Linux as a Windows Primary Domain Controller

With apologies to Karen for two geeky posts in a row, I present “What I did last night”. I promise I'll post a picture of Julian in the next post.

As I alluded to in my previous post, I recently decided to scratch a nagging itch and set up a Windows Domain at Casa Del Lacey. I've been wanting to do this for a while, but it's recently come to a head with two Windows desktops, a Linux box, Mac laptop, Windows laptop, network storage box and the Xbox 360.

Having separate accounts and associated passwords plus having to set up the desktop “just how I like it” when moving to a new machine, browser bookmarks being different, etc… was just becoming a pain. I was also relying on my wireless router to provide DNS services (which was flaky).

Something had to be done.

Initially I thought about heading over to Best Buy and picking up the cheapest machine capable of running Microsoft Small Business Server. I'd had such a great experience with it at SwitchGear that it seemed like the logical choice, but it's expensive, even at the company store.

But then I thought “I bet those clever Open Source folks have figured this all out”.

And sure enough they have.

Samba supports operating as a Primary Domain Controller, serving up all that great single password, machine trust and roaming profile goodness. So with that, the plan of attack was to install all necessary software on my Linux box (an Apple PowerMac G5 running the Linux Debian distro):

  • Install a DHCP server, and assign IP addresses to all the machines on the network.
  • Install the BIND9 name server, and have it serve up DNS locally for one of my domains, creating a 'home.judesoftware.com' DNS domain in the process.

Now, at this point I could have configured the magic whereby the DHCP server assigns addresses dynamically and updates the DNS server in the process, but that would have required setting up keys and trust, etc… between the two services, and I didn't have that much patience.

  • Install Samba and set it up as a primary domain controller.

This part was fairly easy apart from one gotcha that I'll get to later. Basically I'm running pretty much with defaults; the trick is getting the clients set up. The following is my configuration file (/etc/samba/smb.conf) with a few modifications to protect the innocent:

[global]
workgroup = THIS_DOMAIN
passdb backend = tdbsam
printcap name = cups
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
# Note: The following specifies the default logon script.
# Per user logon scripts can be specified in the user account using pdbedit
#logon script = scripts\logon.bat
# This sets the default profile path. Set per user paths with pdbedit
logon path = \\%L\profiles\%U
#logon path =
logon drive = H:
logon home = \\%L\home\%U
#logon home =
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root
guest ok = No
browseable = No

# For profiles to work, create a user directory under the path
# shown. i.e., mkdir -p /var/lib/samba/profiles/steve
[profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes

This is a pretty standard setup and it gets you some cool features:

  • A domain named THIS_DOMAIN. Create user and machine accounts and the world is wonderful.
  • Each user's home directory on the Linux box is magically available as H: on their Windows box when they log in.
  • Roaming profiles. More on this later.

So, setting up a new user on the domain is pretty easy.

root# /usr/sbin/useradd -g users -d /home/sjl -s /bin/bash -c "Steve Lacey" steve
root# /usr/bin/smbpasswd -a steve

Pretty simple, huh? The first command creates a new Unix account (you can skip this step if the users already have accounts) and the second command adds the user to Samba's domain users.

You'll also need to make sure that you add a Samba account for root as by default he's the domain administrator.

Next up, adding machine accounts. Except you don't need to. Just go to the Windows machine, and from the system control panel applet join the machine to the domain - you'll need to enter the domain account and password for THIS_DOMAIN\root that you created in the previous paragraph. All is good, just reboot the Windows box and log in to the domain!

And now the problem that I encountered.

Ahhh, roaming profiles. These are a wonderful thing. They enable your settings (desktop themes, start menu choices, browser bookmarks, etc…) to be cached on the server so that when you move from machine to machine your experience is exactly the same. It's a wonderful thing to behold (and interestingly wasn't enabled at Microsoft when I was there).

For me, a problem occurred because I didn't actually create the per user directory where the profile is stored. It's the only part of the process that isn't automated, which means that I didn't do it.

When I logged into the domain from a Windows box for the first time, Windows told me that it couldn't find the profile and was giving me a temporary one.

Ooops, I thought. I figured out what was wrong - I needed to create /var/lib/samba/profiles/steve and chown steve.users it.

So I did that, but Windows was stuck on the temporary roaming profile - no amount of restarting and rebooting either box could fix it.

The only way I could resolve the issue was by having the Windows box leave the domain, delete the machine account from Samba, delete the normal Unix account for it and then rejoin the Windows box to the domain.

For reference, the machine accounts are machinename$, but you can skip the trailing '$' when talking to Samba:

root# /usr/bin/smbpasswd -m -x machinename
root# /usr/sbin/userdel machinename$
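
The profile-directory step described above is the one manual part of the setup, so here is a small helper for it, as an added example that is not part of the original post. The function names are made up for illustration; it assumes the profiles path from the smb.conf above, the "name:uid:Full Name" line format printed by `pdbedit -L`, and that it runs as root when the directory is for another user.

```sh
#!/bin/sh
# Added example (not from the original post): pre-create roaming profile
# directories so the first domain logon finds one waiting.
# PROFILE_ROOT matches "path" in the [profiles] share of the smb.conf above.
PROFILE_ROOT="${PROFILE_ROOT:-/var/lib/samba/profiles}"

# ensure_profile_dir USER [GROUP]   (hypothetical helper name)
# Creates $PROFILE_ROOT/USER owned by USER:GROUP with mode 0700, so no other
# domain user can read or plant files in someone else's profile.
ensure_profile_dir() {
    user=$1
    group=${2:-users}
    # Accept plain account names only: no slashes, no "." or "..", no leading
    # dash, and no machine accounts (those end in "$").
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*|.|..)
            echo "refusing name: $user" >&2
            return 1 ;;
    esac
    dir=$PROFILE_ROOT/$user
    # Do not chown through a symlink left where the directory should be.
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    mkdir -p "$dir" && chown "$user:$group" "$dir" && chmod 0700 "$dir"
}

# missing_profiles   (hypothetical helper name)
# Reads "name:uid:Full Name" lines on stdin and prints every user that has no
# profile directory yet. Machine accounts (trailing "$") are skipped.
missing_profiles() {
    while IFS=: read -r name _rest; do
        case $name in ''|*\$) continue ;; esac
        [ -d "$PROFILE_ROOT/$name" ] || printf '%s\n' "$name"
    done
}
```

Sourcing the file and running `pdbedit -L | missing_profiles` as root lists the accounts that would hit the temporary-profile problem on their first logon; pass each name to `ensure_profile_dir` before the user logs in.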

And that's it! It all works! Even my new Infrant NAS joined and participated in the domain without any problems.

After that I needed to geek out some more and installed an NTP server which goes out to the network timeservers and serves time for all the internal machines…

What's next?
