Setting up Samba 2.2 as a primary domain controller with roaming profiles using Debian 3.0 Woody

Introduction

Note: this document has been superseded by our document Setting up a Samba primary domain controller and file/print/software deployment server using Samba 3 on Debian 3.1 Sarge.

This document describes how to set up Samba on Debian GNU/Linux to act as a primary domain controller for Windows 2000 Pro or Windows XP Pro workstations.

Everything described in this document that is run on the Samba server has been automated by us and included in our Twix program, available at http://thegoldenear.org/toolbox/unices/twix/. Twix incorporates all options into a single menu-driven script.

This document should be a useful companion to the following other documentation

This document is based on using Samba 2.2.3a with Debian GNU/Linux 3.0.

Significant changes to this document

7 July 2006 - smb.conf changes, the only slightly noteworthy one being that the example [shared] path changed from /home/workgroup/shared to /home/organisation_name_goes_here/shared so that it is also changed by Twix and is more self-explanatory (this has already been changed in our downloadable smb.conf)

12 July 2004 - updated NETLOGON.BAT login script from 0.6.5 to 0.7 with its updated Windows user temp directory

10 Feb 2004 - removed various sections detailing how to script this whole configuration, instead providing a link to Twix which incorporates all such scripts into a single more usable menu-driven version

28 Oct 2003 - make files executable using chmod +x filename rather than chmod 770 filename
Location for storing software on the server changed from /usr/windows/windows-toolbox to /usr/windows/software

17 Oct 2003 - updates to smb.conf get password syncing between Windows and Samba working; and increase security

17 Oct 2003 - changed smb.conf's 'force create mode' to 0770 instead of 3770. These bits mean different things when set on files and on directories; 3 is a security risk. If you've been using this you'll want to remove this bit from all files in affected directories only:

17 Aug 2003 - changes to smb.conf's 'socket options'

7 Aug 2003 - 'shared user areas' section now describes how to set permissions on shared directories such that all subsequent files and directories created there have a specific set of permissions. This is mirrored in the 'create shared user data directories' script and in smb.conf.

Installing Samba

To install Samba using Debian:

Usernames and directories - system

Create groups for system use

Create directories for Samba to use with Windows

The Samba configuration file (smb.conf)

We have a suggested configuration file for a Windows 2000 primary domain controller (http://thegoldenear.org/toolbox/unices/smb-conf-pdc.txt)

Our smb.conf configuration file looks like this:

# smb.conf - Samba 2.2.x configuration file
# From http://thegoldenear.org/toolbox/unices/
# Licence: GNU General Public License

######################################################################################
# CHANGELOG
######################################################################################
# 1.0.0 07/07/2006 - Removed 'keep alive' as the default of 600 (5 mins) is OK (should have read 'keepalive' not 'keep alive').
#                  - Removed printing section as it was outdated and never utilised.
#                  - Changed [profiles] 'create mask' to 'create mode' and 'directory mask' to 'directory mode'
#                    ('create mode' is a synonym for 'create mask' and we'd used create mode elsewhere so better to standardise)
#                  - Increased 'max log size' from 50 to 100
# 0.9.7 24/02/2005 - Changed [shared] path = '/home/workgroup/shared' to /home/organisation_name_goes_here/shared
# - Changed [shared] 'force create mode' to use '0660' rather than '0770' as files don't need to be executable
# 0.9.6 20/07/2004 - Replaced domain name 'workgroup' with 'domain_name_goes_here'
# 0.9.5 18/10/2003 - Replaced 'passwd program' and 'passwd chat' settings with 'pam password change = yes'
#                    to get password syncing between Windows and Samba working.
#                    Un-commented and amended 'hosts allow' and 'hosts deny' settings which now work, for increased security
# 0.9.4 17/10/2003 - 0.8.3's advice to use 'Unix' rather than 'UNIX' was wrong. This smb.conf didn't change anyway!
# 0.9.3 17/10/2003 - 'force create mode' should use 0770 rather than 3770
# 0.9.2 17/08/2003 - added 'SO_KEEPALIVE' to 'socket options'
# - changed SO_SNDBUF and SO_RCVBUF from 8192 to 14596 for potential performance gain
# - 'locking = no' on [cdrom] as it's a read-only file system. Previously this was suggested but commented out
# - tidied up comments
# 0.9.1 14/08/2003 - 'force create mask = 5770' should have been 'force create mode = 3770'
#                    and 'force directory mask = 5770' should have been 'force directory mode = 3770'
# 0.9.0 07/08/2003 - Added 'force create mask = 5770' and 'force directory mask = 5770' to
# [shared] to match changes to Unix permissions on shared directories.
# Changed /tge/ in [shared] share to /workgroup/ indicating more clearly
# in this example that it refers to the organisation name.
# 0.8.5 09/04/2003 - [programs] browseable = yes rather than 'no'
# 0.8.4 09/04/2003 - added [shared]
# - 'server' renamed 'file-server'
# 0.8.3 03/03/2003 - Unix password sync command used 'Unix' rather than 'UNIX'
# 0.8.2 31/03/2003 - [programs] path = /usr/windows rather than /usr/windows/programs
# - removed 'wins support = yes' as Windows 2000 doesn't need a WINS server
######################################################################################

[global]
# The domain name
workgroup = domain_name_goes_here

# The server's name
netbios name = file-server

# Comment describing what the machine is
server string = the file server

# Workstations will set their time by this server
time server = yes

# SECURITY AND LOGGING SETTINGS

# This must be 'user' on a PDC
security = user

# Allow connections only from the local machine and the 10.0.0.* address range:
# (you'll want to change this if your network uses a different addressing range)
hosts allow = 127.0.0.1 10.0.0.

# Don't allow connections from any other IP address ranges than defined by 'hosts allow':
hosts deny = 0.0.0.0/0

# Only allow connections from ethernet cards and the loopback address:
interfaces = eth* lo
bind interfaces only = yes

# For Windows 2000/XP encrypted passwords
encrypt passwords = yes

# Provide logon scripts, home directories, etc as well as authentication
domain logons = yes

log file = /var/log/samba/log.%m

# log level = 2

# Put a capping on the size (in kB) of the log file
max log size = 100

# PDC and master browser settings
# (Samba only treats '#' or ';' as a comment at the start of a line, so keep
# these notes on their own lines rather than after a value)
# Ensure this machine is consulted 1st regarding the current browse list
os level = 64
preferred master = yes
local master = yes
# This defines it as the Primary Domain Controller
domain master = yes

# Automatically add a Linux / Unix and Samba machine account when joining a machine to the domain
add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u


# User profiles and home directory.
# the local path to which the home ([HOMES]) directory will be connected
logon drive = H:

# Where 'profiles' = [profiles] further on
logon path = \\%L\profiles\%U

# The logon script, whose location is defined in [NETLOGON]
logon script = netlogon.bat

# Define user mappings between this system and Windows systems.
# Without this you get asked for a password even if none is required
# username map = /etc/samba/users.map
# but if you've created SMB users on here you don't need it

# Fine-tuning Samba for increased speed on Linux systems
# SO_KEEPALIVE - sends a probe every 4 hours to check that a connection is still active. If the connection does not respond, it is closed
# TCP_NODELAY - send small packets immediately rather than buffering them (disables Nagle's algorithm)
# IPTOS_LOWDELAY - set the IP type-of-service field to ask routers for low-latency handling
# SO_SNDBUF=14596 - 14596 is roughly the best in most circumstances, it may be able to be tuned better for your system
# SO_RCVBUF=14596 - same reason as above
socket options = TCP_NODELAY, IPTOS_LOWDELAY, SO_KEEPALIVE, SO_SNDBUF=14596, SO_RCVBUF=14596

# Keep the case in file/directory names; when looking for a file
# matching is done without regard to case, as expected by Windows
preserve case = yes
short preserve case = yes
case sensitive = no

# Sync Unix passwords from Windows workstations using PAM
# (allows users to change their passwords)
unix password sync = yes
pam password change = yes


# --- shares ---

[profiles]
comment = Windows user profile directories
path = /home/samba/profiles
read only = no
browseable = no
# rw------- : only the user can read/write files
create mode = 0600
# rwx------ : directories must be executable if they are to be navigated
directory mode = 0700

# [root]
# For administration purposes
# path = /
# browseable = no
# writeable = yes
# valid users = @admins


[homes]
# 'logon drive' won't work without this section

# If you want to set the home directory somewhere other than the Unix home:
# path =

volume = HOME
comment = home directories
read only = no
# Don't display a 'homes' share as well as the '%U' share
browseable = no
public = no
create mode = 0750


[programs]
# Map P: to this; use it to install programs to
# and to point programs to that don't like using UNC
comment = installed programs
path = /usr/windows
read only = yes
write list = @admins
browseable = yes


[shared]
comment = shared space for everyone
path = /home/organisation_name_goes_here/shared
read only = no
browseable = yes

# Match Unix permissions set on files
force create mode = 0660

# Match Unix permissions set on the directory
force directory mode = 3770


[cdrom]
comment = Server's CD-ROM
path = /cdrom
read only = yes

# Speed up file access as this is a read-only file system
locking = no


[NETLOGON]
# Required for Windows authentication

comment = The domain logon service
path = /home/netlogon
read only = yes
# 'read only' can be changed to 'no' whilst you edit this file
# but revert back to 'yes' for normal secure operation
browseable = no
write list = @admins
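The configuration above is hand-edited, so it is worth checking mechanically before restarting Samba. The following is an added example of ours (not code from the original page or the Samba project): a small smb.conf reader plus an audit that flags settings differing from the PDC settings recommended above; the fragment it reads is constructed and the function names are ours.

```python
import re

# Constructed smb.conf fragment (not the page's full file). Two settings are
# weaker than the page's recommendations, so the audit should flag exactly those.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = domain_name_goes_here
   security = share
   hosts allow = 127.0.0.1 10.0.0.
   encrypt passwords = yes
   domain logons = yes
[profiles]
   path = /home/samba/profiles
   create mode = 0644
   directory mode = 0700
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers and 'key = value' lines.
    Only whole-line '#'/';' comments are skipped, as smbd does; a line
    without '=' is reported as an error rather than silently ignored."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" not in line:
            raise ValueError("malformed smb.conf line (no '='): %r" % raw)
        key, value = line.split("=", 1)
        conf.setdefault(section, {})[key.strip().lower()] = value.strip()
    return conf

def audit_pdc(conf):
    """Return descriptions of settings that differ from the hardened PDC setup."""
    g, p, findings = conf.get("global", {}), conf.get("profiles", {}), []
    if g.get("security", "").lower() != "user":
        findings.append("security must be 'user' on a PDC")
    if g.get("encrypt passwords", "").lower() not in ("yes", "true", "1"):
        findings.append("encrypt passwords should be 'yes' for Windows 2000/XP clients")
    if "hosts allow" not in g:
        findings.append("no 'hosts allow': every host reaching the server may connect")
    # Profile files must be private to their owner: no group/other bits at all.
    if p and int(p.get("create mode", "0"), 8) & 0o077:
        findings.append("[profiles] create mode grants group/others access to profile files")
    return findings

if __name__ == "__main__":
    for finding in audit_pdc(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("WARNING:", finding)
```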

Usernames and directories - user - creating a user account

Create Unix accounts and home directories for each user

Create Samba accounts and Windows profile directories for each user, including root

User groups (optional)

You'll want to be able to designate different groups of users so as to enable different functionality for them. It's probably easier to use a naming syntax of group or organisation-group, otherwise you may clash with existing system groups such as 'users' and 'staff'.

Add any relevant users to the 'admins' group for Windows / Samba administration

Create the groups you need

Add users to the groups

Shared user areas (optional)

Make a top-level directory to hold all the organisation's different shared directories:
mkdir /home/organisation

Make a publicly shared directory that everyone in the organisation can use:
mkdir /home/organisation/shared

Change permissions on that directory so that all subsequent files created within it have the permissions best suited to your environment, for example using one of these:

The following table describes what these numbers mean (where 'u' means 'setuid' (set user id), 'g' means 'setgid' (set group id), 's' means 'sticky bit' (files can be deleted only by their owner or root), 'r' means 'read', 'w' means 'write' and 'x' means 'execute' (navigate, for a directory)):

                                             Special       User          Group         Others'
                                             permissions   permissions   permissions   permissions
Permissions                                  ugs           rwx           rwx           rwx
Which ones we want enabled, as bit values    021           421           421           000
Total ('bitmask') of those we want enabled   3             7             7             0

Set the group membership of the directory to be the same as the group that will share it (i.e. the whole organisation):
chgrp organisation /home/organisation/shared

Match these permissions in Samba's smb.conf using force create mode and force directory mode.

You could similarly create shared directories for sub-groups of the organisation in /home/organisation/group where members of one group are restricted from accessing another group's files in various ways, such as not having access to them at all (same as above but set each directory's group membership respective to that directory), or being able to read files but not change or remove them.
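As an added example (ours, not from the original page), this Python script applies the 3770 directory permissions described above, breaks a mode into the columns of the permissions table, and checks that a file created inside a setgid directory takes the directory's group. The function names are ours and it uses a temporary directory instead of /home/organisation/shared; for a real share run it as root after chgrp, since an unprivileged chmod silently drops setgid when the caller is not in the directory's group.

```python
import os
import stat
import tempfile

# setgid (2) + sticky (1) on the directory, rwx for owner and group, nothing for others
SHARED_DIR_MODE = 0o3770

def explain_mode(mode):
    """Break a mode into the columns of the permissions table: which of
    setuid/setgid/sticky (u/g/s) and which r/w/x bits each class has."""
    specials = (("u", stat.S_ISUID), ("g", stat.S_ISGID), ("s", stat.S_ISVTX))
    result = {"special": "".join(c for c, b in specials if mode & b) or "-"}
    for cls, shift in (("user", 6), ("group", 3), ("others", 0)):
        digit = (mode >> shift) & 0o7
        result[cls] = "".join(c if digit & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))
    return result

def make_shared_dir(path, gid=None):
    """Create a shared directory the way the page does: chgrp first (if a gid is
    given), then chmod 3770. Returns (octal mode, setgid?, sticky?, others have access?)."""
    os.makedirs(path, exist_ok=True)
    if gid is not None:
        os.chown(path, -1, gid)          # chgrp before chmod so setgid is kept
    os.chmod(path, SHARED_DIR_MODE)
    m = os.stat(path).st_mode
    return (oct(stat.S_IMODE(m))[2:], bool(m & stat.S_ISGID),
            bool(m & stat.S_ISVTX), bool(m & 0o007))

def group_inherited(dir_path, name="probe.txt"):
    """Create a file in the directory and report whether it took the directory's
    group, which is what the setgid bit guarantees for new files and subdirectories."""
    fpath = os.path.join(dir_path, name)
    with open(fpath, "w") as fh:
        fh.write("constructed probe file\n")
    return os.stat(fpath).st_gid == os.stat(dir_path).st_gid

def demo():
    """Stand-alone run under a temporary directory instead of /home/organisation/shared."""
    shared = os.path.join(tempfile.mkdtemp(), "shared")
    return make_shared_dir(shared), group_inherited(shared)

if __name__ == "__main__":
    print(explain_mode(SHARED_DIR_MODE))  # {'special': 'gs', 'user': 'rwx', 'group': 'rwx', 'others': '---'}
    print(demo())
```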

Configuring the Windows workstation

Windows profiles

There is a choice of methods here:

Windows logon script

The logon script, netlogon.bat, is a batch file containing commands that are run when a user logs onto the server. It needs to be a plain text file in DOS CR/LF (carriage-return/line-feed) format. You can create the logon script on a Windows workstation then copy it to the server using WinSCP, as any Windows user. Alternatively, if you have Samba administrative privileges you can copy and edit it directly on the server from a Windows workstation.
On the server, to set up the logon script follow these points:

Windows applications installed on each workstation (if any)

Windows applications installed on the server (if any)

You can install applications from a Windows workstation to the Samba server so that they're served to multiple Windows workstations.

Printing

So far we've only used HP LaserJet printers with JetDirect print servers and printed _direct_ to them (using the RAW protocol) from each Windows workstation, rather than setting up a print server using CUPS and Samba. See our printer configuration document for details of how we configured them: http://thegoldenear.org/toolbox/windows/docs/printer-config.html.
Our document 'Server Setup with Debian GNU/Linux' describes how to set up a print server using CUPS and Samba.

Samba testing tools

List current Samba connections (verbose output): smbstatus -d

Print a list of smbd processes: smbstatus -p

List current Samba connections (only for a particular user): smbstatus -u 'username'

Get a list of shares available on a host: smbclient -L file-server

Test the ability to use a service within the domain: smbclient //file-server/shared -U username

Start, stop and restart Samba: /etc/init.d/samba start|stop|restart

Useful administration utilities

It can be useful to have access to various utilities for system administration. They can be kept in P:\programs\utils so they're available from all workstations. We use:

Hoarding other administrative software

Keep a library of administrative software so that it is available at all times from all workstations. This is best kept out of the way of users' shared areas.

Fixes for some problems

When trying to authenticate a workstation you get the message 'you're using a machine account, use your global user account or...'. You may have already authenticated this machine and something has gone wrong. Removing the line for the machine account from the /etc/samba/smbpasswd file can fix this.

Day-to-day administration

To create new user accounts you should follow the 'Usernames and directories - user - creating a user account' section.

To introduce new machines you should follow the 'Configuring the Windows workstation' section.