freebsd 7, samba 3, domain controller

Discussion in 'Suggest HOWTO' started by alexdimarco, Jun 26, 2008.

  1. alexdimarco

    alexdimarco New Member

    Anyone have a simple howto for freebsd 7 and samba 3 as a domain controller?
     
  2. alexdimarco

    alexdimarco New Member

    I found a helpful howto here;

    by Stewart Frazier
    http://www.mrp3.com/windows-to-unix-samba.html

    SAMBA 3 Helper

    This web page is primarily for setting up Samba 3 on a BSD or Linux computer as a primary domain controller. If you simply want to share files and printers with windows machines on your network, using Samba 3, most of the things on this page will still be relevant to you. However, you will need to make changes to a few of the 'smb.conf' entries, such as security, local master, domain master, preferred master, domain logons, wins support, dns proxy, msdfs root, and host msdfs. These entries would typically be removed from smb.conf so that the default values will apply.

    Setting up SAMBA 3 for a Domain Controller is a bit more difficult than setting up DHCP or DNS, or CUPS (for printing). But in order to get it 'up and running' as quickly as possible, you can follow the general instructions on this web page, which are intended as a quick 'how to' guide for Samba 3 as a Domain Controller. All of the necessary files for setting up a Samba-based domain controller for FreeBSD are included 'in line' and may be 'clipped out' and used as you see fit. For other operating systems, such as Linux, you may need to edit them slightly to get them to work. In particular, the shell scripts make use of the 'pw' application to add and modify users and groups, which is specific to FreeBSD.
    Additional information can be found in the Samba documentation, which is installed in the local documentation tree on your computer, specifically the file 'samba/howto/FastStart.html' under the heading of 'Domain Controller'.

    The following is a 'short list' of the things that need to be accomplished using the sample files, plus some additional information. The first step, of course, is to install the latest version of Samba 3 on your computer. Following that, you should do each of these steps in the order specified.

    1. modify and add the contents of the sample 'group' file to the /etc/group file on your system. You will need to check for 'overlap' to make sure that no duplicate groups (or duplicate group ID's) already exist in the file.
    2. Add the user 'administrator' using the appropriate utility (such as 'adduser'), and using the 'samba' group as the primary group. Then, add it to the wheel group.
    3. Copy the 'smb-' scripts into the /usr/local/sbin/ directory, and mark them 'executable'. This can be done using 'chmod 555' on each of them.
    4. Copy the 'samba_dns_update' script to /usr/local/sbin/, and mark it 'executable'.
    5. modify 'smb.conf', specifically those entries that contain the following:
    1. the IP address '192.168.1.1'
    2. The domain name 'WORKGROUP.local'
    3. The machine name 'FreeBSDServer'
    Then, copy the 'smb.conf' file into the appropriate location. On FreeBSD, this would be /usr/local/etc/smb.conf .
    6. Create a directory /usr/local/lib/samba/profiles/, make it world-writable
    7. Create a directory /usr/local/lib/samba/drivers/, make it world-readable
    8. Create a directory /usr/local/lib/samba/netlogon/, make it world-writable
    9. Start Samba (or re-start the system). Once Samba is up and running, perform the following:
    1. Run the script 'mapgroup.sh'.
    2. smbpasswd -a root (and enter root password)
    3. smbpasswd -a administrator (and enter administrator password)
    10. If necessary, perform the following manually
    1. add a machine to the domain by first creating a user 'machinename$' (where 'machinename' is the NETBIOS name of the machine) as a member of the group 'machines'. The 'smb-add-machine' script should perform this action.
    2. use smbpasswd -m machinename$ to make it 'official'.


    NOTE: The paths '/usr/local/lib/samba', '/usr/local/sbin', and '/usr/local/etc' are all implementation-dependent. You can use 'whereis' and other utilities to determine where the files and applications reside.

