Samba as a Primary Domain Controller

Although it cannot act as an Active Directory Primary Domain Controller (PDC), a Samba server can be configured to appear as a Windows NT4-style domain controller. A major advantage of this configuration is the ability to centralize user and machine credentials. Samba can also use multiple backends to store the user information.

Primary Domain Controller

This section covers configuring Samba as a Primary Domain Controller (PDC) using the default smbpasswd backend.

First, install Samba, and libpam-smbpass to sync the user accounts, by entering the following in a terminal prompt:

sudo apt-get install samba libpam-smbpass
Next, configure Samba by editing /etc/samba/smb.conf. The security mode should be set to user, and the workgroup should relate to your organization:

workgroup = EXAMPLE

security = user
In the commented “Domains” section add or uncomment the following:

domain logons = yes
logon path = \%N%Uprofile
logon drive = H:
logon home = \%N%U
logon script = logon.cmd
add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u
domain logons: provides the netlogon service causing Samba to act as a domain controller.

logon path: places the user’s Windows profile into their home directory. It is also possible to configure a [profiles] share placing all profiles under a single directory.

logon drive: specifies the home directory local path.

logon home: specifies the home directory location.

logon script: determines the script to be run locally once a user has logged in. The script needs to be placed in the [netlogon] share.

add machine script: a script that will automatically create the Machine Trust Account needed for a workstation to join the domain.

In this example the machines group will need to be created using the addgroup utility see the section called “Adding and Deleting Users” for details.

Also, rights need to be explicitly provided to the Domain Admins group to allow the add machine script (and other admin functions) to work. This is achieved by executing:

net rpc rights grant “EXAMPLEDomain Admins” SeMachineAccountPrivilege SePrintOperatorPrivilege
SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

If you wish to not use Roaming Profiles leave the logon home and logon path options commented.

Uncomment the [homes] share to allow the logon home to be mapped:

[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
When configured as a domain controller a [netlogon] share needs to be configured. To enable the share, uncomment:

[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = yes
read only = yes
share modes = no

The original netlogon share path is /home/samba/netlogon, but according to the Filesystem Hierarchy Standard (FHS), /srv is the correct location for site-specific data provided by the system.

Now create the netlogon directory, and an empty (for now) logon.cmd script file:

sudo mkdir -p /srv/samba/netlogon
sudo touch /srv/samba/netlogon/logon.cmd
You can enter any normal Windows logon script commands in logon.cmd to customize the client’s environment.

With root being disabled by default, in order to join a workstation to the domain, a system group needs to be mapped to the Windows Domain Admins group. Using the net utility, from a terminal enter:

sudo net groupmap add ntgroup=”Domain Admins” unixgroup=sysadmin rid=512 type=d

Change sysadmin to whichever group you prefer. Also, the user used to join the domain needs to be a member of the sysadmin group, as well as a member of the system admin group. The admin group allows sudo use.

Finally, restart Samba to enable the new domain controller:

sudo restart smbd
sudo restart nmbd
You should now be able to join Windows clients to the Domain in the same manner as joining them to an NT4 domain running on a Windows server.

Backup Domain Controller
With a Primary Domain Controller (PDC) on the network it is best to have a Backup Domain Controller (BDC) as well. This will allow clients to authenticate in case the PDC becomes unavailable.

When configuring Samba as a BDC you need a way to sync account information with the PDC. There are multiple ways of accomplishing this scp, rsync, or by using LDAP as the passdb backend.

Using LDAP is the most robust way to sync account information, because both domain controllers can use the same information in real time. However, setting up a LDAP server may be overly complicated for a small number of user and computer accounts. See the section called “Samba and LDAP” for details.

First, install samba and libpam-smbpass. From a terminal enter:

sudo apt-get install samba libpam-smbpass
Now, edit /etc/samba/smb.conf and uncomment the following in the [global]:

workgroup = EXAMPLE

security = user
In the commented Domains uncomment or add:

domain logons = yes
domain master = no
Make sure a user has rights to read the files in /var/lib/samba. For example, to allow users in the admin group to scp the files, enter:

sudo chgrp -R admin /var/lib/samba
Next, sync the user accounts, using scp to copy the /var/lib/samba directory from the PDC:

sudo scp -r username@pdc:/var/lib/samba /var/lib

Replace username with a valid username and pdc with the hostname or IP Address of your actual PDC.

