jncharli, 2009/01/22 I experienced the following error when running this script : adding entry for group Domain Admins failed! adding entry for group Domain Users failed! adding entry for group Domain Guests failed! adding entry for group Domain Computers failed!

That's why I had to change the script to :

 net groupmap set "Domain Admins" "root"
 net groupmap set "Domain Users" "ntusers"
 net groupmap set "Domain Guests" "nogroup"
 net groupmap set "Domain Computers" "ntcomputers"

And this time, it runs...

• finally, the line should look like : host$:x:505:64002:Any comment::/dev/null

Do not forget to chmod 700 _map.sh

1. (Optional) Disable the itinary profile

11. Step 8 : (Optional) Disable the itinary profile

I experienced that itinary profiles makes startup times VERY long with a laptop using WiFi?. I found the way to disable the itinary profiles, keeping the centralization of passwords offered by a PDC.

• Start > Configuration Panel > System > Advanced
• In "Users profiles", click "Parameters"
• Double-click on the line representing a profile, and choose "Local profile"

The above procedure is valid for both XP and Vista clients. Nevertheless, on a XP client, it seems that you can update the profile of all the users declared in the PDC. However, on a Vista client, it seems you can update only the profile of the logged-in profile. You must then login-update-logoff for each profile declared in the PDC.

12. Troubleshootings

4. Step 1 : Modify Samba configuration

5. Step 2 : Create mapping between Windows and Unix groups

6. Step 3 : Declare all computers of the domain in the slug

7. Step 4 : Declare the admin users of the domain in the slug

8. Step 5 : Declare all users of the domain in the slug

9. Step 6 : Restart Samba before asking a Windows client to join the domain

10. Step 7 : Ask a Windows client to join the domain

11. Troubleshootings

For example, when you request a computer to join a Windows domain, Windows will ask you for the logon/password of a trusted user that has the right to do this operation.

As the slug will be the only place to store users, it is necessary to map corresponding Unix groups to the necessary Windows groups.

• Change the comment Linux User,,, (it will appear in the start menu lf your Windows client)

• Void the startup shell (replace /bin/sh by /dev/null) to prevent any direct login from Unix

Windows knows that a user is trusted if it belongs to the Windows Domain Admins group.

In step 2, we have already mapped the Unix root built-in group with the Windows Domain Admins group. It means that all users declared in the Unix root group will be considered by Windows as trusted users.

By default, the root user is declared in the root built-in group, and so will be considered as a trusted user. All you need to do is to declare the root user in Samba if you have not done it previously (it's very likely you already declared the root user in Samba when you installed Samba).

1. Goal

Samba is able to act as a PDC (Primary Domain Controler). If you are interested in this procedure, I suppose you don't want more explanations about what a PDC is.

This procedure will turn the Slug into a PDC.
There will be no impact on its file server capabilities.

2. Prerequisites

I used XP Pro SP2? and Vista Ultimate SP1? clients to join the domain.

3. Overview

1. Modify Samba configuration
2. Create mapping between Windows and Unix groups
3. Declare all computers of the domain in the slug
4. Declare the admin users of the domain in the slug
5. Declare all users of the domain in the slug
6. Restart Samba before asking a Windows client to join the domain
7. Ask a Windows client to join the domain

Step 1 : Modify Samba configuration

I just list the parameters dedicated to setting up a PDC and not the whole set of parameters :

 # indicates the path to store the logon script
 # this path is a relative reference from [netlogon] resource

 # there must be a script file called logon.bat in [netlogon]/<login>
 # (<login> is the name of a user declared in nthe domain)

 # it means there will be a different initary profile by user, and by OS

What's in my logon.bat script file

I have declared in logon.bat all the resources I want to mount at login :

 net use Y: \\NAS\Backup
 net use Z: \\NAS\Outlook

Step 2 : Create mapping between Windows and Unix groups

Step 3 : Declare all computers of the domain in the slug

Step 4 : Declare the admin users of the domain in the slug

Step 5 : Declare all users of the domain in the slug

Step 6 : Restart Samba before asking a Windows client to join the domain

Step 7 : Ask a Windows client to join the domain

I experienced this problem only with Vista client (not XP client).