    At this point, so long as DHCP, DNS, and CUPS are correctly configured, your Samba installation should allow your UNIX or Linux server to operate as a Primary Domain Controller (PDC) and DHCP server for your network.
    The Files

    The contents of the various files are shown here. You can 'clip' the text out of the html text and paste it into the appropriately named file, modifying the text as needed for your operating system, machine name, domain name, and network settings.
    smb.conf

    #======================= Global Settings =====================================
    [global]
    # modify these for your domain name
    workgroup = WORKGROUP.local
    realm = WORKGROUP.local
    # modify these for your server name
    netbios name = FreeBSDServer
    server string = FreeBSDServer Domain Controller for WORKGROUP.local

    # modify these next entries for your IP address and netmask. The settings
    # below reflects 192.168.1/24 and 127/8, with IP addres 192.168.1.1 and 127.0.0.1
    hosts allow = 192.168.1. 127.
    socket address = 192.168.1.1 127.0.0.1

    # setting up as a domain controller. 'man smb.conf' for explanation
    security = user
    local master = yes
    domain master = yes
    preferred master = yes
    domain logons = yes
    wins support = yes
    dns proxy = yes
    os level = 33
    msdfs root = yes
    host msdfs = yes
    obey pam restrictions = yes
    time server = yes
    # force LM announcements every 2 minutes
    lm announce = yes
    lm interval = 120

    # global file masks
    directory mask = 0777
    force directory mode = 0555
    create mask = 0666
    force create mode = 0444

    # name resolution
    name resolve order = wins bcast


    # printers - configured to use CUPS and automatically load them

    load printers = yes
    printcap name = cups
    printing = cups


    # Backend to store user information in. New installations should
    # use either tdbsam or ldapsam. smbpasswd is available for backwards
    # compatibility. tdbsam requires no further configuration.
    # if you want to have a backup domain controller, or participate
    # as part of a larger domain, you will need to use 'ldapsam' and
    # do some additional configuration.
    ; passdb backend = ldapsam
    passdb backend = tdbsam

    # Uncomment this if you want a guest account, you must add this to /etc/passwd
    # otherwise the user "nobody" is used
    ; guest account = pcguest

    # Using the following line enables you to customise your configuration
    # on a per machine basis. The %m gets replaced with the netbios name
    # of the machine that is connecting.
    # Note: Consider carefully the location in the configuration file of
    # this line. The included file is read at that point.
    ; include = /usr/local/etc/smb.conf.%m


    # scripts invoked by Samba

    # These scripts are used on a domain controller or stand-alone
    # machine to add or delete corresponding unix accounts;
    # NOTE: the original entries are commented out. They may be valid on
    # some operating systems. The ones not commented out invoke the
    # script files that are copied to '/usr/local/sbin'. You should
    # update this section based upon the requirements of your OS.
    #
    ; add user script = /usr/sbin/useradd %u
    ; add group script = /usr/sbin/groupadd %g
    ; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
    ; delete user script = /usr/sbin/userdel %u
    ; delete user from group script = /usr/sbin/deluser %u %g
    ; delete group script = /usr/sbin/groupdel %g
    add user script = /usr/local/sbin/smb-add-user %u
    add group script = /usr/local/sbin/smb-add-group %g
    add machine script = /usr/local/sbin/smb-add-machine %u
    add user to group script = /usr/local/sbin/smb-add-user-group %u %g
    delete user script = /usr/local/sbin/smb-rm-user %u
    delete user from group script = /usr/local/sbin/smb-rm-user-group %u %g
    delete group script = /usr/local/sbin/smb-rm-group %g

    # 'wins hook' script - call to 'nsupdate' to update DNS automatically
    wins hook = /usr/local/sbin/samba_dns_update


    # log files

    # this tells Samba to use a separate log file for each machine
    # that connects
    log file = /var/log/samba/log.%m

    # Put a capping on the size of the log files (in Kb).
    max log size = 50


    # login scripts

    # if you enable domain logons then you may want a per-machine or
    # per user logon script
    # run a specific logon batch file per workstation (machine)
    ; logon script = %m.bat
    # run a specific logon batch file per username
    ; logon script = %U.bat


