Common cases and situations in mixed Windows/Linux networks: WINS and PDC.
Sample smb.conf for a Primary Domain Controller
Here is an example configuration for an NT4-domain PDC that also acts as Master Browser and WINS server.
[global]
workgroup = LAB42
server string = Samba Server PDC
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
# The following is a handy directive that automatically creates the machine account in /etc/passwd when a new computer joins the domain
add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
# The directives that tell Samba to act as PDC and to allow logons from the hosts that are part of the domain
domain master = Yes
domain logons = Yes
# Directives regarding the Master Browser functionality
preferred master = Yes
os level = 250
# Directives regarding the WINS server functionality
dns proxy = No
wins support = Yes
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
[Documents]
path = /tmp
guest ok = Yes
[Private]
comment = Documenti Privati
path = /var/log
read only = No
Samba as a Primary Domain Controller (PDC)
Samba can act as a PDC (Primary Domain Controller) in a Windows (or mixed) client network.
The features supported are:
- Domain logon for Windows NT/2000/XP clients.
- User-level security for Windows 9x/ME clients (these clients have no real concept of a domain, but do support logging on to one).
- Roaming profiles, for users who log on from several clients while keeping their environment.
- Browse lists and master browser.
- NT4-style system policies.
- Ability to obtain the list of users/groups from the Samba PDC.
- Active Directory management (introduced, in part, from version 3.x).
Capabilities not yet supported:
- Acting as a Domain Controller in an ADS (Active Directory) domain.
- Use as a BDC (Backup Domain Controller) in a Windows NT4 domain with a PDC.
To configure Samba as a PDC in a Windows domain, you must:
- Install Samba on Linux/Unix (via RPM or from source).
- Configure smb.conf.
- Create the directories for domain logons and roaming profiles.
- Add the logins and passwords of the domain's users and machines.
- Configure the Windows clients to join the domain.
The following instructions apply to both version 2 and version 3, except for the add machine script directive.
1 – Installing Samba
Installing Samba for a PDC requires no special care compared to a normal Samba installation from RPM or tar.gz.
2 – Configure smb.conf
Let's look at an example configuration file for a Samba PDC. Several settings are common to any Samba installation, some are specific to a PDC (domain master = yes, security = user, encrypt passwords = yes), others are needed if you want clients to run a script at login (logon script, [netlogon] share) or to use roaming profiles (logon path, [profiles] share).
Consider the latter option carefully: it has the convenience of decoupling users from a single physical machine (every user can use every machine), but at every login it involves loading or synchronizing the whole "Documents and Settings" folder between the Windows client and the server, with a network load that is far from negligible and longer waits for the user.
During the session you work on the files on the local machine, which are then synchronized with the server at logout.
[global]
; General settings (valid in any Samba configuration)
; Domain and/or workgroup name
workgroup = intranet
; Name of the Samba server
netbios name = serverone
; Server description (%v is the Samba version)
server string = Samba PDC - Version %v
; Recommended default TCP settings
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 IPTOS_LOWDELAY
; Settings for the PDC and master browser
; Value with which Samba takes part in Master Browser elections
os level = 64
; Force an election at startup and take part with a greater chance of winning
preferred master = yes
; Let Samba take part in elections for the Local Master Browser
local master = yes
; Tell Samba to act as the PDC
domain master = yes
; Managing users and security
; Authenticate users locally; necessary on a Samba PDC
security = user
; Encrypt username and password during authentication: required on a PDC and
; needed to interact correctly with Windows NT and later clients
encrypt passwords = yes
; Allow Windows clients to log on to the domain, authenticating against the Samba server
domain logons = yes
; Allow access only from localhost and from the 192.168.0.0/24 network
hosts allow = 127.0.0.1 192.168.0.0/255.255.255.0
; (Samba 3 only) automatically add a system account for each new machine that joins the domain
add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
; Logging
; Location of the log files; %m creates a separate log named after each client machine
log file = /var/log/samba/log.%m
; Logging level 2 shows all files read and written
log level = 2
; Maximum size of each log file: 50 KB
max log size = 50
; User profiles, home directories and netlogon (these [global] settings ALWAYS go
; together with the [homes], [profiles] and [netlogon] share definitions given below)
; Location of the .profile file for Win9x/ME clients: \\servername\username
logon home = \\%L\%U\.profile
; Location of the profiles directory for WinNT/2K/XP clients: \\servername\profiles\username
logon path = \\%L\profiles\%U
; Network drive mapped as H: when logging on from Windows clients
logon drive = H:
; Script run on the client at each login; it is looked up in the directory defined by the [netlogon] share
logon script = netlogon.bat
; Special share that defines the location of the home directories
[homes]
; Share description
comment = Home Directory for each user
; It is right not to make each user's home publicly visible
browseable = no
; Each user must be able to write in his own home
writeable = yes
; Special share where the profiles of roaming users are written. At every login and
; logout its content is synchronized with the local Documents folder
; (C:/Documents/username.domain)
[profiles]
; Local directory on the Samba server where the profiles are saved. Subdirectories
; named after the users are created here automatically
path = /home/profiles
; Profiles are synchronized with the client at login and logout and must be writable
writeable = yes
; As for the homes, profiles should not be visible to other users
browseable = no
; Mask for created files: full permissions to the owner, none to other users
create mask = 0600
; Mask for created directories: the owner must also have execute (browse) permission
directory mask = 0700
; Special share containing the scripts run on Windows clients at domain logon. They
; run on Windows and can be used for various centralized administration tasks (local
; data backup, antivirus installation or update, mapping of network shares, etc.)
[netlogon]
; Directory on the server that contains the script defined by 'logon script', in a
; subdirectory with the same name as the user's login
path = /home/netlogon
; These scripts must be read-only...
read only = yes
; ...except for users in the (@)admin group
write list = @admin
; This is a service share that is useless to show to other users
browseable = no
3 – Creating additional directories
It is important to create the netlogon and profile directories defined in smb.conf, with the correct names and permissions.
Based on the example configuration above, you should do the following on the Samba server (as root):
[root@sambaserver root]# groupadd admin
Creates the admin group, made up of the users who may edit the logon scripts. Consider that these scripts are particularly sensitive in security terms, since they run on the Windows clients.
[root@sambaserver root]# mkdir -m 0775 /home/netlogon
Creates the directory /home/netlogon, readable and executable by all users and writable only by the owner and the owner group.
[root@sambaserver root]# chown root.admin /home/netlogon
Sets root as the directory's owner and admin as its group (with write permission).
[root@sambaserver root]# mkdir /home/profiles
Creates the directory for the profiles (the same one defined in smb.conf).
[root@sambaserver root]# chmod 1757 /home/profiles
Sets the sticky bit and makes the directory writable, so that the subdirectories created in it can be managed only by their respective users, without the possibility of modifying the others'.
4 – Add login and password
Managing users in a domain with Samba is not an immediate process, and some fundamental aspects must be considered:
- Samba uses the password file /etc/samba/smbpasswd (by default) both as a domain controller and as a normal server with authentication. This file contains one line (with login, encrypted password and other data) for each user.
- For every user in the smbpasswd file there MUST be a corresponding normal Unix user in /etc/passwd. This is because Samba acts on the local system as a normal Unix process: even if it runs as root, it accesses the filesystem with the permissions of the configured users.
- When Samba acts as a PDC, besides creating a login (both in /etc/samba/smbpasswd and in /etc/passwd) for each user, you must create a special login for each machine in the domain. This login, called a trust account or computer account, has the NetBIOS name of the computer followed by the dollar sign ($). At the trust account's first login a sort of password is created, which is used to authenticate communications between the PDC and the client and to make sure that no other machine can join the domain with the same NetBIOS name.
- Management of the logins (for both users and computers, in both smbpasswd and passwd) can be done manually, with the commands below, or automatically through the add user script directive.
- Windows 9x/Me, although they can log on to a domain, are not designed to be clients of a full-fledged domain, because they do not respect its security and trust logic.
To add a computer account to the domain manually, follow these steps:
[root@sambaserver root]# groupadd machines
Creates a group for all computer accounts.
[root@sambaserver root]# useradd -g machines -d /dev/null -s /bin/false nameNetBios$
Adds a login to the system, member of the machines group, without a home directory and without a shell, with the same name as the machine's NetBIOS name followed by a $. Note that this account is used by Samba to act on the system, but it is good that it cannot be used for a normal login.
[root@sambaserver root]# passwd -l nameNetBios$
Locks the password, so that the account cannot be used for login and can be changed only by root.
[root@sambaserver root]# smbpasswd -a -m nameNetBios
Creates the new computer account in /etc/samba/smbpasswd and sets its password. The -a option creates the account if it does not exist; the -m option indicates that it is a machine account: in this case the NetBIOS name must NOT be followed by $, since the character is added automatically. There is no need to remember the password entered, since it is handled directly between the PDC and the client.
If you want to avoid adding a new account by hand for each machine in the domain, you can add the following line to smb.conf, as indicated above (valid only for Samba 3):
add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
Check the path and syntax of the useradd command, and make sure the machines group has already been created (groupadd machines).
To manually add the login of a domain user (not a machine):
[root@sambaserver root]# useradd foo
Adds the user to the system's /etc/passwd.
[root@sambaserver root]# passwd foo
Sets the password. If the user must not have access to the Unix system, set a non-existent shell in /etc/passwd.
[root@sambaserver root]# smbpasswd -a foo
Adds the user foo to /etc/samba/smbpasswd and sets the password.
NOTE: When you configure a Windows NT/2k/XP machine to make it part of the domain, you are prompted for an administrator password. In this situation you must use the root login and password, so the root user must also be added to smbpasswd:
[root@sambaserver root]# smbpasswd -a root
Note that if you happen to change the root password with passwd, the smbpasswd file is not updated: the password requested when joining is the second one, the one in /etc/samba/smbpasswd.
For this and other reasons, once a user has been created it is a good idea to make sure that the password on the Unix system is aligned with the one used on the Samba network. To make a password changed via Samba also reflect on /etc/passwd, you need to add lines similar to these to smb.conf:
unix password sync = yes
Enables password synchronization between Samba and the local Unix system.
passwd program = /usr/bin/passwd %u
Command line used to change the Unix password; %u is the user's login.
passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
The dialogue used to match the output of passwd. Make sure your system uses the same words.
Unfortunately this does not work in reverse: if you change a password with the Unix passwd, you must also change it by hand with smbpasswd to keep the Samba password synchronized with the Unix one.
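The account rules of this section (every smbpasswd entry needs a matching /etc/passwd user; trust accounts end in "$" and must not allow a normal login) can be audited on a PDC with the following script. It is an added example, not part of the original article; the two sample files it checks are constructed in the script itself, and /sbin/nologin is accepted as a non-login shell alongside the /bin/false the article uses.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the account rules stated
# in section 4. Every entry in smbpasswd must have a matching Unix account in
# /etc/passwd with the same uid, and machine (trust) accounts, whose names end
# in "$", must not be usable for a normal login (no shell, no home), exactly as
# the useradd/smbpasswd commands above create them.
# The two sample files are constructed here so the script runs offline; point
# audit_accounts at copies of the real files to audit a PDC.

SMB_SAMPLE=$(mktemp)
PW_SAMPLE=$(mktemp)
trap 'rm -f "$SMB_SAMPLE" "$PW_SAMPLE"' EXIT

# Constructed /etc/passwd: pc02$ was added by hand without -d /dev/null -s /bin/false
cat > "$PW_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
foo:x:501:501:Foo User:/home/foo:/bin/bash
bar:x:502:502:Bar User:/home/bar:/bin/bash
pc01$:x:601:600::/dev/null:/bin/false
pc02$:x:602:600::/home/pc02$:/bin/bash
EOF

# Constructed /etc/samba/smbpasswd (hashes replaced by X). Field 5 holds the
# account flags: [U ...] for a user, [W ...] for a workstation trust account.
# "ghost" has no Unix account at all.
H=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
cat > "$SMB_SAMPLE" <<EOF
root:0:$H:$H:[U          ]:LCT-00000000:
foo:501:$H:$H:[U          ]:LCT-00000000:
pc01\$:601:$H:$H:[W          ]:LCT-00000000:
pc02\$:602:$H:$H:[W          ]:LCT-00000000:
ghost:503:$H:$H:[U          ]:LCT-00000000:
EOF

# audit_accounts SMBPASSWD_FILE PASSWD_FILE
# Prints one line per problem found and a final "problems=N" line.
audit_accounts() {
    awk -F: -v pwfile="$2" '
    BEGIN {
        # Load the Unix accounts: name -> uid, home, shell
        while ((getline line < pwfile) > 0) {
            n = split(line, f, ":")
            if (n < 7) continue
            uid[f[1]] = f[3]; home[f[1]] = f[6]; shell[f[1]] = f[7]
        }
        close(pwfile)
        bad = 0
    }
    /^#/ || NF < 5 { next }
    {
        name = $1
        if (!(name in uid)) {
            print "MISSING: " name " is in smbpasswd but has no /etc/passwd entry"; bad++; next
        }
        if ($2 != uid[name]) {
            print "UID: " name " is " $2 " in smbpasswd but " uid[name] " in passwd"; bad++
        }
        if (name ~ /\$$/) {
            # Trust account: Samba uses it internally, nobody should log in with it
            if (shell[name] != "/bin/false" && shell[name] != "/sbin/nologin") {
                print "SHELL: machine account " name " has login shell " shell[name]; bad++
            }
            if (home[name] != "/dev/null") {
                print "HOME: machine account " name " has home directory " home[name]; bad++
            }
        } else if ($5 ~ /W/) {
            print "FLAG: " name " is flagged as a workstation but does not end in $"; bad++
        }
    }
    END { print "problems=" bad }' "$1"
}

audit_accounts "$SMB_SAMPLE" "$PW_SAMPLE"
```

On the constructed files the script reports pc02$ twice (login shell and home directory) and ghost once, then problems=3; bar, present only in /etc/passwd, is not a violation.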
5 – Configuring Clients
Configuring a Windows system to join a domain varies depending on the version:
Windows 95/98/ME
- Make sure the "Client for Microsoft Networks" is installed, from the network properties.
- Make sure the Client for Microsoft Networks is selected as the primary network logon (Control Panel -> Network -> Primary Network Logon).
- Go to Control Panel -> Network -> Client for Microsoft Networks -> Properties -> Logon to NT Domain.
- If you have configured the "add user script" option in smb.conf, select the Create a Computer Account check box; otherwise create a user for the Windows machine on the Samba server by hand.
- Enter the domain name and click OK.
Windows NT:
- Go to Control Panel -> Network -> Network Identification -> Properties.
- Select Domain and enter the name of your domain.
- Select Create a Computer Account.
- When prompted for an administrator password, enter the root login and password, remembering that the root user must have been added to smbpasswd.
- You should get a message welcoming you to the domain.
Windows 2000:
The procedure is the same as for Windows NT, except that the network settings are found under Control Panel -> System -> Network Identification (or right-click the My Computer icon on the Desktop, select Properties, then the Network Identification tab, and click the Properties button).
Windows XP:
The procedure is more complicated with Windows XP (Microsoft tends to change the specifications and implementations of its protocols, complicating interoperability with the alternatives).
Note that only XP Professional Edition can join a domain; Windows XP Home Edition cannot join a domain (whether Samba or Windows based).
- Open the Local Security Policy editor (Start -> Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options).
- Disable "Domain member: Digitally encrypt or sign secure channel data (always)".
- Disable "Domain member: Disable machine account password changes" (Domain controller: Refuse machine account password changes).
- Disable "Domain member: Require strong (Windows 2000 or later) session key".
- Download from samba.org (http://de.samba.org/samba/ftp/docs/Registry/WinXP_SignOrSeal.reg) the WinXP_SignOrSeal registry patch. To apply it, double-click the .reg file and answer Yes to the questions.
- At this point you can join the domain as for Windows NT/2000: right-click My Computer, select Properties, Computer Name and click the Change button, or run the Network Identification Wizard.
Linux / Unix
Linux systems too, of course, can join a domain with a Samba PDC, and if they act as file servers, Samba can be configured to authenticate via the domain.
In smb.conf there must be the following lines:
[global]
workgroup =
netbios name =
security = DOMAIN
encrypt passwords = Yes
password server =
preferred master = False
domain master = False
Obviously, on the Samba PDC a computer account must be created for our local Samba server (with the name specified in netbios name) and, in this case, the local machine must first join the domain, a procedure comparable to the ones seen above for Windows clients. On the local Linux/Unix machine it is enough to run:
smbpasswd -j <workgroup> -r <password server> -U root
(replacing <workgroup> and <password server> with the values set in smb.conf above)
You have to provide the root password of the Samba PDC (remember that this password is stored in smbpasswd and not in passwd/shadow, in case they differ).
Levels of interoperability between Windows networks and Samba
The possibilities for interoperability between Windows and Samba clients and servers in a local network for file sharing are varied and can be grouped into two baseline scenarios:
- Windows server with mixed clients (Windows, Linux/Unix, MacOS).
- Linux/Unix Samba server with mixed clients.
It is possible to configure Samba to:
- Act as a Primary Domain Controller (PDC of an NT domain, but not an Active Directory Domain Controller) in a mixed network, including managing the profiles and logons of the Windows machines in the domain. This option allows a Linux machine with Samba to perform the same functions as an NT domain PDC.
- Operate as a normal file server for mixed clients. The authentication methods can differ depending on the approach used and may require various steps on the server and on the clients.
- Work as a Domain Member, providing file server functions accessible on the basis of the domain login and password. Samba can be a member either of an NT domain (Samba 2 or higher) or of an Active Directory (Samba 3 and above).
- Work as a WINS server (or be configured to use a different WINS server). In this case the configuration is simple, fast and effective and does not present any particular compatibility or interoperability problems.
- Work as a Master Browser in a mixed network.
Samba does NOT, however, allow a machine to be managed as a Backup Domain Controller of a Windows PDC; it cannot be a Backup Browser and cannot be a Secondary WINS Server.
On the client side, instead, there are no particular problems in using Samba to connect to Windows or Linux servers: the remote network share is usually mounted on the local filesystem and can be accessed normally with the permissions granted.
Integrating Linux in a domain with Winbind WinNT/2000
In this article I want to address a somewhat particular problem that I nevertheless find very interesting: the integration of a Linux machine (equipped with Samba, of course) into an NT domain or a Windows 2000 Active Directory by means of Winbind.
By integration I mean not only the possibility for the Linux machine to become part of the actual domain or Active Directory, but also and above all that the authentication of Linux users (note: Linux users, not Samba users) is obtained from the Windows Primary Domain Controller.
I believe this possibility is very interesting in those situations where you want to introduce Linux into a network already built on the Windows platform, without having to redefine all the users in the new environment.
The context I am referring to is a school network, which is what I see in the schools where I work professionally, but the proposed solution can be effectively implemented in other environments as well.
I can imagine the objections of the "purists" about the opportunity to "live with the enemy" instead of replacing proprietary products with free software, preferred for ethical, philosophical, educational and economic reasons, as has often been discussed in the pages of this magazine; the fact is that many times this is not possible, or at least not "immediately". In some cases a period of "coexistence" is needed, in which to gradually introduce Linux and free software while allowing a "culture" to form and spread that is sufficient to operate and manage these tools profitably.
The procedure presented here has been used on Red Hat 7.3, but it is also applicable to other distributions.
From version 8.0, Red Hat allows you to configure login to an NT domain directly through the authconfig command, making these tasks much easier.
SET UP THE TOOLS NEEDED
Winbind is a new piece of software that became part of the Samba suite from version 2.2.2 and is contained in the samba-common rpm package. It includes two libraries, for the Name Service Switch (nsswitch) and for Pluggable Authentication Modules (PAM), a utility, wbinfo, and a daemon, winbindd, which allow users to access the Linux machine (and the services it provides through PAM) using account information already present on a Windows Domain Controller.
More specifically, winbindd provides information on NT users and groups to the nsswitch service, which is now present in all modern C libraries and allows user, group and host data to be drawn from several different kinds of sources (NIS, DNS, and now also Winbind); the authentication service is instead ensured by the presence of a suitable PAM module.
Let us see the steps needed to achieve the desired result (the tests were done on a Linux machine with Red Hat 7.3 and Samba 2.2.3, part of a network managed by an NT 4.0 PDC named ANDREA):
1) Changes in smb.conf
In the Samba configuration file /etc/samba/smb.conf, add the following directives in the [global] section:
; NT domain name
workgroup = PALLADIUM
; Managing encrypted passwords
encrypt passwords = yes
; Settings on the server PDC
security = domain
password server = *
; Settings for the demon winbindd
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%D/%U
Some comments on the options that configure the winbindd daemon:
winbind separator is the character that joins the NT domain name and the user name to form the Linux user name; it is recommended to choose something other than the default "\", which can cause problems because it has a special meaning in the shell; "+" is probably the best choice.
winbind uid and winbind gid set the ranges of user and group IDs that winbind uses to "remap" Windows users and groups onto Linux users and groups.
winbind enum users and winbind enum groups enable the enumeration of users and groups.
template homedir and template shell define the user's home directory and shell respectively; note the use of the Samba variables %D = NT domain name and %U = NT user name (in this case the user PALLADIUM+foo will have the home directory /home/PALLADIUM/foo).
2) Changes in nsswitch.conf
The file /etc/nsswitch.conf contains the configuration of the nsswitch service; winbind must be added among the data sources for users and groups.
So its lines, which usually look like this:
passwd: files
group: files
must become:
passwd: files winbind
group: files winbind
The order in which the sources are listed is significant, and in this case priority in obtaining information is appropriately left to the system files (passwd and group).
3) Changes to the PAM configuration files
This is the most delicate and "dangerous" operation: a mistake in the configuration files in /etc/pam.d/ can make it impossible to log in, or allow anyone in without a password, or cause other similar problems. It is therefore advisable to keep a copy of the files you are about to change, and also to keep a "root" session open in reserve, so you can retrace your steps if the tests do not give positive results.
A discussion of PAM, which is a very versatile and powerful tool, would also be needed, but it is not possible here.
So let us see only the changes I made in my tests:
in /etc/pam.d/system-auth I added the line
auth sufficient /usr/lib/security/pam_winbind.so
after the first auth line already present, and I changed the line
auth sufficient /lib/security/pam_unix.so nullok likeauth
into
auth sufficient /lib/security/pam_unix.so nullok likeauth use_first_pass
in /etc/pam.d/login I added the following two lines, respectively as the first account line and as the last session line:
account sufficient /lib/security/pam_winbind.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
The last one in particular is very interesting, since it makes the user's home directory be created automatically when the user connects to Linux for the first time; with the settings described above, when the user PALLADIUM+foo connects, the home directory /home/PALLADIUM/foo is created (this, of course, only if the directory /home/PALLADIUM already exists).
A final observation about the change to the system-auth file: since its configuration is used by many other PAM configuration files (not only login) through the pam_stack module, it may be a good idea to leave it unchanged, copy it and modify the copy, naming it for instance system-auth-winbind. Obviously, the references to the system-auth file contained in the login file must then be changed accordingly.
4) Activate and test
First you must add the Linux machine to the NT domain, acting on the NT server with Server Manager and running the following command on Linux:
smbpasswd -j PALLADIUM -r ANDREA -U Administrator
If all goes well, after entering the password (the one Administrator has on NT) you get the message:
Joined domain PALLADIUM
At this point you can start the smb and winbind services and test that the latter works properly with the commands
wbinfo -u
wbinfo -g
which return the list of domain users and groups respectively.
It is also possible to get a list of all users and groups, both the domain ones and the "native" Linux ones, with the commands:
getent passwd
getent group
Finally you can proceed to the most important test, the authentication on the Linux machine of a user existing in the NT domain: at login, the user name is written according to the established syntax (in our case "PALLADIUM+foo") followed by that user's password in the NT domain.
In my case, at login a rather mysterious error message appears: "[: too many arguments"; I was not able to determine its origin even after searching the Internet, but it does not affect in any way the success of the operations carried out by the user.
It is also possible to authenticate to other services, provided they have PAM support; for example, on the test machine graphical login with gdm was active, and to make the mechanism work in this mode too it was necessary to add to the /etc/pam.d/gdm file the line:
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
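Two of the subtle points in steps 1 and 3 (how template homedir expands %D and %U for a winbind user, that pam_mkhomedir can only create the last path component, and that pam_unix.so must carry use_first_pass after a sufficient pam_winbind.so) can be checked with the script below. It is an added example, not part of the original article; the system-auth contents, the temporary directory tree and the PALLADIUM+foo user are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: checks for the winbind setup
# of steps 1 and 3. expand_homedir applies the %D/%U substitutions of
# 'template homedir' to a winbind user name; mkhomedir_parent_ok verifies the
# caveat that pam_mkhomedir creates only the last path component, so the
# per-domain directory (/home/PALLADIUM) must already exist; check_pam_auth
# inspects a system-auth file for the ordering the article relies on:
# pam_winbind.so 'sufficient', followed by pam_unix.so with use_first_pass.
# All file contents and paths below are constructed.

# subst STRING PATTERN REPLACEMENT: replace every literal occurrence (no regex)
subst() {
    s=$1 p=$2 r=$3 res=
    while :; do
        case $s in
            *"$p"*) res=$res${s%%"$p"*}$r; s=${s#*"$p"} ;;
            *) break ;;
        esac
    done
    printf '%s' "$res$s"
}

# expand_homedir NAME SEPARATOR TEMPLATE, e.g. PALLADIUM+foo + /home/%D/%U
expand_homedir() {
    case $1 in
        *"$2"*) dom=${1%%"$2"*}; usr=${1#*"$2"} ;;
        *) dom=; usr=$1 ;;             # plain local user: no domain part
    esac
    t=$(subst "$3" '%D' "$dom")
    printf '%s\n' "$(subst "$t" '%U' "$usr")"
}

# mkhomedir_parent_ok HOMEDIR: succeeds if pam_mkhomedir could create HOMEDIR
mkhomedir_parent_ok() {
    [ -d "$(dirname "$1")" ]
}

# check_pam_auth FILE: prints problems found in the auth stack and "problems=N"
check_pam_auth() {
    awk '
    $1 != "auth" { next }
    $3 ~ /pam_winbind\.so$/ {
        seen = 1
        if ($2 != "sufficient") { print "pam_winbind.so is " $2 ", expected sufficient"; bad++ }
    }
    $3 ~ /pam_unix\.so$/ && seen {
        ok = 0
        for (i = 4; i <= NF; i++) if ($i == "use_first_pass") ok = 1
        if (!ok) { print "pam_unix.so after pam_winbind.so lacks use_first_pass"; bad++ }
    }
    END {
        if (!seen) { print "no auth line for pam_winbind.so"; bad++ }
        print "problems=" bad + 0
    }' "$1"
}

# Constructed sample files: system-auth as edited in step 3, and the same stack
# with pam_unix.so left as it was before the edit
PAM_GOOD=$(mktemp); PAM_BAD=$(mktemp); ROOT=$(mktemp -d)
trap 'rm -rf "$PAM_GOOD" "$PAM_BAD" "$ROOT"' EXIT
cat > "$PAM_GOOD" <<'EOF'
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so nullok likeauth use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
EOF
sed 's/ use_first_pass$//' "$PAM_GOOD" > "$PAM_BAD"
mkdir "$ROOT/PALLADIUM"           # the per-domain directory that must pre-exist

expand_homedir PALLADIUM+foo + "$ROOT/%D/%U"
check_pam_auth "$PAM_GOOD"
check_pam_auth "$PAM_BAD"
```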
CONCLUSIONS
Through the use of Winbind, in combination with the other Samba tools, administrators have the ability to bring together different platforms using the database of users and groups defined in an existing Windows environment.
This is a further confirmation of the soundness of the choice of GNU/Linux and Free Software in general, in terms of "openness" and of the possibility of integration between different environments. It also confirms the dedication of the developers of these programs to such topics, and the great advantage that free software has in this area over proprietary software, which very often is characterized by closed, if not "armoured", solutions.
Example smb.conf for a Linux domain member server
[global]
workgroup = LAB42
server string = Samba Server - Si Autentica su PDC esterno
security = domain
password server = 10.42.42.173
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
dns proxy = No
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
add user script = /usr/sbin/adduser -d /dev/null -s /bin/false %u
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[Documenti]
comment = Documenti Vari
path = /tmp
read only = No