Supposing I was declaring user when joining the domain (remember, the regular user, not the root trusted user), do in a Unix script :

Perform again the procedure, and you will see that the Vista client declares itself user in samba.

After changing the registry key, all seems fine.

You can find in Internet many registry modifications, declared to be absolutely mandatory if you want a Windows XP client able to connect to a samba domain implemented through Samba.

I implemented only one of those. I'm not Windows expert enough neither to understand exactly what it makes, nor to say if it can work without.

I implemented the same registry change than for Windows XP :

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet?\Services\Netlogon\Parameters]
 "requiresignorseal"=dword:00000000
 (default is 1)

However, you can find in Internet other changes that seems very important. I did NOT make those changes (and it works), but I can not certify there won't be any side-effect later-on. That's why I report those changes :

And that's it...

Troubleshootings

I experienced many issues. Here are some, and the dolutions I found.

A Vista client claims "User account already exists" when joining the domain

I experienced this problem only with Vista client (not Windows XP).

Supposing I was declaring user when joining the domain (not root), do in a Unix script :

 smbpasswd -x user

Perform again the procedure, and you will see that the Vista client declare user in smaba. You can check by cat-ing the /etc/samba/private/smbpasswd file and xheck that user is now declared in the file.

This problem does not seem reproducable : I ghosted the Vista client, and performed again the same procedure, and the problem did not occur again.

A Vista client claims "Your itinary profile has not been loaded" when logged-on

I forgot to change the registry key :

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet?\Services\Netlogon\Parameters]
 "requiresignorseal"=dword:00000000

After changing the regustry key, all seems fine.

Enter the login/password for a user you configured previously (not necessarily root) : you must have declared this user in the previous steps

Change the domain to MAISON (well, the name of YOUR domain)

Set the domain to MAISON

Enter root as login, and the corresponding password

Set the domain to MAISON

For the time being, I used only XP Pro SP2? and Vista Ultimate SP1? clients to join the domain.

You find in Internet many registry modifications, declared to be absolutely mandatory if you want a Windows XP client able to connect to a samba domain implemented through Samba.

I implemented none of the following modifications, and it seems the clients are correctly part of the domain.\\

Modify the following registry key :

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet?\Services\Netlogon\Parameters]
 "requiresignorseal"=dword:00000000
 (default is 1)

The following change should enable you to connect to Samba server with a Vista client (it runs for me even without this change) :

• Start > Run
• Type in the Run field: "secpol.msc." That will bring you to Vista's security policy system.
• Once there, use "Go to: Local Policies > Security Options"
• Find "Network Security: LAN Manager" authentication level.
• Once there, change the Setting from "Send NTLMv2? response only" to "Send LM & NTLM -- use NTLMv2? session security if negotiated."

If you're running a version of Vista that cannot use secpol.msc, you can edit the registry instead. Just change the value of :

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet?\Control\Lsa]
 "LMCompatibilityLevel?"=dword:3
 (default is 1)

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet?\Services\Netlogon\Parameters]
 "requiresignorseal"=dword:00000000
 "signsecurechannel"=dword:00000000

Declare host in Samba

 smbpasswd -a host
 (without '$')

Prepare a Windows XP client

You find many registry modifications, declared to be absolutely mandatory if you want a Windows XP client able to connect to a samba domain instatiated through Samba.

I implemented none of the followinf modifications, and it seems the clients are correctly part of the domain.
However, I can not certify there will not be side-effects later on. That's why I report here the most frequently reported modifications, found in Internet :

Prepare a Vista client

Ask the computer to join the domain (whether Windows XP or Vista)

There must be some special trusted users, declared in the "Domain Admins" Windows group

It is this Unix group that I mapped to the "Domains Admins" Windows group.

After this procedure, the Slug will act as a PDC for a domain called MAISON, with itinary profiles.

