Samba/Primary Domain Controller (From Gentoo Linux Wiki)

A Primary Domain Controller (PDC) allows:

    * Users on a Windows domain to authenticate against a central controller.
    * Users to have roaming profiles.
    * Login commands run at login based on login scripts that reside on the PDC. 

This article focuses on how to implement Samba as the PDC for your Windows domain. It was written with a Windows 2000/XP network in mind, but should work with any client version of Windows, though some extra client side settings may need to be configured.

If you're looking to have a PDC for your Linux domain, you're out of luck here. PDCs are strictly for Windows environments. Instead, you should look at Active Directory Authentication using LDAP.


Synopsis

What this HOWTO will do

    * Allow Microsoft Windows (2000 and XP) clients to authenticate via your Samba server.
    * Provide mapped drives (based on logon scripts).
    * Execute a logon script.
    * Enable use of roaming profiles. 

Roaming profiles

    Microsoft Windows supports roaming user profiles, which allow certificates to follow users no matter which computer they use to log on. When roaming profiles are enabled, user profiles, including issued certificates and private keys, are stored on the domain controller. The roaming profiles are downloaded to the computer during the logon process for the user. 

What this HOWTO will not do

    * Configure your Samba server for print sharing.
    * Configure your Samba server for virus scanning.
    * Configure your Samba server for LDAP authentication. 

The Kernel

Make sure POSIX Access Control Lists are supported by the kernel on the relevant file system. Linux Kernel Configuration: Required settings

File systems --->

   <*> Second extended fs support (If using Ext2)
   [*]   Ext2 extended attributes
   [*]     Ext2 POSIX Access Control Lists
   [ ]     Ext2 Security Labels (NEW)
   [ ]   Ext2 execute in place support (NEW)
   <*> Ext3 journalling file system support (If using Ext3)
   [*]   Ext3 extended attributes (NEW)
   [*]     Ext3 POSIX Access Control Lists (NEW)
   [ ]     Ext3 Security Labels (NEW)
   <*> Ext4dev/ext4 extended fs support development (EXPERIMENTAL) (If using Ext4)
   [*]   Ext4dev extended attributes (NEW)
   [*]     Ext4dev POSIX Access Control Lists (NEW)
   [ ]     Ext4dev Security Labels (NEW)
   [ ] JBD (ext3) debugging support (NEW)
   [ ] JBD2 (ext4dev/ext4) debugging support (NEW)
   <*> Reiserfs support (If using Reiserfs)
   [ ]   Enable reiserfs debug mode (NEW)
   [ ]   Stats in /proc/fs/reiserfs (NEW)
   [*]   ReiserFS extended attributes
   [*]     ReiserFS POSIX Access Control Lists (NEW)
   [ ]     ReiserFS Security Labels (NEW)
   <*> JFS filesystem support (If using JFS)
   [*]   JFS POSIX Access Control Lists
   [ ]   JFS Security Labels
   [ ]   JFS debugging
   [ ]   JFS statistics
   <*> XFS filesystem support (If using XFS)
   [ ]   XFS Quota support (NEW)
   [*]   XFS POSIX ACL support (NEW)
   [ ]   XFS Realtime subvolume support (NEW)
   [ ]   XFS Debugging support (EXPERIMENTAL) (NEW)

USE Flags

Samba must be emerged with the acl USE flag enabled. This can be defined globally in /etc/make.conf or only for the samba package:

File: /etc/portage/package.use

  ...
  net-fs/samba acl

Install Samba

  emerge -av samba

Configure Samba

The first section we will configure is the [global] section, followed by [netlogon], [profiles], [homes] and other service sections. You'll need to change some values to meet your criteria.

[global]

netbios name sets the NetBIOS name by which a Samba server is known; this is what you'll see in Network Neighborhood. workgroup controls what workgroup your server will appear to be in when queried by clients; this is also the domain you will work from if you are using one. server string controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view.

Note: YOUR_DOMAIN in this context refers to a NetBIOS domain (workgroup); it is flat and non-hierarchical and shouldn't be confused with an Internet domain.

File: /etc/samba/smb.conf

  [global]
  netbios name  = COMPUTER_NAME
  workgroup     = YOUR_DOMAIN
  server string = PDC [on Gentoo :: Samba server %v]

hosts allow is a comma-, space- or tab-delimited set of hosts which are permitted to access a service. security affects how clients authenticate to Samba and is one of the most important settings in the smb.conf file. encrypt passwords controls whether encrypted passwords will be negotiated with the client. socket options allows you to set socket options to be used when talking with the client; it is for performance fine tuning. If you find more/better options, interfaces allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic. bind interfaces only allows the Samba admin to limit which interfaces on a machine will serve SMB requests.

File: /etc/samba/smb.conf

  ...
  hosts allow          = 192.168.4.0/24 127.0.0.0/8
  security             = user
  encrypt passwords    = yes
  interfaces           = lo eth0
  bind interfaces only = yes

To make your Samba server the PDC, the following four parameters are required. local master allows NMBD to try to become the local master browser on a subnet. os level controls what level Samba advertises itself as for browse elections; setting your os level to 65 ensures your server will be the PDC in a network where there are other domain controllers. domain master enables WAN-wide browse list collation; setting this option causes NMBD to claim a special domain-specific NetBIOS name that identifies it as the domain master browser for its workgroup. preferred master controls whether NMBD is a preferred master browser for its workgroup.

File: /etc/samba/smb.conf

  ...
  local master     = yes
  os level         = 65
  domain master    = yes
  preferred master = yes

null passwords allows or disallows client access to accounts that have null passwords. hide unreadable prevents clients from seeing the existence of files that cannot be read. hide dot files controls whether files starting with a dot appear as hidden files.

File: /etc/samba/smb.conf

  ...
  null passwords  = no
  hide unreadable = yes
  hide dot files  = yes

domain logons dictates whether the Samba server will serve Windows domain logons for the workgroup it is in. logon script specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. logon path specifies the directory where roaming profiles (NTuser.dat etc. files for Windows NT) are stored. logon drive specifies the local drive letter to which the home directory will be connected and is only used by NT workstations. logon home specifies the home directory location when a Win95/98 or NT workstation logs into a Samba PDC. Please note that the variables %L and %U must be used; they expand to the server name and the username, respectively. You may specify any drive letter as long as it does not conflict with other drives on your Windows client.

For the logon script, you should use a static file name. Using %U instead gives a per-user script named after the user establishing the connection.

File: /etc/samba/smb.conf

  ...
  domain logons = yes
  logon script  = login.bat
  ; logon script = %U.bat   (per-user script instead of the shared login.bat)
  logon path    = \\%L\profiles\%U
  logon drive   = H:
  logon home    = \\%L\%U\.9xprofile

wins support controls whether the NMBD process in Samba will act as a WINS server. name resolve order is used by the programs in the Samba suite to determine which naming services to use, and in what order, to resolve host names to IP addresses. dns proxy specifies that nmbd, when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

File: /etc/samba/smb.conf

  ...
  wins support       = yes
  name resolve order = wins lmhosts host bcast
  dns proxy          = no

time server determines whether NMBD advertises itself as a time server to Windows clients. log file allows you to override the name of the Samba log file, also known as the debug file. max log size specifies the maximum size (in KB) to which the log file may grow. smb passwd file sets the path to the encrypted smbpasswd file; by default, the path to the smbpasswd file is compiled into Samba.

File: /etc/samba/smb.conf

  ...
  time server    = yes
  log file       = /var/log/samba/log.%m
  max log size   = 50
  passdb backend = tdbsam

The following parameters assist you in adding and deleting users and machines from a client. (Carter, Ts, Eckstein, 2007)

File: /etc/samba/smb.conf

  ...
  add user script          = /usr/sbin/useradd -m %u
  delete user script       = /usr/sbin/userdel -r %u
  add group script         = /usr/sbin/groupadd %g
  delete group script      = /usr/sbin/groupdel %g
  # note: usermod -G replaces the user's supplementary group list; add -a to append instead
  add user to group script = /usr/sbin/usermod -G %g %u
  add machine script       = /usr/sbin/useradd -s /bin/false -d /dev/null %u
  # a nice replacement for the above line (you need to add a "machines" group to use it):
  # add machine script     = /usr/sbin/useradd -d /dev/null -g 'machines' -c 'Machine Account' -s /bin/false '%u'
  passwd program           = /usr/bin/passwd %u
  passwd chat              = "*New password:*" %n\r "*New password (again):*" %n\r "*Password changed*"

Note: In smb.conf.example the add machine script is slightly separated from these other directives.

unix charset specifies the character set used by the Unix machine Samba runs on. Samba needs to know this in order to convert text to the character sets other SMB clients use. You should leave this undefined unless your machine does not support the default UTF-8 character set.

File: /etc/samba/smb.conf

  ...
  unix charset = ISO8859-1

[netlogon]

[netlogon] is the service section where your Default Profile for new users and your login script reside. Make sure the directory is owned by root (user and group) and its permissions are 755:

  mkdir /var/lib/samba/netlogon
  chmod -R 0755 /var/lib/samba/netlogon

File: /etc/samba/smb.conf

  ...
  [netlogon]
  path       = /var/lib/samba/netlogon
  guest ok   = no
  read only  = yes
  browseable = no

[profiles]

[profiles] is the service section for user roaming profiles. The directory itself must be owned by root (user and group) with permissions 755. Inside this directory is where your user profiles are located: each user's profile directory must be owned by that user, group owned by users, with permissions 770 (chmod -R 0770 on the user's directory).

Create the top-level directory, owned by root, with permissions 755:

  mkdir /var/lib/samba/profiles
  chmod 0755 /var/lib/samba/profiles

File: /etc/samba/smb.conf

  ...
  [profiles]
  path = /var/lib/samba/profiles
  browseable = no
  writeable = yes
  default case = lower
  preserve case = no
  short preserve case = no
  case sensitive = no
  hide files = /desktop.ini/ntuser.ini/NTUSER.*/
  write list = @smbusers @root
  create mask = 0600
  directory mask = 0700
  csc policy = disable

[homes]

[homes] defines the users' home directories. Nothing special needs to be done to this section or its directory.

File: /etc/samba/smb.conf

  ...
  [homes]
  path                = /home/%U
  browseable          = no
  valid users         = %S
  read only           = no
  guest ok            = no
  inherit permissions = yes

[public]

[public] is an example of a share that everyone can access. This is handy to have if there are documents to which everyone needs access. You do not need one if you do not want one, and you can have as many as you want with whatever names you want; it does not have to be named [public].

File: /etc/samba/smb.conf

  ...
  [public]
  comment    = Public Resources
  path       = /public
  public     = yes
  read only  = yes
  browseable = yes
  write list = @users
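As an added check that is not part of the original HOWTO, the POSIX shell script below parses an smb.conf and reports PDC-relevant settings that deviate from the values recommended in the sections above. The configuration it reads is a constructed sample (not the HOWTO's file) that deliberately carries two weak settings.

```shell
# Constructed sample smb.conf (not the HOWTO's file); it deliberately carries
# two weak settings (null passwords, guest access to netlogon) for the audit to catch.
SAMPLE_SMBCONF=$(cat <<'EOF'
[global]
   security = user
   encrypt passwords = yes
   null passwords = yes
   hosts allow = 192.168.4.0/24 127.0.0.0/8
[netlogon]
   path = /var/lib/samba/netlogon
   guest ok = yes
   read only = yes
[profiles]
   path = /var/lib/samba/profiles
   writeable = yes
   create mask = 0600
EOF
)

# smb_get CONF SECTION KEY: print KEY's value inside [SECTION] (case-insensitive,
# whitespace trimmed) or nothing if unset. Later duplicates of a key are ignored.
smb_get() {
    printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            s = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", s)
            insec = (tolower(s) == tolower(sec)); next
        }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }'
}

# smb_expect CONF SECTION KEY WANTED: report a finding and bump FINDINGS on mismatch.
smb_expect() {
    got=$(smb_get "$1" "$2" "$3")
    if [ "$got" != "$4" ]; then
        echo "[$2] $3 = '${got:-<unset>}' (expected '$4')"
        FINDINGS=$((FINDINGS + 1))
    fi
}

# audit_smbconf CONF: check the PDC settings this HOWTO recommends;
# prints one line per deviation and returns the number of deviations.
audit_smbconf() {
    FINDINGS=0
    smb_expect "$1" global   security            user
    smb_expect "$1" global   "encrypt passwords" yes
    smb_expect "$1" global   "null passwords"    no
    smb_expect "$1" netlogon "guest ok"          no
    smb_expect "$1" netlogon "read only"         yes
    smb_expect "$1" profiles "create mask"       0600
    [ -n "$(smb_get "$1" global "hosts allow")" ] \
        || { echo "[global] hosts allow is unset (service reachable from any host)"; FINDINGS=$((FINDINGS + 1)); }
    return "$FINDINGS"
}

audit_smbconf "$SAMPLE_SMBCONF" || echo "deviations found: $?"
```

To audit a live server, replace the sample with `"$(cat /etc/samba/smb.conf)"`; note that testparm must still be run to catch syntax errors, which this check does not attempt.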

Configure Clients

Windows 2000

This is another simple step. Log into your Windows 2000 client locally as Administrator and add your client machine to your domain. This is achieved by right-clicking My Computer => Properties => Network Identification => Properties button. You will be prompted for the username/password of an authorised domain user. You'll need to use your root account (the reason root was added to smbpasswd).

After changing your domain, you'll need to reboot (no surprise there). When it reboots, you'll have the fancy login screen with the nice little graphic instructing you to press "ctrl-alt-del" to get to the actual login screen. If you only see fields for your username and password, click on the "Options" button and a domain dropdown will appear. Your choices should be "computer name\local" AND your new domain.

In order to employ roaming profiles, you need to establish a "Default Profile" on Samba. This requires you to copy the contents of the hidden folder C:\Documents and Settings\Default User to your Samba server, into the directory specified in your [netlogon] service. This way your users will have a default profile to log into (assuming the usage of roaming profiles).

I suggest making sure the latest service pack is installed.

After adding the client to the domain and rebooting, let's leave this screen as is. We'll come back to it later.

Windows XP

You should start the process for Windows XP clients with a complete Windows Update. Since the release of Service Pack 2, Microsoft Windows' way of dealing with profiles has changed a bit. You will need to start by logging into your Windows XP client locally as Administrator and executing:

gpedit.msc

then navigate to:

Local Computer Policy / Computer Configuration / Administrative Templates / System / User Profiles

and change the setting 'Do not check for user ownership of Roaming Profile Folders' from 'Not Configured' to 'Enabled'. If that setting is not present, you should try visiting Windows Update again. Then you can use 'File / Exit'. This is needed because Windows XP checks the ACL permissions on your profile folder on the server, which are not easy to reproduce on a *NIX filesystem. Once this is completed, you can proceed as for Windows 2000.

Alternatively, you can add the following registry key:

  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
  "CompatibleRUPSecurity"=dword:00000001

Add this to the [profiles] section in Samba 3.25. (See man smb.conf for more details.)

File: /etc/samba/smb.conf

  [profiles]
  profile acls = yes
  ...

Troubleshooting

For problems with login and roaming profiles, trace both the server side and the client side. For client debugging, see Microsoft's KB221833 article.

More Samba configuration

This step maps your Windows groups to your Unix groups. This is an important step if you want administration rights on your Windows clients once you have logged onto the client, authenticating against the PDC.

First, view the list of Windows groups, so you know what you're mapping:

  net groupmap list

Code: Example output of net groupmap list

  System Operators (S-1-5-32-549) -> -1
  Replicators (S-1-5-32-552) -> -1
  Guests (S-1-5-32-546) -> -1
  Domain Guests (S-1-5-21-3885047494-3765334852-1543503842-514) -> nobody
  Domain Admins (S-1-5-21-3885047494-3765334852-1543503842-512) -> ntadmins
  Power Users (S-1-5-32-547) -> -1
  Print Operators (S-1-5-32-550) -> -1
  Administrators (S-1-5-32-544) -> 1
  Account Operators (S-1-5-32-548) -> -1
  Domain Users (S-1-5-21-3885047494-3765334852-1543503842-513) -> users
  Backup Operators (S-1-5-32-551) -> -1
  Users (S-1-5-32-545) -> -1

It is possible that for some reason your groupmap is empty. Although unfortunate, it's not a big deal, as you only need the 3 mapped groups in there. Just run the following commands:

  net groupmap add rid=512 unixgroup=ntadmins ntgroup="Domain Admins"
  net groupmap add rid=513 unixgroup=users ntgroup="Domain Users"
  net groupmap add rid=514 unixgroup=nobody ntgroup="Domain Guests"

As you can see, only 3 groups are mapped. That's all that is really required; you may add more if you desire. Additionally, you may want to create a Unix group called ntadmins:

  groupadd ntadmins

After you create your required Unix groups, you need to map them to your Windows groups, replacing the ntgroup value with a Windows group listed above and unixgroup with the Unix group you wish to map the Windows group to (remember, the Unix group must already exist):

  net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins type=d
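As an added check that is not part of the original HOWTO, the POSIX shell functions below parse the text of net groupmap list (here a constructed sample in the same format as the output above) and report which of the three required RIDs, 512, 513 and 514, still lack a Unix group, which is exactly the empty-groupmap condition described above.

```shell
# Constructed sample of 'net groupmap list' output, in the format shown above
# (not a live capture). Built-in aliases use S-1-5-32-* SIDs; domain groups end in -RID.
SAMPLE_GROUPMAP='Domain Guests (S-1-5-21-3885047494-3765334852-1543503842-514) -> nobody
Domain Admins (S-1-5-21-3885047494-3765334852-1543503842-512) -> ntadmins
Administrators (S-1-5-32-544) -> 1
Domain Users (S-1-5-21-3885047494-3765334852-1543503842-513) -> users
Users (S-1-5-32-545) -> -1'

# groupmap_unixgroup OUTPUT RID: print the Unix group mapped to the domain SID
# ending in -RID, or nothing when the RID is absent or mapped to -1 (unmapped).
groupmap_unixgroup() {
    printf '%s\n' "$1" | awk -v rid="$2" '
        match($0, /\(S-1-5-21-[0-9-]+\)/) {
            sid = substr($0, RSTART + 1, RLENGTH - 2)   # strip the parentheses
            n = split(sid, p, "-")                      # p[n] is the RID
            if (p[n] == rid && $NF != "-1") { print $NF; exit }
        }'
}

# groupmap_missing OUTPUT: print the required RIDs (512 Domain Admins, 513 Domain
# Users, 514 Domain Guests) that have no Unix group; return how many are missing.
groupmap_missing() {
    missing=0
    for rid in 512 513 514; do
        g=$(groupmap_unixgroup "$1" "$rid")
        if [ -z "$g" ]; then
            echo "RID $rid has no Unix group mapping"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

groupmap_missing "$SAMPLE_GROUPMAP" && echo "all three required mappings present"
```

On a live server, pass "$(net groupmap list)" instead of the sample before and after running the net groupmap commands above.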

You'll need to run net groupmap modify once for each Unix group you wish to map. You can now use your new groups for specific group parameters in either your global or service scopes. (Carter, Ts, Eckstein, 2007)

Final Steps

Now that you are done configuring Samba, start it and add it to your default run level:

  /etc/init.d/samba start
  rc-update add samba default

At this point, you should be able to log into your domain using your username and password (not root). If you wish to use a roaming profile, you'll need to tell the client. This is done by right-clicking My Computer => Properties => User Profiles. Select your user and "Change type".

Using ACL

What are ACLs?

Extended attributes are arbitrary name/value pairs which are associated with files or directories. They can be used to store system objects like capabilities of executables and access control lists, as well as user objects. The attr(5) manual page describes which kinds of extended attributes are defined.

Access Control Lists

On UNIX and UNIX-like systems, file permissions are defined by the file mode. The file mode contains nine bits that determine access permissions of a file, plus three special bits. This mechanism allows one to define access permissions for three classes of users: the file owner, the file group, and others. This mechanism is very simple; with a couple of bits, many permission scenarios can be modeled.

Some applications require more control over permissions than this model offers. Access control lists implement a more fine-grained permission model: in addition to the file owner, the file group, and others, additional users and groups can be granted or denied access.

How to enable ACLs

For installation and usage please take a look at HOWTO Use filesystem ACLs.

The option profile acls

This option has nothing to do with the ACLs on a filesystem. It is, rather, an emulation of an ACL to make sure that XP and 2000 clients can read their profile from the server. More information can be found in man smb.conf.

Useful Scripts

Example login.bat Script

Code: login.bat

  echo Setting Current Time...
  net time \\<server> /set /yes

  echo Mapping Network Drives to Domain network server...
  net use H: /HOME
  net use X: \\<server>\public
  net use Y: \\<server>\audio
  net use Z: \\<server>\video

When mapping your home drive, please make sure the letter you specify in logon drive in your [global] section is the same as in the net use X: /HOME command, where X is the drive letter.

List connected users

This bash script produces a list of all users currently logged in. It is useful for determining whether a specific user is logged in or whether any users are still connected; for example, before you shut down your PDC you must be sure that no user is connected.

Code: list_users.sh

  #!/bin/bash
  # List the users currently connected to this Samba server, then count them.
  # smbstatus -b prints a brief connection table whose second column is the username;
  # the sed filters drop the header, separator and blank lines.
  SMBUSERS=$(/usr/bin/smbstatus -b \
      | /usr/bin/sed -e '/------/d' -e '/PID/d' -e '/Samba version/d' -e '/^$/d' \
      | /usr/bin/awk '{print $2}')
  SMBUSERCOUNT=0
  for SMBUSER in $SMBUSERS
  do
      echo "$SMBUSER"                # each username
      let "SMBUSERCOUNT += 1"
  done
  echo "$SMBUSERCOUNT"               # number of users logged in
  exit 0