In OES 2, the Novell Samba configuration automatically creates a default Samba users group for every Samba server. This group is already LUM-enabled and is designed to make the process of enabling users for Samba easier. Read Section 6.2.1, About the Default Samba Users Group to determine whether this default group can meet your needs or whether you need to create your own Samba group.
A default Samba users group is created automatically on every OES 2 server that has Novell Samba installed. The default group is named server_name-W-SambaUserGroup. When you use the Samba management plug-in for iManager to add Samba users, the users are automatically made members of this group. Removing Samba users with the plug-in only removes the users as members of the default Samba users group. It does not affect their membership in other groups that might be created for Samba access.
The default Samba users group does not specify SSH as an allowed service. If you want to allow your Samba users SSH access (for instance, if you are using NetStorage and you want your Samba users to access NetStorage Storage Location Objects based on SSH), you must either modify the default Samba users group to allow SSH access or create a new Samba group that is LUM-enabled and specifies SSH as an allowed service. If you create a new group, the Samba users must be removed from the default Samba users group because SSH access is only granted when all of the groups to which a user belongs allow it. For more information, see SSH Services on OES 2 in the OES 2 SP3: Planning and Implementation Guide.
If the default Samba users group meets the needs of your Samba implementation, skip to Section 7.4, Managing Samba Users to continue the process of adding users to your Samba server.
If you need to create your own Samba group, continue with Section 6.2.2, Creating an eDirectory Group and Assigning Users to It.
If you cannot use the default Samba group, you can create a new Group object for managing a subset of Samba users.
If your eDirectory users are already members of a group you can enable for Linux access, skip to Section 6.2.3, Enabling the Group for Linux Access (LUM).
Click > .
Type a name for the group.
Select a context for the group. Although Group objects are often in the same container as the User objects assigned to them, this is not required.
Click .
Click .
Select the tab.
Browse to the users you want to add to the group, click each User object, then click .
Click > .
Continue with Section 6.2.3, Enabling the Group for Linux Access (LUM).
Enable the group you just created for Linux access by selecting > .
In the Enable Groups for Linux page, select the group you just created.
Make sure that the option is selected, then click .
Confirm that you want to enable the users for Linux by clicking .
Browse to and select the UNIX Workstation - server_name object of each server you want users to have Samba access to, then click .
UNIX Workstation objects are created in the same context as the servers they represent.
Click , then click .
To add eDirectory users as Samba users in iManager, see Section 7.4, Managing Samba Users.
With the Samba plug-in for iManager, you can add up to 500 users at once. An alternative command line method for Samba-enabling existing users is to use the smbbulkadd utility as explained in Section 6.2.4, Samba-Enabling Users with smbbulkadd.
You can enable multiple eDirectory users for Samba by running the smbbulkadd utility at the terminal prompt.
The users must already exist in eDirectory and must be assigned a Samba-qualified password policy, as described in Section 6.1.1, Creating an eDirectory Container for User Objects.
The users must also be members of a Samba group that has been LUM-enabled for Linux access.
You can either make the users members of the default Samba users group, which is already LUM-enabled, or create your own Samba group as instructed in Section 6.2.2, Creating an eDirectory Group and Assigning Users to It and Section 6.2.3, Enabling the Group for Linux Access (LUM).
If you need to add a large number of users to a LUM-enabled group, you can run the nambulkadd utility to perform the LUM-enabling and group assignment tasks that are prerequisite to running smbbulkadd. When you run nambulkadd, you specify the primary group and/or secondary group(s) when LUM-enabling users. You can then run smbbulkadd to update the User objects to include Samba-specific schema information.
For instructions on how to run nambulkadd, see Using Command Line Utilities to Manage Users and Groups in the OES 2 SP3: Novell Linux User Management Administration Guide.
To enable Linux-enabled users for Samba access, do the following:
Using your favorite Linux text editor (such as gedit or vi), create a text file that lists the following information for each user on a separate line. Be sure to include a blank line at the end of the file as indicated:
-u username -x edir,context -p password
(blank line—no text)
where username is the eDirectory username, edir,context is the full eDirectory context of the user expressed using LDAP (comma-delimited) syntax, and password is the same password used to log in to the Windows workstation.
IMPORTANT: Both the eDirectory password and the Universal Password will be set to the password you specify.
For example, to Samba-enable three Linux-enabled eDirectory users named win1, win2, and win3 in users.doc.company, with the passwords pass1, pass2, and pass3, respectively, you could create a file named smbusers.txt in the /tmp directory with the following contents:
-u win1 -x ou=users,ou=doc,o=company -p pass1
-u win2 -x ou=users,ou=doc,o=company -p pass2
-u win3 -x ou=users,ou=doc,o=company -p pass3
(blank line—no text)
NOTE: You can also create the text file on a Macintosh or Windows workstation, but you must convert the file to UNIX text format using the dos2unix utility before using it with smbbulkadd.
While logged in to the server as the root user, run the smbbulkadd command.
To see the various command options, enter smbbulkadd at the shell prompt.
For example, to process the smbusers.txt file mentioned in the example in Step 1, you would enter the following command at the shell prompt:
smbbulkadd -a cn=admin,o=company -w adpass -f /tmp/smbusers.txt
where adpass is the eDirectory Admin user password.
The system reports the status for each user being enabled for Samba.
Check the status reported to ensure that all users were enabled. If not, correct any errors in the smbusers.txt file, such as no blank line at the end, and run smbbulkadd again.
Users that are already enabled are ignored.
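The input file from Step 1 holds every listed user's password in clear text and must meet the format rules above (UNIX line endings, LDAP comma-delimited context, blank last line). The following pre-flight check is an added example, not part of the Novell documentation or tooling; the function name check_smbusers and the rule that the file be readable by its owner only are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Novell code): pre-flight check for an smbbulkadd input file.
# check_smbusers FILE prints each problem to stderr and returns the problem count.
check_smbusers() {
    f=$1; problems=0
    report() { echo "$f: $1" >&2; problems=$((problems + 1)); }

    [ -r "$f" ] || { report "cannot read file"; return 1; }

    # The file holds cleartext passwords, so group/other must have no access.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case $mode in
        *00) ;;
        *) report "mode $mode lets other accounts read the passwords (chmod 600)" ;;
    esac

    # Files written on a Macintosh or Windows workstation need dos2unix first.
    cr=$(printf '\r')
    if grep -q "$cr" "$f"; then
        report "contains carriage returns; convert with dos2unix"
        return "$problems"
    fi

    # The page requires a blank line at the end of the file.
    [ -z "$(tail -n 1 "$f")" ] || report "no blank line at end of file"

    # Each entry: -u username -x <comma-delimited LDAP context> -p password
    bad=$(awk '
        /^$/ { next }
        !/^-u [^ ]+ -x [A-Za-z]+=[^ ,=]+(,[A-Za-z]+=[^ ,=]+)* -p [^ ]/ { print NR }
    ' "$f")
    for n in $bad; do
        report "line $n: expected -u username -x edir,context -p password"
    done
    grep -q . "$f" || report "no user entries"
    return "$problems"
}

# Constructed sample: the three users from the example above (mktemp creates mode 0600).
demo=$(mktemp)
printf '%s\n' \
    '-u win1 -x ou=users,ou=doc,o=company -p pass1' \
    '-u win2 -x ou=users,ou=doc,o=company -p pass2' \
    '-u win3 -x ou=users,ou=doc,o=company -p pass3' \
    '' > "$demo"
check_smbusers "$demo" && echo "$demo: ready for smbbulkadd -f"
rm -f "$demo"
```

Delete the input file once smbbulkadd has reported every user as enabled, because it is the only place outside eDirectory where the passwords are stored.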
After your users are enabled to use Samba file services, you need to grant access rights to the Samba shares. For instructions, see Section 7.5, Typical Samba Configuration Scenarios.