
Setting up a PDC with SAMBA under selinux and iptables.

Samba emulates NetBIOS, a name-mapping service over which Windows machines find and talk to each other by broadcast. Before the Internet grew, Microsoft used a protocol called NetBEUI for Windows-to-Windows communication. During the migration to TCP/IP, Novell launched NetWare 5 with TCP/IP support while Microsoft was improving Windows NT 3.5 into NT 4, which had TCP/IP support.

It is as simple as it sounds. Samba ships two daemons: smbd and nmbd.

smbd is the main Samba daemon (file and print sharing, authentication).
nmbd is the NetBIOS name service daemon.

First of all, let's allow Samba through the firewall.

You can do this by running system-config-securitylevel-tui or by editing /etc/sysconfig/iptables by hand. The first choice is much easier.

[root@server ~]# system-config-securitylevel-tui

Go to Customize, tick the Samba checkbox and press OK. This opens what Samba needs: UDP 137 and 138 for NetBIOS and TCP 139 and 445 for SMB.

Now we need to set some SELinux booleans.

[root@server ~]# setsebool -P samba_enable_home_dirs 1

[root@server ~]# setsebool -P samba_domain_controller 1

[root@server ~]# setsebool -P samba_export_all_rw 1

[root@server ~]# setsebool -P samba_export_all_ro 1

[root@server ~]# setsebool -P use_samba_home_dirs 1

If for some reason you want SELinux out of the picture for Samba only, set these two booleans to 1, which makes smbd and nmbd run without their confined domains:

disable_smbd_trans and disable_nmbd_trans

I'll create all the directories used in this example right now.

[root@server ~]# mkdir /home/samba/profiles /home/samba/netlogon /home/samba/common -p

The first one stores the users' roaming profiles, written at the moment they log off.

The second one holds the netlogon share (logon scripts), and the last one is a common share that users of the system will use to exchange files.

[root@server ~]# cd /home/samba/
[root@server samba]# chcon -t samba_share_t profiles
[root@server samba]# chcon -t samba_share_t netlogon/
[root@server samba]# chcon -t samba_share_t common/

We have just labelled these directories as Samba shares for SELinux. Note that chcon only changes the label on disk: a filesystem relabel (restorecon, or a relabel at boot) resets it to the default context unless the rule is also recorded with semanage fcontext.

We can check it with:

[root@server samba]# ls -Z
drwxr-xr-x root root root:object_r:samba_share_t common
drwxr-xr-x root root root:object_r:samba_share_t netlogon
drwxr-xr-x root root root:object_r:samba_share_t profiles

We need two groups: one for machines and one for people :)

[root@server samba]# groupadd machines
[root@server samba]# groupadd people

What you see below is what it looks like, except that I set the SGID bit on the common directory so that files created there inherit the people group.

[root@server samba]# chmod 770 profiles/

[root@server samba]# chmod 770 common/

[root@server samba]# chmod 770 netlogon/

[root@server samba]# chgrp people profiles/ netlogon/ common/

[root@server samba]# chmod g+s common/

[root@server samba]# ls -la
total 40
drwxr-xr-x 5 root root 4096 Mar 18 22:12 .
drwxr-xr-x 3 root root 4096 Mar 18 22:12 ..
drwxrws--- 2 root people 4096 Mar 18 22:12 common
drwxrwx--- 2 root people 4096 Mar 18 22:12 netlogon
drwxrwx--- 2 root people 4096 Mar 18 22:12 profiles
[root@server samba]#
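The following script is an added example (not from the original post) that applies the permission layout from this section and verifies both the Unix modes and the SELinux labels. It assumes GNU stat is available, takes the group name as a parameter so it can be exercised on a machine without a "people" group, and reads "ls -Z" output in the RHEL 5 format shown above from stdin so the label check runs even where SELinux is absent.

```shell
#!/bin/sh
# Added example (not from the original post): apply and verify the share
# directory permissions and SELinux labels from this section.
# Assumptions: GNU stat; group name passed in by the caller.
SHARES="profiles netlogon common"

# Octal mode of a directory, including the setuid/setgid/sticky digit.
dir_mode() { stat -c '%a' "$1"; }

# Apply the permissions from the post: 770 on every share, owning group as
# given, and setgid on common so new files inherit that group.
apply_perms() {
  base=$1; grp=$2
  for d in $SHARES; do
    mkdir -p "$base/$d"
    chmod 770 "$base/$d"
    if [ -n "$grp" ]; then chgrp "$grp" "$base/$d"; fi
  done
  chmod g+s "$base/common"
}

# Verify: profiles and netlogon must be exactly 770, common exactly 2770,
# so no world-accessible bit has crept back in. Prints each deviation.
check_perms() {
  base=$1; rc=0
  for d in $SHARES; do
    want=770
    if [ "$d" = common ]; then want=2770; fi
    got=$(dir_mode "$base/$d")
    if [ "$got" != "$want" ]; then
      echo "$d: mode $got, expected $want"
      rc=1
    fi
  done
  return $rc
}

# Verify SELinux labels from "ls -Z" output fed on stdin, lines of the form
# "drwxr-xr-x root root root:object_r:samba_share_t common" (RHEL 5 format).
# Flags any entry whose type is not samba_share_t.
check_labels() {
  rc=0
  while read -r perms user group ctx name; do
    if [ -z "$name" ]; then continue; fi
    case "$ctx" in
      *:samba_share_t*) ;;
      *) echo "$name: context $ctx is not samba_share_t"; rc=1 ;;
    esac
  done
  return $rc
}

# Stand-alone run against /home/samba as laid out in the post:
# apply_perms /home/samba people && check_perms /home/samba && ls -Z /home/samba | check_labels
```

Run the last line as root after the chcon step; check_perms catches a share that has drifted back to 775 or lost its setgid bit, and check_labels catches a directory that was recreated without its samba_share_t label.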

Now, it’s about time to install samba packages.

[root@server ~]# yum install samba samba-client

Here is a brief overview of how to set up a PDC with Samba.
I suggest you spend some time reviewing it and reading further: there are many more options and properties, and many ways to set it up.

[root@server samba]# cd /etc/samba/

[root@server samba]# mv smb.conf smb.conf.OLD

[root@server samba]# vi smb.conf

[global]
workgroup = QUEIROZPACHECO
netbios name = SERVER
security = user
encrypt passwords = yes
passdb backend = tdbsam
hosts allow = 192.168.1.
interfaces = 192.168.1.0/24
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
logon path = \\%L\profiles\%U
logon script = common.bat

[profiles]
comment = User's Profiles
path = /home/samba/profiles
writeable = yes
browseable = no
guest ok = no

[netlogon]
comment = netlogons users
path = /home/samba/netlogon
read only = yes

[homes]
comment = home's users
writeable = yes
browseable = no

Note that interfaces on its own does not stop smbd from listening on every address; add bind interfaces only = yes if that is the intent (hosts allow still filters clients either way).

We can check whether the current configuration is valid by running testparm.

[root@server samba]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[profiles]"
Processing section "[netlogon]"
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
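testparm checks syntax, not intent. The script below is an added example (not from the original post) that parses an smb.conf with POSIX awk and reports the settings a reviewer of this kind of setup would look at first: interfaces without bind interfaces only, a missing hosts allow, encrypt passwords = no, and any share with guest ok = yes. The two sample files it writes are constructed for the demonstration; the "weak" one mirrors the post's [global] plus a [common] share opened to guests.

```shell
#!/bin/sh
# Added example (not from the original post): a small smb.conf audit.
# Assumptions: POSIX awk; sample configs below are constructed.

# Parse "key = value" lines per section (case-insensitive, trimmed) and
# report findings one per line on stdout; exit status = number of findings.
audit_smbconf() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                               # comment line
    /^[ \t]*\[/   { sec = tolower($0)                    # "[section]"
                    sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    index($0, "=") {                                     # "key = value"
      i = index($0, "=")
      k = tolower(trim(substr($0, 1, i - 1)))
      v = tolower(trim(substr($0, i + 1)))
      conf[sec "|" k] = v
    }
    END {
      n = 0
      # interfaces alone does not restrict binding; bind interfaces only does
      if (("global|interfaces" in conf) && conf["global|bind interfaces only"] != "yes") {
        print "global: interfaces set but bind interfaces only is not yes"; n++ }
      if (!("global|hosts allow" in conf)) { print "global: no hosts allow"; n++ }
      if (conf["global|encrypt passwords"] == "no") { print "global: encrypt passwords = no"; n++ }
      for (key in conf) {
        split(key, p, "|")
        if (p[1] != "global" && p[2] == "guest ok" && conf[key] == "yes") {
          print p[1] ": guest ok = yes"; n++ }
      }
      exit n
    }' "$1"
}

# Constructed samples: weak.conf is the post-style [global] plus a guest
# share; hard.conf adds bind interfaces only and keeps common authenticated.
make_samples() {
  cat > "$1/weak.conf" <<'EOF'
[global]
  workgroup = QUEIROZPACHECO
  netbios name = SERVER
  security = user
  encrypt passwords = yes
  passdb backend = tdbsam
  hosts allow = 192.168.1.
  interfaces = 192.168.1.0/24
  domain logons = yes
[common]
  path = /home/samba/common
  guest ok = yes
EOF
  cat > "$1/hard.conf" <<'EOF'
[global]
  workgroup = QUEIROZPACHECO
  security = user
  encrypt passwords = yes
  hosts allow = 192.168.1.
  interfaces = 192.168.1.0/24
  bind interfaces only = yes
[common]
  path = /home/samba/common
  guest ok = no
EOF
}

# Stand-alone usage on the real file:
# audit_smbconf /etc/samba/smb.conf
```

On the post's own [global] the only finding is the missing bind interfaces only; the audit is meant to run after every edit, next to testparm.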

Fine. Next step: make the smb service start automatically at boot, and start it now.

[root@server samba]# chkconfig smb on
[root@server samba]# service smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@server samba]#

Now let's see if it works.
Set an SMB password for the root user (it is the one used to join machines to the domain).

[root@server samba]# smbpasswd -a root
New SMB password:
Retype new SMB password:
Added user root.
[root@server samba]#

Create a user; every user has to be in the people group (note that usermod -G replaces the supplementary group list, so use -aG for a user that already has other groups).
Let's add a user called manufacture.

[root@server samba]# adduser -s /bin/false manufacture
[root@server samba]# usermod -G people manufacture
[root@server samba]# smbpasswd -a manufacture
New SMB password:
Retype new SMB password:
Added user manufacture.
[root@server samba]#

This is a rule: each machine account must exist as a Unix user named after the machine followed by a $ character. Alternatively, you can put a command line into smb.conf so Samba creates it for you.

I'll show it first without the add machine script, and then how to implement the script.

Suppose the machine is called pc001.

[root@server samba]# adduser -d /dev/null -s /bin/false pc001$

[root@server samba]# smbpasswd -a -m pc001$
Added user pc001$.
[root@server samba]#

You can either do it this way or add an entry like this to smb.conf:

add machine script = /usr/sbin/useradd -g machines -c "Machine from %u" -d /dev/null -s /bin/false %u

Save and restart the smb service.

You can watch the smbd log with:

[root@server samba]# tail -f /var/log/samba/smbd.log

Create a file called common.bat in /home/samba/netlogon and put something like this into it:

net use x: \\server\common /y

Now let's join a Windows XP client to the QUEIROZPACHECO domain.

Right-click My Computer, choose Properties, then the Computer Name tab and the Change button. Select Domain, type QUEIROZPACHECO into the box and click OK. It will ask for the root password (the SMB password set above); type it and reboot the Windows XP client.

Thanks a lot.
Bye from Carlos.

  1. December 4, 2010 at 7:17 am

    Thxs buddy…
    Try this Url, looks gr8

    http://www.redhatlinux.info/2010/11/selinux.html
