Cost Control

Setting Up Users in the Domain

Once all of the prerequisites for operating a domain are met, you can start to set up the groups and users. For groups, admins need to consider the following:

• Will the group only be used for granting privileges on this host? If so, you need only set up a Linux group to hold the Linux users.
• Will the group be used to gather users and then set permissions on another file server in the domain? It does not matter whether it is another Samba server or a Windows server, you must create a group mapping. All other group mappings can be created, like the domain groups that were set up to prepare the domain, except you do not need to specify the RID; it is automatically assigned.

You can create all other users with pdbedit (as in the example with the domain administrator). All the parameters and their descriptions are excellently explained in the man page for the pdbedit command. Listing 7 shows how to create a user and a group mapping. The user settings can be changed with parameters when creating the accounts.

root@samba:~# groupadd authors
root@samba:~# net groupmap add ntgroup="authors" unixgroup=authors type=d
No rid or sid specified, choosing a RID
Got RID 1001
Successfully added group authors to the mapping db as a domain group
root@samba:~# useradd -g domusers -G authors -m -s /bin/bash skania
root@samba:~# useradd -g domusers -G authors -m -s /bin/bash skania
root@samba:~# pdbedit -a -u skania -G 513 -c "[U]" -f "Stefan Kania"
new password:
retype new password:
Unix username:        skania
NT username:
Account Flags:        [U     ]
User SID:             S-1-5-21-2851015207-2192045402-886076809-1002
Primary Group SID:    S-1-5-21-2851015207-2192045402-886076809-513
Full Name:            Stefan Kania
Home Directory:       \\admin-magazine\skania
HomeDir Drive:
Logon Script:
Profile Path:         \\admin-magazine\skania\profiles
Domain:               ADMINDOM
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          9223372036854775807 seconds since the Epoch
Kickoff time:         9223372036854775807 seconds since the Epoch
Password last set:    Fri, 04 Jan 2013 11:14:33 CET
Password can change:  Fri, 04 Jan 2013 11:14:33 CET
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

This time, the name of the Linux group and the name of the group mapping are identical and will not cause problems. Also, the RID is not predetermined but assigned automatically. The Linux user has not been assigned a password because, later, this user will not be logging on to the Linux system, just a Windows client in the domain. Following this pattern, you can now create new groups and users.

The group memberships of the users are always managed in the Linux group; the group mapping ensures that the members are also known on the Windows system in the domain.

Clients in the Domain

To add Windows clients to a domain, an account must exist for every Windows client in the domain. This account must always use the NetBIOS name of the Windows client. The account can be created either manually for each host or automatically by a script when adding a client to the domain. If you want to create the accounts manually, follow the procedure in Listing 8.

root@samba:/# useradd -g domcomputer -s /bin/false 'win7$'
root@samba:/# pdbedit -a -m win7 -G 515 -c "[UW]" -p "" -h""
Unix username:        win7$
NT username:
Account Flags:        [W     ]
User SID:             S-1-5-21-2851015207-2192045402-886076809-1009
Primary Group SID:    S-1-5-21-2851015207-2192045402-886076809-515
Full Name:
Home Directory:
HomeDir Drive:
Logon Script:
Profile Path:
Domain:               ADMINDOM
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          9223372036854775807 seconds since the Epoch
Kickoff time:         9223372036854775807 seconds since the Epoch
Password last set:    Sat, 05 Jan 2013 13:00:47 CET
Password can change:  Sat, 05 Jan 2013 13:00:47 CET
Password must change: never
Last bad Password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

The first step generates a Linux account for the client, as was previously done for a user. The dollar sign after the name is important because it distinguishes a client account from a user account. The second step is to run pdbedit to create the Samba account. Setting the group RID to 515 and the flags to [UW] tells Windows that this is a client account.

The other way to create client accounts is through a script that runs while joining a client to the domain. The script is inserted into the [global] section of smb.conf:

add machine script = /usr/sbin/useradd -d /var/lib/nobody -g domcomputer -s /bin/2 Ptfalse -M %u

The Samba server then sets up the required accounts autonomously. After joining the domain, the accounts can also be listed with getent passwd and pdbedit -L. Incidentally, if you want to join Windows 7 clients to the domain, you will need to patch the registry beforehand [2].

After creating the client account, you can join the client to the domain in the usual way. Figure 2 shows this process. A while after entering the username and password, you will see the message Welcome to the ADMINDOM domain . After restarting the system, Samba users can log in.

Figure 2: Adding a client to the domain.

Centrally Managed Home Directories

A special Samba share for managing user directories automatically creates a home directory on the server for each user. Additionally, you can specify the drive letter, under which the user directory appears in Explorer.

First, you have to add the share to your smb.conf. The share name must be [homes] so that Samba can assign home directories. As you can see in Listing 9, no path to a specific directory is specified for the share. This is because Samba determines the user information independently and then shares the path for the user. In the example here, other parameters are used to ensure that only the new owner has rights to new entries and that they cannot assign rights to others.

[homes]
  comment = user home directories
  read only = no
  valid users = %S
  force create mode = 0700
  security mask = 0700
  force directory mode = 0700
  directory security mask = 0700
  inherit owner = yes

To view the user's account properties, you can then type:

pdbedit -v -L user

The Home Directory parameter already points to the relevant share on the server. The only thing missing is the parameter for Home Drive, which you can use to set the drive letter for the user directory. This parameter is set by the

pdbedit -D "H:" user

command. Now when users log in to the domain on a client, Explorer automatically takes them to their home directory and displays the directory content.