
Samba based Primary Domain Controller

04/08/2007 11:43 AM By Keith Strickland

Summary

This document was created because of a need to increase security on my home network and provide a way for my family to get the same start menu, desktop and internet favorites no matter which machine they logged in from. Setting up a Primary Domain Controller was the perfect solution because Windows profiles are stored in a common location on the server. This also allows me to create a default policy to help control what the kids can do on their computers (I haven't implemented the policies yet but will update this How-To once I do).

Requirements

  • Linux OS
  • root access to the Linux box
  • Samba 2.2.x or greater installed and operational (3.0 provides more PDC type options and Active Directory integration)
  • Windows 95/98/ME/XP Pro/NT workstation(s)/2000
  • Fully functioning network with machines which are able to ping each other
  • Familiarity with Linux Command prompt and Windows Networking


Note: This document does not cover the installation of these packages, services or OSs.

Conventions used in this document

  • Words in italics are commands to be typed at the command prompt
  • Words in bold are things that you'll have to modify to match your setup / system
  • Words in the Courier New font represent the smb.conf file or some other file which needs to be modified on your Linux box
  • This sequence of characters <--- represents a comment

Doing the setup

    This process really wasn't that difficult for me. I admit I am very familiar with getting around at the command prompt in Linux and with setting up networking in Windows. So, to start off with, you'll need to back up your smb.conf file. My installation was done in RedHat Linux 8.0, so I will be using the paths which were installed by default during the RedHat 8.0 installation.

    Backup the smb.conf file:

    Log in as root
    cd /etc/samba
    cp /etc/samba/smb.conf /etc/samba/smb.conf.old

    Now edit the smb.conf file with your favorite text editor and add or modify the [global] section to match the following (bolded words are things that you'll have to change to match your server / setup). Some paths to the log files and other files may be different depending upon your distribution:

    [global]
    log file = /var/log/samba/%m.log
    load printers = yes
    smb passwd file = /etc/samba/smbpasswd
    username level = 8
    socket options = TCP_NODELAY
    domain master = yes
    encrypt passwords = yes
    passwd program = /usr/bin/passwd %u
    password level = 8
    wins support = true
    dns proxy = no
    netbios name = servername
    server string = Redhat 8.0 PDC
    printing = lprng
    logon script = logon.bat
    default = homes
    unix password sync = yes
    passwd chat = *password* %n *password* %n *successful*
    local master = yes
    workgroup = DOMAIN NAME
    os level = 64
    add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$
    printcap name = /etc/printcap
    security = user
    domain admin group = @LinuxGroupName
    domain logons = yes
    logon path = \\servername\profiles\%U

    Now edit the smb.conf file and add the required shares (bolded words are things that you'll have to change to match your server / setup). %U = UserName of user logging into domain:

    [homes]
    comment = Home Directories
    path = /home/%U
    browseable = yes
    writable = yes

    [netlogon]
    comment = Network Logon Service
    path = /home/netlogon
    read only = yes
    guest ok = yes
    browseable = no
    write list = @LinuxGroupName <--- This is a group that you created on your Linux box or an already existing group name; the leading @ tells Samba it is a group rather than a user name

    [public]
    comment = Public Directory
    path = /home/public
    browseable = yes
    writable = yes
    guest ok = yes
    create mask = 0777

    [Profiles]
    path = /home/profiles
    writeable = yes
    create mask = 0600
    directory mask = 0700
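A hand-written check over the configuration above, written for this page as an added example and not part of the original post or of Samba: it reads the smb.conf text, confirms the [global] settings the PDC role depends on (security, encrypt passwords, domain logons, domain master), flags parameters that appear twice (Samba silently keeps the last one), flags a logon path that is not a UNC path, and confirms the 0600/0700 masks on the Profiles share. The sample configuration inside it is a constructed, cut-down copy of the sections above with two defects planted for the checker to find. It is not Samba's own parser, so on a real box run `testparm -s` as well.

```python
"""Sanity-check an smb.conf against the settings this how-to relies on.

Hypothetical checker written for this page; it is not part of the original
post or of Samba. It is a hand-written reader for the smb.conf format, not
Samba's own parser, so on a real box run `testparm -s` as well.
"""
import re

# [global] parameters the PDC role depends on, with the value the how-to sets.
REQUIRED_GLOBAL = {
    "security": "user",          # authenticate users, not shares
    "encrypt passwords": "yes",  # NT-family clients refuse plaintext by default
    "domain logons": "yes",      # serve netlogon and accept domain logons
    "domain master": "yes",      # be the domain master browser
}

# Masks the how-to sets on [Profiles]: one user's profile must not be
# readable by other users on the server.
PROFILE_MASKS = {"create mask": "0600", "directory mask": "0700"}


def parse_smb_conf(text):
    """Return {section: [(param, value), ...]}, keeping duplicates in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # stray text before the first section header
        param, value = line.split("=", 1)
        # Samba compares names case-insensitively with whitespace collapsed.
        param = re.sub(r"\s+", " ", param.strip().lower())
        sections[current].append((param, value.strip()))
    return sections


def norm(value):
    """Normalise Samba's boolean spellings so yes/true/1 compare equal."""
    v = value.strip().lower()
    return "yes" if v in {"yes", "true", "1"} else "no" if v in {"no", "false", "0"} else v


def check_pdc_config(text):
    """Return a list of (code, section, detail) findings; [] means clean."""
    findings, sections, effective = [], parse_smb_conf(text), {}
    for param, value in sections.get("global", []):
        if param in effective:
            # Samba silently takes the last occurrence, so a duplicate usually
            # means an edit that did not land where the author thought.
            findings.append(("duplicate", "global", param))
        effective[param] = value

    for param, want in REQUIRED_GLOBAL.items():
        got = effective.get(param)
        if got is None:
            findings.append(("missing", "global", param))
        elif norm(got) != norm(want):
            findings.append(("wrong-value", "global", f"{param} = {got}"))

    # The logon path must be a UNC path; a copy that lost its backslashes
    # leaves clients with a profile location they cannot open.
    logon_path = effective.get("logon path")
    if logon_path is not None and not logon_path.startswith("\\\\"):
        findings.append(("bad-unc", "global", "logon path"))

    if "profiles" in sections:
        masks = dict(sections["profiles"])
        for param, want in PROFILE_MASKS.items():
            if masks.get(param) != want:
                findings.append(("loose-mask", "profiles", param))
    return findings


# Constructed sample: a cut-down copy of the how-to's [global] and [Profiles]
# sections with two planted defects: 'passwd program' is listed twice and
# the logon path has lost its backslashes.
SAMPLE_SMB_CONF = """\
[global]
encrypt passwords = yes
passwd program = /usr/bin/passwd %u
unix password sync = yes
passwd program = /usr/bin/passwd %u
workgroup = DOMAIN NAME
security = user
domain master = yes
domain logons = yes
logon path = servernameprofiles%U

[Profiles]
path = /home/profiles
create mask = 0600
directory mask = 0700
"""
```

Running `check_pdc_config(SAMPLE_SMB_CONF)` reports the duplicate `passwd program` and the bad `logon path`; once those two lines are corrected the same call returns an empty list.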

    OK, now that smb.conf is set up we have to add machines and users. Be sure you save smb.conf before we proceed. This is a very simple and fairly straightforward process, but both a machine account (ending with $) and a user account must be created in order for the Domain Controller to be able to authenticate logins.

    You should still be logged in as root. Open /etc/passwd in your favorite text editor and add the following line:

    machineName$:x:520:501:NTMachine:/dev/null:/bin/false <--- Here machineName$ is the machine name of the machine that will logon to the Domain and NTMachine is a description for that machine

    machineName$ is the name of the machine you are adding to the domain; the $ says that this is a machine entry. While we're here we also have to add the root account to the smb password list, and you'll need to add root (and, if you are the administrator, your own user name) to your Domain Admin group. Now we must add the users to Samba with the following commands:

    smbpasswd -a -m machineName$ <--- the -m makes this a Workstation Trust Account
    smbpasswd -a root
    smbpasswd -a username <--- Here username is your username that you will use to logon to the Domain

    Now, let's create our shared directories and our logon.bat file to run when someone logs into the Domain. First, we'll create the directories; issue the next few commands. You should still be logged on as root:

    cd /home
    mkdir /home/public/
    mkdir /home/profiles/
    mkdir /home/netlogon/
    chmod 777 /home/public
    chmod 775 /home/netlogon
    chmod 777 /home/profiles <---- Note: I'm not 100% sure that these permissions are absolutely correct, but each user needs to have access to write to this directory so that's what made sense.

    If you don't use the profiles share and directory, the user's profiles will be saved in their home directory under a directory called profiles (/home/user/profiles/)

    Now, we'll create our logon.bat file. Ensure you use an editor that is capable of saving the file as a text file with DOS CR/LF at the end of each line. vi is perfectly capable of this. Also remember that this is a DOS batch file, not a unix script, so backslashes must be used ( \ ) not forward slashes ( / ). My logon script looks like this:

    net time \\servername /y
    net use G: \\servername\public -y

    Save it as /home/netlogon/logon.bat.
    chmod 775 /home/netlogon/logon.bat

    OK, I know that's kinda simple, but drive Z: will also be mapped which will be the user's home dir. You can add to or take away from this script as you see fit to include adding other shares or to perform other actions on the machine which is logging into the Domain.
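The two things the paragraph above warns about, CR/LF line endings and backslashes in share paths, are easy to get wrong when the file is edited on the Linux side. The following helper is an added example written for this page (not part of the original post): it builds a logon.bat with DOS line endings from a server name and a drive-to-share map, and checks an existing script's raw bytes for lines missing the CR and for `net use` paths that are not `\\server\share`. The command layout it emits is an assumption; adjust it to match your own script.

```python
"""Build and check a DOS logon.bat for the netlogon share.

Hypothetical helper written for this page; it is not part of the original
post. It deals with the two things the how-to warns about: every line must
end in CR/LF, and share paths must be UNC paths written with backslashes.
"""
import re

# \\server\share with no forward slashes anywhere.
UNC_PATH = re.compile(r"^\\\\[^\\/]+\\[^\\/]+$")
NET_USE = re.compile(r"^net use ([a-z]): (\S+)", re.IGNORECASE)


def build_logon_bat(server, drives):
    """Return the script as bytes with DOS line endings.

    `drives` maps drive letters to share names on `server`. The time sync
    line comes first so the clock agrees with the server before anything
    else runs; the layout is an assumption, adjust the commands to taste.
    """
    lines = [f"net time \\\\{server} /set /yes"]
    for letter, share in drives.items():
        lines.append(f"net use {letter}: \\\\{server}\\{share}")
    return "".join(line + "\r\n" for line in lines).encode("ascii")


def check_logon_bat(data):
    """Return [(line_no, problem), ...] for a script's raw bytes; [] is clean."""
    problems = []
    pieces = data.split(b"\n")
    if pieces and pieces[-1] == b"":
        pieces.pop()  # nothing follows the final LF
    for no, line in enumerate(pieces, start=1):
        if not line.endswith(b"\r"):
            problems.append((no, "missing CR before LF"))
        text = line.rstrip(b"\r").decode("ascii", "replace")
        m = NET_USE.match(text)
        if m and not UNC_PATH.match(m.group(2)):
            problems.append((no, f"not a UNC path: {m.group(2)}"))
    return problems
```

Write the result of `build_logon_bat` to /home/netlogon/logon.bat in binary mode so the CR/LF pairs survive; `check_logon_bat` on the file's bytes should then return an empty list, and a copy saved with Unix line endings or `//server/share` paths is reported line by line.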

    Restart Samba with the following command to make all your changes take effect:

    /etc/rc.d/init.d/smb restart

    Now, go to your Windows machine (for this example I'm assuming you are using Windows XP Professional or Windows 2000; Windows XP Home doesn't have the option of connecting to a Domain) and perform the following actions:

  • Open the control panel
  • Double Click the System Icon
  • Go to the Computer Name Tab
  • Click the Change Button
  • Click the Domain Radio Button
  • Enter the Domain Name and click OK (See Figure 1)
  • When prompted for a password you must use the root account so enter root as the username and whatever the password is and click OK (See Figure 2)
  • You should receive another Dialog Box stating "Welcome to the Domain Name Domain", click OK
  • Apply this registry patch. You will not be able to login unless you apply this change.
  • Restart your computer
  • Once the machine has come back up, you should have a new line on your logon box with a drop down menu. Select the Domain Name from the drop down box, enter your user name and password, click OK and you should see the logon.bat file running, probably minimized in the lower left hand corner of your screen. You should now be logged onto the Domain.
  • Open up My Computer and ensure that you have all the mapped drives you defined in the logon.bat file and that you have the proper permissions to those drives.
  • Add your Domain ID to the Administrators group on the local machine (your Domain ID will be Domain Name\username), and check that the Domain Name\Domain Administrators group is in the local Administrators group as well. (See Figure 3)

Conclusions

    Samba is a very powerful server, especially now that it can be used as an NT/Win2K Primary Domain Controller. This adds a lot of flexibility and power to the server and also gives normal people a chance to learn how networks work. I hope you find this How-To useful, and as always on keithstric.com I will attempt to provide useful information and be a source of reference for things to do with your home-based Linux server and mixed-environment network. With the wealth of information available on the internet and all the open-source software available, there is no reason why anyone with a desire to set these kinds of things up shouldn't be able to do so. Until next time....

    Keith

    Figure 1:


    Figure 2:


    Figure 3:

