Samba as a M$Win2000 domain controller
1. What is Samba?
Samba is a package of programs for UN*X, Linux and similar operating systems that provides the functions of a Microsoft LanManager compatible server. With Samba, a Linux system can offer directories and printers on a M$Win network. In addition, it can imitate a WinNT or 2000 server closely enough that the Linux computer works as a Microsoft PDC (Primary Domain Controller).
2. Requirements
You need the following packages to set up a PDC based on Samba:
Samba TNG 2.6 (The Next Generation):
This package is at http://www.sambahq.de.
To build the programs from the sources we need a few packages, a running Linux system that is connected to a network, and a lot of coffee and patience while the sources compile.
3. Installation of Samba
First download the latest Samba TNG version, e.g. into the directory /usr/src/, and unpack it with
tar xvfz samba-tng-alpha.2.6.tar.gz
or, for the bzip2-compressed archive,
tar xvfj samba-tng-alpha.2.6.tar.bz2
Now the directory with the sources exists. In its sub-directory source/ you execute the following command (all options belong on a single ./configure command line):
./configure --prefix=/samba-tng                  # installation path
            --exec-prefix=/                      # from where you want to execute Samba
            --includedir=/usr/local/include      # where the include files will be installed
            --libdir=/usr/lib/samba-tng          # library path
            --localstatedir=/var/samba-tng
            --mandir=/usr/share/man              # path to the manuals
            --with-sambaconfdir=/etc             # path to the configuration file
            --with-lockdir=/var/lock/samba-tng
            --with-swatdir=/usr/local/swat       # path to SWAT
If you do not give these options, Samba TNG tries to choose suitable settings for your system automatically.
Then you enter
make
and
make install
and Samba TNG is ready.
4. Configuration of Samba TNG
Unfortunately, not all directories are created by the installation, so you have to create a few important directories and files yourself.
mkdir /samba-tng
mkdir /samba-tng/netlogon
mkdir /samba-tng/private
mkdir /samba-tng/profile
mkdir /samba-tng/public
touch /samba-tng/private/smbpasswd
touch /samba-tng/private/domaingroup.map
touch /samba-tng/private/domainuser.map
mkdir /var/lock/samba-tng
Every user needs to save his profile on the server, so you have to change the permissions of the profile directory (the sticky bit lets every user write there while only the owner of a file may delete it).
chmod 1777 /samba-tng/profile
In the directory examples you find the file smb.conf.default, which should be copied to /etc.
cp /usr/src/samba-tng-alpha-2.6/examples/smb.conf.default /etc/smb.conf
Nearly all our work was done for us, but only "nearly".
In the next step, you'll edit the configuration file (/etc/smb.conf)
to your own requirements.
/etc/smb.conf:

[global]
   workgroup = kasnet
   # This is the domain we want to be registered.
   server string = Samba Server (PDC)
   # Description of the server
;  hosts allow = 192.168.1. 192.168.2. 127.
   # hosts/networks which are allowed to access the server
;  load printers = yes
;  printcap name = /etc/printcap
;  printcap name = lpstat
;  printing = bsd
;  guest account = pcguest
   # printer settings
   log file = /usr/local/samba/var/log.%m
   # location of the log files
   # %m = name of the machine
   max log size = 50
   security = user
;  password server = <NT-Server-Name>
   encrypt passwords = yes
   # necessary because M$Win clients send passwords only in encrypted (hashed) form
   socket options = TCP_NODELAY
   interfaces = 192.168.10.1/24 192.168.5.1/24
   # The interfaces of the server on which logins are allowed
   local master = yes
   os level = 64
   domain master = yes
   preferred master = yes
   domain logons = yes
   # necessary so that M$Win can log on to the domain
   logon script = %U.bat
   logon path = \\%L\Profiles\%U
   # Settings for the logon
   # %U = user
   # %L = server
   wins support = yes
   # we play "WINS server"
   domain group map = /samba-tng/private/domaingroup.map
   domain user map = /samba-tng/private/domainuser.map
   # permissions and user administration for M$Win

#============= Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   # home directories (/home/user)
   # writable = can write into the home directory

[netlogon]
   comment = Network Logon Service
   path = /samba-tng/netlogon
   browseable = no
   writable = no
   share modes = no
   # logon directory
   # Here the logon scripts are placed

[Profiles]
   path = /samba-tng/profile
   writeable = yes
   browseable = no
   guest ok = yes
   # directory for the profiles
   # Here the profiles of the users are stored

;[printers]
;   comment = All Printers
;   path = /usr/spool/samba
;   browseable = no
;   guest ok = no
;   writable = no
;   printable = yes
   # If you want to allow access to the printers, remove the leading ;

[public]
   comment = Public Stuff
   path = /samba-tng/public
   public = yes
   writable = yes
   printable = no
   # public directory
   # Everyone should have write access to this one
When you have finished all settings, you can check the configuration file with:
testparm
If you add the line
Admin = "Domain Admins"
to the file /samba-tng/private/domaingroup.map, all users belonging to the Unix group admin are domain administrators as well.
The logon script for each user goes into the directory /samba-tng/netlogon and is named after the user (e.g. smith.bat for the user smith).
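As an added example (it is not part of the original article and not code from Samba TNG), the following Python script parses an smb.conf in the syntax shown above and reports the global settings this PDC setup depends on, a missing "hosts allow", and every share that is both guest-accessible and writable, as the [Profiles] share above is. It normalises parameter names the way Samba does (case and internal whitespace are ignored) and treats "public" and "writeable" as the synonyms they are in Samba. The sample configuration and the function names are constructed for this example.

```python
"""Check an smb.conf for the PDC settings of this HOWTO.

Added example, not part of the article or of Samba TNG. The sample
configuration below is constructed for the example.
"""
import re

SAMPLE_SMB_CONF = """\
[global]
   workgroup = kasnet
   security = user
   encrypt passwords = yes
   domain logons = yes
   domain master = yes
;  hosts allow = 192.168.1. 127.

[netlogon]
   path = /samba-tng/netlogon
   writable = no

[Profiles]
   path = /samba-tng/profile
   writeable = yes
   guest ok = yes

[public]
   path = /samba-tng/public
   public = yes
   writable = yes
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lowercased and stripped of
    internal whitespace, which is how Samba compares parameter names."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment (both '#' and ';' are comments)
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section or malformed line
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", "", key).lower()
        sections[current][key] = value.strip()
    return sections


def _yes(value):
    """Samba boolean: yes/true/1 (case-insensitive) count as true."""
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def check_pdc_config(text):
    """Return a list of findings; an empty list means nothing to report."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    # Settings the HOWTO sets in [global] for a PDC
    for key, want in (("security", "user"),
                      ("encryptpasswords", "yes"),
                      ("domainlogons", "yes")):
        if g.get(key, "").lower() != want:
            findings.append(f"global: '{key}' should be '{want}', "
                            f"is '{g.get(key, '<unset>')}'")
    # The sample config leaves 'hosts allow' commented out
    if "hostsallow" not in g:
        findings.append("global: 'hosts allow' is not set; any host that "
                        "reaches the configured interfaces can connect")
    # Shares: 'public' is a synonym of 'guest ok', 'writeable' of 'writable'
    for name, share in conf.items():
        if name == "global":
            continue
        guest = _yes(share.get("guestok")) or _yes(share.get("public"))
        writable = (_yes(share.get("writable"))
                    or _yes(share.get("writeable")))
        if guest and writable:
            findings.append(f"share [{name}]: guest access and write "
                            "access are both enabled")
    return findings


if __name__ == "__main__":
    for finding in check_pdc_config(SAMPLE_SMB_CONF) or ["no findings"]:
        print(finding)
```

Run it against your own file by replacing SAMPLE_SMB_CONF with the contents of /etc/smb.conf; a finding for the [Profiles] share means that anybody on the listed interfaces can write into the directory that holds the users' profiles, which is why "guest ok = no" is the setting to prefer there.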
5. Start the Samba server automatically during the boot-up process
After a successful compilation the directory /usr/src/samba-tng-alpha-2.6/source/script contains the file samba-init.d. Copy this file to /etc/rc.d/samba-tng.
cp /usr/src/samba-tng-alpha-2.6/source/script/samba-init.d /etc/rc.d/samba-tng
In addition the init scripts have to be changed.
ln -snf /etc/rc.d/samba-tng /etc/rc.d/rc2.d/S50samba-tng
ln -snf /etc/rc.d/samba-tng /etc/rc.d/rc2.d/K50samba-tng
ln -snf /etc/rc.d/samba-tng /etc/rc.d/rc3.d/S50samba-tng
ln -snf /etc/rc.d/samba-tng /etc/rc.d/rc3.d/K50samba-tng
6. Start of the Samba server
You can start the Samba server by hand with:
/etc/rc.d/samba-tng start
Now the Samba server should start up. You can check this by typing:
ps -ax | grep smbd
The output should look similar to:
 1286 ?     S    0:00 smbd -D
 6480 tty1  S    0:00 grep smbd
If not, restart Samba and try again (this is still needed at times, because Samba TNG is under development).
7. User account administration
User administration is done with samedit.
One thing first: every user that is added with samedit has to exist as a user on the Linux system first.
It is also very important that the machine with which a user wants to log on to the server has an account of its own on the Linux system. Such a machine account is added as follows.
If the computer has the name WKS01 (for Workstation #1), the command looks like:
useradd -s /bin/false WKS01$
Attention: the name of the machine must not start with a number!
The trailing $ tells UN*X that this is a machine account.
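The naming rule and the useradd step above, as an added Python example that is not from the article or from Samba TNG: it rejects a workstation name that starts with a number, additionally applies the NetBIOS limits (at most 15 characters, consisting of letters, digits and "-"; assumed here as the naming rule), and builds the useradd command the article uses. The function names are hypothetical; the command is only executed when explicitly requested, because useradd needs root.

```python
"""Prepare the Unix machine account for a workstation (section 7).

Added example, not part of the article or of Samba TNG. The rule that
the name must not start with a number comes from the article; the
15-character NetBIOS limit and the allowed characters are assumed here.
"""
import re
import subprocess

# A letter first (so no leading digit), then up to 14 more of letters,
# digits or '-': 15 characters in total, the NetBIOS name length.
NETBIOS_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,14}$")


def machine_account_name(workstation):
    """Unix account name for a workstation: the name plus a trailing '$'."""
    workstation = workstation.strip()
    if not NETBIOS_NAME.match(workstation):
        raise ValueError(
            f"{workstation!r}: must start with a letter, contain only "
            "letters, digits or '-', and be at most 15 characters long")
    return workstation + "$"


def useradd_command(workstation):
    """argv for the 'useradd -s /bin/false NAME$' step of the article."""
    return ["useradd", "-s", "/bin/false", machine_account_name(workstation)]


def create_machine_account(workstation, run=False):
    """Return the useradd command; execute it only when run=True (needs root).

    With run=False this is a dry run that shows what would be done.
    """
    cmd = useradd_command(workstation)
    if run:
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    for name in ("WKS01", "1WKS", "a-very-long-workstation-name"):
        try:
            print(" ".join(create_machine_account(name)))
        except ValueError as err:
            print("rejected:", err)
```

Running the block as a script prints the command for WKS01 and the reason for rejecting the two invalid names; call create_machine_account("WKS01", run=True) as root to actually add the account, and then announce it to the domain with samedit as described below.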
Now we look at samedit. For example, you can call it via the
following command:
samedit -S . -U root -W kasnet -l log
where
-S stands for the server,
-U stands for the user (you need root access to add users),
-W stands for the domain and
-l for the logfile.
No password is set in this alpha version, so just press ENTER at the password prompt.
To add a user you enter:
createuser marcel -p test01
where -p test01 means that the password is set to test01.
The output should look like:
SAM Create Domain User
Domain: KASNET Name: marcel ACB: [U]
You test the successful creation of the user account executing :
ntlogin marcel test01
One of the output lines should be:
Cmd_nt_login: login(marcel) test succeeded: yes
If you see this line, the way to a working Samba server is short.
Now it is time to announce the machine account to the system.
createuser WKS01$
samedit automatically detects that this is a machine account and prints:
WKS01 can now be joined to the domain, which should
be done on a private, secure network as soon as possible
Create Domain User: OK
Now the user administration is finished and you can leave samedit with
exit.
8. Put M$Win into the domain
Once M$Win 2000 has booted and you have logged in as the local administrator, right-click "My Computer", select Properties and then the settings for the network identification.
In the line "member of" you select domain and enter the domain name; in my example it is Kasnet.
After you press OK and wait a while, a dialog box should appear that welcomes you to the new domain.
(Sometimes you are asked for a password. If so, just enter a known user and password.)
Then you have to reboot the computer, and you log in to M$Win with the user and password you created on Linux before.
Do not forget to select the domain when logging in.
I wish you all the best with the PDC server.