Pages

Scenario 3 SMB Samba server as domain controller

Scenario 3 SMB Samba server as domain controller
SAMBA server will be configured on our machine
mainserver.mydomain.com. The workgroup name can be same as the domain
name already being used in the current windows setup (provided the NT server for
the domain is off line), BUT it should never be of the name name as your DNS
domain name. We will create a new workgroup named SAMBADOMAIN on SAMBA
machine (the server), and configure the windows clients to be a part of this domain.
(Confusing? Well, on a SAMBA machine,
in /etc/samba/smb.conf, the word workgroup serves for workgroup as well
as domain for windows computers).
Server side configuration:
1) Modify the /etc/samba/smb.conf file and give the following entries:
[root@mainserver /]# vi /etc/samba/smb.conf
[global]
workgroup = SAMBADOMAIN
comment = samba server on the local lan placed in the
server room
hosts allow = 192.168.1. 192.168.2. 127.
security = user
load printers = yes
encrypt password = yes
smb passwd file = /etc/samba/smbpasswd
domain logons = yes
os level = 64
preferred master = yes
domain master = yes
wins support = yes
[homes]
comment = home directories of users
read only = no
create mask = 0750
browseable = no
[netlogon]
comment = SAMBA network logon services for microsoft
clients
path = /users/netlogon
guest ok = yes
browseable = no
locking = no
[cdrom]

comment = CDROM on SAMBA server
path = /mnt/cdrom
read only = yes
browseable = yes
public = yes
[floppy]
comment = Floppy drive on SAMBA server
path = /mnt/floppy
read only = no
browseable = yes
valid users = @students ; note that the group students exists in
/etc/groups
[linuxproject]
comment = project on linux by MS 4 students
path = /users/ms4/linuxproject
read only = no
browseable = yes
valid users = nayyar, inam
Note: All paths defined in the smb.conf file must exist. If they don’t create them
yourself. Also if you are going to use clients of Windows 98 and onwards or
Windows NT service pack 3 or higher, then these systems use encrypted passwords
by default. We need to provide either encrypted password support in SAMBA server
or modify the registry of the windows computers and enable plain text passwords in
them.
To enable support for encrypted passwords in the SAMBA server, perform the
following steps:
a. Create a separate password file for Samba. To create one based on your
existing /etc/passwd file, at a shell prompt, type the following command:
[root@mainserver /]# cat /etc/passwd mksmbpasswd.sh > /etc/samba/smbpasswd
The mksmbpasswd.sh script is installed in your /usr/bin directory with the
samba package.
b. Use the following command to change permissions on the Samba password
file so that only root has read and write permissions:
[root@mainserver /]# chmod 600 /etc/samba/smbpasswd


c. The script does not copy user passwords to the new file. To set each Samba
user’s password, use the command smbpasswd username(replace username
with each user’s username). A Samba user account will not be active until a Samba
password is set for it.
[root@mainserver /]# smbpasswd -a inam
d. The next step is to enable encrypted passwords in the Samba configuration
file. In the file smb.conf, uncomment the following lines:
encrypt password = yes
smb passwd file = /etc/samba/smbpasswd
2) Test your smb.conf file by running testparm command which is only
available for SAMBA. This command should show all the shares without any errors.
[root@mainserver /]# testparm
3) If the above command works fine then run the smb services now by:
[root@mainserver /]# /etc/rc.d/init.d/smb start
Notes:
Windows NT 4 :
At present, Samba needs to have a *nix account for every entry in the 'smbpasswd'
file, so this means that each Windows NT4/2000computer needs a *nix account on
the Domain Controller. Machine accounts are differentiated from user accounts by
appending a $ to the end of the machine's name. For Windows NT clients, you can
create these accounts manually. To make a domain machine account, issue the
following commands on the samba Domain Controller as 'root':
Create the group "machines" by:
[root@mainserver /]# groupadd machines
[root@mainserver /]# useradd -d /dev/null -g machines -c 'Machine Account'
 -s /bin/false -M $
[root@mainserver /]# smbpasswd -am


e.g. To add a machine account of a machine win98 on the samba server, you would
use:
[root@mainserver /]# groupadd machines
[root@mainserver /]# useradd -d /dev/null -g machines -c 'Machine Account' -s
 /bin/false -M win98$
[root@mainserver /]# smbpasswd -am win98
Windows 2000/XP :
Windows 2000 is different than NT. As far as NT is concerned, while joining the
domain, you are given an option to create a computer account in the domain server.
This allows machine accounts to be made on the fly. At the moment the only user
that can create computer accounts automatically is root. This means we must first
make a samba password for 'root' with:
[root@mainserver /]# smbpasswd -a root
It is recommended that you use a different password than real Linux password for
root for security reasons. To make a domain machine account, issue the following
commands on the Domain Controller as 'root':
[root@mainserver /]# groupadd machines
[root@mainserver /]# useradd -d /dev/null -g machines -c 'Machine Account'
 -s /bin/false -M win2k$
[root@mainserver /]# smbpasswd -am win2k
Optionally in order to make the computer accounts on the fly while joining the
domain, you need the following entry in the smb.conf file.
add user script = /usr/sbin/useradd -d /dev/null -g machines
 -c 'Machine account' -s /bin/false -M %u
Note the absence of $ in this script, SAMBA automatically adds the $ for you when
it is configured as domain log on server. Also the group machines was already
created manually. This also works for Windows XP.
The above solution specifically solves the problem when you are joining the
Windows 2000 workstation to a samba domain and you get the following error:
"The account used is a computer account. Use your global user account or local
user account to access the server". This problem comes with Windows 2000


machines with service pack 2. Another solution is to try changing the windows
computer's machine name from Network properties, but this seldom works (depends
on the mood of win 2000 machine).
Client side configuration:
On the client side, i.e. on the computer having Microsoft Windows, open the network
neighborhood properties, and in the identification tab, type in SAMBADOMAIN in
the DOMAIN textbox. Also set the other network related properties, e.g. IP
addresses, address of DNS and name of Primary WINS server which is the IP
address of SAMBA server. Press ok and restart the windows machine. Once
restarted, type in any user name and password of the user defined on SAMBA server
and select the domain SAMBADOMAIN in the drop down list. You will be greeted
after a pause of 10 to 30 seconds. Restart and log on to the new domain with the user
name inam, lets say. Now you should be able to see the SAMBA server in the
Network Neighborhood window. Double click it, and you should be able to see the
shares: inam, cdrom, floppy and linuxproject. On double clicking on the share
linuxproject you should be able to see the contents of this share. You will be asked
for the password if you logged on as someone else other than inam or nayyar, this
will be the password of one of the users nayyar or inam (as shown above), which are
defined in the machine running SAMBA. Similarly password of one of the users in
the group students (defined in SAMBA machine) may be required once accessing the
share floppy. To assign a drive letter to a share, you can either right click on the
share and select Map to drive. Or you can use the command on the windows DOS
shell prompt:
C:\> net use F: \\mainserver.mydomain.com\cdrom

Forex Trading