    # user profiles (default is sufficient, see 'profiles' share)

    # Where to store roving profiles (only for Win95 and WinNT)
    # %L substitutes for this servers netbios name, %U is username
    # You must uncomment the [Profiles] share below
    logon path = \\%L\Profiles\%U


    # socket options

    # Most people will find that this option gives better performance.
    # See the chapter 'Samba performance issues' in the Samba HOWTO Collection
    # and the manual pages for details.
    # You may want to add the following on a Linux system:
    # SO_RCVBUF=8192 SO_SNDBUF=8192
    socket options = TCP_NODELAY



    #============================ Share Definitions ==============================

    # netlogon directory, necessary for Domain Logons
    [netlogon]
    comment = Network Logon Service
    path = /usr/local/lib/samba/netlogon
    guest ok = yes
    writable = no
    share modes = no

    # 'Roving Profile' share (in lieu of the user's home directory)
    [Profiles]
    path = /usr/local/lib/samba/profiles
    browseable = no
    guest ok = yes
    writable = yes

    # 'printers' share (no need to individually declare them if the printers
    # are being automatically loaded and CUPS is properly configured)
    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    # Set public = yes to allow user 'guest account' to print
    guest ok = yes
    writable = no
    printable = yes
    printer admin = @wheel

    # path to printer drivers (see CUPS documentation)
    [print$]
    comment = Printer Drivers
    path = /usr/local/lib/samba/drivers
    browseable = yes
    guest ok = yes
    writable = no
    printable = no



    group

    You will need to add the following text to the end of the '/etc/group' file. Make sure that there are no overlaps with names or ID's for any existing groups. You can edit the group ID's as needed.
    (You should also change 'WORKGROUP' to the name of your domain, or else remove it if you do not want a group that represents the domain)

    # these group entries need to be added to the '/etc/group' file
    #
    # samba requires a 'machines' group equal to 100
    machines:*:100:
    # locally defined groups. the first is the domain group 'WORKGROUP'
    # you should change this depending upon the domain
    WORKGROUP:*:1001:
    # group added for 'dhcpd'
    dhcpd:*:1002:
    # group added for 'samba' (default for all new Samba users)
    samba:*:1003:administrator,root
    # additional 'operator' groups for Samba - print, account, backup
    print:*:1004:
    account:*:1005:
    backup:*:1006:



    mapgroup.sh

    The following script will associate the various 'Samba' groups (compatible with Windows) with UNIX groups defind in the '/etc/group' file. Some of the examples were left 'as-is' and commented out, using examples obtained from the Samba documentation. Additional information as comments has been placed at the end of the script in order to document the correct 'RID' values, should you need to re-create the groups yourself.
    (You should make sure that each of the groups referenced in the script actually exist, and add them to the '/etc/group' file if they do not).

    #!/bin/sh
    #### Keep this as a shell script for future re-use

    # assign well known groups for the domain
    # net groupmap add ntgroup="Domain Admins" unixgroup=wheel type=d rid=512
    # net groupmap add ntgroup="Domain Users" unixgroup=samba type=d rid=513
    # net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d rid=514

    net groupmap modify ntgroup="Domain Admins" unixgroup=wheel
    net groupmap modify ntgroup="Domain Users" unixgroup=samba
    net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

    # now, do the local groups. Change 'WORKGROUP' to the group that is
    # associated with the domain name.
    net groupmap modify ntgroup="Administrators" unixgroup=wheel
    net groupmap modify ntgroup="Users" unixgroup=samba
    net groupmap modify ntgroup="Guests" unixgroup=guest
    net groupmap modify ntgroup="Power Users" unixgroup=WORKGROUP
    net groupmap modify ntgroup="Account Operators" unixgroup=account
    net groupmap modify ntgroup="System Operators" unixgroup=operator
    net groupmap modify ntgroup="Print Operators" unixgroup=print
    net groupmap modify ntgroup="Backup Operators" unixgroup=backup
    net groupmap modify ntgroup="Replicators" unixgroup=staff

