With apologies to Karen for two geeky posts in a row, I present “What I did last night”. I promise I'll post a picture of Julian in the next post.
As I alluded to in my previous post, I recently decided to scratch a nagging itch and setup a Windows Domain at Casa Del Lacey. I've been wanting to do this for a while, but it's recently come to a head with two Windows desktops, a linux box, Mac laptop, Windows laptop, network storage box and the Xbox 360.
Having separate accounts and associated passwords plus having to setup the desktop “just how I like it” when moving to a new machine, browser bookmarks being different, etc… was just becoming a pain. I was also relying on my wireless router to provide DNS services (which was flaky).
Something had to be done.
Initially I thought about heading over to Best Buy and picking up the cheapest machine capable of running Microsoft Small Business Server. I'd had such a great experience with it at SwitchGear that it seemed like the logical choice, but it's expensive, even at the company store.
But then I thought “I bet those clever Open Source folks have figured this all out”.
And sure enough they have.
Samba supports operating as a Primary Domain Controller, serving up all that great single password, machine trust and roaming profile goodness. So with that, the plan of attack was to install all necessary software on my Linux box (an Apple PowerMac G5 running the Linux Debian distro
- Install a DHCP server, and assign IP addresses to all the machines on the network.
- Install the BIND9 name server, and have it serve up DNS locally for one of my domains, creating a 'home.judesoftware.com' DNS domain in the process.
Now, at this point I could have configured the magic whereby the DHCP server assigns addresses dynamically and updates the DNS server in the process, but that would have required setting up keys and trust, etc… between the two services, and I didn't have that much patience.
- Install samba and set it up as a primary domain controller.
This part was fairly easy apart from one gotcha that I'll get to later. Basically I'm running pretty much with defaults, the trick is getting the clients set up. The following is my configuration file (/etc/samba/smb.conf) with a few modifications to protect the innocent:
workgroup = THIS_DOMAIN
netbios name = THIS_SERVERS_NETBIOS_NAME
passdb backend = tdbsam
printcap name = cups
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
# Note: The following specifies the default logon script.
# Per user logon scripts can be specified in the user account using pdbedit
#logon script = scripts\logon.bat
# This sets the default profile path. Set per user paths with pdbedit
logon path = \\%L\profiles\%U
#logon path =
logon drive = H:
logon home = \\%L\home\%U
#logon home =
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
comment = Home Directories
valid users = %S
read only = No
browseable = No
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root
guest ok = No
browseable = No
# For profiles to work, create a user directory under the path
# shown. i.e., mkdir -p /var/lib/samba/profiles/steve
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
This is a pretty standard setup and it gets you some cool features:
- A domain named THIS_DOMAIN. Create user and machine accounts and the world is wonderful.
- Each user's home directory on the Linux box is magically available as H: on their Windows box when they log in.
- Roaming profiles. More on this later.
So, setting up a new user on the domain is pretty easy.
root# /usr/sbin/useradd -g users -d /home/sjl -s /bin/bash -c "Steve Lacey" steve
root# /usr/bin/smbpasswd -a steve
Pretty simple, huh? The first command creates a new unix account (you can skip this step if the users already have accounts) and the second command adds the user to samba's domain users.
You'll also need to make sure that you add a samba account for root as by default he's the domain administrator.
Next up, adding machine accounts. Except you don't need to. Just go to the Windows machine, and from the system control panel applet join the machine to the domain - you'll need to enter the domain account and password for THIS_DOMAIN\root that you created in the previous paragraph. All is good, just reboot the Windows box and log in to the domain!
And now the problem that I encountered.
Ahhh, roaming profiles. These are a wonderful thing. They enable your settings (desktop themes, start menu choices, browser bookmarks, etc…) to be cached on the server so that when you move from machine to machine your experience is exactly the same. It's a wonderful thing to behold (and interestingly wasn't enabled at Microsoft when I was there).
For me, a problem occurred because I didn't actually create the per user directory where the profile is stored. It's the only part of the process that isn't automated, which means that I didn't do it.
When I logged into the domain from a Windows box for the first time, Windows told me that it couldn't find the profile and was giving me a temporary one.
Ooops, I thought. I figured out what was wrong - I needed to create /var/lib/samba/profiles/steve and chown steve.users it.
So I did that, but Windows was stuck on the temporary roaming profile - no amount of restarting and rebooting either box could fix it.
The only way I could resolve the issue was by having the Windows box leave the domain, delete the machine account from samba, delete the normal unix account for it and then rejoin the Windows box to the domain.
For reference, the machine accounts are machinename$, but you can skip the trailing '$' when talking to samba:
root# /usr/bin/smbpasswd -m -x machinename
root# /usr/sbin/userdel machinename$
And that's it! It all works! Even my new Infrant NAS joined and participated in the domain without any problems.
After that I needed to geek out some more and installed an NTP server which goes out to the network timeservers and serves time for all the internal machines…