Tuesday, October 30, 2012

Install Samba as Primary Domain Controller

1- apt-get update
2- apt-get upgrade
3- apt-get install ssh openssh-server
4- apt-get install acl
5- change fstab to enable ACL
6- apt-get install samba samba-common samba-doc libcupsys2-gnutls10 libkrb53 winbind smbclient

7- Edit smb.conf:
#Domain name
workgroup = MSHOME

# Sets the primary NetBIOS name of the Samba server
netbios name = CLIENT-PDC

# Sets a descriptive string for the Samba server
server string = %h

# The three passdb backends that are fully maintained (actively supported) by
# the Samba Team are: smbpasswd (being obsoleted), tdbsam (a tdb-based binary file
# format), and ldapsam (LDAP directory).
# Of these, only the ldapsam backend stores both POSIX (UNIX) and Samba user
# and group account information in a single repository.
# The smbpasswd and tdbsam backends store only Samba user accounts.
# It is recommended to use the tdbsam method for all simple systems.
# Use ldapsam for larger and more complex networks.
passdb backend = tdbsam

# Make domain logins query the Samba password db located on the samba server itself
security = user

# File for user mapping
username map = /etc/samba/smbusers

# lmhost: Uses a LAN Manager LMHOSTS file
# hosts: Uses the standard name resolution methods of the Unix system
# wins: Uses the WINS server
# bcast: Uses a broadcast method
name resolve order = wins bcast hosts

# Tells Samba to become the PDC
domain logons = yes

# Makes the PDC act as the central store for names of all windows clients,
# servers and printers
preferred master = yes

# Samba will act as a WINS server
wins support = yes

# Set CUPS for printing
printcap name = CUPS
printing = CUPS

# Default logon

#Drive letter under which the SAMBA share will appear in the Windows Explorer
logon drive = H:

# you can specify a Windows batch script that is executed as soon as a
# Windows workstation logs in
# This option specifies a Windows .BAT or .CMD file with lines
# ending in carriage-return/line feed that will be executed on the
# client after a user has logged on to the domain. Each logon
# script should be stored
# at the base of a share entitled [netlogin]
logon script = login.bat

# The base directory that supports the profiles
logon path = \\client-pdc\profile\%U

# Useradd scripts
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false/ -d /var/lib/nobody %u
idmap uid = 15000-20000
idmap gid = 15000-20000

# sync smb passwords with linux passwords
passwd program = /usr/bin/passwd %u

# This option works like a Unix chat
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

# Sends debug logs of the password-change process
# to the log files with a level of 100
passwd chat debug = yes

# Samba updates the standard Unix password db,
# when a user changes his encrypted password
unix password sync = yes

# set the loglevel
log level = 3

#Defines the users home directiory
comment = Home

# specifies a list of users that should be allowed to login to this service
# %S: Name of present share
valid users = %S

# Allows the samba user to also write to their Samba directory
read only = no

# Does'nt allow others to browse the contents of the directory
browsable = no

comment = All Printers
path = /var/spool/samba
printable = yes
guest ok = yes
browsable = no

# Make sure permissions are 755
# Contains scripts that the windows clients may use when they log into the domain
comment = Network Logon Service
path = /home/samba/netlogon
admin users = Administrator

# specifies a list of users that should be allowed to login to this service
# %u: Unix current username
valid users = %U
read only = no

# User roaming profiles.
# Make sure the direcory is owned and group owned by root
# Make sure its permission is 755
# Stores things such as favorite and desktop icons
comment = User profiles
path = /home/samba/profiles
valid users = %U
create mode = 0600
directory mode = 0700
writable = yes
browsable = no

8- Create the directories for domain logons and profiles:
mkdir /home/samba
mkdir /home/samba/netlogon
mkdir /home/samba/profiles
mkdir /var/spool/samba
chmod 777 /var/spool/samba/
chown -R root:users /home/samba/
chmod -R 771 /home/samba

9- restart Samba:
/etc/init.d/samba restart

10- Edit /etc/nsswitch.conf. Change the line:

hosts: files dns


hosts: files wins dns

11- Add the root user to the SAMBA password database. The root user (alias: Administrator) will be our domain administrator. This account is needed to add new computers to the SAMBA domain.

smbpasswd -a root

12- Create the file /etc/samba/smbusers and add the line by executing:

echo "root = Administrator" > /etc/samba/smbusers

13- Now test if the setup is correct:

smbclient -L localhost -U%

The output should look similar to this:

Domain=[MSHOME] OS=[Unix] Server=[Samba 3.0.24]

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Domain=[MSHOME] OS=[Unix] Server=[Samba 3.0.24]

Server Comment
--------- -------
CLIENT-PDC client-PDC server (Samba, Ubuntu)

Workgroup Master
--------- -------

14- Setup the default domain groups for windows:

net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
net groupmap add ntgroup="Domain Users" unixgroup=users
net groupmap add ntgroup="Domain Guests" unixgroup=nogroup

15-Now add a user, e.g. tom, to our Samba domain. You will have to add a user like this for each user account you want to connect to this SAMBA domain server.

15-1- Add a linux user tom:

useradd tom -m -G users

15-2- Add the linux user tom to the SAMBA password database:

smbpasswd -a tom

16- Now add a share that is accessible by all users.

mkdir -p /home/shares/allusers
chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/

17- At the end of the file /etc/samba/smb.conf add the following lines:

comment = All Users
path = /home/shares/allusers
valid users = @users
force group = users
create mask = 0660
directory mask = 0771
writable = yes

18- restart Samba

19- acl Support:

With a Samba server, only the owner of a file or folder may change its permissions. When modifying the ACLs of files via the ACL dialog, you will need to login as the user who owns those files in order to make the changes. For files that will be managed by multiple administrators, change the owner of those files to Administrator or some other common user. To modify permissions of these files via the ACL dialog, you will need to login as this user.

20- Configure Windows XP clients

You should start the process for Windows XP clients by a complete Windows Update. After the release of Service Pack 2, Microsoft Windows way of dealing with profile has changed a bit. You will need to start by login into your Windows XP client locally as Administrator and execute :


then, you must navigate to :

Local Computer Policy / Computer Configuration / Administrative Templates / System / User Profiles

and change the setting of the key 'Do not check for user ownership of Roaming Profile Folders' from 'Not Configured' to 'Enable'. If that key is not present, you should try visiting Windows Update again. Then you can use 'File / Exit'. This is needed because WinXP actually checks ACL Permission in your profile file system (which isn't really that easy to develop under *NIX). Once this is completed, you can procede as for Windows 2000.

Alternatively, you can add the following registry key:


No comments: