Setting up a Linux System as a Windows Domain Controller or Server using Samba - Prof. Rob, Study notes of Computer Science

How to make a Linux box act as a Windows primary domain controller (PDC) or server for a Windows workgroup. It covers installing Samba, configuring it as a PDC, and sharing files and printers. The document also discusses managing user logins and passwords, and adding workstations to the domain.

Typology: Study notes

Uploaded on 08/04/2009 by koofers-user-jvu

Windows Networking (A Brief History)

Microsoft LAN networking started with DOS LAN Manager (LANMAN), developed together with 3Com. It provided the ability to "share" printers and hard drives from a standalone PC over the network. Share names were of the format \\servername\sharename. The programming interface was NetBIOS (Network Basic Input/Output System), originally delivered as a network extension of the PC BIOS, hence the name. Because local area networks were in their infancy, IBM (and later Microsoft) created a dedicated Ethernet frame protocol for NetBIOS, the NetBIOS Extended User Interface (NetBEUI), sometimes called the NetBIOS Frame protocol (NBF). NetBEUI is a non-routable LAN protocol, so NetBIOS/NetBEUI relied on network broadcasts to make server names known.

TCP/IP protocol stacks were third-party add-ons to DOS and Windows, and were first integrated into WFW 3.11 and later Windows 95 and Windows NT Server and Workstation, with NetBIOS over TCP/IP running on UDP ports 137 (name service) and 138 (datagram service) and TCP port 139 (session service). Port 135, which Windows also opens, is the DCE/RPC endpoint mapper rather than part of NetBIOS itself. Because TCP/IP is a routable protocol, a system was needed to make server names known across multiple networks: the Windows Internet Naming Service (WINS), a NetBIOS name server that Microsoft DNS servers could be configured to fall back on.

NetBIOS reached Windows first as a DOS-level add-on and was then integrated into Windows under Windows for Workgroups (WFW) 3.11, the peer-to-peer networking edition of the ubiquitous Windows 3.1. Password security for network shares, and later user ID plus password security, were added after that. The server and its associated user workstations were called a Workgroup and shared a common workgroup name. Windows 95 and 98 also included this type of security, with user IDs and cached passwords stored in separate .pwl files (their encryption was broken shortly after release, so a .pwl file should be treated as the password itself).

With Windows NT (from NT 3.1 on), this security moved from separate per-user files into an integrated database, the Security Account Manager (SAM), stored as part of the Windows Registry. The challenge-response authentication that goes with it was called NT LAN Manager, or NTLM. Microsoft later extended this security from a standalone server's workgroup to groups of servers called Domains. The servers holding the shared SAM database were called Domain Controllers, of two types: the Primary Domain Controller (PDC) with the read/write copy of the SAM, and Backup Domain Controllers (BDCs) with read-only copies. The domain construct remained through Windows NT 4.0.

Windows 2000 introduced an additional layer on top of the NetBIOS/Domain construct called Active Directory (AD). Active Directory is an LDAP-compliant network directory that uses dynamic DNS for name resolution instead of NetBIOS broadcasts or WINS. Domains are grouped into AD "trees" within AD "forests". Domain Controllers still exist under AD, but they all hold read/write copies of their domain's information and replicate among themselves (multi-master). Authentication no longer relies on NTLM by default; it uses Kerberos, a ticket-based protocol in which the domain controller acts as the Key Distribution Center (NTLM stays available as a fallback, so turning it off is a separate hardening step). Active Directory supports NT 4.0-style domain controllers through a backwards-compatible "mixed" mode, which is the default; converting the domain to "native" mode drops support for NT 4.0 BDCs, not for NetBIOS naming itself, which clients may still use.

TCP/IP became the default protocol in Windows 2000, with Active Directory clients using SMB on TCP port 445, LDAP on port 389 and Kerberos on port 88. Native Windows file and print sharing over IP without NetBIOS is referred to as SMB (Server Message Block, the native server protocol) over TCP, or as the Common Internet File System (CIFS), Microsoft's name for its SMB dialect of that era; both use port 445. Unrelated to SMB, Windows machines configured for DHCP that cannot find a DHCP server assign themselves an address in the 169.254.0.0/16 range, called Automatic Private IP Addressing (APIPA). LDAP is a directory access protocol derived from the older CCITT X.500 directory standards and uses a naming structure of the form CN=Donna_James,OU=Sales,DC=MYCOMPANY,DC=COM. CN means Common Name, OU means Organizational Unit, DC means Domain Component. Only the DC components map to a DNS name: DC=MYCOMPANY,DC=COM is the DNS domain mycompany.com, and the user's logon name in DNS form (the user principal name) is Donna_James@mycompany.com. The OU (Sales) is a container inside that domain, not a subdomain, and does not appear in the DNS name. The Common Name is usually the NetBIOS-style name of a user, server or workstation in a "mixed" mode AD tree.
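The DN-to-DNS mapping just described, as an added example (it is not from the original notes): two small shell functions pull the DC components out of a distinguished name to form the DNS domain and pair the leaf CN with it, and a third lists the OU path. Assumptions: the notes' convention that the CN is the logon name (a real AD user principal name comes from the userPrincipalName attribute and can differ), and values that contain no RFC 4514 escapes.

```shell
#!/bin/sh
# Added example, not part of the original notes: map an LDAP distinguished
# name (DN) to the DNS domain and UPN-style name Active Directory uses.
# Only DC= components form the DNS domain; an OU= is a container inside the
# domain and never becomes a DNS label.
# Limitation (assumption for this example): RFC 4514 escapes such as "\,"
# inside attribute values are not handled.

# dn_values DN TYPE: print the values of every RDN whose attribute type is
# TYPE (case-insensitive), one per line, leaf first, as they appear in the DN.
dn_values() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | awk -F= -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
              'tolower($1) == want { sub(/^[^=]*=/, ""); print }'
}

# dn_to_dns DN: DC components joined with dots, lower-cased (DNS is case-insensitive).
dn_to_dns() {
    dn_values "$1" dc | paste -s -d '.' - | tr 'A-Z' 'a-z'
}

# dn_to_upn DN: leaf CN at the DNS domain, e.g. Donna_James@mycompany.com.
# Assumption: CN is the logon name (AD's real UPN is the userPrincipalName attribute).
dn_to_upn() {
    cn=$(dn_values "$1" cn | head -n 1)
    [ -n "$cn" ] || return 1
    printf '%s@%s\n' "$cn" "$(dn_to_dns "$1")"
}

# dn_ou_path DN: OUs from the domain root down, as the AD console shows them
# (e.g. "EMEA/Sales"); the sed expression reverses the leaf-first order.
dn_ou_path() {
    dn_values "$1" ou | sed -n '1!G;h;$p' | paste -s -d '/' -
}

# Demo with the notes' example DN.
dn='CN=Donna_James,OU=Sales,DC=MYCOMPANY,DC=COM'
printf 'DNS domain: %s\nUPN:        %s\nOU path:    %s\n' \
    "$(dn_to_dns "$dn")" "$(dn_to_upn "$dn")" "$(dn_ou_path "$dn")"
```

The OU is deliberately absent from both the DNS domain and the UPN; it only shows up in dn_ou_path, which is where a practitioner would look for it when writing LDAP search bases.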

SAMBA

Samba is a suite of utilities that allows a Linux system to participate in a Windows network, sharing resources such as files or printers as a Windows server or client. The RPM packages are samba, samba-common, samba-client and samba-swat. You can install them with rpm -i on the package files or, more simply, with "yum install samba*". This document describes how you can make your Linux box into a Windows Primary Domain Controller (PDC) or a server for a Windows Workgroup. By default, Samba mimics a Windows NT-style PDC in almost every way needed for simple file sharing. Linux functionality doesn't disappear when you do this. Samba domains and Linux share the same usernames, so you can log into the Samba-based Windows domain using your Linux password and immediately gain access to files in your Linux home directory. For added security you can make your Samba and Linux passwords different. Samba Linux servers that act as part of another domain are usually set up as file servers only and defer to the other domain controllers for authentication. This is especially true of Active Directory networks, where the Samba 3.x releases these notes describe cannot act as an AD domain controller (Samba 4 added that). Either configuration will allow everyone at home to have:

The /etc/samba/smb.conf file is the main configuration file you'll need to edit. It is split into these major sections:

File Format - /etc/samba/smb.conf

  Section      Description
  [global]     General Samba configuration parameters
  [printers]   Used for configuring printers
  [homes]      Defines treatment of user logins (each user's home directory share)
  [netlogon]   A share for storing logon scripts (not created by default)
  [profiles]   A share for storing domain logon information such as "favorites" and desktop icons (not created by default)

You can edit this file by hand, or more simply through Samba's SWAT web interface. After editing by hand, run testparm to check the file for syntax errors before restarting Samba.

Samba Web Administration Tool (SWAT)

SWAT, Samba's web-based configuration tool, lets you configure your smb.conf file without having to remember all the formatting. Each SWAT screen is a form that covers a separate section of the smb.conf file, into which you fill in the desired parameters. For ease of use, each parameter box has its own online help. Be aware that SWAT rewrites the smb.conf file and strips out any comments you may have entered into it by hand, so keep a backup copy.

Samba SWAT Main Menu

Basic SWAT Setup

The enabling and disabling, starting and stopping of SWAT is controlled by xinetd. Here is a sample /etc/xinetd.d/swat:

  service swat
  {
      port            = 901
      socket_type     = stream
      protocol        = tcp
      wait            = no
      user            = root
      server          = /usr/sbin/swat
      log_on_failure  += USERID
      disable         = no
      only_from       = localhost
  }

To activate SWAT use chkconfig swat on (and restart xinetd). You can make SWAT reachable from other hosts by adding their IP addresses to the only_from line, for example only_from = localhost 192.168.1.3. If the Samba server's IP address is 192.168.1.100, point your browser to http://192.168.1.100:901/. Keep only_from as narrow as possible: SWAT runs as root and the browser sends the root password in clear text over plain HTTP, so it must never be reachable from an untrusted network. (SWAT was removed from Samba in version 4.1; on current releases edit smb.conf by hand and check it with testparm.)

The [global] Section

The minimum [global] settings for a PDC are:

  Parameter   Value     Description
  workgroup   homenet   The name of the Windows domain we'll create. The name is your choice; I've decided to use "homenet".
  security    user      Make domain logins query the Samba password database located on the Samba server itself.

Here's how to set the values using SWAT:
  1. Log into SWAT and click on the [global] section.
  2. Click the Advanced button to see all the options.
  3. Make your changes and click on the Commit Changes button when finished.

Your smb.conf file should resemble the example below when you're finished. You can verify your changes as you make them by logging in to the Samba server at a command prompt and running cat /etc/samba/smb.conf.

  [global]
      workgroup = HOMENET
      time server = Yes
      domain logons = Yes
      os level = 65
      preferred master = Yes
      domain master = Yes
      wins support = Yes

Note: security = user is Samba's default and may not show up in your smb.conf file even though you see it in SWAT. wins support, however, defaults to No, so set it explicitly if the Samba server is to be the WINS server for the domain. The SWAT utility has a Wizard button that can configure your server as a PDC quickly, but the defaults may not be to your liking: for example, the default workgroup is MYGROUP and some of the [global] parameters mentioned above will be set to auto.

The [homes] Section

Part of the process of adding a user to a Samba domain is creating a Linux user on the Samba PDC itself. When you log into the Samba domain from a Windows PC, you'll see a new network drive added to your PC (the drive letter is set by the logon drive parameter in [global]; these notes use Z:). It maps to the corresponding Linux user's home directory on the PDC. Samba treats every shared directory as a share that can be configured with varying degrees of security; the [homes] section governs how Samba handles the home directory shares. This table explains the minimum settings you need for a functional [homes] section.

smb.conf Minimum Settings, [homes] Section

  Parameter        Value   Description
  browseable       No      Doesn't let others browse the contents of the directory, or see the share in the browse list
  read only        No      Allows the Samba user to also write to their Linux home directory
  create mask      0664    New files created by the user get "664" permissions. Change this to 0600 so that only the owning user has access to the files.
  directory mask   0775    New sub-directories created by the user get "775" permissions. Change this to 0700 so that only the owning user has access to the directories.

Here's how to set the values using SWAT:
  1. Click on the SWAT Shares button to proceed to where shared directories are configured.
  2. Click the Advanced button to see all the options.
  3. Choose the homes share.
  4. Make your changes and click on the Commit Changes button when finished.

Your smb.conf file should resemble this when finished, with the owner-only masks the table recommends. You can verify your changes as you make them with cat /etc/samba/smb.conf at a command prompt on the Samba server.

  [homes]
      read only = No
      browseable = No
      create mask = 0600
      directory mask = 0700

The [netlogon] and [profiles] Share Sections

The [netlogon] share holds the logon scripts that Windows clients run when they log into the domain. The [profiles] share stores roaming profile data related to the look and feel of Windows, such as favorites and desktop icons, so that the user gets the same settings no matter which Windows PC is logged into. Your smb.conf file should look like this when you're finished:

  [netlogon]
      path = /home/samba/netlogon
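As an added example, not from the original notes: a shell audit that reads an smb.conf and reports which of the settings discussed above are still at their weak values, with the weak configuration (the 0644/0755 masks) and the hardened one side by side. Both configuration files are constructed for this example; the share paths follow the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an smb.conf for the PDC
# settings the notes call for and show the weak [homes] masks beside the
# hardened ones.  Both configs below are constructed for this example.

# audit_smb_conf FILE: print one finding per line; return status = number of findings.
audit_smb_conf() {
    awk '
        function norm(x) { if (x == "true" || x == "1") return "yes";
                           if (x == "false" || x == "0") return "no"; return x }
        # has(section, key, want): key is set in section and normalises to want
        function has(s, k, want) { return ((s, k) in val) && norm(val[s, k]) == want }
        /^[ \t]*[#;]/ { next }                              # comment line
        /^[ \t]*\[/   { sec = tolower($0); gsub(/\[|\]|[ \t]/, "", sec); seen[sec] = 1; next }
        index($0, "=") {                                    # key = value
            k = tolower(substr($0, 1, index($0, "=") - 1))
            v = tolower(substr($0, index($0, "=") + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val[sec, k] = v
        }
        END {
            n = 0
            if (has("global", "security", "share")) {
                print "[global] security = share: domain logons need per-user authentication (security = user)"; n++ }
            if (has("global", "domain logons", "yes") && !("netlogon" in seen)) {
                print "[global] domain logons = yes but there is no [netlogon] share for logon scripts"; n++ }
            if (!("homes" in seen)) {
                print "no [homes] section: domain users get no home drive"; n++ }
            else {
                if (!has("homes", "browseable", "no")) {
                    print "[homes] browseable should be No (the default Yes lists every home directory)"; n++ }
                if (!has("homes", "create mask", "0600")) {
                    print "[homes] create mask should be 0600 (0644/0664 let other users read new files)"; n++ }
                if (!has("homes", "directory mask", "0700")) {
                    print "[homes] directory mask should be 0700 (0755/0775 let other users list new directories)"; n++ }
            }
            exit n
        }' "$1"
}

# Constructed smb.conf with the notes' [global] PDC values and the weak masks.
write_weak_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = HOMENET
   domain logons = Yes
   domain master = Yes
   preferred master = Yes
   os level = 65
   time server = Yes

[homes]
   read only = No
   browseable = No
   create mask = 0644
   directory mask = 0755
EOF
}

# Hardened version: owner-only masks, explicit security = user, and the
# [netlogon] (read-only for users) and [profiles] shares present.
write_hardened_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = HOMENET
   security = user
   domain logons = Yes
   domain master = Yes
   preferred master = Yes
   os level = 65
   time server = Yes

[homes]
   read only = No
   browseable = No
   create mask = 0600
   directory mask = 0700

[netlogon]
   path = /home/samba/netlogon
   read only = Yes
   browseable = No

[profiles]
   path = /home/samba/profiles
   read only = No
   browseable = No
   create mask = 0600
   directory mask = 0700
EOF
}

# Demo: run both configs through the audit (findings go to stdout).
tmp=$(mktemp -d)
write_weak_conf "$tmp/weak.conf"
audit_smb_conf "$tmp/weak.conf" || printf 'weak.conf: %s finding(s)\n' "$?"
write_hardened_conf "$tmp/hardened.conf"
audit_smb_conf "$tmp/hardened.conf" && printf 'hardened.conf: no findings\n'
rm -rf "$tmp"
```

Run it against the live file with audit_smb_conf /etc/samba/smb.conf after every SWAT commit; because SWAT drops comments, the audit is a cheaper way to confirm the masks than re-reading the file.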

How To Create A Samba PDC Administrator User

To do both SWAT and user administration with Samba you'll need administrator accounts on the Samba PDC Linux server. By default, the root user is the Samba administrator, and SWAT requires the Linux root password. You can add workstations to the Windows domain with a Samba-specific root password, created with the smbpasswd command. It prompts for the new password twice; it does not take the password as an argument (use -s to read it from standard input when scripting):

  /usr/bin/smbpasswd -a root

Remember that regular Linux logins via the console, Telnet or SSH use the password set with the Linux passwd command, while Samba domain logins use the smbpasswd password. Samba passwords are stored in the /etc/samba/smbpasswd file as LM and NT hashes; those hashes are password-equivalent on the network, so the file must stay readable by root only. In a corporate environment, you may want more than one person to administer Samba, each with their own username. To do this:

  1. Create a Linux user group, such as sysadmin, with the groupadd command.
  2. Use SWAT to update your smb.conf file so that the sysadmin group is listed in the [global] parameter settings:
        domain admin group = @sysadmin
        admin users = @sysadmin
        printer admin = @sysadmin
     (domain admin group exists only in Samba 2.2; Samba 3.x removed it and instead maps a Unix group to the Domain Admins group with net groupmap. admin users grants root-equivalent access to every share, so keep that group small.)
  3. Create individual Linux users that are members of this group.
  4. Use the smbpasswd command to create Samba passwords for domain logins for these users. For security reasons this password may differ from the Linux password used to log into the Linux system from the console, via telnet or ssh. (Remember that Linux passwords are changed with the passwd command.)

Add Workstations To Your Samba Domain

Adding workstations to a Samba domain is a two-step process: create workstation trust accounts on the Samba server, then log into each workstation and join it to the domain. A PDC accepts user logins only from trusted PCs that have been placed in its machine account database. Samba can create these machine trust accounts in two ways, manually or automatically.

Manual Creation Of Machine Trust Accounts (NT Only)

The commands in this example create a special Linux group for Samba clients and then add a special machine user that's a member of the group. The Linux password for this user is then locked, and the machine is added to the smbpasswd file so that Samba knows which devices are members of the domain. In summary, a machine trust account needs entries in both /etc/passwd and /etc/samba/smbpasswd. Pay careful attention to the dollar sign ($) at the end of the Unix account name and replace machine_name with the name of the Windows client machine; smbpasswd -m appends the $ itself, so the name is given without it there.

  groupadd samba-clients
  /usr/sbin/useradd -g samba-clients -d /dev/null -s /bin/false machine_name$
  passwd -l machine_name$
  smbpasswd -a -m machine_name

This is the only way to configure machine trusts for Windows NT clients.

Dynamic Creation Of Machine Trust Accounts

Although you can use the manual method, the recommended way of creating machine trust accounts is to let the Samba server create them as needed when Windows clients join the domain, known as creating the machine account on the fly. Set this up by editing /etc/samba/smb.conf so that Samba runs the required useradd automatically. The easiest way is to use SWAT's Globals menu to modify the add machine script parameter:

  [global]

  <...remainder of parameters...>

      add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u

Samba runs this script as root when a client joins, with %u replaced by the machine account name (including the trailing $). The join itself must be authorized with the Samba root password, or with an account granted the privilege to add machines, so add machine script does not let arbitrary hosts add themselves to the domain. When you have completed the modifications, create the samba-clients Linux group that identifies all the domain's Windows clients in /etc/passwd:

  groupadd samba-clients
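The manual procedure above as an added shell example (it is not the notes' own script): it validates the NetBIOS machine name before touching /etc/passwd and smbpasswd, then runs the four commands in order. The samba-clients group name follows the notes; the character restriction and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: create a machine trust account
# the manual way, with the checks the notes leave implicit.  Set DRY_RUN=1 to
# print the commands instead of running them (the real ones need root and Samba).
# Assumptions: group "samba-clients" as in the notes; NetBIOS names are at most
# 15 characters, and this example conservatively allows only letters, digits
# and hyphens.

# run CMD...: execute, or just print when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# valid_netbios_name NAME: 0 if NAME is 1-15 chars of [A-Za-z0-9-] (no trailing "$").
valid_netbios_name() {
    case "$1" in
        '' | *[!A-Za-z0-9-]* ) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# machine_trust_account NAME: Unix account NAME$ (no home, no shell, password
# locked) plus the matching smbpasswd entry.  smbpasswd -m appends the "$" itself.
machine_trust_account() {
    name=$1
    if ! valid_netbios_name "$name"; then
        printf 'invalid NetBIOS machine name: %s\n' "$name" >&2
        return 1
    fi
    run groupadd -f samba-clients            # -f: succeed if the group already exists
    run useradd -g samba-clients -d /dev/null -s /bin/false -M "${name}\$"
    run passwd -l "${name}\$"                 # no interactive login for the machine account
    run smbpasswd -a -m "$name"               # -m: machine account, "$" added by smbpasswd
}

# Demo (dry run): show what joining "ws01" would execute.
( DRY_RUN=1; machine_trust_account ws01 )
```

With add machine script in place the same useradd runs automatically at join time, so the validation here is mainly for scripted bulk pre-creation of accounts.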

Point PC Clients To Your Samba PDC

Windows 95/98/ME (and Windows XP Home) Windows 9x machines do not implement full domain membership and therefore don't require machine trust accounts; they only use the domain to validate logons. Windows XP Home Edition cannot join a domain at all (workgroups only), so it needs no machine trust account either. For Windows 9x, here's what you need to do:

  1. Navigate to the Network section of the Control Panel (Start ->Settings->Control Panel->Network)
  2. Select the Configuration tab
  3. Highlight "Client for Microsoft Networks"
  4. Click the Properties button.
  5. Check "Log onto Windows NT Domain", and enter the domain name.
  6. Click all the OK buttons and reboot!

Adding users to the domain starts with creating them in Linux just as you would normally. Linux passwords aren't necessary unless you want the users to log in to the Samba server itself via telnet or ssh.

1) Create the Linux user:

  useradd -g 100 peter

Give them a Linux password only if the user needs to log into the Samba server directly:

  passwd peter

2) Mapping The Linux Users To An smbpasswd Entry

Create the Samba domain login password for the user (smbpasswd prompts for it; it is not given on the command line):

  /usr/bin/smbpasswd -a peter

The -a switch adds the user to the /etc/samba/smbpasswd file. Use a generic password, then have users change it immediately from their workstations in the usual way. Remember that smbpasswd sets the Windows domain login password for a user, which is different from the Linux login password used to log into the Samba box.

3) Mapping A Private Windows Drive Share

By default, Samba gives each user logged into the domain a home drive that maps to the [homes] share, i.e. /home/username on the Linux box (the drive letter is set with the logon drive parameter). If the auto-mapping doesn't work, then try:
  1. Let the user log into the domain.
  2. Right-click on the "My Computer" icon on the desktop.
  3. Click on "Map Network Drive".
  4. Select a drive letter.
  5. Browse to the HOMENET domain, then the Samba server, then the user's home directory.
  6. Click on the check box "Reconnect at Logon" to make the change permanent.

You can also use the command-line method and put it into a logon script:
  1. Create a master logon batch file for all users: vi /home/samba/netlogon/login.bat
  2. Add the following lines to mount the user's share as drive P:
       REM Drive Mapping Script
       net use P: \\bigboy
  3. Make the file world readable: chmod 644 /home/samba/netlogon/login.bat
  4. Linux and Windows text files differ in their line endings. As the file resides on a Linux box but will be interpreted by a Windows machine, convert it to Windows format with the unix2dos command: unix2dos /home/samba/netlogon/login.bat
  5. The final step is to make sure your smb.conf file's [global] section has a valid entry for the logon script parameter (the path is relative to the [netlogon] share). This can be done using SWAT via the Globals menu.

  [global]
      logon script = login.bat

Now your users will have additional disk space available on a Windows P: drive whenever they log in. Since every domain user runs this script at logon, the [netlogon] share must be writable by root only (read only = Yes for users): anyone who can edit login.bat can run commands on every workstation in the domain.

Domain Groups And Samba

Samba supports domain groups whose members have Administrator rights on each PC in the domain. This enables them to add software and configure network settings. In Windows, domain groups also have the ability to join machines to the domain; however, Samba does not support this currently. The domain admin group parameter specifies the users who will have domain administrator rights. The argument is a space-separated list of user names or group names (group names must be prefixed with an @ sign). For example:

  domain admin group = USER USER2 @GROUP

(This parameter is a Samba 2.2 setting; Samba 3.x removed it and uses net groupmap to map a Unix group to the Domain Admins group.)

How To Delete Users From Your Samba Domain

Deleting users from your Samba domain is a two-stage process: remove the user's smbpasswd entry and remove the user from the Linux server. Doing only the second leaves a stale smbpasswd entry, with the user's password hashes, behind.

  1. Delete the user's Samba entry using smbpasswd with the -x switch: smbpasswd -x john
  2. Delete the Linux user by following the normal deletion process, for example: userdel -r john
  3. If you don't want to delete the user's files, so that other users can still access them, just deactivate the account instead: passwd -l username. Locking the Linux password does not stop Samba logins, which use the NT hash, so also disable the Samba entry with smbpasswd -d username.

How To Modify Samba Passwords

You can set your Samba server to allow users to change their domain passwords and have the changes mirrored automatically in their Linux login passwords. This table explains the [global] smb.conf parameters that you need to change.

smb.conf Settings, Enabling Online Password Changes

  Parameter            Value                Description
  unix password sync   Yes                  Enables Samba/Linux password synchronization
  passwd program       /usr/bin/passwd %u   The program Samba runs, as root, to change the Linux password (set it via SWAT; the notes give /bin/passwd, so check which path your distribution uses)

The related passwd chat parameter must match the prompts your passwd program prints; test a change as an ordinary user before relying on synchronization.
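An added example (not from the original notes) that checks the two-file bookkeeping described here and in the machine trust account section above: it reads /etc/passwd and the smbpasswd file and reports smbpasswd entries whose Linux account is gone (a userdel without smbpasswd -x), machine accounts that still have a real login shell, and disabled entries. The sample files and the hashes in them are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes: cross-check /etc/passwd against
# the smbpasswd file.  A user removed with userdel but not "smbpasswd -x"
# leaves an smbpasswd entry behind; a machine account must exist in both files
# and must not have an interactive shell.  Sample files are constructed here.

# smbpasswd line format: name:uid:LM-hash:NT-hash:[flags]:LCT-hex:
# flags: U = user, W = workstation (machine trust), D = disabled, N = no password.

# smb_orphans PASSWD SMBPASSWD: smbpasswd entries with no matching Unix account.
smb_orphans() {
    awk -F: 'NR == FNR { unix[$1] = 1; next }          # first file: /etc/passwd
             /^[ \t]*#/ || NF < 4 { next }             # second file: skip comments/junk
             !($1 in unix) { print $1 }' "$1" "$2"
}

# smb_machines_with_shell PASSWD SMBPASSWD: machine accounts (name ends in "$")
# whose Unix entry still has a login shell other than false/nologin.
smb_machines_with_shell() {
    awk -F: 'NR == FNR { shell[$1] = $7; next }
             $1 ~ /\$$/ && ($1 in shell) && shell[$1] !~ /(false|nologin)$/ { print $1 }' "$1" "$2"
}

# smb_disabled SMBPASSWD: entries carrying the D (disabled) flag.
smb_disabled() {
    awk -F: '!/^[ \t]*#/ && NF >= 5 && $5 ~ /D/ { print $1 }' "$1"
}

# write_samples DIR: constructed /etc/passwd and smbpasswd files.
#   john   was deleted with userdel but not smbpasswd -x (orphan, also disabled)
#   ws02$  was added by hand without -s /bin/false
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
peter:x:1001:100::/home/peter:/bin/bash
ws01$:x:1002:1003::/dev/null:/bin/false
ws02$:x:1004:1003::/dev/null:/bin/bash
EOF
    cat > "$1/smbpasswd" <<'EOF'
# constructed sample; the hashes are placeholders, not real password hashes
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-4A000001:
peter:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-4A000002:
john:1005:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[UD         ]:LCT-4A000003:
ws01$:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[W          ]:LCT-4A000004:
ws02$:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[W          ]:LCT-4A000005:
EOF
}

# Demo on the constructed files.
d=$(mktemp -d); write_samples "$d"
printf 'orphaned smbpasswd entries: %s\n' "$(smb_orphans "$d/passwd" "$d/smbpasswd" | paste -s -d ' ' -)"
printf 'machine accounts with a shell: %s\n' "$(smb_machines_with_shell "$d/passwd" "$d/smbpasswd" | paste -s -d ' ' -)"
printf 'disabled entries: %s\n' "$(smb_disabled "$d/smbpasswd" | paste -s -d ' ' -)"
rm -rf "$d"
```

On a real PDC run the three functions with /etc/passwd and /etc/samba/smbpasswd (as root, since the smbpasswd file is mode 600); each orphan is a stale hash that should be removed with smbpasswd -x.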

Accessing Windows Drives Using a Linux SAMBA Client - Linux as a Windows Client

Up to this point the setup has been for your Linux server acting as a Samba server, but it can also act as a Windows client using Samba's client software.

Windows Setup - CD-ROM Example

The Windows client box should first be set up as a member of the Samba domain or workgroup. The next step is to share the CD-ROM drive. The steps depend on which version of Windows you have.

For Windows 98/ME
  1. Double click 'My Computer'
  2. Right click on the CD-ROM drive and choose 'Sharing'
  3. Set the Share Name as 'cdrom' with the appropriate access control
  4. Restart Windows

For Windows 2000
  1. Double click 'My Computer'
  2. Right click on the CD-ROM drive and choose 'Sharing'
  3. Set the Share Name as 'cdrom' and the appropriate access control
  4. Log out and log in again as normal using your current login

For Windows XP
  1. Double click 'My Computer'
  2. Right click on the CD-ROM drive and choose 'Sharing and Security'
  3. Set the Share Name as 'cdrom' and the appropriate access control
  4. Log out and log in again as normal using your current login

Test Your Windows Client Configuration

Use the smbclient command to test your share. Substitute the name of your Windows client PC for "WinClient", and in place of "username" provide a valid workgroup/domain username that normally has access to the Windows client. You should get a share listing when you supply that user's password:

  smbclient -L WinClient -U username
  Password: (not displayed)

OR

  smbclient -L WinClient -U username%password

The second form puts the password on the command line, where every local user can read it from the process list and it lands in the shell history; prefer the prompt, or keep the credentials in a root-only file and pass it with smbclient -A.

Create A CD-ROM Drive Mount Point On Your Samba Server

You'll now need to create the mount point on the Linux server to mount and access the CD-ROM drive. These notes use the smbfs filesystem and the smbmount command; both are obsolete (smbfs was removed from the Linux kernel and smbmount from Samba), and on current systems the equivalent is mount -t cifs from the cifs-utils package, with the same //server/share syntax and username options.

Password Prompt Method

The Linux mount command accesses the share as user "username" via the "username=" option and prompts you for the password:

  mkdir /mnt/winclient-cdrom
  mount -t smbfs -o username=username //winclient/cdrom /mnt/winclient-cdrom

No Prompt Method

Linux won't prompt you for a password if you embed it in the mount command string along with the username, as below. The same caveat applies: the password is visible in the process list and shell history, so for anything permanent use a credentials file (see the fstab section below).

  mkdir /mnt/winclient-cdrom
  mount -t smbfs -o username=username,password=password //winclient/cdrom /mnt/winclient-cdrom

The smbmount Command Method

  smbmount //winclient/cdrom /mnt/winclient-cdrom -o username=username
  Password: (not displayed)

Some versions don't support smbmount; in that case use the Linux mount command.

Automating Mounting With Linux SAMBA Clients

You can also automate the mounting of shares by placing entries in your /etc/fstab file. In the example below the home directory of user peter on server 192.168.1.100 is mounted on the /mnt/smb mount point as a Samba filesystem (smbfs) using the login information in the file named /etc/cred. That file holds the password in clear text, so it must be owned by root with mode 0600; /etc/fstab itself is world readable, which is exactly why the password does not belong in it.

File: /etc/fstab

//192.168.1.100/peter /mnt/smb smbfs credentials=/etc/cred 0 0

On current kernels, where cifs has replaced smbfs, the filesystem type field becomes cifs and the rest of the line is unchanged.
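An added example, not from the original notes, that creates and checks the credentials file the fstab entry refers to, builds the equivalent cifs entry, and refuses to mount unless the file is locked down, so the password never appears on a command line or in the world-readable /etc/fstab. The cifs filesystem, the uid= option and the file names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: keep the share password out of
# the command line (visible to every user via ps) and out of fstab (world
# readable) by using a credentials file only root can read, and mount with the
# cifs filesystem that replaced smbfs.  Paths and option names are assumptions.

# make_cred_file FILE USER PASSWORD [DOMAIN]: written under umask 077 so the
# file is 0600 from the moment it exists (no window where it is world-readable).
make_cred_file() {
    (
        umask 077
        printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1"
        if [ -n "${4:-}" ]; then printf 'domain=%s\n' "$4" >> "$1"; fi
    )
    chmod 600 "$1"        # also tighten a pre-existing file
}

# check_cred_file FILE: 0 only if FILE is a regular file with mode 0600 (no
# group/other bits) and has the username= and password= lines mount.cifs expects.
check_cred_file() {
    f=$1
    [ -f "$f" ] || { printf '%s: not a regular file\n' "$f" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -rw-------) ;;
        *) printf '%s: mode is %s, expected -rw------- (chmod 600)\n' "$f" "$mode" >&2; return 1 ;;
    esac
    grep -q '^username=' "$f" && grep -q '^password=' "$f" \
        || { printf '%s: missing username= or password= line\n' "$f" >&2; return 1; }
}

# fstab_line //SERVER/SHARE MOUNTPOINT CREDFILE [UID]: an /etc/fstab entry that
# references the credentials file instead of embedding the password.  uid= makes
# the mounted files appear owned by that local user; _netdev waits for the network.
fstab_line() {
    printf '%s %s cifs credentials=%s,uid=%s,_netdev 0 0\n' "$1" "$2" "$3" "${4:-0}"
}

# mount_share //SERVER/SHARE MOUNTPOINT CREDFILE: refuse to mount if the
# credentials file is not locked down.  Needs root and cifs-utils.
mount_share() {
    check_cred_file "$3" || return 1
    mkdir -p "$2"
    mount -t cifs -o "credentials=$3" "$1" "$2"
}

# Demo: the notes' fstab entry, cifs style, with no password in it.
fstab_line //192.168.1.100/peter /mnt/smb /etc/cred 1001
```

The check runs before every mount on purpose: a credentials file that was copied from a backup or edited with a permissive umask is the most common way the share password ends up readable by every local user.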