    # list of domain groups and RID's
    # Domain Admins 200H
    # Domain Users 201H
    # Domain Guests 202H

    # list of local groups
    # Administrators 26
    # Users 27
    # Guests 28
    # Power Users 29
    # Account Operators 30
    # System Operators 31
    # Print Operators 32
    # Backup Operators 33
    # Replicators 34



    samba_dns_update

    This script is called by Samba to automatically update DNS. You should modify it as necessary for your system, and change the 'WORKGROUP.local' and IP address information accordingly.

    #!/bin/sh
    #
    # Example script for "wins hook". This attempts to update the DNS with
    # new A records for the NETBIOS name that Samba passes us. We do this
    # the simple way, by deleting all DNS records for the name and then
    # readding all the expected 'A' records.
    #
    # Written by Stephen Rothwell
    #

    #
    # Configurable things
    #
    # The domain in which to create names
    # YOU MUST CHANGE THIS
    # N.B. include the trailing dot
    #
    # It is a good idea to use a subdomain of your primary domain to ensure
    # that rogue machines can't take over (or delete) important names on
    # your network.
    DOMAIN=WORKGROUP.local.

    #
    # The DNS TTL to give the records (in seconds)
    #
    TTL=3600
    #
    # NETBIOS name types that we want to create DNS records for:
    # 20 is server
    # 00 is workstation
    # 03 is user
    #
    USEFUL_TYPES="20 00 03"
    #
    # The name of a cache file to use to avoid continual updates
    # of the same name and IP addresses. If you comment this out
    # then the cache is not kept at all.
    #
    #CACHE_FILE=/usr/local/samba/var/wins_update.cache

    if [ $# -lt 4 ]; then
    echo "Usage: $0 op name type ttl [ip_addr ...]" 1>&2
    echo " op is one of add, refresh, delete" 1>&2
    echo " name is the NETBIOS name" 1>&2
    echo " type is the NETBIOS name type" 1>&2
    echo " ttl is the NETBIOS time to live" 1>&2
    echo " ip_addr's are the remaining IP addresses for this name" 1>&2
    exit 1
    fi

    NSUPDATE=`which nsupdate`
    [ -x "$NSUPDATE" ] || NSUPDATE=/usr/bin/nsupdate
    [ -x "$NSUPDATE" ] || NSUPDATE=/sbin/nsupdate
    [ -x "$NSUPDATE" ] || NSUPDATE=/usr/sbin/nsupdate
    [ -x "$NSUPDATE" ] || {
    echo "Cannot find nsupdate." 1>&2
    exit 1
    }

    OP=$1
    NAME=$2
    TYPE=$3
    WINS_TTL=$4
    shift 4
    IP_ADDRS="$@"

    do_update=0
    for i in $USEFUL_TYPES
    do
    [ "$TYPE" = "$i" ] && do_update=1
    done
    [ $do_update = 1 ] || exit 0

    if [ -n "$CACHE_FILE" ]; then
    if [ -r "$CACHE_FILE" ]; then
    fgrep -q -x -i "$NAME $IP_ADDRS" "$CACHE_FILE" &&
    exit 0
    grep -v -i "^$NAME " "$CACHE_FILE" >"$CACHE_FILE".$$
    fi
    echo "$NAME $IP_ADDRS" >>"$CACHE_FILE".$$
    mv "$CACHE_FILE" "$CACHE_FILE".old 2>/dev/null
    mv "$CACHE_FILE".$$ "$CACHE_FILE"
    fi

    {
    echo update delete $NAME.$DOMAIN
    for i in $IP_ADDRS
    do
    echo update add $NAME.$DOMAIN $TTL A $i
    done
    echo
    } 2>/dev/null | $NSUPDATE >/dev/null 2>&1 &

    exit 0



    smb-add-group

    Script called by Samba to add a group. Modify this for your system, as needed.