1. You won't be able to add computers to the domain from any windows client.

I just list the parameters dedicated to the set up of a PDC and not the whole set of parameters :

	domain master = Yes # Yes = PDC ; No = BDC (only when domain logons = Yes)

 # indicates the path to store the logon script (reference from [netlogon] resource)
 # %U will substitute with the connected username
 # it means the logon script will be the same whatever the OS of the clients that connects
 # there must be a script in a file called logon.bat in [netlogon]/WinXP? directory for Windows XP clients
 # and a file called logon.bat in [netlogon]/Win2K?.V2 for Vista clients
	logon script = %U\logon.bat

 # indicates the path to store the itinary profiles
 # %N substitutes with the samba server netbios name
 # %U substitutes with the connected username
 # %a subsitutes with the OS of the client that connects
 # it means there will be a different initary profile by user, and by OS of the client that connects
	logon path = \\%N\netlogon\%U\%a

 # netlogon is traditionnaly the place to store the itinary profiles and the logon scripts
 [netlogon]
	path = /home/netlogon
	read only = No

There is a built-in Unix group called root. It is this Unix group that I mapped to the 3Domains Admins" Windows' group.

Just to be clean, I also decided to create a Unix group called ntusers, and to map it with "Domain Users" Windows group, but I put no accounts in this group.

The built-in root Unix group encloses all the trusted users with administrative Windows rights.
The built-in nogroup Unix group encloses all the guest users declared in Windows. The ntcomputer Unix group encloses all computers of the Windows domain (this mapping does not appear to be mandatory).
The ntusers Unix group should enclose all users of the Windows domain (this mapping does not appear to be mandatory) - BUT I put no user in it.

 net groupmap add rid=512 type=domain unixgroup=root ntgroup="Domain Admins"

 Domain Admins (S-1-5-21-1123934332-1620061200-2314455425-512) -> root

I decided to re-use the root built-in Unix user (that is alredy in the Unix root group).

 smbpasswd -a root

You will be prompted for a password.

As the "Domain Admin" Windows group is already mapped to the root Unix group, there is nothing more to do.

6. Declare all users of the domain in the slug

As we have seen previously, we can not create the users of the domain from a Windows client. We then have to create all users directly in the slug. Let's suppose that we want to declare that User is a member of the domain.

Create the User Unix user

 adduser User

adduser automatically creates a group with the same name as the user.

Declare User in Samba

 smbpasswd -a User

After this procedure, the Slug will act as a PDC for a domain called MAISON.

	workgroup = MAISON

For the time being, I used only XP Pro SP2? and Vista SP1? clients to join the domain.

For the time being, I used only SP2? XP Pro and SP1? Vista clients to join the domain.

In the same rationale, I decided to create a Unix group called ntusers to gather all the users of the domain.\\

 addgroup ntusers

 net groupmap add rid=513 type=domain unixgroup=ntusers ntgroup="Domain Users"

 Domain Users (S-1-5-21-1123934332-1620061200-2314455425-513) -> ntusers

Assign User to the Unix ntusers group

Go into the /etc/group file, and note the group id of the ntusers group.
In my example, the line describing the ntusers group is : ntusers:x:502:
The group id of the ntusers group is then 502.

• Replace the group id by the group id of the ntusers group

1. Prerequisite

1. For the time being, I do not detail the procedure to have an itinary profile (it should come in the following days)

2. Modify Samba configuration

3. Create mapping between Windows and Unix groups

4. Declare all computers of the domain in the slug

5. Declare the admin user of the domain in the slug

6. Declare all users of the domain in the slug

7. Restart Samba before asking a Windows client to join the domain

8. Ask a Windows client to join the domain

Prerequisite

Here is the procedure I followed to set up a PDC on my slug with Samba and Swat 3.0.23c-r0.
I tested this procedure with my Linksys NSLU2, with Openslug 2.7 beta.
For the time being, I used only XP Pro clients to join the domain.

I suppose that Samba and Swat are up and running on your slug. See procedures to set up Samba if it's not the case.

This is a minimalist procedure. Please feel free to complete if you have hints and tricks.

What the slug will do after this procedure

After this procedure, the Slug will act as a PDC for a domain called LAN.

What the slug won't do after this procedure

1. You won't be able to add users to the domain from any windows clients,
2. You won't be able to add computers to the domain from any windows client,
3. For the time being, I do not detail the procedure to have an initary profile (it should come in the following days)

Modify Samba configuration

The easiest way is to modify directly the smb.conf file. An alternative way is to use Swat.

