/usr/share/doc/kde/HTML/en/kubuntu/sharing/samba-dc.html is in kubuntu-docs 12.04.0ubuntu1.

This file is owned by root:root, with mode 0o644.

<html><head><title>Samba as a Domain Controller</title><link rel="stylesheet" type="text/css" href="help:/common/kde-default.css"><link rel="stylesheet" type="text/css" href="help:/common/kde-docs.css"><link rel="stylesheet" type="text/css" href="help:/common/kde-localised.css"><link rel="stylesheet" type="text/css" href="help:/common/kubuntu.css"><meta name="generator" content="DocBook XSL Stylesheets V1.76.1"><link rel="home" href="index.html" title="File Sharing in Kubuntu"><link rel="up" href="index.html" title="File Sharing in Kubuntu"><link rel="prev" href="samba-fileprint-security.html" title="Securing a Samba File and Print Server"><link rel="next" href="samba-ad-integration.html" title="Samba Active Directory Integration"><link rel="copyright" href="legal.html" title="Credits and License"><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><meta name="GENERATOR" content="KDE XSL Stylesheet V1.14 using libxslt"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div id="content"><div id="header"><div id="header_content"><div id="header_left"><div id="header_right"><img src="help:/common/top-kde.jpg" width="36" height="34"> Samba as a Domain Controller</div></div></div></div><div class="navCenter"><table class="navigation"><tr><td class="prevCell"><a accesskey="p" href="samba-fileprint-security.html">Prev</a></td><td class="upCell"> </td><td class="nextCell"><a accesskey="n" href="samba-ad-integration.html">Next</a></td></tr></table></div><div id="contentBody"><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="samba-dc"></a>Samba as a Domain Controller</h2></div></div></div><p>
Although it cannot act as an <span class="trademark">Active Directory 
Primary Domain Controller</span>® (<acronym class="acronym">PDC</acronym>), a 
<span class="application">Samba</span> server can be configured to appear as a 
<span class="trademark">Windows NT</span>®4-style domain controller. 
A major advantage of this configuration is the ability to centralize user and 
machine credentials. <span class="application">Samba</span> can also use multiple 
backends to store the user information.
</p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-pdc-smbpasswd"></a>Primary Domain Controller</h3></div></div></div><p>
This section covers configuring <span class="application">Samba</span> as a Primary 
Domain Controller (<acronym class="acronym">PDC</acronym>) using the default 
<span class="application">smbpasswd</span> backend.
</p><div class="procedure"><ol class="procedure" type="1"><li class="step"><p>
Install <span class="application">Samba</span> and 
<span class="application">libpam-smbpass</span> to sync the user accounts, by 
entering the following in a terminal prompt:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo apt-get install samba libpam-smbpass</strong></span></span>
</pre></li><li class="step"><p>
Next, configure <span class="application">Samba</span> by editing 
<code class="filename">/etc/samba/smb.conf</code>. The <span class="emphasis"><em>security</em></span> 
mode should be set to <span class="italic">user</span>, and the 
<span class="emphasis"><em>workgroup</em></span> should be set to a name appropriate for your organization:
</p><pre class="programlisting">
workgroup = EXAMPLE
...
security = user
</pre></li><li class="step"><p>
In the commented <span class="quote">&#8220;<span class="quote">Domains</span>&#8221;</span> section, add or uncomment the 
following:
</p><pre class="programlisting">
domain logons = yes
logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
logon script = logon.cmd
add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u
</pre><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
<span class="emphasis"><em>domain logons:</em></span> provides the netlogon service causing 
<span class="application">Samba</span> to act as a domain controller.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>logon path:</em></span> places the user's <span class="trademark">Windows</span>® profile into their home directory. It is 
also possible to configure a <span class="emphasis"><em>[profiles]</em></span> share placing all 
profiles under a single directory.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>logon drive:</em></span> specifies the local path (drive letter) to which the home directory is connected.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>logon home:</em></span> specifies the home directory location.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>logon script:</em></span> determines the script to be run locally once
a user has logged in. The script needs to be placed in the 
<span class="emphasis"><em>[netlogon]</em></span> share.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>add machine script:</em></span> a script that will automatically 
create the <span class="emphasis"><em>Machine Trust Account</em></span> needed for a workstation 
to join the domain.
</p><p>
In this example, the <span class="emphasis"><em>machines</em></span> group will need to be 
created using the <span class="application">addgroup</span> utility. See <a class="ulink" href="help:/kubuntu/basics/" target="_top"> Basics</a> for details.
</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
If <span class="emphasis"><em>Roaming Profiles</em></span> will not be used, leave the
<span class="emphasis"><em>logon home</em></span> and <span class="emphasis"><em>logon path</em></span> options
commented.
</p></div></li><li class="step"><p>
Uncomment the <span class="emphasis"><em>[homes]</em></span> share to allow the <span class="italic">logon home</span> to be mapped:
</p><pre class="programlisting">
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
</pre></li><li class="step"><p>
When configured as a domain controller, a <span class="emphasis"><em>[netlogon]</em></span> share
needs to be configured. To enable the share, uncomment:
</p><pre class="programlisting">
[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = yes
read only = yes
share modes = no
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The original <span class="emphasis"><em>netlogon</em></span> share path is
<code class="filename">/home/samba/netlogon</code>, but according to the Filesystem
Hierarchy Standard (<acronym class="acronym">FHS</acronym>), <a class="ulink" href="http://www.pathname.com/fhs/pub/fhs-2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM" target="_top">/srv</a> is the correct location
for site-specific data provided by the system.
</p></div></li><li class="step"><p>
Now create the <code class="filename">netlogon</code> directory and an
empty (for now) <code class="filename">logon.cmd</code> script file:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo mkdir -p /srv/samba/netlogon</strong></span></span>
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo touch /srv/samba/netlogon/logon.cmd</strong></span></span>
</pre><p>
Any normal <span class="trademark">Windows</span>® logon script 
commands can be entered in <code class="filename">logon.cmd</code> to customize the 
client's environment.
</p></li><li class="step"><p>
With <span class="emphasis"><em>root</em></span> being disabled by default, in order to join a
workstation to the domain, a system group must be mapped to the <span class="trademark">Windows</span>® <span class="emphasis"><em>Domain Admins</em></span> 
group. Using the <span class="application">net</span> utility, from a terminal enter:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo net groupmap add ntgroup="Domain Admins" unixgroup=sysadmin rid=512 type=d</strong></span></span>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Change <span class="italic">sysadmin</span> to the preferred group. The
user used to join the domain needs to be a member of the 
<span class="emphasis"><em>sysadmin</em></span> group, as well as a member of the system
<span class="emphasis"><em>admin</em></span> group. The <span class="emphasis"><em>admin</em></span> group allows 
<span class="application">sudo</span> use.
</p></div></li><li class="step"><p>
Finally, restart <span class="application">Samba</span> to enable the new domain 
controller:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo /etc/init.d/samba restart</strong></span></span>
</pre></li><li class="step"><p>
It is now possible to join <span class="trademark">Windows</span>® 
clients to the domain in the same manner as joining them to an <span class="trademark">NT4</span>® domain running on a <span class="trademark">Windows</span>® server.
</p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-bdc-smbpasswd"></a>Backup Domain Controller</h3></div></div></div><p>
With a Primary Domain Controller (<acronym class="acronym">PDC</acronym>) on the network, it is 
best to have a Backup Domain Controller (<acronym class="acronym">BDC</acronym>) as well. This 
will allow clients to authenticate in case the <acronym class="acronym">PDC</acronym> becomes 
unavailable.
</p><p>
When configuring <span class="application">Samba</span> as a <acronym class="acronym">BDC</acronym>, 
there must be a way to sync account information with the 
<acronym class="acronym">PDC</acronym>. There are multiple ways of accomplishing this, such as
<span class="application">scp</span>, <span class="application">rsync</span>, or by using
<span class="application">LDAP</span> as the <span class="emphasis"><em>passdb backend</em></span>.
</p><p>
Using <span class="application">LDAP</span> is the most robust way to sync account 
information, because both domain controllers can use the same information in 
real time. However, setting up an <span class="application">LDAP</span> server may be 
overly complicated for a small number of user and computer accounts. See the
<span class="application">Samba</span> <a class="ulink" href="http://wiki.samba.org/index.php/Samba_&amp;_LDAP" target="_top">
<span class="application">LDAP</span></a> page for details.
</p><div class="procedure"><ol class="procedure" type="1"><li class="step"><p>
First, install <span class="application">samba</span> and 
<span class="application">libpam-smbpass</span>. From a terminal, enter:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo apt-get install samba libpam-smbpass</strong></span></span>
</pre></li><li class="step"><p>
Now, edit <code class="filename">/etc/samba/smb.conf</code> and uncomment the following
in the <span class="emphasis"><em>[global]</em></span> section:
</p><pre class="programlisting">
workgroup = EXAMPLE
...
security = user
</pre></li><li class="step"><p>
In the commented <span class="emphasis"><em>Domains</em></span> section, uncomment or add:
</p><pre class="programlisting">
domain logons = yes
domain master = no
</pre></li><li class="step"><p>
Make sure a user has rights to read the files in 
<code class="filename">/var/lib/samba</code>. For example, to allow users in the 
<span class="emphasis"><em>admin</em></span> group to <span class="application">scp</span> the files, 
enter:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo chgrp -R admin /var/lib/samba</strong></span></span>
</pre></li><li class="step"><p>
Next, sync the user accounts, using <span class="application">scp</span> to copy the
<code class="filename">/var/lib/samba</code> directory from the <acronym class="acronym">PDC</acronym>:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo scp -r username@pdc:/var/lib/samba /var/lib</strong></span></span>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Replace <span class="emphasis"><em>username</em></span> with a valid username and
<span class="emphasis"><em>pdc</em></span> with the hostname or <acronym class="acronym">IP</acronym> Address of 
the actual <acronym class="acronym">PDC</acronym>.
</p></div></li><li class="step"><p>
Finally, restart <span class="application">samba</span>:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo /etc/init.d/samba restart</strong></span></span>
</pre></li></ol></div><p>
Test that the Backup Domain Controller is working by stopping the 
<span class="application">Samba</span> daemon on the <span class="application">PDC</span>, 
then trying to log in to a <span class="trademark">Windows</span>® 
client joined to the domain.
</p><p>
If the <span class="emphasis"><em>logon home</em></span> option has been configured as a 
directory on the <acronym class="acronym">PDC</acronym>, and the <acronym class="acronym">PDC</acronym> becomes 
unavailable, access to the user's <span class="emphasis"><em>Home</em></span> drive will also be 
unavailable. For this reason, it is best to configure the <span class="emphasis"><em>logon 
home</em></span> to reside on a separate file server from the 
<acronym class="acronym">PDC</acronym> and <acronym class="acronym">BDC</acronym>.
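</p><p>
One way to confirm that an edited <code class="filename">/etc/samba/smb.conf</code> still carries the settings from the two procedures above, as an added example that is not part of the original Kubuntu or <span class="application">Samba</span> documentation. The function names and the sample configuration are constructed for illustration; the script ignores parameter synonyms and include files, so <span class="application">testparm -s</span> remains the authoritative parser.
</p>

```shell
# Added example (not from the Samba or Kubuntu docs): lint an smb.conf for the
# domain-controller settings this page lists. Synonyms and includes are ignored.

# get_param FILE SECTION KEY: print the last value of KEY inside [SECTION].
get_param() {
    awk -v sect="$2" -v key="$3" '
        BEGIN { s = "global" }
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[/ { s = tolower($0); gsub(/^[ \t]*\[|\].*$/, "", s); next }
        s == sect && (p = index($0, "=")) {
            k = tolower(substr($0, 1, p - 1)); v = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# expect FILE SECTION KEY WANT: print a finding and return 1 on mismatch.
expect() {
    got=$(get_param "$1" "$2" "$3")
    case $4 in yes|no|user) got=$(printf %s "$got" | tr 'A-Z' 'a-z') ;; esac
    [ "$got" = "$4" ] && return 0
    echo "[$2] $3: want '$4', found '${got:-unset}'"
    return 1
}

# audit_dc FILE ROLE: ROLE is pdc or bdc; returns 1 if anything was reported.
audit_dc() {
    rc=0
    expect "$1" global "security" user || rc=1
    expect "$1" global "domain logons" yes || rc=1
    if [ "$2" = bdc ]; then expect "$1" global "domain master" no || rc=1; fi
    expect "$1" netlogon "read only" yes || rc=1   # guest-readable script share
    expect "$1" homes "valid users" %S || rc=1     # owner-only home shares
    expect "$1" homes "create mask" 0700 || rc=1
    expect "$1" homes "directory mask" 0700 || rc=1
    return $rc
}

# write_sample FILE: constructed smb.conf with two deliberate deviations.
write_sample() {
    printf '%s\n' '[global]' 'workgroup = EXAMPLE' 'security = user' \
        '; domain logons = no' 'Domain Logons = Yes' '[homes]' \
        'valid users = %S' 'create mask = 0755' 'directory mask = 0700' \
        '[netlogon]' 'path = /srv/samba/netlogon' 'guest ok = yes' \
        'read only = no' > "$1"
}

f=$(mktemp); write_sample "$f"; audit_dc "$f" pdc || true; rm -f "$f"  # demo run
```

<p>
Run against the constructed sample as a <acronym class="acronym">PDC</acronym>, the script reports the writable <span class="emphasis"><em>[netlogon]</em></span> share and the 0755 <span class="emphasis"><em>create mask</em></span>. The <span class="emphasis"><em>[netlogon]</em></span> check matters because that share is guest-accessible and holds the logon script that clients run at login.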
</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-dc-resources"></a>Resources</h3></div></div></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
For in-depth <span class="application">Samba</span> configurations, see the <a class="ulink" href="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/" target="_top">
<span class="application">Samba</span> HOWTO Collection</a>.
</p></li><li class="listitem"><p>
The guide is also available in <a class="ulink" href="http://www.amazon.com/exec/obidos/tg/detail/-/0131882228" target="_top">printed format
</a>.
</p></li><li class="listitem"><p>
O'Reilly's <a class="ulink" href="http://www.oreilly.com/catalog/9780596007690/" target="_top">Using
<span class="application">Samba</span></a> is also a good reference.
</p></li><li class="listitem"><p>
<a class="ulink" href="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html" target="_top">
Chapter 4</a> of the <span class="application">Samba</span> HOWTO Collection 
explains setting up a Primary Domain Controller.
</p></li><li class="listitem"><p>
<a class="ulink" href="http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html" target="_top">
Chapter 5</a> of the <span class="application">Samba</span> HOWTO Collection 
explains setting up a Backup Domain Controller.
</p></li></ul></div></div></div></div><div id="footer"><div class="navCenter"><table class="navigation"><tr><td class="prevCell"><a accesskey="p" href="samba-fileprint-security.html">Prev</a></td><td class="upCell"><a accesskey="h" href="index.html">Home</a></td><td class="nextCell"><a accesskey="n" href="samba-ad-integration.html">Next</a></td></tr><tr><td class="prevCell">Securing a Samba File and Print Server </td><td class="upCell"> </td><td class="nextCell"> Samba Active Directory Integration</td></tr></table></div><div id="footer_text"><br><a href="mailto:ubuntu-docs@lists.ubuntu.com" class="footer_email">
	  Ubuntu Documentation Project
        </a></div></div></div></body></html>