With apologies to Karen for two geeky posts in a row, I present “What I did last night”. I promise I'll post a picture of Julian in the next post.
As I alluded to in my previous post, I recently decided to scratch a nagging itch and set up a Windows Domain at Casa Del Lacey. I've been wanting to do this for a while, but it's recently come to a head with two Windows desktops, a Linux box, Mac laptop, Windows laptop, network storage box and the Xbox 360.
Having separate accounts and associated passwords, plus having to set up the desktop “just how I like it” when moving to a new machine, browser bookmarks being different, etc… was just becoming a pain. I was also relying on my wireless router to provide DNS services (which was flaky).
Something had to be done.
Initially I thought about heading over to Best Buy and picking up the cheapest machine capable of running Microsoft Small Business Server. I'd had such a great experience with it at SwitchGear that it seemed like the logical choice, but it's expensive, even at the company store.
But then I thought “I bet those clever Open Source folks have figured this all out”.
And sure enough they have.
Samba supports operating as a Primary Domain Controller, serving up all that great single password, machine trust and roaming profile goodness. So with that, the plan of attack was to install all necessary software on my Linux box (an Apple PowerMac G5 running the Linux Debian distro
Now, at this point I could have configured the magic whereby the DHCP server assigns addresses dynamically and updates the DNS server in the process, but that would have required setting up keys and trust, etc… between the two services, and I didn't have that much patience.
This part was fairly easy apart from one gotcha that I'll get to later. Basically I'm running pretty much with defaults; the trick is getting the clients set up. The following is my configuration file (/etc/samba/smb.conf) with a few modifications to protect the innocent:
This is a pretty standard setup and it gets you some cool features:
So, setting up a new user on the domain is pretty easy.
Pretty simple, huh? The first command creates a new unix account (you can skip this step if the users already have accounts) and the second command adds the user to samba's domain users.
You'll also need to make sure that you add a samba account for root as by default he's the domain administrator.
Next up, adding machine accounts. Except you don't need to. Just go to the Windows machine, and from the system control panel applet join the machine to the domain - you'll need to enter the domain account and password for THIS_DOMAIN\root that you created in the previous paragraph. All is good, just reboot the Windows box and log in to the domain!
And now the problem that I encountered.
Ahhh, roaming profiles. These are a wonderful thing. They enable your settings (desktop themes, start menu choices, browser bookmarks, etc…) to be cached on the server so that when you move from machine to machine your experience is exactly the same. It's a wonderful thing to behold (and interestingly wasn't enabled at Microsoft when I was there).
For me, a problem occurred because I didn't actually create the per user directory where the profile is stored. It's the only part of the process that isn't automated, which means that I didn't do it.
When I logged into the domain from a Windows box for the first time, Windows told me that it couldn't find the profile and was giving me a temporary one.
Oops, I thought. I figured out what was wrong - I needed to create /var/lib/samba/profiles/steve and chown steve.users it.
So I did that, but Windows was stuck on the temporary roaming profile - no amount of restarting and rebooting either box could fix it.
The only way I could resolve the issue was by having the Windows box leave the domain, delete the machine account from samba, delete the normal unix account for it and then rejoin the Windows box to the domain.
For reference, the machine accounts are machinename$, but you can skip the trailing '$' when talking to samba:
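As an added example (my own helper, not code from the post), a small POSIX shell script covering the two manual steps above: creating a domain user together with the roaming-profile directory that Samba does not create for you, and removing a stale machine account. It assumes the post's /var/lib/samba/profiles path and 'users' group; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the post's own: the two manual steps the post walks
# through, creating a domain user with its roaming-profile directory and
# removing a stale machine account. Assumes the post's profile path and
# the 'users' group; DRY_RUN=1 prints the commands instead of running them.
set -eu

PROFILE_ROOT="${PROFILE_ROOT:-/var/lib/samba/profiles}"
PROFILE_GROUP="${PROFILE_GROUP:-users}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi
}

# Samba stores machine accounts as NAME$ but accepts NAME on the command
# line, so normalise either spelling.
strip_dollar() {
    printf '%s\n' "${1%\$}"
}

profile_path() {
    printf '%s/%s\n' "$PROFILE_ROOT" "$1"
}

# Create the unix account (skipped if it exists), the Samba account, and
# the profile directory Samba does not create for you. 0700 keeps other
# domain users out of the profile (bookmarks, saved settings, etc.).
add_domain_user() {
    user="$1"
    if ! getent passwd "$user" >/dev/null 2>&1; then
        run useradd -m "$user"
    fi
    run smbpasswd -a "$user"   # prompts for the domain password
    run install -d -m 0700 -o "$user" -g "$PROFILE_GROUP" "$(profile_path "$user")"
}

# Have the Windows box leave the domain first, then drop both the Samba
# and the unix account for machinename$.
remove_machine_account() {
    name="$(strip_dollar "$1")"
    run smbpasswd -x "$name"
    run userdel "${name}\$"
}

case "${1:-}" in
    add)       add_domain_user "$2" ;;
    rmmachine) remove_machine_account "$2" ;;
esac
```

Run as root with `./samba-helper.sh add steve` or `./samba-helper.sh rmmachine 'pc1$'`.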
And that's it! It all works! Even my new Infrant NAS joined and participated in the domain without any problems.
After that I needed to geek out some more and installed an NTP server, which goes out to the network time servers and serves time for all the internal machines…