Solved

Configuring Samba in windows domain

Posted on 2014-03-13
Last Modified: 2014-03-22
I want to try to install and configure Samba as File and Print server in existing windows 2008 domain.

** Actually, I do not even know what benefits Samba will bring to the environment. In other words, is it worth implementing Samba, or should I just use Windows 2008 as the file server? I know that Linux is free; other than that, what are the other benefits?

** Now that I want to try Samba in windows domain, I would like to have a step by step guide on how to install and configure Samba.
I have done some reading about the install and configuration of samba, but each link puts something different that makes me wonder if that different thing is required or not…

So, all I need is to get samba file server installed and configured in windows domain.

Any help will be very much appreciated.

Thanks
Question by:jskfan
14 Comments
 
LVL 27

Assisted Solution

by:serialband
serialband earned 167 total points
If you already have a windows server that is capable of serving files, why do you need another Samba server?  Which types of systems do you have more of?  If it's mainly windows you should just use a Windows file server.  Linux & OSX already have smbclient and can mount Windows file shares.  If you're mostly linux or OSX, I can see some minor benefit to running Samba on linux, but otherwise it doesn't make sense.

Which version of linux do you have?
0
 

Author Comment

by:jskfan
I have Ubuntu…
I was just wondering what the benefit of using Samba in a windows domain is. It could be doable if we do not want to buy a windows server license to install a file server. That's my guess; I could be wrong.

Samba, to my understanding means Windows is involved (either windows workgroup or domain)

Seeing that most of windows environments use Windows Active Directory Domain, implementing Samba, would that benefit the company ? Though I have not seen any environment so far using Samba in Windows Active Directory Domain.
Samba may come into the game if the company is completely Linux and may have a few windows workstations that are not in the Domain, just a workgroup.
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 83 total points
Samba can be windows DC or ADC. No CALs needed.
0
 

Author Comment

by:jskfan
In my case, I already have Windows Domain Controllers, I would like to install Samba server on Ubuntu as file and Print server.
I do not want to create users in Samba, seeing that they are already created in Active Directory.

Any link to a guide that would apply to my case scenario ?

Thank you
0
 
LVL 61

Expert Comment

by:gheist
Samba has user friendly document for you.
0
 
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 167 total points
install likewise-open and join the domain
sudo apt-get install likewise-open && sudo domainjoin-cli join domain.com adminusername
don't forget you need your ubuntu box to use one of the domain's dns servers
https://help.ubuntu.com/10.04/serverguide/likewise-open.html

then setup shares by right-clicking on directories

--

note that you can setup shares without joining the domain if you want to use a workgroup but you will not have user integration. this is probably not what you want for a file share, but you can always setup a print share and allow guest users without bothering with the domain

--

then is it useful ? i really can't tell : that would depend on your setup. using samba as a client is quite simple, using it as a dc is not that complicated, setting up replications or trusts between a windows dc and a samba dc requires some practice
0
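For the scenario asked about above (an Ubuntu file server in an existing Active Directory domain, with no users created in Samba), this is an added example and not part of any post in this thread; it uses Samba's own winbind domain-member mode rather than the likewise-open route suggested above. EXAMPLE, EXAMPLE.COM, 192.0.2.0/24 and /srv/samba/projects are placeholders.

```ini
# /etc/samba/smb.conf (added example; EXAMPLE, EXAMPLE.COM, 192.0.2.0 and
# /srv/samba/projects are placeholders, not values from this thread)
[global]
   # Domain member: accounts and passwords stay in Active Directory,
   # so no users are created in Samba itself.
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   kerberos method = secrets and keytab

   # winbind maps AD SIDs to Unix uid/gid. The two ranges must not overlap.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999

   # Domain users get file access only, never an interactive login shell.
   template shell = /usr/sbin/nologin

   # No guest or anonymous sessions; failed logins are rejected outright.
   map to guest = never
   restrict anonymous = 2

   # Refuse SMB1 and unsigned sessions (assumes every client speaks SMB2+).
   server min protocol = SMB2
   server signing = mandatory

   # Answer only the internal client subnet.
   hosts allow = 127.0.0.1 192.0.2.0/255.255.255.0
   hosts deny = ALL

[projects]
   path = /srv/samba/projects
   read only = no
   guest ok = no
   # Access is granted by AD group membership, resolved through winbind.
   valid users = @"EXAMPLE\Domain Users"
```

Validate the file with `testparm`, join with `net ads join -U adminusername`, and confirm that `wbinfo -g` lists the domain groups before relying on the share's `valid users` line.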
 
LVL 13

Assisted Solution

by:Sandy
Sandy earned 83 total points
Samba is quite good when choosing it as a file and print server. You can implement share/user level access on every share similar to windows but no specific benefits from user point of view.. Just a basic benefit of keeping the data on such a box where ".exe" kind of viruses don't replicate themselves.

http://www.maketecheasier.com/install-and-configure-samba-in-ubuntu-for-file-sharing/

TY/SA
0
 
LVL 27

Expert Comment

by:serialband
If you already have server 2008 then it comes with a file server role built into it.  There are no additional licenses.   The only benefit to running SAMBA is that it runs older SMB to more reliably allow Linux and OSX to connect via smbclient.  You don't need to run Samba for Windows.  It can be run as the default share for linux or OSX.  Samba is a bit more secure than NFS in certain ways.  So, really, it depends on how many Windows and how many Linux and how many OSX systems are in your workplace and who you are mainly trying to serve.

It looks like you're planning on running Samba anyway and really just want justification to do it instead of enabling file and printer sharing on Server 2008.  Are you mainly a Windows Admin or a Linux Admin?  Which are you more comfortable with?  Don't do it just because you want a change.  Windows is more secure these days, so if it's just about security, that's not really a good reason to switch.

Viruses aren't magical.  Someone needs to manually execute that first one.  If it's running on your back end server, you haven't patched properly or you have "admins" running stuff they shouldn't.  They can still "replicate" on a linux system when you have a Samba share and Windows users are connected to it.  You should have antivirus scans installed on fileservers to scan user files for viruses and trojans, whether you use Windows or Linux.  If you run a file server, it should only run as a back end server, isolated from user roles.  Users should not be able to log in and run browsers or any other applications.  Admins, especially should not use browsers on it.  When I banned other admins from using browsers on the back end servers, all the problems associated with it disappeared.  It's much better now that windows update has been separated from IE.  I can actually uninstall it from the servers.
0
 
LVL 26

Expert Comment

by:skullnobrains
"Viruses aren't magical.  Someone needs to manually execute that first one."

hmm... the past has shown quite a few examples of win-rpc and dcom breaches that did allow a virus to infect a file server and all the machines connected to it without any kind of human intervention whatsoever

"When I banned other admins from using browsers on the back end servers, all the problems associated with it disappeared.  It's much better now that windows update has been separated from IE.  I can actually uninstall it from the servers."

this is kinda off-topic, but why the hell would a backend file share even have internet access (other than restricted to a few sites such as possibly updates if you don't want to deploy an update server internally)

"It looks like you're planning on running Samba anyway"

+1
if you have time to broaden your horizon and self-education, it seems like something you may want to do ; if not, you probably should weigh the pros and cons with us before you spend days in learning
0
 
LVL 27

Assisted Solution

by:serialband
serialband earned 167 total points
@skullnobrains

That back end server was one I inherited when I started at a "new" place, over a decade ago.  It was one of the first things I did.  You should see the things some of the "admins" were doing.  I uninstalled all the browsers, cracked warez, etc... from all the back end servers and started limiting log on access.  I had to set policy and make them legal and get all the warez off the workstations too. :P

That RPC and DCOM worm is a small fry compared to the other kinds of viruses out there.  Someone still had to run something somewhere to start that first infection.  And that type of problem keeps appearing because microsoft keeps running too many things automatically.  Those should be configurable.  Eventually, they start locking them down, so that the majority of them require much more human intervention to get going.
0
 
LVL 26

Expert Comment

by:skullnobrains
i meant first of all the machine should not have internet access. that means your corporate firewall has no reason to allow outgoing HTTP from such a server (nor probably any kind of traffic with the WAN be it incoming or outgoing). if they can't use the internet, they won't use it to do something stupid either ;P

RPC and DCOM were just examples of means of virus replication that are related to file sharing services. as an example of things that could happily NOT run automatically, the "server" service is perfectly useless on a workstation that shares nothing but nevertheless enabled on all windows hosts. it has a history of allowing worms to spread even when no shares are in use. those worms can have very malicious activities or simply download other viruses which are indeed malicious.

---

no someone does not have to run something to start an infection, at least definitely not on a windows system. simply visualising a web page or email may suffice, simply be on the same LAN as another computer as well [ ... skipping LOTS of other known possibilities ] ; IIS (including OWA) has a long history of security breaches that could fairly easily let a virus enter through a remote http connection, and spread to the entire organisation overnight without any user intervention

then i'm not really wishing to have a long debate on how insecure windows can be... we're kinda drifting from the main topic, there

---

i do believe that running a samba is a little more secure than a windows file server, the main reason not even being about which is more secure, but it is indeed more secure to have different OSes, network stacks, protocol implementations, because viruses are usually quite unhappy with hopping from a technology to a different one. the approach is a bit similar to the selection of a web reverse proxy based on the sole criteria that it is NOT the same software as the main server(s) run

obviously, if a virus replicates itself as an executable file on a share (do such viruses even exist anymore ?), and somebody is foolish enough to execute the file, it won't make a difference whether the share was a samba or something else.

as always, the real questions there are
- given the advantages, is the time you are going to spend on it worth it ?
- if it's about security, is it really something meaningful compared to other security threats ? (do your users run their desktops as admins ? do you have an externally accessible IIS ? do all your users including VIPs and people who work on sensitive material use the same network and file shares ? do your users use outlook ? with their personal mailboxes ? ... )
0
 
LVL 27

Expert Comment

by:serialband
That was the etc... that I put in there to include the internet access.  I agree with you on blocking access to critical servers and either manually downloading the patches on another system to patch it or use WSUS.

I think we're just using different definitions about the term "running software".  Someone is running a browser, an email client, IIS, etc...  There's a vector for those infections and they need to be patched/updated or monitored for the infections.

"i do believe that running a samba is a little more secure than a windows file server, the main reason not even being about which is more secure, but it is indeed more secure to have different OSes, network stacks, protocol implementations, because viruses are usually quite unhappy with hopping from a technology to a different one. the approach is a bit similar to the selection of a web reverse proxy based on the sole criteria that it is NOT the same software as the main server(s) run"

Absolutely.  I prefer running a mixed environment because of that, but I have the knowledge and expertise from my group to do so.  If you're a beginner on linux, you won't be able to make it as secure as the Windows box you've spent years learning to configure and vice versa.  You'll eventually get it, but in the meantime, you've opened up security holes you didn't know existed.
0
 
LVL 26

Accepted Solution

by:skullnobrains
skullnobrains earned 167 total points
agreed, running software you're not familiar with is a security breach in itself, but then if we want to learn, there's got to be a first time at some point

sorry about the term "running software" : i probably should have assumed you did not actually mean run an executable.

but then lots of things run on a system other than what the user runs, so i don't think it's only about what users run (such as the above-mentioned "server" service, remote registry access, rpc locator, various explorer.exe add-ons that will be launched just by booting into a desktop...) and obviously which credentials they run as. the only privilege necessary for a file sharing software is the ability to create a process running with the remote user's credentials ( that is if you want the access rights to be enforced by the server system which is not the only meaningful strategy )

---

anyway seems like we're drifting...
how are things going, @jskfan ?
0
 

Author Closing Comment

by:jskfan
Thank you all Guys!
0