 [global]
 # this is the name of the domain your slug will act as a PDC
	netbios name = NAS
	workgroup = LAN

 # instruct the slug to act as a PDC
	domain master = Yes
	domain logons = Yes
	os level = 33
	preferred master = Yes
	local master = Yes

 # instruct the PDC how to handle password for the domain users
 	security = USER
        encrypt passwords = yes
        unix password sync = yes

 # instruct the PDC how to change a password
        passwd program = /usr/bin/passwd %u

And that's it for the smb.conf file.

It should be normally possible to instruct the PDC to add a machine and/or a user in the domain. Unfortunately, to do that automatically, you need to create a user specifying in which group it should be attached. For the time being, my adduser command is not able to do that.
Any tricks ?

Create mapping between Windows and Unix groups

In theory

Some groups are built-in in Windows, and will be used for administrative tasks. For example, when you make a computer join a domain, Windows will ask you for the logon/password of a trusted user that has the right to do this operation. Windows knows that a user is trusted when it belongs to the Windows group "Domain Admins".

As the slug will be the only place to store domain users, it is necessary to map corresponding Unix groups to the necessary Windows groups.

You can find in litterature that at least three Windows groups are necessary, and many other are useful.

RID is the unique reference of the Windows group.

Practically

Despite all litterature, and after many trials, it appears that only the mapping with the "Domain Admins" Windows group is mandatory.

In real life

To make things clean, I decided to create a Unix group ntcomputers to gather all the computers of the domain.
This is not compulsory. But as I did this, it was not a big effort to map this group to the "Domain Computers" Windows group.

In the same rationale, I decided to create a Unix group called intranet to gather all the users of the domain.
This is not compulsory. But as I did this, it was not a big effort to map this group to the "Domain Users" Windows group.

There is a built-in Unix group called nogroup. Even if it appears not to be compulsory, I decided to map the Unix nogroup group to the "Domain Guests" Windows group.

Create the Unix groups

 addgroup ntadmins
 addgroup ntcomputers
 addgroup intranet

The first Unix group encloses all the trusted users with administrative Windows rights.
The second Unix group encloses all computers of the Windows domain (this mapping does not appear to be mandatory).
The third Unix group encloses all users of the Windows domain (this mapping does not appear to be mandatory).

The Unix nogroup group already exists, and encloses all the Windows guest users.

We now need to map the Unix groups and the Windows groups as follows :

The relevant script to map Unix and Windows groups

The fact is the mapping is cleared after each reboot. A script is then necessary.

Create a file called _map.sh in /etc/init.d directory :

 net groupmap add rid=512 type=domain unixgroup=ntadmins ntgroup="Domain Admins"
 net groupmap add rid=513 type=domain unixgroup=intranet ntgroup="Domain Users"
 net groupmap add rid=514 type=domain unixgroup=nogroup ntgroup="Domain Guests"
 net groupmap add rid=515 type=domain unixgroups=ntcomputers ntgroup="Domain Computers"

Do not forget to chmod 766 _map.sh

Then create a link in rcS.d to that script in order for the script to be executed at each reboot :

 cd /etc/rcS.d
 ln -s /etc/init.d/_map.sh S99map_domains.sh

Time to reboot

 sync
 reboot

How to check the current mapping

After the reboot, the command net groupmap list shows all the current mapping :

 Domain Guests (S-1-5-21-1123934332-1620061200-2314455425-514) -> nogroup
 Domain Users (S-1-5-21-1123934332-1620061200-2314455425-513) -> intranet
 Domain Computers (S-1-5-21-1123934332-1620061200-2314455425-515) -> ntcomputers
 Domain Admins (S-1-5-21-1123934332-1620061200-2314455425-512) -> ntadmins

Declare all computers of the domain in the slug

Windows dictates that every computer of the domain to be known by the PDC. As we seen before, we can not do this step in Windows, it is necessary to do this step in the slug. Let's suppose that we want to declare that host is a member of the domain.

Create the host$ Unix user

 adduser host$
 delgroup host$

where host is the Netbios name of the computer you want to declare into the domain.
adduser will prompt you for a password.
'$' is mandatory as it declares it is a computer and not a regular user.
adduser automatically creates a group with the same name as the user. This group is absolutely useless, and then we deleted it with delgroup.