    #!/bin/sh
    # called by samba to add a group

    echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log

    x=`pw groupnext`
    if $( test ! -n "$x" )
    then
    echo "unable to get next group ID";
    else
    if $( test -n "$1" )
    then
    pw groupadd -n $1 -g $x ;
    fi
    fi



    smb-add-machine

    Script called by Samba to add a machine, by adding a user to the 'machines' group. Modify this for your system, as needed. If this script does not function correctly, you will not be able to join a domain without manually adding the machine as a user, both to the UNIX password database and the Samba password database.

    #!/bin/sh
    # called by samba to add a machine as a special user

    echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log

    x=`pw usernext`
    if $( test ! -n "$x" )
    then
    echo "unable to get next user ID";
    else
    if $( test -n "$1" )
    then
    pw useradd -q -n $1 -u $x -d /dev/null -s /sbin/nologin -g machines ;
    fi
    fi



    smb-add-user

    Script called by Samba to add a user. Modify this for your system, as needed.

    #!/bin/sh
    # called by samba to add a user

    echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log

    x=`pw usernext`
    if $( test ! -n "$x" )
    then
    echo "unable to get next user ID";
    else
    if $( test -n "$1" )
    then
    pw useradd -q -n $1 -u $x -d /dev/null -s /sbin/nologin -g samba ;
    fi
    fi



    smb-add-user-group

    Script called by Samba to add a user to a group. Modify this for your system, as needed.

    #!/bin/sh -f
    # the '-f' parameter prevents file name expansion

    echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log

    if ( test -n "$1" )
    then
    if ( test -z "$2" )
    then
    echo "missing group name";
    else
    x=`pw groupshow -n $2 | sed s/:/,/g ` ;
    y=1
    u="$1"
    g="$2"
    m=
    IFS=,
    c=""

    for i in $x ; do
    if ( test $y -gt 3 )
    then
    if ( test "$u" = "$i" )
    then
    exit 1;
    fi
    fi
    y=$(expr $y + 1)
    done

    unset IFS

    pw groupmod -n $g -m $u ;

    fi
    fi



    smb-rm-group

    Script called by Samba to remove a group. Modify this for your system, as needed.

    #!/bin/sh
    # called by samba to delete a user

    echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log

    if $( test -n "$1" )
    then
    pw groupdel -n $1;
    fi



    smb-rm-user

    Script called by Samba to remove a user. Modify this for your system, as needed.

    #!/bin/sh
    # called by samba to delete a user

    echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log

    if $( test -n "$1" )
    then
    pw userdel -n $1;
    fi



    smb-rm-user-group

    Script called by Samba to remove a user from a group. Modify this for your system, as needed.
    (I am rather proud of this script, actually, being one of the more creative things I've done recently)

    #!/bin/sh -f
    # the '-f' parameter prevents file name expansion

    echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log

    if ( test -n "$1" )
    then
    if ( test -z "$2" )
    then
    echo "missing group name";
    else
    x=`pw groupshow -n $2 | sed s/:/,/g ` ;
    y=1
    u="$1"
    g="$2"
    m=""
    IFS=,
    c=""

    for i in $x ; do
    if ( test $y -gt 3 )
    then
    if ( test "$u" = "$i" )
    then
    c="pw groupmod -n $g -M";
    elif ( test -z "$m")
    then
    m="$i";
    else
    m="$m,$i";
    fi
    fi
    y=$(expr $y + 1)
    done

    unset IFS
    if ( test -n "$c" )
    then
    eval $c $m ;
    fi
    fi
    fi



    Additional Configuration

    Of course, you will need to add shares to your 'smb.conf' file, but this should be relatively straightforward. For more information you can use 'man smb.conf' or look at the sample 'smb.conf' file that was installed when you installed Samba. The shares that were put into the 'smb.conf' sample, above, are the minimum required to get the system running properly. Still, they can serve as examples for setting up your own shares. A few were commented out that demonstrate typical read/write shares. If you want to set up access lists, make the shares unlistable or read-only, you should check the documentation on Samba and smb.conf for information on how to do that. The point of the files here is to "get you started" and not be a general guide for administering your system.


