6.2 Creating a Samba Group

In OES 2, the Novell Samba configuration automatically creates a default Samba users group for every Samba server. This group is already LUM-enabled and is designed to make the process of enabling users for Samba easier. Read Section 6.2.1, About the Default Samba Users Group to determine whether this default group can meet your needs or whether you need to create your own Samba group.

6.2.1 About the Default Samba Users Group

A default Samba users group is created automatically on every OES 2 server that has Novell Samba installed. The default group is named server_name-W-SambaUserGroup. When you use the Samba management plug-in for iManager to add Samba users, the users are automatically made members of this group. Removing Samba users with the plug-in only removes the users as members of the default Samba users group. It does not affect their membership in other groups that might be created for Samba access.

The default Samba users group does not specify SSH as an allowed service. If you want to allow your Samba users SSH access (for instance, if you are using NetStorage and you want your Samba users to access NetStorage Storage Location Objects based on SSH), you must either modify the default Samba users group to allow SSH access or create a new Samba group that is LUM-enabled and specifies SSH as an allowed service. If you create a new group, the Samba users must be removed from the default Samba users group because SSH access is only granted when all of the groups to which a user belongs allow it. For more information, see SSH Services on OES 2 in the OES 2 SP3: Planning and Implementation Guide.

If the default Samba users group meets the needs of your Samba implementation, skip to Section 7.4, Managing Samba Users to continue the process of adding users to your Samba server.

If you need to create your own Samba group, continue with Section 6.2.2, Creating an eDirectory Group and Assigning Users to It.

6.2.2 Creating an eDirectory Group and Assigning Users to It

If you cannot use the default Samba group, you can create a new Group object for managing a subset of Samba users.

  1. If your eDirectory users are already members of a group you can enable for Linux access, skip to Section 6.2.3, Enabling the Group for Linux Access (LUM).

  2. Click Groups > Create Group.

  3. Type a name for the group.

  4. Select a context for the group. Although Group objects are often in the same container as the User objects assigned to them, this is not required.

  5. Click OK.

  6. Click Modify.

  7. Select the Members tab.

  8. Browse to the users you want to add to the group, click each User object, then click OK.

  9. Click Apply > OK.

  10. Continue with Section 6.2.3, Enabling the Group for Linux Access (LUM).

6.2.3 Enabling the Group for Linux Access (LUM)

  1. Enable the group you just created for Linux access by selecting Linux User Management > Enable Groups for Linux.

  2. In the Enable Groups for Linux page, select the group you just created.

  3. Make sure that the Linux-Enable All Users in These Groups option is selected, then click Next.

  4. Confirm that you want to enable the users for Linux by clicking Next.

  5. Browse to and select the UNIX Workstation - server_name object of each server you want users to have Samba access to, then click OK.

    UNIX Workstation objects are created in the same context as the servers they represent.

  6. Click Next, then click Finish.

  7. To add eDirectory users as Samba users in iManager, see Section 7.4, Managing Samba Users.

    With the Samba plug-in for iManager, you can add up to 500 users at once. An alternative command line method for Samba-enabling existing users is to use the smbbulkadd utility as explained in Section 6.2.4, Samba-Enabling Users with smbbulkadd.

6.2.4 Samba-Enabling Users with smbbulkadd

You can enable multiple eDirectory users for Samba by running the smbbulkadd utility at the terminal prompt.

Prerequisites

Running the smbbulkadd Utility

To enable Linux-enabled users for Samba access, do the following:

  1. Using your favorite Linux text editor (such as gedit or vi), create a text file that lists the following information for each user on a separate line. Be sure to include a blank line at the end of the file as indicated:

    -u username -x edir,context -p password
    (blank line—no text)

    where username is the eDirectory username, edir,context is the full eDirectory context of the user expressed using LDAP (comma-delimited) syntax, and password is the same password used to log in to the Windows workstation.

    IMPORTANT: Both the eDirectory password and the Universal Password will be set to the password you specify.

    For example, to Samba-enable three Linux-enabled eDirectory users named win1, win2, and win3 in users.doc.company, with the passwords pass1, pass2, and pass3, respectively, you could create a file named smbusers.txt in the /tmp directory with the following contents:

    -u win1 -x ou=users,ou=doc,o=company -p pass1
    -u win2 -x ou=users,ou=doc,o=company -p pass2
    -u win3 -x ou=users,ou=doc,o=company -p pass3
    (blank line—no text)

    NOTE: You can also create the text file on a Macintosh or Windows workstation, but you must convert the file to UNIX text format using the dos2unix utility before using it with smbbulkadd.

  2. While logged in to the server as the root user, run the smbbulkadd command.

    To see the various command options, enter smbbulkadd at the shell prompt.

    For example, to process the smbusers.txt file mentioned in the example in Step 1, you would enter the following command at the shell prompt:

    smbbulkadd -a cn=admin,o=company -w adpass -f /tmp/smbusers.txt

    where adpass is the eDirectory Admin user password.

    The system reports the status for each user being enabled for Samba.

  3. Check the status reported to ensure that all users were enabled. If not, correct any errors in the smbusers.txt file, such as no blank line at the end, and run smbbulkadd again.

    Users that are already enabled are ignored.

  4. After your users are enabled to use Samba file services, you need to grant access rights to the Samba shares. For instructions, see Section 7.5, Typical Samba Configuration Scenarios.
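
The following pre-flight check for the Step 1 file is an added example, not part of the Novell documentation or the smbbulkadd utility. It catches the errors the procedure names (wrong line format, DOS line endings, missing final blank line) before the file is passed to smbbulkadd. The helper name check_smbusers_file is hypothetical, the owner-only permission test is an added hardening check because the file holds cleartext passwords, and "blank line at the end" is assumed to mean an empty final line.

```shell
#!/bin/sh
# Added example, not from the Novell documentation.
# check_smbusers_file is a hypothetical helper name.
# Exit status 0 means the file passed; problems are reported on stderr
# by line number only, so passwords are never echoed.
check_smbusers_file() (
    # The body runs in a subshell: variables stay local and "exit"
    # only leaves this function.
    file=$1 rc=0 n=0 last=x
    [ -r "$file" ] || { echo "cannot read $file" >&2; exit 1; }

    # Added hardening check: the file holds cleartext passwords.
    mode=$(stat -c '%a' "$file")
    case $mode in
        ?00) ;;
        *) echo "mode $mode: restrict with chmod 600" >&2; rc=1 ;;
    esac

    # Carriage returns mean the file still needs dos2unix.
    cr=$(printf '\r')
    if grep -q "$cr" "$file"; then
        echo "CR characters found: convert with dos2unix" >&2; rc=1
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1)); last=$line
        case $line in
            "") ;;
            # -x must be in LDAP syntax (contains "="), not dot notation.
            "-u "?*" -x "?*=?*" -p "?*) ;;
            *) echo "line $n: expected -u name -x ldap,context -p password" >&2
               rc=1 ;;
        esac
    done < "$file"

    # Step 1 requires a blank line at the end (assumed: empty final line).
    [ -z "$last" ] || { echo "no blank line at end of file" >&2; rc=1; }
    exit "$rc"
)
```

Run it as `check_smbusers_file /tmp/smbusers.txt` and proceed to Step 2 only when it exits with status 0.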