface number>.
Examples: /etc/hostname.hme0:1, /etc/hostname.hme0:2.
Inside the files you should have either the ip address of the interface or
a hostname resolvable via /etc/hosts (symlinked to /etc/inet/hosts)
(Thanks again to Larry Austin).
If this won't work, maybe have a look at Sun's documentation here.
Sure. You can mix all Samba versions, e.g. use 2.2 as PDC and the stable 2.0.7 release as file server. In theory, you can even have more than two Samba servers on a single machine. This would make sense if you have a lab and want to test the different versions.
Thanks to Thomas Winkler <t.winkler@itcampus.de> who brought up and explained this concept on the SuSE-Linux-Mailinglist.
Many useful hints came from Chris Lee <lee@azsites.com> (FreeBSD), Oleg Grodzevich <illinar@mindon.net> (FreeBSD, etc.), Stephan Lauffer <lauffer@ph-freiburg.de>, Sardar Azari <me@sardar.net> and Larry Austin <blakie@myrealbox.com> (both Solaris).
And of course the Mailing-lists are a great source of information:
*** Even if there are people who successfully run a configuration like this, be aware and keep in mind that there is always a risk in using alpha/beta code in production environments! So don't blame me! ***