    Backing Up your Configuration

    It is VERY VERY IMPORTANT that you back up your system configuration as often as you can. Samba, like any software, is not perfect, and files can occasionally become corrupted for a number of reasons, including power outages. Because this is a domain controller, you should back your initial configuration at the very least, and each time you add a workstation or a user to the system. This way, if the database becomes corrupt or loses data, you can restore everything without having to 'rejoin the domain' on every workstation. The configuration nightmare of THAT scenario is not something I'd wish upon anyone. And this goes double if you are using the 'TDB' system rather than LDAP (or if you are using LDAP without a backup domain controller to restore from).

    If you are using the TDB method (the default) to store the configuration data, you should make sure you shut down 'smbd' and 'nmbd' before you back up the data. To do this, you can use the following commands:
    smbcontrol nmbd shutdown
    smbcontrol smbd shutdown
    This will shut down all running instances of nmbd and smbd. Next, you need to know where all of the files are stored. If you enter 'man tdbbackup' you will get a hint of where they MIGHT be, but this is sometimes less than helpful. However, on a FreeBSD system, the files you are interested in are located in the following directories:
    /var/db/samba
    /usr/local/private
    Again, on your system it may differ slightly (see 'man tdbbackup'). Once you have located the files, backing them up is as changing to the appropriate directory, and entering the following command:
    tdbbackup *.tdb
    This will generate a group of files with '.bak' extensions that are backups of the TDB files in the directory. Using the same application you can also verify AND automatically restore any backed up tdb files.

    Since the password information is stored in the 'private' directory ('/usr/local/private' on a FreeBSD system), it is extremely important that you back THIS up. Not making a backup of the password information for a domain controller might mean a weekend or all-night stay at 'the office' re-configuring everybody's workstation for the 'new' domain because when you re-initialize a domain controller, all of the security ID's change, and windows machines will recognize that as a DIFFERENT domain, and all of the user settings for the OLD logon will be lost, and though you can recover them with a little creativity, it's not the easiest process in the world, and requires knowledge of the registry, re-assignment of security settings. and some creativity in 'hacking' certain registry entries. But someday I might write an application to do just this. It IS something that can be rather painful to deal with if your domain controller ever goes down, and you have to create a new one. And I've seen this happen before.
    NOTE: The procedure to recover user settings after a domain crash on a Windows 2000 or XP workstation can be found HERE.



    Additional SAMBA-related Links
    www.Samba.org Official Samba web site, with the latest code, patches, and announcements
    9-user Server Example Article from 'www.informit.com', regarding an example 9 user network configuration using Samba 3. It details the necessary configuration file entries for 'smb.conf' and for CUPS to meet the requirements of the example network.

    ©2005 by Stewart~Frazier Tools, Inc. - all rights reserved
    Last Update: 6/28/2005
    Back to 'Windows to Unix' page
    Back to S.F.T. Inc. main page
     
  3. ryazkhan

    ryazkhan New Member

    Yes I have an easy to go setup here

    This will give you very basic primary domain controller. Please let me know if you need further assistance with it
     
    Last edited: Nov 5, 2010
  4. rockstar9840

    rockstar9840 New Member

    @alexdimarco, nice discussion and thanks for the link.

    @ryazkhan, I can't open your link. Is there any problem or the link is dead?
     
  5. ryazkhan

    ryazkhan New Member

    Sorry I never got chance to update all that, here is the new link http://cns.selfip.net/pages/howtos.php

    here you will find more than you are looking for

    feel free to email me with any question [email protected]
     
  6. rockstar9840

    rockstar9840 New Member

    Thank you.
     
  7. ryazkhan

    ryazkhan New Member

    You are very welcome
     

Share This Page