NSLU2-Linux

HowTo.SetUpPDCWithSamba History


February 18, 2009, at 09:39 PM by JNC --
Deleted lines 235-241:

Declare host in Samba

 smbpasswd -a host
 (without '$')

You will be prompted for a password.

January 28, 2009, at 10:40 PM by JNC --
Deleted lines 184-200:

jncharli, 2009/01/22 I experienced the following error when running this script : adding entry for group Domain Admins failed! adding entry for group Domain Users failed! adding entry for group Domain Guests failed! adding entry for group Domain Computers failed!

That's why I had to change the script to :

 net groupmap set "Domain Admins" "root"
 net groupmap set "Domain Users" "ntusers"
 net groupmap set "Domain Guests" "nogroup"
 net groupmap set "Domain Computers" "ntcomputers"

And this time, it runs...

January 22, 2009, at 08:30 PM by JNC -- Script alternative
Added lines 185-201:

jncharli, 2009/01/22 I experienced the following error when running this script : adding entry for group Domain Admins failed! adding entry for group Domain Users failed! adding entry for group Domain Guests failed! adding entry for group Domain Computers failed!

That's why I had to change the script to :

 net groupmap set "Domain Admins" "root"
 net groupmap set "Domain Users" "ntusers"
 net groupmap set "Domain Guests" "nogroup"
 net groupmap set "Domain Computers" "ntcomputers"

And this time, it runs...

January 21, 2009, at 10:14 PM by JNC --
Changed lines 234-235 from:
  • finally, the line should look like : host$:x:505:64002:Host$::/dev/null
to:
  • finally, the line should look like : host$:x:505:64002:Any comment::/dev/null
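The machine-account line above is what the procedure arrives at by hand-editing /etc/passwd, and the user accounts of Step 5 follow the same conventions; it is easy to get one field wrong (the May 31 revision below still shows a User line with /home/admin and /bin/sh before it was corrected). The Python helper that follows is an added example, not part of the HowTo: it builds such an entry and checks an existing line for the properties the setup relies on (trailing '$' only on machine trust accounts, password field 'x', no uid 0, the intended gid, no usable home, a non-login shell). It writes /bin/false as the shell because that is the conventional non-shell; the HowTo's /dev/null also denies login since it cannot be executed, so the check accepts it. Note also that smbpasswd has a dedicated flag for machine trust accounts, smbpasswd -a -m host, which marks the account as a machine account and appends the '$' itself. The sample lines in the main block are constructed from the ones on this page.

```python
import re

# Shells that deny interactive login. /bin/false is the conventional choice;
# the HowTo's /dev/null also works because it cannot be executed.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/dev/null"}
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*\$?$", re.IGNORECASE)


def passwd_entry(name, uid, gid, comment="", machine=False):
    """Build the /etc/passwd line for a Samba domain account that must never
    log in on the Unix side: no home directory, a non-shell, and for machine
    trust accounts the trailing '$' that Samba looks up."""
    if machine and not name.endswith("$"):
        name += "$"
    if not NAME_RE.match(name):
        raise ValueError(f"invalid account name {name!r}")
    if ":" in comment or "\n" in comment:
        raise ValueError("comment may not contain ':' or newlines")
    return f"{name}:x:{uid}:{gid}:{comment}::/bin/false"


def check_entry(line, expect_gid=None, machine=False):
    """Return the problems with an existing passwd line ([] if it is fine)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return [f"expected 7 colon-separated fields, got {len(fields)}"]
    name, pw, uid, gid, _comment, home, shell = fields
    problems = []
    if machine != name.endswith("$"):
        problems.append("machine trust accounts end with '$', user accounts do not")
    if pw != "x":
        problems.append("password field must be 'x'; an empty field means no password at all")
    if not (uid.isdigit() and gid.isdigit()):
        problems.append("uid and gid must be numeric")
    else:
        if int(uid) == 0:
            problems.append("uid 0 is root: a domain account must not be a Unix superuser")
        if expect_gid is not None and int(gid) != expect_gid:
            problems.append(f"gid {gid} is not the intended group {expect_gid}")
    if home not in ("", "/nonexistent", "/dev/null"):
        problems.append(f"home {home!r} should be empty or point to a non-existent directory")
    if shell not in NOLOGIN_SHELLS:
        problems.append(f"shell {shell!r} allows interactive login")
    return problems


if __name__ == "__main__":
    # Constructed sample lines, modelled on the ones in the HowTo.
    print(passwd_entry("host", 505, 64002, "Any comment", machine=True))
    for line, kw in [
        ("host$:x:505:64002:Any comment::/dev/null", dict(expect_gid=64002, machine=True)),
        ("User:x:507:507:Linux User,,,:/home/admin:/bin/sh", dict(expect_gid=502)),
        ("host:x:505:64002:Host::/dev/null", dict(machine=True)),
    ]:
        print(line, "->", check_entry(line, **kw) or "ok")
```

Run it on the slug as root against `grep '\$:' /etc/passwd` to check every machine account in one go; the gid to expect is the one of ntcomputers in /etc/group.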
January 21, 2009, at 10:08 PM by JNC --
Changed lines 185-186 from:

Do not forget to chmod 766 _map.sh

to:

Do not forget to chmod 700 _map.sh
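Two things in these January 2009 revisions deserve a closer look. The January 22 comment shows net groupmap add failing: it refuses to add an entry for a group that is already mapped, while net groupmap set updates the existing mapping (and creates it when none exists), which is why the rewritten script runs. And the change from chmod 766 to chmod 700 is a security fix, not cosmetics: a mode 766 script is world-writable, and /etc/rcS.d runs it as root at every boot, so any local account could have appended commands to it. The Python below is an added example, not from the HowTo: it parses net groupmap list output and /etc/group to confirm the three mandatory RIDs are mapped to groups that exist, lists which Unix accounts become Domain Admins through the RID 512 mapping (with the page's mapping to the root group, that is every account whose primary gid is 0, not only the members listed in /etc/group), and checks the permission bits of a boot script. The group map, /etc/group and /etc/passwd contents are constructed samples modelled on the page.

```python
import re
import stat

# Well-known RIDs the HowTo found to be required; 515 (Domain Computers) is optional.
MANDATORY_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
# One line of 'net groupmap list', e.g.
#   Domain Admins (S-1-5-21-1123934332-1620061200-2314455425-512) -> root
GROUPMAP_LINE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-21(?:-\d+)+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """'net groupmap list' output -> {rid: (windows group, unix group)}."""
    mappings = {}
    for line in text.splitlines():
        m = GROUPMAP_LINE.match(line.strip())
        if m:
            rid = int(m.group("sid").rsplit("-", 1)[1])
            mappings[rid] = (m.group("nt"), m.group("unix"))
    return mappings


def parse_etc_group(text):
    """/etc/group -> {name: (gid, set of supplementary members)}."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def unix_members(group, etc_group_text, etc_passwd_text):
    """Members as Samba resolves them: supplementary members from /etc/group
    plus every account whose primary gid (4th passwd field) is this group."""
    groups = parse_etc_group(etc_group_text)
    if group not in groups:
        return set()
    gid, members = groups[group]
    members = set(members)
    for line in etc_passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[3].isdigit() and int(f[3]) == gid:
            members.add(f[0])
    return members


def check_groupmap(groupmap_text, etc_group_text):
    """Mandatory RIDs that are unmapped, and mappings to non-existent Unix groups."""
    mappings = parse_groupmap(groupmap_text)
    groups = parse_etc_group(etc_group_text)
    problems = [f"RID {rid} ({name}) is not mapped"
                for rid, name in MANDATORY_RIDS.items() if rid not in mappings]
    for rid, (nt, unix) in sorted(mappings.items()):
        if unix not in groups:
            problems.append(f"{nt} (RID {rid}) -> {unix}: no such Unix group")
    return problems


def domain_admins(groupmap_text, etc_group_text, etc_passwd_text):
    """Unix accounts Windows will treat as Domain Admins via the RID 512 mapping."""
    mappings = parse_groupmap(groupmap_text)
    if 512 not in mappings:
        return set()
    return unix_members(mappings[512][1], etc_group_text, etc_passwd_text)


def script_mode_problems(mode):
    """Permission problems of a script that rcS.d runs as root at boot.
    Feed it stat.S_IMODE(os.stat(path).st_mode), or a literal such as 0o766."""
    problems = []
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable: any local account can add commands that run as root at boot")
    if not mode & stat.S_IXUSR:
        problems.append("not executable by its owner")
    return problems


# Constructed samples modelled on the HowTo's output and files.
GROUPMAP_SAMPLE = """\
Domain Admins (S-1-5-21-1123934332-1620061200-2314455425-512) -> root
Domain Users (S-1-5-21-1123934332-1620061200-2314455425-513) -> ntusers
Domain Guests (S-1-5-21-1123934332-1620061200-2314455425-514) -> nogroup
Domain Computers (S-1-5-21-1123934332-1620061200-2314455425-515) -> ntcomputers
"""
ETC_GROUP_SAMPLE = "root:x:0:\nnogroup:x:65534:\nntusers:x:502:\nntcomputers:x:64002:\n"
ETC_PASSWD_SAMPLE = ("root:x:0:0:root:/root:/bin/sh\n"
                     "User:x:507:502:User::/dev/null\n"
                     "host$:x:505:64002:Any comment::/dev/null\n")

if __name__ == "__main__":
    print(check_groupmap(GROUPMAP_SAMPLE, ETC_GROUP_SAMPLE) or "group map ok")
    print("Domain Admins:", sorted(domain_admins(GROUPMAP_SAMPLE, ETC_GROUP_SAMPLE, ETC_PASSWD_SAMPLE)))
    print("chmod 766:", script_mode_problems(0o766), "  chmod 700:", script_mode_problems(0o700))
```

On the slug, pipe `net groupmap list` and the real /etc/group and /etc/passwd into these functions after each reboot; if the list of Domain Admins contains anything but the account you intended, fix the group membership before joining any client.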

September 28, 2008, at 10:43 AM by JNC -- Disabling the itinary profile is tha same procedure for Vista and XP
Changed lines 348-350 from:

Nevertheless, on a XP client, it seems that you can update the profile of all the users declared in the PDC. However, on a Vista client, it seems you can update only the profile of the logged-in profile. You must then login-update-logoff for each profile declared in the PDC.

to:
August 13, 2008, at 09:42 PM by JNC -- Add the (Optional) Disable the itinary profile
Changed lines 39-40 from:
to:
  1. (Optional) Disable the itinary profile
Changed lines 338-339 from:

11. Troubleshootings

to:

11. Step 8 : (Optional) Disable the itinary profile

I experienced that itinary profiles makes startup times VERY long with a laptop using WiFi. I found the way to disable the itinary profiles, keeping the centralization of passwords offered by a PDC.

  • Start > Configuration Panel > System > Advanced
  • In "Users profiles", click "Parameters"
  • Double-click on the line representing a profile, and choose "Local profile"

The above procedure is valid for both XP and Vista clients. Nevertheless, on a XP client, it seems that you can update the profile of all the users declared in the PDC. However, on a Vista client, it seems you can update only the profile of the logged-in profile. You must then login-update-logoff for each profile declared in the PDC.

12. Troubleshootings

June 10, 2008, at 12:48 PM by JNC --
Changed lines 326-327 from:
Enter the login/password for a user you configured previously (not necessarily root) : you must have declared this user in the previous steps
Change the domain to MAISON (well, the name of YOUR domain)
to:
Enter the login/password for a user you configured previously (not necessarily root) : you must have declared this user in the previous steps
Change the domain to MAISON (well, the name of YOUR domain)
Changed lines 329-330 from:
Enter the netbios name of your computer : you must have declared this computer in the previous steps
Set the domain to MAISON
to:
Enter the netbios name of your computer : you must have declared this computer in the previous steps
Set the domain to MAISON
Changed lines 332-334 from:
Enter root as login, and the corresponding password
Set the domain to MAISON
to:
Enter root as login, and the corresponding password
Set the domain to MAISON
June 10, 2008, at 10:09 AM by JNC --
June 10, 2008, at 09:54 AM by JNC --
Changed lines 40-41 from:

Step 1 : Modify Samba configuration

to:

4. Step 1 : Modify Samba configuration

Changed lines 97-98 from:

Step 2 : Create mapping between Windows and Unix groups

to:

5. Step 2 : Create mapping between Windows and Unix groups

Changed lines 204-205 from:

Step 3 : Declare all computers of the domain in the slug

to:

6. Step 3 : Declare all computers of the domain in the slug

Changed lines 244-245 from:

Step 4 : Declare the admin users of the domain in the slug

to:

7. Step 4 : Declare the admin users of the domain in the slug

Changed lines 259-260 from:

Step 5 : Declare all users of the domain in the slug

to:

8. Step 5 : Declare all users of the domain in the slug

Changed lines 280-281 from:

Step 6 : Restart Samba before asking a Windows client to join the domain

to:

9. Step 6 : Restart Samba before asking a Windows client to join the domain

Changed lines 286-287 from:

Step 7 : Ask a Windows client to join the domain

to:

10. Step 7 : Ask a Windows client to join the domain

Changed lines 337-338 from:

Troubleshootings

to:

11. Troubleshootings

June 10, 2008, at 09:49 AM by JNC --
Changed line 102 from:

For example, when you make a computer join a domain, Windows will ask you for the logon/password of a trusted user that has the right to do this operation.

to:

For example, when you request a computer to join a Windows domain, Windows will ask you for the logon/password of a trusted user that has the right to do this operation.

Changed lines 105-106 from:

As the slug will be the only place to store domain users, it is necessary to map corresponding Unix groups to the necessary Windows groups.

to:

As the slug will be the only place to store users, it is necessary to map corresponding Unix groups to the necessary Windows groups.

Changed line 230 from:
  • Change the comment Linux User,,, (it will appear in Windows, in the start menu)
to:
  • Change the comment Linux User,,, (it will appear in the start menu lf your Windows client)
Changed line 232 from:
  • Void the startup shell (replace /bin/sh by /dev/null) to avoid to prevent any direct login from Unix
to:
  • Void the startup shell (replace /bin/sh by /dev/null) to prevent any direct login from Unix
Deleted lines 245-246:

There must be some special trusted users, declared in the "Domain Admins" Windows group domain.\\

Changed lines 247-249 from:

I decided to re-use the root built-in Unix user (that is alredy in the Unix root group).

to:

Windows knows that a user is trusted if it belongs to the Windows Domain Admins group.

In step 2, we have already mapped the Unix root built-in group with the Windows Domain Admins group. It means that all users declared in the Unix root group will be considered by Windows as trusted users.

By default, the root user is declared in the root built-in group, and so will be considered as a trusted user. All you need to do is to declare the root user in Samba if you have not done it previously (it's very likely you already declared the root user in Samba when you installed Samba).

Deleted lines 258-259:

As the "Domain Admin" Windows group is already mapped to the root Unix group, there is nothing more to do.

June 10, 2008, at 09:33 AM by JNC --
Changed lines 1-2 from:

1. Prerequisite

to:

1. Goal

Samba is able to act as a PDC (Primary Domain Controler). If you are interested in this procedure, I suppose you don't want more explanations about what a PDC is.

This procedure will turn the Slug into a PDC.
There will be no impact on its file server capabilities.

2. Prerequisites

Changed lines 13-14 from:

For the time being, I used only XP Pro SP2 and Vista Ultimate SP1 clients to join the domain.

to:

I used XP Pro SP2 and Vista Ultimate SP1 clients to join the domain.

Changed lines 30-31 from:

2. Modify Samba configuration

to:

3. Overview

  1. Modify Samba configuration
  2. Create mapping between Windows and Unix groups
  3. Declare all computers of the domain in the slug
  4. Declare the admin users of the domain in the slug
  5. Declare all users of the domain in the slug
  6. Restart Samba before asking a Windows client to join the domain
  7. Ask a Windows client to join the domain

Step 1 : Modify Samba configuration

Changed lines 45-46 from:

I just list the parameters dedicated to the set up of a PDC and not the whole set of parameters :

to:

I just list the parameters dedicated to setting up a PDC and not the whole set of parameters :

Changed lines 64-65 from:
 # indicates the path to store the logon script (reference from [netlogon] resource)
to:
 # indicates the path to store the logon script
 # this path is a relative reference from [netlogon] resource
Changed lines 68-69 from:
 # there must be a script in a file called logon.bat in [netlogon]/WinXP directory for Windows XP clients
 # and a file called logon.bat in [netlogon]/Win2K.V2 for Vista clients
to:
 # there must be a script file called logon.bat in [netlogon]/<login>
 # (<login> is the name of a user declared in nthe domain)
Changed line 76 from:
 # it means there will be a different initary profile by user, and by OS of the client that connects
to:
 # it means there will be a different initary profile by user, and by OS
Changed lines 90-91 from:

3. Create mapping between Windows and Unix groups

to:

What's in my logon.bat script file

I have declared in logon.bat all the resources I want to mount at login :

 net use Y: \\NAS\Backup
 net use Z: \\NAS\Outlook

Step 2 : Create mapping between Windows and Unix groups

Changed lines 204-205 from:

4. Declare all computers of the domain in the slug

to:

Step 3 : Declare all computers of the domain in the slug

Changed lines 244-245 from:

5. Declare the admin user of the domain in the slug

to:

Step 4 : Declare the admin users of the domain in the slug

Changed lines 258-259 from:

6. Declare all users of the domain in the slug

to:

Step 5 : Declare all users of the domain in the slug

Changed lines 279-280 from:

7. Restart Samba before asking a Windows client to join the domain

to:

Step 6 : Restart Samba before asking a Windows client to join the domain

Changed lines 285-286 from:

8. Ask a Windows client to join the domain

to:

Step 7 : Ask a Windows client to join the domain

May 31, 2008, at 08:48 PM by JNC -- Procedure completion
Changed lines 316-318 from:

I experienced this problem only with Vista client (not Windows XP).

Supposing I was declaring user when joining the domain (not root), do in a Unix script :

to:

I experienced this problem only with Vista client (not XP client).

Supposing I was declaring user when joining the domain (remember, the regular user, not the root trusted user), do in a Unix script :

Changed line 321 from:

Perform again the procedure, and you will see that the Vista client declare user in smaba.

to:

Perform again the procedure, and you will see that the Vista client declares itself user in samba.

Changed line 332 from:

After changing the regustry key, all seems fine.

to:

After changing the registry key, all seems fine.

May 31, 2008, at 08:44 PM by JNC -- Procedure completion
Changed lines 263-268 from:

You find in Internet many registry modifications, declared to be absolutely mandatory if you want a Windows XP client able to connect to a samba domain implemented through Samba.

I implemented none of the following modifications, and it seems the clients are correctly part of the domain.
However, I can not certify there will not be side-effects later on. That's why I report here the most frequently reported modifications, found in Internet :

to:

You can find in Internet many registry modifications, declared to be absolutely mandatory if you want a Windows XP client able to connect to a samba domain implemented through Samba.

I implemented only one of those. I'm not Windows expert enough neither to understand exactly what it makes, nor to say if it can work without.

Changed lines 275-281 from:

The following change should enable you to connect to Samba server with a Vista client (it runs for me even without this change) :

to:

I implemented the same registry change than for Windows XP :

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
 "requiresignorseal"=dword:00000000
 (default is 1)

However, you can find in Internet other changes that seems very important. I did NOT make those changes (and it works), but I can not certify there won't be any side-effect later-on. That's why I report those changes :

Deleted lines 292-295:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
 "requiresignorseal"=dword:00000000
 "signsecurechannel"=dword:00000000
Changed lines 308-332 from:

And that's it...

to:

And that's it...

Troubleshootings

I experienced many issues. Here are some, and the dolutions I found.

A Vista client claims "User account already exists" when joining the domain

I experienced this problem only with Vista client (not Windows XP).

Supposing I was declaring user when joining the domain (not root), do in a Unix script :

 smbpasswd -x user

Perform again the procedure, and you will see that the Vista client declare user in smaba. You can check by cat-ing the /etc/samba/private/smbpasswd file and xheck that user is now declared in the file.

This problem does not seem reproducable : I ghosted the Vista client, and performed again the same procedure, and the problem did not occur again.

A Vista client claims "Your itinary profile has not been loaded" when logged-on

I forgot to change the registry key :

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
 "requiresignorseal"=dword:00000000

After changing the regustry key, all seems fine.
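The registry change in this troubleshooting note, and the two others recorded in the May 31 08:05 PM revision further down (signsecurechannel and LMCompatibilityLevel), all lower the client's security. RequireSignOrSeal=0 lets the client set up its NETLOGON secure channel to the DC without signing or sealing, so anyone on the path can read or alter domain logon traffic; SignSecureChannel=0 stops it asking for signing at all. Samba 3.0 can provide a signed and sealed channel (server schannel, default auto), so the change is worth reverting once the profile problem is understood. The LMCompatibilityLevel step on that revision is also internally inconsistent: the secpol.msc wording "Send LM & NTLM - use NTLMv2 session security if negotiated" is level 1, whereas the registry line it gives writes 3 ("Send NTLMv2 response only", which is Vista's default), and level 1 makes the client send LM and NTLMv1 responses that are cheap to crack offline. The Python below is an added example, not from the page: it parses .reg-style fragments in the form the HowTo gives them (including the key lines that lack the opening bracket), reports what each value does, and maps the secpol wording back to the level it writes. The fragment it parses is constructed from the page's own lines.

```python
import re

NETLOGON = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# LMCompatibilityLevel values and the labels secpol.msc shows for them.
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only. Refuse LM",
    5: "Send NTLMv2 response only. Refuse LM & NTLM",
}

KEY_RE = re.compile(r"^\[?(HKEY_[A-Z_]+(?:\\[^\]\\]+)+)\]?$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')


def parse_reg(text):
    """Parse .reg-style fragments as written in the HowTo into
    {(key path, value name in lower case): int}. Tolerates the missing '['
    on some of the page's key lines and skips the '(default is N)' notes."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        dm = DWORD_RE.match(line)
        if dm and key is not None:
            values[(key, dm.group(1).lower())] = int(dm.group(2), 16)
    return values


def assess(values):
    """Security findings for the values a client is left with. Missing values
    are taken at the Windows default (1 for both Netlogon values); this assumes
    nothing else, such as a group policy, overrides them."""
    findings = []
    if values.get((NETLOGON, "requiresignorseal"), 1) == 0:
        findings.append("RequireSignOrSeal=0: the client accepts an unsigned, unsealed NETLOGON "
                        "secure channel, so an on-path attacker can read or alter domain logon traffic")
    if values.get((NETLOGON, "signsecurechannel"), 1) == 0:
        findings.append("SignSecureChannel=0: the client no longer even asks for signing")
    level = values.get((LSA, "lmcompatibilitylevel"))
    if level is not None:
        if level not in LM_LEVELS:
            findings.append(f"LMCompatibilityLevel={level}: not a valid level (0-5)")
        elif level < 3:
            findings.append(f"LMCompatibilityLevel={level} ({LM_LEVELS[level]}): sends NTLMv1"
                            + (" and LM" if level < 2 else "")
                            + " responses, which are cheap to crack offline")
    return findings


def level_for_secpol_label(label):
    """Map the secpol.msc wording back to the registry value it writes."""
    wanted = re.sub(r"[^a-z0-9]+", "", label.lower())
    for level, name in LM_LEVELS.items():
        if re.sub(r"[^a-z0-9]+", "", name.lower()) == wanted:
            return level
    raise ValueError(f"unknown LAN Manager authentication level label: {label!r}")


# Constructed input: the three fragments the HowTo records, in the form it gives them.
PAGE_FRAGMENTS = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
(default is 1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:3
(default is 1)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"signsecurechannel"=dword:00000000
"""

if __name__ == "__main__":
    for finding in assess(parse_reg(PAGE_FRAGMENTS)):
        print("-", finding)
    print("secpol step writes level",
          level_for_secpol_label("Send LM & NTLM -- use NTLMv2 session security if negotiated"))
```

To audit a real client, export the two keys with `reg export` and feed the file to parse_reg; an empty result from assess means the client still signs its secure channel and sends NTLMv2 only.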

May 31, 2008, at 08:15 PM by JNC --
May 31, 2008, at 08:07 PM by JNC --
Changed lines 298-299 from:
Enter the login/password for a user you configured previously (not necessarily admin) : you must have declared this user in the previous steps
Change the domain to LAN (well, the name of YOUR domain)
to:
Enter the login/password for a user you configured previously (not necessarily root) : you must have declared this user in the previous steps
Change the domain to MAISON (well, the name of YOUR domain)
Changed line 302 from:
Set the domain to LAN
to:
Set the domain to MAISON
Changed lines 304-306 from:
Enter admin as login, and the corresponding password
Set the domain to LAN
to:
Enter root as login, and the corresponding password
Set the domain to MAISON
May 31, 2008, at 08:05 PM by JNC --
Changed lines 5-6 from:

For the time being, I used only XP Pro SP2 and Vista SP1 clients to join the domain.

to:

For the time being, I used only XP Pro SP2 and Vista Ultimate SP1 clients to join the domain.

Changed lines 263-265 from:

You find many registry modifications, declared to be absolutely mandatory if you want a Windows XP client able to connect to a samba domain instatiated through Samba.

I implemented none of the followinf modifications, and it seems the clients are correctly part of the domain.\\

to:

You find in Internet many registry modifications, declared to be absolutely mandatory if you want a Windows XP client able to connect to a samba domain implemented through Samba.

I implemented none of the following modifications, and it seems the clients are correctly part of the domain.\\

Changed lines 269-273 from:
to:

Modify the following registry key :

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
 "requiresignorseal"=dword:00000000
 (default is 1)
Added lines 276-291:

The following change should enable you to connect to Samba server with a Vista client (it runs for me even without this change) :

  • Start > Run
  • Type in the Run field: "secpol.msc." That will bring you to Vista's security policy system.
  • Once there, use "Go to: Local Policies > Security Options"
  • Find "Network Security: LAN Manager" authentication level.
  • Once there, change the Setting from "Send NTLMv2 response only" to "Send LM & NTLM -- use NTLMv2 session security if negotiated."

If you're running a version of Vista that cannot use secpol.msc, you can edit the registry instead. Just change the value of :

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
 "LMCompatibilityLevel"=dword:3
 (default is 1)

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
 "requiresignorseal"=dword:00000000
 "signsecurechannel"=dword:00000000
May 31, 2008, at 07:49 PM by JNC --
Changed lines 209-212 from:

Declare host$ in Samba

 smbpasswd -a host$
to:

Declare host in Samba

 smbpasswd -a host
 (without '$')
Changed lines 261-262 from:

For the time being, I used only XP Pro clients to join the domain :

to:

Prepare a Windows XP client

You find many registry modifications, declared to be absolutely mandatory if you want a Windows XP client able to connect to a samba domain instatiated through Samba.

I implemented none of the followinf modifications, and it seems the clients are correctly part of the domain.
However, I can not certify there will not be side-effects later on. That's why I report here the most frequently reported modifications, found in Internet :

Prepare a Vista client

Ask the computer to join the domain (whether Windows XP or Vista)

May 31, 2008, at 07:41 PM by JNC --
Changed line 219 from:

There must be some special trusted users, declared in the "Domain Admins" Windows group.

to:

There must be some special trusted users, declared in the "Domain Admins" Windows group

May 31, 2008, at 07:39 PM by JNC --
Changed lines 117-118 from:

It is this Unix group that I mapped to the 3Domains Admins" Windows' group.

to:

It is this Unix group that I mapped to the "Domains Admins" Windows group.

May 31, 2008, at 07:37 PM by JNC -- Updated procedure
Changed lines 15-16 from:

After this procedure, the Slug will act as a PDC for a domain called MAISON.

to:

After this procedure, the Slug will act as a PDC for a domain called MAISON, with itinary profiles.

Changed lines 20-22 from:
  1. You won't be able to add computers to the domain from any windows client,
  2. For the time being, I do not detail the procedure to have an itinary profile (it should come in the following days)
to:
  1. You won't be able to add computers to the domain from any windows client.
Added lines 27-28:

I just list the parameters dedicated to the set up of a PDC and not the whole set of parameters :

Deleted line 34:
	domain master = Yes
Added line 36:
	domain master = Yes # Yes = PDC ; No = BDC (only when domain logons = Yes)
Changed lines 46-48 from:
 # instruct the PDC how to change a password
        passwd program = /usr/bin/passwd %u
to:
 # indicates the path to store the logon script (reference from [netlogon] resource)
 # %U will substitute with the connected username
 # it means the logon script will be the same whatever the OS of the clients that connects
 # there must be a script in a file called logon.bat in [netlogon]/WinXP directory for Windows XP clients
 # and a file called logon.bat in [netlogon]/Win2K.V2 for Vista clients
	logon script = %U\logon.bat

 # indicates the path to store the itinary profiles
 # %N substitutes with the samba server netbios name
 # %U substitutes with the connected username
 # %a subsitutes with the OS of the client that connects
 # it means there will be a different initary profile by user, and by OS of the client that connects
	logon path = \\%N\netlogon\%U\%a

 # netlogon is traditionnaly the place to store the itinary profiles and the logon scripts
 [netlogon]
	path = /home/netlogon
	read only = No
Added lines 116-118:

There is a built-in Unix group called root. It is this Unix group that I mapped to the 3Domains Admins" Windows' group.

Deleted lines 122-125:

In the same rationale, I decided to create a Unix group called ntusers to gather all the users of the domain.
This is not compulsory. But as I did this, it was not a big effort to map this group to the "Domain Users" Windows group.

Added lines 126-127:

Just to be clean, I also decided to create a Unix group called ntusers, and to map it with "Domain Users" Windows group, but I put no accounts in this group.

Deleted line 129:
 addgroup ntadmins
Changed lines 133-138 from:

The first Unix group encloses all the trusted users with administrative Windows rights.
The second Unix group encloses all computers of the Windows domain (this mapping does not appear to be mandatory).
The third Unix group encloses all users of the Windows domain (this mapping does not appear to be mandatory).

The Unix nogroup group already exists, and encloses all the Windows guest users.

to:

The built-in root Unix group encloses all the trusted users with administrative Windows rights.
The built-in nogroup Unix group encloses all the guest users declared in Windows. The ntcomputer Unix group encloses all computers of the Windows domain (this mapping does not appear to be mandatory).
The ntusers Unix group should enclose all users of the Windows domain (this mapping does not appear to be mandatory) - BUT I put no user in it.

Changed line 141 from:
 ntadmins      Domains Admins
to:
 root          Domains Admins
Changed line 153 from:
 net groupmap add rid=512 type=domain unixgroup=ntadmins ntgroup="Domain Admins"
to:
 net groupmap add rid=512 type=domain unixgroup=root ntgroup="Domain Admins"
Changed lines 176-177 from:
 Domain Admins (S-1-5-21-1123934332-1620061200-2314455425-512) -> ntadmins
to:
 Domain Admins (S-1-5-21-1123934332-1620061200-2314455425-512) -> root
Changed lines 223-229 from:

In our configuration, it means we have to create a user in the slug that is member of the ntadmins Unix group.

Create the admin Unix user

 adduser admin
 delgroup admin
to:

I decided to re-use the root built-in Unix user (that is alredy in the Unix root group).

 smbpasswd -a root

You will be prompted for a password.

As the "Domain Admin" Windows group is already mapped to the root Unix group, there is nothing more to do.

6. Declare all users of the domain in the slug

As we have seen previously, we can not create the users of the domain from a Windows client. We then have to create all users directly in the slug. Let's suppose that we want to declare that User is a member of the domain.

Create the User Unix user

 adduser User
Changed lines 242-262 from:

adduser automatically creates a group with the same name as the user. This group is absolutely useless, and then we deleted it with delgroup.

Assign admin to the Unix ntadmins group

Go into the /etc/group file, and note the group id of the ntadmins group.
In my example, the line describing the ntadmins group is : ntadmins:x:64003:
The group id of the ntadmins group is then 64003.

Go into the /etc/password file :

  • find the admin line
  • it should appear like : admin:x:506:506:Linux User,,,:/home/admin:/bin/sh
    • Replace the group id by the group id of the ntadmins group
    • Change the comment Linux User,,, (it will appear in Windows, in the start menu)
    • Delete the home directory to prevent any direct login in Unix
    • Void the startup shell (replace /bin/sh by /dev/null) to avoid to prevent any direct login in Unix
  • finally, the line should look like : admin:x:506:64003:Admin::/dev/null

Declare host$ in Samba

 smbpasswd -a admin
to:

adduser automatically creates a group with the same name as the user.

Declare User in Samba

 smbpasswd -a User
Deleted lines 249-283:

6. Declare all users of the domain in the slug

As we have seen previously, we can not create the users of the domain from a Windows client. We then have to create all users directly in the slug. Let's suppose that we want to declare that User is a member of the domain.

Create the User Unix user

 adduser User
 delgroup User

adduser will prompt you for a password.
adduser automatically creates a group with the same name as the user. This group is absolutely useless, and then we deleted it with delgroup.

Assign User to the Unix ntusers group

Go into the /etc/group file, and note the group id of the ntusers group.
In my example, the line describing the ntusers group is : ntusers:x:502:
The group id of the ntusers group is then 502.

Go into the /etc/password file :

  • find the User line
  • it should appear like : User:x:507:507:Linux User,,,:/home/admin:/bin/sh
    • Replace the group id by the group id of the ntusers group
    • Change the comment Linux User,,, (it will appear in Windows, in the start menu)
    • Delete the home directory to prevent any direct login in Unix
    • Void the startup shell (replace /bin/sh by /dev/null) to avoid to prevent any direct login in Unix
  • finally, the line should look like : User:x:507:502:User::/dev/null

Declare User in Samba

 smbpasswd -a User

You will be prompted for a password.

May 31, 2008, at 07:03 PM by JNC --
Changed lines 15-16 from:

After this procedure, the Slug will act as a PDC for a domain called LAN.

to:

After this procedure, the Slug will act as a PDC for a domain called MAISON.

Changed lines 31-32 from:
	workgroup = LAN
to:
	workgroup = MAISON
May 31, 2008, at 07:02 PM by JNC --
Changed lines 5-6 from:

For the time being, I used only SP2 XP Pro and SP1 Vista clients to join the domain.

to:

For the time being, I used only XP Pro SP2 and Vista SP1 clients to join the domain.

May 31, 2008, at 07:01 PM by JNC --
Changed lines 5-6 from:

For the time being, I used only XP Pro clients to join the domain.

to:

For the time being, I used only SP2 XP Pro and SP1 Vista clients to join the domain.

May 26, 2008, at 12:35 PM by JNC --
Changed line 103 from:

In the same rationale, I decided to create a Unix group called intranet to gather all the users of the domain.\\

to:

In the same rationale, I decided to create a Unix group called ntusers to gather all the users of the domain.\\

Changed lines 114-115 from:
 addgroup intranet
to:
 addgroup ntusers
Changed line 127 from:
 intranet      Domain Users
to:
 ntusers       Domain Users
Changed line 138 from:
 net groupmap add rid=513 type=domain unixgroup=intranet ntgroup="Domain Users"
to:
 net groupmap add rid=513 type=domain unixgroup=ntusers ntgroup="Domain Users"
Changed line 158 from:
 Domain Users (S-1-5-21-1123934332-1620061200-2314455425-513) -> intranet
to:
 Domain Users (S-1-5-21-1123934332-1620061200-2314455425-513) -> ntusers
Changed lines 252-257 from:

Assign User to the Unix intranet group

Go into the /etc/group file, and note the group id of the intranet group.
In my example, the line describing the intranet group is : intranet:x:502:
The group id of the intranet group is then 502.

to:

Assign User to the Unix ntusers group

Go into the /etc/group file, and note the group id of the ntusers group.
In my example, the line describing the ntusers group is : ntusers:x:502:
The group id of the ntusers group is then 502.

Changed line 261 from:
  • Replace the group id by the group id of the intranet group
to:
  • Replace the group id by the group id of the ntusers group
May 26, 2008, at 12:33 PM by JNC --
Changed lines 1-2 from:

Prerequisite

to:

1. Prerequisite

Changed lines 21-24 from:
  1. For the time being, I do not detail the procedure to have an initary profile (it should come in the following days)

Modify Samba configuration

to:
  1. For the time being, I do not detail the procedure to have an itinary profile (it should come in the following days)

2. Modify Samba configuration

Changed lines 54-55 from:

Create mapping between Windows and Unix groups

to:

3. Create mapping between Windows and Unix groups

Changed lines 162-163 from:

Declare all computers of the domain in the slug

to:

4. Declare all computers of the domain in the slug

Changed lines 201-202 from:

Declare the admin user of the domain in the slug

to:

5. Declare the admin user of the domain in the slug

Changed lines 238-239 from:

Declare all users of the domain in the slug

to:

6. Declare all users of the domain in the slug

Changed lines 275-276 from:

Restart Samba before asking a Windows client to join the domain

to:

7. Restart Samba before asking a Windows client to join the domain

Changed lines 281-282 from:

Ask a Windows client to join the domain

to:

8. Ask a Windows client to join the domain

May 25, 2008, at 01:29 PM by JNC --
Added lines 1-299:

Prerequisite

Here is the procedure I followed to set up a PDC on my slug with Samba and Swat 3.0.23c-r0.
I tested this procedure with my Linksys NSLU2, with Openslug 2.7 beta.
For the time being, I used only XP Pro clients to join the domain.

I suppose that Samba and Swat are up and running on your slug. See procedures to set up Samba if it's not the case.

This is a minimalist procedure. Please feel free to complete if you have hints and tricks.

What the slug will do after this procedure

After this procedure, the Slug will act as a PDC for a domain called LAN.

What the slug won't do after this procedure

  1. You won't be able to add users to the domain from any windows clients,
  2. You won't be able to add computers to the domain from any windows client,
  3. For the time being, I do not detail the procedure to have an initary profile (it should come in the following days)

Modify Samba configuration

The easiest way is to modify directly the smb.conf file. An alternative way is to use Swat.

 [global]
 # this is the name of the domain your slug will act as a PDC
	netbios name = NAS
	workgroup = LAN

 # instruct the slug to act as a PDC
	domain master = Yes
	domain logons = Yes
	os level = 33
	preferred master = Yes
	local master = Yes

 # instruct the PDC how to handle password for the domain users
 	security = USER
        encrypt passwords = yes
        unix password sync = yes

 # instruct the PDC how to change a password
        passwd program = /usr/bin/passwd %u

And that's it for the smb.conf file.

It should be normally possible to instruct the PDC to add a machine and/or a user in the domain. Unfortunately, to do that automatically, you need to create a user specifying in which group it should be attached. For the time being, my adduser command is not able to do that.
Any tricks ?

Create mapping between Windows and Unix groups

In theory

Some groups are built-in in Windows, and will be used for administrative tasks. For example, when you make a computer join a domain, Windows will ask you for the logon/password of a trusted user that has the right to do this operation. Windows knows that a user is trusted when it belongs to the Windows group "Domain Admins".

As the slug will be the only place to store domain users, it is necessary to map corresponding Unix groups to the necessary Windows groups.

You can find in litterature that at least three Windows groups are necessary, and many other are useful.

 Known entity               RID  Type   Mandatory
 Domain Administrator       500  User   No
 Domain Guest               501  User   No
 Domain KRBTGT              502  User   No
 Domain Admins              512  Group  Yes
 Domain Users               513  Group  Yes
 Domain Guests              514  Group  Yes
 Domain Computers           515  Group  No
 Domain Controllers         516  Group  No
 Domain Certificate Admins  517  Group  No
 Domain Schema Admins       518  Group  No
 Domain Enterprise Admins   519  Group  No
 Domain Policy Admins       520  Group  No
 Builtin Admins             544  Alias  No
 Builtin users              545  Alias  No
 Builtin Guests             546  Alias  No
 Builtin Power Users        547  Alias  No
 Builtin Account Operators  548  Alias  No
 Builtin System Operators   549  Alias  No
 Builtin Print Operators    550  Alias  No
 Builtin Backup Operators   551  Alias  No
 Builtin Replicator         552  Alias  No
 Builtin RAS Servers        553  Alias  No

RID is the unique reference of the Windows group.

Practically

Despite all litterature, and after many trials, it appears that only the mapping with the "Domain Admins" Windows group is mandatory.

In real life

To make things clean, I decided to create a Unix group ntcomputers to gather all the computers of the domain.
This is not compulsory. But as I did this, it was not a big effort to map this group to the "Domain Computers" Windows group.

In the same rationale, I decided to create a Unix group called intranet to gather all the users of the domain.
This is not compulsory. But as I did this, it was not a big effort to map this group to the "Domain Users" Windows group.

There is a built-in Unix group called nogroup. Even if it appears not to be compulsory, I decided to map the Unix nogroup group to the "Domain Guests" Windows group.

Create the Unix groups

 addgroup ntadmins
 addgroup ntcomputers
 addgroup intranet

The first Unix group encloses all the trusted users with administrative Windows rights.
The second Unix group encloses all computers of the Windows domain (this mapping does not appear to be mandatory).
The third Unix group encloses all users of the Windows domain (this mapping does not appear to be mandatory).

The Unix nogroup group already exists, and encloses all the Windows guest users.

We now need to map the Unix groups and the Windows groups as follows :

 Unix group    Windows group
 ntadmins      Domain Admins
 ntcomputers   Domain Computers
 intranet      Domain Users
 nogroup       Domain Guests

The relevant script to map Unix and Windows groups

The mappings are cleared at each reboot, so a script is needed to re-create them.

Create a file called _map.sh in /etc/init.d directory :

 #!/bin/sh
 # re-create the Windows/Unix group mappings (lost at each reboot)
 net groupmap add rid=512 type=domain unixgroup=ntadmins ntgroup="Domain Admins"
 net groupmap add rid=513 type=domain unixgroup=intranet ntgroup="Domain Users"
 net groupmap add rid=514 type=domain unixgroup=nogroup ntgroup="Domain Guests"
 net groupmap add rid=515 type=domain unixgroup=ntcomputers ntgroup="Domain Computers"

Do not forget to make the script executable with chmod 700 _map.sh. It is run by root at every boot, so it must not be writable by anyone else (a mode such as 766 would let any local user edit what root executes).

Then create a link to that script in /etc/rcS.d so that it is executed at each reboot :

 cd /etc/rcS.d
 ln -s /etc/init.d/_map.sh S99map_domains.sh

Time to reboot

 sync
 reboot

How to check the current mapping

After the reboot, the command net groupmap list shows all the current mapping :

 Domain Guests (S-1-5-21-1123934332-1620061200-2314455425-514) -> nogroup
 Domain Users (S-1-5-21-1123934332-1620061200-2314455425-513) -> intranet
 Domain Computers (S-1-5-21-1123934332-1620061200-2314455425-515) -> ntcomputers
 Domain Admins (S-1-5-21-1123934332-1620061200-2314455425-512) -> ntadmins
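An added example, not the page's own _map.sh: a version of the mapping script that reads the net groupmap list output shown above and only adds the mappings that are missing, so running it again, at boot or by hand, does not fail on groups that are already mapped. The NET variable and the function names are this example's own; it assumes Samba's net is in PATH and that rcS.d calls the script with "start".

```shell
#!/bin/sh
# Added example, not the page's own _map.sh: re-create the Windows/Unix group
# mappings only where "net groupmap list" does not already show them, so the
# script is safe to run at every boot or by hand. Assumes Samba's "net" tool is
# in PATH; NET may be pointed at a wrapper for a dry run.
NET=${NET:-net}

# Wanted mappings, one per line: RID UNIXGROUP NTGROUP (the NT name may contain spaces)
MAPPINGS='512 ntadmins Domain Admins
513 intranet Domain Users
514 nogroup Domain Guests
515 ntcomputers Domain Computers'

# mapped NTGROUP: succeed if "net groupmap list" already lists NTGROUP
mapped() {
    "$NET" groupmap list 2>/dev/null | grep -q "^$1 (S-"
}

# ensure_mappings: add every missing mapping, report each one on stdout and
# return the number of additions that failed (0 means everything is in place)
ensure_mappings() {
    fails=0
    while read -r rid ugrp ntgrp; do
        [ -n "$rid" ] || continue
        if mapped "$ntgrp"; then
            echo "ok      $ntgrp -> $ugrp"
        elif "$NET" groupmap add rid="$rid" type=domain \
                 unixgroup="$ugrp" ntgroup="$ntgrp" >/dev/null 2>&1; then
            echo "added   $ntgrp -> $ugrp"
        else
            echo "FAILED  $ntgrp -> $ugrp" >&2
            fails=$((fails + 1))
        fi
    done <<EOF
$MAPPINGS
EOF
    return "$fails"
}

# Apply only when started as an init script ("start", assumed to be what rcS.d
# passes) or explicitly ("apply"); otherwise just define the functions.
case "${1:-}" in
    start|apply) ensure_mappings ;;
esac
```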

Declare all computers of the domain in the slug

Windows requires every computer of the domain to be known by the PDC. As we have seen before, this step cannot be done from Windows; it has to be done on the slug. Let's suppose that we want to declare that host is a member of the domain.

Create the host$ Unix user

 adduser host$
 delgroup host$

where host is the NetBIOS name of the computer you want to declare in the domain.
adduser will prompt you for a password.
The trailing '$' is mandatory: it marks the account as a computer and not a regular user.
adduser automatically creates a group with the same name as the user. This group is useless here, so we delete it with delgroup.

Assign host$ to the Unix ntcomputers group

Go into the /etc/group file, and note the group id of the ntcomputers group.
In my example, the line describing the ntcomputers group is : ntcomputers:x:64002:
The group id of the ntcomputers group is then 64002.

Go into the /etc/passwd file :

  • find the host$ line
  • it should appear like : host$:x:505:505:Linux User,,,:/home/host$:/bin/sh
    • Replace the group id (fourth field) by the group id of the ntcomputers group
    • Change the comment Linux User,,, (it will appear in Windows, in the start menu)
    • Delete the home directory to prevent any direct login from Unix
    • Void the login shell (replace /bin/sh by /dev/null) to prevent any direct login from Unix
  • finally, the line should look like : host$:x:505:64002:Host$::/dev/null

Declare host$ in Samba

 smbpasswd -a host$

You will be prompted for a password.

Repeat this step as many times as you have computers to join the domain.

Declare the admin user of the domain in the slug

There must be some special trusted users, declared in the "Domain Admins" Windows group.
When you ask a Windows client to join the domain, you will be prompted for the login/password of such a trusted user.

In our configuration, it means we have to create a user in the slug that is member of the ntadmins Unix group.

Create the admin Unix user

 adduser admin
 delgroup admin

adduser will prompt you for a password.
adduser automatically creates a group with the same name as the user. This group is useless here, so we delete it with delgroup.

Assign admin to the Unix ntadmins group

Go into the /etc/group file, and note the group id of the ntadmins group.
In my example, the line describing the ntadmins group is : ntadmins:x:64003:
The group id of the ntadmins group is then 64003.

Go into the /etc/passwd file :

  • find the admin line
  • it should appear like : admin:x:506:506:Linux User,,,:/home/admin:/bin/sh
    • Replace the group id (fourth field) by the group id of the ntadmins group
    • Change the comment Linux User,,, (it will appear in Windows, in the start menu)
    • Delete the home directory to prevent any direct login in Unix
    • Void the login shell (replace /bin/sh by /dev/null) to prevent any direct login in Unix
  • finally, the line should look like : admin:x:506:64003:Admin::/dev/null

Declare admin in Samba

 smbpasswd -a admin

You will be prompted for a password.

Declare all users of the domain in the slug

As we have seen previously, we cannot create the users of the domain from a Windows client. We therefore have to create all users directly on the slug. Let's suppose that we want to declare that User is a member of the domain.

Create the User Unix user

 adduser User
 delgroup User

adduser will prompt you for a password.
adduser automatically creates a group with the same name as the user. This group is useless here, so we delete it with delgroup.

Assign User to the Unix intranet group

Go into the /etc/group file, and note the group id of the intranet group.
In my example, the line describing the intranet group is : intranet:x:502:
The group id of the intranet group is then 502.

Go into the /etc/passwd file :

  • find the User line
  • it should appear like : User:x:507:507:Linux User,,,:/home/User:/bin/sh
    • Replace the group id (fourth field) by the group id of the intranet group
    • Change the comment Linux User,,, (it will appear in Windows, in the start menu)
    • Delete the home directory to prevent any direct login in Unix
    • Void the login shell (replace /bin/sh by /dev/null) to prevent any direct login in Unix
  • finally, the line should look like : User:x:507:502:User::/dev/null

Declare User in Samba

 smbpasswd -a User

You will be prompted for a password.

Repeat this step as many times as you have users in the domain.
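The /etc/passwd edits made by hand above for host$, admin and User, scripted as an added example (not code from the original page): it works on passwd and group files given as arguments, so it can be rehearsed on copies, and a check function confirms the result before the account is handed to smbpasswd. The function names and the sample lines in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: script the /etc/passwd edits made
# by hand above for host$, admin and User. For a freshly created account it sets
# the gid of the mapped Unix group, replaces the "Linux User,,," comment, clears
# the home directory and makes /dev/null the shell so the account cannot log in
# locally. It works on passwd/group files given as arguments (try it on copies
# before pointing it at /etc/passwd and /etc/group).

# gid_of GROUPFILE GROUPNAME: print the numeric gid, fail if the group is absent
gid_of() {
    awk -F: -v g="$2" '$1 == g { print $3; found = 1 } END { exit !found }' "$1"
}

# domain_account PASSWDFILE GROUPFILE NAME GROUPNAME COMMENT: rewrite NAME's line
# to NAME:x:<uid>:<gid of GROUPNAME>:COMMENT::/dev/null, leaving other lines alone
domain_account() {
    pw=$1 gf=$2 name=$3 grp=$4 comment=$5
    gid=$(gid_of "$gf" "$grp") || { echo "no such group: $grp" >&2; return 1; }
    tmp="$pw.tmp.$$"
    awk -F: -v OFS=: -v n="$name" -v g="$gid" -v c="$comment" '
        $1 == n { $4 = g; $5 = c; $6 = ""; $7 = "/dev/null"; hit = 1 }
        { print }
        END { exit !hit }' "$pw" > "$tmp" ||
        { rm -f "$tmp"; echo "no such user: $name" >&2; return 1; }
    mv "$tmp" "$pw"
}

# check_domain_account PASSWDFILE NAME GID: succeed only if NAME's line carries
# the expected gid, an empty home directory and /dev/null as shell
check_domain_account() {
    awk -F: -v n="$2" -v g="$3" \
        '$1 == n && $4 == g && $6 == "" && $7 == "/dev/null" { ok = 1 }
         END { exit !ok }' "$1"
}

# Demo on constructed copies; the sample lines follow the page's own examples
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nhost$:x:505:505:Linux User,,,:/home/host$:/bin/sh\n' > "$d/passwd"
    printf 'root:x:0:\nntcomputers:x:64002:\n' > "$d/group"
    domain_account "$d/passwd" "$d/group" 'host$' ntcomputers 'Host$'
    check_domain_account "$d/passwd" 'host$' 64002 && cat "$d/passwd"
    rm -rf "$d"
}
demo
```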

Restart Samba before asking a Windows client to join the domain

 /etc/init.d/samba restart

This makes Samba take the freshly created computers and users into account.

Ask a Windows client to join the domain

For the time being, I have only used XP Pro clients to join the domain :

  • Start > Control Panel > System > Computer Name
  • Click on the "Network ID" wizard
  • Choose "This computer belongs to a domain [...]"
  • Choose "My company uses a network with a domain"
  • You will be prompted for a login / password / domain
    Enter the login/password of a user you configured previously (not necessarily admin) : you must have declared this user in the previous steps
    Change the domain to LAN (well, the name of YOUR domain)
  • You will be prompted for a computer name / domain
    Enter the NetBIOS name of your computer : you must have declared this computer in the previous steps
    Set the domain to LAN
  • You will be prompted for a trusted login / password / domain
    Enter admin as login, and the corresponding password
    Set the domain to LAN

And that's it...

Last edited by JNC.
Originally by JNC.
Page last modified on February 18, 2009, at 09:39 PM