A domain member server is similar to a stand-alone server, except that it is joined to a Windows-based (Server 2003) domain controller. An example of a domain member server is a departmental server running Samba that has a machine account on the Primary Domain Controller, a Windows machine (Server 2003). All of the department's clients authenticate with the PDC, which also supplies desktop profiles and all network policy files. The difference is that the departmental server controls its own printer and network shares.
Preparing Windows Server 2003 as a domain controller:
Operating System: Windows Server 2003 Enterprise Edition
Machine Name: wdc01
Machine IP: 210.207.201.100
Domain Name: alphabd.net
FQDN: wdc01.alphabd.net
Step-1: Install & configure the DNS server on Windows Server 2003
Start → Program → Administrative Tools → Configure Your Server Wizard → Next → Next → Custom Configuration → Next → Select DNS → Next → Next → wait a moment → Next
Select “Create forward and reverse lookup zones” (2nd option) → Next → Select “Yes, create a forward lookup zone now” → Next → Primary zone → Next → Type the zone name “alphabd.net” into the Zone name field → Next → keep the default settings → Next → Select “Allow both nonsecure and secure dynamic updates” → Next
Select “Yes, create a reverse lookup zone now” → Next → Primary zone → Next → Type “210.207.201.” into the Network ID field → Next → keep the default settings → Next → Select “Allow both nonsecure and secure dynamic updates” → Next → Next → Cancel → Finish → OK → Finish → The Manage Your Server wizard page will be displayed; close it.
Edit the DNS resource records
Host (A) record:
Start → Program → Administrative Tools → DNS → Right click on “wdc01” → All Tasks → Restart → Expand Forward Lookup Zones → Right click on “alphabd.net” → New Host (A) → Type “wdc01” into the Name field → Type “210.207.201.100” into the IP address field → Select the “Create associated pointer (PTR) record” check box → Add Host → OK → Done
PTR record:
Expand Reverse Lookup Zones → Select “210.207.201.x Subnet”; in the right pane you will see that the PTR record has been added automatically. If it has not, right click on the right pane → Refresh.
SOA & Name Server record:
Expand Forward Lookup Zones → Click alphabd.net → Double click on Start of Authority (SOA) → Ensure that the SOA tab is selected → Click Browse in the Primary server: section → Double click on your machine name (in this case my machine is wdc01) → Double click on Forward Lookup Zones → Double click alphabd.net → Select wdc01 → OK
Click Browse in the Responsible person: section → Double click on your machine name (in this case my machine is wdc01) → Double click on Forward Lookup Zones → Select All Records from the Record type section → Double click on alphabd.net → Select wdc01 → OK → Replace wdc01 with hostmaster → OK
Do the same in the Reverse Lookup Zone.
Name Server record:
From the Forward Lookup Zone, double click on the Name Server (NS) record → Edit → Type the full DNS name of the server (wdc01.alphabd.net.) → Click Resolve → OK
Do the same in the Reverse Lookup Zone.
Prepare Samba for acting as a member server
Basic configuration
Step-1: Check whether the Samba RPM packages are installed with either of these commands:
[root@srv1 ~]# rpm -qa | grep -i samba
or
[root@srv1 ~]# rpm -qa 'samba*'
samba-common-3.0.33-3.14.el5
samba-swat-3.0.33-3.14.el5
samba-3.0.33-3.14.el5
samba-client-3.0.33-3.14.el5
system-config-samba-1.2.41-5.el5
If they are not installed, install the packages with yum:
[root@srv1 ~]# yum install -y 'samba*'
Step-2: Check and configure the network card:
[root@srv1 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
(Modified file):
# Broadcom Corporation NetLink BCM57875 Gigabit Ethernet PCI Express
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:0C:29:EB:B2:CA
ONBOOT=yes
TYPE=Ethernet
PEERDNS=no
USERCTL=no
IPV6INIT=no
IPADDR=210.207.201.8
NETMASK=255.255.255.0
NETWORK=210.207.201.0
BROADCAST=210.207.201.255
After changing the file you have to bring the NIC (eth0) down and up again, or restart the network service, with the following commands:
[root@srv1 ~]# ifdown eth0
[root@srv1 ~]# ifup eth0
[root@srv1 ~]# service network restart
Step-3: After completing the NIC configuration, change the host name by editing this file:
[root@samba ~]# vi /etc/sysconfig/network
(Modified file):
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=srv1
Additional configuration for the Samba server
Creating & managing users & groups:
Step-1: Create a group named “samba-users” and a directory named “Resources” for sharing resources.
[root@srv1 ~]# groupadd samba-users
[root@srv1 ~]# mkdir /opt/Resources
Step-2: Create some Samba users with passwords, add them to the “samba-users” group and set the “Resources” directory as their home directory.
[root@srv1 ~]# useradd -g samba-users -d /opt/Resources user1
[root@srv1 ~]# useradd -g samba-users -d /opt/Resources user2
[root@srv1 ~]# useradd -g samba-users -d /opt/Resources administrator
[root@srv1 ~]# smbpasswd -a user1
[root@srv1 ~]# smbpasswd -a user2
[root@srv1 ~]# smbpasswd -a administrator
Step-3: Set a Samba password for “root” so that you can log in as “root” from both Windows & Linux machines.
[root@srv1 ~]# smbpasswd -a root
Step-4: Assign the appropriate permissions on the “Resources” directory for those users.
[root@srv1 ~]# chown root:samba-users /opt/Resources/
[root@srv1 ~]# chmod 750 /opt/Resources/
Step-5: Now create some subdirectories in “Resources” named “Documents”, “Software” & “Others”.
[root@srv1 ~]# mkdir -p /opt/Resources/Documents
[root@srv1 ~]# mkdir -p /opt/Resources/Software
[root@srv1 ~]# mkdir -p /opt/Resources/Others
Step-6: Now set the permissions on those subdirectories so that the owner can read, write & delete, while other users have read & write permission but cannot delete files that belong to someone else (that is what the sticky bit, the leading 1 in 1770, enforces).
[root@srv1 ~]# chown root:samba-users /opt/Resources/Documents
[root@srv1 ~]# chown root:samba-users /opt/Resources/Software
[root@srv1 ~]# chown root:samba-users /opt/Resources/Others
[root@srv1 ~]# chmod 1770 /opt/Resources/Documents
[root@srv1 ~]# chmod 1770 /opt/Resources/Software
[root@srv1 ~]# chmod 1770 /opt/Resources/Others
Step-7: Now create a directory with read & write permission that anonymous users can access.
[root@srv1 ~]# mkdir /opt/Public
[root@srv1 ~]# groupadd anonymous-users
[root@srv1 ~]# useradd -g anonymous-users -d /opt/Public guest
[root@srv1 ~]# useradd -g anonymous-users -d /opt/Public nobody
[root@srv1 ~]# chown root:anonymous-users /opt/Public/
[root@srv1 ~]# chmod 777 /opt/Public/
Step-8: Set a blank password for the anonymous users so that they can access this folder without a password.
[root@srv1 ~]# smbpasswd -a guest
[root@srv1 ~]# smbpasswd -a nobody
Server configuration
Step-1: To configure Samba as a member server of the Windows domain controller, edit the smb.conf file as below:
[root@srv1 ~]# vi /etc/samba/smb.conf
#==================== Global Settings ================
[global]
workgroup = ALPHABD
server string = Member Server
netbios name = SRV1
hosts allow = 127. 210.207.201.
# --------------------------- Logging Options -----------------------------
log file = /var/log/samba/%m.log
max log size = 50
# ----------------------- Domain Members Options ------------------------
security = ADS
passdb backend = tdbsam
realm = ALPHABD.NET
password server = *
encrypt passwords = yes
# ----------------------- Browser Control Options ----------------------------
local master = no
os level = 33
preferred master = no
#----------------------------- Name Resolution -------------------------------
wins support = yes
# --------------------------- Printing Options -----------------------------
printing = cups
#========================= Share Definitions =====================
[Resources]
comment = All Resources for domain users
path = /opt/Resources
browseable = yes
writable = yes
valid users = root user1 admin
public = no
printable = no
create mask = 0765
write list = @samba-users @Administrator
Step-2: Configure Kerberos authentication on the member server (the Samba server)
Kerberos is the network authentication protocol used by Active Directory; it authenticates systems to one another with encrypted tickets issued by the domain controller instead of sending passwords across the network.
[root@srv1 ~]# vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = ALPHABD.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
[realms]
 ALPHABD.NET = {
  kdc = wdc01.alphabd.net:88
  admin_server = wdc01.alphabd.net:749
  default_domain = alphabd.net
 }
[domain_realm]
 .alphabd.net = ALPHABD.NET
 alphabd.net = ALPHABD.NET
[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
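Before running kinit and the join, it is worth checking that smb.conf and krb5.conf agree on the realm and that no template entry has been left behind. The following Python check is an added example, not code from this page or from the Samba project; parse_conf and check_member_server are names chosen here, and the sample configuration is constructed to contain a [domain_realm] section that still names a template domain plus a guest-writable share.

```python
import re

def parse_conf(text):
    """Parse smb.conf/krb5.conf syntax: [section], key = value, krb5 'x = { ... }' blocks."""
    conf, stack = {}, [{}]
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop comments
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":                   # new section
            stack = [conf.setdefault(line[1:-1].strip().lower(), {})]
        elif line == "}":                                         # end of a krb5 block
            stack.pop()
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if val == "{":                                        # start of a krb5 block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = val
    return conf

def check_member_server(smb_text, krb5_text):
    """Return a list of findings; an empty list means the two files agree on the join."""
    smb, krb = parse_conf(smb_text), parse_conf(krb5_text)
    g = {k.lower(): v for k, v in smb.get("global", {}).items()}
    realm, out = g.get("realm", "").upper(), []
    if g.get("security", "").lower() != "ads":
        out.append("security must be ADS for an Active Directory member server")
    if krb.get("libdefaults", {}).get("default_realm", "").upper() != realm:
        out.append("krb5.conf default_realm differs from smb.conf realm")
    if realm.lower() not in [d.lstrip(".").lower() for d in krb.get("domain_realm", {})]:
        out.append(f"[domain_realm] never maps {realm.lower()} (template leftover?)")
    if g.get("encrypt passwords", "yes").lower() != "yes":
        out.append("encrypt passwords must be yes; the DC rejects plaintext logons")
    for name, share in smb.items():                               # share exposure checks
        s = {k.lower(): v.lower() for k, v in share.items()}
        if name != "global" and s.get("public", s.get("guest ok")) == "yes" \
                and s.get("writable", s.get("writeable")) == "yes":
            out.append(f"share [{name}] is writable by unauthenticated guests")
    return out

# Constructed sample (not the page's files): the page's join settings, a [domain_realm]
# block still carrying a template domain, and a guest-writable share.
SMB_CONF = "\n".join(["[global]", "security = ADS", "realm = ALPHABD.NET",
                      "encrypt passwords = yes", "[Public]", "public = yes", "writable = yes"])
KRB5_CONF = "\n".join(["[libdefaults]", "default_realm = ALPHABD.NET", "[realms]",
                       "ALPHABD.NET = {", "  kdc = wdc01.alphabd.net:88", "}",
                       "[domain_realm]", ".example.com = ALPHABD.NET"])
```

Run check_member_server(SMB_CONF, KRB5_CONF) against the real files by reading /etc/samba/smb.conf and /etc/krb5.conf instead of the constructed strings.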
Step-3: Adding Samba as a member server of a domain (Windows-based domain):
In order to join a member server to an Active Directory domain you have to complete the following tasks step by step:
- Create a machine account for the member server on the domain controller.
- Associate the member server with the Active Directory domain.
Create machine account:
To create the machine account & join the Windows 2003 Active Directory, Kerberos must be initialized for the member server. To obtain an administrative Kerberos ticket, type the following command as root on the member server:
[root@srv1 ~]# kinit Administrator@ALPHABD.NET
The kinit command is the Kerberos initialization program; here it references the Active Directory Administrator account & the Kerberos realm. Since Active Directory requires Kerberos tickets, kinit obtains & caches a Kerberos ticket-granting ticket for client/server authentication.
To join the member server (srv1.alphabd.net) to the Active Directory domain, type the following command as root on the member server, supplying the Windows domain administrator's password after the % sign:
[root@srv1 ~]# net rpc join -U Administrator%<windows_admin_password>
Because the Samba machine was found in the corresponding Kerberos realm (the kinit command succeeded), the net command connects to the Active Directory server using the administrator account & password it was given. This creates the appropriate machine account in Active Directory & grants the Samba domain member server its permissions in the domain.
Note: Although Samba can be a member of an Active Directory domain, it is not possible for this version of Samba to operate as an Active Directory domain controller.
Sharing & accessing Samba shares
Step-1: Accessing shared resources from a Windows machine:
Double click on My Network Places → Click “Entire Network” → Microsoft Windows Network → Double click on the ALPHABD icon → here you will see the Samba server & all the Windows machines → Double click the Samba server → Double click your shared resources; you can now create, delete and copy/paste files as needed.
You can also use your home directory as a network drive: double click on the My Computer icon → go to the Network Drives section → Double click a drive and put your documents into it.
Step-2: Accessing shared resources by mounting a Linux share on a Windows machine:
Samba is a program which allows you to share your files between Linux and Windows. Your Samba share contains all of your Linux files; by mounting the Samba share on your Windows machine, you will be able to access your files across the operating systems.
Scenario:
1. Select Start → Run and type “secpol.msc”, then press “Enter”, or Start → Program → Administrative Tools → Local Security Policy.
2. Expand the Local Policies container → Security Options.
3. Locate “Network Security: LAN Manager authentication level” → Double click.
4. Change the setting from “Send LM & NTLM responses” to “Send LM & NTLM - use NTLMv2 session security if negotiated” → OK.
5. Open My Computer → Tools → Map Network Drive.
6. Click on the “Drive:” drop-down menu & choose a drive letter (Z:).
7. Click Browse → Select Entire Network → Microsoft Windows Network → Choose your workgroup/domain name → Select the Samba machine → Select the share folder that you want to map → OK.
8. Make sure the “Reconnect at Logon” box is checked → Finish.
9. The Samba share should now be visible in “My Computer”.
Step-3: Sharing Windows resources so that you can access them from a Linux machine
You can also share many resources of a Windows machine for access from a Linux machine: a CD-ROM, DVD, floppy or hard disk drive installed on the Windows machine. In this section I'll show you how to share a CD-ROM drive from the Windows machine & how to access it from the Linux machine.
The Windows client machine should first be set up as a member of the Samba domain or workgroup. The next step is to share the CD-ROM drive; the steps depend on which version of Windows you have.
For Windows XP:
- Double click 'My Computer'
- Right click on the CD-ROM drive and choose 'Properties', then Sharing
- Set the Share Name to 'cdrom' and the appropriate access control
- Log out and log in again as normal using your current login
Step-4: Mount the shared CD-ROM drive on the Linux machine and put a share definition in the smb.conf file so that you can access it from both Linux & all other Windows machines. To do this, follow the steps below.
[root@srv1 ~]# mkdir /opt/CDROM
[root@srv1 ~]# chown root:samba-users /opt/CDROM
[root@srv1 ~]# smbmount //<IP_or_machine_name>/<share_name> /opt/CDROM
OR
[root@srv1 ~]# mount -t smbfs //<IP_or_machine_name>/<share_name> /opt/CDROM
After that, mount the drive permanently so that the share is loaded on every restart.
[root@srv1 ~]# vi /etc/fstab
Then add this line, with the fields separated by spaces or tabs:
//windows_IP/Share_name /opt/CDROM smbfs username=nobody 0 0
Now put a share definition into the share section of smb.conf.
From the Linux machine:
[root@srv1 ~]# smbclient -L Win_IP
Once connected to a share with smbclient you can use commands such as dir, cd, put, get, pwd, ls, mget, q, etc.
Testing the Samba configuration file
To test the configuration file for syntax errors, use the “testparm” command. It also lists all settings currently in effect, including defaults that do not appear in the configuration file.
[root@samba ~]# testparm -v
Testing the share configuration:
Use the smbclient command to test your share. Substitute the name of your Windows client PC for “Client1”, and in place of “user1” provide a valid workgroup/domain username that normally has access to the Windows client. You should see the share listing when you enter that user's password:
[root@srv1 ~]# smbclient -L Client1 -U user1