
Linux as a Windows Primary Domain Controller


With apologies to Karen for two geeky posts in a row, I present “What I did last night”. I promise I’ll post a picture of Julian in the next post.

As I alluded to in my previous post, I recently decided to scratch a nagging itch and setup a Windows Domain at Casa Del Lacey. I’ve been wanting to do this for a while, but it’s recently come to a head with two Windows desktops, a linux box, Mac laptop, Windows laptop, network storage box and the Xbox 360.

Having separate accounts and associated passwords plus having to setup the desktop “just how I like it” when moving to a new machine, browser bookmarks being different, etc… was just becoming a pain. I was also relying on my wireless router to provide DNS services (which was flaky).

Something had to be done.

Initially I thought about heading over to Best Buy and picking up the cheapest machine capable of running Microsoft Small Business Server. I’d had such a great experience with it at SwitchGear that it seemed like the logical choice, but it’s expensive, even at the company store.

But then I thought “I bet those clever Open Source folks have figured this all out”.

And sure enough they have.

Samba supports operating as a Primary Domain Controller, serving up all that great single password, machine trust and roaming profile goodness. So with that, the plan of attack was to install all necessary software on my Linux box (an Apple PowerMac G5 running the Linux Debian distro):

  • Install a DHCP server, and assign IP addresses to all the machines on the network.
  • Install the BIND9 name server, and have it serve up DNS locally for one of my domains, creating a ‘home.judesoftware.com’ DNS domain in the process.

Now, at this point I could have configured the magic whereby the DHCP server assigns addresses dynamically and updates the DNS server in the process, but that would have required setting up keys and trust, etc… between the two services, and I didn’t have that much patience.

  • Install samba and set it up as a primary domain controller.

This part was fairly easy apart from one gotcha that I’ll get to later. Basically I’m running pretty much with defaults; the trick is getting the clients set up. The following is my configuration file (/etc/samba/smb.conf) with a few modifications to protect the innocent:

[global]
workgroup = THIS_DOMAIN
netbios name = THIS_SERVERS_NETBIOS_NAME
passdb backend = tdbsam
printcap name = cups
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
# Note: The following specifies the default logon script.
# Per user logon scripts can be specified in the user account using pdbedit
#logon script = scripts\logon.bat
# This sets the default profile path. Set per user paths with pdbedit
logon path = \\%L\profiles\%U
#logon path =
logon drive = H:
logon home = \\%L\home\%U
#logon home =
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root
guest ok = No
browseable = No
# For profiles to work, create a user directory under the path
# shown. i.e., mkdir -p /var/lib/samba/profiles/steve

[Profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes

This is a pretty standard setup and it gets you some cool features:

  • A domain named THIS_DOMAIN. Create user and machine accounts and the world is wonderful.
  • Each user’s home directory on the Linux box is magically available as H: on their Windows box when they log in.
  • Roaming profiles. More on this later.

So, setting up a new user on the domain is pretty easy.

root# /usr/sbin/useradd -g users -d /home/sjl -s /bin/bash -c "Steve Lacey" steve
root# /usr/bin/smbpasswd -a steve

Pretty simple, huh? The first command creates a new unix account (you can skip this step if the users already have accounts) and the second command adds the user to samba’s domain users.

You’ll also need to make sure that you add a samba account for root as by default he’s the domain administrator.

Next up, adding machine accounts. Except you don’t need to. Just go to the Windows machine, and from the system control panel applet join the machine to the domain - you’ll need to enter the domain account and password for THIS_DOMAIN\root that you created in the previous paragraph. All is good, just reboot the Windows box and log in to the domain!

And now the problem that I encountered.

Ahhh, roaming profiles. These are a wonderful thing. They enable your settings (desktop themes, start menu choices, browser bookmarks, etc…) to be cached on the server so that when you move from machine to machine your experience is exactly the same. It’s a wonderful thing to behold (and interestingly wasn’t enabled at Microsoft when I was there).

For me, a problem occurred because I didn’t actually create the per user directory where the profile is stored. It’s the only part of the process that isn’t automated, which means that I didn’t do it.

When I logged into the domain from a Windows box for the first time, Windows told me that it couldn’t find the profile and was giving me a temporary one.

Ooops, I thought. I figured out what was wrong - I needed to create /var/lib/samba/profiles/steve and chown steve.users it.

So I did that, but Windows was stuck on the temporary roaming profile - no amount of restarting and rebooting either box could fix it.

The only way I could resolve the issue was by having the Windows box leave the domain, delete the machine account from samba, delete the normal unix account for it and then rejoin the Windows box to the domain.

For reference, the machine accounts are machinename$, but you can skip the trailing ‘$’ when talking to samba:

root# /usr/bin/smbpasswd -m -x machinename
root# /usr/sbin/userdel machinename$
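The one manual step in the procedure above is creating each user's profile directory under the [Profiles] share path, and forgetting it is what left Windows stuck on a temporary profile. The following is an added helper script (not from the original post, and not part of Samba) that creates that directory per user with mode 700 rather than making the share root world-writable, and checks an existing one for the ownership and mode Samba expects; it assumes GNU stat on Linux and that the Unix account already exists.

```shell
#!/bin/sh
# Added example: create or verify a roaming-profile directory for a domain
# user under the path given as "path" in the [Profiles] share of smb.conf.
# Assumes GNU coreutils (stat -c) and, for chown to another user, root.

# create_profile_dir BASE USER: mkdir + chown + chmod 700, e.g.
#   create_profile_dir /var/lib/samba/profiles steve
create_profile_dir() {
    base="$1"; user="$2"
    dir="$base/$user"
    mkdir -p "$dir"
    chown "$user" "$dir"   # add ":users" here to match "chown steve.users"
    chmod 700 "$dir"       # only the owner may read the profile contents
    echo "created $dir"
}

# check_profile_dir BASE USER: returns 0 when the directory exists, is owned
# by USER and is mode 700; otherwise prints what is wrong and returns 1.
check_profile_dir() {
    base="$1"; user="$2"
    dir="$base/$user"
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir (Windows will fall back to a temporary profile)"
        return 1
    fi
    owner=$(stat -c '%U' "$dir")
    if [ "$owner" != "$user" ]; then
        echo "WRONG OWNER: $dir is owned by $owner, expected $user"
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "700" ]; then
        echo "WRONG MODE: $dir is $mode, expected 700"
        return 1
    fi
    echo "OK: $dir"
    return 0
}

# Stand-alone use: ./profile_dir.sh /var/lib/samba/profiles steve
if [ $# -eq 2 ]; then
    check_profile_dir "$1" "$2" || create_profile_dir "$1" "$2"
fi
```

Run it once per user after useradd and smbpasswd; if the check reports a wrong owner or mode on a directory Windows has already written to, fix the bits rather than recreating the directory so the stored profile is kept.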

And that’s it! It all works! Even my new Infrant NAS joined and participated in the domain without any problems.

After that I needed to geek out some more and installed an NTP server which goes out to the network timeservers and serves time for all the internal machines…

What’s next?


22 Comments

Karen said:

Steve, I got as far as "....linux box...." before my eyes glazed over. I'll be back tomorrow to see Julian's picture. :) See you next week.

Michael said:

Hey Steve, I tried doing the same thing with the same result, but had time constraints so I couldn't finish it. So all you have to do is delete the machine account, that's easy.
Next time I have a few free hours I'll set up my server box again and try again.
Michael

Colin said:

Thanks for the write up.
I was just about to set up a domain controller for pretty much the same reasons.
It is almost as if it was written for me. My Infrant NAS, Xbox 360, PCs, Linux, Macs on Intels and such will all be much happier now.
Cheers,
A Brit in San Francisco.

Bryan said:

Ok, fun stuff, but how does one get a linux client box to authenticate via our shiny new domain?

BIBIN said:

HOW TO ADD A MACHINE TO DOMAIN?

Steve said:

Bryan - I didn't go that far... :-)

BIBIN: That's described in the post...

Watt said:

Do you have any idea of Samba4?

gestibar said:

nice :)
;))

Excellent work, old bean. Should make it easier for me to get our office one up and running, provided I can figure out what to do with XP Home...

Tony said:

Awesome writeup! I've been looking for a way to use my old Athlon 64 system for something like this.

tarvinder said:

Not working in RHEL 4 and it's doing something fishy with the machine name.

Chandra Shekhar said:

How to roaming profile in Samba PDC?

Any idea.......

Please advise....

HelloWorld said:

Peace people

We love you

Kaloyan Stoynov said:

Hi,

Thanks for the write up first, I intend to try it tomorrow on our office's new linux server, after losing the whole day today in trying to figure it out using LDAP, NIS or whatever more there is in a linux distro. :)... Hope it's going to work.

Justin said:

You mentioned "Install a DHCP server", please let me know the app name of a DHCP server.

Will try this! Thanks for the info!
Justin
Sunny South Africa

Steve said:

Justin: just the standard debian dhcp server.

busab said:

Hi,
this post is useful, thanks. Just two mistakes I found:

- logon path : the %L must be preceded by two backslashes, not one,
- logon home : two backslashes are needed too, and the path is %U, not home\%U (homes is a special samba section, like printers or global)

David said:

Hi,
this write up helped me quite a bit - thanks for posting it. Just wanted to contribute a bit regarding the profile directory.

If you chmod o+rw the dir where you told samba to store the profiles (for example in your case: chmod o+rw /var/lib/samba/profiles/ ), it creates the directories all by itself anytime a new user logs on. It's a beautiful thing and sure beats doing it manually :-)

Another neat trick I found is using the %a flag if you have several versions of windows you are working with so that registry entries from an older os don't goof up a newer one. It creates a new subdirectory for every version of windows to store profiles in.

logon path = \\%L\profiles\%U\%a

Dave said:

Thanks for the write up I've been looking for something like this for my Ubuntu server.

For the user trying to do this with Windows XP Home you will not be able to. XP Home cannot join a domain.

ergosteur said:

Thanks a lot! I currently have a Linux box set up as an Apache/PHP/MySQL server, but wanted to set up a Windows domain. I was considering migrating the web server to Windows 2003 before I saw this.

BBrian said:

You could have the logon script query a database with the computer name for what applications are assigned to it and which need to be installed. It should be easy to remove software too, assuming you're always using msiexec (windows installer).
I've never used Linux so I'm scared to try this.

Steve said:

Glad everyone is finding this useful.

About this Entry

This page contains a single entry by Steve published on November 14, 2006 11:12 PM.
