« Previous 1 2 3 4 Next »
Save money with Samba as the domain controller on a legacy Windows NT-style domain
Cost Control
Setting Up Users in the Domain
Once all of the prerequisites for operating a domain are met, you can start to set up the groups and users. For groups, admins need to consider the following:
- Will the group only be used for granting privileges on this host? If so, you need only set up a Linux group to hold the Linux users.
- Will the group be used to collect users and then set permissions on another file server in the domain? If so, you must create a group mapping, regardless of whether the other server is a Samba server or a Windows server. These mappings are created in the same way as the domain groups that were set up to prepare the domain, except that you do not need to specify the RID; Samba assigns one automatically.
You can create all other users with pdbedit (as in the example with the domain administrator). All of the parameters and their descriptions are explained well in the man page for the pdbedit command. Listing 7 shows how to create a user and a group mapping. The user settings can be set with parameters when creating the account.
Listing 7
Creating More Users and Groups
root@samba:~# groupadd authors
root@samba:~# net groupmap add ntgroup="authors" unixgroup=authors type=d
No rid or sid specified, choosing a RID
Got RID 1001
Successfully added group authors to the mapping db as a domain group
root@samba:~# useradd -g domusers -G authors -m -s /bin/bash skania
root@samba:~# pdbedit -a -u skania -G 513 -c "[U]" -f "Stefan Kania"
new password:
retype new password:
Unix username: skania
NT username:
Account Flags: [U ]
User SID: S-1-5-21-2851015207-2192045402-886076809-1002
Primary Group SID: S-1-5-21-2851015207-2192045402-886076809-513
Full Name: Stefan Kania
Home Directory: \\admin-magazine\skania
HomeDir Drive:
Logon Script:
Profile Path: \\admin-magazine\skania\profiles
Domain: ADMINDOM
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 9223372036854775807 seconds since the Epoch
Kickoff time: 9223372036854775807 seconds since the Epoch
Password last set: Fri, 04 Jan 2013 11:14:33 CET
Password can change: Fri, 04 Jan 2013 11:14:33 CET
Password must change: never
Last bad password: 0
Bad password count: 0
Logon hours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
This time, the name of the Linux group and the name of the group mapping are identical, which does not cause problems here. Also, the RID is not specified in advance but assigned automatically. The Linux user is not given a password because this user will later log on only to a Windows client in the domain, never to the Linux system itself; for the same reason, a shell of /bin/false (as used for the machine accounts in Listing 8) is sufficient and avoids leaving an unused interactive login on the server. Following this pattern, you can now create more groups and users.
The group memberships of the users are always managed in the Linux group; the group mapping ensures that the members are also known on the Windows system in the domain.
Clients in the Domain
To join Windows clients to a domain, an account must exist for every Windows client in the domain. The account name must always be the NetBIOS name of the Windows client. The account can be created either manually for each host or automatically by a script when the client joins the domain. To create the accounts manually, follow the procedure in Listing 8.
Listing 8
Creating Accounts
root@samba:/# useradd -g domcomputer -s /bin/false 'win7$'
root@samba:/# pdbedit -a -m win7 -G 515 -c "[UW]" -p "" -h ""
Unix username: win7$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-2851015207-2192045402-886076809-1009
Primary Group SID: S-1-5-21-2851015207-2192045402-886076809-515
Full Name:
Home Directory:
HomeDir Drive:
Logon Script:
Profile Path:
Domain: ADMINDOM
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 9223372036854775807 seconds since the Epoch
Kickoff time: 9223372036854775807 seconds since the Epoch
Password last set: Sat, 05 Jan 2013 13:00:47 CET
Password can change: Sat, 05 Jan 2013 13:00:47 CET
Password must change: never
Last bad password: 0
Bad password count: 0
Logon hours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
The first step creates a Linux account for the client, as was done earlier for a user. The trailing dollar sign in the name is important because it distinguishes a client account from a user account. The second step is to run pdbedit to create the Samba account. Setting the primary group RID to 515 (Domain Computers) and the flags to [UW] tells Windows that this is a client account; the listing shows that pdbedit stores the flags as [W ].
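Listings 7 and 8 both show the verbose record that pdbedit prints for an account, and `pdbedit -L -v` prints the same record for every account in the database. The following Python script is an added example, not code from the original article: it parses that output and checks the conventions just described, namely that machine accounts (Unix names ending in `$`) carry the W flag and primary group RID 515, that user accounts carry the U flag, and that no enabled account carries the N (no password required) flag, which would let it log on without a password. The embedded listing is constructed; skania and win7$ follow Listings 7 and 8, while badpc$ and svc are invented, deliberately misconfigured accounts that exist only to produce findings.

```python
import re
import sys

DOMAIN_USERS = 513       # well-known RID of Domain Users
DOMAIN_COMPUTERS = 515   # well-known RID of Domain Computers

# Constructed sample in the format of `pdbedit -L -v` (records separated by a
# line of dashes). badpc$ and svc are invented, misconfigured accounts.
SAMPLE = r"""
Unix username:        skania
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-2851015207-2192045402-886076809-1002
Primary Group SID:    S-1-5-21-2851015207-2192045402-886076809-513
Full Name:            Stefan Kania
Home Directory:       \\admin-magazine\skania
HomeDir Drive:        H:
Profile Path:         \\admin-magazine\skania\profiles
Domain:               ADMINDOM
Password must change: never
---------------
Unix username:        win7$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-2851015207-2192045402-886076809-1009
Primary Group SID:    S-1-5-21-2851015207-2192045402-886076809-515
Domain:               ADMINDOM
---------------
Unix username:        badpc$
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-2851015207-2192045402-886076809-1010
Primary Group SID:    S-1-5-21-2851015207-2192045402-886076809-513
Domain:               ADMINDOM
---------------
Unix username:        svc
NT username:
Account Flags:        [NU         ]
User SID:             S-1-5-21-2851015207-2192045402-886076809-1011
Primary Group SID:    S-1-5-21-2851015207-2192045402-886076809-513
Domain:               ADMINDOM
"""


def parse_pdbedit(text):
    """Split `pdbedit -L -v` output into one {field: value} dict per account."""
    accounts, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:   # blank or separator line
            continue
        key, sep, value = line.partition(":")          # first colon only: values may contain ':'
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Unix username":                     # first field of every record
            current = {}
            accounts.append(current)
        if current is not None:
            current[key] = value
    return accounts


def account_flags(record):
    """Return the set of flag letters from a value such as '[U          ]'."""
    match = re.search(r"\[([A-Za-z ]*)\]", record.get("Account Flags", ""))
    return set(match.group(1).replace(" ", "")) if match else set()


def rid(sid):
    """Relative identifier: the last component of an S-1-5-21-... SID."""
    return int(sid.rsplit("-", 1)[-1]) if sid else None


def audit(accounts):
    """Return (unix name, problem) pairs for records that break the conventions."""
    findings = []
    for record in accounts:
        name = record.get("Unix username", "")
        flags = account_flags(record)
        group = rid(record.get("Primary Group SID", ""))
        if name.endswith("$"):                          # machine account
            if "W" not in flags:
                findings.append((name, "machine account without the W flag"))
            if group != DOMAIN_COMPUTERS:
                findings.append((name, f"machine account in group RID {group}, expected {DOMAIN_COMPUTERS}"))
        else:                                           # user account
            if "U" not in flags:
                findings.append((name, "user account without the U flag"))
            if "W" in flags:
                findings.append((name, "user account carries the W flag"))
        if "N" in flags and "D" not in flags:
            findings.append((name, "enabled account with N (no password required)"))
    return findings


if __name__ == "__main__":
    # Pipe real output in with `pdbedit -L -v | python3 audit.py`; falls back to SAMPLE.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for name, problem in audit(parse_pdbedit(text)):
        print(f"{name}: {problem}")
```

The parser splits records on the "Unix username" field rather than on the dashed separator, so it also works on the single-account output of `pdbedit -L -v user`. Run it as root on the domain controller, since pdbedit needs read access to the passdb backend.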
The other way to create client accounts is through a script that runs while a client joins the domain. The script is entered in the [global] section of smb.conf:
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g domcomputer -s /bin/false -M %u
The Samba server then creates the required accounts itself. After a client has joined the domain, its account can be listed with getent passwd and pdbedit -L. Incidentally, if you want to join Windows 7 clients to the domain, you will need to patch the registry beforehand [2].
After creating the client account, you can join the client to the domain in the usual way; Figure 2 shows this process. A moment after entering the username and password, you will see the message "Welcome to the ADMINDOM domain." After the system restarts, domain users can log in on the client.
Centrally Managed Home Directories
A special Samba share for user directories automatically provides each user with a share that points to that user's home directory on the server (the directory itself was created by useradd -m). Additionally, you can specify the drive letter under which the user directory appears in Explorer.
First, add the share to your smb.conf. The share name must be [homes] so that Samba treats it as the special home directory share. As Listing 9 shows, no path is specified for the share: Samba looks up the connecting user's home directory itself and shares that path under the user's name. In this example, valid users = %S restricts each share to the user whose name it carries, inherit owner = yes gives new entries the owner of the home directory (that is, the user), and the force and security mask parameters are meant to keep all rights with the owner. Note that force create mode and force directory mode only add bits: they guarantee the owner rwx, but Samba's default create mask (0744) and directory mask (0755) still leave read access (and, for directories, execute access) for group and others. To really limit new entries to the owner, also set create mask = 0700 and directory mask = 0700. The two security mask parameters stop users from granting those bits to others through the Windows security dialog; check with testparm whether your Samba version still accepts them.
Listing 9
Adding a Share
[homes]
comment = user home directories
read only = no
valid users = %S
force create mode = 0700
security mask = 0700
force directory mode = 0700
directory security mask = 0700
inherit owner = yes
To view the user's account properties, you can then type:
pdbedit -v -L user
The Home Directory parameter already points to the relevant share on the server. The only thing missing is the Home Drive parameter, which sets the drive letter under which the user directory appears. It is set with:
pdbedit -D "H:" user
Now when users log in to the domain on a client, Explorer automatically shows their home directory under that drive letter.
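Listing 9 relies on force create mode and force directory mode to keep new entries private, but those parameters are OR'ed onto the mode after the create mask and directory mask have been applied, and Listing 9 leaves the masks at their smb.conf(5) defaults. The following Python script is an added example, not part of the original article: it parses the [homes] section of Listing 9, applies the documented mask arithmetic (mode = (base AND mask) OR force mode), and compares the result with a copy of the share that additionally sets create mask = 0700 and directory mask = 0700 (the names ARTICLE_HOMES and HARDENED_HOMES are mine). The base modes it assumes are the ones Samba derives from the DOS attributes before masking: 0666 for a file plus the owner execute bit, because a newly written file carries the archive attribute and map archive defaults to yes, and 0777 for a directory. The calculation does not apply when inherit permissions = yes, because Samba then copies the parent directory's bits instead of using the masks.

```python
import configparser

# [homes] share from Listing 9, as written in the article.
ARTICLE_HOMES = """\
[homes]
comment = user home directories
read only = no
valid users = %S
force create mode = 0700
security mask = 0700
force directory mode = 0700
directory security mask = 0700
inherit owner = yes
"""

# Same share with the two mask parameters added (the fix proposed here).
HARDENED_HOMES = ARTICLE_HOMES + """\
create mask = 0700
directory mask = 0700
"""

# smb.conf(5) defaults for the parameters that Listing 9 leaves unset.
DEFAULTS = {
    "create mask": "0744",
    "directory mask": "0755",
    "force create mode": "0000",
    "force directory mode": "0000",
}

# Unix mode Samba derives from the DOS attributes before the masks are applied
# (assumption stated in the lead-in): 0666 for a file plus owner execute from
# the archive attribute with "map archive = yes"; 0777 for a directory.
BASE_FILE_MODE = 0o766
BASE_DIR_MODE = 0o777


def load_share(text, share="homes"):
    """Parse one share's parameters; interpolation is off so %S is kept literally."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser[share])


def octal(params, key):
    """Parameter value as an octal mode, falling back to the Samba default."""
    return int(params.get(key, DEFAULTS[key]), 8)


def new_file_mode(params):
    """Mode of a file created through the share: (base AND create mask) OR force create mode."""
    return (BASE_FILE_MODE & octal(params, "create mask")) | octal(params, "force create mode")


def new_dir_mode(params):
    """Mode of a directory created through the share: (base AND directory mask) OR force directory mode."""
    return (BASE_DIR_MODE & octal(params, "directory mask")) | octal(params, "force directory mode")


def owner_only(params):
    """True when neither new files nor new directories receive any group/other bits."""
    return not ((new_file_mode(params) | new_dir_mode(params)) & 0o077)


if __name__ == "__main__":
    for label, text in (("Listing 9", ARTICLE_HOMES), ("with masks", HARDENED_HOMES)):
        share = load_share(text)
        print(f"{label}: file {new_file_mode(share):04o}, directory {new_dir_mode(share):04o}, "
              f"owner only: {owner_only(share)}")
```

With the parameters from Listing 9 a new file ends up as 0744 and a new directory as 0755, readable by every local account on the server; with the two masks added, both are 0700. The same arithmetic can be checked on a live server with testparm -s, which prints the effective value of every share parameter, including the defaults.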