NSLU2-Linux

1. Goal

Samba is able to act as a PDC (Primary Domain Controller). If you are interested in this procedure, I suppose you don't want more explanations about what a PDC is.

This procedure will turn the Slug into a PDC.
There will be no impact on its file server capabilities.

2. Prerequisites

Here is the procedure I followed to set up a PDC on my slug with Samba and Swat 3.0.23c-r0.
I tested this procedure with my Linksys NSLU2, with Openslug 2.7 beta.
I used XP Pro SP2 and Vista Ultimate SP1 clients to join the domain.

I assume that Samba and Swat are up and running on your slug. See the Samba setup procedures if that is not the case.

This is a minimalist procedure. Please feel free to complete it if you have hints and tricks.

What the slug will do after this procedure

After this procedure, the Slug will act as a PDC for a domain called MAISON, with roaming profiles.

What the slug won't do after this procedure

  1. You won't be able to add users to the domain from any Windows client,
  2. You won't be able to add computers to the domain from any Windows client.

3. Overview

  1. Modify Samba configuration
  2. Create mapping between Windows and Unix groups
  3. Declare all computers of the domain in the slug
  4. Declare the admin users of the domain in the slug
  5. Declare all users of the domain in the slug
  6. Restart Samba before asking a Windows client to join the domain
  7. Ask a Windows client to join the domain
  8. (Optional) Disable the roaming profile

4. Step 1: Modify Samba configuration

The easiest way is to edit the smb.conf file directly. An alternative is to use Swat.

I list only the parameters relevant to setting up a PDC, not the whole set of parameters:

 [global]
 # this is the name of the domain your slug will act as a PDC for
 	netbios name = NAS
 	workgroup = MAISON

 # instruct the slug to act as a PDC
 # domain master: Yes = PDC, No = BDC (only meaningful when domain logons = Yes)
 # (Samba does not accept a comment after a value on the same line, so keep comments on their own lines)
 	domain logons = Yes
 	domain master = Yes
 	os level = 33
 	preferred master = Yes
 	local master = Yes

 # instruct the PDC how to handle passwords for the domain users
 	security = USER
 	encrypt passwords = yes
 	unix password sync = yes

 # path of the logon script, relative to the [netlogon] share
 # %U is replaced by the name of the connecting user
 # so the logon script is the same whatever the OS of the connecting client
 # there must be a script file called logon.bat in [netlogon]/<login>
 # (<login> is the name of a user declared in the domain)
 	logon script = %U\logon.bat

 # path where the roaming profiles are stored
 # %N is replaced by the Samba server NetBIOS name
 # %U is replaced by the name of the connecting user
 # %a is replaced by the OS of the connecting client
 # so there is a different roaming profile per user and per OS
 	logon path = \\%N\netlogon\%U\%a

 # netlogon is traditionally the place to store the roaming profiles and the logon scripts
 [netlogon]
 	path = /home/netlogon
 	read only = No

And that's it for the smb.conf file.

It should normally be possible to have the PDC itself add a machine and/or a user to the domain. Unfortunately, to do that automatically, you need to create the user while specifying which group it should belong to, and for the time being my adduser command is not able to do that.
Any tricks?

What's in my logon.bat script file

I have declared in logon.bat all the resources I want to mount at login:

 net use Y: \\NAS\Backup
 net use Z: \\NAS\Outlook

5. Step 2: Create mapping between Windows and Unix groups

In theory

Some groups are built-in in Windows, and will be used for administrative tasks. For example, when you request a computer to join a Windows domain, Windows will ask you for the logon/password of a trusted user that has the right to do this operation. Windows knows that a user is trusted when it belongs to the Windows group "Domain Admins".

As the slug will be the only place to store users, it is necessary to map corresponding Unix groups to the necessary Windows groups.

You can find in the literature that at least three Windows groups are necessary, and many others are useful.

 Known entity              RID  Type   Mandatory
 Domain Administrator      500  User   No
 Domain Guest              501  User   No
 Domain KRBTGT             502  User   No
 Domain Admins             512  Group  Yes
 Domain Users              513  Group  Yes
 Domain Guests             514  Group  Yes
 Domain Computers          515  Group  No
 Domain Controllers        516  Group  No
 Domain Certificate Admins 517  Group  No
 Domain Schema Admins      518  Group  No
 Domain Enterprise Admins  519  Group  No
 Domain Policy Admins      520  Group  No
 Builtin Admins            544  Alias  No
 Builtin Users             545  Alias  No
 Builtin Guests            546  Alias  No
 Builtin Power Users       547  Alias  No
 Builtin Account Operators 548  Alias  No
 Builtin System Operators  549  Alias  No
 Builtin Print Operators   550  Alias  No
 Builtin Backup Operators  551  Alias  No
 Builtin Replicator        552  Alias  No
 Builtin RAS Servers       553  Alias  No

The RID (relative identifier) is the unique reference of the Windows group or user within the domain.

Practically

Despite all the literature, and after many trials, it appears that only the mapping with the "Domain Admins" Windows group is mandatory.

In real life

There is a built-in Unix group called root. It is this Unix group that I mapped to the "Domain Admins" Windows group.

To make things clean, I decided to create a Unix group ntcomputers to gather all the computers of the domain.
This is not compulsory. But as I did this, it was not a big effort to map this group to the "Domain Computers" Windows group.

There is a built-in Unix group called nogroup. Even if it appears not to be compulsory, I decided to map the Unix nogroup group to the "Domain Guests" Windows group.

Just to be clean, I also decided to create a Unix group called ntusers, and to map it to the "Domain Users" Windows group, but I put no accounts in this group.

Create the Unix groups

 addgroup ntcomputers
 addgroup ntusers

The built-in root Unix group contains all the trusted users with administrative Windows rights.
The built-in nogroup Unix group contains all the guest users declared in Windows. The ntcomputers Unix group contains all computers of the Windows domain (this mapping does not appear to be mandatory).
The ntusers Unix group should contain all users of the Windows domain (this mapping does not appear to be mandatory) - BUT I put no user in it.

We now need to map the Unix groups and the Windows groups as follows:

 Unix group   Windows group
 root         Domain Admins
 ntcomputers  Domain Computers
 ntusers      Domain Users
 nogroup      Domain Guests

The relevant script to map Unix and Windows groups

The mapping is cleared at each reboot, so a script is needed to recreate it.

Create a file called _map.sh in the /etc/init.d directory:

 #!/bin/sh
 # recreate the Unix/Windows group mappings (they do not survive a reboot)
 net groupmap add rid=512 type=domain unixgroup=root ntgroup="Domain Admins"
 net groupmap add rid=513 type=domain unixgroup=ntusers ntgroup="Domain Users"
 net groupmap add rid=514 type=domain unixgroup=nogroup ntgroup="Domain Guests"
 net groupmap add rid=515 type=domain unixgroup=ntcomputers ntgroup="Domain Computers"

Do not forget to make it executable: chmod 700 /etc/init.d/_map.sh

Then create a link in rcS.d to that script so that it is executed at each reboot:

 cd /etc/rcS.d
 ln -s /etc/init.d/_map.sh S99map_domains.sh

Time to reboot

 sync
 reboot

How to check the current mapping

After the reboot, the command net groupmap list shows all the current mappings:

 Domain Guests (S-1-5-21-1123934332-1620061200-2314455425-514) -> nogroup
 Domain Users (S-1-5-21-1123934332-1620061200-2314455425-513) -> ntusers
 Domain Computers (S-1-5-21-1123934332-1620061200-2314455425-515) -> ntcomputers
 Domain Admins (S-1-5-21-1123934332-1620061200-2314455425-512) -> root
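As an added example (not the wiki's own _map.sh), here is an idempotent version of the mapping script: it parses the output of net groupmap list, in the format shown above, and adds only the mappings that are missing, so it is safe to run both from rcS.d and by hand. It assumes the Unix groups of Step 2 exist and that rcS.d scripts are started with the argument start.

```sh
#!/bin/sh
# Idempotent replacement for _map.sh (added example, not the wiki's own script).
# Group names and RIDs are those of Step 2.

# One wanted mapping per line: RID, Unix group, Windows group name.
WANTED_MAPPINGS='512 root Domain Admins
513 ntusers Domain Users
514 nogroup Domain Guests
515 ntcomputers Domain Computers'

# Read "net groupmap list" output on stdin and print the RID of every mapped entry.
# A line looks like: Domain Admins (S-1-5-21-...-512) -> root
# The RID is the last dash-separated number of the SID.
mapped_rids() {
    sed -n 's/^.*(S-[0-9-]*-\([0-9][0-9]*\)) -> .*$/\1/p'
}

# Read "net groupmap list" output on stdin and print the wanted mappings that are
# not there yet, as "RID unixgroup ntgroup" lines (nothing if all are present).
missing_mappings() {
    have=$(mapped_rids)
    printf '%s\n' "$WANTED_MAPPINGS" | while read -r rid ugrp ntgrp; do
        if ! printf '%s\n' "$have" | grep -qx "$rid"; then
            printf '%s %s %s\n' "$rid" "$ugrp" "$ntgrp"
        fi
    done
}

# Add only the missing mappings; this part needs the real net command on the slug.
apply_mappings() {
    net groupmap list | missing_mappings | while read -r rid ugrp ntgrp; do
        net groupmap add rid="$rid" type=domain unixgroup="$ugrp" ntgroup="$ntgrp"
    done
}

# rcS.d scripts are assumed to be called with "start"; by hand: /etc/init.d/_map.sh start
case "${1:-}" in
    start) apply_mappings ;;
esac
```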

6. Step 3: Declare all computers of the domain in the slug

Windows requires every computer of the domain to be known by the PDC. As seen before, this step cannot be done from Windows; it has to be done on the slug. Let's suppose that we want to declare that host is a member of the domain.

Create the host$ Unix user

 adduser host$
 delgroup host$

where host is the NetBIOS name of the computer you want to declare into the domain.
adduser will prompt you for a password.
The '$' is mandatory: it declares that this is a computer and not a regular user.
adduser automatically creates a group with the same name as the user. This group is useless here, so we delete it with delgroup.

Assign host$ to the Unix ntcomputers group

Go into the /etc/group file, and note the group id of the ntcomputers group.
In my example, the line describing the ntcomputers group is: ntcomputers:x:64002:
The group id of the ntcomputers group is then 64002

Go into the /etc/passwd file:

  • find the host$ line
  • it should look like: host$:x:505:505:Linux User,,,:/home/host$:/bin/sh
    • Replace the group id by the group id of the ntcomputers group
    • Change the comment Linux User,,, (it will appear in the start menu of your Windows client)
    • Delete the home directory to prevent any direct login from Unix
    • Replace the login shell /bin/sh by /dev/null to prevent any direct login from Unix
  • finally, the line should look like: host$:x:505:64002:Any comment::/dev/null

Repeat this step as many times as you have computers to join the domain.
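The passwd edit of Step 3 scripted, as an added example that is not part of the original page: the functions take the passwd and group files as parameters so they can be tried on copies first; declare_computer chains the adduser / delgroup commands above with the rewrite and must run as root on the slug. The comment text written into the entry is an assumption.

```sh
#!/bin/sh
# Added example (not the wiki's own commands): script the /etc/passwd edit of Step 3.
# Assumes the ntcomputers group exists (addgroup ntcomputers, Step 2).

# Print the numeric gid of a group, read from a group(5)-format file such as /etc/group.
# Usage: group_gid <group> <group-file>
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3 }' "$2"
}

# Rewrite the entry of machine account <host>$ in a passwd(5)-format file and print the
# whole file on stdout: gid set to <gid>, comment replaced, home directory emptied and
# login shell set to /dev/null, exactly like the hand edit described in Step 3.
# Other lines are printed unchanged.
# Usage: rewrite_machine_entry <host> <gid> <comment> <passwd-file>
rewrite_machine_entry() {
    awk -F: -v OFS=: -v user="$1\$" -v gid="$2" -v comment="$3" '
        $1 == user { $4 = gid; $5 = comment; $6 = ""; $7 = "/dev/null" }
        { print }
    ' "$4"
}

# The whole step for one computer (run as root on the slug; adduser asks for a password).
# The comment "Domain computer <host>" is an assumed value; use whatever you like.
declare_computer() {
    host=$1
    adduser "$host\$"
    delgroup "$host\$"
    gid=$(group_gid ntcomputers /etc/group)
    [ -n "$gid" ] || { echo "group ntcomputers missing: run addgroup ntcomputers first" >&2; return 1; }
    rewrite_machine_entry "$host" "$gid" "Domain computer $host" /etc/passwd > /etc/passwd.new &&
        mv /etc/passwd.new /etc/passwd
}
```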

7. Step 4: Declare the admin users of the domain in the slug

When you ask a Windows client to join a domain, you will be prompted for the login/password of a trusted user. Windows knows that a user is trusted if it belongs to the Windows Domain Admins group.

In step 2, we have already mapped the Unix root built-in group to the Windows Domain Admins group. It means that all users declared in the Unix root group will be considered by Windows as trusted users.

By default, the root user belongs to the root built-in group, and so will be considered as a trusted user. All you need to do is to declare the root user in Samba if you have not done it previously (it's very likely you already declared the root user in Samba when you installed Samba).

 smbpasswd -a root

You will be prompted for a password.

8. Step 5: Declare all users of the domain in the slug

As we have seen previously, we cannot create the users of the domain from a Windows client. We then have to create all users directly on the slug. Let's suppose that we want to declare that User is a member of the domain.

Create the User Unix user

 adduser User

adduser will prompt you for a password.
adduser automatically creates a group with the same name as the user.

Declare User in Samba

 smbpasswd -a User

You will be prompted for a password.

Repeat this step as many times as you have users in the domain.

9. Step 6: Restart Samba before asking a Windows client to join the domain

 /etc/init.d/samba restart

This makes Samba take the freshly created computers and users into account.

10. Step 7: Ask a Windows client to join the domain

Prepare a Windows XP client

You can find on the Internet many registry modifications said to be absolutely mandatory for a Windows XP client to join a domain implemented with Samba.

I implemented only one of those. I am not enough of a Windows expert either to understand exactly what it does, or to say whether it can work without it.

Modify the following registry key:

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
 "requiresignorseal"=dword:00000000
 (default is 1)

Prepare a Vista client

I implemented the same registry change as for Windows XP:

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
 "requiresignorseal"=dword:00000000
 (default is 1)

However, you can find on the Internet other changes that seem very important. I did NOT make those changes (and it works), but I cannot certify there won't be any side-effect later on. That's why I report those changes:

  • Start > Run
  • Type in the Run field: "secpol.msc". That will bring you to Vista's security policy system.
  • Once there, go to Local Policies > Security Options
  • Find "Network Security: LAN Manager authentication level".
  • Change the setting from "Send NTLMv2 response only" to "Send LM & NTLM -- use NTLMv2 session security if negotiated".

If you're running a version of Vista that cannot use secpol.msc, you can edit the registry instead. Just change the value of:

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
 "LMCompatibilityLevel"=dword:3
 (default is 1)

Ask the computer to join the domain (whether Windows XP or Vista)

  • Start > Configuration Panel > System > Computer Name
  • Click on the "Network id" wizard
  • Choose "This computer belongs to a domain [...]"
  • Choose "My company uses a network with a domain"
  • You will be prompted for a login / password / domain
    • Enter the login/password of a user you configured previously (not necessarily root): you must have declared this user in the previous steps
    • Change the domain to MAISON (well, the name of YOUR domain)
  • You will be prompted for a computer name / domain
    • Enter the NetBIOS name of your computer: you must have declared this computer in the previous steps
    • Set the domain to MAISON
  • You will be prompted for a trusted login / password / domain
    • Enter root as login, and the corresponding password
    • Set the domain to MAISON

And that's it...

11. Step 8: (Optional) Disable the roaming profile

I found that roaming profiles make startup times VERY long with a laptop using WiFi. I found a way to disable the roaming profiles while keeping the centralization of passwords offered by a PDC.

  • Start > Configuration Panel > System > Advanced
  • In "Users profiles", click "Parameters"
  • Double-click on the line representing a profile, and choose "Local profile"

The above procedure is valid for both XP and Vista clients.

12. Troubleshooting

I ran into many issues. Here are some of them, and the solutions I found.

A Vista client claims "User account already exists" when joining the domain

I experienced this problem only with Vista client (not XP client).

Supposing I used user when joining the domain (remember, the regular user, not the root trusted user), run on the slug:

 smbpasswd -x user

Perform the procedure again, and you will see that the Vista client declares user itself in Samba. You can check by cat-ing the /etc/samba/private/smbpasswd file and verifying that user is now declared in the file.

This problem does not seem reproducible: I ghosted the Vista client, performed the same procedure again, and the problem did not occur again.

A Vista client claims "Your roaming profile has not been loaded" when logged on

I forgot to change the registry key:

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
 "requiresignorseal"=dword:00000000

After changing the registry key, all seems fine.

Last edited by JNC.
Originally by JNC.
Page last modified on February 18, 2009, at 09:39 PM