Setting up a Samba 3 Windows Primary Domain Controller; File & Print Server; Software Apps & Config Deployment Server, Using Debian 4.0 Etch

Introduction

This document describes how to set up a multi-faceted server for Windows and Unix workstations using Samba 3 on a Debian GNU/Linux 4.0 'Etch' server. The server provides a Windows NT 4 style primary domain controller (PDC), with roaming user profiles; file, print, software deployment (using WPKG) and Windows user config (using TWEAK (Unattended)) server; and WINS server. This is not an Active Directory style PDC.

Having a domain controller on a network allows you to define one set of user accounts. When turned on, Windows workstations present a login prompt allowing users to login to the domain with any of those user accounts at any machine.

Roaming user profiles provide the same Windows profile to users for each account whichever machine they login on. The Windows profile includes their or the system administrator's customisation of their Windows and applications' environment, their desktop and Start Menu shortcuts, etcetera.

Users have access to a private Home directory and any number of directories shared between some or all other users.

Printers are setup once and available to all users.

For other Debian server options see 'Server Setup with Debian 4.0 'Etch''.

This guide does not provide an upgrade path from our Samba 2.2 domain controller on Debian 3.0 Woody document, available at http://thegoldenear.org/toolbox/unices/samba/samba-setup.html. This guide assumes you are installing from scratch.

Notable Changes To This Document

1.2.0 - 5 December 2013

1.1.0 - 13 May 2013

1.0.0 - 19 March 2010

0.9.7 - 29 June 2009

0.9.6 - 24 April 2009

0.9.3 - 6 Oct 2008

0.9.2 - 4 Oct 2008 - Windows Administration Area's 'chmod g+ws /usr/windows-admin' was wrong as it set group file system permission mode of 'wS' (writable and set group ID) when what we wanted was 'ws' (writable, executable and set group ID). This resulted in people in the samba-domain-admins group not being able to move into the directory /usr/windows-admin. It should have instead been 'chmod g+wxs /usr/windows-admin'.

0.9.1 - 23 Sept 2008 - Windows Administration Area's 'chmod g+ws,o-x /usr/windows-admin' didn't allow WPKG's winuser account access to packages for auto installation so changed to 'chmod g+ws /usr/windows-admin'. To fix an already set directory use 'chmod o+x /usr/windows-admin'.

0.9.0 - 17 June 2008

0.8.8 - 4 March 2008

Changes From The Previous Guide

Some Samba 3 Theory

Domain administration users, rights, groups and relative identifiers

"When first installed, Microsoft Windows NT4/200x/XP are pre-configured with certain User, Group, and Alias entities. Each has a well-known Relative Identifier (RID). These must be preserved for continued integrity of operation. Samba must be provisioned with certain essential Domain Groups that require the appropriate RID value. When Samba-3 is configured to use tdbsam the essential Domain Groups are automatically created. It is the LDAP administrators' responsibility to create (provision) the default NT Groups." - 'Chapter 12. Group Mapping: MS Windows and UNIX - Advanced Configuration': http://www.samba.org/samba/docs/man/Samba3-HOWTO/groupmapping.html

"Be sure to map each [Windows] Domain Group to a UNIX system group. That is the only way to ensure that the group will be available for use as an NT Domain Group."

Well-Known Entity: Domain Admins
  RID: 512
  SID: S-1-5-<domain>-512
  Our Unix group: samba-domain-admins
  Type: Group
  domain/local/builtin: domain
  Purpose: "A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group."
  Essential for Samba?: Yes

Well-Known Entity: Domain Users
  RID: 513
  SID: S-1-5-<domain>-513
  Our Unix group: samba-domain-users
  Type: Group
  domain/local/builtin: domain
  Purpose: "A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default."
  Essential for Samba?: Yes

Well-Known Entity: Domain Guests
  RID: 514
  SID: S-1-5-<domain>-514
  Our Unix group: samba-domain-guests
  Type: Group
  domain/local/builtin: domain
  Purpose: "A global group that, by default, has only one member, the domain's built-in Guest account."
  Essential for Samba?: Yes

Well-Known Entity: Builtin Print Operators
  RID: 550
  SID: S-1-5-32-550
  Our Unix group: lpadmin
  Type: Alias
  domain/local/builtin: builtin
  Purpose: manage printers and document queues; cannot add printers
  Essential for Samba?: No

Delegate administrative privileges as necessary to either a normal user or to groups of users. By default, no privileges and rights are assigned. They must be created manually.

The smb.conf setting that relates to this is enable privileges = yes.

Available privileges

"The Samba Team is implementing only those privileges that are logical and useful in the UNIX/Linux environment. Many of the Windows 200X/XP privileges have no direct equivalence in UNIX." Samba has these privileges available for us to use:

SeAddUsersPrivilege
"This right determines whether or not smbd will allow the user to create new user or group accounts via such tools as net rpc user add or NT4 User Manager for Domains."

SeDiskOperatorPrivilege
"Accounts that possess this right will be able to execute scripts defined by the add/delete/change share command in smb.conf file as root. Such users will also be able to modify the ACL associated with file shares on the Samba server."

SeMachineAccountPrivilege
"This right controls whether or not the user can join client machines to a Samba-controlled domain."

SePrintOperatorPrivilege
"This privilege operates identically to the printer admin option in the smb.conf file (see section 5 man page for smb.conf) except that it is a global right (not on a per-printer basis). Eventually the smb.conf option will be deprecated and administrative rights to printers will be controlled exclusively by this right and the security descriptor associated with the printer object in the ntprinters.tdb file."

SeRemoteShutdownPrivilege
"Samba provides two hooks for shutting down or rebooting the server and for aborting a previously issued shutdown command. Since this is an operation normally limited by the operating system to the root user, an account must possess this right to be able to execute either of these hooks."

SeTakeOwnershipPrivilege
This right permits users to take ownership of files and directories.

Further Reading

The Official Samba-3 HOWTO and Reference Guide - Chapter 12. Group Mapping: MS Windows and UNIX: http://samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html.

The Official Samba-3 HOWTO and Reference Guide - Chapter 13. Remote and Local Management: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id2572033

The Official Samba-3 HOWTO and Reference Guide - Chapter 15. User Rights and Privileges: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html

Well-known security identifiers in Windows operating systems http://support.microsoft.com/kb/243330.

Creating user accounts

The syntax for creating a user account is this:
net rpc user add <username> -S <server hostname> -U <user to connect as>

The syntax for setting a password for the user account is this:
net rpc user password <username> "<password>" -U <user to connect as>

Note that the net command can be used from any Unix machine, not just from the Samba server console, by including the option -S <server name> (and also from any Windows command-line with a slightly different syntax).

WINS

Where NetBIOS over TCP/IP is enabled on the client, a WINS server is highly recommended to aid the resolution of NetBIOS (SMB) names to IP addresses. We make the Samba server the WINS server, through the use of the smb.conf settings wins support and name resolve order. You should only use this if this is the only WINS server; if there are Windows servers make one of them the WINS server instead.

WINS is the only means of name resolution for NetBIOS clients on different subnets.

On the client, you need to define the WINS server address and disable LMHOSTS in the TCP/IP properties section.

Disk Partitions

These partition sizes are for those sections that differ from our standard server partition sizes as described in our respective Debian server document.

Label: usr
  Size: 5GB - 7GB (for the RCS software suite)
  Mount point: /usr
  Usage: software packages for deployment, possibly Windows for deployment, Autopatchers, any Windows programs that run from the server. If you put things like Adobe CS there you may want even more space.

Label: home
  Size: whatever is appropriate
  Mount point: /home
  Usage: user home directories (H:); organisation shared directory (S:); organisation restricted directory (R:); Windows user profiles (including user desktops); email

The Samba Domain Controller

Packages

Install them with this command: aptitude install samba samba-doc smbclient flip.

Samba Configuration File (smb.conf)

smb.conf

Replace the existing Samba configuration file /etc/samba/smb.conf with this:

#===============================================================
# smb.conf
# Samba 3.0.24 configuration file for Primary Domain Controller
# (PDC) file, print and domain server running on Debian 4.0 Etch.
#
# http://thegoldenear.org/toolbox/unices/
#
# Licence: GNU General Public License version 3 or later
#
# Version: 0.8.0
# For explanation and changelog see
# http://thegoldenear.org/toolbox/unices/samba-3-pdc-print-server-debian-etch.html#smb.conf
#===============================================================

#===============================================================
# NOTE:
# - After modifying, run 'testparm' to check for errors.
# - Replace '<ORGANISATION>' with your actual organisation name.
# - Uncomment some of the example shares if you wish to use them.
#===============================================================


#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will be part of
# (Note there's a maximum length to this, somewhere < 14)
   workgroup = <ORGANISATION>

# server string is the equivalent of the NT Description field
   server string = Domain Controller

# This machine is the WINS server.
# If you want another machine to be the WINS server use 'wins server = <IP address>'.
wins support = yes

# This prevents nmbd from searching for NetBIOS names through DNS.
   dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
# 1. WINS
# 2. Unix's hosts (/etc/hosts), NIS (/etc/nsswitch.conf) or DNS (/etc/resolv.conf)
# 3. broadcast
name resolve order = wins host bcast

# Workstations will set their time by this server
# (by using a command such as net time \\server /set /yes)
time server = yes

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
;   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 10

# Do something sensible when Samba crashes: mail the admin a backtrace.
# The email will be sent to whomever Samba runs as, in our case 'root'.
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Require a Unix account in this server for every user.
   security = user

# Provide logon scripts, home directories, etc as well as authentication
   domain logons = yes

# Have the Windows client encrypt passwords sent to Samba
   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam

# Adhere to the PAM's account and session restrictions
   obey pam restrictions = yes

# On some systems the default guest account "nobody" may not be able to print.
# Default is nobody
   guest account = nobody

# Beware of this: you'll need a Domain Admin user other than root to create
# machine accounts when root is listed here. Debian defaults to using this.
# I haven't got it to work without root, so it is disabled here.
#invalid users = root

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync (Debian-specific)
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes


####### Scripts for interfacing with Unix #######

# To add a user
add user script = /usr/sbin/useradd -m "%u"

# To delete a user
delete user script = /usr/sbin/userdel "%u"

# To add a group, i.e. net rpc add group
add group script = /usr/sbin/groupadd "%g"

# To delete a group
delete group script = /usr/sbin/groupdel "%g"

# To add users to groups, i.e. net rpc group addmem
add user to group script = /usr/sbin/usermod -G "%g" "%u"

# To delete a user from a group
delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
# (Note that usermod and gpasswd are in different directories)

# A Windows User has a primary group in addition to the auxiliary groups.
# This script sets the primary group in the Unix user database when an administrator
# sets the primary group from the Windows user manager or when fetching a SAM with
# net rpc vampire.
set primary group script = /usr/sbin/usermod -g "%g" "%u"



########### For domain workstations ###################

# When adding a machine to the domain, this creates the necessary Unix machine account.
# This will require a corresponding Unix group called 'machines' creating.
# "This option is only required when using sam back-ends tied to the Unix uid method of RID calculation such as smbpasswd."
  add machine script = /usr/sbin/useradd -g machines -c "Samba Machine" -d /dev/null -s /bin/false '%u'

  logon drive = H:
  logon path = \\%L\profiles\%U
  logon script = netlogon.bat



############ Misc ############

# Support for the Windows privilege model. This model allows
# certain rights to be assigned to a user or group SID via either
# net rpc rights or one of the Windows user and group manager tools.
enable privileges = yes

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Domain Master specifies Samba to be the Domain Master Browser.
  local master = yes
# (When domain logons = yes the default setting for this parameter is yes.)
  domain master = auto
  preferred master = yes
  os level = 255


########## Printing ##########

# Print serving is disabled.
# If you instead want a print server then see the corresponding Printing section at
# http://thegoldenear.org/toolbox/unices/samba-3-pdc-print-server-debian-etch.html#printing-smb.conf.
# Without this /var/log/samba/syslog and /var/log/samba/log.smbd are full of messages of
# 'printing/pcap.c:pcap_cache_reload(159)Unable to open printcap file /etc/printcap for read!'
printcap name = /dev/null
load printers = no



#======================= Share Definitions =======================

#------------ System disk shares ---------------
# Samba defaults to:
# read only = yes

[homes]
# 'logon drive' won't work without this section

# If you want to set the home directory somewhere other than the Unix home:
# path =

   volume = HOME
   comment = Home Directories
   read only = no

# Don't display a 'homes' share as well as the '%U' share
   browseable = no

# Only the owner can read/write their files. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Only the owner can navigate into their directory. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700


[netlogon]
# The netlogon directory for Domain Logons
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   share modes = no
   browseable = no
   write list = @samba-domain-admins
   # if you want to use root with this setting then make sure you don't have 'invalid users = root'
   # owner and group can read/write, others can read
   force create mode = 0664

[profiles]
   comment = Windows user profile directories
   path = /home/samba/profiles
   read only = no
   browseable = no
   # rw------- : only the user can read/write files
   create mask = 0600
   # rwx------ : directories must be executable if they are to be navigated
   directory mask = 0700


#------------ Other disk shares ---------------

#[programs]
## To install application programs to and keep utilities in
## Uncomment the corresponding P: mapping in NETLOGON.BAT.
#   comment = Windows programs
#   path = /usr/windows-programs
#   read only = yes
#   browseable = yes
#   write list = @samba-domain-admins
#   force create mode = 0664
#   force directory mode = 2774

#[restricted]
##  For restricted sub-groups, for example 'finance'.
##  Create sub-directories in here for different groups, each with access only by certain Unix groups 
##  Uncomment the corresponding R: mapping in NETLOGON.BAT.
#   comment = Shared space only for restricted groups
#   path = /home/<ORGANISATION>/restricted
#   read only = no
#   browseable = yes
#   force create mode = 0660
#   force directory mode = 2770

#[database]
## Share with OpLocks turned off for data integrity with shared database files
## Uncomment the corresponding T: mapping in NETLOGON.BAT.
##
#   comment = Shared space for database files
#   path = /home/<ORGANISATION>/database
#   read only = no
#   browseable = yes
#   write list = @<ORGANISATION>-staff

##  Related to this is the database directory's owner and its Unix permissions.

##  All new files will have permissions 'rw-rw----'
##  (only owner can read/write and others in same group can read/write)
#   force create mode = 0660

##  All new directories will have permissions 'rwxrws---'
##  (setgid; only owner and anyone in same group can access, see and modify files and sub-directories)
#   force directory mode = 2770

##  Turn off local caching of files (for write) (Level1 OpLocks)
#   oplocks = no

##  read-only oplocks (Level2 OpLocks)
#   level2 oplocks = no

[shared]
   comment = Shared space for everyone in the organisation group
   path = /home/<ORGANISATION>/shared
   read only = no
   browseable = yes
   write list = @<ORGANISATION>-staff

   # Related to this is the shared directory's owner and its Unix permissions.

   # If you instead want only a file/directory's owner able to delete them, set
   # sticky bit using a leading '3' in 'force create mode' / 'force directory mode'.

   # All new files will have permissions 'rw-rw----'
   # (only owner can read/write and others in same group can read/write)
   force create mode = 0660

   # All new directories will have permissions 'rwxrws---'
   # (setgid; only owner and anyone in same group can access, see and modify files and sub-directories)
   force directory mode = 2770

Change the following in smb.conf to suit your situation:

Test that you have no syntactical errors:
testparm

Restart Samba:
/etc/init.d/samba restart

smb.conf Changelog

Enable root access

Enable the Samba account for root and give it a password when prompted (if root has no entry in the Samba password database yet, smbpasswd -a root creates one and prompts for the password):
smbpasswd -e root

Machine Account

Add a group into which new machines are added:
addgroup machines

Rights, Groups and Relative Identifiers

If you wanted to, you could create a domain administrator account (i.e. make root the administrator), but you don't need to; instead we create domain administration groups. If you did want to, you would do it this way:

Create Unix groups (you can't mirror the names used by Windows as we can't create groups with spaces in their names):
addgroup --gid 512 "samba-domain-admins"
addgroup --gid 513 "samba-domain-users"
addgroup --gid 514 "samba-domain-guests"

Map these groups to the respective Windows groups that already exist in this version of Samba:
net groupmap add rid=512 ntgroup="Domain Admins" unixgroup="samba-domain-admins" type=domain -U root
net groupmap add rid=513 ntgroup="Domain Users" unixgroup="samba-domain-users" type=domain -U root
net groupmap add rid=514 ntgroup="Domain Guests" unixgroup="samba-domain-guests" type=domain -U root
(TODO: should Domain Guests instead be unixgroup="nobody"?)

Assign appropriate privileges to these groups. We do so here only for Domain Admins; the Print Operators privilege is granted in the printing section later:
net rpc rights grant "Domain Admins" \
SeMachineAccountPrivilege \
SePrintOperatorPrivilege \
SeAddUsersPrivilege \
SeRemoteShutdownPrivilege \
SeDiskOperatorPrivilege \
-U root
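As an added check that is not part of the guide, the following shell function parses the output of 'net groupmap list' and reports whether each of the three essential RIDs (512, 513, 514) is mapped to the Unix group this guide uses. On the server it would be run as 'net groupmap list | check_groupmap'; the sample output embedded here is constructed in the same format so the check can be tried without Samba.

```shell
# Added example, not from the guide: verify the essential RID -> Unix group
# mappings by parsing the output of 'net groupmap list'. On the server run:
#   net groupmap list | check_groupmap
# SAMPLE_GROUPMAP below is constructed output in the same format.

check_groupmap() {
    # Reads 'net groupmap list' output on stdin. For each essential RID prints
    # "<rid> ok", "<rid> WRONG <group> (expected <group>)" or "<rid> MISSING".
    awk '
        BEGIN {
            want[512] = "samba-domain-admins"
            want[513] = "samba-domain-users"
            want[514] = "samba-domain-guests"
        }
        # Lines look like: Domain Admins (S-1-5-21-1111-2222-3333-512) -> samba-domain-admins
        match($0, /\(S-1-5-21-[0-9-]+\) -> /) {
            sid = substr($0, RSTART + 1, RLENGTH - 6)   # drop "(" and ") -> "
            n = split(sid, part, "-"); rid = part[n]    # RID is the last SID component
            group = substr($0, RSTART + RLENGTH)
            sub(/[ \t\r]+$/, "", group)
            if (rid in want) {
                seen[rid] = 1
                if (group == want[rid]) print rid " ok"
                else print rid " WRONG " group " (expected " want[rid] ")"
            }
        }
        END { for (rid in want) if (!(rid in seen)) print rid " MISSING" }
    ' | sort
}

# Constructed sample in the format 'net groupmap list' prints; the Print
# Operators line has a builtin SID (S-1-5-32-...) and is ignored by the check.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111-2222-3333-512) -> samba-domain-admins
Domain Users (S-1-5-21-1111-2222-3333-513) -> samba-domain-users
Domain Guests (S-1-5-21-1111-2222-3333-514) -> samba-domain-guests
Print Operators (S-1-5-32-550) -> lpadmin'

printf '%s\n' "$SAMPLE_GROUPMAP" | check_groupmap
```

A RID reported as MISSING means 'net groupmap add' was not run (or failed) for it; WRONG means it was mapped to a Unix group other than the one the smb.conf shares above refer to.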

Directories

Create a directory to hold a few Samba things:
mkdir /home/samba

Create a directory for Windows user profiles:
mkdir /home/samba/profiles
(TODO: what permissions should we set?)

Create a directory for backups of Windows user profiles and set permissions so that no-one but the owner and members of the samba-domain-admins group can access it for privacy reasons:
mkdir /home/samba/profiles-backup
chgrp samba-domain-admins /home/samba/profiles-backup
chmod 770 /home/samba/profiles-backup

Shared Directory For Everyone In The Organisational Group

Directory permissions are about access to that directory, what a person can do there, not about setting what permissions files/directories created in there are given (apart from setuid, setgid and sticky bit, which are about enforcing a particular setting and are inherited). Unlike Windows' ACL-based system, Unix permissions aren't inherited from one directory to another - you can't use them to define that new files have particular r, w or x permissions - the permissions to be assigned are determined instead using the 'umask'.

The umask defines the permissions a new file will get, or rather, the permissions it will not get. Debian's default umask for root is 0077, resulting in default file permissions of 600 (rw-------) and default directory permissions of 700 (rwx------). Debian's default umask for other users is 0022, resulting in default file permissions of 644 (rw-r--r--) and default directory permissions of 755 (rwxr-xr-x).

Samba is able to provide inheritance so all files/directories created in /home/samba from Windows via Samba will have permissions determined by smb.conf's [shared] section's force create mode = 0660 and force directory mode = 2770 (which are set to mirror those defined here). Files/directories created here from within Unix, rather than via Samba, will have their permissions defined as per umask and thus require you to manually set their permissions explicitly, see the separate information box.

Create an organisation group for sharing files between all staff:
# addgroup <organisation>-staff

Create a directory within which you'll create further shared directories for people within the organisation:
# mkdir /home/<organisation>

Create a directory for shared files between everyone within the organisation (an S: for people in the organisation staff group):
# mkdir /home/<organisation>/shared

We change the owner of the shared directory to winadmin later when we've created that user.

Change the group of the shared directory to the organisation group:
# chgrp <organisation>-staff /home/<organisation>/shared

Change permissions on the shared directory so that only the owner and members of the organisation group can read, write and enter it, and so that, via the setgid bit, new files and directories created inside it inherit its group (corresponding smb.conf settings: force create mode = 0660 and force directory mode = 2770):

# chmod 2770 /home/<organisation>/shared
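The following added demonstration (not part of the guide) shows the umask behaviour described above in a throw-away directory: the parent gets the guide's mode 2770, then a file and a sub-directory are created from a Unix shell under a given umask. The sub-directory inherits only the setgid bit; the rwx bits of both new entries come from the umask, which is why files copied in from Unix need their permissions set explicitly. The directory and file names are constructed.

```shell
# Added example, not part of the guide: show which bits a directory with mode
# 2770 passes on to entries created from a Unix shell. Only the setgid bit
# (the leading 2) is inherited by the sub-directory; the rwx bits of both new
# entries come from the umask, not from the parent.

mode_of() {
    # Octal permission bits of a path, including setuid/setgid/sticky (coreutils stat)
    stat -c '%a' "$1"
}

demo_umask_inheritance() {
    # $1: umask to apply, e.g. 022 (Debian's default for users) or 077 (root)
    # Prints: "<parent mode> <new file mode> <new sub-directory mode>"
    top=$(mktemp -d)
    parent="$top/shared"
    mkdir "$parent"
    chmod 2770 "$parent"             # as done for /home/<organisation>/shared
    (
        umask "$1"
        : > "$parent/report.txt"     # file gets 666 & ~umask
        mkdir "$parent/minutes"      # directory gets 777 & ~umask, plus the inherited setgid bit
    )
    printf '%s %s %s\n' "$(mode_of "$parent")" "$(mode_of "$parent/report.txt")" "$(mode_of "$parent/minutes")"
    rm -rf "$top"
}

demo_umask_inheritance 022    # Debian user default
demo_umask_inheritance 077    # Debian root default
```

Compare the two new entries with the 660/2770 that Samba would have applied had the same file and directory been created from Windows through the [shared] share.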

Issues With Copying Existing Files To Shared

When copying files here from another Unix system, remember to preserve their timestamps as users find that useful. Using cp, the -a switch will copy recursively and preserve timestamps; using scp, the -rp switch is similar. Also, rather than using *, use the following syntax that copies all files including those beginning with a .: cp -a <source directory> <destination directory>

When copying files here via some other method than using Windows Explorer through Samba, such as cp, scp or an FTP client, afterward you should set permissions on these files to those we've defined for the shared directory. The following describes how:

Permissions For A Single File

chmod 0660 /home/<organisation>/shared/<file>

Permissions For Multiple Files / Directories
Set Permissions On All Files

chmod 0660 /home/<organisation>/shared/* -R

Set Permissions On All Directories

chmod 2770 /home/<organisation>/shared/*/
chmod 2770 /home/<organisation>/shared/*/*/
chmod 2770 /home/<organisation>/shared/*/*/*/
Carry on adding '*/' until it says chmod: cannot access `/home/<organisation>/shared/*/*/*/*/*/*/*/*/': No such file or directory.

If instead of the above chmod: cannot access you get -bash: /bin/chmod: Argument list too long then you need to lessen the amount of files being processed by applying chmod to a smaller set of directories, taking a couple of goes at it, for example to /home/<organisation>/shared/1/ and /home/<organisation>/shared/2/

If you lost file ownership details because of copying them from Windows formatted media or a Linux system with different users, you can set the owner to winuser (it doesn't actually matter who) and the group to the organisation group using:
chown -R winuser.<organisation>-staff /home/<organisation>/shared/*

(Instead of chmod 2770 you could alternatively use chmod u+rwx,g+rwxs,o-rwx)

The shared directory will eventually look similar to this:
drwxrws--- 29 winadmin someorganisation-staff 4.0K 2008-06-01 17:27 shared

If you instead want only the person who created a file/directory to be able to delete them, set the sticky bit using chmod 3770 (or chmod u+rwx,g+rwxs,o-rwx,o+t) here and in smb.conf.

Directories for Specific Shared Subjects

These are accessible by the same rules as for /home/shared.

Templates

A location for shared document templates for software such as OpenOffice.

Create the directory:
mkdir /home/<organisation>/shared/templates

Set the same permissions as were previously set on /home/shared, otherwise permissions will be determined by the umask and thus be rwxr-sr-x (if you used differing permissions on /home/shared then do so here too). Though set group ID is inherited from /home/shared we set it again because to not specify it would remove it:
chmod 2770 /home/<organisation>/shared/templates

Images

A location for shared images (logos, photos, etc) for image management software such as Picasa.

Create the directory:
mkdir /home/<organisation>/shared/images

Set the same permissions as were previously set on /home/shared, otherwise permissions will be determined by the umask and thus be rwxr-sr-x (if you used differing permissions on /home/shared then do so here too). Though set group ID is inherited from /home/shared we set it again because to not specify it would remove it:
chmod 2770 /home/<organisation>/shared/images

Directory In Which To Locate Sub-group / Restricted Group Directories

This is for a shared area only a restricted group of people can access. It'll be made available as R:. All users will be attached to R: but only those who are in particular groups can see into the directory associated with each group.

(Note: this requires corresponding settings in smb.conf and NETLOGON.BAT)

Create a directory we'll put separate sub-group directories in:
# mkdir /home/<organisation>/restricted

Change the group of the shared directory to the organisation group (so anyone can connect to R:):
# chgrp <organisation>-staff /home/<organisation>/restricted

Change permissions so that only the directory owner has full access and anyone in the organisation group can just access the directory (note that the owner will need to be the person to create each restricted group's directory):
# chmod 0750 /home/<organisation>/restricted

Shared Directories For Particular Sub-groups / Restricted Groups (If Any)

If you copied files here from the command line and their permissions are wrong for whatever reason, you can force them to be correct using the following:
chmod 0660 /home/<organisation>/restricted/<sub-group>/* -R
chmod 2770 /home/<organisation>/restricted/<sub-group>/*/
chmod 2770 /home/<organisation>/restricted/<sub-group>/*/*/
chmod 2770 /home/<organisation>/restricted/<sub-group>/*/*/*/
Carry on adding */ until it says there are no more files at that depth to operate on.
If you also lost their ownership because of, say, copying them from Windows formatted media or a Linux system with different users, you can set their owner to winuser and their group to the sub-group / restricted group using chown -R winuser.<sub-group> /home/<organisation>/restricted/<sub-group>/*
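The 'chmod .../*/*/' sequence used for the main shared directory above and for each restricted sub-group directory here can be replaced by a single pass with find. The function below is an added example, not part of the guide: it applies the guide's modes (0660 for files, 2770 or 3770 for directories) to a whole tree, optionally sets the group, and comes with a counter that reports how many entries still have the wrong mode. Because find hands paths to chmod in batches, it also sidesteps the 'Argument list too long' error mentioned above. The directory tree in the demo is constructed.

```shell
# Added example, not part of the guide: set the guide's modes on a copied tree
# in one pass with find instead of repeating 'chmod .../*/*/' per depth.
# Serves both /home/<organisation>/shared and each restricted sub-group directory.

fix_tree_perms() {
    # $1: directory (e.g. /home/<organisation>/shared or .../restricted/<sub-group>)
    # $2: directory mode, default 2770 (use 3770 for the sticky-bit variant)
    # $3: optional group to assign (e.g. <organisation>-staff or <sub-group>)
    dir=$1; dirmode=${2:-2770}
    [ -d "$dir" ] || { echo "fix_tree_perms: not a directory: $dir" >&2; return 1; }
    if [ -n "${3:-}" ]; then
        chgrp -R "$3" "$dir"
    fi
    # find -exec ... + batches the arguments, so there is no 'Argument list too long'
    find "$dir" -type d -exec chmod "$dirmode" {} +    # rwxrws--- (setgid keeps the group)
    find "$dir" -type f -exec chmod 0660 {} +          # rw-rw---- ; symlinks and devices are skipped
}

count_wrong_modes() {
    # $1: directory; $2: expected directory mode; $3: expected file mode
    # Prints how many entries do not have exactly the expected mode (0 = all correct)
    { find "$1" -type d ! -perm "$2"; find "$1" -type f ! -perm "$3"; } | wc -l | tr -d ' '
}

demo_fix_tree_perms() {
    # Constructed tree with the modes a cp/scp/FTP upload typically leaves (755/644)
    top=$(mktemp -d)
    mkdir -p "$top/shared/reports/2008" "$top/shared/templates"
    echo report > "$top/shared/reports/2008/q1.txt"
    echo template > "$top/shared/templates/letter.ott"
    chmod 755 "$top/shared" "$top/shared/reports" "$top/shared/reports/2008" "$top/shared/templates"
    chmod 644 "$top/shared/reports/2008/q1.txt" "$top/shared/templates/letter.ott"
    before=$(count_wrong_modes "$top/shared" 2770 0660)
    fix_tree_perms "$top/shared"
    after=$(count_wrong_modes "$top/shared" 2770 0660)
    rm -rf "$top"
    echo "$before $after"    # entries with a wrong mode before and after the fix
}

demo_fix_tree_perms
```

On the server, 'fix_tree_perms /home/<organisation>/shared 2770 <organisation>-staff' or 'fix_tree_perms /home/<organisation>/restricted/<sub-group> 2770 <sub-group>' replaces the chmod and chown steps above; run count_wrong_modes afterwards to confirm nothing was missed.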

Create groups for any sub-groups / restricted groups that are required, using a descriptive name (some examples are 'finance' for accounts and 'archive' for ex-staff home directories):
# addgroup <sub-group>

Create shared directories for any restricted sub-groups that might be required:
# mkdir /home/<organisation>/restricted/<sub-group>

Set the group of each sub-group directory to that sub-group:
# chgrp <sub-group> /home/<organisation>/restricted/<sub-group>

Change permissions so that only the owner and those in the same group can read, write and execute; new files and directories created within the shared directory inherit the group ownership from the containing directory (corresponding smb.conf settings: force create mode = 0660 and force directory mode = 2770):
# chmod 2770 /home/<organisation>/restricted/<sub-group>

Shared Database Files (Optional)

There is a commented-out share in smb.conf for sharing database files. This is based on the same settings as the main shared directory, but with level1 and level2 opportunistic locking (OpLocks) turned off. Some databases use a file that is shared amongst multiple concurrent users using the operating system and its filesystem to manage the sharing, rather than being a fully fledged database system operating over network sockets. Windows caches file reads and writes locally for improved performance, until another workstation asks for the file or it is finished with it. Windows' caching of files isn't robust, so for high integrity database files accessed by multiple people there is the [database] share. The oplocks settings allow us to trade performance for integrity, specifying that such files will be written to (level1 oplocks) and read (level2 oplocks) directly. Not only the obvious file-based databases such as Paradox, OpenOffice, Microsoft Access, etcetera, are worth hosting on this share, but also a shared version of Quickbooks, and Microsoft Outlook.

Create a directory for database files shared between everyone within the organisation (a T: for people in the organisation staff group):
# mkdir /home/<organisation>/database

We change the owner of the shared directory to winadmin later when we've created that user.

Change the group of the shared directory to the organisation group:
# chgrp <organisation>-staff /home/<organisation>/database

Change permissions on the database directory so that only the owner and members of the organisation group can read, write and enter it, and so that, via the setgid bit, new files and directories created inside it inherit its group (corresponding smb.conf settings: force create mode = 0660 and force directory mode = 2770):

# chmod 2770 /home/<organisation>/database

To use this you also have to uncomment the corresponding [database] share in smb.conf and T: section in netlogon.bat.

Further Reading

This is very descriptive: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/locking.html

http://en.wikipedia.org/wiki/Opportunistic_Locking

http://oreilly.com/catalog/samba/chapter/book/ch05_05.html

benchmark tool: http://www.drouillard.biz/Tips&Tricks/Samba/Oplocks.htm

Windows Programs Installed On Server (Optional)

Create directory:
mkdir /usr/windows-programs

Set permissions:
chgrp samba-domain-admins /usr/windows-programs
chmod 2774 /usr/windows-programs

Actually Installing programs on the Server

TODO... but I never do this these days anyway...

Directly Copying Programs to the Server

TODO... but I never do this these days anyway...

Windows Logon Script

Windows Logon Script Directory

Create directory:
mkdir /home/samba/netlogon

Set permissions so that anyone can access the directory:
chgrp samba-domain-admins /home/samba/netlogon
chmod 2777 /home/samba/netlogon

NETLOGON.BAT

This logon script uses TWEAK (Unattended), available from thegoldenear.org/tweak/; it is an automated version of TWEAK for user configuration.

Here is an example logon script:

:: ###########################################
:: NETLOGON.BAT - Windows logon script
:: Version 2.2.0
::
:: For explanation and changelog see
:: http://thegoldenear.org/toolbox/unices/samba-3-pdc-print-server-debian-etch.html#smb.conf
:: This file needs Windows CR+LF newline format in order to work. If created
:: in Linux then use 'flip -m NETLOGON.BAT' to convert. If created in Windows
:: then subsequent editing in Linux's nano editor will auto save in CR+LF.
::
:: Uncomment P:, R:, T: or LPT1 in here and in smb.conf in order to use them.
:: ###########################################

:: H: is made by smb.conf, no need to include it here

:: P: for programs that are run from space on the server
:: (I don't use this but it's there if you need it)
:: net use P: \\server\programs

:: S: for shared area for everyone in the <ORGANISATION>-staff group
net use S: \\server\shared

:: R: for shared area only for restricted sub-groups
:: net use R: \\server\restricted

:: T: for shared non-cached database
:: net use T: \\server\database

:: Sync the workstation's time to that of the file-server
:: (requires permission be set for Limited accounts to change the time)
net time \\server /set /yes

:: Make connections to any printer(s)
:: net use LPT1: "\\SERVER\<printer name>"

:: Create temporary directories for %USERNAME% on TEMP partition
if not exist "D:\%username%" md "D:\%username%"
if not exist "D:\%username%\windows" md "D:\%username%\windows"
if not exist "D:\%username%\ie" md "D:\%username%\ie"
if not exist "D:\%username%\ie\Temporary Internet Files" md "D:\%username%\ie\Temporary Internet Files"
if not exist "D:\%username%\firefox" md "D:\%username%\firefox"
if not exist "D:\%username%\mozilla" md "D:\%username%\mozilla"
if not exist "D:\%username%\java" md "D:\%username%\java"
if not exist "D:\%username%\nero" md "D:\%username%\nero"
if not exist "D:\%username%\audacity" md "D:\%username%\audacity"

:: %USERPROFILE%\Start Menu\Programs\startup\desktop.ini, which is created by
:: our setting a view mode in Windows Explorer, combined with setting .ini
:: files to open in a text editor, causes desktop.ini to open in the text editor
:: on login for some people. So delete some desktop.ini files.
del "%USERPROFILE%\Start Menu\desktop.ini"
del "%USERPROFILE%\Start Menu\Programs\desktop.ini"
del "%USERPROFILE%\Start Menu\Programs\startup\desktop.ini"
del "%USERPROFILE%\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini"

:: Housekeeping - delete Windows profile directories left behind by software apps we no longer use
rmdir /S /Q "%USERPROFILE%\.gimp-2.2"
rmdir /S /Q "%USERPROFILE%\.gimp-2.4"
rmdir /S /Q "%USERPROFILE%\.gimp-2.6"
rmdir /S /Q "%APPDATA%\.gaim"
rmdir /S /Q "%APPDATA%\FRISK Software"
rmdir /S /Q "%APPDATA%\OpenOffice"
rmdir /S /Q "%APPDATA%\OpenOffice.org"
rmdir /S /Q "%APPDATA%\OpenOffice.org2"
rmdir /S /Q "%APPDATA%\KompoZer"

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: This section allows automated user configuration to be performed using other scripts.
:: The example framework for doing this uses batch files from TWEAK (Unattended)
:: (http://thegoldenear.org/tweak/)

:: Create a drive mapping to the Windows admin area on the server and change to the
:: directory with the scripts so those scripts can access files in relative paths.
net use W: \\server\windows-admin /persistent:no
W:
cd "\tweak-unattended"

:: When rolling out this automated config for the first time, if you have existing users who're already
:: configured, *temporarily* uncomment mark-all-user-config-as-done.bat so it can mark everyone that logs
:: in as having been configured. Later, user-config-rcs-if-not-already-done.bat 
:: won't configure anything for them.
:: (You can alter mark-all-user-config-as-done.bat so that some config is applied and not other config.)
:: IF EXIST "mark-all-user-config-as-done.bat" call "mark-all-user-config-as-done.bat"

:: ---- Put user config here required by each new iteration of your software suite ----
:: E.g. this will induce user-config-rcs-if-not-already-done.bat to replace everyone's desktop shortcuts
:: IF NOT EXIST "%USERPROFILE%\RCS36-CONFIG-DONE" del "%USERPROFILE%\tweak-log\refresh-user-shortcuts.log"
:: IF NOT EXIST "%USERPROFILE%\RCS36-CONFIG-DONE" mkdir "%USERPROFILE%\RCS36-CONFIG-DONE"
:: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:: Apply all config required (in this case for a Roaming Computing System user account):
IF EXIST "user-config-rcs-if-not-already-done.bat" call "user-config-rcs-if-not-already-done.bat"

:: Lose the temporary drive mapping
net use W: /delete /no
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: For debugging purposes, uncomment the pause
:: pause
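As an added example (not from the original page or from TWEAK), this Python snippet does the check the header of the script above asks for: it reports which line endings a NETLOGON.BAT file actually has and normalises them to CR+LF, the job 'flip -m' performs in the guide. The sample bytes are a constructed excerpt of the script saved with Unix endings.

```python
CRLF, LF = b"\r\n", b"\n"


def line_ending_report(data: bytes) -> dict:
    """Count the line endings in a batch file.  cmd.exe expects CR+LF; a file
    written on Linux with bare LF endings is the failure mode the guide's
    'flip -m' step exists to avoid."""
    crlf = data.count(CRLF)
    bare_lf = data.count(LF) - crlf           # LF not preceded by CR
    bare_cr = data.count(b"\r") - crlf        # CR not followed by LF (old Mac style)
    return {"crlf": crlf, "bare_lf": bare_lf, "bare_cr": bare_cr,
            "ok": bare_lf == 0 and bare_cr == 0}


def to_crlf(data: bytes) -> bytes:
    """Normalise every line ending to CR+LF.  Idempotent: input that is
    already CR+LF comes back byte-for-byte unchanged."""
    unified = data.replace(CRLF, LF).replace(b"\r", LF)   # collapse everything to LF first
    return unified.replace(LF, CRLF)


# Constructed excerpt of the logon script, as it would look saved from a Unix editor.
SAMPLE_LF = (b":: NETLOGON.BAT - Windows logon script\n"
             b"net use S: \\\\server\\shared\n"
             b"net time \\\\server /set /yes\n")

if __name__ == "__main__":
    print("before:", line_ending_report(SAMPLE_LF))
    fixed = to_crlf(SAMPLE_LF)
    print("after: ", line_ending_report(fixed))
```

To use it on a real file, read the file in binary mode ('rb'), pass the bytes to line_ending_report, and if ok is False write to_crlf(data) back in binary mode; reading or writing in text mode would let Python translate the endings itself and defeat the check.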

Prepare it in one of two ways:

NETLOGON.BAT Changelog

References

The Official Samba-3 HOWTO and Reference Guide: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/

Samba documentation site: http://wiki.samba.org/

This has some info on Windows XP's differences when joining a domain: http://www.wlug.org.nz/SambaAsPDC

Samba 3 release notes: http://www.samba.org/samba/history/samba-3.0.0.html

HOWTO implement Samba as your PDC: http://gentoo-wiki.com/HOWTO_Implement_Samba_as_your_PDC

For smb.conf settings see the man page (use man smb.conf) or http://samba.org/samba/docs/man/manpages-3/smb.conf.5.html.

Samba-3 by Example - Practical Exercises in Successful Samba Deployment - John H. Terpstra: http://us4.samba.org/samba/docs/man/Samba-Guide/

File System Permissions at Wikipedia: http://en.wikipedia.org/wiki/File_system_permissions

User Accounts

Domain Administrators - 'winadmin'

Members of the group 'Domain Admins' are granted administrator privileges within the domain and on the workstation when they login to the domain from Windows.

The first person to add is our Windows administrative user 'winadmin':
net rpc user add winadmin -U root

Set winadmin's password:
net rpc user password winadmin "<password>" -U root

There is a bug whereby accounts created with net rpc user add are disabled and need enabling, so do that:
smbpasswd -e winadmin

Samba will automatically create the Windows profile directory, making the user whose profile it is the owner and setting the group to users. However, with our current smb.conf settings you don't have permission to save your profile there when you log out, so the smb.conf settings need to be changed to deal with this (when you log in again it is fine). For now we do this:

Give winadmin access to shared files on S:
adduser winadmin <organisation>-staff

To add users to a Windows group we use the syntax 'net rpc group addmem "<Windows group>" <username>'. It uses the smb.conf setting add user to group script. Using this, make winadmin a Domain Administrator:
net rpc group addmem "Domain Admins" winadmin -U root

Henceforth you can use the winadmin account for domain administration, such as joining a workstation to a domain, rather than the root account.

Limited - 'winuser' and Other User Accounts

Regular Windows domain (and thus Samba) accounts are Limited accounts, not in the Administrators or Power Users groups. All your user accounts should be of this type for massively increased security.

Use a consistent naming convention for your organisation's user accounts. Examples are first name; first name and first letter of surname; or role name.

As well as accounts for specific individuals, it may be useful to have 'volunteer' for trusted volunteer staff, with access to S:; and 'visitor' for untrusted people who drop in (an account called guest isn't allowed) without access to S:.

Create the winuser account (for testing and for WPKG (see later)) and any other user accounts you require using the following:
net rpc user add winuser -U root
net rpc user password winuser "<password>" -U root
smbpasswd -e winuser
mkdir /home/samba/profiles/winuser
chown winuser /home/samba/profiles/winuser

(If you were to script the above, to save any interaction during the script you should append the net rpc user commands with %<root password>.)

Groups

If they're to have access to shared files on S: (in Unix /home/samba/<organisation>/shared or in Windows \\server\shared) add them to the organisation's group, otherwise they only have their home directory (H:):
adduser winuser <organisation>-staff
(Note that users without access to S: will be prompted for logon credentials to S: when they login, which they can disregard by pressing [Enter])

If they're to have access to any restricted sub-groups on R: (in Unix /home/samba/<organisation>/restricted or in Windows \\server\restricted) add them to any of those specific groups, individually:
adduser winuser <sub-group>

Reference: http://samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#sbeuseraddn

(Note that if you choose to use the above to write a script to create accounts for your specific users (which is more efficient and less error prone), then to save manually entering the password each time, append commands that use '-U root' with '-U root%<password>' instead)

Power User accounts

Power User accounts are a feature of the Windows workstation, not the Samba server, see Power Users in the workstation section.

Windows Workstations and the Samba Domain Controller

Requirements

The Windows operating systems that will work in this environment are Windows 2000 Professional and Windows XP Professional. Windows XP Home, by design, will not join a domain. I don't have experience of it but I _suspect_ Windows Vista Business and Windows Vista Ultimate will work; Windows Vista Home Basic and Windows Vista Home Premium will not.

Client for Microsoft Networks.

NetBIOS over TCP/IP.

Disable LMHOSTS.

Set the WINS server address. This is most efficiently done by specifying the WINS server on your DHCP server so workstations get it automatically, but otherwise you can set it manually.
(Note that WINS requires the 'remote registry service' be running in order to function)

Join the Domain

You can do this during Windows installation. If instead you already have Windows installed, follow this procedure:

Login to the local machine as an administrative user.

Start → Control Panel → System → Network Identification → Properties → Member of → Domain - enter the domain name and choose 'OK'.

You should be prompted for a username and password with which to authenticate with the server. Enter the username winadmin and the corresponding password.

Now you can login to the domain with user accounts you've already created. Windows will automatically create a user profile on the workstation and copy it to the server when you log out. This same profile is then available at any other workstation that's joined to this domain.

Login

When you login from a workstation, Windows will automatically create the user profile for you.

Windows Configuration

Our TWEAK tool incorporates most of the following settings, and more worthwhile settings for Windows workstations.

Synchronised time. We want the time on workstations to be synchronised with time on the server. The net time \\server /set /yes in the logon script and the time server = yes in smb.conf facilitate this but Restricted / Limited users aren't allowed to change the time in Windows. To change permissions so that all authenticated users are allowed to change the time:
Control Panel → Administrative Tools → Local Security Policy → Local Policies → User Rights Assignment → Change the system time → double-click → Add → choose Authenticated Users → Add → OK → OK
(Note: does anyone know the corresponding registry setting?)

Remove the Recycle Bin from the desktop. In an environment where people save files on the server it leads people into a false sense of security to have a visible recycle bin because deleting a file from the server just deletes it. Windows doesn't copy deleted files across the network to the local recycle bin.
To remove the recycle bin, remove this registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\Namespace\{645FF040-5081-101B-9F08-00AA002F954E}

Log users off when their roaming profile fails:
Group Policy → Local Computer Policy → Computer Configuration → Administrative Templates → System → Logon → Log users off when their roaming profile fails
This is the corresponding registry setting:
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\ProfileErrorAction = 00000001 (DWORD)

Power Users

Well-Known Entity: Builtin Power Users
RID: 547
SID: S-1-5-32-547
Our Unix Group: n/a
Type (domain/local/builtin): Alias, builtin
Purpose: can create local users and groups; modify and delete accounts that they have created; remove users from the Power Users/Users/Guests groups; install programs; create, manage, and delete local printers; create and delete file shares.
Essential for Samba?: No

"When a Windows NT4/2000/XP client joins a domain, the domain global Domain Admins group is added to the membership of the local Administrators group on the client. Any user who is a member of the domain global Domain Admins group will have administrative rights on the Windows client. This is often not the most desirable solution because it means that the user will have administrative rights and privileges on domain servers also. The Power Users group on Windows client workstations permits local administration of the workstation alone. The Power Users group is a group that is local to each Windows 2000/2003/XP Professional workstation. Any domain global user or domain global group (i.e. Domain Users) can be added to the membership of the local workstation group Power Users."

"Because the Power Users group exists on the Windows workstation, you don't add people to it in the way we assign rights, groups and relative identifiers. It must be done in one of the following ways:"

It's also possible to add everyone in the domain's Domain Users group to the Windows workstation's Power Users group.

Note, when using the Windows GUI on the workstation, do not use Control Panel → User Accounts → Add... → enter 'User name' and 'Domain' → Next → Other → Power Users.

Domain Account Password Change

Users can change their domain account password through normal means on their Windows workstation, such as ctrl+alt+del → Change Password.

Mac OS X Workstations and the Samba Domain Controller

In theory Mac OS X workstations should be able to login to the domain. I know no more than that. Mac OS X includes Samba. The later the version of OS X you have the more likely this will work as the version of Samba included is constantly updated.

Printing

CUPS

Packages

CUPS Print Queues

Set up CUPS print queues as described in 'Server Setup with Debian 4.0 'Etch''.

CUPS Permissions

If Samba runs on the same host as CUPS, you only need to allow localhost to print. If you want to run something like cupsaddsmb from a remote computer you'll need to set permissions accordingly in the <Location /printer> section of cupsd.conf. Similarly if Samba and CUPS run on different machines you'll need to make sure the Samba host gets access to printing on CUPS.

If you need to, set up CUPS sharing / serving as described in 'Server Setup with Debian 4.0 'Etch''.

Samba

smb.conf Additions for Printer Serving

(We do not set up Samba for raw CUPS printing, where a specific driver for each printer is installed on each workstation and clients print as though to a directly attached printer, to a raw queue, with CUPS not converting documents but passing them on in their raw, binary form to the printer. That would require 'application/octet-stream' in /etc/cups/mime.types, 'application/octet-stream application/vnd.cups-raw 0 -' in /etc/cups/mime.convs, and 'raw queue' and 'client driver' settings in smb.conf. We don't do this because the alternative gives us simplified driver installation on clients, avoids the risk of running buggy drivers in NT kernel mode compared with a very well tested, stable PostScript driver, and lets us get statistics or apply quotas on printing.)

This part goes in the [global] section of the Samba configuration file /etc/smb.conf, replacing 'printcap name = /dev/null' and 'load printers = no':

########## Printing ##########

# Also see [printers], [print$] and any printer-specific shares further on

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = yes

# CUPS printing. CUPS should take over the print jobs for this share.
# See also the cupsaddsmb(8) manpage in the cupsys-client package.
# With 'printing' enabled, any (otherwise manually) set print command in smb.conf is ignored.
# ('printcap' is a synonym for 'printcap name')
   printing = cups
   printcap name = cups

# When using [print$], root is implicitly a 'printer admin', but you can
# also give this right to other users to add drivers and set printer
# properties
   printer admin = root, @lpadmin

This part goes after the [global] section and before the [homes] section of the Samba configuration file /etc/smb.conf:

#------------ Printer shares ---------------
[printers]
# Printing defaults for all printers unless they're specified explicitly
# Printing for authenticated users, not guests.
# If you want unauthenticated printing set 'guest ok = yes / public'
   comment = All Printers
   printable = yes
   writable = yes
   browseable = yes
   public = yes
   # public should probably be no

   # Incoming spool directory.
   # Print jobs go from here to spool directory of Unix print subsystem, i.e. /var/spool/cups.
   # This directory needs to be created.
   path = /var/spool/samba
   # 666 is liberal so anyone can print; it may be better to tighten it and set a group on the directory
   create mode = 666

   printer admin = @lpadmin


[print$]
# Windows printer driver location.
# Windows clients look for this share name as a source of downloadable printer drivers.
   comment = Printer Drivers
   path = /var/lib/samba/printers
   # location of drivers; make sure it's writable by users in write list and read/executable by others.
   browseable = yes
   read only = yes
   guest ok = no
   # Allow remote administration of Windows print drivers.
   # For users to use cupsaddsmb, they need to be represented in this write list.
   write list = root, @lpadmin
   # if you want to use root with this setting then don't have 'invalid users = root' in [global]

Rights, groups, relative identifiers and domain administrators

Unlike the other Unix groups, where we create a new group with a name and group ID corresponding to the Windows group, for print operators we use the already existing and functionally corresponding Unix group lpadmin. This additionally allows Print Operators to administer printers through the CUPS web interface.
Map the Windows builtin Print Operators group to the Unix lpadmin group:
net groupmap add ntgroup="Print Operators" unixgroup="lpadmin" sid="S-1-5-32-550" type=builtin -U winadmin

Assign appropriate privileges to the group:
net rpc rights grant lpadmin SePrintOperatorPrivilege -U winadmin

Create print administrators

The syntax to add people to the group is:
net rpc group addmem "Print Operators" <username> -U winadmin

Add our Windows administrator account to the print operators group:
adduser winadmin lpadmin
(When using net rpc group addmem "Print Operators" <username> -U winadmin, people don't get added to the lpadmin Unix group and so can't use the CUPS web interface; can they use the Windows interface instead?)

Can we add a group of users to the Print Operators group? Unix doesn't support nested groups (a group being a member of another group); supposedly Samba supports nested groups if you have winbind and NSS winbind (libnss_winbind) installed. (Adduser and net rpc group addmem, without winbind installed, don't complain when you add one group to another). I don't yet see how you can add a group of users to the Print Operators group.

How do we additionally allow users to be able to use the CUPS web interface? Adding users to the Samba/Windows Print Operators group doesn't add them to the Unix lpadmin group. I presume the Print Operators group works when the user is using the Windows printer administration interface, whereupon it maps through to lpadmin. Because of this, if you want users to be able to use the CUPS web interface you need to additionally add them to the Unix lpadmin group (can this be automated?).

To additionally allow users to use the CUPS web interface:
adduser <username> lpadmin

Now add any other users you want to be able to administer printers through either Windows or the CUPS web interface, one-by-one.

Directories and Permissions

Create the Samba incoming print job directory:
mkdir /var/spool/samba

Set liberal permissions on the directory:
chmod 0777 /var/spool/samba
(we could set the group ID on this directory instead)
(corresponding smb.conf setting: [printers] create mode = 666)

Create the Windows printer driver directory (cupsaddsmb expects to find them here):
mkdir /usr/share/cups/drivers

Set permissions on that directory such that it is readable by the user you're using cupsaddsmb with (probably a member of the Print Operators / lpadmin group):
chgrp lpadmin /usr/share/cups/drivers -R
chmod g+w /usr/share/cups/drivers -R

Make sure the Windows driver directory (and everything below it) is writable by the users specified by the smb.conf write list directive (and readable and executable by all users, but this is the default):
chgrp lpadmin /var/lib/samba/printers -R
chmod g+w /var/lib/samba/printers -R

Windows Drivers

CUPS drivers for Windows

Go to the software section of the CUPS web site at http://www.cups.org/windows/software.php and download the source package. Extract these files from the package: cups6.inf, cups6.ini, cupsps6.dll and cupsui6.dll.

Copy the driver files to the CUPS driver directory:
cp cups6.inf cups6.ini cupsps6.dll cupsui6.dll /usr/share/cups/drivers

Adobe drivers for Windows

This is the PostScript driver, not the PPD file. We recommend Adobe's because the Microsoft ones can be hard to find. Get the 'Adobe Universal PostScript Windows Driver Installer' from http://www.adobe.com/support/downloads/detail.jsp?ftpID=1500. Downloads are available for multiple spoken languages. At time of writing this is version 1.0.6; the English download is called winsteng.exe.
Extract it from the current directory to a temporary directory with 7-zip (first install the p7zip-full package):
7z x winsteng.exe -o/tmp/adobe-windows-postscript-drivers

It includes many files for various versions of Windows, these are the files for Windows 2000 and XP:

You want to choose files from those marked '*'. We don't want all the files because some equivalents are instead drawn from the CUPS drivers for Windows. Note that the Windows 2000 and XP files are not identical (the DLL files differ), so we recommend using the Windows 2000 drivers so you can cope with clients running either operating system, because you can only choose one of these two sets of drivers and "NT5 drivers are always NT5.1 compatible (NT 5.1 drivers are very rarely NT5 compatible, but they can be)".

Copy the driver files there:
cd /tmp/adobe-windows-postscript-drivers/Win2000
cp PSCRIPT.NTF PSCRIPT.HLP PSCRIPT5.DLL PS5UI.DLL /usr/share/cups/drivers

cupsaddsmb needs the driver filenames to be lowercase, so convert them:
rename 'y/A-Z/a-z/' /usr/share/cups/drivers/*

CUPS drivers

PPD files for each non-PostScript printer

Make sure the PPD file is in the /usr/share/cups/model directory (not a sub-directory below there).

These you should have gotten when you configured CUPS earlier when following the document 'Server Setup with Debian 4.0 'Etch''. If the PPD file isn't available in a Debian package then see if it can be downloaded from http://linuxprinting.org/printer_list.cgi.

PPD files for each PostScript printer

Make sure the PPD file is in the /usr/share/cups/model directory (not a sub-directory below there).

These you should have gotten when you configured CUPS earlier when following the document 'Server Setup with Debian 4.0 'Etch''. If the PPD file isn't available in a Debian package then see if it can be downloaded from http://linuxprinting.org/printer_list.cgi, and if not from there try the printer's manufacturer.

Enabling Windows drivers

Note: these instructions currently only cover Windows 2000/XP/2003 clients. It wouldn't take much to add printing support for Windows 95/98/Me by choosing additional driver files from Adobe (not Microsoft); also bear in mind the CUPS drivers themselves are not available for Windows 95/98/Me so the Adobe (not Microsoft) portion must be used in place of them.

Use cupsaddsmb to automate transferring the PostScript driver files and each printer's PPD file from CUPS to Samba's [print$] share, which is where Windows expects to find them for Point'n'Print (automatic download from the server and installation on the workstation), and to configure Samba using 'rpcclient adddriver' and 'rpcclient setdriver'. cupsaddsmb requires security = user in the smb.conf [global] section.

Export a specific printer (in verbose mode so we can see if it failed at anything):
cupsaddsmb -U winadmin -v <printer>

Export all known printers (in verbose mode so we can see if it failed at anything): cupsaddsmb -U winadmin -v -a

Here's an example of cupsaddsmb in use:

server:/usr/share/cups/drivers# cupsaddsmb -v lamlash -U winadmin
Password for winadmin required to access localhost via SAMBA:
Running command: smbclient //localhost/print\$ -N -U'winadmin%winadmin' -c 'mkdir W32X86;\
put /var/spool/cups/tmp/454a0f9a251b7 W32X86/lamlash.ppd;put /usr/share/cups/drivers/ps5ui.dll W32X86/ps5ui.dll;\
put /usr/share/cups/drivers/pscript.hlp W32X86/pscript.hlp;put /usr/share/cups/drivers/pscript.ntf W32X86/pscript.ntf;\
put /usr/share/cups/drivers/pscript5.dll W32X86/pscript5.dll'
Domain=[ORGANISATION] OS=[Unix] Server=[Samba 3.0.14a-Debian]
NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86
putting file /var/spool/cups/tmp/454a0f9a251b7 as \W32X86/lamlash.ppd (946.0 kb/s) (average 946.0 kb/s)
putting file /usr/share/cups/drivers/ps5ui.dll as \W32X86/ps5ui.dll (2540.0 kb/s) (average 1956.8 kb/s)
putting file /usr/share/cups/drivers/pscript.hlp as \W32X86/pscript.hlp (541.4 kb/s) (average 1441.1 kb/s)
putting file /usr/share/cups/drivers/pscript.ntf as \W32X86/pscript.ntf (1402.3 kb/s) (average 1409.6 kb/s)
putting file /usr/share/cups/drivers/pscript5.dll as \W32X86/pscript5.dll (1259.1 kb/s) (average 1357.1 kb/s)

Running command: rpcclient localhost -N -U'winadmin%winadmin' -c 'adddriver "Windows NT x86" \
"lamlash:pscript5.dll:lamlash.ppd:ps5ui.dll:pscript.hlp:NULL:RAW:pscript.ntf"'
Printer Driver lamlash successfully installed.

Running command: rpcclient localhost -N -U'winadmin%winadmin' -c 'setdriver lamlash lamlash'
Succesfully set lamlash to driver lamlash.

References

Chapter 22 of The Official Samba-3 HOWTO and Reference Guide, CUPS Printing Support - Advanced Configuration, describes in detail every aspect of CUPS support in Samba and how it works that you will likely want to know, in a very readable manner that enables you to have a complete understanding of the topic from a system administrator's standpoint: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/CUPS-printing.html#id2645046

Windows and the Print Server

Windows printer driver settings

Configure PostScript drivers as administrator before users add the printer for themselves.

Note: don't get the following menu options confused with the per-user settings in Start → Settings → Printers → right-click on the printer → Printing Preferences or Start → Settings → Printers → right-click on the printer → Properties → General → Printing Preferences.

Start → Settings → Printers → right-click on the printer → Properties → Advanced →

Users already connected to the printer may need their own comparative settings changing in ?.

From http://samba.org/samba/docs/man/Samba-HOWTO-Collection/CUPS-printing.html#cups-avoidps1.

Windows Administration Area

Samba Settings

These are the Samba settings you need to add at the bottom of the smb.conf file:

[windows-admin]
   comment = Windows administration and package deployment
   path = /usr/windows-admin
   read only = yes
   browseable = yes
   write list = @samba-domain-admins
   # New files created here are forced to have these permissions
   force create mode = 0660
   # New directories created here are forced to have these permissions
   force directory mode = 2770

Restart Samba:
/etc/init.d/samba restart
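As an added example serving the [database], printer and [windows-admin] shares described in this guide (not the page's or Samba's own code), this Python script is a minimal smb.conf reader plus an audit of the settings those sections rely on: guest access on a printable or writable share, a writable [print$], oplocks left on for the database share, and values that carry an inline ';' or '#' comment, which Samba does not strip because it only recognises comments at the start of a line. The configuration it reads is constructed from the share fragments in this guide; the workgroup name and the database path are assumed.

```python
import re

# smb.conf fragment constructed from the shares this guide describes.  The
# inline ';' comment on 'create mode' is included deliberately: Samba treats
# '#' and ';' as comments only at the start of a line.
SAMPLE_SMB_CONF = """
[global]
   workgroup = ORGANISATION
   security = user
   printing = cups
   printcap name = cups
   load printers = yes

[printers]
   comment = All Printers
   printable = yes
   writable = yes
   public = yes
   path = /var/spool/samba
   create mode = 666 ; this is liberal so anyone can print

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   read only = yes
   guest ok = no
   write list = root, @lpadmin

[database]
   path = /home/ORGANISATION/database
   read only = no
   oplocks = no
   level2 oplocks = no

[windows-admin]
   comment = Windows administration and package deployment
   path = /usr/windows-admin
   read only = yes
   write list = @samba-domain-admins
   force create mode = 0660
   force directory mode = 2770
"""


def _key(name: str) -> str:
    # Samba compares parameter names case-insensitively and ignores whitespace.
    return "".join(name.lower().split())


def parse_smb_conf(text: str) -> dict:
    """Minimal reader: [section] headers and 'name = value' lines; lines that
    start with '#' or ';' are comments.  Returns {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)
            conf[section][_key(name)] = value.strip()
    return conf


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def is_writable(params: dict) -> bool:
    """Resolve 'read only' and its inverse synonyms; Samba's default is read only."""
    if "readonly" in params:
        return not _yes(params["readonly"])
    for syn in ("writable", "writeable", "writeok"):
        if syn in params:
            return _yes(params[syn])
    return False


def audit(conf: dict) -> list:
    """Return (section, message) findings for the settings this guide cares about."""
    findings = []
    for section, params in conf.items():
        for key, value in params.items():
            if re.search(r"\s[;#]", value):
                findings.append((section, f"'{key}' = '{value}' contains an inline comment, which Samba does not strip"))
        guest = _yes(params.get("guestok", params.get("public", "no")))
        if guest and _yes(params.get("printable", "no")):
            findings.append((section, "guest (unauthenticated) printing is allowed"))
        elif guest and is_writable(params):
            findings.append((section, "guest access combined with write access"))
    if "print$" in conf and is_writable(conf["print$"]):
        findings.append(("print$", "driver share must be read only; grant driver admins access via 'write list'"))
    if "database" in conf:
        for key in ("oplocks", "level2oplocks"):
            if _yes(conf["database"].get(key, "yes")):      # Samba's default is yes
                findings.append(("database", f"'{key}' should be no for a file-shared database"))
    return findings


if __name__ == "__main__":
    for section, message in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] {message}")
```

Run against the constructed sample it reports two things about [printers]: the inline comment riding on create mode, and guest printing. To check a live server, read /etc/samba/smb.conf (or wherever your smb.conf lives) into parse_smb_conf instead of the sample string; testparm remains the authoritative parser and should still be run after any change.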

Directories

Create a directory for software deployment tools:
mkdir /usr/windows-admin

Make the directory a member of the group samba-domain-admins / Windows Domain Admins, rather than root:
chgrp samba-domain-admins /usr/windows-admin

Set permissions to additionally give samba-domain-admins write access and so that new files and directories will be owned by the samba-domain-admins group (note that WPKG uses the winuser account to access the packages here); permissions will then be rwxrwsr-x:
chmod g+wxs /usr/windows-admin

Make a directory for Windows administration tools (i.e. JkDefrag, CloneZilla, GParted Live):
mkdir /usr/windows-admin/tools

Set permissions to additionally give samba-domain-admins write access; permissions will then be rwxrwsr-x:
chmod g+w /usr/windows-admin/tools

Make a directory for storing workstation clone images (i.e. from CloneZilla) in:
mkdir /usr/windows-admin/images

Set permissions to additionally give samba-domain-admins write access, and people other than root and members of samba-domain-admins no access; permissions will then be rwxrws---:
chmod g+w,o-rx /usr/windows-admin/images
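As an added check (not from the guide), this Python snippet rebuilds the directory layout this guide creates under a temporary root, applies the modes its chmod commands produce, then walks the tree and reports every directory that is world-writable without the sticky bit, since such a directory lets any local Unix account create, rename or delete entries in it regardless of who owns them. The modes in GUIDE_MODES are the ones the guide sets; the scratch root and the 022 umask are assumptions made for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Directory modes taken from the chmod commands in this guide, rebuilt under a
# scratch root so the audit never touches the real system.  /usr/windows-admin
# is 2775, the result of 'chmod g+wxs' on a default 0755 directory.
GUIDE_MODES = {
    "home/samba/netlogon": 0o2777,
    "var/spool/samba": 0o0777,
    "usr/windows-programs": 0o2774,
    "usr/windows-admin": 0o2775,
    "usr/windows-admin/tools": 0o2775,
    "usr/windows-admin/images": 0o2770,
}


def audit_tree(root: str) -> list:
    """Return (relative path, message) for every directory under root that
    any local account can write to and that lacks the sticky bit."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                rel = os.path.relpath(full, root)
                findings.append((rel, f"world-writable without sticky bit (mode {mode:04o})"))
    return sorted(findings)


def build_and_audit(modes: dict = GUIDE_MODES) -> list:
    """Recreate the layout in a temporary root, apply the modes, audit, clean up.
    A umask of 022 is assumed for the intermediate directories makedirs creates."""
    old_umask = os.umask(0o022)
    root = tempfile.mkdtemp(prefix="mode-audit-")   # scratch location, constructed
    try:
        for rel, mode in modes.items():             # parents listed before children
            path = os.path.join(root, rel)
            os.makedirs(path, exist_ok=True)
            os.chmod(path, mode)
        return audit_tree(root)
    finally:
        shutil.rmtree(root)
        os.umask(old_umask)


if __name__ == "__main__":
    for rel, message in build_and_audit():
        print(f"/{rel}: {message}")
```

On the guide's layout the audit lists the netlogon directory (2777) and the Samba spool directory (0777). Whether that is acceptable depends on who has local Unix accounts on the server; the logon script in the netlogon directory is executed by every workstation at login, so it is the one most worth re-checking. To audit the real server, call audit_tree("/") or a narrower path such as audit_tree("/home/samba").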

Copy An Existing Tools Directory From Another Machine (Optional)

You can copy an existing tools directory from another machine, using the command-line, across a network, to a new server.

Either copy from a machine you're currently logged in to with a tools directory, to a remote new server:
scp -rqv /usr/windows-admin/tools/* root@<new server name or IP>:/usr/windows-admin/tools/
Or copy from a remote machine with a tools directory, to a new server you're currently logged in to:
scp -rqv root@<machine with tools name or IP>:/usr/windows-admin/tools/* /usr/windows-admin/tools/

Set permissions on the files you copied:
chmod g+w /usr/windows-admin/tools -R

Set the group owner to samba-domain-admins as it's useful to be able to work with these files whilst logged into Windows as winadmin:
chgrp samba-domain-admins /usr/windows-admin/tools -R

Windows software deployment

WPKG - Windows Package Management

"WPKG is an automated software deployment, upgrade and removal program for Windows. It can be used to push/pull software packages, such as Service Packs, hotfixes, or program installations from a central server (for example, Samba or Active Directory) to a number of workstations. It can run as a service to install software in the background (silent install), without user interaction."

Directories

Create a directory for WPKG:
mkdir /usr/windows-admin/wpkg

Create a directory for WPKG packages:
mkdir /usr/windows-admin/wpkg/packages

Create a directory for tools to use with WPKG package management:
mkdir /usr/windows-admin/wpkg/tools
We keep things in here such as unzip.exe, which is used when installing Firefox and Thunderbird extensions / add-ons.

Set permissions to additionally give samba-domain-admins write access; permissions will then be rwxrwsr-x (allowing WPKG to use the winuser account to access package installers here):
chmod g+w /usr/windows-admin/wpkg -R
(If you'd created these directories by connecting from Windows via Samba then this would have already been the case but we're connecting through Unix)
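As an added check, not part of the original guide, the following POSIX shell script audits the /usr/windows-admin tree built in the steps above (the tools, images and wpkg directories) against the modes and group ownership those steps set, and flags anything under images/ that is readable by everyone, since clone images contain whole workstation disks. It assumes GNU coreutils (stat -c); the function names check_one and check_windows_admin_tree are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit the /usr/windows-admin
# tree against the layout the guide sets up. Assumes GNU coreutils (stat -c).
#
# Expected (octal includes the setgid bit, which makes the group propagate):
#   ROOT          2775  rwxrwsr-x   group samba-domain-admins
#   ROOT/tools    2775  rwxrwsr-x
#   ROOT/images   2770  rwxrws---   clone images: no access for 'other'
#   ROOT/wpkg     2775  rwxrwsr-x

# check_one PATH OCTAL GROUP: prints one status line, returns 0 when both match
check_one() {
    path=$1; want_mode=$2; want_group=$3
    if [ ! -d "$path" ]; then
        echo "MISSING   $path"
        return 1
    fi
    have_mode=$(stat -c '%a' "$path")
    have_group=$(stat -c '%G' "$path")
    status=0
    if [ "$have_mode" != "$want_mode" ]; then
        echo "BADMODE   $path has $have_mode, want $want_mode"
        status=1
    fi
    if [ "$have_group" != "$want_group" ]; then
        echo "BADGROUP  $path is $have_group, want $want_group"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK        $path ($have_mode $have_group)"
    return "$status"
}

# check_windows_admin_tree ROOT [GROUP]: returns the number of failed checks
check_windows_admin_tree() {
    root=$1; group=${2:-samba-domain-admins}
    failures=0
    check_one "$root"        2775 "$group" || failures=$((failures + 1))
    check_one "$root/tools"  2775 "$group" || failures=$((failures + 1))
    check_one "$root/images" 2770 "$group" || failures=$((failures + 1))
    check_one "$root/wpkg"   2775 "$group" || failures=$((failures + 1))
    # Anything under images/ with the 'other' read bit (-004) exposes image data
    leaks=$(find "$root/images" -perm -004 2>/dev/null | wc -l | tr -d ' ')
    if [ "$leaks" -gt 0 ]; then
        echo "WORLDREAD $leaks entries under $root/images are readable by everyone"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Usage: check_windows_admin_tree /usr/windows-admin
```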

Configure WPKG

Download WPKG ('server') and save to /usr/windows-admin/wpkg/

Download WPKG Client installer and save to /usr/windows-admin/wpkg/ so it can be manually installed on workstations from \\server\windows-admin\wpkg\WPKG Client\

Write your own packages.xml, profiles.xml and hosts.xml files and save them to /usr/windows-admin/wpkg/

Save various application installers in their own directories in /usr/windows-admin/wpkg/packages/

Save any application-specific installer configuration files with their application installers in /usr/windows-admin/wpkg/packages/.

Delete WPKG's 'hosts' and 'profiles' directories (in /usr/windows-admin/wpkg/) so that the room1 and room2 sample XML files aren't processed on each workstation startup.

Save wpkg-client-settings.xml to \\server\windows-admin\wpkg\WPKG Client\ and insert your system's specific winuser password by installing WPKG Client onto one workstation, loading this file into it, adding the password manually then re-exporting the configuration over the copy of the file on the server. This will be manually loaded into WPKG Client during other workstation setup.

Copy An Existing WPKG Installation (Optional)

You can copy an existing WPKG installation, using the command-line, across a network, to a new server.

Either copy from a machine you're currently logged in to with an existing WPKG installation, to a remote new server:
scp -rqv /usr/windows-admin/wpkg/* root@<new server name or IP>:/usr/windows-admin/wpkg/
Or copy from a remote machine with an existing WPKG installation, to a new server you're currently logged in to:
scp -rqv root@<machine with WPKG name or IP>:/usr/windows-admin/wpkg/* /usr/windows-admin/wpkg/

Set permissions on the files you copied (permissions on directories will then be rwxrwsr-x, permissions on files will then be rwxrw-r--):
chmod g+w /usr/windows-admin/wpkg -R

Set the group owner to be samba-domain-admins as it's useful to be able to work with these files whilst logged into Windows as winadmin:
chgrp samba-domain-admins /usr/windows-admin/wpkg -R

Maintenance

Keep a copy of the Samba domain SID, because if it changes for some reason then the workstations will need re-authenticating with the domain. You can display the domain SID using: net getlocalsid.

"All persistent tdb files should be regularly backed up. Use the tdbbackup utility to backup the tdb files. All persistent tdb files must be preserved during machine migrations, updates and upgrades." The tdb files live in /var/lib/samba/ and are account_policy.tdb, ntdrivers.tdb, ntprinters.tdb, secrets.tdb, group_mapping.tdb, ntforms.tdb, passdb.tdb, registry.tdb and share_info.tdb. The backup command might be tdbbackup *.tdb, I'm not yet sure. Alternatively you could just copy them somewhere.
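An added example, not from the original guide, of the backup the quotation calls for: it snapshots every .tdb file from a Samba private directory into a dated, root-only directory, stores the domain SID from net getlocalsid alongside when that command is available, and writes checksums so a later restore can be verified. It uses tdbbackup where the samba package provides it and falls back to a plain copy otherwise; the function names, argument layout and the sha256sum step are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the original guide: snapshot Samba's persistent
# tdb files (and the domain SID) so a rebuilt server can be restored with the
# same SID and accounts. Uses tdbbackup when the samba package provides it and
# falls back to a plain copy otherwise. sha256sum comes from GNU coreutils.
# Function names, arguments and the checksum step are this example's own.

# backup_samba_tdb SRC DEST: copies SRC/*.tdb into a dated directory under DEST,
# prints that directory's path, returns 1 if there was nothing to copy.
backup_samba_tdb() {
    src=$1; dest=$2
    snap="$dest/samba-tdb-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$snap" || return 1
    chmod 700 "$snap"      # secrets.tdb holds the machine trust and LDAP secrets
    count=0
    for f in "$src"/*.tdb; do
        [ -f "$f" ] || continue
        # tdbbackup writes FILE.bak after checking the database opens cleanly;
        # if it is missing or fails, fall back to a raw copy as the guide allows
        if command -v tdbbackup >/dev/null 2>&1 && tdbbackup "$f" >/dev/null 2>&1; then
            cp -p "$f.bak" "$snap/$(basename "$f")"
        else
            cp -p "$f" "$snap/"
        fi
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        rmdir "$snap" 2>/dev/null
        return 1
    fi
    # keep the domain SID with the snapshot (net getlocalsid, if Samba is installed)
    if command -v net >/dev/null 2>&1; then
        net getlocalsid > "$snap/domain-sid.txt" 2>/dev/null || true
    fi
    (cd "$snap" && sha256sum *.tdb > SHA256SUMS)
    echo "$snap"
}

# verify_samba_backup SNAP: returns 0 only if every .tdb still matches SHA256SUMS
verify_samba_backup() {
    (cd "$1" && sha256sum -c SHA256SUMS) >/dev/null 2>&1
}

# Usage: snap=$(backup_samba_tdb /var/lib/samba /var/backups/samba) && verify_samba_backup "$snap"
```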

Troubleshooting

Techniques for troubleshooting Samba permissions issues: 'Debugging Samba: Deciphering Access Denied by Jack Loftus' - http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1270003,00.html

Check you haven't made any basic syntactic errors in smb.conf: testparm.

Show open ports and whether they listen on just localhost or for remote connections: netstat -l -t -p

Users

List users: net rpc user (optionally giving a user to connect as with -U)

Info on a particular user: net rpc user info <name>

List a user's properties: pdbedit -c -u <username>

List users in a particular group, for example Domain Admins: net rpc group members "Domain Admins" -U <user to connect as>

List all users, including machine accounts, giving extended information: pdbedit -Lv

List all Unix accounts: getent passwd

List users in domain: wbinfo -u

List groups in domain: wbinfo -g

Test whether a particular user can connect to a Samba share: smbclient \\\\server\\shared -U <username>

Delete a user account: net rpc user delete <username>

If someone cannot access a shared directory, check they're in the correct Unix group, e.g. <organisation>-staff, with cat /etc/group.

Groups

List current group map: net groupmap list.

To delete a group mapping:
net groupmap delete ntgroup="<Windows group name>" -U winadmin
If you mistakenly have more than one with the same name but different SIDs then instead use:
net groupmap delete sid="<SID>" -U winadmin

Machines / Workstations

List all machine / workstation accounts (and user accounts) in a simple list: pdbedit -L

List all machine / workstation accounts (and user accounts) giving extended information: pdbedit -Lv

Delete a machine account: pdbedit --delete --machine -u <machine name>
(alternatively you can use pdbedit -x -u <machine name>)
This leaves an entry in /etc/passwd, which isn't removed by net rpc user delete, but is removed with userdel <machine name>$

Logging

tail -f /var/log/samba/log.<machine name> - see what's happening when users do things such as log in

tail -f /var/log/samba/log.nmbd - logs server side of things such as when joining the domain

tail -f /var/log/syslog

You can adjust the verbosity of Samba's log on quite a fine grain, using smb.conf's 'log level' setting with any of these parameters: all, tdb, printdrivers, lanman, smb, rpc_parse, rpc_srv, rpc_cli, passdb, sam, auth, winbind, vfs, idmap, quota, acls, locking, msdfs, dmapi, registry. For example 'log level = 3 passdb:5 auth:10 winbind:2'. The default log level is 0.

Miscellaneous

"Check if Samba 'sees' the printer, for example either this way:
# rpcclient transmeta -N -U'root%password' -c 'enumprinters 0' | grep ir85wm
Or this way:
# rpcclient transmeta -N -U'root%password' -c 'getprinter ir85wm'
cmd = getprinter ir85wm
flags:[0x800000]
name:[\\transmeta\ir85wm]
description:[\\transmeta\ir85wm,ir85wm,DPD]
comment:[CUPS PostScript-Treiber for Windows NT/200x/XP]
"

If, when issuing commands that interact with Samba, such as net, you get errors such as:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED

and:
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
Failed to add user 'winadmin' with: Failed to connect to IPC$ share on localhost.
Then this could be because you have another server within reach with the same name.

Gotchas

Bugs in this Document

Can't create Print Operators with net command

It takes a couple of minutes before a new Samba user account becomes usable; before then it is reported as disabled. When you use 'smbclient \\\\server\\shared -U pete' it says "session setup failed: NT_STATUS_ACCOUNT_DISABLED". When you try to login on a workstation it says "Your account has been disabled. Please see your system administrator."

I'd rather use the winadmin account for all admin but smbpasswd -e <username> won't work unless you're root because you can't specify other users to run smbpasswd with '-U winadmin' or use it for this kind of operation unless you're root.

We should only disable smb.conf's invalid users = root temporarily, to allow us to use the root account to set up the system, then restart Samba, turning this back off when you're done. This needs to be re-assessed now that we're using Debian 4.0 Etch.

Bugs in Upstream Packages

http://www.samba.org/samba/docs/man/Samba3-HOWTO/NetCommand.html implies you can create Unix accounts with spaces which you can't:

	"The following demonstrates that the POSIX (UNIX/Linux system account) group
	has been created by calling the 
	add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g" interface script:
	root#  getent group
	...
	Domain Admins:x:512:root"

/usr/share/doc/samba-doc/htmldocs/speed.html is referenced but there's no such document.

smb.conf uses passwd chat and passwd program but I replaced that with pam passwd change = yes to get passwd syncing working.

There's no mention in the net man page of net rpc group addmem or net rpc group delmem.

The cupsaddsmb man page (http://cups.org/doc-1.2/man-cupsaddsmb.html) needs to mention this too. You need to include a step before "Once you have extracted the driver files" to say to use p7zip.

(I don't know how to convert to lowercase when using p7zip, as one would use the -L switch with unzip).

bug: what is this on about?: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/CUPS-printing.html#id2645046:
"Recognizing Different Driver Files - Note - If both the Adobe driver files and the CUPS driver files for the support of Windows NT/200x/XP are presently installed on the server, the Adobe files will be ignored and the CUPS files will be used. If you prefer for whatever reason to use Adobe-only drivers, move away the three CUPS driver files. The Windows 9x/Me clients use the Adobe drivers in any case."

Bug: The cupsaddsmb man page in Debian doesn't say whether, when using the CUPS driver, you still need to get the Microsoft drivers, nor that these have to be obtained from a Windows system. The online man page from CUPS does: http://www.cups.org/doc-1.2/man-cupsaddsmb.html.

CUPS should say which Adobe drivers to use if you have both Windows 2000 and XP clients

CUPS Bugs Reported

bug STR #2038: The cupsaddsmb man page (http://cups.org/doc-1.2/man-cupsaddsmb.html) says "The base driver for Windows 2000 and higher is the Microsoft PostScript driver, which is available on any system running Windows 2000 or higher in the %WINDOWS%\SYSTEM32\SPOOL\DRIVERS\W32X86\3 folder." The "%WINDOWS%" location doesn't exist on any version of Windows that I know of. What you mean is %WINDIR%.

bug STR #2039: The cupsaddsmb man page (http://cups.org/doc-1.2/man-cupsaddsmb.html) says "The base driver for Windows 2000 and higher is the Microsoft PostScript driver, which is available on any system running Windows 2000 or higher in the %WINDOWS%\SYSTEM32\SPOOL\DRIVERS\W32X86\3 folder." This directory is empty on Windows XP. If you try to install them using the add printer drivers dialog, there appears to be no such driver available.

bug STR #2040: Trying to download CUPS drivers for Windows, you're presented with a page with options for 'Source Code', and 'Binaries'. The CUPS drivers are mixed up in the source code downloads and the binaries section says see the source code for the binaries. It would be a lot easier to follow if the binaries section had a download package for just the binary drivers.

bug STR #2041: The CUPS drivers for Windows described in the cupsaddsmb man page are cups6.inf, cups6.ini, cupsps6.dll and cupsui6.dll. However the CUPS drivers for Windows include cups6.ppd, for which there's no mention. [maybe it's the "cups" device (essential to print to non-PS printers from CUPS)]

bug STR #2042: include Adobe driver for Windows 2000 and XP. The cupsaddsmb man page (http://cups.org/doc-1.2/man-cupsaddsmb.html) says "However, currently only Windows 2000 and higher is supported by the Microsoft driver, so you will also need to get the Adobe driver to support Windows 95, 98, and Me clients. The Adobe and Microsoft drivers for Windows 2000 are identical."

- It seems the Microsoft driver is too difficult (for me) to find. Adobe have drivers for both Windows 95/98/Me and Windows 2k/XP in the form of the 'Adobe Universal PostScript Windows Driver Installer' (http://www.adobe.com/support/downloads/product.jsp?product=44&platform=Windows) - winsteng.exe. The cupsaddsmb man page says the 95/98/Me drivers are available from Adobe, recommending people use the Microsoft ones for 2000/XP. Please also say that there exist Adobe drivers for Windows 2000/XP and preferably even recommend them rather than the Microsoft ones as they seem simpler to find.

Adobe's description of the driver package is this: "The Adobe Universal PostScript Windows Driver Installer installs the latest version of the AdobePostScript (AdobePS) driver for each supported Microsoft Windows platform:
- AdobePS 4.5.3: Windows 95, Windows 98, Windows 98 Second Edition, or Windows Millennium Edition
- AdobePS 5.2.2: Windows NT 4.0
- PScript 5: Windows 2000 or Windows XP "

Also, when the cupsaddsmb man page describes how to locate the Adobe driver for Windows 95/98/Me, it says to go to http://www.adobe.com. The link used above, http://www.adobe.com/support/downloads/product.jsp?product=44&platform=Windows, provides direct links to drivers for all supported operating systems in all supported languages, so is a better place to link people to than http://www.adobe.com.

bug STR #2043: 7z not unzip for unzipping self-extracting zip files. http://www.cups.org/doc-1.1/sam.html says "If you download the Adobe drivers, use the free unzip software to extract the files from the self-extracting ZIP file containing the drivers;". As far as I can tell the free unzip software doesn't unzip from self-extracting zip files. If it does can you please include in the documentation the switch by which to do so. If it actually doesn't then you should recommend using p7zip instead, i.e. using '7z x winsteng.exe'. On Debian the package name is p7zip-full.

To Do

Need to read: Sample smb.conf Add Group Script - http://www.samba.org/samba/docs/man/Samba3-HOWTO/groupmapping.html#id2568922

See the comments in here: Debian Administration - Debian, CUPS, Samba... Days of grief: http://www.debian-administration.org/articles/300

This page describes creating Windows profiles automatically: http://www.hughesjr.com/content/view/26/2/Site_News

Some administration can be done from a Windows workstation rather than on the server. For example, to delete a samba user account: net user <username> /delete /domain

User Profile Hive Cleanup Service - http://www.microsoft.com/downloadS/details.aspx?FamilyID=1b286e6d-8912-4e18-b570-42470e2f3582&displaylang=en - when logging out, a user's session may not properly terminate, this service monitors sessions and ensures they're terminated properly.

To Do - Printing

Setting up printers on workstations manually

"11. (Optional.) Tickle the driver into a correct device mode.

It is important that you execute this step as a Samba printer admin (as defined in smb.conf). Here is 
another method to do this on Windows XP. It uses a command line, which you may type into the "DOS box" 
(type root's smbpassword when prompted):

C:\> runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry \
	/in /n \\sambaserver\mysmbtstprn"

Change any printer setting once (like changing portrait to landscape), click on Apply, and change the 
setting back.

12. Install the printer on a client (Point'n'Print).

C:\> rundll32 printui.dll,PrintUIEntry /in /n "\\sambaserver\mysmbtstprn"

If it does not work, it could be a permissions problem with the [print$] share."


"Samba and UNIX obviously do not have such a Registry"
- as elsewhere, lower case 'registry'

"Nowadays, most Linux distributions rely on the utilities from the Linuxprinting.org to create their 
printing-related software"

"The utilities from this sire have a very end-user-friendly interface"

"while the new-style PPDs are now call foomatic-rip"

"Save foomatic-rip either directly in /usr/lib/cups/filter/foomatic-rip or somewhere in your $PATH" - 
shouldn't you also say people with distros will want to use their distro's method

"From CUPS 1.1.16 and later releases, you can use the CUPS PostScript driver for Windows NT/200x/XP 
clients (which is tagged in the download area of http://www.cups.org/ as the cups-samba-1.1.16.tar.gz 
package)"

"This is the best system currently available, and there are huge improvements under development for 
CUPS 1.2:"
- so it would be good to brand this document as correct as per a specific version of CUPS

"Shut all Explorer Windows."
- windows

Manually Installing the PostScript Driver on a Client

"install the CUPS printer PPD on top of the Adobe PostScript driver on clients. Then point the client's printer queue to the Samba printer share for a UNC type of connection:
C:\> net use lpt1: \\sambaserver\printershare /user:ntadmin
Should you desire to use the CUPS networked PostScript RIP functions. (Note that user "ntadmin" needs to be a valid Samba user with the required privileges to access the printershare.) This sets up the printer connection in the traditional LanMan way (not using MS-RPC)."

Administrator Cannot Install Printers for All Local Users

"Windows XP handles SMB printers on a "per-user" basis. This means every user needs to install the printer himself or herself. To have a printer available for everybody, you might want to use the built-in IPP client capabilities of Win XP. Add a printer with the print path of http://cupsserver:631/printers/printername. We're still looking into this one. Maybe a logon script could automatically install printers for all users.