Jun 8 2004, 01:09 AM, Post #1
Its GNU/Linuxhelp.net | Group: Admin | Posts: 3,433 | Joined: 25-July 03 | From: Corpus Christi, TX, USA | Member No.: 1,151
Samba 3 as a Primary Domain Controller on RHEL Clones
There are a couple points that I want to make clear. Samba 3 CAN NOT do Windows 2000 Server Active Directory Services (ADS) domain control. It can provide Windows NT 4.0 type domain control. For a time, Windows Groups could not be used by Samba. With Samba 3, Windows Groups can now be used (here is the explanation). In fact, you can control your users and groups using a Domain Member computer (an NT/2K/XP-Pro client) and the Microsoft User Manager for Domains (download srvtools.exe from here, we will discuss its use later in the guide). If all your clients are Win 95/98/ME then you can instead use the Nexus.exe tool for Win95. Windows 95/98/ME/XP-Home clients do not fully utilize the NT4 type domain control ... and in fact, they use a subset of it called LanMan Network Login (LanMan was the precursor to NT4 domain control). Windows NT/2000/XP-Pro clients can fully integrate into the NT4 domain.

This guide is based on information in the official Samba 3 PDC Howto. Please read that info thoroughly before starting this guide. There are several links in the PDC Howto that you need to understand, including:
- Domain Membership
- Group Mapping
- Machine Trust Accounts
- Account Information Databases
- Profile Management
- Policy Management

Besides the Logon server aspect (the Domain Controller), there are 2 other aspects to address in an NT 4 domain environment. They are the Master Browser and the WINS server. Both can be read about in the Network Browsing section of the Official Samba 3 Guide. In this guide, we will configure a Samba 3 PDC that is also the Master Browser and the Primary WINS server. See the Microsoft white papers about WINS and Master Browsers (1, 2, 3) for more information.

Now on with the guide. I will use WhiteBox Enterprise Linux as my RedHat based server Distro. CentOS or TaoLinux can also be used (the only differences will be where the yum update servers are and where to download the initial 3 files required to add yum functionality to the server). The install would be very similar on Fedora Core 1 or 2 as well.

You will need to be able to edit files with an editor. Part of the minimal install has both vi and nano installed. If you are going to install X, then you may have gedit, kedit, emacs, or maybe another editor. I will just say edit the files ... you do so with your preferred editor.

1. The first step is going to be to do a minimal install of WhiteBoxEL. This is accomplished by selecting a custom install and unchecking everything. This will give you an install with about 540mb of packages. It is the minimum recommended install by RedHat of their Enterprise product. The server should have a static IP address, if possible on your network. (There is no real reason why this server can't have X installed, it is not required that this server have only a basic install. If you want to install other services, select them as part of the installation). If you install other than a minimal install, you can issue the command:

    rpm -q yum libxml2-python libxml2

If all 3 packages are installed, you can skip step 2.

2. If you did a minimal install, now install yum ... this will require the packages libxml2-python and libxml2. How I did this install for WBEL is as follows (all steps below will be on WhiteBoxEL ... CentOS steps would be similar, but the filenames might be slightly different ... as would be the yum repository locations):

CODE
    wget http://www.geekstyle.net/white_box/3.0/en/os/i386/RedHat/RPMS/yum-2.0.4-2.WB1.noarch.rpm
    wget http://www.geekstyle.net/white_box/3.0/en/os/i386/RedHat/RPMS/libxml2-python-2.5.10-5.i386.rpm
    wget http://www.geekstyle.net/white_box/3.0/en/os/i386/RedHat/RPMS/libxml2-2.5.10-5.i386.rpm

After the files were downloaded, I installed them with the command:

    rpm -Uvh libxml2-python-2.5.10-5.i386.rpm libxml2-2.5.10-5.i386.rpm yum-2.0.4-2.WB1.noarch.rpm

3. Now, edit the file /etc/yum.conf to add the proper repositories ... my /etc/yum.conf file is here: http://www.hughesjr.com/wbel/yum.conf.txt

4. Update all the packages on the system to the latest updates with this command:

    yum upgrade

5. Now we need to install, or verify installed, all the packages that we need for setting up a SAMBA PDC.

    yum install samba samba-client samba-common

There are 2 other SAMBA tools, samba-swat and redhat-config-samba, that are helpful in some scenarios, but won't be particularly helpful in this situation ... so I won't install them in this guide. You can install them now as well, if you want (add their names in the above command). At this point, we need to restart our server, as we have changed the kernel. Make sure to select the new kernel when booting.

6. Now we need to backup the original configuration file (/etc/samba/smb.conf) and replace it with a file that has the setup we need.

    cd /etc/samba
    mv smb.conf smb.conf.orig

7. In our example, we need to make some assumptions ... I will assume that we do not need DNS or DHCP to be done by this server. It will be the Master Browser, WINS, and PDC server for the Domain. Here is what our server can do:
- The NetBIOS name of the Samba server is set to PDC.
- The Domain name is set to NEWDOM.
- The passdb backend parameter specifies the creation and use of the tdbsam password backend. This is a binary database that has excellent scalability for a large number of user account entries.
- WINS serving is enabled by the wins support = Yes, and name resolution is set to use it by means of the name resolve order = wins bcast hosts entry.
- The Samba server is configured for use by Windows clients as a time server.
- Samba is configured to directly interface with CUPS via the direct internal interface that is provided by CUPS libraries. This is achieved with the printing = CUPS as well as the printcap name = CUPS entries.
- External interface scripts are provided to enable Samba to interface smoothly to essential operating system functions for user and group management. This is important to enable workstations to join the Domain, and is also important so that you can use the Windows NT4 Domain User Manager, as well as the Domain Server Manager. These tools are provided as part of the SRVTOOLS.EXE toolkit (see link above).
- The smb.conf file specifies that the Samba server will operate in (default) security = user mode.
- Domain logon services as well as a Domain logon script are specified. The logon script will be used to add robustness to the overall network configuration.
- Roaming profiles are enabled through the specification of the parameter, logon path = \\%L\profiles\%U. %L will be the server's name ... %U is the user who logs in. It is the administrator's responsibility to ensure there is a directory in the root of the profile share for each user.
- Microsoft Office files are vetoed from opportunistic locking controls. This should help to prevent lock contention related file access problems.
- Explicit controls are effected to restrict access to the IPC$ share to local networks only. The IPC$ share plays an important role in network browsing and in establishment of network connections.
- Every user has a private home directory on the UNIX/Linux host. This is mapped to a network drive that is the same for all users.

8. Here is the new Samba configuration file (/etc/smb.conf). Add this text with your editor and save it: http://www.hughesjr.com/wbel/smb.conf.txt

9. Make the required directories and set permissions:

    mkdir -p /shared
    chmod -R ug+rwxs,o+rx-w /shared
    mkdir -p /var/spool/samba
    mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
    chown -R root.root /var/spool/samba
    chown -R root.root /var/lib/samba
    chmod a+rwxt /var/spool/samba

10. For each user account that is created on the system, the following commands should be executed (substitute the real username for username):

    mkdir /var/lib/samba/profiles/username
    chown username.users /var/lib/samba/profiles/username
    chmod ug+wrx,o+wrx,-w /var/lib/samba/profiles/username

11. Create a logon script. It is important that each line is correctly terminated with a carriage return and line-feed combination (i.e., DOS encoding). The following procedure works if the right tools (unix2dos and dos2unix) are installed (they are in our WBEL install). First, create a file called /var/lib/samba/netlogon/scripts/logon.bat.unix with the following contents (all files that contain the character are included in linked text files, because there are sometimes problems having that character show up in browsers): http://www.hughesjr.com/wbel/logon.bat.unix.txt

Convert the UNIX file to a DOS file using unix2dos as shown here:

    unix2dos < /var/lib/samba/netlogon/scripts/logon.bat.unix > /var/lib/samba/netlogon/scripts/logon.bat

then make the logon.bat file executable with the command:

    chmod 755 /var/lib/samba/netlogon/scripts/logon.bat

12. Add the root user to the password backend as follows:

    smbpasswd -a root

13. Create the Standard NT-Unix group mappings with the following commands:

    net groupmap modify ntgroup="Domain Admins" unixgroup=root
    net groupmap modify ntgroup="Domain Users" unixgroup=users
    net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

Add any additional groups with the above command ... the Unix group needs to be added first via groupadd. Check that the groups are setup with the command:

    net groupmap list | sort

The output should look like this:

    Account Operators (S-1-5-32-548) -> -1
    Administrators (S-1-5-32-544) -> -1
    Backup Operators (S-1-5-32-551) -> -1
    Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root
    Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody
    Domain Users (S-1-5-21-179504-2437109-488451-513) -> users
    Guests (S-1-5-32-546) -> -1
    Power Users (S-1-5-32-547) -> -1
    Print Operators (S-1-5-32-550) -> -1
    Replicators (S-1-5-32-552) -> -1
    System Operators (S-1-5-32-549) -> -1
    Users (S-1-5-32-545) -> -1

14. You must add all users with these commands on the Linux server:

Linux:

    useradd -m username
    passwd username

Windows:

    smbpasswd -a username

15. Setup and start the cups and samba services:

    chkconfig cups on
    chkconfig smb on
    /etc/rc.d/init.d/cups restart
    /etc/rc.d/init.d/smb restart

16. Edit the /etc/nsswitch.conf file. This file controls the operation of the various resolver libraries that are part of the Linux Glibc libraries. Edit this file so that it contains the following entries:

    hosts: files dns wins

Testing:

1. Ping PDC with the command:

    ping PDC

The result should be like this:

    PING PDC (192.168.0.29) 56(84) bytes of data.
    64 bytes from PDC (192.168.0.29): icmp_seq=0 ttl=0 time=0.102 ms
    64 bytes from PDC (192.168.0.29): icmp_seq=1 ttl=0 time=0.035 ms

2. Issue the command:

    testparm -s

Output:

    Load smb config files from /etc/samba/smb.conf
    Processing section "[IPC$]"
    Processing section "[homes]"
    Processing section "[printers]"
    Processing section "[netlogon]"
    Processing section "[profiles]"
    Processing section "[shared]"
    Loaded services file OK.
    # Global parameters
    [global]
            workgroup = NEWDOM
            netbios name = PDC
            interfaces = eth0
            bind interfaces only = Yes
            passdb backend = tdbsam
            pam password change = Yes
            passwd chat = *New*Password* %n\n *Re-enter*new*password* %n\n *Password*changed*
            username map = /etc/samba/smbusers
            unix password sync = Yes
            log level = 1
            syslog = 0
            log file = /var/log/samba/%m
            max log size = 50
            smb ports = 139 445
            name resolve order = wins bcast hosts
            time server = Yes
            printcap name = CUPS
            show add printer wizard = No
            add user script = /usr/sbin/useradd -m %u
            delete user script = /usr/sbin/userdel -r %u
            add group script = /usr/sbin/groupadd %g
            delete group script = /usr/sbin/groupdel %g
            add user to group script = /usr/sbin/usermod -G %g %u
            add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
            shutdown script = /var/lib/samba/scripts/shutdown.sh
            abort shutdown script = /sbin/shutdown -c
            logon script = scripts\logon.bat
            logon path = \\%L\profiles\%U
            logon drive = X:
            logon home = \\%L\home\%U
            domain logons = Yes
            preferred master = Yes
            wins support = Yes
            utmp = Yes
            map acl inherit = Yes
            printing = cups
            veto oplock files = /*.doc/*.xls/*.mdb/

    [IPC$]
            path = /tmp
            hosts allow = 192.168.0.0/24, 127.0.0.1
            hosts deny = 0.0.0.0/0

    [homes]
            comment = Home Directories
            valid users = %S
            read only = No
            browseable = No

    [printers]
            comment = SMB Print Spool
            path = /var/spool/samba
            guest ok = Yes
            printable = Yes
            use client driver = Yes
            default devmode = Yes
            browseable = No

    [netlogon]
            comment = Network Logon Service
            path = /var/lib/samba/netlogon
            guest ok = Yes
            locking = No

    [profiles]
            comment = Profile Share
            path = /var/lib/samba/profiles
            read only = No
            profile acls = Yes

    [shared]
            comment = Network Shares
            path = /shared
            read only = No

3. Issue the command:

    smbclient -L PDC -U%

Output:

    Domain=[NEWDOM] OS=[Unix] Server=[Samba 3.0.2-6.3E]

            Sharename       Type      Comment
            ---------       ----      -------
            IPC$            IPC       IPC Service (Samba 3.0.2-6.3E)
            netlogon        Disk      Network Logon Service
            profiles        Disk      Profile Share
            shared          Disk      Network Shares
            ADMIN$          IPC       IPC Service (Samba 3.0.2-6.3E)
    Domain=[NEWDOM] OS=[Unix] Server=[Samba 3.0.2-6.3E]

            Server               Comment
            ---------            -------
            PDC                  Samba 3.0.2-6.3E

            Workgroup            Master
            ---------            -------
            HOME                 SERVER1
            NEWDOM               PDC

--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
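Step 11 of the guide stresses that every line of logon.bat must end in CR LF and relies on the unix2dos package for the conversion. The script below is an added example, not part of the post above: it does the same conversion with awk (so it works on a box without unix2dos), refuses to double up CRs when run on a file that is already DOS-encoded, and adds a check that the finished file really is CR LF terminated before it is handed to Samba. The sample logon.bat contents are constructed for the example; the real logon.bat.unix is the linked text file in the post.

```shell
#!/bin/sh
# Added example (not from the original post): unix2dos-style conversion of a
# Samba logon script plus a verification step. Assumes only POSIX sh and awk.

# to_dos: strip any trailing CR a line may already have, then terminate the
# line with CR LF. Running it twice therefore yields the same bytes as once.
to_dos() {
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }'
}

# is_dos: exit 0 when every line read from stdin ends in CR LF, 1 otherwise.
is_dos() {
    awk '!/\r$/ { bad = 1 } END { exit (bad ? 1 : 0) }'
}

# dos_line_count: number of CR LF terminated lines on stdin.
dos_line_count() {
    awk '/\r$/ { n++ } END { print n + 0 }'
}

# install_logon_bat SRC DST: the page's procedure (convert, then chmod 755),
# failing if the converted file does not verify as DOS encoded.
install_logon_bat() {
    to_dos < "$1" > "$2" && chmod 755 "$2" && is_dos < "$2"
}

# Constructed sample of a logon script as written on the Linux side (LF only).
SAMPLE_UNIX_BAT='@echo off
net time \\PDC /set /yes
net use H: /home
net use P: \\PDC\shared'

# Stand-alone run: convert the sample and report whether it verifies.
if printf '%s\n' "$SAMPLE_UNIX_BAT" | to_dos | is_dos; then
    echo "sample converted: $(printf '%s\n' "$SAMPLE_UNIX_BAT" | to_dos | dos_line_count) CRLF lines"
fi
```

Usage against the real files is `install_logon_bat /var/lib/samba/netlogon/scripts/logon.bat.unix /var/lib/samba/netlogon/scripts/logon.bat`; a non-zero exit means the file was not fully converted and should not be served from netlogon.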
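Step 13 asks you to eyeball `net groupmap list` for the three domain groups. As an added example (not code from the post), the script below parses that listing and fails if Domain Admins, Domain Users or Domain Guests (RIDs 512, 513 and 514, the well-known RIDs of those groups) is missing or still mapped to -1, which is the state in which Windows clients cannot resolve the group to a Unix group. The listing embedded here is the expected output quoted in the post, used as a constructed sample; the live check is the commented `net groupmap list` call.

```shell
#!/bin/sh
# Added example (not from the original post): audit `net groupmap list`
# output for the Domain Admins/Users/Guests mappings created in step 13.
# Assumes only POSIX sh and awk.

# Constructed sample: the expected listing shown in step 13 of the guide.
SAMPLE_GROUPMAP='Account Operators (S-1-5-32-548) -> -1
Administrators (S-1-5-32-544) -> -1
Backup Operators (S-1-5-32-551) -> -1
Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root
Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody
Domain Users (S-1-5-21-179504-2437109-488451-513) -> users
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Replicators (S-1-5-32-552) -> -1
System Operators (S-1-5-32-549) -> -1
Users (S-1-5-32-545) -> -1'

# groupmap_unix_group LISTING RID
# Prints the Unix group mapped to the domain group whose S-1-5-21-... SID
# ends in -RID, or nothing if that RID does not appear in the listing.
groupmap_unix_group() {
    printf '%s\n' "$1" | awk -v rid="$2" '
        match($0, /\(S-1-5-21-[0-9-]+\)/) {
            sid = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(sid, part, "-")
            if (part[n] == rid) { sub(/.*-> */, ""); print; exit }
        }'
}

# audit_groupmap LISTING
# Returns 0 when RIDs 512, 513 and 514 are each mapped to a Unix group;
# otherwise prints one line per problem and returns 1.
audit_groupmap() {
    status=0
    for rid in 512 513 514; do
        g=$(groupmap_unix_group "$1" "$rid")
        case "$g" in
            "") echo "RID $rid: no mapping present"; status=1 ;;
            -1) echo "RID $rid: mapped to -1 (no Unix group)"; status=1 ;;
            *)  echo "RID $rid -> $g" ;;
        esac
    done
    return $status
}

# Live check on the PDC:  audit_groupmap "$(net groupmap list)"
audit_groupmap "$SAMPLE_GROUPMAP"
```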
Jun 8 2004, 07:02 AM, Post #2
OK, a couple of the sections may need a little more explanation. The first one is:

    [IPC$]
            path = /tmp
            hosts allow = 192.168.0.0/24, 192.168.1.0/24, 127.0.0.1
            hosts deny = 0.0.0.0/0

The IPC$ section is important to the sharing and Logins ... only Client PCs in the hosts allow will be allowed to login and connect to shares ... in my case, my internal networks 192.168.0.0 and 192.168.1.0 and the loopback address 127.0.0.1.

----------------

In the above setup, there are 2 drives mapped on the network server ... H: is the home directory of the user, for personal storage. The P: drive is the Shared network drive, where you can put things for all users.

I made a couple changes to the smb.conf file (it's 6/8/04 at 19:03 USA Central time) ... it works for me now as written.

----------------

More items to expect to see here in the next couple days....
- How to join the NEWDOM domain with Win98, WinME, WinNT, Win2K, WinXP clients. - done
- How to install the SRVTOOLS.EXE file on WinNT/2K/XP and use server manager and User Manager for Domains. - done
- How to add NEWDOM users to the system. - done
- How to add NEWDOM groups to the system. - done
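The IPC$ rule above is a network allow-list, so it is worth being able to check exactly which client addresses it admits before relying on it. The script below is an added example, not code from the post or from Samba: it re-implements the decision Samba documents for `hosts allow` / `hosts deny` in smb.conf(5) (when both lists are set, a host on the allow list is admitted, otherwise a host on the deny list is refused, otherwise the host is admitted; with only an allow list, only listed hosts get in; with only a deny list, everyone not listed gets in; with neither, everyone gets in) and evaluates the two lists from the post against sample client addresses. Only the entry forms used on this page are handled: a single address, a network with a prefix length, and a network with a dotted netmask; `EXCEPT` clauses and hostname entries are not implemented.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate a Samba-style
# "hosts allow" / "hosts deny" pair for a client IPv4 address.
# Assumes POSIX sh with 64-bit shell arithmetic.

# ip_to_int 192.168.0.29 -> 3232235549
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_to_int 24 -> 4294967040 ; mask_to_int 255.255.255.0 -> 4294967040
# Built by subtraction so that /0 does not overflow the shell's integer.
mask_to_int() {
    case $1 in
        *.*) ip_to_int "$1" ;;
        *)   echo $(( 4294967295 - ((1 << (32 - $1)) - 1) )) ;;
    esac
}

# entry_matches ENTRY IP: ENTRY is "a.b.c.d", "a.b.c.d/len" or "a.b.c.d/mask"
entry_matches() {
    net=${1%%/*}
    case $1 in
        */*) mask=$(mask_to_int "${1#*/}") ;;
        *)   mask=4294967295 ;;
    esac
    [ $(( $(ip_to_int "$2") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# list_matches "entry, entry ..." IP: 0 if any entry in the list matches IP.
# Samba accepts commas and/or spaces as separators, so commas become spaces.
list_matches() {
    for e in $(printf '%s' "$1" | tr ',' ' '); do
        entry_matches "$e" "$2" && return 0
    done
    return 1
}

# host_allowed "ALLOW LIST" "DENY LIST" IP: 0 = admitted, 1 = refused
host_allowed() {
    allow=$1; deny=$2; ip=$3
    if [ -z "$allow" ] && [ -z "$deny" ]; then return 0; fi
    if [ -n "$allow" ] && list_matches "$allow" "$ip"; then return 0; fi
    if [ -n "$deny" ] && list_matches "$deny" "$ip"; then return 1; fi
    if [ -n "$allow" ] && [ -z "$deny" ]; then return 1; fi
    return 0
}

# The IPC$ policy from the post.
IPC_ALLOW='192.168.0.0/24, 192.168.1.0/24, 127.0.0.1'
IPC_DENY='0.0.0.0/0'

# Stand-alone run: show the verdict for a few constructed client addresses.
for client in 192.168.0.29 192.168.1.77 127.0.0.1 192.168.2.5 10.0.0.1; do
    if host_allowed "$IPC_ALLOW" "$IPC_DENY" "$client"; then
        echo "$client: admitted"
    else
        echo "$client: refused"
    fi
done
```

With `hosts deny = 0.0.0.0/0` the fall-through branch can never be reached, which is what makes the post's policy a strict allow-list; drop the deny line and every address outside the allow list would be admitted only if the allow list were also empty.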
Jun 8 2004, 08:22 PM, Post #3
First, a good reference for Windows login scripts:
http://labmice.techtarget.com/scripting/lo...ogonscripts.htm

Joining windows computers to the new PDC.....

Windows 95/98/ME
1. Go to the Start menu, select Settings, then Control Panel.
2. Double-click the Network control panel.
3. Click the Identification tab. Pick a Computer name ... it must be unique for each computer on the network. In the Workgroup field, enter NEWDOM. Enter a name in the Computer description field. An example of one is shown below. (picture)
4. Click the Configuration tab.
5. If Client for Microsoft Networks is listed, skip to step 10. If it is not listed, continue to step 6.
6. Click the Add button.
7. Select Client and click Add again.
8. In the left frame, select Microsoft. In the right frame, select Client for Microsoft Networks. (picture)
9. Click OK and wait for the Network control panel to reappear. Client for Microsoft Networks should now be at the top of the list.
10. Click Client for Microsoft Networks, then the Properties button.
11. Check the box to the left of Log on to Windows NT domain. In the Windows NT domain field, enter NEWDOM. Select Quick logon.
12. Click OK. (picture)

-------------------------------------------------------------------------------------------------

Windows 2000
1. Right-click on the My Computer icon on the desktop and select Properties.
2. Click the Network Identification tab.
3. Click the Properties button, as illustrated in this picture.
4. Your computer's "Computer name" must be unique.
5. Pick the Domain box and enter NEWDOM and press OK ... then enter a username (Administrator) and password (your root user's password on the linux server) that is a member of the Domain Administrators group. See this picture.

----------------------------------------------------------------------------------------------------

Windows XP
1. Go to the Start menu and Right-click on the My Computer icon. Select Properties.
2. Click the Computer Name tab.
3. Click the Change button.
Follow the instructions in steps 4 and 5 for Windows 2000 above.

-----------------------------------------------------------------------------------------------------

Now each of the clients should be able to login to the NEWDOM domain.
Jun 8 2004, 09:34 PM, Post #4
Downloading and installing the SRVTOOLS.EXE file on a Windows NT/2K/XP computer

1. The PC must be a member of the domain (see the above post on how to join a PC to the domain). Login as an administrator user for the NEWDOM Domain (the root user from the Linux Server can be logged into by using the Login Administrator, the password of the linux root user, and the Domain as NEWDOM).
2. Go to the following page and download SRVTOOLS.EXE.
3. Copy the downloaded file (SRVTOOLS.EXE) to the %SystemRoot%\system32 directory using Windows Explorer (usually either c:\winnt\system32 or c:\windows\system32). You may have to unhide directories (if asked) while clicking to get to the system32 directory.
4. Once the SRVTOOLS.EXE file is in the system32 directory, double click to expand it. 4 new files should now be at the bottom of the explorer window ... create shortcuts that point to %SystemRoot%\system32\USRMGR.EXE and %SystemRoot%\system32\SRVMGR.EXE from your desktop.
5. You should be able to add new users and groups via the USRMGR. After you add new users via the USRMGR, you have to login to the linux server (as root) and issue the following commands to create the new profile for that user:

    cd /var/lib/samba/profiles
    mkdir username
    chown -R username.users username
    chmod -R 771 username

6. To make it a little bit easier, I am including a script to do this .... edit the file /usr/bin/mk_smb_profile and paste in the following:

CODE
    #!/bin/bash
    PATH=/bin:/sbin:/usr/bin:/usr/sbin
    # a username must be given as the only argument
    if [ -z "$1" ]; then
        echo $"Usage: $0 username"
        exit 1
    fi
    SMB_PROFILES=/var/lib/samba/profiles
    # never clobber a profile directory that already exists
    if [ -d "$SMB_PROFILES/$1" ]; then
        echo $"$1 user profile already exists"
        exit 1
    fi
    cd $SMB_PROFILES
    # create the directory owned by the user, group users, mode 771
    mkdir "$1"
    chown -R "$1.users" "$1"
    chmod -R 771 "$1"
    exit 0

then do:

    chmod 755 /usr/bin/mk_smb_profile

To add the new user, just issue the command:

    mk_smb_profile username

Now you should be able to login as the new user on the windows machines.

-----------------EDIT----------------- 6/8/04 22:05 CDT

OK ... I decided to try and automate the profile creation and combine it with the user creation ... and it seems to work great (if both the smb.conf file and the mk_smb_profile were working properly before). Here is what you need to do ... edit the file /etc/samba/smb.conf and find the line that says:

    add user script = /usr/sbin/useradd -m %u

and change it to this:

    add user script = /usr/bin/mk_smb_profile %u

then edit the file /usr/bin/mk_smb_profile and add the line:

    /usr/sbin/useradd -m $1

just before the line:

    cd $SMB_PROFILES

So now, here is the new /etc/samba/smb.conf file I am using: http://www.hughesjr.com/wbel/smb.conf.new.txt

and here is the new /usr/bin/mk_smb_profile:

CODE
    #!/bin/bash
    PATH=/bin:/sbin:/usr/bin:/usr/sbin
    # a username must be given as the only argument
    if [ -z "$1" ]; then
        echo $"Usage: $0 username"
        exit 1
    fi
    SMB_PROFILES=/var/lib/samba/profiles
    # never clobber a profile directory that already exists
    if [ -d "$SMB_PROFILES/$1" ]; then
        echo $"$1 user profile already exists"
        exit 1
    fi
    # create the Unix account (with home directory) first
    /usr/sbin/useradd -m "$1"
    cd $SMB_PROFILES
    # then the profile directory owned by the user, group users, mode 771
    mkdir "$1"
    chown -R "$1.users" "$1"
    chmod -R 771 "$1"
    exit 0
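Once mk_smb_profile is wired in as the `add user script`, the `%u` it receives is whatever name was typed into User Manager for Domains on a Windows client, and the post's script passes that name straight into paths, useradd and chown. The script below is an added example, not the script from the post: it keeps the post's layout (refuse a missing argument, refuse an existing profile, useradd, then a 0771 profile directory) but first checks the name against a conservative pattern, quotes every expansion, and creates the directory with a single install(1) call. The naming policy, the SMB_PROFILES/SMB_GROUP environment overrides and the `main` entry point are assumptions made for this example; nothing in the post specifies them.

```shell
#!/bin/sh
# Added example (not the post's mk_smb_profile): a stricter profile-creation
# script for use as Samba's "add user script". Assumes POSIX sh, install(1)
# from coreutils or busybox, and useradd at /usr/sbin/useradd.
PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Base directory and group as in the post; overridable for testing.
SMB_PROFILES=${SMB_PROFILES:-/var/lib/samba/profiles}
SMB_GROUP=${SMB_GROUP:-users}

# valid_username NAME: 0 when NAME is 1-32 characters, starts with a letter
# or underscore and otherwise contains only [A-Za-z0-9._-]. Such a name can
# never be "..", start with "-", contain "/" or hold a shell metacharacter.
# (Assumed policy; tighten or loosen to match the site's Windows naming rules.)
valid_username() {
    [ -n "$1" ] && [ ${#1} -le 32 ] &&
        expr "X$1" : 'X[A-Za-z_][A-Za-z0-9._-]*$' >/dev/null
}

# make_profile NAME [BASE] [GROUP]: create BASE/NAME owned by NAME:GROUP with
# mode 0771 (the post's permissions). Refuses bad names and existing paths.
make_profile() {
    name=$1; base=${2:-$SMB_PROFILES}; group=${3:-$SMB_GROUP}
    if ! valid_username "$name"; then
        echo "mk_smb_profile: refusing user name '$name'" >&2
        return 2
    fi
    if [ -e "$base/$name" ]; then
        echo "mk_smb_profile: $name user profile already exists" >&2
        return 1
    fi
    # one call creates the directory, owner, group and mode together
    install -d -m 0771 -o "$name" -g "$group" "$base/$name"
}

# main USERNAME: what Samba invokes via "add user script = ... %u".
# The name is validated before useradd ever sees it.
main() {
    if [ $# -ne 1 ]; then
        echo "Usage: $0 username" >&2
        return 1
    fi
    if ! valid_username "$1"; then
        echo "mk_smb_profile: refusing user name '$1'" >&2
        return 2
    fi
    /usr/sbin/useradd -m -- "$1" && make_profile "$1"
}

# Run as a command only when installed under the expected name; when the
# file is sourced or executed under another name the functions stay callable.
case $0 in
    */mk_smb_profile|mk_smb_profile) main "$@" ;;
esac
```

Installed as /usr/bin/mk_smb_profile with mode 755, it is invoked exactly as in the post; a rejected name exits 2 so the failure shows up as a distinct status in Samba's log rather than as a half-created account.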
Jun 8 2004, 10:30 PM, Post #5
Now, to reiterate, All group adds and removes, all new user adds and removes, and all new user changes (group switches, etc.) can be done via the USRMGR.EXE (User Manager for Domains) on a Windows Client. You should not have to do anything on the Linux server to add new domain users OR manage the global groups.
The only groups that can be created via the USRMGR are Global groups (no local groups can be created or used via Samba) ... and you cannot put one group inside another group. I have noticed that you have to press the F5 key to update the screen after making changes via USRMGR.