Finally, restart samba:

sudo restart smbd
sudo restart nmbd
You can test that your Backup Domain controller is working by stopping the Samba daemon on the PDC, then trying to login to a Windows client joined to the domain.

Another thing to keep in mind is if you have configured the logon home option as a directory on the PDC, and the PDC becomes unavailable, access to the user’s Home drive will also be unavailable. For this reason it is best to configure the logon home to reside on a separate file server from the PDC and BDC.

Centos on MAC Mini

This post is about my experiences installing CentOS 6.0 on Mac Mini ’07 model. Its an absolutely wonderful piece of hardware – 1.8Ghz, 2 G, 80GB. This had been running OSX for last 4 years and finally decided to move onto linux.

One of the problems with new OSX operating systems is they tend to run slower.

Steps to install:

1. Go to centos website and download 386 ISO ( i chose minimal edition can always install software and customize the environment)

This edition of mac mini runs on Core Duo chipset hence x86_64 is not supported.

2. Burn the ISO on a RW CD

3. Reboot the system and place the media on CD drive

4. Wait for a while until you see installer and follow the steps to install the application.

5. I chose to use the entire HD for linux, don’t plan to run osx on this anymore

6. create users etc and reboot system.

Smoothwall mods

Lots of goodies at http://code.google.com/p/swemods/

Install modcommander to get a web install interface.

Mods installed on my Smoothwall Server:

Clamav
DHCP Lease
Enhanced DHCP mod
Smoothwall Backup
Vmwaretools

Howto resize an ext4 partition

CAUTION: While resizing the partition there is always some risk of data loss, so ensure you have backed up all data before you follow this guide.

Shrink a Partition:



Here i will explain how a single partition 80G disk has been broken into 50 / 1 / 29

$ sudo fdisk /dev/sda

The number of cylinders for this disk is set to 9729.

There is nothing wrong with that, but this is larger than 1024,

and could in certain setups cause problems with:

1) software that runs at boot time (e.g., old versions of LILO)

2) booting and partitioning software from other OSs

(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/sda: 80.0 GB, 80026361856 bytes

255 heads, 63 sectors/track, 9729 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System

/dev/sda1 1 9729 78148161 83 Linux





$ sudo resize2fs /dev/sda1 49G
resize2fs 1.41.4 (27-Jan-2009)
Resizing the filesystem on /dev/sda1 to 12845056 (4k) blocks.
The filesystem on /dev/sda1 is now 12845056 blocks long.
Use CFDISK to
  • delete the partition (with size 80G)
  • re-create a new partition with sizes 52G
$ sudo cfdisk /dev/sda
Use resize2fs on the new partition
$ sudo resize2fs /dev/sda1
resize2fs 1.41.4 (27-Jan-2009)
Resizing the filesystem on /dev/sda1 to 12695358 (4k) blocks.
The filesystem on /dev/sda1 is now 12695358 blocks long.



NOTE: If partition size is lesser than filesystem size then you will see an error as shown below. Use cfdisk and recreate the partition.


$ sudo resize2fs /dev/sda1
resize2fs 1.41.4 (27-Jan-2009)
Resizing the filesystem on /dev/sda1 to 12450367 (4k) blocks.
resize2fs: Can’t read an block bitmap while trying to resize /dev/sda1


mount and the new partition to confirm data exists

$ sudo mount /dev/sda1 /media/
$ cd /media/
$ ls
lost+found www
$ ls -alrt
total 16
drwxr-xr-x 4 root root 4096 Dec 26 08:28 .
drwxrwxrwx 3 www-data www-data 4096 Dec 26 08:33 www
drwxrwxr-x 21 root root 4096 Dec 26 08:38 ..
drwx—— 2 root root 4096 Dec 26 11:52 lost+found
$ df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mmcblk0p1 1889792 894844 898952 50% /
tmpfs 256648 0 256648 0% /lib/init/rw
varrun 256648 284 256364 1% /var/run
varlock 256648 0 256648 0% /var/lock
udev 256648 120 256528 1% /dev
tmpfs 256648 0 256648 0% /dev/shm
tmpfs 256648 26592 230056 11% /var/cache/apt
/dev/sda1 49983444 240488 47203888 1% /media