Windows networks need a primary domain controller. It takes over user administration, provides logon scripts and allows user profiles to follow their users from computer to computer. And best of all: Linux can also provide such a domain controller. Its name is Samba.
A Primary Domain Controller, or PDC for short, is worthwhile in networks of about five computers or more. It is ideal if, for example, freelancers in an agency regularly work at changing workstations: all data is kept on the server and is available to the respective user as soon as he logs on to such a server. In this way existing resources are used optimally.
This article shows how to set up a Samba server to work as a domain controller. Basic knowledge of Samba is a prerequisite for understanding the steps shown here.
The advantages of the PDC
Anyone who has exchanged data between computers in a peer-to-peer network will find it easier with a domain controller. Until now, sharing a folder required entering on each computer which users are allowed to access the folder. As soon as a user changes his password, it also has to be changed on all computers the user wants to access.
Such chores are no longer necessary with a domain controller. When sharing a folder, the administrator of a computer simply retrieves the user names from the domain controller. If a password changes, this happens only on the server. Small disadvantage: passwords are reset on the Linux command line, so the administrator should be at least a little familiar with it.
Another big advantage of the domain controller are logon scripts: the PDC stores a logon script for each of its users and, if desired, for each computer. These scripts are batch files with Windows network commands. For example, net use k: \\serv\share assigns the shared folder share of the server serv to drive k: on the workstation. No matter which computer a user logs on to, he always receives this script and thus the correct network mappings.
Roaming profiles are a strong feature of Windows 2000 and XP. All user settings, mail data and so on are stored in the network. When logging on at another XP computer, exactly these settings and files appear.
Requirements
For server operation, an old PC of the 266 class is sufficient. Even a Pentium 90 provides enough power for small networks of up to ten workstations. The server should, however, be given enough memory: from 128 MByte RAM it is usable, with 256 MByte working with it becomes fun. The hard disk should have 5 GB to 10 GB free. With old Pentium systems, a SCSI controller also helps when moving larger amounts of data.
If the server is new, it should be prepared with, for example, a minimal installation of Suse Linux. On top of that the administrator installs Samba version 2.2.3a or later. The advantage of this procedure: it creates a server with minimal ballast. It saves processor power, because no more services than necessary run in the background. It saves hard disk space, because only the base system is installed. And it makes the system safer, because the fewer services it offers, the fewer vulnerabilities it exposes.
All examples in this article are for a network of computers with Windows XP Professional installed. The domain-controlled network should also work fine with Windows 2000 workstations. Windows XP Home, however, does not support domain logon.
Incidentally, the term domain here has nothing to do with the domain known from the Internet. So no domain name server is needed and you do not need to change the domain name entry of the Linux server.
Important for the transition is to understand the concept of user management under Windows, because the users registered on a workstation have nothing to do with those managed by the PDC. A user Heinz on the XP Professional workstation is therefore not identical to the Heinz registered on the domain controller: Windows always uses pairs of domain or computer name and user name to uniquely identify a user.
That means some conversion work for the network. For the concept to be fully effective, all network participants must log on using the user name supplied by the domain controller. This, however, gives them a completely new and empty user profile that first has to be filled again. It may also happen that local user rights have to be reset for the domain user. Therefore be careful when changing over: test the new network concept for a few days first before you switch the entire network.
Preparations for the PDC
The main work for domain operation takes place on the Linux computer. Log in as root. If a Samba configuration already exists, the command
cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
creates a backup of the Samba configuration.
Then open smb.conf in the directory /etc/samba/ with an editor, for example with
mcedit /etc/samba/smb.conf
A Samba configuration for domain operation looks like this, for example:
# smb.conf - Samba as PDC
[global]
workgroup = LXDOMAIN
security = user
encrypt passwords = Yes
guest account = Nobody
map to guest = Bad User
# One log file per computer
log file = /var/log/samba/%m
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
interfaces = 192.168.0.2/255.255.255.0
os level = 99
wins support = yes
character set = ISO8859-15
client code page = 850
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
domain logons = Yes
domain master = Yes
logon script = %U.bat
logon script = %m.bat
# Where to store the logon scripts.
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
Explanation:
- Under workgroup there should be a short, catchy name for the domain. The workgroup names commonly used in peer-to-peer networks, such as MSHEIMNETZ, are too long and too cumbersome.
- The entry security should be set to the value user. The Samba server then takes the user data from its own password file, which you manage with smbpasswd.
- The entries domain logons and domain master must be set to yes. They are the parameters actually responsible for domain operation.
- For everything to work properly, the server must also act as a WINS server. This is what wins support = yes does. WINS manages the mapping of machine names to IP addresses within the network. It is important to set os level to a value greater than 32 so that the PDC becomes the master browser in the network.
- To run scripts automatically at logon, the server gets two values for the entry logon script, namely logon script = %U.bat and logon script = %m.bat. Samba later replaces %U with the user name and %m with the name of the computer logging on.
- The logon scripts are located in the directory /var/lib/samba/netlogon. This is determined by the entries in [netlogon], namely comment = Network Logon Service and path = /var/lib/samba/netlogon. It is important that the scripts are readable for Windows computers, i.e. that they arrive with the correct line endings (CR/LF). If you write the files under Linux, you have to convert them. The command
awk '{ printf "%s\r\n", $0 }' raw > username.bat
does this work and converts the text from the file raw into the Windows-readable file username.bat.
- If Samba has just been installed, it must be registered as a service. On Suse this is done via Yast in the runlevel editor. It is important to also start the service nmbd here, because it is responsible for the NetBIOS name.
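As an added check (example script, not part of the original article), the following POSIX shell function parses the [global] section of an smb.conf and reports which of the PDC settings explained above are missing, including the os level that the troubleshooting section later points to; it also warns when logon script appears twice, because Samba keeps only the last value of a repeated parameter. The sample configuration at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: check the [global] section of
# an smb.conf for the settings the PDC setup relies on. Prints one line per
# problem; exit status 0 only when nothing is missing.
# Usage: check_pdc_conf /etc/samba/smb.conf
check_pdc_conf() {
    awk '
    # track the current section name; only [global] is examined
    /^[[:space:]]*\[/ { sect = tolower($0); gsub(/[^a-z0-9]/, "", sect); next }
    sect != "global" || /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
    {
        n = index($0, "="); if (n == 0) next
        key = tolower(substr($0, 1, n - 1)); gsub(/[[:space:]]+/, " ", key)
        sub(/^ /, "", key); sub(/ $/, "", key)
        raw = substr($0, n + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", raw)
        seen[key]++; conf[key] = tolower(raw); last[key] = raw   # repeated parameter: last value wins
    }
    END {
        bad = 0
        split("domain logons,domain master,wins support,encrypt passwords", need, ",")
        for (i = 1; i <= 4; i++)
            if (conf[need[i]] !~ /^(yes|true|1)$/) { print need[i] " must be yes"; bad++ }
        if (conf["security"] != "user") { print "security must be user"; bad++ }
        if (conf["os level"] + 0 <= 32) { print "os level must be above 32 (take 99)"; bad++ }
        if (seen["logon script"] > 1)
            print "warning: logon script set " seen["logon script"] " times, only the last value (" last["logon script"] ") applies"
        exit (bad > 0)
    }' "$1"
}

# constructed sample: a peer-to-peer style smb.conf that is not a PDC yet
sample_broken_conf() {
    printf '%s\n' '[global]' 'workgroup = LXDOMAIN' 'security = share' \
        'os level = 20' '[netlogon]' 'path = /var/lib/samba/netlogon'
}
```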
A home for the users
So that the users have a home, the following entries under [homes] are useful:
comment = Home Directories
read only = No
create mode = 0600
directory mode = 0700
browseable = No
hide unreadable = yes
valid users = %S
path = %H
The parameters create mode and directory mode protect each home directory from outside views: files created there are accessible only to their owner.
Important, especially for Windows networks, is hide unreadable. This parameter hides Linux configuration and system files located in the home directory. The value %S ensures that the currently logged-in user sees only his own home directory. Finally, %H supplies the path of this home directory.
This completes the preparations in smb.conf. Make sure that all other basic settings and the shares are correct.
Logging on to the PDC
For Samba to work as a domain controller, every user must, as usual with Samba, be registered on the Linux server and in Samba via smbpasswd. What is new: this also applies to every computer that is to log on to the domain controller.
First, enter the NetBIOS name of each connected computer in the file /etc/passwd. The computer name must be followed by a dollar sign $. Also give the computer its own user number, a group number and, if needed, a description. The result looks like this:
pegnitz$:x:400:400:Workstation_Pegnitz:/dev/null:/bin/false
rednitz$:x:401:400:Workstation_Rednitz:/dev/null:/bin/false
pilsbar$:x:402:400:Server_Pilsbar:/dev/null:/bin/false
/dev/null stands for the (non-existent) home directory of the computer, /bin/false for the likewise non-existent shell.
Then enter each of these new users in the Samba user list. This is done with the command:
smbpasswd -m -a pegnitz
Instead of "pegnitz" write the name of the workstation you want to enter, without the $ sign used before. The parameter -m tells Samba to enter the machine as a machine account.
To be able to join the domain, a special Samba root account is also required. If it is not set up yet, the command
smbpasswd -a root
creates it.
If not already done, all users should now be entered. To do this, use the configuration program Yast under Suse, or try the command useradd with the parameter -d for the home directory and -p for the password (note that -p expects an already encrypted password; with a plain-text value like test the Unix password must still be set with passwd afterwards), for example:
useradd -d /home/schorsch -p test schorsch
Do not forget to create the home directory afterwards and to give it the correct owner. Then add the user with
smbpasswd -a schorsch
to the Samba password file.
So that computers can log on later, the Linux server also needs the assignment of computer names to IP addresses. Enter these value pairs in the file /etc/hosts.
This completes the preparations on the Linux computer. Entering testparm on the Linux command line checks the Samba parameters once more for syntactic correctness. Then restart the Samba server, under Suse with rcsmb restart.
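The machine account and logon script steps above, as an added example that is not part of the original article: the helpers work on a constructed passwd file and a temporary directory instead of /etc/passwd and /var/lib/samba/netlogon, so they can be run without touching a live server; the workstation names come from the passwd listing above and the drive mapping from the logon script explanation.

```shell
#!/bin/sh
# Added example, not from the original article: prepare a workstation entry
# for the domain without touching the live system. It finds the next free
# UID in a passwd file, builds the machine account line (NetBIOS name plus
# '$', no home directory, no shell) and writes the per-machine logon script
# with the CR/LF line endings Windows expects.

# next_free_uid PASSWD_FILE START: lowest UID >= START not yet used in the file
next_free_uid() {
    awk -F: -v start="$2" '{ used[$3] = 1 }
        END { uid = start + 0; while (uid in used) uid++; print uid }' "$1"
}

# machine_passwd_line NAME UID GID COMMENT: passwd line for the machine account;
# fails if NAME is not a plausible NetBIOS name (1-15 characters, letters,
# digits, '-' or '_', given without the '$' that is appended here)
machine_passwd_line() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ] || return 1
    printf '%s$:x:%s:%s:%s:/dev/null:/bin/false\n' "$1" "$2" "$3" "$4"
}

# to_crlf: read Unix text on stdin, write it with CR/LF line endings on stdout
to_crlf() { awk '{ printf "%s\r\n", $0 }'; }

# count_cr FILE: number of CR bytes, to verify that a script was converted
count_cr() { tr -cd '\r' < "$1" | wc -c | tr -d ' '; }

# write_logon_script DIR NAME: DIR/NAME.bat with the drive mapping from the text
write_logon_script() {
    printf '%s\n' '@echo off' 'net use k: \\serv\share' | to_crlf > "$1/$2.bat"
}

# demo on a constructed passwd file standing in for /etc/passwd
demo() {
    dir=$(mktemp -d); mkdir "$dir/netlogon"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'pegnitz$:x:400:400:Workstation_Pegnitz:/dev/null:/bin/false' > "$dir/passwd"
    uid=$(next_free_uid "$dir/passwd" 400)            # 400 is taken, so 401
    machine_passwd_line rednitz "$uid" 400 Workstation_Rednitz
    echo "smbpasswd -m -a rednitz"                     # the matching Samba machine account
    write_logon_script "$dir/netlogon" rednitz
    echo "CR bytes in rednitz.bat: $(count_cr "$dir/netlogon/rednitz.bat")"
}
demo
```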
Setting up the Windows computer
For Windows XP to work with the PDC, some settings have to be relaxed there. To do so, type gpedit.msc on the Windows command line. The Group Policy Editor provides the menu
Windows Settings / Security Settings / Local Policies / Security Options.
Here, disable the two options:
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally encrypt or sign secure channel data (always)
If Windows XP with Service Pack 1 is used, another value has to be changed under Computer Configuration / Administrative Templates / System / User Profiles.
These actions require administrator rights on the XP machine.
Subsequently, all drive mappings in the network should be disconnected from the command line. This is done with
net use * /d /y
Now comes the big moment. Right-click My Computer, click Properties and then Computer Name to reach the domain logon menu. Another click on Change, and then enter the domain.
After clicking OK, the computer asks for the user name and password of the Samba root account. After entering them, the computer is joined to the domain.
If the computer cannot find the domain, this can have several causes. The most common: the server itself does not know that it is the master browser of the network, although in this role it manages the mapping of computer names to IP numbers. Make sure the smb.conf parameter os level is set to a value greater than 32; to be safe, take 99 right away.
In addition, the service nmbd must be running. Check this with the command
ps ax | grep nmbd
Some sources also suggest editing the file lmhosts in the directory C:\WINDOWS\system32\drivers\etc in case of problems. Open the file lmhosts.sam in the editor and enter the IP address and name of the server
192.168.0.122 lx1 #PRE #DOM:lxdomain
and save the result under the name lmhosts. If you use Notepad, put the name in quotation marks so that Notepad does not append the suffix .txt. This directive assigns the NetBIOS name lx1 to the appropriate IP address.
#DOM marks the computer as PDC of the domain lxdomain. #PRE ensures that this entry is read at system startup and kept during operation, which improves speed. However, the configuration presented here also works without an entry in lmhosts.
The first logon
When the logon screen appears, enter user name and password. After clicking Options, select the domain name. A click on OK starts the logon. If there is a logon script for the computer or the user, it is executed. By the way: the usual Windows XP welcome screen disappears and gives way to the classic logon procedure.