Assign host$ to the Unix ntcomputers group

Go into the /etc/group file, and note the group id of the ntcomputers group.
In my example, the line describing the ntcomputers group is : ntcomputers:x:64002:
The group id of the ntcomputers group is then 64002

Go into the /etc/password file :

• find the host$ line
• it should appear like : host$:x:505:505:Linux User,,,:/home/host$:/bin/sh
  • Replace the group id by the group id of the ntcomputers group
  • Change the comment Linux User,,, (it will appear in Windows, in the start menu)
  • Delete the home directory to prevent any direct login from Unix
  • Void the startup shell (replace /bin/sh by /dev/null) to avoid to prevent any direct login from Unix
• finally, the line should look like : host$:x:505:64002:Host$::/dev/null

Declare host$ in Samba

 smbpasswd -a host$

You will be prompted for a password.

Repeat this step as many times as you have computers to join the domain.

Declare the admin user of the domain in the slug

There must be some special trusted users, declared in the "Domain Admins" Windows group. domain.
When you will request a Windows client to join a domain, you will be prompted for the login/password of a trusted user.

In our configuration, it means we have to create a user in the slug that is member of the ntadmins Unix group.

Create the admin Unix user

 adduser admin
 delgroup admin

adduser will prompt you for a password.
adduser automatically creates a group with the same name as the user. This group is absolutely useless, and then we deleted it with delgroup.

Assign admin to the Unix ntadmins group

Go into the /etc/group file, and note the group id of the ntadmins group.
In my example, the line describing the ntadmins group is : ntadmins:x:64003:
The group id of the ntadmins group is then 64003.

Go into the /etc/password file :

• find the admin line
• it should appear like : admin:x:506:506:Linux User,,,:/home/admin:/bin/sh
  • Replace the group id by the group id of the ntadmins group
  • Change the comment Linux User,,, (it will appear in Windows, in the start menu)
  • Delete the home directory to prevent any direct login in Unix
  • Void the startup shell (replace /bin/sh by /dev/null) to avoid to prevent any direct login in Unix
• finally, the line should look like : admin:x:506:64003:Admin::/dev/null

Declare host$ in Samba

 smbpasswd -a admin

You will be prompted for a password.

Declare all users of the domain in the slug

As we have seen previously, we can not create the users of the domain from a Windows client. We then have to create all users directly in the slug. Let's suppose that we want to declare that User is a member of the domain.

Create the User Unix user

 adduser User
 delgroup User

adduser will prompt you for a password.
adduser automatically creates a group with the same name as the user. This group is absolutely useless, and then we deleted it with delgroup.

Assign User to the Unix intranet group

Go into the /etc/group file, and note the group id of the intranet group.
In my example, the line describing the intranet group is : intranet:x:502:
The group id of the intranet group is then 502.

Go into the /etc/password file :

• find the User line
• it should appear like : User:x:507:507:Linux User,,,:/home/admin:/bin/sh
  • Replace the group id by the group id of the intranet group
  • Change the comment Linux User,,, (it will appear in Windows, in the start menu)
  • Delete the home directory to prevent any direct login in Unix
  • Void the startup shell (replace /bin/sh by /dev/null) to avoid to prevent any direct login in Unix
• finally, the line should look like : User:x:507:502:User::/dev/null

Declare User in Samba

 smbpasswd -a User

You will be prompted for a password.

Repeat this step as many times as you have users in the domain.

Restart Samba before asking a Windows client to join the domain

 /etc/init.d/samba restart

This will make the freshly created computers and users taken into account by Samba.

Ask a Windows client to join the domain

For the time being, I used only XP Pro clients to join the domain :

• Start > Configuration Panel > System > Computer Name
• Click on "Network id" wizard
• Choose "This computer belongs to a domain [...]"
• Choose "My company uses a network with a domain"
• Wou will be prompted for a login / password / domain
  Enter the login/password for a user you configured previously (not necessarily admin) : you must have declared this user in the previous steps
  Change the domain to LAN (well, the name of YOUR domain)
• You will be prompted for a computer name / domain
  Enter the netbios name of your computer : you must have declared this computer in the previous steps
  Set the domain to LAN
• You will be prompted for a trusted login / password / domain
  Enter admin as login, and the corresponding password
  Set the domain to LAN

And that's it...