Samba as a M$Win2000 domain controler
1. What is SAMBA ?
Samba is a package of programs for UN*X, Linux or similar OS, that offers the functions of a Microsoft LanManager compatible server. With Samba it is possible to access directories and printers using a Linux system on a M$Win network. In addition, you can simulate a WinNT or 2000 Workstation in such a way that the Linux computer can work like a Microsoft PDC server (Primary Domain Controller).
You need the following packages to set up a PDC based on Samba:
Samba TNG 2.6 (The Next Generation):
This package is at http://www.sambahq.de.
We need few packages to build the programs from the sources, a running Linux system which is integrated into a network and much coffee and patience while compiling the sources.
3. Installation of Samba
First you should download the latest
Samba TNG version, e.g. in the directory /usr/src/ and
decompress it using
tar xvfz samba-tng-alpha.2.6.tar.gz
tar xvfl samba-tng-alph a.2.6.tar.gz2
Now the directory with the sources should exist. In the sub-directory /source you execute the command:
./configure --prefix=/samba-tng < Installation path --exexc-prefix=/ < From where you want to execute samba --includedir=/usr/local/include < there the include files will be ins talled --libdir=/usr/lib/samba-tng < Library path --localstateedir=/var/samba-tng --mandir=/usr/share/man < path to the manuals --with-sambaconfdir=/etc < path to the configuration file --with-lockdir=/var/lock/samba-tng --with-swatdir=/usr/local/swat < path to SWAT
If you do not enter these options,
Samba TNG tries to set the options for you system automatically.
Then you enter
and Samba TNG is ready.
4. Configuration of Samba TNG
Unfortunately, not all directories are created and you have to create a few important directories and files by your own.
mkdir /samba-tng mkdir /samba-tng/netlogon mkdir /samba-tng/private mkdir /samba-tng/profile mkdir /samba-tng/public touch /samba-tng/private/smbpasswd touch /samba-tng/private/domaingroup.map touch /samba-tng/private/domainuser.map mkdir /var/lock/samba-tng
Every user needs to save his profile
on the server, so you have to change the rights.
chmod 1777 /samba/profile
In the directory examples you find the file smb.conf.default which should be copied to /etc.
cp /usr/src/samba-tng-alpha-2.6/examples/smb.cond.default /etc/smb.conf
Nearly all our work was done for us, but only "nearly".
In the next step, you'll edit the configuration file (/etc/smb.conf) to your own requirements.
[global] workgroup = kasnet # This is the domain we want to be registered. server string = Samba Server (PDC) # Description of the server ; hosts allow = 192.168.1. 192.168.2. 127. # hosts/networks which are allowed to access the server ; load printers = yes ; printcap name = /etc/printcap ; printcap name = lpstat ; printing = bsd ; guest account = pcguest # printer settings log file = /usr/local/samba/var/log.%m # location of the log files # %m = name of the machine max log size = 50 security = user ; password server = <NT-Server-Name> encrypt passwords = yes # necessary because M$Win encrypts the network traffic socket options = TCP_NODELAY interfaces = 192.168.10.1/24 192.168.5.1/24 # The device of the server where it is allowed to log in local master = yes os level = 64 domain master = yes preferred master = yes domain logons = yes # necessary to access the server with M$Win logon script = %U.bat logon path = \\%L\Profiles\%U # Settings for the registration # %U = user # %L = server wins support = yes # we play "win server" domain group map = /samba/private/domaingroup.map domain user map = /samba/private/domainuser.map # permissions and user administration for M$Win #============= Share Definitions ============================== [homes] comment = Home Directories browseable = no writable = yes # home directories (/home/user ) # Writeable = can write into the home directory [netlogon] comment = Network Logon Service path = /samba-tng/netlogon browseable = no writable = no share modes = no # registration directory # Here the registration scripts are placed [Profiles] path = /samba-tng/profile writeable = yes browseable = no guest ok = yes # directory for the profiles # Here the profiles of the users are stored ;[printers] ; comment = All Printers ; path = /usr/spool/samba ; browseable = no ; guest ok = no ; writable = no ; printable = yes # If you wanted to allow access to the printers, you would have to remove the ; [public] comment = Public Stuff path = /samba-tng/public public = yes writable = yes printable = no # public directory # Everyone should have write access to this one
If you finished all settings, you can
check the configuration file using:
. If you added
Admin = "Domain Admins"
in the file /samba/private/domaingroup.map, all users belonging to the group admin are domain administrators as well.
The logon script you write in the directory /samba/netlogon for the corresponding user (e.g. for smith = smith.bat and so on).
5. Start the Samba server automatically during the boot-up process
The directory /usr/src/samba-tng-alpha-2.6/source/script
owns the file samba-init.d after a successful compilation
of the program. This file you should copy to /etc/rc.d/samba-tng.
cp /usr/src/samba-tng-2.6/source/script/samba-init.d /etc/rc.d/samba-tng
In addition the init scripts have to be changed.
ln -snf /etc/rc.d/samba-tng /etc/rc.d/rc2.d/S50samba-tng
ln -snf /etc/rc.d/samba-tng /etc/rc.d/rc2.d/K50samba-tng
ln -snf /etc/rc.d/samba-tng /etc/rc.d/rc3.d/S50samba-tng
ln -snf /etc/rc.d/samba-tng /etc/rc.d/rc3.d/K50samba-tng
6. Start of the Samba server
You can start the samba server by
now the samba server should boot up.
You can test it typing:
ps -ax | grep smbd
The output should look similar to:
1286 ? S 0:00 smdb -D
6480 tty1 S 0:00 grep smbd
If not you should reboot samba again (just this time, because Samba TNG is still under development).
7. User account administration
The user's administration is done by samedit.
One thing first: every user that is added with samedit has to be a user on the Linux system first.
It is very important that the user
has an account on the machine which include s the name of the
computer with which he wants to announce to the server.
This machine account can be integrated to the system as follows:
If the computer has the name WKS01 (for Workstation #1), the command should look like:
useradd -s /bin/false WKS01$
Attention: the name of the machine must not star t with a number!
The $ tells UN*X that you created a machine account.
Now we look at samedit. For example, you can call it via the following command:
samedit -S . -U root -W kasnet -l log
-S stands for the server,
-U stands for the user (you need root access to add users),
-W stands for the domain and
-l for the logfile.
The password is not set because this is an alpha version (finish with ENTER).
To add a user you enter:
createuser marcel -p test01
were -p test01 means that the password is set to test01.
The output should look like:
SAM Create Domain User
Domain: KASNET Name: marcel A CB: [U]
You test the successful creation of the user account executing :
ntlogin marcel test01
One of the output line should be:
Cmd_nt_login: login(marcel) test succeeded: yes
If you see this line the way to a working samba server will be short.
Now it is time to announce the machine account to the system.
Samedit automatically detects that this is a machine account and put out:
WKS01 can now be joined to the domain, which should
Be done on private, secure network as soon possible
Create Domain User: OK
Now the user administration finished and samedit can be left with exit.
8. Put M$Win into the domain
As soon as M$Win 2000 is ready to boot with you "logging in" as the local administrator, press the right mouse button on "My Computer" and select the Preferences.
Then the settings.
In the line "member of" you select domain and enter the domain name. In my example it is Kasnet.
After you checked the OK button and
wait a while, the following dialog box should appear that
welcomes you on the new domain.
(Sometimes you are asked for a password. If so, you just enter a known user.)
Then you have to reboot the computer and you "log in" to M$Win with the user and password you created on Linux before.
Do not forget to select the domain
I wish you all the best with the PDC server.
Enter Own Comment