Posts Tagged ‘Linux’

Installing Mandriva from hard disk

October 11th, 2011 No comments

Yesterday I had to install Mandriva on my PC. My preferred medium is the DVD: the free version (a 4.3 GB ISO) gives you a complete image with a large amount of software, a cleaner installation, and the choice of either desktop environment and of which programs to install (also grouped by category).

The problem is that installing from DVD requires both the DVD itself and a DVD drive in the PC. The second was no problem, but I was missing the first, and I did not want to go out and buy one.


Searching Google I found that Mandriva can be installed by simply downloading the DVD ISO to the hard disk. A CD or USB stick is still needed to boot the PC and start the installer. The boot images can be found on any Mandriva mirror under the path “official/2010.0/x86_64/install/images/“, adapted of course to the version and architecture in use.

That directory contains several files; two of them are the useful ones. all.img can be copied to the USB stick with the command

    dd if=all.img of=/dev/sdb

(sdb being the USB stick). boot.iso is an ISO image to burn to a CD.

When the PC boots from one of the images above, a menu asks which installation method you want to use. You can choose a network installation or the hard disk; if you choose the hard disk you will be asked where the ISO image is. After these steps the installation proceeds in the traditional way, and very quickly.

For the record, this time I wanted to change desktop and chose GNOME; KDE can still be installed later by choosing the package “task-kde4” in the package manager, or “task-kde4-minimal” for a minimal installation.

Try the free version of this powerful operating system.

October 11th, 2011 No comments

Linux Mandriva

Support from free software developers and the struggle for survival are themes familiar to the creators of Mandriva. This distribution has now been at the forefront for more than 10 years. Initially based on Red Hat, its first versions (when it was still called Mandrake) included KDE 1.0 and the programs most interesting for users and for companies.

What is certain is that Mandriva has always tried to serve both markets, and it succeeded thanks to being among the first distributions to integrate configuration wizards, which it has of course continued to improve over time. In addition to the standard applications inherited from Mandrake, such as KDE 4, various firewalls and backup tools, it offers its users a wide range of programs such as KOffice, Mandriva Smart Desktop, OpenOffice, Firefox, Moovida, …

Mandriva Linux 2010.0

Mandriva is the fruit of the merger of Mandrake, Conectiva and Lycoris. Much time has passed since Mandrake was just a version of Red Hat with KDE; now Mandriva is certainly one of the giants of free software, both as a commercial power and as a product offered to users. It ships very up to date and graphically polished, and it has always stood out for its orientation to the desktop market: thanks to its configuration tool, it gives users step-by-step help to set up the PC and get the most out of the OS.

What’s new in Mandriva Linux 2010.0 includes the latest versions of KDE and GNOME, reduced boot times, optimized hardware recognition and the integration of Moblin for netbooks, making the distro even faster and more usable on ultraportables.

Security: in the past (when it was still only Mandrake) Mandriva was affected by the decision to cater mainly to the desktop market and, consequently, by some choices made in order to provide a system that was as simple as possible to use. Over time, however, it has managed to improve in this respect by introducing new software.

Simplicity: simplicity has always been Mandriva’s strength, and it remains the reference point for novice users, who look for a system that puts them at ease with its tools.

Software included: many current and complete packages are available for Mandriva Linux, so that its users really lack nothing: every application you need can be obtained in a simple way.

This distribution is one of the most usable thanks to the enormous amount of its own developments, which ensure both the recognition of most hardware and the configuration of programs and devices.

What is LVM and how does it work?

October 10th, 2011 No comments

The classic partitioning scheme used in most home installations is based on the MBR (Master Boot Record) and the MS-DOS partition table.

With this scheme you can have at most 4 primary partitions, or up to 3 primary partitions plus an extended partition containing any number of logical partitions.

The main limitation of this architecture is the rigidity of its organization of resources. Partitions are fixed: they cannot be spread across multiple disks, they cannot be changed without deleting them, and the space for a file system is fixed, unable to grow or shrink without removing everything and redoing the partitions.

Imagine a multi-user installation: if the disk fills up completely, the only solutions are to buy a new drive and transfer the data to it, restoring the permissions as they were originally at a high cost in time, or to move the data elsewhere, which is obviously not easy in a multi-user setup.

LVM (Logical Volume Manager) revolutionizes the concept of space organization by providing dynamic allocation of space.

Structure of LVM

The figure above shows the general operation of LVM in the presence of several disks.

Each physical disk contains a number of partitions, and each of them can be used normally to mount a file system (as in the case of sda1 mounted on /boot without joining LVM) or can be handed over to LVM.

Each partition placed in LVM is called a physical volume (PV = Physical Volume).

Some or all physical volumes can be assigned to a volume group (VG = Volume Group). This allows multiple disks/partitions to be used together as a single data structure. Dedicated hardware greatly improves operation, allowing all the connected disks to be used synchronously.

The sum of all partitions dedicated to the volume group defines the size of the group, so once you run out of space you just buy a new disk, add it to the group, and its capacity is added to the group’s space. In this way scalability is ensured on a massive scale.

All the space in a volume group can be divided into one or more logical volumes (LV = Logical Volume), which the system uses to create file systems, simply by formatting them as you wish, like ordinary partitions.

Advantages of using LVM

The advantages of LVM over traditional partitioning are numerous:

  • Total capacity expandable without moving data
  • Dynamic allocation of space without reformatting, including adding, removing and replacing disks
  • Names associated with a group of devices, regardless of which partition provides the space for a volume group
  • Striping of data across multiple disks
  • Mirroring of volumes
  • Snapshots of a logical volume, giving a copy of the data as it was at the time of the snapshot
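To make the PV/VG/LV relationship concrete, here is a small model of it in Python. This is an added example, not code from the original post or from the LVM project: it allocates space in extents (the fixed-size units real LVM uses, 4 MB by default) and shows two of the points above, a logical volume spanning several disks and a volume group extended with a new disk so that a volume can grow without moving data. The device names and sizes are constructed.

```python
# Added example: a model of LVM objects in extents. Device names and sizes
# are constructed; real LVM does this with pvcreate/vgcreate/lvcreate/lvextend.
from dataclasses import dataclass, field

EXTENT_MB = 4  # LVM's default physical extent size


@dataclass
class PhysicalVolume:
    name: str          # partition handed to LVM, e.g. "/dev/sdb1" (constructed)
    extents: int       # total extents on this partition
    used: int = 0      # extents already handed out to logical volumes

    @property
    def free(self) -> int:
        return self.extents - self.used


@dataclass
class LogicalVolume:
    name: str
    # (pv_name, first_extent, count): an LV may consist of segments on several PVs
    segments: list = field(default_factory=list)

    @property
    def size_mb(self) -> int:
        return sum(count for _, _, count in self.segments) * EXTENT_MB

    def pvs(self) -> list:
        """Distinct PVs this LV touches, in segment order."""
        return list(dict.fromkeys(pv for pv, _, _ in self.segments))


class VolumeGroup:
    def __init__(self, name: str):
        self.name = name
        self.pvs = []
        self.lvs = {}

    def vgextend(self, pv: PhysicalVolume) -> None:
        """Add a PV: its capacity immediately joins the group's free pool."""
        self.pvs.append(pv)

    @property
    def free_extents(self) -> int:
        return sum(pv.free for pv in self.pvs)

    def _allocate(self, lv: LogicalVolume, extents: int) -> None:
        if extents > self.free_extents:
            raise ValueError(f"{self.name}: only {self.free_extents} free extents")
        needed = extents
        for pv in self.pvs:            # linear allocation, PV by PV
            if needed == 0:
                break
            take = min(pv.free, needed)
            if take:
                lv.segments.append((pv.name, pv.used, take))
                pv.used += take
                needed -= take

    def lvcreate(self, name: str, size_mb: int) -> LogicalVolume:
        lv = LogicalVolume(name)
        self._allocate(lv, -(-size_mb // EXTENT_MB))   # round up to whole extents
        self.lvs[name] = lv
        return lv

    def lvextend(self, name: str, extra_mb: int) -> LogicalVolume:
        """Grow an LV in place: existing segments, and the data on them, stay put."""
        lv = self.lvs[name]
        self._allocate(lv, -(-extra_mb // EXTENT_MB))
        return lv


def demo() -> dict:
    vg = VolumeGroup("vg_data")
    vg.vgextend(PhysicalVolume("/dev/sda2", extents=100))   # 400 MB
    vg.vgextend(PhysicalVolume("/dev/sdb1", extents=50))    # 200 MB
    home = vg.lvcreate("lv_home", 360)    # 90 extents, all on sda2
    var = vg.lvcreate("lv_var", 100)      # 25 extents: 10 on sda2 + 15 on sdb1
    free_before = vg.free_extents         # 35 extents left on sdb1
    vg.vgextend(PhysicalVolume("/dev/sdc1", extents=200))   # "buy a new disk"
    vg.lvextend("lv_var", 300)            # 75 more extents, first segment untouched
    return {
        "free_before": free_before,
        "free_after": vg.free_extents,
        "home_mb": home.size_mb,
        "var_mb": var.size_mb,
        "var_pvs": var.pvs(),
        "var_first_segment": var.segments[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

After the extension lv_var is 400 MB spread over three disks, while its first segment still sits at extents 90-99 of /dev/sda2: that is the "expandable without moving data" property. On a real system the file system inside the LV still has to be grown separately (resize2fs and similar), which the model does not cover.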

20 ways to ruin Linux

October 9th, 2011 1 comment

There are many ways to ruin an operating system.

Linux has a reputation for robustness, but there are still many ways to damage a fully functional system.

We want to illustrate some of the ways you can wreak havoc on Linux, so that you can avoid making the same mistakes.

Fill a file system

If the filesystem containing /var fills up, processes can no longer write their log messages, and all kinds of system processes can stall as a result.

Reinstall Windows

No, this is not the usual anti-Microsoft talk from a Linux user: the Windows installer does not recognize other operating systems or their bootloaders, so reinstalling Windows overwrites the bootloader. There is no need to reinstall Linux, though: the installation CD usually has an option to repair the bootloader, or you can run grub-install from a live CD.

Out of memory

4 GB of memory may seem like a lot, until you do something silly like running gimp *.jpg in a directory full of 12-megapixel photos. Swap space will help, but so slowly that you will believe the system has frozen.

Follow the instructions on the web

Web forums are full of useful hints, tips and commands, but some of them can do serious damage. The difficulty lies in telling them apart: dangerous advice may have been given with the best intentions, or good advice may be mistyped. Pay particular attention to anything that uses “su” or “sudo“.

Install multiple Linux systems

This is a bit like the situation when you reinstall Windows. While distro installers are good at recognizing Windows and creating a dual boot, some still do not notice other Linux distributions on the disk, so existing distros can disappear from the bootloader even though they are still there.

Rarely update

Leaving a system untouched for many months and then installing more than 300 upgrades in one go does not necessarily corrupt the system, but if something does break you will be very lucky to find out which package was the culprit. Little and often is the surest way to keep a system updated.

Upgrade to the blind

Not checking the list of packages that a system upgrade will install means having no idea what went wrong if something does. Alternatively, use the package manager to produce a list of installed software, so you can see what has changed when things go wrong, or check the package manager’s log file.

Run Software too new

Yes, everyone likes to try new things, but be aware of the risks. New software has had less testing. So do not upgrade to the latest alpha version when you really need the computer to keep working.

Delete the /home

This does not corrupt Linux, but you lose all personal settings and files stored there. That’s why it’s a good idea to keep /home on a separate partition, so you can install and upgrade without messing up settings and data.

Losing a password

Losing your user password means you cannot do anything, unless automatic login is set. Losing the root password means you can still use the computer, but you cannot install or update software or make other changes to the system. Losing the password of an encrypted file system means you may have to go back to pen and paper.

Install a new kernel

This seems strange at first: a new kernel should be better and safer. But some devices depend on modules that are not supplied with the kernel, in particular graphics cards and wireless networking. Some distributions reinstall them automatically; otherwise you must use a wired network, or reboot with the old kernel and reinstall the drivers for whatever is not working.

Try using pulseaudio

If you have ever been bitten by the complexity of Linux sound systems, you’ll know exactly what this means. Otherwise, don’t worry: your audio will keep working until it stops mysteriously. Do not add further layers to something that already has as many as an onion.

Install the packages from another distro

Sometimes your distro does not have the package you want, but another one does. Do not be tempted to install a “foreign” package: this is the start of the road to madness. It can be done, for instance using Debian packages on Ubuntu, but sooner or later it will hurt.

Run a fork bomb

A fork bomb is a tiny shell script that creates processes as fast as it can, until the computer freezes and the only solution is to power it off. Some distributions are configured to limit its effects by capping the number of processes a single user may run, even root. If you want to try it, here is the code

#! /bin/sh
: () {: |: &};:
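The defence the paragraph mentions is the per-user process cap that pam_limits reads from /etc/security/limits.conf. The Python below is an added example, not code from the original post: it works out which "nproc" hard limit applies to a given user from a limits file, following the precedence rules of limits.conf(5), including the detail that "*" and @group lines are never applied to root, so root is only capped by a line that names root explicitly. The configuration lines and group memberships are constructed samples.

```python
# Added example: evaluate the "nproc" limit pam_limits would enforce for a
# user, from constructed limits.conf content and constructed group membership.
LIMITS_CONF = """\
# <domain>   <type>  <item>  <value>
*            hard    nproc   4096
@staff       hard    nproc   8192
alice        hard    nproc   1000
root         hard    nproc   65536
"""

# Who belongs to which groups (constructed; on a real host use the grp module).
GROUPS = {"alice": {"staff"}, "bob": {"staff"}, "carol": set(), "root": set()}


def parse_limits(text):
    """Return (domain, type, item, value) tuples, ignoring comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domain, ltype, item, value = line.split()
            rules.append((domain, ltype, item, value))
    return rules


def effective_limit(rules, user, groups, item="nproc", ltype="hard"):
    """Value that applies to `user`, or None if no rule covers them.

    Precedence: a rule naming the user beats an @group rule, which beats the
    '*' default; among rules of equal rank the last one in the file wins.
    Per limits.conf(5), @group and '*' rules are not applied to root.
    """
    best_rank, best_value = -1, None
    for domain, t, it, value in rules:
        if it != item or t not in (ltype, "-"):   # "-" means hard and soft
            continue
        if domain == user:
            rank = 2
        elif domain.startswith("@") and domain[1:] in groups and user != "root":
            rank = 1
        elif domain == "*" and user != "root":
            rank = 0
        else:
            continue
        if rank >= best_rank:
            best_rank, best_value = rank, value
    if best_value is None or best_value == "unlimited":
        return best_value
    return int(best_value)


def uncapped_users(rules, groups_by_user):
    """Users for whom no nproc hard limit applies at all."""
    return sorted(user for user, groups in groups_by_user.items()
                  if effective_limit(rules, user, groups) is None)


if __name__ == "__main__":
    rules = parse_limits(LIMITS_CONF)
    for user, groups in GROUPS.items():
        print(f"{user}: nproc hard limit = {effective_limit(rules, user, groups)}")
    print("uncapped:", uncapped_users(rules, GROUPS))
```

With the sample file alice gets 1000 (her own line wins over @staff), bob 8192 (via @staff), carol 4096 (the default) and root 65536; delete the root line and uncapped_users() reports root, which is exactly the gap a fork bomb run as root would exploit.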


Reinstall

The “solution” of choice for many Windows problems is to reinstall the operating system. Doing this on Linux means losing custom settings and configuration, and every chance of discovering the cause of the problem and its solution. Reinstalling individual packages rarely helps either, since it does not touch the settings in your home directory, which is most often where the source of your problems lies.

Disable swap

You might think that with the 2-4 GB of RAM typically fitted in today’s laptops swap is an anachronism, but some processes have come to expect that part of their memory may be paged out. Even if you do not think you need it, you may inadvertently use a lot of memory, so having some swap available is always a good idea; after all, disk space is more abundant than RAM.

Installing from source

If you want the latest version of some obscure (or just new) program, installing from source is sometimes the only option. Although this usually goes well, you could end up with different versions of the same library in /usr/lib and /usr/local/lib, with effects best described as “interesting”.

Lose it

Linux is increasingly built into devices that are smaller, cheaper, more powerful and easier to lose. Although it is tempting to store all the details of your life on a netbook or even a smartphone, consider the consequences of losing (or having “assisted” in losing) such a device. The event will not break the device, but its new “owner” will have full access to it and to the data, so be careful.

Treat it like Windows

Linux and Windows, even though both are desktop operating systems with a superficial similarity, are completely different. Treating a Linux system like Windows is one of the most common causes of embarrassment and frustration for new users. If you are new to Linux, no matter how much experience you have with Windows, do not be ashamed to ask for advice.

Spill coffee on it

It is truly regrettable that a system so suited to hackers and programmers can still be rendered useless by contact with liquids. Mice and pizza do not get along, even if hard-core Linux users probably would not want to give up the mouse any more than the pizza.

Mixed Windows – Linux network

October 6th, 2011 No comments

Common cases and situations in a mixed Windows – Linux network: WINS, PDC.

Sample smb.conf for a Primary Domain Controller

Here is an example configuration of an NT4 domain PDC that also acts as Master Browser and WINS server.

[global]
        workgroup = LAB42
        server string = Samba Server PDC
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap

        # A handy directive that automatically creates the machine account in /etc/passwd when a new computer joins the domain
        add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

        # The directives that make Samba a PDC and allow logons from the hosts that are part of the domain
        domain master = Yes
        domain logons = Yes

        # Directives for the Master Browser functionality
        preferred master = Yes
        os level = 250

        # Directives for the WINS server functionality
        dns proxy = No
        wins support = Yes

        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        guest ok = Yes
        printable = Yes
        browseable = No

[Documents]
        path = /tmp
        guest ok = Yes

[Private]
        comment = Documenti Privati
        path = /var/log
        read only = No
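Before putting a configuration like the one above into service it is worth checking what each share actually exposes: the sample exports /var/log writable through [Private], offers guest access to /tmp through [Documents], and has no hosts allow line. The Python below is an added example, not code from the original post or from the Samba project: a minimal smb.conf parser (sections, ';' and '#' comments, Samba's case-insensitive parameter names and the writeable/read only synonyms) plus an audit of the settings a defender looks at first. The configuration text it analyses is the sample above, embedded as a constructed string; the list of "system paths" is the example's own assumption.

```python
# Added example: parse an smb.conf and flag risky share settings.
# SMB_CONF reproduces the sample configuration above (constructed for the demo);
# SENSITIVE_PREFIXES is this example's own list, not a Samba setting.
import re

SMB_CONF = """\
[global]
        workgroup = LAB42
        server string = Samba Server PDC
        log file = /var/log/samba/%m.log
        max log size = 50
        # machine accounts are created automatically when a computer joins
        add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
        domain master = Yes
        domain logons = Yes
        preferred master = Yes
        os level = 250
        dns proxy = No
        wins support = Yes

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        guest ok = Yes
        printable = Yes
        browseable = No

[Documents]
        path = /tmp
        guest ok = Yes

[Private]
        comment = Documenti Privati
        path = /var/log
        read only = No
"""

SENSITIVE_PREFIXES = ("/etc", "/var/log", "/usr", "/boot", "/root", "/bin", "/sbin")


def parse_smb_conf(text):
    """Return {section: {normalized_key: value}} for an smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # comment lines only at line start
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()  # section names are case-insensitive
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Samba ignores case and internal whitespace in parameter names
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def as_bool(value, default):
    if value is None:
        return default
    v = value.strip().lower()
    return True if v in ("yes", "true", "1") else False if v in ("no", "false", "0") else default


def share_is_writable(share):
    # "writeable", "writable" and "write ok" are synonyms for the inverse of "read only"
    for synonym in ("writeable", "writable", "writeok"):
        if synonym in share:
            return as_bool(share[synonym], False)
    return not as_bool(share.get("readonly"), True)   # read only defaults to yes


def share_allows_guest(share):
    return as_bool(share.get("guestok", share.get("public")), False)


def audit_smb_conf(text):
    """List (section, finding) pairs a reviewer would want to look at."""
    sections = parse_smb_conf(text)
    findings = []
    if "hostsallow" not in sections.get("global", {}):
        findings.append(("global", "no 'hosts allow': any host that can reach the server may connect"))
    for name, share in sections.items():
        if name == "global" or as_bool(share.get("printable"), name == "printers"):
            continue                                    # print shares are out of scope here
        path = share.get("path", "")                    # [homes] has no fixed path
        writable, guest = share_is_writable(share), share_allows_guest(share)
        if guest:
            findings.append((name, f"guest access to {path or '(no path)'}"
                             + (" with write permission" if writable else "")))
        if writable and (path == "/" or path.startswith(SENSITIVE_PREFIXES)):
            findings.append((name, f"writable share exports system path {path}"))
        if path.startswith("/tmp"):
            findings.append((name, "exports /tmp, a world-writable directory shared with local processes"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_smb_conf(SMB_CONF):
        print(f"[{section}] {finding}")
```

Run against the sample it reports the missing hosts allow, the guest-readable /tmp share and the writable /var/log share; moving [Private] to a dedicated directory and adding a hosts allow line clears all but the /tmp findings. It is deliberately a static check: it reads the file as Samba would parse it, without needing smbd on the machine.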


Samba as a Primary Domain Controller (PDC)

Samba can act as the PDC (Primary Domain Controller) of a network of Windows (or mixed) clients.

The features supported are:

  • Domain logon for Windows NT/2000/XP clients.
  • User-level security for Windows 9x/ME clients (these clients have no concept of domain membership, but support logging on to a domain)
  • Roaming profiles, for users who log on to multiple clients while keeping their environment.
  • Browse lists and master browser
  • NT4-style system policies
  • Ability to obtain the list of users/groups from the Samba PDC
  • Active Directory management (introduced, in part, from version 3.x)

The capabilities not yet supported:

  • Acting as a Domain Controller in an ADS (Active Directory) domain
  • Use as a BDC (Backup Domain Controller) in a Windows NT4 domain that has a Windows PDC.

To configure Samba as a PDC in a Windows domain, you must:

  1. Install Samba on Linux/Unix (via RPM or source)
  2. Configure smb.conf
  3. Create the directories for domain logons and roaming profiles
  4. Add logins and passwords for the users and machines of the domain
  5. Configure the Windows clients to join the domain.

The following instructions apply to both version 2 and version 3, except for the add machine script directive.

1 – Installing Samba

Installing Samba for use as a PDC requires no special care compared to a normal Samba installation from RPM or tar.gz.

2 – Configure smb.conf

Let’s look at an example configuration file for a Samba PDC. Several settings are common to any Samba installation; some are specific to a PDC (domain master = yes, security = user, encrypt passwords = yes); others are needed if you want clients to run a script at login (logon script, [netlogon] share) or to use roaming profiles (logon path, [profiles] share).
Consider the latter option carefully: it has the convenience of decoupling a physical machine from a single user (all users can use all the machines), but it involves, at every login and logout, synchronizing the whole “Documents and Settings” between the Windows client and the server, with a network load that is far from negligible and longer waits for the user.
After logging in the user works on the local copy, which is then synchronized back to the server at logout.

[global]
; General settings (valid for any Samba configuration)

        ; the name of the domain and/or workgroup
        workgroup = intranet
        ; the name of the Samba server
        netbios name = serverone
        ; the server description
        server string = Samba PDC - Version %v
        ; recommended default TCP settings
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 IPTOS_LOWDELAY

; Settings for the PDC and master browser

        ; the value with which Samba takes part in Master Browser elections
        os level = 64
        ; force an election at startup and take part in it with a greater chance of winning
        preferred master = yes
        ; let Samba take part in Local Master Browser elections
        local master = yes
        ; tell Samba to act as PDC
        domain master = yes

; Managing users and security

        ; authenticate users locally; required on a Samba PDC
        security = user
        ; encrypt username and password during authentication; required on a PDC and needed to
        ; interact properly with Windows NT or later clients
        encrypt passwords = yes
        ; allow Windows clients to log on to the domain, authenticating against the Samba server
        domain logons = yes
        ; allow access only from localhost and from the 192.168.0.0/24 network
        hosts allow = 127.0.0.1 192.168.0.0/255.255.255.0
        ; (Samba 3 only) automatically add the account of a new machine that joins the domain
        add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

; Logging

        ; location of the log; %m creates a separate log named after each client machine
        log file = /var/log/samba/log.%m
        ; logging level 2 shows all the files read and written
        log level = 2
        ; maximum size of the log files, in KB
        max log size = 50

; User profiles, home directories and netlogon (these [global] settings are ALWAYS paired with
; the [homes], [profiles] and [netlogon] share definitions given below)

        ; location of the .profile file (Win9x/ME clients): \\servername\username
        logon home = \\%L\%U\.profile
        ; location of the profiles directory (WinNT/2K/XP clients): \\servername\profiles\username
        logon path = \\%L\profiles\%U
        ; network drive H: mapped at login on Windows clients
        logon drive = H:
        ; script run on the client at each login, looked up in the directory defined by the [netlogon] share
        logon script = netlogon.bat

[homes]
; Special share that defines the location of the home directories
        ; share description
        comment = Home Directory for each user
        ; individual users' homes must not be publicly visible
        browseable = no
        ; each user must be able to write to his own home
        writeable = yes

[profiles]
; Special share where the profiles of roaming users are written. At every login and logout its
; content is synchronized with the documents folder on the local computer
; (C:\Documents and Settings\username.domain)
        ; local directory on the Samba server where profiles are saved; a subdirectory named
        ; after each user is created automatically
        path = /home/profiles
        ; profiles are synchronized with the client at login and logout and must be writable
        writeable = yes
        ; as for the homes, profiles should not be visible to other users
        browseable = no
        ; mask for created files: full permissions for the owner, none for other users
        create mask = 0600
        ; mask for created directories: the owner also needs execute (browse) permission
        directory mask = 0700

[netlogon]
; Special share containing the scripts run on Windows clients when they log on to the domain.
; They run on Windows and can be used for various centralized administration tasks (local data
; backup, antivirus installation or update, mapping of network shares, etc.)
        ; directory on the server that contains, in a subdirectory named after the user login,
        ; the script defined by "logon script"
        path = /home/netlogon
        ; these scripts must be read-only ...
        read only = yes
        ; ... except for the users in the admin group (@)
        write list = @admin
        ; a service share that is pointless to show to other users
        browseable = no

3 – Creating additional directories

It is important to create the netlogon and profiles directories defined in smb.conf, with the correct names and permissions.
Based on the example configuration above, do the following on the Samba server (as root):

[root@sambaserver root]# groupadd admin
    Create the admin group, made up of the users who may edit the logon scripts. Bear in mind that these scripts are particularly important in terms of security, since they run on the Windows clients.

[root@sambaserver root]# mkdir -m 0775 /home/netlogon
    Create the /home/netlogon directory, readable and executable by all users and writable only by the owner and the owning group.

[root@sambaserver root]# chown root.admin /home/netlogon
    Set root as the owner of the directory and admin as its group (with write permission).

[root@sambaserver root]# mkdir /home/profiles
    Create the directory for the profiles (the same one defined in smb.conf).

[root@sambaserver root]# chmod 1757 /home/profiles
    Set the sticky bit and make the directory writable by root, so that its subdirectories can be managed by their own users without the possibility of modifying the others'.

4 – Add login and password

Managing users in a Samba domain is not an immediate process, and some fundamental aspects must be considered:

- Samba uses a password file, /etc/samba/smbpasswd (by default), with one line per user (in a domain just as on a normal server with user authentication). Each line contains the login, the encrypted password and other data.

- Every user in the smbpasswd file MUST also exist as a normal Unix user in /etc/passwd. This is because Samba acts on the local system as a normal Unix process: even though it runs as root, it accesses the filesystem with the permissions of the user as configured.

- When Samba acts as a PDC, besides creating a login (both in /etc/samba/smbpasswd and in /etc/passwd) for each user, you must create a special login for each machine in the domain. This login, called a trust account or computer account, has the NetBIOS name of the computer followed by a dollar sign ($). At the first login from the trust account a sort of password is generated, which is used to authenticate communications between the PDC and the client and to make sure that no other machine can join the domain with the same NetBIOS name.

- Managing these logins (for users and for computers, in both smbpasswd and passwd) can be done manually, with the commands below, or automatically through the add user script directive.

- Windows 9x/Me, although they can log on to a domain, are not designed to be clients of a full-fledged domain, because they do not follow its security and trust logic.

To add a computer account to the domain manually, follow these steps:

[root@sambaserver root]# groupadd machines
    Create a group for all the computer accounts.

[root@sambaserver root]# useradd -g machines -d /dev/null -s /bin/false nameNetBios$
    Add a login to the system, member of the machines group, with no home directory and no shell, named after the machine’s NetBIOS name followed by a $. Note that this account is used by Samba to act on the system, but it is good that it cannot be used for a normal login.

[root@sambaserver root]# passwd -l nameNetBios$
    Lock the password, so that the account cannot be used and nobody but root can change it.

[root@sambaserver root]# smbpasswd -a -m nameNetBios
    Create the new computer account in /etc/samba/smbpasswd and set its password. The -a option creates the account if it does not exist; the -m option marks it as a machine account. Here the NetBIOS name must NOT be followed by $, because in this case the character is added automatically. There is no need to remember the password, as it is handled directly between the PDC and the domain client.

If you want to avoid adding a new account by hand for each machine in the domain, you can add, as indicated above, the following line to smb.conf (valid only for Samba 3):

add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

Check the path and the syntax of the useradd command, and make sure you have already created the machines group (groupadd machines).

To add a user login (not a machine) to the domain manually:

[root@sambaserver root]# useradd foo
    Add the user to the system’s /etc/passwd.
[root@sambaserver root]# passwd foo
    Set the password. If the user should not have access to the Unix system, set a shell that does nothing in /etc/passwd.
[root@sambaserver root]# smbpasswd -a foo
    Add the user to /etc/samba/smbpasswd and set the password.

NOTE: when you configure a Windows NT/2k/XP machine to join a domain, you are prompted for an administrator password. Here you must use the root login and password, so you must also add the root user to smbpasswd:

[root@sambaserver root]# smbpasswd -a root

Note that if you later change the root password with passwd, the smbpasswd file is not updated: the password that counts for Windows is the second one, the one in /etc/samba/smbpasswd.

For this and other reasons, once a user has been created it is a good idea to make sure that their password on the Unix system is aligned with the one used by Samba on the network. To ensure that a password changed via Samba is also reflected in /etc/passwd, add lines similar to these to smb.conf:

        ; synchronize passwords between Samba and the local Unix system
        unix password sync = yes
        ; command used to change the Unix password; %u is the user’s login
        passwd program = /usr/bin/passwd %u
        ; the chat script that matches the output of passwd; make sure your system uses the same wording
        passwd chat = *New*UNIX*password*%n\n*Retype*new*UNIX*password*%n\n*Enter*new*UNIX*password*%n\n*Retype*new*UNIX*password*%n\n*passwd:*all*authentication*tokens*updated*successfully*

Unfortunately this does not work in reverse: if you change a password with the Unix passwd, you must change it by hand with smbpasswd as well, to keep the Samba password synchronized with the Unix one.
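The invariants this section states (every smbpasswd entry has a matching /etc/passwd user with the same uid; machine accounts end in $, carry the W flag, have no login shell and a locked Unix password) are easy to get wrong by hand, so here is an audit that checks them. It is an added example, not code from the original post or from the Samba project: the three files are constructed samples, the password hashes are placeholders, and the smbpasswd line layout used is name:uid:LM hash:NT hash:[flags]:LCT-time: with U marking a user and W a workstation trust account.

```python
# Added example: audit passwd/shadow/smbpasswd consistency for a Samba PDC.
# All three files are constructed samples; hashes are placeholders.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
PLACEHOLDER_HASH = "X" * 32   # stands in for the 32-hex-digit LM and NT hashes

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
foo:x:1001:1001::/home/foo:/bin/bash
bar:x:1002:1002::/home/bar:/bin/bash
pc01$:x:1100:1100::/dev/null:/bin/false
pc02$:x:1101:1100::/home/pc02:/bin/bash
"""

SHADOW = """\
root:$6$placeholder:15900:0:99999:7:::
foo:$6$placeholder:15900:0:99999:7:::
bar:$6$placeholder:15900:0:99999:7:::
pc01$:!:15900:0:99999:7:::
pc02$:$6$placeholder:15900:0:99999:7:::
"""

# smbpasswd layout: name:uid:LM hash:NT hash:[account flags]:LCT-<hex last change>:
SMBPASSWD = f"""\
root:0:{PLACEHOLDER_HASH}:{PLACEHOLDER_HASH}:[U          ]:LCT-4E8F0000:
foo:1001:{PLACEHOLDER_HASH}:{PLACEHOLDER_HASH}:[U          ]:LCT-4E8F0000:
bar:2002:{PLACEHOLDER_HASH}:{PLACEHOLDER_HASH}:[U          ]:LCT-4E8F0000:
pc01$:1100:{PLACEHOLDER_HASH}:{PLACEHOLDER_HASH}:[W          ]:LCT-4E8F0000:
pc02$:1101:{PLACEHOLDER_HASH}:{PLACEHOLDER_HASH}:[W          ]:LCT-4E8F0000:
ghost:1003:{PLACEHOLDER_HASH}:{PLACEHOLDER_HASH}:[U          ]:LCT-4E8F0000:
"""


def parse_colon_file(text):
    """Map the first field (the account name) to the full list of fields."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def audit_accounts(passwd_text, shadow_text, smbpasswd_text):
    """Return (account, problem) pairs for every violated invariant."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    issues = []
    for name, fields in parse_colon_file(smbpasswd_text).items():
        uid, flags = fields[1], fields[4]
        is_machine = "W" in flags
        if is_machine != name.endswith("$"):
            issues.append((name, "machine flag and trailing $ disagree"))
        entry = passwd.get(name)
        if entry is None:
            issues.append((name, "Samba account has no entry in /etc/passwd"))
            continue
        if entry[2] != uid:
            issues.append((name, f"uid {uid} in smbpasswd differs from {entry[2]} in /etc/passwd"))
        if is_machine:
            shell = entry[6]
            if shell not in NOLOGIN_SHELLS:
                issues.append((name, f"machine account has a login shell ({shell})"))
            locked = name in shadow and shadow[name][1].startswith(("!", "*"))
            if not locked:
                issues.append((name, "machine account Unix password is not locked"))
    return issues


if __name__ == "__main__":
    for account, problem in audit_accounts(PASSWD, SHADOW, SMBPASSWD):
        print(f"{account}: {problem}")
```

On the sample data it flags ghost (a Samba login with no Unix user, which smbd cannot map to filesystem permissions), bar (uid mismatch between the two files) and pc02$ (a trust account that was created with useradd's defaults instead of -s /bin/false and passwd -l), while root, foo and pc01$ pass. On a real server the same function can be fed the contents of /etc/passwd, /etc/shadow and /etc/samba/smbpasswd read as root.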

5 – Configuring Clients

Configuring a Windows system to join a domain varies depending on the version:
Windows 95/98/ME
- Make sure the “Client for Microsoft Networks” is installed in the network properties
- Ensure that the Client for Microsoft Networks is selected as the primary network logon (Control Panel -> Network -> Primary Network Logon).
- Go to Control Panel -> Network -> Client for Microsoft Networks -> Properties -> Log on to NT Domain.
- If you have configured the smb.conf option “add user script”, select the Create a Computer Account check box; otherwise create by hand a user on the Samba server for the Windows machine.
- Enter your domain name and click OK.

Windows NT:
- Go to Control Panel -> Network -> Network Identification -> Properties
- Select Domain and enter the domain name
- Select Create a Computer Account
- When prompted for an administrator password, enter the login and password of root; remember that the root user must have been added to smbpasswd.
- You should get a message welcoming you to the domain.

Windows 2000:
The procedure is the same as for Windows NT, except that the network settings are found under Control Panel -> System -> Network Identification (or, on the Desktop, right-click the My Computer icon, select Properties, then the Network Identification tab and click the Properties button).

Windows XP:
The procedure is more complicated with Windows XP (Microsoft tends to change the specifications and implementations of its protocols, complicating interoperability with alternatives).
Note that only XP Professional Edition can join a domain; Windows XP Home Edition cannot join a domain (Samba or Windows based).
- Open the Local Security Policy editor (Start -> Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options)
- Disable “Domain member: Digitally encrypt or sign secure channel data (always)”
- Disable “Domain member: Disable machine account password changes”
- Disable “Domain member: Require strong (Windows 2000 or later) session key”
- Download from Samba.org (http://de.samba.org/samba/ftp/docs/Registry/WinXP_SignOrSeal.reg) the WinXP_SignOrSeal registry patch. To apply it, double-click the .reg file and answer Yes to the questions.
- At this point you can join the domain as on Windows NT/2000: right-click My Computer, select Properties, then Computer Name, and click the Change button, or run the Network Identification Wizard.

Linux / Unix
Linux systems too, of course, can join a domain with a Samba PDC, and if one of them is a file server, its Samba can be configured to authenticate through the domain.
Its smb.conf must contain the following lines:

[global]
        workgroup =
        netbios name =
        security = DOMAIN
        encrypt passwords = Yes
        password server =
        preferred master = False
        domain master = False

Obviously a computer account for our local Samba (with the name given in netbios name) must be created on the Samba PDC, and the local machine must first join the domain, a procedure comparable to the one seen above for Windows clients. On the local Linux/Unix machine it is enough to run:

smbpasswd -j DOMAIN -r PDCNAME -U root

(where DOMAIN and PDCNAME stand for the workgroup name and the NetBIOS name of the Samba PDC). You have to provide the root password of the Samba PDC (remember that this password is stored in smbpasswd and not in passwd/shadow, in case they differ).

Levels of interoperability between Windows networks and Samba

The possibilities for interoperability between Windows and Samba clients and servers on a local network for file sharing are varied and can be grouped into two baseline scenarios:
- Windows server with mixed clients (Windows, Linux/Unix, MacOS).
- Linux/Unix Samba server with mixed clients.

It is possible to configure Samba to:
- Act as a Primary Domain Controller (PDC of an NT domain, but not an Active Directory Domain Controller) in a mixed network, including managing profiles and logins of the Windows machines in the domain. This option allows a Linux machine with Samba to perform the same functions as an NT domain PDC.
- Operate as a normal file server for mixed clients. The authentication methods may differ depending on the method used and may require several actions on the server and on the clients.
- Work as a domain member with file server functions accessible on the basis of the domain login and password. Samba can be a member either of an NT domain (Samba 2 or higher) or of an Active Directory domain (Samba 3 and above).
- Work as a WINS server (or be configured to use a different WINS server). In this case the configuration is simple, fast and effective and presents no particular problems of compatibility and interoperability.
- Work as a Master Browser in a mixed network.

Samba does NOT allow a machine to be managed as a Backup Domain Controller of a Windows PDC; it cannot be a Backup Browser and cannot be a Secondary WINS Server.

On the client side, however, there are no particular problems using Samba to connect to Windows or Linux servers: the remote network share is usually mounted on the local file system and can be accessed normally with the permissions granted.

Integrating Linux in a WinNT/2000 domain with Winbind

In this article I want to address a problem that is a bit niche but, I think, particularly interesting: the integration of a Linux machine (of course equipped with Samba) in an NT domain or a Windows 2000 Active Directory using Winbind.

By integration I mean not only the possibility for the Linux machine to become an actual member of the domain or Active Directory, but also and above all that the authentication of Linux users (note: Linux users, not Samba users) is obtained from the Windows Primary Domain Controller.

I believe this possibility is very interesting in situations where you want to introduce Linux into a network already established on the Windows platform, without having to redefine all the users in the new environment.

The context I am referring to is a school network, as I have seen in the schools where I work professionally, but the proposed solution can be effectively implemented in other environments.

I can imagine the objections of the “purists” about the wisdom of “living with the enemy” instead of replacing proprietary products with free software, preferred for ethical, philosophical, educational and economic reasons that have often been discussed in the pages of this magazine; the fact is that many times this is not possible, or at least not “immediately”. In some cases you need at least a period of “cohabitation” in which to gradually introduce Linux and free software, while allowing the training and the spread of a “culture” sufficient to operate and manage these tools profitably.

The procedure presented here has been used on Red Hat 7.3 but it is also applicable to other distributions.
From version 8.0 Red Hat allows you to configure login to an NT domain directly through the authconfig command, making these tasks much easier.

SET UP THE TOOLS NEEDED
Winbind is a new piece of software that became part of the Samba suite of tools from version 2.2.2 and is contained in the rpm package samba-common. It includes two libraries, for the Name Service Switch (nsswitch) and for Pluggable Authentication Modules (PAM), a utility, wbinfo, and a daemon, winbindd, which allow users to access the Linux machine (and the services that rely on PAM) using account information already held by a Windows Domain Controller.

More specifically, winbindd provides information on users and groups to the nsswitch service, which is now present in all modern C libraries and allows data about users, groups and hosts to come from several different types of sources (NIS, DNS and now also Winbind); the authentication service, instead, is ensured by the presence of a suitable PAM module.

Let us look at the steps needed to achieve the desired result (the tests were done on a Linux machine with RedHat 7.3 and Samba 2.2.3, part of a network managed by an NT 4.0 PDC named ANDREA):

1) Changes in smb.conf

In the Samba configuration file /etc/samba/smb.conf, add the following directives in the [global] section:

; NT domain name
workgroup = PALLADIUM
; Managing encrypted passwords
encrypt passwords = yes
; Settings for the PDC server
security = domain
password server = *
; Settings for the winbindd daemon
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%D/%U

Some comments on the options that configure the winbindd daemon:
winbind separator is the character that joins the NT domain name and the user name to form the Linux user name; it is advisable to choose a character other than the default “\”, which can cause problems since it has a special meaning in the shell; “+” should be the best choice.

winbind uid and winbind gid set the ranges of user and group IDs that winbind uses to “remap” Windows users and groups onto Linux users and groups.

winbind enum users and winbind enum groups activate the enumeration of users and groups.

template shell and template homedir define respectively the shell and the user’s home directory; note the use of the Samba variables %D (NT domain name) and %U (NT user name): in this case the user PALLADIUM+foo will have the home directory /home/PALLADIUM/foo.
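As an added example, not code from the original article, here is a shell pre-flight check for the smb.conf [global] settings required both by the earlier "Linux / Unix" domain-member fragment and by this step: security = domain, a workgroup, a password server, encrypt passwords = yes, and a winbind uid/gid (or, for Samba 3, idmap uid/gid) range. The range check also flags a range that reaches down into local account ids, because a domain SID mapped onto an existing local uid would silently share that account's files. The threshold of 1000 for local accounts and the two sample smb.conf files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original article: an offline pre-flight
# check of the [global] section of an smb.conf against the domain-member and
# winbind settings described in the text. Ids below 1000 are assumed to be
# local accounts (an assumption; adjust to the distribution).
LOCAL_ID_CEILING=1000

# Print the value of parameter $2 from the [global] section of smb.conf $1.
# Parameter names match case-insensitively; prints nothing if absent.
smb_global_param() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        !insec || /^[ \t]*[;#]/ || index($0, "=") == 0 { next }
        {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) != want) next
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val; exit
        }' "$1"
}

# Check one smb.conf; prints one line per finding and returns their count.
check_smbconf() {
    conf=$1; n=0
    sec=$(smb_global_param "$conf" security | tr 'A-Z' 'a-z')
    case "$sec" in
        domain|ads) ;;
        *) echo "security must be 'domain' (found '${sec:-unset}')"; n=$((n + 1)) ;;
    esac
    for p in workgroup "password server"; do
        [ -n "$(smb_global_param "$conf" "$p")" ] || { echo "'$p' is not set"; n=$((n + 1)); }
    done
    enc=$(smb_global_param "$conf" "encrypt passwords" | tr 'A-Z' 'a-z')
    case "$enc" in
        yes|true|1) ;;
        *) echo "'encrypt passwords' must be yes"; n=$((n + 1)) ;;
    esac
    # winbind uid/gid (Samba 2.2) or idmap uid/gid (Samba 3) must be a
    # low-high range that stays clear of local account ids.
    found_range=0
    for p in "winbind uid" "winbind gid" "idmap uid" "idmap gid"; do
        range=$(smb_global_param "$conf" "$p" | tr -d ' ')
        [ -n "$range" ] || continue
        found_range=1
        lo=${range%%-*}; hi=${range##*-}; bad=0
        case "$lo" in ''|*[!0-9]*) bad=1 ;; esac
        case "$hi" in ''|*[!0-9]*) bad=1 ;; esac
        [ "$bad" -eq 0 ] || { echo "'$p' is not a low-high range ($range)"; n=$((n + 1)); continue; }
        [ "$lo" -lt "$hi" ] || { echo "'$p' range is empty or reversed ($range)"; n=$((n + 1)); }
        [ "$lo" -ge "$LOCAL_ID_CEILING" ] || { echo "'$p' overlaps local ids below $LOCAL_ID_CEILING ($range)"; n=$((n + 1)); }
    done
    [ "$found_range" -eq 1 ] || { echo "no winbind/idmap uid range configured"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample files (assumed; not any real site's configuration).
sample_conf() {   # $1 = good | bad ; prints the path of a temporary file
    f=$(mktemp) || return 1
    if [ "$1" = good ]; then
        cat > "$f" <<'EOF'
[global]
    workgroup = PALLADIUM
    encrypt passwords = yes
    security = domain
    password server = *
    winbind separator = +
    winbind uid = 10000-20000
    winbind gid = 10000-20000
[homes]
    read only = No
EOF
    else
        cat > "$f" <<'EOF'
[global]
    ; 'workgroup name' is not a Samba parameter, so the workgroup stays unset
    workgroup name = PALLADIUM
    encrypt passwords = yes
    security = user
    password server = *
    winbind uid = 500-20000
    winbind gid = 10000-20000
EOF
    fi
    echo "$f"
}

# Stand-alone demo on the constructed samples (real use: check_smbconf /etc/samba/smb.conf).
for kind in good bad; do
    f=$(sample_conf "$kind"); echo "== $kind sample"; check_smbconf "$f" || true; rm -f "$f"
done
```

The bad sample reproduces three mistakes worth catching before restarting smbd: a misspelled parameter name that Samba would simply ignore, a security mode that never consults the PDC, and an id range that starts inside the local account space.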

2) Changes in nsswitch.conf

The file /etc/nsswitch.conf contains the configuration of the nsswitch service; winbind must be added among the sources of data about users and groups.

So its lines, which usually appear as follows:

passwd: files
group: files

must become:

passwd: files winbind
group: files winbind

The order in which the sources are listed is significant, and in this case priority in obtaining information is appropriately left to the system files (passwd and group).

3) Changes to the PAM configuration files

This is the most delicate and “dangerous” operation: mistakes in the configuration files in /etc/pam.d/ can make it impossible to log in, or allow anyone to enter without a password, or cause other similar problems. It is therefore appropriate to make a copy of the files you are about to change, and it is also advisable to keep a spare session open as “root” so you can retrace your steps if the tests do not give positive results.

A discussion of the use of PAM, which is very versatile and powerful, would also be in order, but it is not possible here.

So let us look only at the changes I made in my tests:
in /etc/pam.d/system-auth I added the line

auth sufficient /usr/lib/security/pam_winbind.so

after the first auth line already present, and I changed the line

auth sufficient /lib/security/pam_unix.so nullok likeauth
to
auth sufficient /lib/security/pam_unix.so nullok likeauth use_first_pass

in /etc/pam.d/login I added the following two lines, respectively as the first account line and as the last session line:
account sufficient /lib/security/pam_winbind.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

The last one in particular is very interesting, since it means that the user’s home directory is created automatically when the user connects to Linux for the first time: with reference to the settings described above, when the user PALLADIUM+foo connects, the home directory /home/PALLADIUM/foo is created (this, of course, if and only if the directory /home/PALLADIUM already exists).
A final observation about the change to the file system-auth: since its configuration is used, through the pam_stack module, by many other PAM configuration files (and not only login), it can be a good idea to leave it unchanged, copy it and modify the copy, naming it for example system-auth-winbind. Obviously the references to the file system-auth contained in the login file must then be amended accordingly.

4) Activate and test

First the Linux machine must be entered in the NT domain, acting on the NT server with Server Manager, and on Linux running the following command:

smbpasswd -j PALLADIUM -r ANDREA -U Administrator

If all goes well, after entering the password (that of Administrator on NT) you get the message:

Joined domain PALLADIUM

At this point you can start the smb and winbind services and test the proper functioning of the latter with the commands

wbinfo -u
wbinfo -g

to obtain, respectively, the list of domain users and groups.
It is also possible to obtain a list of all users and groups, both those in the domain and the “native” Linux ones, with the commands:

getent passwd
getent group

Finally, you can proceed to the most important test, namely the login to the Linux machine of a user existing in the NT domain: the login user name is written according to the established syntax (in our case “PALLADIUM+foo”) together with that user’s password in the NT domain.

In my case, at login a rather mysterious error message appears: “[: too many arguments”; I was not able to determine its origin even after searching the Internet, but it does not affect in any way the success of the operations carried out by the user.

It is also possible to obtain login for other services, provided that they have PAM support; for example, on the machine under test graphical login with gdm was active and, to get the mechanism working in this mode too, it was necessary to add to the file /etc/pam.d/gdm the line:

session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
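The getent output above is where the id mapping and the home directory template can be verified before anyone logs in. The following shell script is an added example, not code from the original article: it reads passwd-format lines as getent passwd prints them and checks that every PALLADIUM+user entry got a uid inside the winbind uid range of step 1, that its home directory matches template homedir, that no native Linux account sits inside that range (such an account would share its uid with whatever domain user winbind maps there), and that the /home/PALLADIUM parent directory pam_mkhomedir depends on exists. The sample passwd lines are constructed, and a temporary directory stands in for /home.

```shell
#!/bin/sh
# Added example, not code from the original article: an offline check of the
# result of step 4 on constructed 'getent passwd' lines. Settings mirror
# step 1; a temporary directory stands in for /home.
# Real use: getent passwd | check_passwd_entries /home
SEP='+'
DOMAIN=PALLADIUM
UID_LO=10000
UID_HI=20000

# Constructed getent passwd output (not captured from a real machine).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
andrea:x:500:500::/home/andrea:/bin/bash
PALLADIUM+foo:x:10000:10000::/home/PALLADIUM/foo:/bin/bash
PALLADIUM+Administrator:x:10001:10000::/home/PALLADIUM/Administrator:/bin/bash
backup:x:10500:10500::/home/backup:/bin/sh
PALLADIUM+bar:x:10002:10000::/home/PALLADIUM/baz:/bin/bash'

# Reads passwd lines on stdin; $1 is the directory standing in for /home.
# Prints one line per finding and returns the number of findings.
check_passwd_entries() {
    homeroot=$1; n=0; parent_warned=0
    while IFS=: read -r name _ uid _ _ home _; do
        [ -n "$name" ] || continue
        case "$name" in
            "$DOMAIN$SEP"*)
                user=${name#"$DOMAIN$SEP"}
                if [ "$uid" -lt "$UID_LO" ] || [ "$uid" -gt "$UID_HI" ]; then
                    echo "$name: uid $uid outside winbind range $UID_LO-$UID_HI"; n=$((n + 1))
                fi
                if [ "$home" != "/home/$DOMAIN/$user" ]; then
                    echo "$name: home $home does not follow template /home/$DOMAIN/$user"; n=$((n + 1))
                fi
                # pam_mkhomedir creates only the last path component.
                if [ "$parent_warned" -eq 0 ] && [ ! -d "$homeroot/$DOMAIN" ]; then
                    echo "$homeroot/$DOMAIN missing: pam_mkhomedir cannot create $home"
                    parent_warned=1; n=$((n + 1))
                fi ;;
            *)
                # A native account inside the winbind range collides with the
                # ids winbind hands out to domain users.
                if [ "$uid" -ge "$UID_LO" ] && [ "$uid" -le "$UID_HI" ]; then
                    echo "$name: local uid $uid lies inside the winbind range"; n=$((n + 1))
                fi ;;
        esac
    done
    return "$n"
}

# Runs the constructed sample through the checker; $1 = stand-in for /home.
run_check() {
    printf '%s\n' "$SAMPLE_PASSWD" | check_passwd_entries "$1"
}

# Stand-alone demo: once without and once with the PALLADIUM parent directory.
demo() {
    d=$(mktemp -d) || return 1
    echo "== before creating $d/PALLADIUM"; run_check "$d" || true
    mkdir "$d/PALLADIUM"
    echo "== after"; run_check "$d" || true
    rm -rf "$d"
}
demo
```

On the sample the script reports the collision of the native backup account, the mismatched home of PALLADIUM+bar and, until the parent directory is created, the missing /home/PALLADIUM that would make the first login of every domain user fail at pam_mkhomedir.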


CONCLUSIONS
Through the use of Winbind in combination with the other Samba tools, administrators have the ability to bring together different platforms using the database of users and groups defined in an existing Windows environment.

This is a further confirmation of the soundness of the choice of GNU/Linux and Free Software in general, at the level of “openness” and of the possibility of integration between different environments. It also confirms the dedication of the developers of these programs to such topics and the great advantage free software has in this area over proprietary software, which very often is characterized by closed, if not “armored”, solutions.

Example smb.conf for a Linux domain member server

[global]
workgroup = LAB42
server string = Samba Server - Si Autentica su PDC esterno
security = domain
password server = 10.42.42.173
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
dns proxy = No
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
add user script = /usr/sbin/adduser -d /dev/null -s /bin/false %u
[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[Documenti]
comment = Documenti Vari
path = /tmp
read only = No