\documentclass{ictlab}
\RCS $Revision: 1.22 $
\usepackage{alltt,key,xr}
\externaldocument[lt-]{../../linux_training-plus-config-files-ossi/build/masterfile}
\ifx\pdftexversion\undefined
\else
\usepackage[pdfpagemode=None,pdfauthor={Nick Urbanik}]{hyperref}
\fi
\renewcommand*{\subject}{Operating Systems and Systems Integration}
\providecommand*{\NT}{\acro{NT}\xspace}
\providecommand*{\IP}{\acro{IP}\xspace}
\providecommand*{\DNS}{\acro{DNS}\xspace}
\providecommand*{\BDC}{\acro{BDC}\xspace}
\providecommand*{\ACL}{\acro{ACL}\xspace}
% \newcommand*{\labTitle}{Configuring Samba as a Primary Domain Controller}
\newcommand*{\labTitle}{Implementing a Primary Domain Controller for Windows 2000 Clients using Samba}
\begin{document}
\section{Aim}
\label{sec:aim}
After completing this exercise, you will be able to install and perform basic configuration of a Samba server as a primary domain controller (\PDC) for Windows~2000 clients, and to test it with such clients.
\section{Background}
\label{sec:background}
Samba is an implementation of the networking used by Microsoft Windows\@. The core protocol is \SMB (Server Message Block), hence the name of the software. The implementation was achieved by reverse engineering Microsoft's proprietary protocols. Samba has a good reputation for stability and performance (see \url{http://www.pcmag.com/article/0,2997,s%253D1474%2526a%253D16554,00.asp}).
\subsection{Limitations of Samba}
\label{sec:limitations}
\begin{itemize*}
\item Samba 2.2 works as an \NT4 compatible \PDC; it does not support Active Directory in the way that a Windows 2000 server does
\item Samba 2.2 can neither be a Backup Domain Controller (\BDC) nor use one
\item User information stored on a Samba \PDC is not as complete as that stored on a Windows \PDC
\item Samba obeys Linux group file access permissions on the \PDC, but it does not report them to the client machine properly. Group file permissions are hard to set from a client.
\item Full support for \ACL{}s (access control lists) depends on applying a patch to the Linux kernel and recompiling the kernel.
\end{itemize*}
Note that Samba 3 (now in alpha release) can be a member of an Active Directory domain.
\subsection{An Overview}
\label{sec:overview}
Samba's operation is managed through a configuration file, \texttt{/etc/samba/smb.conf}. There is a comprehensive manual page for this: do \texttt{man smb.conf}. This file is edited either with a text editor or with a program such as \texttt{swat}.

The process of a computer joining a Samba domain requires that the new domain member have an account created on the Samba machine; this account usually goes into the \texttt{/etc/passwd} file. The account name is the Net\BIOS name of the new member, with a dollar ``\texttt{\$}'' at the end. This account is created automatically by this statement in the Samba configuration file:
\begin{verbatim}
add user script = /usr/sbin/useradd \
    -n \
    -g machines \
    -c 'Samba Machine PDC member' \
    -d /dev/null \
    -s /bin/false \
    -M \
    %m$
\end{verbatim}%$
Shares are also defined in the Samba configuration file; the example file provided contains a number of them.
\section{Procedure}
\label{sec:procedure}
\begin{enumerate}
\item Choose a partner so that at least one of you has Windows 2000 Professional or Advanced Server that is \emph{not} either a primary or backup domain controller.
\item Make sure that samba is installed on your machine:
\begin{alltt}
$ \textbf{rpm -qa | grep samba}
samba-swat-2.2.7-5.8.0
samba-2.2.7-5.8.0
samba-client-2.2.7-5.8.0
samba-common-2.2.7-5.8.0
\end{alltt}%$
\item If not, install the required packages, using the \key{Tab} key to reduce typing mistakes:
\begin{alltt}
$ \textbf{cd /home/nfs/rh-8.0-updated/RedHat/RPMS}
$ \textbf{sudo rpm -Uhv samba-*.rpm}
\end{alltt}
\item Back up the original \texttt{smb.conf} configuration file for Samba:
\begin{alltt}
$ \textbf{cd /etc/samba}
$ \textbf{sudo cp -p smb.conf smb.conf-orig}
\end{alltt}%$
% \item turn on swat:
% \begin{verbatim}
% $ sudo setup
% \end{verbatim}%$
% then select services, and ensure that the \texttt{swat} entry has a
% star \texttt{[*]} next to it. Also ensure that \texttt{nmb} is
% selected.
% \item restart \texttt{xinetd}, and \texttt{samba}:
% \begin{verbatim}
% $ sudo /etc/rc.d/init.d/xinetd restart
% $ sudo /etc/rc.d/init.d/smb restart
% \end{verbatim}%$
% \item Open SWAT in your web browser by clicking on
% \url{http://localhost:901/}
% Note: that is a \emph{colon}, not a comma; 901 is a port number, not
% part of the \DNS name.
% If this doesn't work for you, then the proxy settings are wrong on
% your browser. Make sure that your web browser does not ask a proxy
% server in Wan Chai, but connects directly to the SWAT server on your
% machine.
% \item Click on the \key{\textsc{globals}} button at the top of the
% page.
\item Copy the example configuration file from the \texttt{samba} \NFS directory on \texttt{ictlab}:
{\small
\begin{alltt}
$ \textbf{sudo cp -p /home/nfs/samba/smb.conf-pdc-example /etc/samba/smb.conf}
\end{alltt}}%$
\item Edit the Samba configuration file using emacs:
\begin{alltt}
$ \textbf{xhost +localhost}
$ \textbf{sudo -v}
$ \textbf{sudo emacs /etc/samba/smb.conf &}
\end{alltt}%$
\begin{explanation}
I \emph{strongly} suggest that you open this file, and \emph{keep it open}. It wastes time to continually open and close the configuration file.
\end{explanation}
\item Any time you modify this file, tell Samba to re-read your changes before using the server:
\begin{alltt}
$ \textbf{sudo service smb reload}
\end{alltt}%$
\item Set the Net\BIOS name to a \emph{unique} name:
\begin{alltt}
netbios name = \emph{sammy}
\end{alltt}
Instead of \texttt{\emph{sammy}}, put a name for your computer that will be different from the Net\BIOS names of all the other computers in your class. Avoid spaces; stay with letters (the first character of the computer name should be a letter), digits and the hyphen character ``\texttt{-}''.
\item Change the ``\texttt{workgroup}'' to a \emph{unique} name of your choice, with a letter or digit appended. Note: this is the Net\BIOS \emph{domain name} for your computer.
%% For example, if your computer's hostname is
%% \texttt{sammy.tyict.vtc.edu.hk}, enter something like
%% \texttt{sammyD}.
You should understand that Net\BIOS domain names are different from \DNS domain names. \DNS domain names form a hierarchy, whereas Net\BIOS domain names are all in one big flat name space.
%% Note: if your computer's hostname is \texttt{localhost.localdomain},
%% then go to step~\vref{ste:add-dns-name}.
%% \item \label{ste:add-dns-name}Optional: do this if you are unable to
%% establish a connection to your server. Come back here from
%% step~\vref{ste:test-smb}.
%% \begin{itemize}
%% \item Edit \texttt{/etc/sysconfig/network} and replace any
%% \texttt{HOSTNAME} entry with:
%% \begin{alltt}
%% HOSTNAME=\emph{sammy}
%% \end{alltt}
%% %HOSTNAME=\emph{sammy}.tyict.vtc.edu.hk
%% making sure you do not include any spaces, since this is a shell
%% assignment.
%% \item Edit \texttt{/etc/sysctl.conf} and add at the end:
%% \begin{alltt}
%% kernel.domainname = tyict.vtc.edu.hk
%% \end{alltt}
%% \item reboot the computer, and verify that \DNS works okay:
%% \begin{alltt}
%% $ dig \emph{sammy}.tyict.vtc.edu.hk
%% \end{alltt}%$
%% where, instead of \emph{sammy}, you type the unique host name
%% for your computer. If you do not get an address in the answer
%% from the \DNS server, ask your lecturer.
%% Then check that reverse \DNS lookup works, i.e., you can look up
%% your computer's host name when you give the \DNS server your \IP
%% address:
%% \begin{alltt}
%% $ dig -x \emph{ip\_address}
%% \end{alltt}%$
%% where \texttt{\emph{ip\_address}} is the \IP address of your
%% Ethernet card.
%% \end{itemize}
%% \begin{explanation}
%% To understand what \texttt{/etc/sysctl.conf} is, do \texttt{man
%% sysctl.conf}, and \texttt{man sysctl}. The \texttt{sysctl}
%% program modifies entries in files under \texttt{/proc/sys}.
%% These entries control the operation of the computer. Here, the
%% line we added to \emph{/etc/sysctl.conf} causes the equivalent
%% of:
%% \begin{alltt}
%% # echo "tyict.vtc.edu.hk" > /proc/sys/kernel/domainname
%% \end{alltt}
%% to be executed when the computer boots.
%% \end{explanation}
% \item for the netbios name, enter the first part of your \DNS name.
% For example, if your computer's hostname is
% \texttt{sammy.tyict.vtc.edu.hk}, enter \texttt{sammy}
% \item Uncomment the line (remove the semicolon at the beginning):
% \begin{verbatim}
% ; username map = /etc/samba/smbusers
% \end{verbatim}
% \item Add to the \texttt{[Global]} section the line:
% \begin{alltt}
% debug level = 1
% \end{alltt}
%% \item Change the \texttt{netlogon} share to be writable by the
%% administrator, by removing the \texttt{writable = no} configuration
%% option and changing the configuration to look something like this:
%% \begin{alltt}
%% [netlogon]
%% comment = Network Logon Service
%% path = /var/samba/netlogon
%% guest ok = no
%% write list = @smbadm
%% share modes = no
%% \end{alltt}
\item Create two groups: \texttt{machines} and \texttt{smbadm}. Make the user \texttt{root} a member of \texttt{smbadm}.
\begin{alltt}
$ \textbf{sudo groupadd machines}
$ \textbf{sudo groupadd smbadm}
$ \textbf{sudo gpasswd -a root smbadm}
\end{alltt}%$
\item Verify that the configuration file has no syntax errors using the \texttt{testparm} program:
\begin{alltt}
$ \textbf{testparm}
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[printers]"
Loaded services file OK.
Press enter to see a dump of your service definitions
\end{alltt}%$
\item Start the two servers, \texttt{smbd} and \texttt{nmbd}, with:
\begin{alltt}
$ \textbf{sudo service smb start}
\end{alltt}%$
Then check to see that they are running with:
\begin{alltt}
$ \textbf{sudo service smb status}
smbd (pid 2696) is running...
nmbd (pid 2701) is running...
\end{alltt}%$
\item Make sure that samba runs next time you boot by making the correct symbolic links in the \texttt{/etc/rc.d/rc[345].d} directories:
\begin{alltt}
$ \textbf{sudo chkconfig smb on}
\end{alltt}%$
\item Create Samba passwords for a number of accounts. Each of them must have an entry in the \texttt{/etc/passwd} file (for example, an account you added earlier using \texttt{useradd}).
Note that today, we will use separate passwords for samba and for logging into Linux. Example of adding a user that is not in your password file already:
\begin{alltt}
$ \textbf{sudo useradd -c 'Nick Urbanik (local)' nickl}
$ \textbf{sudo smbpasswd -a nickl}
\end{alltt}
Example of adding a user that is already in your password file:
\begin{alltt}
$ \textbf{sudo smbpasswd -a nickl}
\end{alltt}%$
\item Add a password for root:
\begin{alltt}
$ \textbf{sudo smbpasswd -a root}
\end{alltt}%$
Note that this password should be different from the Linux login password for root, for security reasons: you will need to give your partner this password.
\item Create a directory to hold the policy files, and another to hold the logon scripts:
\begin{alltt}
$ \textbf{sudo mkdir -p /var/samba/netlogon/scripts}
\end{alltt}%$
\item Examine the log files while you do the following steps. The log files are in \texttt{/var/log/samba}. Give yourself permission to change into and read the samba log files by:
\begin{alltt}
$ \textbf{sudo chgrp \meta{yourStudentID} /var/log/samba}
$ \textbf{sudo chmod g+rx /var/log/samba}
\end{alltt}
You can then change into and read files in that directory. Open some windows and run \texttt{tail -f} on the log files. A new log file is created for each client machine that connects. Start with \texttt{smbd.log} if no machine specific file is created yet:
\begin{alltt}
$ \textbf{cd /var/log/samba}
$ \textbf{ls -ltr}
$ \textbf{tail -f smbd.log}
\end{alltt}%$
\item \label{ste:test-smb}Test that your Windows 2000 machine can connect to your home directory share on the Samba server; you can do this by right-clicking on My Network Places (the Windows 2000 equivalent of Network Neighbourhood), selecting Map Network Drive, choosing ``\texttt{Log in as a different user}'' and entering your user name and your Samba password for your own account.
For the share, type:
\begin{alltt}
\bs\bs\emph{sammy}\bs{}\emph{nickl}
\end{alltt}
where, instead of \texttt{\emph{sammy}}, you enter the Net\BIOS name of your samba server, and instead of \texttt{\emph{nickl}}, you enter your user name for your own account. Do not proceed with the remaining steps until this is successful.
%% First, go back to
%% step~\vref{ste:add-dns-name} and make sure that your computer has a
%% valid \DNS name, and an entry in the name server.
\item Log into a Windows 2000 machine \emph{locally} as \texttt{administrator}. Note: this Windows machine must not already be a primary domain controller, since a \PDC cannot be made a member of another domain. You can use Windows 2000 Advanced Server, as long as it is not a \PDC or \acro{BDC}. If you have no Windows 2000 Professional for which you have administrator access, you can use Windows 98, but this will reduce what you can test.
\begin{enumerate}
\item In Windows 2000, if \texttt{ipconfig /all} shows the \WINS server is different from 192.168.68.240, then from \TCPIP settings, add 192.168.68.240 as the \WINS server address. Select the radio button \textsf{Enable Net\BIOS over \TCPIP}.
\item In Windows 2000, right-click Network Places and select \texttt{Properties}; from the \texttt{Advanced} menu, select \texttt{Network Identification}. Press \texttt{Properties}.
\item Choose \texttt{Domain}, and enter the Net\BIOS domain name (the \texttt{workgroup} value) of your samba server. Click \key{OK}.
\item Enter the user name \texttt{administrator} and enter the Samba password for \texttt{root} on your Samba server.
\item Wait for confirmation and reboot when prompted.
\end{enumerate}
\begin{explanation}
Two problems may arise:
\begin{itemize}
\item Your Windows computer may have a Net\BIOS name that starts with a digit, or
\item You may have a connection to a share on your samba server from the Windows machine already. Solving that is simple: just ``disconnect the drive''.
\end{itemize}
If the name of your Windows machine starts with a digit, then \texttt{useradd} will not create a machine account for it. You could either rename the Windows machine with a name that begins with a letter, and contains only letters, digits and hyphens (rebooting when prompted), or add the machine account to your \texttt{/etc/passwd} file manually by:
\begin{enumerate}
\item Manually entering a command like this:
\begin{alltt}
$ \textbf{sudo useradd -n -g machines -c 'Samba Machine PDC member' \bs}
\ \ \textbf{-d /dev/null -s /bin/false -M \meta{machineName}$}
\end{alltt}%$
where \meta{machineName} is the computer name of your Windows machine with leading digits removed.
\item Adding the digit(s) manually with the \texttt{vipw} command. First edit the password file:
\begin{alltt}
$ \textbf{sudo vipw}
\end{alltt}%$
then add the digit(s) to the username for your Windows computer.
\end{enumerate}
\end{explanation}
\item Now test this as a primary domain controller. Note that it is an NT4 compatible \PDC, not a Windows 2000 \PDC\@. Read the documentation in \texttt{/usr\allowbreak /share\allowbreak /doc\allowbreak /samba-2.2.7\allowbreak /docs\allowbreak /Samba-\allowbreak HOWTO-\allowbreak Collection.pdf}. Being a \emph{primary domain controller} means allowing other machines to join the domain so that when any user logs into the domain, then:
\begin{itemize}
\item the user can access any resources (e.g., shares, printers) that are
\begin{itemize}
\item provided by any of the machines that are members of the domain and that
\item they have the rights to access
\end{itemize}
\item without entering a password again.
\end{itemize}
\item Log in to the domain as \texttt{administrator} from your Windows 2000 box. Browse to the \texttt{netlogon} share, and create some logon scripts using notepad. For the user \texttt{nickl}, the script is the file \texttt{/var/\allowbreak samba/\allowbreak netlogon/\allowbreak scripts/\allowbreak nickl.bat}.
The logon script is run by the client when it logs in. Here is an example of a logon script:
\begin{verbatim}
@echo off
net time \\nicksbox /set /yes
if %OS%.==Windows_NT. goto WinNT
:Win9x
net use y: \\nicksbox\nickl
net use p: \\nicksbox\ossi
net use q: \\nicksbox\notlinux
net use r: \\nicksbox\linux
goto end
:WinNT
net use y: \\nicksbox\nickl /persistent:no
net use p: \\nicksbox\ossi /persistent:no
net use q: \\nicksbox\notlinux /persistent:no
net use r: \\nicksbox\linux /persistent:no
:end
\end{verbatim}
Note that each line must be terminated by a carriage return/linefeed pair. Each share used in the script must be defined as a share section in \texttt{smb.conf}.
\item Documentation for the new features of Samba 2.2 is in \texttt{/usr/\allowbreak share/\allowbreak doc/\allowbreak samba-2.2.7/\allowbreak docs/\allowbreak Samba\allowbreak -HOWTO\allowbreak -Collection\allowbreak .pdf}. Open this up:
\begin{alltt}
$ \textbf{cd /usr/share/doc/samba-2.2.7/docs}
$ \textbf{acroread Samba-HOWTO-Collection.pdf &}
\end{alltt}
and move to page 48 (by the page numbering printed in the document itself), or page 53 if you count from the first page of the file as page 1. This section is about \emph{System Policies and Profiles}\@.
\item I have extracted the policy editor \texttt{poledit.exe} from the NT4 Service pack 6a, and put it, together with the files \texttt{common.adm} and \texttt{winnt.adm}, into the directory \texttt{profile-editor-from-service-pack-6a} in the \texttt{samba} \NFS directory from \texttt{ictlab}\@. Test editing policies on your samba server from the Windows 2000 machine.
\item I have also downloaded the server manager for \NT4. You will find it in the \texttt{samba} \NFS directory from \texttt{ictlab}\@. Test the server manager.
\item Samba 2.2 supports downloadable printer drivers. This is described in the \texttt{Samba\allowbreak -HOWTO\allowbreak -Collection\allowbreak .pdf} file on page 27(32). Test it.
\item Samba 2.2 supports \DFS\@.
Read the documentation about it on page 20(25) in the \texttt{Samba\allowbreak -HOWTO\allowbreak -Collection\allowbreak .pdf} file. Also see \texttt{/usr/\allowbreak share/\allowbreak doc/\allowbreak samba-2.2.7/\allowbreak docs/\allowbreak htmldocs/\allowbreak msdfs\_setup.html}.
\item Test your domain controller as much as you can.
%% Prepare for the
%% lab test by setting up Samba to match the requirements.
%% The services Samba provides include:
%% \begin{itemize}
%% \item allowing other machines to join the domain
%% \item When any user logs into the domain, then
%% \begin{itemize}
%% \item the user can access any resources (e.g., shares, printers)
%% that are
%% \begin{itemize}
%% \item provided by any of the machines that are members of the
%% domain and that
%% \item they have the rights to access
%% \end{itemize}
%% \item without entering a password again.
%% \end{itemize}
%% \item Samba 2.2 supports login scripts; for the user \texttt{nickl},
%% the script is the file \texttt{/var/\allowbreak samba/\allowbreak
%% netlogon/\allowbreak scripts/\allowbreak nickl.bat}. The logon
%% script is run by the client when it logs in. Here is an example
%% of a logon script:
%% \begin{alltt}
%% @echo off
%% net time \\nicksbox /set /yes
%% if %OS%.==Windows_NT. goto WinNT
%% :Win9x
%% net use z: \\nicksbox\nickl
%% net use p: \\nicksbox\ossi
%% net use q: \\nicksbox\notlinux
%% net use r: \\nicksbox\linux
%% goto end
%% :WinNT
%% net use z: \\nicksbox\nickl /persistent:no
%% net use p: \\nicksbox\ossi /persistent:no
%% net use q: \\nicksbox\notlinux /persistent:no
%% net use r: \\nicksbox\linux /persistent:no
%% :end
%% \end{alltt}
%% Note that each line must be terminated by a carriage
%% return/linefeed pair.
%% \item Samba 2.2 supports user profiles.
%% \item Samba 2.2 supports policies. You need a policy editor to
%% create them. You can get a policy editor from the \acro{NT} service
%% packs, as described in the Samba 2.2 \PDC \FAQ.
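The script below is an added example written for this lab; it is not part of the original handout nor of Samba itself, and it needs no Samba installation to run. It brings together four points from the steps above: the naming rule for the \texttt{netbios name} step (letters, digits, hyphens, first character a letter), the trust account that the \texttt{add user script} in the Overview creates (the client's Net\BIOS name with a trailing dollar sign) together with the \texttt{useradd}-safe form used in the work-around for names that start with a digit, a check that every such account in an \texttt{/etc/passwd}-style file still has \texttt{/dev/null} as its home and \texttt{/bin/false} as its shell, so that a trust account can never be used for an interactive login on the \PDC, and a check and conversion for the carriage return/linefeed line endings that logon scripts need. Assumptions not stated in the lab: the 15-character Net\BIOS name limit, \texttt{/sbin/nologin} being accepted alongside \texttt{/bin/false}, and the sample password file and logon script, which are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this lab (not from the handout or from Samba): offline
# sanity checks for a Samba 2.2 PDC set up as described above.  POSIX sh.

# Naming rule from the lab: letters, digits and hyphens only, first character
# a letter.  The 15-character limit is a NetBIOS rule assumed here.
valid_netbios_name() {
    name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 15 ] || return 1
    case $name in
        [A-Za-z]*) ;;                  # must start with a letter
        *) return 1 ;;
    esac
    case $name in
        *[!A-Za-z0-9-]*) return 1 ;;   # spaces, dots, underscores etc. fail
    esac
    return 0
}

# Trust account name that the "add user script" passes to useradd:
# the client's NetBIOS name (%m) with a trailing "$".
machine_account_name() {
    printf '%s$\n' "$1"
}

# Name useradd will accept for a client whose name starts with digits: the
# lab's work-around strips them and restores them afterwards with vipw.
# Prints the stripped account name; returns 1 when the vipw step is needed.
useradd_safe_name() {
    safe=$(printf '%s' "$1" | sed 's/^[0-9]*//')
    printf '%s$\n' "$safe"
    [ "$safe" = "$1" ]
}

# A trust account must stay unusable for interactive login: the lab's useradd
# line gives it home /dev/null and shell /bin/false (/sbin/nologin is also
# accepted here, an assumption).  Argument: one /etc/passwd line.
check_machine_account() {
    IFS=: read -r name passwd uid gid gecos home shell <<EOF
$1
EOF
    case $name in *'$') ;; *) return 1 ;; esac
    [ "$home" = /dev/null ] || return 1
    case $shell in /bin/false|/sbin/nologin) ;; *) return 1 ;; esac
    return 0
}

# Print the names of the "$" accounts in a passwd file that fail the check.
audit_machine_accounts() {
    while IFS= read -r line; do
        case ${line%%:*} in
            *'$') check_machine_account "$line" || printf '%s\n' "${line%%:*}" ;;
        esac
    done < "$1"
}

# Constructed sample passwd file: two correct trust accounts and one that a
# careless manual edit left with a real home directory and login shell.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nickl:x:500:500:Nick Urbanik (local):/home/nickl:/bin/bash
pc01$:x:501:502:Samba Machine PDC member:/dev/null:/bin/false
lab-w2k$:x:502:502:Samba Machine PDC member:/dev/null:/bin/false
badpc$:x:503:502:Samba Machine PDC member:/home/badpc:/bin/bash
EOF
}

# Logon scripts in the netlogon share must end every line with CR LF.
cr=$(printf '\r')

# Returns 0 only if every line of the file ends with a carriage return.
logon_script_crlf_ok() {
    ! grep -qv "${cr}"'$' "$1"
}

# Rewrite a script with CR LF endings (idempotent on already-converted input).
to_crlf() {
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' "$1" > "$2"
}

# Constructed sample logon script saved with plain LF endings, as an editor
# on Linux would write it; "sammy" is the lab's placeholder server name.
write_sample_logon_script() {
    cat > "$1" <<'EOF'
@echo off
net time \\sammy /set /yes
net use y: \\sammy\nickl /persistent:no
EOF
}

# Stand-alone demonstration on the constructed files.
main() {
    tmp=$(mktemp -d) || return 1
    write_sample_passwd "$tmp/passwd"
    printf 'trust accounts that could log in interactively: %s\n' \
        "$(audit_machine_accounts "$tmp/passwd")"
    write_sample_logon_script "$tmp/nickl.txt"
    to_crlf "$tmp/nickl.txt" "$tmp/nickl.bat"
    logon_script_crlf_ok "$tmp/nickl.bat" && printf 'nickl.bat has CR LF endings\n'
    rm -rf "$tmp"
}
main
```

Run it as \texttt{sh samba-pdc-check.sh} (any file name will do); to audit the real password file on your \PDC, call \texttt{audit\_machine\_accounts /etc/passwd} from a shell that has sourced the script, and run \texttt{to\_crlf} over any logon script you edited on Linux before copying it into \texttt{/var/samba/netlogon/scripts}.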
%% \item Samba 2.2 supports downloadable printer drivers.
%% \item Samba 2.2 supports \DFS. Read the documentation about it in
%% \texttt{/usr/\allowbreak share/\allowbreak doc/\allowbreak
%% samba-2.2.3a/\allowbreak docs/\allowbreak htmldocs/\allowbreak
%% msdfs\_setup.html}.
%% \end{itemize}
%% \item Test your domain controller as much as you can.
\end{enumerate}
\end{document}