Samba as a Primary Domain Controller

Setting up Samba as a PDC (Primary Domain Controller) on Ubuntu 10.04 LTS is pretty straightforward. This may seem like a long tutorial, but it should let even a novice set up a basic PDC.

This entire tutorial requires that you be logged in as root, or make healthy use of the sudo command. I prefer the former.

Assumptions

There must be a working Samba server installed (configured or not). For this tutorial I'm going to use the following values:

PLEASE, change to suit your own needs.

Domain:			
PDC Hostname:		
PDC IP:			
User:			
Client Hostname:	

If there is not a working Samba server running:

 tasksel install samba-server

Should do the trick.

If you cannot ping your domain controller from your client you cannot join the domain.

Preliminary Testing

From your Windows client, in the command line, try:

ping testgate

  Pinging testgate [192.168.1.1] with 32 bytes of data:

  Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
  Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
  Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
  Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

  Ping statistics for 192.168.1.1:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 0ms, Maximum = 0ms, Average = 0ms

ping testdomain.loc

  Pinging testdomain.loc [192.168.1.1] with 32 bytes of data:

  Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
  Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
  Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
  Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

  Ping statistics for 192.168.1.1:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 0ms, Maximum = 0ms, Average = 0ms

Try this; if it doesn't work, fix it BEFORE moving on. By "not working" I mean: the two tests do not return the same IP, or that IP is not the address of the server's internal interface.

On to the PDC

Ensure that everything is functioning as expected.

Ping the server's NetBIOS name:

ping testgate
  PING testgate.testdomain.loc (127.0.1.1) 56(84) bytes of data.
  64 bytes from testgate.testdomain.loc (127.0.1.1): icmp_seq=1 ttl=64 time=0.022 ms
  64 bytes from testgate.testdomain.loc (127.0.1.1): icmp_seq=2 ttl=64 time=0.025 ms
  64 bytes from testgate.testdomain.loc (127.0.1.1): icmp_seq=3 ttl=64 time=0.027 ms
  64 bytes from testgate.testdomain.loc (127.0.1.1): icmp_seq=4 ttl=64 time=0.028 ms

  --- testgate.testdomain.loc ping statistics ---
  4 packets transmitted, 4 received, 0% packet loss, time 2997ms
  rtt min/avg/max/mdev = 0.022/0.025/0.028/0.005 ms

Then try this:

nslookup testgate

  Server:         127.0.0.1
  Address:        127.0.0.1#53

  Name:           testgate.testdomain.loc
  Address:        192.168.1.1

If that does not work, make sure that "hostname" gives you "testgate" and that "dnsdomainname" gives you "testdomain.loc". If they do not, change the hostname:

echo testgate > /etc/hostname; hostname testgate

then change the /etc/hosts file to reflect the changes: edit the line starting with 127.0.1.1, as in:

127.0.1.1    testgate.testdomain.loc testgate

You may also want to configure your DNS server to offer testgate.testdomain.loc as 192.168.1.1 on your local network.

Samba Configuration

Now for the Samba server.

The configuration will be mostly default values (see List Default Samba Values, for instructions on how to list all the default values).

First save the old smb.conf file, and create a new one:

cd /etc/samba
mv smb.conf{,.dist}
touch smb.conf

Place the following in the smb.conf file:

[global]
    domain logons = yes
    domain master = Yes
    netbios name = testgate
    workgroup = testdomain.loc
    os level = 255
    preferred master = yes
    security = user
    wins support = yes

[homes]
    valid users = %S
    read only = no
    browseable = no
    create mode = 0600
    directory mode = 0700

The only interesting values in the above configuration are "netbios name" and "workgroup".

  • "netbios name" should be the local hostname without the parent domain name, for example if the FQDN is testgate.testdomain.loc the "netbios name" should be testgate.
  • "workgroup" should be the parent domain name, for example if the FQDN is testgate.testdomain.loc then the "workgroup" should be testdomain.loc.
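As an added example (not part of the original tutorial), these POSIX shell functions read "netbios name" and "workgroup" from a given smb.conf and compare them with the FQDN you pass in, so a mismatch is caught before any client tries to join. The config path and FQDN are parameters you supply; the last lines only run when you pass them.

```shell
#!/bin/sh
# Added example, not from the original tutorial: confirm that smb.conf's
# "netbios name" and "workgroup" agree with the server's FQDN
# (host part and parent domain respectively), as the text above requires.

# smb_value CONF KEY: print KEY's value from the [global] section of CONF
smb_value() {
    # restrict to [global] (the range ends at the next section header),
    # then strip "KEY =" and any trailing whitespace from the first match
    sed -n '/^[[:space:]]*\[global\]/,/^[[:space:]]*\[/p' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# check_pdc_names CONF FQDN: return 0 if both names agree with FQDN,
# otherwise print each mismatch and return 1. Comparison is exact because
# the Linux side is case sensitive, as the tutorial warns.
check_pdc_names() {
    conf=$1
    fqdn=$2
    case $fqdn in
        *.*) ;;
        *) echo "FQDN '$fqdn' has no domain part"; return 1 ;;
    esac
    host=${fqdn%%.*}      # e.g. testgate
    domain=${fqdn#*.}     # e.g. testdomain.loc
    nb=$(smb_value "$conf" "netbios name")
    wg=$(smb_value "$conf" "workgroup")
    rc=0
    if [ "$nb" != "$host" ]; then
        echo "netbios name is '$nb', expected '$host' (from $fqdn)"
        rc=1
    fi
    if [ "$wg" != "$domain" ]; then
        echo "workgroup is '$wg', expected '$domain' (from $fqdn)"
        rc=1
    fi
    return $rc
}

# Live usage: sh check-smb.sh /etc/samba/smb.conf testgate.testdomain.loc
# (the FQDN argument defaults to "$(hostname).$(dnsdomainname)")
if [ $# -ge 1 ]; then
    check_pdc_names "$1" "${2:-$(hostname).$(dnsdomainname)}" && echo "smb.conf names OK"
fi
```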

Save the file. Then restart the samba services.

service smbd restart
service nmbd restart

Or

/etc/init.d/samba restart

We need to create a group for the Samba users and one for the workstations:

groupadd smbuser
groupadd workstation

Next we need to create a few users.

useradd -d /home/sean -g smbuser -s /bin/false -m sean
useradd -d /dev/null -g workstation -s /bin/false testdesktop$

Now we need to add the users to the samba database.

smbpasswd -a sean
smbpasswd -a root
smbpasswd -a -m testdesktop$

Notice that we added the client desktop both as a system user and to the Samba database. This is very important: the computer will not be able to join the domain without its name in the Samba database.

The "$" is required at the end of the machine name, do not forget it.

Windows is NOT case sensitive but Linux IS, so make sure that all user and machine names are typed EXACTLY the same, otherwise very strange things can happen.

Check the database like so:

pdbedit -Lv

There should be four users including a "nobody" user.

Take the time to check that all seems right, make sure that the domain is correct, etc...

You can also list just one user by:

pdbedit -v sean

If you would like to change your full name:

pdbedit -r -f "sean Shust" sean


Adding your domain user to the administrator group

Once you are finished and have joined the domain, when you reboot you may notice that the domain user has no privileges. This may be what you want, but if it isn't, how do you give admin rights to a domain user?

Samba no longer allows you to change the Primary Group SID directly; it is now set dynamically from group mappings. By default all users receive the RID of the Domain Users group, which is 513; for the Domain Admins group the RID needs to be 512. This is the final three digits of the Primary Group SID, as in:

Primary Group SID:   S-#-#-##-#########-#########-##########-513

When you created the user for use within the domain, you added it to a group:

useradd -d /home/sean -g smbuser -s /bin/false -m sean

If this was the first user added to the system it likely received a UID of 1000, and smbuser also likely received a GID of 1000. You can check this with "id":

id sean

  uid=1000(sean) gid=1000(smbuser) groups=1000(smbuser)

You could groupmap the GID of 1000(smbuser) to the admin group:

net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=smbuser

But this would make any user id in the smbuser group an admin user. A better choice is to create a new "admin" group and add the appropriate users to it.

groupadd -g 2000 smbadmin

Then change the GID of the user:

usermod -g smbadmin sean

Confirm the change with:

groups sean

It should return "smbadmin".

Then groupmap the new GID to the windows admin group:

net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=smbadmin

Then check that the Primary Group SID has changed:

pdbedit -v sean

Look for the line

Primary Group SID:   S-#-#-##-#########-#########-##########-512

and make sure the last three numbers are 512.

If the last three numbers didn't change, change the user to a different group and then change back:

usermod -g root sean
usermod -g smbadmin sean

Then check again...


Make root The Domain Administrator

Not sure where this would be relevant, but, as a purely informative exercise, here is how you would make your root user the Domain Administrator:

pdbedit -r -U500 root

Check to see if the change took by issuing the following:

pdbedit -v root | grep "User SID:"

And check that the line ends with 500.
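The two checks above (Primary Group SID ending in 512 for a domain admin, User SID ending in 500 for root) both come down to reading the last component of a SID line in "pdbedit -v" output. As an added example that is not part of the original tutorial, these POSIX shell functions do that comparison so it can be scripted instead of eyeballed; the pdbedit output is read from standard input, and the label and expected RID are parameters.

```shell
#!/bin/sh
# Added example, not from the original tutorial: extract the RID (the final
# component) of a SID line from "pdbedit -v" output and compare it with the
# value the tutorial says to look for (512 = Domain Admins, 513 = Domain Users,
# 500 = the built-in Administrator account).

# sid_rid LABEL < pdbedit-output: print the RID from the line "LABEL: S-..."
sid_rid() {
    # the greedy [-0-9]* leaves only the last "-digits" group for the capture
    sed -n "s/^$1:[[:space:]]*S-[-0-9]*-\([0-9][0-9]*\)[[:space:]]*$/\1/p" | head -n 1
}

# check_rid LABEL EXPECTED < pdbedit-output: return 0 if the RID equals EXPECTED,
# otherwise report what was found and return 1
check_rid() {
    got=$(sid_rid "$1")
    if [ "$got" = "$2" ]; then
        return 0
    fi
    echo "$1 ends in '${got:-<not found>}', expected $2" >&2
    return 1
}

# Live usage (reads the real database, so run as root):
#   pdbedit -v sean | check_rid "Primary Group SID" 512 && echo "sean is a Domain Admin"
#   pdbedit -v root | check_rid "User SID" 500 && echo "root is the Domain Administrator"
```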


Trouble Shooting

I've had a few issues with logins and the like; here are a few things you can try.


If you've successfully joined the domain but can't seem to log into the client on the domain:

Log into the client locally as an admin user and delete the user's folder. --PLEASE-- back up any data you need. In XP it would be under "c:\Documents And Settings". Then on the Samba server delete the profile folder within the user's home folder, "/home/sean/profile" in our examples. Then try logging in again.


If your database is all messed up, create a backup of it:

mv /var/lib/samba/passdb.tdb{,.`date +%F`}

and run

dpkg-reconfigure samba

and accept the defaults. You may have to re-add the root user, but all of the other required users should be added for you.

This method will also require the deletion of the user folder on the client machine. Again, --PLEASE-- backup any data you need.

Comments

+2 #1 Mike F 2013-11-13 11:50
Hi - this TUTORIAL is perfect! I got stuck on admin rights... 5 minutes later everything worked! Thanks a bunch!