godot
02-05-2002, 08:40 PM
Do you have multiple windows NT (2000,XP) machines and a linux box? If so you might want to keep your user profiles on a server. Samba can act as an NT Domain Controller and do everything for you, here I'll guide you through step-by-step to set up your NT Domain.
First of all, install samba. I just 'apt-get install samba' and I'm done. Otherwise it's easy to compile.
Now, you need a smbpasswd file. This is where samba stores encrypted passwords. Since it has to maintain win95 plaintext password capability it can't use /etc/passwd. To do this type the following commands (the location of /etc/passwd is distro-specific, I'm going to use debian's default).
#cat /etc/passwd | mksmbpasswd > /etc/samba/smbpasswd
#chmod 0600 /etc/samba/smbpasswd
(you don't want just anyone reading your smbpasswd file....
Now you have to create passwords and enable access for each user who's going to use samba (you're going to need root too, at least to get the computers in the domain). Type this command to create the password
#smbpasswd user_name
and this to enable the user
#smbpasswd -e user_name
Now we move on to the smb.conf file. In debian this is stored in /etc/samba/smb.conf, in redhat i think it's /etc/smb.conf. I will post my smb.conf file and explain what the important parts do.
[global]
workgroup = DVI #self explanatory, the workgroup name
netbios name = GOLLUM #duh...
server string = %h server (Samba %v) #what your server's comments will be in NT
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
encrypt passwords = yes #Vitally important, you cannot run a domain without.
syslog = 0
max log size = 1000
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
printcap name = lpstat
os level = 64
local master = yes #Should be the master browser, although I've read it may not actually be necessary
domain master = yes
preferred master = yes
security = user #another must
status = yes
domain logons = yes #allows domain logins
domain admin group = @adm
add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$
#should create machine trust accounts for computers that connect, doesn't seem to work though :(
logon path = \\%N\profiles\%U #the share clients will connect to for profiles
# logon drive = G: #should map the next line to this point, i don't use it
# logon home = \\%N\%U #what should be mapped to the above point, %N refers to the server's netbios name
logon script = logon.cmd
#script to be run by clients, must follow windows file format, so I'd make it with notepad
dns proxy = No
printing = cups #i use cups for printing, maybe i'll do a write-up on it later
#necessary share for domain controller
[netlogon]
path = /etc/samba/netlogon
writable = no
write list = ntadmin
#the profiles share, you want them to be accessible, right?
[profiles]
path = /home/profiles/%U/
writable = yes
create mask = 0600
directory mask = 0700
root preexec = /bin/mkdir /home/profiles/%U; \
/bin/chown %U /home/profiles/%U; \
/bin/chmod 700 /home/profiles/%U
#I share the home folders, my logon script maps it as G:
[homes]
comment = Home Directories
read only = No
create mask = 0644
Share that printer!
[printers]
comment = All Printers
path = /tmp
create mask = 0700
guest ok = Yes
printable = Yes
print command = lpr -P %p -o raw %s -r
lpq command = lpstat -o %p
lprm command = cancel %p-%j
browseable = No
Good, now that's set up. Go through there and make all those directories it points to (you don't have to use the same file system structure as I did, if you want to put your profiles in /profiles just change the profiles share to reflect that).
Make the logon script (has to be windows format, so I'd make it in notepad). Here's mine:
net time \\gollum /set /yes
@echo off
net.exe use g: \\gollum\homes
Now you need to create machine trust accounts for every machine that will be joining the domain. There's a script in my smb.conf file that should do this, but it doesn't work so I have to do it manually. Type these commands (dollar sign essential):
# useradd -g 100 -d /dev/null -c "client description" -s /bin/false machine_name$
# passwd -l machine_name$
# smbpasswd -a -m machine_name
where machine_name is the netbios name of the client you're trying to connect to the domain.
Easy enough. Restart samba and it should be running your domain, now we have to take care of windows. (I'm using XP, locations of menus may be different in 2000, NT4)
First you have to join the domain, right click on my computer, select computer name tab, click the change button in the bottom right to change its workgroup or domain. Select the domain toggle and enter your domain name (Mine is DVI). This should bring up a login box and you need to enter root, and the root password. You only have to do this once on each computer. Now reboot the windows machine. In XP it will disable the graphical login screen, which is disappointing but understandable from a security standpoint.
Log back into the computer, and go to the computer administration console, select the users and groups snap-in, right click on the user whose profile you want stored on the server and select Properties, click on the Profile tab of the properties window and enter this for Profile path:
\\server_netbios_name\profiles\
Not done yet, reboot again and log in, right click on My Computer, go to the advanced tab, and click on the Uesr Profiles settings button. Select the user whose profile you're currently trying to store on the server and click the "Change Type" button, select "roaming profile" and say ok. Now when you log out it should copy everything to the server, I recommend watching your hub to make sure it's transferring.
I went ahead and rebooted again, to make sure it would load through the network. After bootup give it a few seconds at the login prompt to resolve all the netbios names, or else it won't be able to fine your domain controller, then watch as it downloads your profile and you're good to go.
I haven't yet been able to add users to windows while a member of the domain and a few other kinks have yet to be worked out, but I hope this helps for anyone who wants to set this up because reading the samba documentation is tough work. (Think this is NHF material?)
