/usr/share/doc/kde/HTML/en/kubuntu/sharing/samba-dc.html is in kubuntu-docs 12.04.0ubuntu1.
<html><head><title>Samba as a Domain Controller</title><link rel="stylesheet" type="text/css" href="help:/common/kde-default.css"><link rel="stylesheet" type="text/css" href="help:/common/kde-docs.css"><link rel="stylesheet" type="text/css" href="help:/common/kde-localised.css"><link rel="stylesheet" type="text/css" href="help:/common/kubuntu.css"><meta name="generator" content="DocBook XSL Stylesheets V1.76.1"><link rel="home" href="index.html" title="File Sharing in Kubuntu"><link rel="up" href="index.html" title="File Sharing in Kubuntu"><link rel="prev" href="samba-fileprint-security.html" title="Securing a Samba File and Print Server"><link rel="next" href="samba-ad-integration.html" title="Samba Active Directory Integration"><link rel="copyright" href="legal.html" title="Credits and License"><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><meta name="GENERATOR" content="KDE XSL Stylesheet V1.14 using libxslt"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div id="content"><div id="header"><div id="header_content"><div id="header_left"><div id="header_right"><img src="help:/common/top-kde.jpg" width="36" height="34"> Samba as a Domain Controller</div></div></div></div><div 
class="navCenter"><table class="navigation"><tr><td class="prevCell"><a accesskey="p" href="samba-fileprint-security.html">Prev</a></td><td class="upCell"> </td><td class="nextCell"><a accesskey="n" href="samba-ad-integration.html">Next</a></td></tr></table></div><div id="contentBody"><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="samba-dc"></a>Samba as a Domain Controller</h2></div></div></div><p>
Although it cannot act as an <span class="trademark">Active Directory
Primary Domain Controller</span>® (<acronym class="acronym">PDC</acronym>), a
<span class="application">Samba</span> server can be configured to appear as a
<span class="trademark">Windows NT</span>®4-style domain controller.
A major advantage of this configuration is the ability to centralize user and
machine credentials. <span class="application">Samba</span> can also use multiple
backends to store the user information.
</p><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-pdc-smbpasswd"></a>Primary Domain Controller</h3></div></div></div><p>
This section covers configuring <span class="application">Samba</span> as a Primary
Domain Controller (<acronym class="acronym">PDC</acronym>) using the default
<span class="application">smbpasswd</span> backend.
</p><div class="procedure"><ol class="procedure" type="1"><li class="step"><p>
Install <span class="application">Samba</span> and
<span class="application">libpam-smbpass</span> to sync the user accounts, by
entering the following in a terminal prompt:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo apt-get install samba libpam-smbpass</strong></span></span>
</pre></li><li class="step"><p>
Next, configure <span class="application">Samba</span> by editing
<code class="filename">/etc/samba/smb.conf</code>. The <span class="emphasis"><em>security</em></span>
mode should be set to <span class="italic">user</span>, and the
<span class="emphasis"><em>workgroup</em></span> should relate to the organization properly:
</p><pre class="programlisting">
workgroup = EXAMPLE
...
security = user
</pre></li><li class="step"><p>
In the commented <span class="quote">“<span class="quote">Domains</span>”</span> section, add or uncomment the
following:
</p><pre class="programlisting">
domain logons = yes
logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
logon script = logon.cmd
add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u
</pre><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
<span class="emphasis"><em>domain logons:</em></span> provides the netlogon service causing
<span class="application">Samba</span> to act as a domain controller.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>logon path:</em></span> places the user's <span class="trademark">Windows</span>® profile into their home directory. It is
also possible to configure a <span class="emphasis"><em>[profiles]</em></span> share placing all
profiles under a single directory.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>logon drive:</em></span> specifies the home directory local path.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>logon home:</em></span> specifies the home directory location.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>logon script:</em></span> determines the script to be run locally once
a user has logged in. The script needs to be placed in the
<span class="emphasis"><em>[netlogon]</em></span> share.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>add machine script:</em></span> a script that will automatically
create the <span class="emphasis"><em>Machine Trust Account</em></span> needed for a workstation
to join the domain.
</p><p>
In this example, the <span class="emphasis"><em>machines</em></span> group will need to be
created using the <span class="application">addgroup</span> utility. See <a class="ulink" href="help:/kubuntu/basics/" target="_top"> Basics</a> for details.
</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
If <span class="emphasis"><em>Roaming Profiles</em></span> will not be used, leave the
<span class="emphasis"><em>logon home</em></span> and <span class="emphasis"><em>logon path</em></span> options
commented.
</p></div></li><li class="step"><p>
Uncomment the <span class="emphasis"><em>[homes]</em></span> share to allow the <span class="italic">logon home</span> to be mapped:
</p><pre class="programlisting">
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
</pre></li><li class="step"><p>
When configured as a domain controller, a <span class="emphasis"><em>[netlogon]</em></span> share
needs to be configured. To enable the share, uncomment:
</p><pre class="programlisting">
[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = yes
read only = yes
share modes = no
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The original <span class="emphasis"><em>netlogon</em></span> share path is
<code class="filename">/home/samba/netlogon</code>, but according to the Filesystem
Hierarchy Standard (<acronym class="acronym">FHS</acronym>), <a class="ulink" href="http://www.pathname.com/fhs/pub/fhs-2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM" target="_top">/srv</a> is the correct location
for site-specific data provided by the system.
</p></div></li><li class="step"><p>
Now create the <code class="filename">netlogon</code> directory and an
empty (for now) <code class="filename">logon.cmd</code> script file:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo mkdir -p /srv/samba/netlogon</strong></span></span>
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo touch /srv/samba/netlogon/logon.cmd</strong></span></span>
</pre><p>
Any normal <span class="trademark">Windows</span>® logon script
commands can be entered in <code class="filename">logon.cmd</code> to customize the
client's environment.
</p></li><li class="step"><p>
With <span class="emphasis"><em>root</em></span> being disabled by default, in order to join a
workstation to the domain, a system group must be mapped to the <span class="trademark">Windows</span>® <span class="emphasis"><em>Domain Admins</em></span>
group. Using the <span class="application">net</span> utility, from a terminal enter:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo net groupmap add ntgroup="Domain Admins" unixgroup=sysadmin rid=512 type=d</strong></span></span>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Change <span class="italic">sysadmin</span> to the preferred group. The
user used to join the domain needs to be a member of the
<span class="emphasis"><em>sysadmin</em></span> group, as well as a member of the system
<span class="emphasis"><em>admin</em></span> group. The <span class="emphasis"><em>admin</em></span> group allows
<span class="application">sudo</span> use.
</p></div></li><li class="step"><p>
Finally, restart <span class="application">Samba</span> to enable the new domain
controller:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo /etc/init.d/samba restart</strong></span></span>
</pre></li><li class="step"><p>
It is now possible to join <span class="trademark">Windows</span>®
clients to the domain in the same manner as joining them to an <span class="trademark">NT4</span>® domain running on a <span class="trademark">Windows</span>® server.
</p></li></ol></div></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-bdc-smbpasswd"></a>Backup Domain Controller</h3></div></div></div><p>
With a Primary Domain Controller (<acronym class="acronym">PDC</acronym>) on the network, it is
best to have a Backup Domain Controller (<acronym class="acronym">BDC</acronym>) as well. This
will allow clients to authenticate in case the <acronym class="acronym">PDC</acronym> becomes
unavailable.
</p><p>
When configuring <span class="application">Samba</span> as a <acronym class="acronym">BDC</acronym>,
there must be a way to sync account information with the
<acronym class="acronym">PDC</acronym>. There are multiple ways of accomplishing this, such as
<span class="application">scp</span>, <span class="application">rsync</span>, or by using
<span class="application">LDAP</span> as the <span class="emphasis"><em>passdb backend</em></span>.
</p><p>
Using <span class="application">LDAP</span> is the most robust way to sync account
information, because both domain controllers can use the same information in
real time. However, setting up an <span class="application">LDAP</span> server may be
overly complicated for a small number of user and computer accounts. See
<span class="application">Samba</span> <a class="ulink" href="http://wiki.samba.org/index.php/Samba_&_LDAP" target="_top">
<span class="application">LDAP</span></a> page for details.
</p><div class="procedure"><ol class="procedure" type="1"><li class="step"><p>
First, install <span class="application">samba</span> and
<span class="application">libpam-smbpass</span>. From a terminal, enter:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo apt-get install samba libpam-smbpass</strong></span></span>
</pre></li><li class="step"><p>
Now, edit <code class="filename">/etc/samba/smb.conf</code> and uncomment the following
in the <span class="emphasis"><em>[global]</em></span> section:
</p><pre class="programlisting">
workgroup = EXAMPLE
...
security = user
</pre></li><li class="step"><p>
In the commented <span class="quote">“<span class="quote">Domains</span>”</span> section, uncomment or add:
</p><pre class="programlisting">
domain logons = yes
domain master = no
</pre></li><li class="step"><p>
Make sure a user has rights to read the files in
<code class="filename">/var/lib/samba</code>. For example, to allow users in the
<span class="emphasis"><em>admin</em></span> group to <span class="application">scp</span> the files,
enter:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo chgrp -R admin /var/lib/samba</strong></span></span>
</pre></li><li class="step"><p>
Next, sync the user accounts, using <span class="application">scp</span> to copy the
<code class="filename">/var/lib/samba</code> directory from the <acronym class="acronym">PDC</acronym>:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo scp -r username@pdc:/var/lib/samba /var/lib</strong></span></span>
</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Replace <span class="emphasis"><em>username</em></span> with a valid username and
<span class="emphasis"><em>pdc</em></span> with the hostname or <acronym class="acronym">IP</acronym> Address of
the actual <acronym class="acronym">PDC</acronym>.
</p></div></li><li class="step"><p>
Finally, restart <span class="application">samba</span>:
</p><pre class="screen">
<span xmlns:doc="http://nwalsh.com/xsl/documentation/1.0" class="command"><span class="command"><strong>sudo /etc/init.d/samba restart</strong></span></span>
</pre></li></ol></div><p>
Test that the Backup Domain Controller is working by stopping the
<span class="application">Samba</span> daemon on the <span class="application">PDC</span>,
then trying to login to a <span class="trademark">Windows</span>®
client joined to the domain.
</p><p>
If the <span class="emphasis"><em>logon home</em></span> option has been configured as a
directory on the <acronym class="acronym">PDC</acronym>, and the <acronym class="acronym">PDC</acronym> becomes
unavailable, access to the user's <span class="emphasis"><em>Home</em></span> drive will also be
unavailable. For this reason, it is best to configure the <span class="emphasis"><em>logon
home</em></span> to reside on a separate file server from the
<acronym class="acronym">PDC</acronym> and <acronym class="acronym">BDC</acronym>.
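As an added example (not part of this guide or of Samba itself), the following Python audit parses an <code class="filename">smb.conf</code> and checks the settings the PDC and BDC procedures above ask for; the parser, the function names and the two sample configurations are constructed for the example.

```python
import re
from typing import Dict, List

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {key: value}}. Section names and keys are
    lower-cased and internal whitespace collapsed, since Samba treats
    'domain  logons' and 'domain logons' alike; '#' and ';' start comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                       # blank or commented-out line
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

# Settings each role must carry, taken from the steps in this guide.
EXPECTED = {
    "pdc": [("global", "security", "user"), ("global", "domain logons", "yes"),
            ("netlogon", "read only", "yes"), ("homes", "valid users", "%S"),
            ("homes", "browseable", "no")],
    "bdc": [("global", "security", "user"), ("global", "domain logons", "yes"),
            ("global", "domain master", "no")],
}

def audit_dc_config(text: str, role: str) -> List[str]:
    """Return human-readable findings for the given role; empty = compliant."""
    conf = parse_smb_conf(text)
    findings = []
    for section, key, want in EXPECTED[role]:
        got = conf.get(section, {}).get(key)
        if got is None:
            findings.append(f"[{section}] {key} is missing (want {want})")
        elif got.lower() != want.lower():
            findings.append(f"[{section}] {key} = {got} (want {want})")
    return findings

# Constructed samples: a compliant PDC, and a BDC whose 'domain master = no'
# was left commented out, so it would compete with the PDC for the role.
SAMPLE_PDC = ("[global]\nworkgroup = EXAMPLE\nsecurity = user\ndomain logons = yes\n"
              "[homes]\nbrowseable = no\nvalid users = %S\n[netlogon]\nread only = yes\n")
SAMPLE_BDC = "[global]\nsecurity = user\ndomain logons = yes\n; domain master = no\n"

if __name__ == "__main__":
    print(audit_dc_config(SAMPLE_PDC, "pdc"), audit_dc_config(SAMPLE_BDC, "bdc"))
```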
</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="samba-dc-resources"></a>Resources</h3></div></div></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
For in-depth <span class="application">Samba</span> configurations, see the <a class="ulink" href="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/" target="_top">
<span class="application">Samba</span> HOWTO Collection</a>.
</p></li><li class="listitem"><p>
The guide is also available in <a class="ulink" href="http://www.amazon.com/exec/obidos/tg/detail/-/0131882228" target="_top">printed format
</a>.
</p></li><li class="listitem"><p>
O'Reilly's <a class="ulink" href="http://www.oreilly.com/catalog/9780596007690/" target="_top">Using
<span class="application">Samba</span></a> is also a good reference.
</p></li><li class="listitem"><p>
<a class="ulink" href="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html" target="_top">
Chapter 4</a> of the <span class="application">Samba</span> HOWTO Collection
explains setting up a Primary Domain Controller.
</p></li><li class="listitem"><p>
<a class="ulink" href="http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html" target="_top">
Chapter 5</a> of the <span class="application">Samba</span> HOWTO Collection
explains setting up a Backup Domain Controller.
</p></li></ul></div></div></div></div><div id="footer"><div class="navCenter"><table class="navigation"><tr><td class="prevCell"><a accesskey="p" href="samba-fileprint-security.html">Prev</a></td><td class="upCell"><a accesskey="h" href="index.html">Home</a></td><td class="nextCell"><a accesskey="n" href="samba-ad-integration.html">Next</a></td></tr><tr><td class="prevCell">Securing a Samba File and Print Server </td><td class="upCell"> </td><td class="nextCell"> Samba Active Directory Integration</td></tr></table></div><div id="footer_text"><br><a href="mailto:ubuntu-docs@lists.ubuntu.com" class="footer_email">
Ubuntu Documentation Project
</a></div></div></div></body></html>