Monday, 17 August 2009

SAMBA Domain Controller setup

Operating system: CENTOS 5.3

I have to install and configure SAMBA as a domain controller for many small branch offices. To give local (inexperienced) administrators an easy way to administer SAMBA users and groups, I selected Microsoft User Manager for Domains from the ServerTools package. Below are the steps I went through:

1. CUPS

Add printer
#links localhost:631
#cupsaddsmb -v -U root hp4250

#cat /etc/cups/printers.conf

# Printer configuration file for CUPS v1.2.4
# Written by cupsd on 2008-05-13 17:21
<Printer hp4250>
Info test printer
Location here*
DeviceURI http://192.168.xxx.xxx/ipp/
State Idle
StateTime 1210684915
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>



2. SAMBA


You have to disable SELINUX!!!

2.1 Add necessary users and groups

Abstract:
I configured a special user samba and a domain admins group srvadmins for domain control. This avoids having to give the root password to local administrators.
* Remember to set enable privileges = yes in smb.conf.

2.1.1 Add root to SAMBA, to allow control of samba users and groups:

#smbpasswd -a root
Add the future domain administrator user
#useradd samba
#passwd samba
#smbpasswd -a samba
At the prompt, enter the SAMBA passwords for both users.

2.1.2 srvadmins - Domain Admins; users - for access to the general file share

#groupadd srvadmins
#groupadd users
#groupadd computers
The computers group stores the machine accounts; it is used when adding a computer to the domain.

Add the samba user to both groups:
#usermod -G samba,srvadmins,users samba

2.1.3 Add Domain Admins and Domain Users group

#net groupmap add ntgroup="Domain Admins" unixgroup=srvadmins rid=512 type=d
#net groupmap add ntgroup="users" unixgroup=users type=d

I recommend checking the SID of the srvadmins group with the command:
#net groupmap list

2.2 Add rights to Domain Admins group

A detailed description of the privileges is available here.

#net rpc rights grant "Domain Admins" SeMachineAccountPrivilege SeTakeOwnershipPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege -S PDC_name -Uroot

Password:

Successfully granted rights.

If that message does not appear, the command failed!


Disable the roaming profile for the samba user, so that its profile is not copied to many workstations.
#pdbedit -p "" samba

3. Create necessary folders
Set the necessary file and folder access rights (this allows a profile folder to be created automatically for each user when the account is created):
#mkdir -p /var/share/share /var/lib/samba/profiles /var/lib/samba/netlogon

3.1 Set file and folder owners:

#chown samba:users /var/share/share
#chown samba:srvadmins /var/lib/samba/netlogon
#chown samba:users /var/lib/samba/profiles

4. Example smb.conf
#cat /etc/samba/smb.conf

[global]
workgroup = TEST
server string = Samba Server Version %v
netbios name = TEST
interfaces = eth0, lo
bind interfaces only = Yes
username map = /etc/samba/smbusers
passdb backend = tdbsam
log level = 2
log file = /var/log/samba/%m.log
max log size = 10000
name resolve order = lmhosts wins bcast host
time server = Yes
domain logons = Yes
domain master = Yes
os level = 33
dns proxy = No
wins support = Yes
enable privileges = Yes
local master = Yes
preferred master = Yes
# Scripts
add machine script = /usr/sbin/useradd -g computers -s /bin/false -d /dev/null %u
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel %u
rename user script = /usr/sbin/usermod -l %unew %uold
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/bin/gpasswd -a %u %g
delete user from group script = /usr/bin/gpasswd -d %u %g
set primary group script = /usr/sbin/usermod -g %g %u
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
logon script = logon.bat
logon path = \\%L\Profiles\%U
hosts allow = 127., 192.168.39.
load printers = yes
printing = cups
printcap name = cups
cups options = raw
veto oplock files = /*.doc/*.xls/*.XLS/*.DOC/
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = @srvadmins
guest ok = No
browseable = No
writable = No

[Profiles]
comment = User profiles
path = /var/lib/samba/profiles
valid users = %U
read only = No
create mask = 0600
directory mask = 0700
browseable = No

[share]
comment = File share
path = /var/share/share
valid users = @users
write list = samba, @users
read only = No
create mask = 0660
directory mask = 0770

[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
browseable = yes
guest ok = yes
writable = no
public = yes
create mode = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printerdrivers
write list = @srvadmins, root
browseable = yes
guest ok = yes

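As an added example (not from the original post), a small POSIX sh lint that cross-checks every @group named in smb.conf against /etc/group and confirms that enable privileges is switched on, which is what the net rpc rights grant step in section 2.2 needs. It catches a share that names a Unix group which does not exist, for instance @srvadmin when the group was created as srvadmins; the file paths are passed as arguments and the smb.conf and /etc/group contents used below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: lint the @group references in smb.conf
# against /etc/group and confirm "enable privileges" is on. Assumes POSIX sh with
# sed, grep, sort and cut; the two file paths are passed as arguments.

# Print every group referenced as @name in the smb.conf $1 (comments stripped), one per line.
smbconf_groups() {
    sed -e 's/[#;].*$//' "$1" | grep -o '@[A-Za-z0-9_.-]*' | sed 's/^@//' | sort -u
}

# Print the @groups from $1 (smb.conf) that are absent from $2 (/etc/group).
# Returns 0 if every referenced group exists, 1 otherwise.
missing_groups() {
    missing=0
    for g in $(smbconf_groups "$1"); do
        if ! cut -d: -f1 "$2" | grep -qxF "$g"; then
            echo "$g"
            missing=1
        fi
    done
    return $missing
}

# Returns 0 if "enable privileges" is yes/true/1 in $1 (needed for "net rpc rights grant").
privileges_enabled() {
    grep -iqE '^[[:space:]]*enable privileges[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' "$1"
}

# Constructed sample input echoing the post's shares (not a real system); the two
# misspelled groups, srvadmin and sravdmin, are the kind of slip this check catches.
demo=$(mktemp -d)
cat > "$demo/smb.conf" <<'EOF'
[global]
enable privileges = Yes
[netlogon]
admin users = @srvadmin
[share]
valid users = @users
write list = samba, @users
[print$]
write list = @sravdmin, root
EOF
printf 'root:x:0:\nusers:x:100:samba\nsrvadmins:x:501:samba\ncomputers:x:502:\n' > "$demo/group"
privileges_enabled "$demo/smb.conf" || echo "enable privileges is not set to yes"
if missing_groups "$demo/smb.conf" "$demo/group"; then
    echo "every @group in smb.conf exists"
else
    echo "groups above are referenced in smb.conf but missing from /etc/group"
fi
rm -r "$demo"
```

On a real system run it as `missing_groups /etc/samba/smb.conf /etc/group` before starting smbd; a group name printed here means the share grants access to nobody (or, for write list, lets nobody write).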

5. Make necessary changes in /var/lib/samba/netlogon/logon.bat
Note: the ifmember utility used below can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=07C2F6D7-815E-4FA0-9043-4E4635CCD417&displaylang=en


Example of logon.bat

@echo off
net time /DOMAIN:TEST

rem --- Resource for all users ----------
NET TIME \\TEST /SET /YES

net use j: \\TEST\soft
rem --- If we are using other domain member server---
net use h: \\server2\holding
net use k: \\TEST\recruit

rem ==================== by AI
rem Check first group membership in g-share
ifmember TEST\g_share
if not errorlevel 1 goto group2
rem if user not member of the group skip
rem else map resources
net use m: \\TEST\share

:group2
ifmember TEST\g_finance
if not errorlevel 1 goto group3
net use f: \\TEST\finance

:group3


6. Users and groups management using User Manager For Domains
The steps below are executed on a Windows XP/2000 workstation.
First download SRVTOOLS.EXE from
http://support.microsoft.com/kb/173673
Unpack the file by executing it. USRMGR.exe is User Manager for Domains.

Start USRMGR.
The program allows you to add/remove users, add/remove groups, modify group membership, set users' profile parameters, set the domain password policy, block users' accounts and so on. More information is available at http://searchenterpriselinux.techtarget.com


Limits:
  • Avoid UPPERCASE characters in user names! If you create such a user, you can't use User Manager For Domains to modify it.
  • It is not possible to create local user groups, only global ones.
The tips above are just the results of my experiments; if you solve some of them, please share your knowledge.
