Monday, June 16, 2008

GNU/Linux as PDC for M$ Windows with samba

This blog throws light on configuring Samba as PDC for M$ Windows machines on your network. The Linux distribution used is RHEL 5.0.
Eventhough, this works quite well, samba developers need to work more to make it compatible with M$ Windows ADC. Hope all will enjoy this...

To Readers: All those starting with # are run by root user and ;'s are comments inside the configuration files

#vim /etc/samba/smb.conf
;start global configuration section.
netbios name = TIKANGA
;this samba machine is given a NETBIOS name.

workgroup = PSEUDO
;this samba server acts a PDC for the domain PSEUDO

encrypt passwords = yes
;encrypted password negotiation

domain master = yes
;the samba server handles browsing elections for the
;domain across multiple subnets

local master = yes
;this makes samba force an election when it starts up.
;this 'oc level' (follows below) parameters makes it win
;the election, as this value is higher
than any other
;M$ server implementations.

;Note: Make sure no other samba machine is set with higher
;'os level' value than this.

preferred master = yes
;this also forces the election at startup

os level = 65

security = user
;samba will prompt for a username and password.
;security = domain | ads is used if another DC
;handles the logons.

domain logons = yes
;this makes samba handle domain logons.

logon path = \\%L\profiles\%u
;this parameter is necessay if we want to support
;roaming profiles for ;win200x/XP/NT clients.

;this actually expands to \\PSEUDO\profiles\username

;we have a sharename profiles coming later
;in the configuration file.

logon script = logon.bat
;name of the MS-DOS batch file which must be executed
;when client logs
on to the domain. The path
;specified is relative to the [netlogon] share

;specified later.

logon drive = L:
;this allows the home directory (if exists) of the user
;to be connected to L: drive under My Computer on client.

time server = yes
;this samba machine advertises itself as a
;time server for the domain.

admin users = mj0vy
;this list of users who have administrative
;privilege in this domain,
such as joining clients
;to the domain and make work the
;machine add script
on the fly.

add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
;each client is considered as a user and
;are added on the fly as each client tries

;to connect with the administrative user account.

;Start of shares
path = /etc/samba/netlogon
writable = no
browseable = no
;the [netlogon] share is necessary for samba
;to handle domain logons as

;M$ clients need to contact it during the
;logon process and if this share is not
logon process would fail.
;For security reason, writable and
;browseable permissions are removed.

path = /etc/samba/profiles
browseable = no
writeable = yes
create mask = 0600
directory mask = 0700

;the [profiles] share is used to store
;the roaming profiles of the
;The path points to a directory on the samba
;server where the updated profiles are saved

;on each individual user logons.
;Clients must read and write
;to this share.

read only = no
browseable = no
guest ok = no
map archive = yes
;guest logons are disabled and there will
;be no path parameter as it will be
;fetched from /etc/passwd.

comment = A Test share to check logon scripts!
path = /backups/samba
valid users = mj0vy sujith sreejith
writeable = yes
create mask = 0765
;this share is actually used to check whether
;the logon script has worked successfully or not!

;In logon.bat file, we will be scpecifying to make
;this share available as K: drive in the
My Computer of every client. Sticky Bit file
;permissions are recommended for file security.

Making the users and shares:
Add the administrator (mj0vy) who could add machine users on the fly. [admin users = mj0vy]
#useradd -d /dev/null -s /sbin/nologin mj0vy
Lock down his unix accound password for security reasons.
#passwd -l mj0vy

Make him a samba user.
#smbpasswd -a mj0vy
#smbpasswd -e mj0vy (this is not required in higher samba versions)

Make the domain users.
#useradd sujith
#passwd -l sujith
#smbpasswd -a sujith
#smbpasswd -e sujith

#useradd sreejith
#passwd -l sreejith
#smbpasswd -a sreejith
#smbpasswd -e sreejith

Now make the directories for [netlogon], [profiles] and [backups] shares.

#mkdir -m 777 /etc/samba/{netlogon,profiles}
#mkdir -p -m 1777 /backups/samba

Now make logon.bat file inside /etc/samba/netlogon and make it executable by the root user.
Note: Running dos2unix against this file is recommended.

#vim /etc/samba/netlogon/logon.bat
net use K: \\TIKANGA\backups

Now start the samba service
#/etc/init.d/smb start
#chkconfig smb on

Note: running smbtree command gives you a tree like view of all the domains, servers and shares on the servers.

Adding Windows clients:
Right click My Computer, Take Computer Name, click change.
In the 'Member of' field enter the samba domain 'PSEUDO'. This will prompt a username and password who could
add this machine to the domain. (mj0vy here). You will be prompted to restart the machine once you joined the Domain.
When the machine comes up, press Ctrl+Alt+Del (hardcore M$ Windows users must be used to this TRAP) and select PSEUDO insead of This Machine.
Try logging in as the samba users.

Hope you enjoyed reading...



greyhunter said...

hi dude,

this is my first time here and i love it.

just note that you mistyped the path for directory /samba/backup , as /backup/samba in the article.

nice work really.. keep up the good work.

Sreejith Anujan said...

thank you greyhunter for pointing that mistake :)
Changed now!

Suggestions are welcome!

credits to /dev/null :P