23.12.1 Problem

You want to set up a Samba primary domain controller for your LAN to provide domain authentication.

23.12.2 Solution

A domain controller provides a single central password database, so once users log in, they have access to domain resources without having to reauthenticate themselves as they access file or printer shares in the domain. The hardworking sysadmin can also easily lock out users, if necessary. Because file and printer shares are configured centrally on the Samba server, access to shares is easy to manage. Unlike in a peer network, the sysadmin has complete control of network shares.
There are five steps to the setup process:

1. Install Samba and configure it as a domain controller.
2. Create the administrative groups.
3. Create the netlogon directory.
4. Create a machine (trust) account for every PC in the domain.
5. Create a root account in the Samba password database.

Installing Samba is the easy part. You can install from sources or packages, whatever you prefer. Here is a complete, minimal smb.conf for your new domain controller. It configures authentication and users' homes shares; it does not define file or printer shares. The workgroup name becomes your new domain name:

[global]
    workgroup = holstein
    netbios name = windbag
    server string = Samba PDC
    domain master = yes
    os level = 64
    preferred master = yes
    local master = yes
    domain logons = yes
    logon script = netlogon.bat
    security = user
    encrypt passwords = yes
    log file = /var/log/samba/log
    log level = 2
    max log size = 50
    hosts allow = 192.168.1.

[netlogon]
    comment = Network Logon Service
    path = /var/samba/netlogon
    guest ok = Yes
    browseable = No

[homes]
    comment = User's Home Directories
    valid users = %S
    browseable = no
    writeable = yes

See the "Discussion" section of this recipe for a copy of the logon script, netlogon.bat. Save and close smb.conf, then run testparm to check for syntax errors:

# testparm

Then restart Samba.

Next, create these administrative groups, using system group numbers:

# groupadd -g 112 sadmins
# groupadd -g 113 machines

Then create the netlogon directory:

# mkdir -m 0775 /var/samba/netlogon
# chown root:sadmins /var/samba/netlogon

Each PC in your new Samba domain must have a machine account. First, create Linux accounts on the Samba server for every PC. The dollar sign indicates that this is a "trust," or machine, account:

# useradd -g machines -d /dev/null -c "stinkpad" -s /bin/false stinkpad$
# passwd -l stinkpad$

Then add each account to the Samba password database. Leave the dollar sign off the machine name:

# smbpasswd -a -m stinkpad
Added user stinkpad$.

Finally, create a root account on Samba with smbpasswd. You need this every time you join a new Windows NT/2000/XP machine to the domain, because you must make your first domain login as the Samba root user.
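The account-creation steps above (groups, netlogon directory, one trust account per PC, the Samba root account) gathered into one script, as an added example that is not part of the recipe. It is a dry run by default and only prints the commands; setting DRY_RUN=0 executes them, which needs root on the Samba server. The PC names at the bottom are constructed, and the NetBIOS-name check is this script's own addition: the recipe itself does not validate names.

```shell
#!/bin/sh
# pdc-accounts.sh: the account steps of the recipe as one re-runnable script.
# Dry run by default (prints commands); DRY_RUN=0 executes them as root.
# Hypothetical helper script, not part of the recipe.

DRY_RUN=${DRY_RUN:-1}

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_netbios_name NAME: a machine account is named after the PC's NetBIOS
# name, which is at most 15 characters. The '$' suffix is refused here because
# useradd gets it appended below and smbpasswd -m appends it itself.
valid_netbios_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# add_machine_account NAME: the three per-PC commands from the recipe. The
# Linux account is locked and has no shell or home directory, so the trust
# account can never be used for an interactive login on the server.
add_machine_account() {
    name=$1
    if ! valid_netbios_name "$name"; then
        printf 'invalid machine name: %s\n' "$name" >&2
        return 1
    fi
    run useradd -g machines -d /dev/null -c "$name" -s /bin/false "${name}\$"
    run passwd -l "${name}\$"
    run smbpasswd -a -m "$name"    # no '$' here: smbpasswd -m adds it
}

# setup_pdc_accounts PC...: groups (skipped if they already exist), the
# netlogon share directory, one trust account per PC, then the Samba root
# account that the first domain join from each Windows PC requires.
setup_pdc_accounts() {
    getent group sadmins >/dev/null 2>&1 || run groupadd -g 112 sadmins
    getent group machines >/dev/null 2>&1 || run groupadd -g 113 machines
    run mkdir -p -m 0775 /var/samba/netlogon
    run chown root:sadmins /var/samba/netlogon
    for pc in "$@"; do
        add_machine_account "$pc" || return 1
    done
    run smbpasswd -a root
}

# Stand-alone demo (dry run) with two constructed PC names.
setup_pdc_accounts stinkpad thinkpad2
```

Run it once in dry-run mode and read the output; when it matches what you typed by hand in the recipe, run it again with DRY_RUN=0 as root. Re-running it later to add another PC is safe because the group creation is skipped when the groups exist and mkdir -p tolerates an existing directory.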
Don't forget to create this root account, or your Windows NT/2000/XP PCs will not be able to join the domain.

Log in to the domain from each new PC as soon as possible, in order to synchronize with the server and to prevent someone else from possibly hijacking the account. stinkpad and Samba will exchange authentication tokens, so that Samba will always recognize stinkpad. That is where the "trust" happens.

The steps for joining clients running different versions of Windows to a Samba domain are all different; see the next three recipes to learn how.

23.12.3 Discussion

There are a couple of easy tests you can run to confirm that your Samba domain controller is working. First, always run testparm:

$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[netlogon]"
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

Server role: ROLE_DOMAIN_PDC is the line you want to see. Then run smbtree on the server:

$ smbtree -N
added interface ip=192.168.1.5 bcast=192.168.1.255 nmask=255.255.255.0
Got a positive name query response from 192.168.1.5 ( 192.168.1.5 )
Got a positive name query response from 192.168.1.5 ( 192.168.1.5 )
HOLSTEIN
Got a positive name query response from 192.168.1.5 ( 192.168.1.5 )
        \\WINDBAG                Samba PDC

To test connectivity, run smbtree from another Linux host on the LAN.

This is a bare-bones configuration. You can easily add file and printer shares as you need, just like for any Samba server. The netlogon share contains a script that is automatically downloaded to Windows clients. It mounts the users' homes shares on their local Z drives. This is the whole script:

REM NETLOGON.BAT
REM Map the logged-in user's [homes] share from the PDC (netbios name "windbag"
REM in the smb.conf above) to drive Z:
net use z: \\windbag\homes /yes

Be sure to name it netlogon.bat, and store it in /var/samba/netlogon.
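testparm tells you whether Samba thinks it is a PDC, but not which directive is missing when it does not say ROLE_DOMAIN_PDC. The following is an added example, not part of the recipe or of Samba: a small checker that parses the [global] section of an smb.conf and reports each PDC directive from this recipe that is absent or turned off, together with security = user and encrypt passwords = yes, the two settings that make the central password database usable by Windows clients. The sample configurations it writes are constructed from the recipe's [global]; the "weak" variant switches three settings off to show what a failing report looks like.

```shell
#!/bin/sh
# check-pdc-conf.sh: report PDC directives missing from an smb.conf.
# Hypothetical helper, not part of the recipe or of Samba.

# global_value FILE KEY: print the value of KEY from the [global] section.
# Samba keys are case-insensitive, may carry whitespace around '=', and
# comment lines start with ';' or '#'. Only [global] is consulted.
global_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { inglobal = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        inglobal && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# check_pdc_conf FILE: one line per wrong or missing directive; returns 1 if
# anything is off, 0 if the file carries everything this recipe relies on.
check_pdc_conf() {
    conf=$1
    rc=0
    for spec in 'domain master=yes' 'preferred master=yes' 'local master=yes' \
                'domain logons=yes' 'security=user' 'encrypt passwords=yes'; do
        key=${spec%%=*}
        want=${spec#*=}
        got=$(global_value "$conf" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            printf 'wrong or missing: %s = %s (found "%s")\n' "$key" "$want" "$got"
            rc=1
        fi
    done
    # os level must be a number high enough to win browser elections; the
    # recipe uses 64. Any non-numeric or empty value is reported.
    lvl=$(global_value "$conf" 'os level')
    case "$lvl" in
        '' | *[!0-9]*) printf 'wrong or missing: os level (found "%s")\n' "$lvl"; rc=1 ;;
    esac
    return $rc
}

# write_sample_conf FILE pdc|weak: constructed inputs for trying the checker.
# "pdc" mirrors this recipe's [global]; "weak" turns three settings off.
# The stray "domain master = no" under [homes] shows that only [global] counts.
write_sample_conf() {
    if [ "$2" = pdc ]; then
        dm=yes; dl=yes; sec=user
    else
        dm=no; dl=no; sec=share
    fi
    cat > "$1" <<EOF
[global]
    workgroup = holstein
    netbios name = windbag
    ; browser election and logon settings
    Domain Master = $dm
    os level = 64
    preferred master = yes
    local master = yes
    domain logons = $dl
    security = $sec
    encrypt passwords = yes
[homes]
    domain master = no
EOF
}

# Stand-alone use: ./check-pdc-conf.sh /etc/samba/smb.conf
if [ $# -ge 1 ]; then
    check_pdc_conf "$1"
fi
```

Run it against the real file after every edit to smb.conf and before restarting Samba; a clean exit plus testparm's ROLE_DOMAIN_PDC line together confirm the configuration, while a non-zero exit names exactly the directive to fix.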
These are the directives that tell Samba it is a primary domain controller (PDC):

domain master = yes
os level = 64
preferred master = yes
local master = yes
domain logons = yes

Remember, There Can Be Only One: don't put two PDCs on the same domain, or nothing will work right. You may have multiple Samba file servers, but only one PDC.

23.12.4 See Also