Please post here if you have any problems, I will try to help.
[ 05 February 2002: Message edited by: godot ]
[ 05 February 2002: Message edited by: godot ]
First of all, install samba. I just 'apt-get install samba' and I'm done. Otherwise it's easy to compile.
Now, you need a smbpasswd file. This is where samba stores encrypted passwords. Since it has to maintain win95 plaintext password capability it can't use /etc/passwd. To do this type the following commands (the location of /etc/passwd is distro-specific, I'm going to use debian's default).
#cat /etc/passwd | mksmbpasswd > /etc/samba/smbpasswd
#chmod 0600 /etc/samba/smbpasswd
(you don't want just anyone reading your smbpasswd file....
Now you have to create passwords and enable access for each user who's going to use samba (you're going to need root too, at least to get the computers in the domain). Type this command to create the password
#smbpasswd user_name
and this to enable the user
#smbpasswd -e user_name
Now we move on to the smb.conf file. In debian this is stored in /etc/samba/smb.conf, in redhat i think it's /etc/smb.conf. I will post my smb.conf file and explain what the important parts do.
[global]
workgroup = DVI #self explanatory, the workgroup name
netbios name = GOLLUM #duh...
server string = %h server (Samba %v) #what your server's comments will be in NT
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
encrypt passwords = yes #Vitally important, you cannot run a domain without.
syslog = 0
max log size = 1000
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
printcap name = lpstat
os level = 64
local master = yes #Should be the master browser, although I've read it may not actually be necessary
domain master = yes
preferred master = yes
security = user #another must
status = yes
domain logons = yes #allows domain logins
domain admin group = @adm
add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$
#should create machine trust accounts for computers that connect, doesn't seem to work though :(
logon path = \\%N\profiles\%U #the share clients will connect to for profiles
# logon drive = G: #should map the next line to this point, i don't use it
# logon home = \\%N\%U #what should be mapped to the above point, %N refers to the server's netbios name
logon script = logon.cmd
#script to be run by clients, must follow windows file format, so I'd make it with notepad
dns proxy = No
printing = cups #i use cups for printing, maybe i'll do a write-up on it later
#necessary share for domain controller
[netlogon]
path = /etc/samba/netlogon
writable = no
write list = ntadmin
#the profiles share, you want them to be accessible, right?
[profiles]
path = /home/profiles/%U/
writable = yes
create mask = 0600
directory mask = 0700
root preexec = /bin/mkdir /home/profiles/%U; \
/bin/chown %U /home/profiles/%U; \
/bin/chmod 700 /home/profiles/%U
#I share the home folders, my logon script maps it as G:
[homes]
comment = Home Directories
read only = No
create mask = 0644
Share that printer!
[printers]
comment = All Printers
path = /tmp
create mask = 0700
guest ok = Yes
printable = Yes
print command = lpr -P %p -o raw %s -r
lpq command = lpstat -o %p
lprm command = cancel %p-%j
browseable = No
Good, now that's set up. Go through there and make all those directories it points to (you don't have to use the same file system structure as I did, if you want to put your profiles in /profiles just change the profiles share to reflect that).
Make the logon script (has to be windows format, so I'd make it in notepad). Here's mine:
net time \\gollum /set /yes
@echo off
net.exe use g: \\gollum\homes
Now you need to create machine trust accounts for every machine that will be joining the domain. There's a script in my smb.conf file that should do this, but it doesn't work so I have to do it manually. Type these commands (dollar sign essential):
# useradd -g 100 -d /dev/null -c "client description" -s /bin/false machine_name$
# passwd -l machine_name$
# smbpasswd -a -m machine_name
where machine_name is the netbios name of the client you're trying to connect to the domain.
Easy enough. Restart samba and it should be running your domain, now we have to take care of windows. (I'm using XP, locations of menus may be different in 2000, NT4)
First you have to join the domain, right click on my computer, select computer name tab, click the change button in the bottom right to change its workgroup or domain. Select the domain toggle and enter your domain name (Mine is DVI). This should bring up a login box and you need to enter root, and the root password. You only have to do this once on each computer. Now reboot the windows machine. In XP it will disable the graphical login screen, which is disappointing but understandable from a security standpoint.
Log back into the computer, and go to the computer administration console, select the users and groups snap-in, right click on the user whose profile you want stored on the server and select Properties, click on the Profile tab of the properties window and enter this for Profile path:
\\server_netbios_name\profiles\
Not done yet, reboot again and log in, right click on My Computer, go to the advanced tab, and click on the Uesr Profiles settings button. Select the user whose profile you're currently trying to store on the server and click the "Change Type" button, select "roaming profile" and say ok. Now when you log out it should copy everything to the server, I recommend watching your hub to make sure it's transferring.
I went ahead and rebooted again, to make sure it would load through the network. After bootup give it a few seconds at the login prompt to resolve all the netbios names, or else it won't be able to fine your domain controller, then watch as it downloads your profile and you're good to go.
I haven't yet been able to add users to windows while a member of the domain and a few other kinks have yet to be worked out, but I hope this helps for anyone who wants to set this up because reading the samba documentation is tough work. (Think this is NHF material?)
Please post here if you have any problems, I will try to help.
[ 05 February 2002: Message edited by: godot ]
[ 05 February 2002: Message edited by: godot ]