Setting up Samba 2.2 as a primary domain controller with roaming profiles using Debian 3.0 Woody
Contents
- Introduction
- Significant changes to this document
- Installing Samba
- Usernames and directories - system
- The Samba configuration file (smb.conf)
- Usernames and directories - user - creating a user account
- User groups (optional)
- Shared user areas (optional)
- Configuring the Windows workstation
- Windows profiles
- Windows logon script
- Windows applications installed on each workstation (if any)
- Windows applications installed on the server (if any)
- Printing
- Samba tools
- Useful administration utilities
- Hoarding other administrative software
- Fixes for some problems
- Day-to-day administration
Introduction
Note: this document has been superseded by our document Setting up a Samba primary domain controller and file/print/software deployment server using Samba 3 on Debian 3.1 Sarge.
This document describes how to set up Samba using Debian GNU/Linux to act as a primary domain controller for Windows 2000 Pro or Windows XP Pro workstations.
Everything described in this document that is run on the Samba server has been automated by us and included in our Twix program, available at http://thegoldenear.org/toolbox/unices/twix/. Twix incorporates all options into a single menu-driven script.
This document should be a useful companion to the following other documentation:
- The Samba project's documentation: http://samba.org/samba/docs/
- Using Samba, 2nd edition: http://samba.org/samba/docs/using_samba/toc.html
This document is based on using Samba 2.2.3a with Debian GNU/Linux 3.0.
Significant changes to this document
7 July 2006 - smb.conf changes, the only slightly noteworthy one being that the example [shared] path changed from /home/workgroup/shared to /home/organisation_name_goes_here/shared so that it is also changed by Twix and is more explanatory (this has already been changed in our downloadable smb.conf)
12 July 2004 - updated NETLOGON.BAT login script from 0.6.5 to 0.7 with its updated Windows user temp directory
10 Feb 2004 - removed various sections detailing how to script this whole configuration, instead providing a link to Twix which incorporates all such scripts into a single more usable menu-driven version
28 Oct 2003 - make files executable using chmod +x filename rather than chmod 770 filename
- Location for storing software on the server changed from /usr/windows/windows-toolbox to /usr/windows/software
17 Oct 2003 - updates to smb.conf get password syncing between Windows and Samba working; and increase security
17 Oct 2003 - changed smb.conf's 'force create mode' to 0770 instead of 3770. These bits mean different things when set on files and on directories; 3 is a security risk. If you've been using this you'll want to remove this bit from all files in affected directories only:
- remove SUID, SGID and sticky bit from all files and directories in the affected area and below:
chmod -R g-s,u-s,-t .
- add SGID and sticky bit to sub-directories in the affected area:
chmod g+s,+t */
- and continue adding for further sub-directories using:
chmod g+s,+t */*/
and
chmod g+s,+t */*/*/
etc. until it says something like "no file */*/*/"
17 Aug 2003 - changes to smb.conf's 'socket options'
7 Aug 2003 - 'shared user areas' section now describes how to set permissions on shared directories such that all subsequent files and directories created there have a specific set of permissions. This is mirrored in the 'create shared user data directories' script and in smb.conf.
Installing Samba
To install Samba using Debian:
apt-get install samba
Usernames and directories - system
Create groups for system use:
addgroup --gid 200 admins
addgroup --gid 201 machines
Create directories for Samba to use with Windows:
- to save Windows profiles in, and backups of configured profiles:
mkdir /home/samba
mkdir /home/samba/profiles
mkdir /home/samba/configured-profiles-backup
chmod 1757 /home/samba/profiles
- for logging on:
mkdir -m 0775 /home/netlogon
chown root.admins /home/netlogon
- to install Windows applications to, if required. There's no convention on where they should go; we use /usr/windows:
mkdir /usr/windows
mkdir /usr/windows/programs
The permissions for these directories may have to be changed.
The Samba configuration file (smb.conf)
We have a suggested configuration file for a Windows 2000 primary domain controller (http://thegoldenear.org/toolbox/unices/smb-conf-pdc.txt)
- the configuration file is /etc/samba/smb.conf, so move to that directory:
cd /etc/samba
- backup Debian's version of the file:
cp smb.conf smb.conf.original
- you can download our suggested smb.conf. Wget is useful for this, so if it isn't already installed, do so:
apt-get install wget
wget http://thegoldenear.org/toolbox/unices/smb-conf-pdc.txt
- replace Debian's smb.conf with the new one:
cp smb-conf-pdc.txt smb.conf
- change parts of it that might differ from your preferences. You'll want to at least consider changing the 'workgroup' (the domain name), 'netbios name' (the server name), [shared] 'path' and 'hosts allow' settings, perhaps using:
nano smb.conf
- restart Samba:
/etc/init.d/samba restart
Our smb.conf configuration file looks like this:
# smb.conf - Samba 2.2.x configuration file
# From http://thegoldenear.org/toolbox/unices/
# Licence: GNU General Public License
######################################################################################
# CHANGELOG
######################################################################################
# 1.0.0 07/07/2006 - Removed 'keep alive' as the default of 600 (5 mins) is OK. (should have read 'keepalive' not 'keep alive'.)
# - Removed printing section as it was outdated and never utilised.
# - Changed [profiles] 'create mask' to 'create mode' and 'directory mask' to 'directory mode'
# ('create mode' is a synonym for 'create mask' and we'd used create mode elsewhere so better to standardise)
# - Increased 'max log size' from 50 to 100
# 0.9.7 24/02/2005 - Changed [shared] path = '/home/workgroup/shared' to /home/organisation_name_goes_here/shared
# - Changed [shared] 'force create mode' to use '0660' rather than '0770' as files don't need to be executable
# 0.9.6 20/07/2004 - Replaced domain name 'workgroup' with 'domain_name_goes_here'
# 0.9.5 18/10/2003 - Replaced 'passwd program' and 'passwd chat' settings with 'pam password change = yes'
# to get password syncing between Windows and Samba working.
# Un-commented and amended 'hosts allow' and 'hosts deny' settings which now work, for increased security
# 0.9.4 17/10/2003 - 0.8.3's advice to use 'Unix' rather than 'UNIX' was wrong. This smb.conf didn't change anyway!
# 0.9.3 17/10/2003 - 'force create mode' should use 0770 rather than 3770
# 0.9.2 17/08/2003 - added 'SO_KEEPALIVE' to 'socket options'
# - changed SO_SNDBUF and SO_RCVBUF from 8192 to 14596 for potential performance gain
# - 'locking = no' on [cdrom] as its a read-only file system. previously this was suggested but commented out
# - tidied up comments
# 0.9.1 14/08/2003 - 'force create mask = 5770' should have been 'force create mode = 3770'
# and 'force directory mask = 5770' and 'force directory mode = 3770'
# 0.9.0 07/08/2003 - Added 'force create mask = 5770' and 'force directory mask = 5770' to
# [shared] to match changes to Unix permissions on shared directories.
# Changed /tge/ in [shared] share to /workgroup/ indicating more clearly
# in this example that it refers to the organisation name.
# 0.8.5 09/04/2003 - [programs] browseable = yes rather than 'no'
# 0.8.4 09/04/2003 - added [shared]
# - 'server' renamed 'file-server'
# 0.8.3 03/03/2003 - Unix password sync command used 'Unix' rather than 'UNIX'
# 0.8.2 31/03/2003 - [programs] path = /usr/windows rather than /usr/windows/programs
# - removed 'wins support = yes' as Windows 2000 doesn't need a WINS server
######################################################################################
[global]
# The domain name
workgroup = domain_name_goes_here
# The server's name
netbios name = file-server
# Comment describing what the machine is
server string = the file server
# Workstations will set their time by this server
time server = yes
# SECURITY AND LOGGING SETTINGS
# this must be 'user' on a PDC
security = user
# Allow connections only from the local machine and the 10.0.0.* address range:
# (you'll want to change this if your network uses a different addressing range)
hosts allow = 127.0.0.1 10.0.0.
# Don't allow connections from any other IP address ranges than defined by 'hosts allow':
hosts deny = 0.0.0.0/0
# Only allow connections from ethernet cards and the loopback address:
interfaces = eth* lo
bind interfaces only = yes
# For Windows 2000/XP encrypted passwords
encrypt passwords = yes
# Provide logon scripts, home directories, etc as well as authentication
domain logons = yes
log file = /var/log/samba/log.%m
# log level = 2
# Put a capping on the size (in kB) of the log file
max log size = 100
# PDC and master browser settings
# (Samba reads ';' and '#' as comment markers only at the start of a line, so each note sits above its setting)
# ensure this machine is consulted 1st regarding current browse list
os level = 64
preferred master = yes
local master = yes
# This defines it as the Primary Domain Controller
domain master = yes
# Automatically add a Linux / Unix and Samba machine account when joining a machine to the domain
add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
# User profiles and home directory.
# the local path to which the home ([HOMES]) directory will be connected
logon drive = H:
# Where 'profiles' = [profiles] further on
logon path = \\%L\profiles\%U
# the logon script, whose location is defined in [NETLOGON]
logon script = netlogon.bat
# Define user mappings between this system and Windows systems.
# Without this you get asked for a password even if none is required
# username map = /etc/samba/users.map
# but if you've created SMB users on here you don't need it
# Fine-tuning Samba for increased speed on Linux systems
# SO_KEEPALIVE - sends a probe every 4 hours to check that a connection is still active. if the connection does not respond, it is closed
# TCP_NODELAY -
# IPTOS_LOWDELAY -
# SO_SNDBUF=14596 - 14596 is roughly the best in most circumstances, it may be able to be tuned better for your system
# SO_RCVBUF=14596 - same reason as above
socket options = TCP_NODELAY, IPTOS_LOWDELAY, SO_KEEPALIVE, SO_SNDBUF=14596, SO_RCVBUF=14596
# Keep the case in file/directory names; when looking for a file
# matching is done without regard to case, as expected by Windows
preserve case = yes
short preserve case = yes
case sensitive = no
# Sync Unix passwords from Windows workstations using PAM
# (allows users to change their passwords)
unix password sync = yes
pam password change = yes
# --- shares ---
[profiles]
comment = Windows user profile directories
path = /home/samba/profiles
read only = no
browseable = no
# 0600 = rw------- : only the user can read/write files
create mode = 0600
# 0700 = rwx------ : directories must be executable if they are to be navigated
directory mode = 0700
# [root]
# For administration purposes
# path = /
# browseable = no
# writeable = yes
# valid users = @admins
[homes]
# 'logon drive' won't work without this section
# If you want to set the home directory somewhere other than the Unix home:
# path =
volume = HOME
comment = home directories
read only = no
# Don't display a 'homes' share as well as the '%U' share
browseable = no
public = no
create mode = 0750
[programs]
# Map P: to this; use it to install programs to
# and to point programs to that don't like using UNC
comment = installed programs
path = /usr/windows
read only = yes
write list = @admins
browseable = yes
[shared]
comment = shared space for everyone
path = /home/organisation_name_goes_here/shared
read only = no
browseable = yes
# Match Unix permissions set on files
force create mode = 0660
# Match Unix permissions set on the directory
force directory mode = 3770
[cdrom]
comment = Server's CD-ROM
path = /cdrom
read only = yes
# Speed up file access as this is a read-only file system
locking = no
[NETLOGON]
# Required for Windows authentication
comment = The domain logon service
path = /home/netlogon
read only = yes
# 'read only' can be changed to 'no' whilst you edit this file
# but revert back to 'yes' for normal secure operation
browseable = no
write list = @admins
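Two slips are easy to make in a hand-edited smb.conf of this shape: a parameter line that has lost its '=' (Samba does not treat it as a setting) and a note appended to a value after ';' (Samba reads ';' and '#' as comment markers only at the start of a line, so the note becomes part of the value, and 'domain master = yes ; PDC' is a badly formed boolean). The lint below is an added example written for this page; it is not part of the original document, of Twix or of Samba. It needs only sh and awk, the fragment it checks is constructed to contain both slips, and smbconf_check additionally runs Samba's own testparm when that is installed.

```shell
#!/bin/sh
# Added example, not from the original page or the Samba project: a small lint for
# smb.conf. Samba recognises ';' and '#' as comment markers only at the start of a
# line, so a note appended after a value becomes part of that value, and a parameter
# line with no '=' is not a setting at all.

# Constructed sample fragment: the hosts deny line lacks '=' and the domain master
# line carries a trailing comment, so the lint should report exactly two lines.
SAMPLE_SMBCONF='[global]
workgroup = domain_name_goes_here
# hosts allow is fine: its comment is on a line of its own
hosts allow = 127.0.0.1 10.0.0.
hosts deny 0.0.0.0/0
domain master = yes ; This defines it as the Primary Domain Controller
logon script = netlogon.bat
[netlogon]
path = /home/netlogon
read only = yes'

# smbconf_lint FILE: report suspect lines on stderr; print the number found on stdout
smbconf_lint() {
  awk '
    /^[ \t]*[#;]/ { next }                  # whole-line comment
    /^[ \t]*$/    { next }                  # blank line
    /^[ \t]*\[/   { next }                  # [section] header
    !/=/ {
      print "line " NR ": no \"=\", Samba ignores this line: " $0 | "cat 1>&2"
      bad++; next
    }
    /=.*[ \t][#;]/ {
      print "line " NR ": trailing comment becomes part of the value: " $0 | "cat 1>&2"
      bad++
    }
    END { close("cat 1>&2"); print bad + 0 }
  ' "$1"
}

# smbconf_check FILE: run the lint, then Samba'"'"'s own parser if it is installed
smbconf_check() {
  n=$(smbconf_lint "$1")
  echo "$n suspect line(s) in $1"
  if command -v testparm >/dev/null 2>&1; then
    testparm -s "$1" >/dev/null || echo "testparm reported problems in $1"
  fi
  return 0
}

# Stand-alone demo on the constructed fragment (use /etc/samba/smb.conf for real)
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SMBCONF" > "$tmp"
smbconf_check "$tmp"
rm -f "$tmp"
```

Run it against /etc/samba/smb.conf after every edit and before restarting Samba; a count of 0 from the lint plus a silent testparm is what you want to see. The lint deliberately flags any ';' or '#' that follows whitespace inside a value, which is where a trailing note would sit.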
Usernames and directories - user - creating a user account
Create Unix accounts and home directories for each user:
adduser 'username'
Create Samba accounts and Windows profile directories for each user, including root:
smbpasswd -a 'username'
mkdir /home/samba/profiles/'username'
chown 'username' /home/samba/profiles/'username'
(whether this is needed is uncertain:)
chgrp users /home/samba/profiles/'username'
User groups (optional)
You'll want to be able to designate different groups of users so as to enable different functionality for them. It's probably easier to name groups 'organisation' or 'organisation-group', otherwise you may clash with existing system groups such as 'users' and 'staff'.
Add any relevant users to the 'admins' group for Windows / Samba administration.
Create the groups you need:
- for most people:
addgroup organisation
- and perhaps any sub-groups, for example:
addgroup organisation-staff
and
addgroup organisation-students
Add users to the groups:
- add users to the organisational group:
adduser 'username' 'group'
- add users to sub-groups:
adduser 'username' 'group'
Shared user areas (optional)
Make a top-level directory to hold all the organisation's different shared directories:
mkdir /home/organisation
Make a publicly shared directory that everyone in the organisation can use:
mkdir /home/organisation/shared
Change permissions for that directory, so that all subsequent files created within it have the permissions best suited to your environment, for example use one of these:
chmod 3770 /home/organisation/shared
so that:
- new files created there belong to the same group as the directory
- only file owners, and root, can delete files
- all file owners can read, write and navigate to files in this directory
- all group members can read, write and navigate to files in this directory
- all people who're not owners or members of the same group cannot read, write or navigate to files in this directory
or
chmod 2770 /home/organisation/shared
so that:
- new files created there belong to the same group as the directory
- the file owner, or anyone in the group, can delete files
- all file owners can read, write and navigate to files in this directory
- all group members can read, write and navigate to files in this directory
- all people who're not owners or members of the same group cannot read, write or navigate to files in this directory
The following table describes what these numbers mean (where 'u' means 'setuid' (set user id), 'g' means 'setgid' (set group id), 's' means 'sticky bit' (can be deleted only by file owner or root), 'r' means 'read', 'w' means 'write' and 'x' means 'execute' (navigate to a directory)):
| | Special permissions | User permissions | Group permissions | Others' permissions |
|---|---|---|---|---|
| Permissions | ugs | rwx | rwx | rwx |
| Which ones we want enabled, as bit values (4, 2, 1) | 021 | 421 | 421 | 000 |
| Total ('bitmask') of those we want enabled | 3 | 7 | 7 | 0 |
Set the group membership of the directory to be the same as the group that will share it (i.e. the whole organisation):
chgrp organisation /home/organisation/shared
Match these permissions in Samba's smb.conf using force create mode and force directory mode.
You could similarly create shared directories for sub-groups of the organisation in /home/organisation/group
where members of one group are restricted from accessing another group's files in various ways,
such as not having access to them at all (same as above but set each directory's group membership respective to that directory),
or being able to read files but not change or remove them.
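The shell functions below are an added example written for this page, not part of the original document or of Twix. They set up a shared directory with the 3770 scheme described in this section and repair an existing tree the way the 17 Oct 2003 entry under 'Significant changes to this document' describes, using find(1) so that every depth of sub-directory is handled in one pass rather than repeating chmod on */, */*/ and so on. Paths and the group are assumptions: the demo runs in a scratch directory against the current user's primary group; in production substitute /home/organisation/shared and the 'organisation' group. mode_of relies on GNU stat's %a format, which includes the special-bit digit.

```shell
#!/bin/sh
# Added example, not part of the original document: the 3770 shared-directory scheme
# from this section, plus a find(1)-based repair for the case the changelog warns
# about (setgid/sticky bits left on files, where they mean something different).
# The paths used by demo() are a scratch tree, not the real /home/organisation/shared.

# make_shared_dir DIR GROUP MODE: create DIR, hand it to GROUP, apply MODE (3770 or 2770)
make_shared_dir() {
  mkdir -p "$1" && chgrp "$2" "$1" && chmod "$3" "$1"
}

# repair_special_bits ROOT: files lose setuid, setgid and sticky; every directory
# under ROOT (ROOT included) keeps setgid + sticky so new files inherit the group
# and only their owner (or root) can delete them
repair_special_bits() {
  find "$1" -type f -exec chmod u-s,g-s,-t {} +
  find "$1" -type d -exec chmod g+s,+t {} +
}

# mode_of PATH: octal mode including the special-bit digit, e.g. 3770 (GNU stat)
mode_of() { stat -c %a "$1"; }

# group_of PATH: name of the group owning PATH
group_of() { stat -c %G "$1"; }

# Stand-alone demo on a constructed scratch tree
demo() {
  root=$(mktemp -d)
  grp=$(id -gn)                              # stands in for the 'organisation' group
  make_shared_dir "$root/shared" "$grp" 3770
  mkdir "$root/shared/sub"                   # inherits setgid from its parent on Linux
  : > "$root/shared/sub/file.txt"
  chmod 3770 "$root/shared/sub/file.txt"     # the mistaken 3770 on a regular file
  echo "before repair: file $(mode_of "$root/shared/sub/file.txt")"
  repair_special_bits "$root/shared"
  echo "after repair:  shared $(mode_of "$root/shared") sub $(mode_of "$root/shared/sub") file $(mode_of "$root/shared/sub/file.txt")"
  echo "file group: $(group_of "$root/shared/sub/file.txt") (inherited from the setgid directory)"
  rm -rf "$root"
}
demo
```

The repair is what the changelog's chmod sequence converges on, but it also reaches directories nested deeper than the pattern you stopped at, and it leaves the top-level mode (3770) untouched because chmod g+s,+t only adds bits. Run it as root on the real share, since the files there belong to many users.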
Configuring the Windows workstation
- authenticate each workstation
- log on to the Windows workstation as any user with administrative privileges
- Using Windows 2000: Start → Settings → Control Panel → System → Network Identification → Properties → Member of → Domain → type the domain name as specified in the 'workgroup' section of smb.conf → ok
- enter the root username and password for the Samba server
- (if you simply wish to transfer existing users from a workstation, then if a user exists on the Samba server and on the workstation, at this point you could log them into the Samba server and their profile from the workstation would be copied to the Samba server when they log out)
Windows profiles
There is a choice of methods here:
- for each user to continue using their existing profile, always using the same machine with its own applications installed
- after having created an account for them on the server, simply log on to the server and the existing Windows profile on the local machine will be used (as there won't be one already on the server) and copied over to the server. This is fine if they only ever use the same computer but beware, the profile may have references to software installed only on their machine, so if they want to log in from other machines it is probably worth starting over with a fresh profile and setting up each machine exactly the same; see the next method
- for each user to have their own profile, which they can alter, donated to them efficiently using a single template profile, and that they can roam with from one machine to another; each machine having the same applications installed, or installed on the server
- configure a Windows user account on a workstation the way you want it
(if you try to create a user account after you've created a machine account for this machine on the Samba server, creating the account on the workstation will fail and elicit a message saying you can't create accounts in that domain. We don't know what this is about but to work around it you can use Users and Passwords' Advanced → Advanced → Users → Action → New User... option, or create the account without the workstation being part of a domain (do so before-hand, or temporarily revert back to a workgroup).)
This will be a 'Restricted User' account.
This account will be the template user profile. (We use TWEAK - The Windows Environment and Application Konfigurator, available from http://thegoldenear.org/tweak/, to configure the template user account quickly and easily; you only need run the per-user options, including Roaming Computing System specific options, A → P → P.)
Create the template without running any applications, that will be done later; consider where you're going to keep icons for applications by reading the section on applications further on.
Any applications that require their preferences pre-installing manually (rather than dealing with it themselves) in the Windows profile will want that doing so now (see applications section further on).
- get the template Windows profile to the server
- on the server, make a Windows profile directory for the template user:
mkdir /home/samba/profiles/template
- using Windows Explorer, make a connection to \\FILE-SERVER\ by navigating there; when asked, enter the username and password for an administrative account, i.e. root
- copy the template user's Windows profile to the server with Windows 2000's System Properties → User Profiles → 'Copy To...' to \\FILE-SERVER\profiles\template
- change ownership to Everyone (what difference does it make between setting Everyone for the local machine or the domain?)
(whether this is needed is uncertain:)
chgrp user /home/samba/profiles/template/ -R
- propagate the template Windows profile to users' Windows profile directories on the server:
cp /home/samba/profiles/template/* /home/samba/profiles/'username'/ -R
chown 'username' /home/samba/profiles/'username' -R
(whether this is needed is uncertain:)
chgrp 'username' /home/samba/profiles/'username' -R
- get the new users' Windows profile working
- log in to the server from a workstation. The workstation will create a 'local' profile based on its default settings
- log out and log back in again. The workstation will label the profile a 'roaming' profile and get the pre-configured profile from the server
- Windows will have created some extra default icons you may want to get rid of
- We do not cover the situation where all users share a single mandatory profile, which they cannot alter, that they can roam with from one machine to another; each machine having the same applications installed, or installed on the server
Windows logon script
The logon script, netlogon.bat, is a batch file containing commands that are run when a user logs onto the server.
It needs to be a plain text file in DOS CR/LF (carriage-return/line-feed) format. You can create the logon script on a Windows workstation then
copy it to the server using WinSCP, as any Windows user. Alternatively, if you have Samba administrative privileges you can copy and edit it
directly on the server from a Windows workstation.
On the server, to set up the logon script follow these points:
- move to the logon script directory:
cd /home/netlogon
- download our pre-configured logon script:
wget http://thegoldenear.org/toolbox/unices/samba/NETLOGON.BAT
which looks like this:
rem ###########################################
rem logon script
rem version 0.7.0
rem
rem remember this file needs DOS CR/LF to work
rem ###########################################
rem Change Log
rem 0.7.1 07-July-2006 - removed 'audition'
rem 0.7.0 13-Dec-2003
rem - added a new user TEMP location of e:\%username%\windows and e:\windows
rem - changed 'cooledit' directory name to 'audition' to reflect that program's name change
rem - removed creation of 'powerarchiver' directory as we use 7-Zip exclusively
rem 0.6.5 08-April-2003
rem - renamed 'server' to 'file-server'
rem - removed '/PERSISTANT:YES'
rem -------------------------------------------
net use P: \\file-server\programs
rem (only admins group can write there in our Samba configuration)
rem make mappings to shared areas, i.e.:
rem H: is made by smb.conf
net use S: \\file-server\shared
rem sync the workstation's time to that of the file-server
net time \\file-server /set /yes
rem make connections to any printer(s):
rem net use LPT1:
rem create temporary directories for %USERNAME% on TEMP partition
rem (remove any for applications not used on your system):
if not exist "e:\%username%" md "e:\%username%"
if not exist "e:\%username%\winnt" md "e:\%username%\winnt"
if not exist "e:\%username%\windows" md "e:\%username%\windows"
rem ('winnt' remains for backwards compatibility. we changed to 'windows' on 12 Dec 03 / TWEAK 0.8.32)
if not exist "e:\%username%\ie" md "e:\%username%\ie"
if not exist "e:\%username%\ie\Temporary Internet Files" md "e:\%username%\ie\Temporary Internet Files"
if not exist "e:\%username%\mozilla" md "e:\%username%\mozilla"
if not exist "e:\%username%\java" md "e:\%username%\java"
if not exist "e:\%username%\nero" md "e:\%username%\nero"
if not exist "e:\%username%\audacity" md "e:\%username%\audacity"
:EOF
- enable all users access to read the logon script:
chmod a+r /home/netlogon/NETLOGON.BAT
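The CR/LF requirement is easy to break by editing the script on the server with a Unix editor, and a logon script with bare LF line endings simply misbehaves on the workstation. The functions below are an added example written for this page, not part of the original document; they need only sh and awk (no dos2unix), check and normalise the line endings, and apply the chmod a+r from the step above. The file they work on in the demo is a constructed two-line script in a scratch directory; point them at /home/netlogon/NETLOGON.BAT in real use.

```shell
#!/bin/sh
# Added example, not part of the original document: keep NETLOGON.BAT in DOS CR/LF
# format, and readable by every user, without relying on dos2unix being installed.

# crlf_ok FILE: print "yes" if every line ends in CR LF, otherwise "no"
crlf_ok() {
  if awk '!/\r$/ { bad = 1 } END { exit bad + 0 }' "$1"; then echo yes; else echo no; fi
}

# to_crlf FILE: rewrite FILE with CR LF line endings. Idempotent: any CR already
# present is stripped first, so a file that is already DOS format is unchanged.
to_crlf() {
  awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# install_logon_script FILE: normalise line endings, make the script world-readable
# (the chmod a+r step above) and print the resulting crlf_ok verdict
install_logon_script() {
  to_crlf "$1" && chmod a+r "$1" && crlf_ok "$1"
}

# Stand-alone demo on a constructed two-line script in a scratch directory
demo() {
  d=$(mktemp -d)
  printf 'rem logon script (constructed sample)\nnet use S: \\\\file-server\\shared\n' > "$d/NETLOGON.BAT"
  echo "before: crlf_ok=$(crlf_ok "$d/NETLOGON.BAT")"
  echo "after:  crlf_ok=$(install_logon_script "$d/NETLOGON.BAT")"
  od -c "$d/NETLOGON.BAT" | head -n 3         # shows the \r \n pairs
  rm -rf "$d"
}
demo
```

Because crlf_ok checks every line rather than just the first, a file that was edited only partially on Unix (some lines CR/LF, some LF) is reported as "no" and gets fixed by the same to_crlf pass.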
Windows applications installed on each workstation (if any)
- Install applications to each workstation, with administrative privileges, choosing exactly the same directory name each time (we use just the program name on its own, without spaces)
- Organise Start Menu and Desktop icons for applications, either:
- Start Menu and Desktop icons in template profile, so each user gets their own. A disadvantage of this is when some applications don't exist on some workstations. An advantage is that you have control as to where they're placed on the desktop.
- Start Menu and Desktop icons in workstation's All Users, thus enforced upon everyone - but what happens when enforced desktop icons mix with user desktop icons?
- If a user doesn't have a profile for that application already (applications that automatically create profiles will do so only for the user who installed the application) then one will be created in the local profile and copied to the server on exit. At this point you can insert any pre-configuration techniques you have that haven't already been made (if a program uses a configuration file in the Windows profile and it can be pre-configured by just placing a file in the template profile then presumably you'll have already done that), and/or run any applications' manual profile installers if there are any that work that way (i.e. OpenOffice).
- If a program's cache lives within the Windows profile directory, that cache directory should be set as one of the directories exempt from being restored to and from the server when the user logs in and out.
- This section needs to be continued...
Windows applications installed on the server (if any)
you can install applications from a Windows workstation to the Samba server so that they're served to multiple Windows workstations
- Choose your applications carefully...
- An advantage with applications on the server is the ease by which they can be maintained and upgraded. A disadvantage is that they will run slower than if they were installed locally
- If the user's Windows profile only uses C:, then applications should work everywhere. If you are using multiple partitions on workstations and the Windows profiles use that then tweaks will have to be made...
- This section needs to be continued...
Printing
So far we've only used HP LaserJet printers with JetDirect print servers and printed _direct_ to them (using the RAW protocol) from each Windows
workstation, rather than setting up a print server using CUPS and Samba. See our printer configuration document for details of how we configured
them: http://thegoldenear.org/toolbox/windows/docs/printer-config.html.
Our document 'Server Setup with Debian GNU/Linux' describes how to set up a print server using CUPS and Samba.
Samba testing tools
List current Samba connections (verbose output): smbstatus -d
Print a list of smbd processes: smbstatus -p
List current Samba connections (only for a particular user): smbstatus -u 'username'
Get a list of shares available on a host: smbclient -L file-server
Test the ability to use a service within the domain : smbclient //file-server/shared -U username
Start, stop and restart Samba: /etc/init.d/samba start|stop|restart
Useful administration utilities
It can be useful to have access to various utilities for system administration. They can be kept in
P:\programs\utils so they're available from all workstations. We use:
- WinSCP (from Martin Prikryl) - for easily and securely copying files between Windows workstations and the server and changing their permissions on the server
- Putty (from Simon Tatham) - for remotely and securely connecting from a Windows workstation to the server to carry out almost any tasks that would otherwise require you to sit at the server itself
- Regmon (from Sysinternals) - monitors registry accesses, useful when diagnosing problems on Windows workstations
- Filemon (from Sysinternals) - monitors file access, useful when diagnosing problems on Windows workstations
- PsTools Suite (from Sysinternals) - we haven't reviewed these much yet but expect them to be very worthwhile
Hoarding other administrative software
Keep a library of administrative software so that it is available at all times from all workstations. This is best kept out of the way of users' shared areas.
P:\drivers - device drivers for the various hardware used on workstations, i.e. printer drivers
P:\software - various software application installation programs
Fixes for some problems
When trying to authenticate a workstation you get the message 'you're using a machine account, use your global user account or...'.
You may have already authenticated this machine and something has gone wrong. Removing the line for the machine account from the /etc/samba/smbpasswd file can fix this.
Day-to-day administration
To create new user accounts you should follow the 'Usernames and directories - user - creating a user account' section.
To introduce new machines you should follow the 'Configuring the Windows workstation' section.