\documentclass{ictlab}
\RCS $Revision: 1.1 $
\usepackage{alltt,key,xr}
\externaldocument[lt-]{../../linux_training-plus-config-files-ossi/build/masterfile}
\ifx\pdftexversion\undefined
\else
\usepackage[pdfpagemode=None,pdfauthor={Nick Urbanik}]{hyperref}
\fi
\renewcommand*{\subject}{Operating Systems and Systems Integration}
\newcommand*{\labTitle}{Configuring and Testing Samba PDCs}
\begin{document}
\section{Aim}
\label{sec:aim}

After completing this exercise, you will be able to install and perform
basic configuration of a Samba server as a primary domain controller.
You will conduct a number of tests of your primary domain controller
with Windows~2000 clients.

%% \section{Background}
%% \label{sec:background}
%% I have created the final 2.2 Samba RPMs at
%% \url{http://Ictlab.tyict.vtc.edu.hk/samba/}. We wish to test them
%% thoroughly for suitability as a primary domain controller for
%% Windows~2000 clients.

\section{Procedure}
\label{sec:procedure}

\begin{enumerate}
\item Choose a partner so that at least one of you has Windows 2000
  Professional or Advanced Server that is \emph{not} either a primary or
  backup domain controller.
\item Mount the NFS drive from Ictlab, and change to the samba directory:
\begin{verbatim}
$ sudo mount Ictlab:/var/ftp/pub /mnt
$ cd /mnt/samba
\end{verbatim}
\item Install the 2.2.3a samba packages---if you installed the alpha
  packages before, you need to upgrade them to the final version.  If
  you did not install samba 2.2 before:
\begin{verbatim}
$ sudo rpm -Uhv samba-*2.2.3a-4.i386.rpm
\end{verbatim}%$
\item Refer to the document that I have written about installing
  updates, and install the updates.  The Samba 2.2 RPMs will not work
  unless most of the OS updates are applied.
% \item Verify that you have installed some of the updates for Red Hat
% 7.0.
% For example, check that you have a current version of the main
% shared libraries:
% \begin{verbatim}
% $ rpm -q glibc glibc-common
% glibc-2.2-12
% glibc-common-2.2-12
% \end{verbatim}%$
% If the version of your main libraries is older than this, you need to
% apply the updates; I have found that this version of samba will not
% work with the older libraries.  See the document I have written about
% applying updates.
\item Back up your original \texttt{smb.conf} configuration file for
  Samba again:
\begin{verbatim}
$ cd /etc/samba
$ sudo cp -p smb.conf smb.conf-orig
\end{verbatim}
% \item turn on swat:
% \begin{verbatim}
% $ sudo setup
% \end{verbatim}%$
% then select services, and ensure that the \texttt{swat} entry has a
% star \texttt{[*]} next to it.  Also ensure that \texttt{nmb} is
% selected.
% \item restart \texttt{xinetd}, and \texttt{samba}:
% \begin{verbatim}
% $ sudo /etc/rc.d/init.d/xinetd restart
% $ sudo /etc/rc.d/init.d/smb restart
% \end{verbatim}
% \item Open SWAT in your web browser by clicking on
% \url{http://localhost:901/}
% Note: that is a \emph{colon}, not a comma; 901 is a port number, not
% part of the DNS name.
% If this doesn't work for you, then the proxy settings are wrong on
% your browser.  Make sure that your web browser does not ask a proxy
% server in Wan Chai, but connects directly to the SWAT server on your
% machine.
% \item Click on the \key{\textsc{globals}} button at the top of the
% page.
\item Copy the new configuration file from the documentation directory
  of Samba:
{\small
\begin{verbatim}
$ sudo cp -p /usr/share/doc/samba-2.2.0/smb.conf-pdc-example /etc/samba/smb.conf
\end{verbatim}}%$
%% \item Install my emacs fixes if you haven't done so already (and if
%% you installed Linux yourself, not using the Ghost image) from
%% \url{http://nicku.org/ftp/emacs/}.
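  The following is an added check, not part of this handout and not
  from the Samba distribution: a short shell script that reads an
  \texttt{smb.conf} and reports, before you run \texttt{testparm},
  whether the settings this exercise depends on are present and whether
  the \texttt{netlogon} share is still restricted.  The function names
  (\texttt{smb\_get}, \texttt{is\_yes}, \texttt{check\_pdc\_conf}) and
  the two embedded \texttt{smb.conf} samples are constructed for the
  example; the parameter names it looks for (\texttt{domain logons},
  \texttt{encrypt passwords}, \texttt{security}, \texttt{guest ok},
  \texttt{writable}, \texttt{read only}, \texttt{write list}) are
  standard Samba parameters.

```shell
#!/bin/sh
# Added example; not part of the lab handout or of Samba.  Sanity-checks an
# smb.conf before testparm: the PDC settings this exercise relies on, and
# that the [netlogon] share is neither guest-readable nor writable by every
# user, since its scripts run on each client at logon with that user's rights.

# smb_get FILE SECTION KEY -> print the value of KEY in [SECTION], or an
# empty line if it is unset.  Minimal smb.conf syntax: ';' or '#' comments,
# [section] headers, "key = value" lines, case-insensitive names.
smb_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^[;#]/ { next }
        line ~ /^\[/ { sec = tolower(substr(line, 2, index(line, "]") - 2)); next }
        index(line, "=") > 0 {
            key = substr(line, 1, index(line, "=") - 1)
            val = substr(line, index(line, "=") + 1)
            gsub(/[ \t]+/, " ", key); sub(/^ /, "", key); sub(/ $/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (sec == tolower(want_sec) && tolower(key) == tolower(want_key))
                value = val
        }
        END { printf "%s\n", value }
    ' "$1"
}

# is_yes VALUE -> true for the spellings Samba accepts as boolean "yes"
is_yes() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in yes|true|1) return 0 ;; esac
    return 1
}

# check_pdc_conf FILE -> 0 if FILE has the PDC settings this exercise needs
# and a safely restricted [netlogon] share, 1 otherwise (reasons on stdout)
check_pdc_conf() {
    conf=$1; rc=0
    is_yes "$(smb_get "$conf" global 'domain logons')" \
        || { echo "global: 'domain logons = yes' is what makes Samba a PDC"; rc=1; }
    is_yes "$(smb_get "$conf" global 'encrypt passwords')" \
        || { echo "global: Windows 2000 clients need 'encrypt passwords = yes'"; rc=1; }
    sec=$(smb_get "$conf" global security | tr 'A-Z' 'a-z')
    [ -z "$sec" ] || [ "$sec" = user ] \
        || { echo "global: 'security = $sec'; a PDC needs 'security = user'"; rc=1; }
    if is_yes "$(smb_get "$conf" netlogon 'guest ok')"; then
        echo "netlogon: 'guest ok = yes' lets anyone read the logon scripts"; rc=1
    fi
    for key in writable writeable; do      # Samba accepts both spellings
        if is_yes "$(smb_get "$conf" netlogon "$key")"; then
            echo "netlogon: '$key = yes' lets every user change logon scripts"; rc=1
        fi
    done
    ro=$(smb_get "$conf" netlogon 'read only')
    if [ -n "$ro" ] && ! is_yes "$ro"; then   # 'read only = no' means writable
        echo "netlogon: 'read only = $ro' makes the share writable by all"; rc=1
    fi
    [ -n "$(smb_get "$conf" netlogon 'write list')" ] \
        || echo "netlogon: no 'write list', so nobody can update the scripts over SMB"
    return $rc
}

# Constructed sample: roughly what smb.conf looks like after the edits in
# this exercise (workgroup renamed, netlogon writable only by group smbadm).
write_good_conf() {
    cat <<'EOF'
[global]
   workgroup = sammyD
   security = user
   encrypt passwords = yes
   domain logons = yes
   logon script = scripts\%U.bat
[netlogon]
   path = /var/samba/netlogon
   guest ok = no
   write list = @smbadm
   share modes = no
EOF
}

# Constructed sample of what not to ship: any user can replace any other
# user's logon script, and guests can read them all.
write_bad_conf() {
    cat <<'EOF'
[global]
   workgroup = sammyD
   domain logons = yes
   encrypt passwords = yes
[netlogon]
   path = /var/samba/netlogon
   guest ok = yes
   writable = yes
EOF
}

good=$(mktemp); write_good_conf > "$good"
bad=$(mktemp);  write_bad_conf  > "$bad"
check_pdc_conf "$good" && echo "good sample: OK, now run testparm"
check_pdc_conf "$bad"  || echo "bad sample: rejected"
rm -f "$good" "$bad"
```

  Source the script and call \texttt{check\_pdc\_conf
  /etc/samba/smb.conf} once you have made the edits in the steps that
  follow.  Note that \texttt{write list} restricts access over SMB only:
  the Unix ownership and permissions of \texttt{/var/samba/netlogon}
  must also allow writes to the \texttt{smbadm} group alone, because
  whoever can change those scripts decides what every client runs at
  logon.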
\item Edit the Samba configuration file using emacs:
\begin{verbatim}
$ sudo emacs /etc/samba/smb.conf &
\end{verbatim}%$
\begin{explanation}
  I \emph{strongly} suggest that you open this file, and \emph{keep it
  open}.  It wastes time to continually open and close the
  configuration file.
\end{explanation}
\item Change the workgroup to a name based on your computer's DNS name,
  with a letter or digit appended.  For example, if your computer's
  hostname is \texttt{sammy.tyict.vtc.edu.hk}, enter something like
  \texttt{sammyD}.  You should understand that NetBIOS domain names are
  different from DNS domain names.  DNS domain names form a hierarchy,
  whereas NetBIOS domain names are all in one big flat name space.
% \item for the netbios name, enter the first part of your DNS name.
% For example, if your computer's hostname is
% \texttt{sammy.tyict.vtc.edu.hk}, enter \texttt{sammy}
% \item Uncomment the line (remove the semicolon at the beginning):
% \begin{verbatim}
% ; username map = /etc/samba/smbusers
% \end{verbatim}
% \item Add to the \texttt{[Global]} section the line:
% \begin{verbatim}
% debug level = 1
% \end{verbatim}
\item Change the \texttt{netlogon} share to be writable by the
  administrator, by removing the \texttt{writable = no} configuration
  option and changing the configuration to look something like this:
\begin{verbatim}
[netlogon]
    comment = Network Logon Service
    path = /var/samba/netlogon
    guest ok = no
    write list = @smbadm
    share modes = no
\end{verbatim}
  The logon scripts kept in this share are executed on every client at
  logon, so write access must stay limited to the members of the
  \texttt{smbadm} group named in \texttt{write list}; the share remains
  read-only for everyone else.
\item Verify that the configuration file has no syntax errors using the
  \texttt{testparm} program:
\begin{alltt}
$ testparm
\end{alltt}%$
\item Start the server with:
\begin{verbatim}
$ sudo samba start
\end{verbatim}%$
  Then check to see that it is running with:
\begin{verbatim}
$ samba status
\end{verbatim}%$
\item You should have already created accounts for yourself, your
  partner and for the user \texttt{root} previously.
  In case you need to make some more accounts, here is the procedure,
  repeated from last time:
  \begin{enumerate}
  \item Create a number of samba account passwords.  Each of them must
    have an entry in the \texttt{/etc/passwd} file (i.e., perhaps you
    added the account earlier using \texttt{useradd}).  Note that today,
    we will use separate passwords for samba and for logging into Linux.
    Example of adding a user that is not in your password file already:
\begin{verbatim}
$ sudo useradd -c 'Nick Urbanik' nicku
$ sudo smbpasswd -a nicku
\end{verbatim}
    Example of adding a user that is already in your password file:
\begin{verbatim}
$ sudo smbpasswd -a nicku
\end{verbatim}%$
  \item Add a password for root:
\begin{verbatim}
$ sudo smbpasswd -a root
\end{verbatim}%$
    Note that this password should be different from the Linux login
    password for root, for security reasons.  You will need to give your
    partner this password.
  \end{enumerate}
\item Examine the log files while you do the following steps.  The log
  files are in \texttt{/var/log/samba}.  You need to su to root before
  you can change into that directory.  Open some windows and run
  \texttt{tail -f} on the log files.
\item You should already have made a Windows 2000 machine a member of
  your domain last time, but in case you have a new partner today, here
  is the procedure:
  \begin{enumerate}
  \item Log into a Windows 2000 machine locally as administrator.  Note:
    this Windows machine must not already be a primary domain
    controller, since a PDC cannot be made a member of another domain.
    You can use Windows 2000 Advanced Server, as long as it is not a
    \textsc{PDC} or \textsc{BDC}\@.  If you have no Windows 2000
    Professional for which you have administrator access, you can use
    Windows 98, but this will reduce what you can test.
    \begin{enumerate}
    \item In Windows 2000, from TCP/IP settings, add 192.168.68.240 as
      the WINS server address.  Select the radio button \textsf{Enable
      NetBIOS over TCP/IP}.
    \item In Windows 2000, right-click Network Places and select
      \texttt{Properties}; from the \texttt{Advanced} menu, select
      \texttt{Network Identification}.  Press \texttt{Properties}.
    \item Choose \texttt{Domain}, and enter the domain name of your
      samba server.  Click \key{OK}.
    \item Enter the user name \texttt{administrator} and enter the Samba
      password for \texttt{root} on your Samba server.
    \item Wait for confirmation and reboot when prompted.
    \end{enumerate}
  \end{enumerate}
\item Now test this as a primary domain controller.  Note that it is an
  \NT4 compatible \PDC, not a Windows 2000 \PDC\@.  Being a
  \emph{primary domain controller} means allowing other machines to
  join the domain so that when any user logs into the domain, then:
  \begin{itemize}
  \item the user can access any resources (e.g., shares, printers) that
    are
    \begin{itemize}
    \item provided by any of the machines that are members of the
      domain, and that
    \item they have the rights to access,
    \end{itemize}
  \item without entering a password again.
  \end{itemize}
\item Log in to the domain as \texttt{administrator} from your Windows
  2000 box.  Browse to the \texttt{netlogon} share, and create some
  logon scripts using notepad.  For the user \texttt{nickl}, the script
  is the file
  \texttt{/var/\allowbreak samba/\allowbreak netlogon/\allowbreak scripts/\allowbreak nickl.bat}.
  The logon script is run by the client when the user logs in.  Here is
  an example of a logon script:
\begin{verbatim}
@echo off
net time \\nicksbox /set /yes
if %OS%.==Windows_NT. goto WinNT
:Win9x
net use z: \\nicksbox\nickl
net use p: \\nicksbox\ossi
net use q: \\nicksbox\notlinux
net use r: \\nicksbox\linux
goto end
:WinNT
net use z: \\nicksbox\nickl /persistent:no
net use p: \\nicksbox\ossi /persistent:no
net use q: \\nicksbox\notlinux /persistent:no
net use r: \\nicksbox\linux /persistent:no
:end
\end{verbatim}
  Note that each line must be terminated by a carriage return/linefeed
  pair.
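  As an added illustration of the line-ending requirement, not part of
  this handout: the shell helpers below count the lines of a script that
  lack a carriage return, convert a script to CR~LF in place, and list
  every \texttt{.bat} file in a directory that still needs converting.
  The function names (\texttt{count\_bare\_lf}, \texttt{to\_crlf},
  \texttt{list\_bare\_lf\_scripts}) are invented for the example, and
  the embedded script is a shortened copy of the one above, written with
  bare line feeds as a Linux editor would leave it.

```shell
#!/bin/sh
# Added example; not part of the lab handout.  Windows batch files need
# CR LF line endings, and a script saved from a Linux editor usually has
# bare LF, which the client then misreads.  These helpers report the
# problem, fix it, and scan a whole netlogon scripts directory for it.

# count_bare_lf FILE -> number of lines in FILE that do not end in CR
count_bare_lf() {
    awk '!/\r$/ { n++ } END { print n + 0 }' "$1"
}

# to_crlf FILE -> rewrite FILE so every line ends in CR LF.  Idempotent:
# an existing CR is stripped before the CR LF pair is appended.
to_crlf() {
    tmp="$1.crlf.$$"
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# list_bare_lf_scripts DIR -> print the *.bat files under DIR that still
# contain bare-LF lines, one per line
list_bare_lf_scripts() {
    for f in "$1"/*.bat; do
        [ -f "$f" ] || continue
        [ "$(count_bare_lf "$f")" -eq 0 ] || printf '%s\n' "$f"
    done
}

# Constructed sample: a shortened copy of the handout's logon script for
# user nickl, written with bare LF as a Linux editor would leave it.
write_sample_script() {
    cat <<'EOF'
@echo off
net time \\nicksbox /set /yes
if %OS%.==Windows_NT. goto WinNT
:Win9x
net use z: \\nicksbox\nickl
goto end
:WinNT
net use z: \\nicksbox\nickl /persistent:no
:end
EOF
}

# Demonstration in a scratch directory standing in for
# /var/samba/netlogon/scripts on the server.
dir=$(mktemp -d)
write_sample_script > "$dir/nickl.bat"
echo "before: $(count_bare_lf "$dir/nickl.bat") bare-LF lines in nickl.bat"
list_bare_lf_scripts "$dir" | while read -r f; do to_crlf "$f"; done
echo "after:  $(count_bare_lf "$dir/nickl.bat") bare-LF lines in nickl.bat"
rm -rf "$dir"
```

  On the server, \texttt{list\_bare\_lf\_scripts
  /var/samba/netlogon/scripts} shows which scripts still need fixing.
  Notepad on the Windows client already writes CR~LF, so this only
  matters for scripts created or edited on the Linux side.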
\item Documentation for the new features of Samba 2.2 is in
  \texttt{/usr/\allowbreak share/\allowbreak doc/\allowbreak samba-2.2.3a/\allowbreak docs/\allowbreak Samba\allowbreak -HOWTO\allowbreak -Collection\allowbreak .pdf}.
  Open this up:
\begin{verbatim}
$ cd /usr/share/doc/samba-2.2.3a/docs
$ acroread Samba-HOWTO-Collection.pdf &
\end{verbatim}
  and move to page 45 (by the page numbering printed in the document
  itself), or page 50 if you count pages from the beginning of the file
  as page 1.  This section is about System Policies and Profiles\@.
\item I have extracted the policy editor \texttt{poledit.exe} from the
  NT4 Service Pack 6a, and put it, together with the files
  \texttt{common.adm} and \texttt{winnt.adm}, into the directory
  \texttt{profile-editor-from-service-pack-6a} in the \texttt{samba}
  NFS directory from \texttt{Ictlab}\@.  Test editing policies on your
  samba server from the Windows 2000 machine.
\item I have also downloaded the server manager for \NT4.  You will find
  it in the \texttt{samba} \NFS directory from \texttt{Ictlab}\@.  Test
  the server manager.
\item Samba 2.2 supports downloadable printer drivers.  This is
  described in the
  \texttt{Samba\allowbreak -HOWTO\allowbreak -Collection\allowbreak .pdf}
  file on page 30 (35 counting from the start of the file).  Test it.
\item Samba 2.2 supports \DFS\@.  The \RPM package provides a directory
  that is a \DFS root.  Read the documentation about it on page 22 (27
  counting from the start of the file) in the
  \texttt{Samba\allowbreak -HOWTO\allowbreak -Collection\allowbreak .pdf}
  file.  Also see
  \texttt{/usr/\allowbreak share/\allowbreak doc/\allowbreak samba-2.2.3a/\allowbreak docs/\allowbreak htmldocs/\allowbreak msdfs\_setup.html}.
\item Test your domain controller as much as you can.
\end{enumerate}
\end{document}