This procedure creates a "member server" in a Windows Domain. It does NOT create a primary domain controller (PDC). Member servers provide domain users with secure access to network resources, and therefore require authentication, but unlike a PDC, they do not maintain a password database. They hand authentication off to the PDC, and automatically allow authenticated users access. This allows the use of a single password to access network resources on the PDC and on multiple member servers.
If you only have one server, but you'd still like to secure the resources made available by that server, consider using password-protected shares ("user-level" security) instead of domains. Domains are only useful with two or more servers.
The configuration below assumes the PDC is named "emachine", on IP address 192.168.1.201, and is running an NT4-style domain called TESTDOM. It also assumes the member server is named "array" and is on IP address 192.168.1.202, and that the member server is to join the TESTDOM domain.
This procedure does not define home directories, a netlogon directory, user profile directories or a login script - these are all handled by the PDC.
Note: the PDC should be built and online before commencing the process below.
Other pertinent design factors:
See also: troubleshooting Samba
pw useradd -g machines -n array\$ -s /sbin/nologin -c "machine account"
Note: if the hostname of the member server is array.yourdomain.com then the hostname to use is "array" (without the quotes). Note also that on FreeBSD the \ MUST precede the $ sign: the $ denotes a machine account, but pw does not permit $ signs in account names unless they are escaped with \. Note also that the above command uses the group "machines", which it is assumed was created when the PDC was built. Lastly, note that this command uses the FreeBSD-specific pw utility (see its manpage).
Repeat, this step must be done on the PDC, not the member server!
smbpasswd -a -m array
Note: do not include the $ sign here, it is automatically added.
Repeat, this step must be done on the PDC, not the member server!
echo 192.168.1.202 array >> /etc/hosts
Substitute the IP address and hostname of your member server here. Placing the member server in /etc/hosts may not strictly be necessary, but it's certainly useful for troubleshooting. You could try skipping this step - if you have name resolution issues, you know where to look first.
Repeat, this step must be done on the PDC, not the member server!
# smb.conf - member server
[global]
    workgroup = TESTDOM
    server string = Samba Server [storage]
    security = domain
    password server = emachine
    hosts deny = ALL
    hosts allow = 192.168.1., 127.
    log level = 1
    log file = /var/log/samba/log.%m
    max log size = 300
    domain logons = no
    domain master = no
    preferred master = no
    os level = 20
    wins server = emachine
    dns proxy = no
    name resolve order = lmhosts host wins bcast
    allow trusted domains = no
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /sbin/nologin
    template homedir = /home/%D/%U
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    hide dot files = yes
    logon script =
    logon path =
    logon home =
    encrypt passwords = yes
    lm announce = no
    lanman auth = no
    min protocol = NT1
[vol1]
    path = /data/smbspace
    read only = no
    valid users = "+TESTDOM\Domain Users" TESTDOM\root
    create mask = 0660
    directory mask = 0771
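An added audit script, not part of the original article, that reads the security-relevant [global] values out of a member-server smb.conf like the one above and prints a finding for each one that is weaker than the settings used here (it also flags min protocol = NT1, which permits SMB1). The function names smb_get, smb_audit and sample_conf are assumptions, and sample_conf is a constructed abbreviation of the config shown.

```shell
#!/bin/sh
# smb_get FILE PARAM -> value of PARAM from [global] (case-insensitive, trimmed).
# Only the [global] section is consulted; share sections are skipped.
smb_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }                                   # comment lines
        /^[ \t]*\[/   { in_global = ($0 ~ /^[ \t]*\[global\]/); next }
        in_global && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) { print val; exit }
        }' "$1"
}
# smb_audit FILE -> one finding per line; no output means the checks passed.
smb_audit() {
    f="$1"
    [ "$(smb_get "$f" security)" = "domain" ] || echo "security must be 'domain': a member server defers authentication to the PDC"
    [ "$(smb_get "$f" 'encrypt passwords')" = "yes" ] || echo "encrypt passwords should be yes so no plaintext password crosses the wire"
    [ "$(smb_get "$f" 'lanman auth')" = "no" ] || echo "lanman auth should be no: LM hashes are trivially cracked"
    [ -n "$(smb_get "$f" 'hosts allow')" ] || echo "hosts allow is unset: restrict which networks may reach smbd"
    [ "$(smb_get "$f" 'allow trusted domains')" = "no" ] || echo "allow trusted domains should be no unless domain trusts are used"
    case "$(smb_get "$f" 'min protocol')" in
        ""|CORE|COREPLUS|LANMAN1|LANMAN2|NT1) echo "min protocol permits SMB1; raise it once no legacy clients need it" ;;
    esac
    return 0
}
# Constructed sample: the article's member-server config, abbreviated.
sample_conf() {
    cat <<'EOF'
[global]
    security = domain
    password server = emachine
    hosts deny = ALL
    hosts allow = 192.168.1., 127.
    allow trusted domains = no
    encrypt passwords = yes
    lanman auth = no
    min protocol = NT1
[vol1]
    path = /data/smbspace
    valid users = "+TESTDOM\Domain Users" TESTDOM\root
EOF
}
```

Run it against the live file with `smb_audit /usr/local/etc/smb.conf` after sourcing the script; on the config above the only finding is the SMB1 caveat.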
echo 192.168.1.201 emachine >> /etc/hosts
Substitute the IP address and hostname of your PDC here. If, when attempting to connect to the member server, the message "there are currently no logon servers available to service the logon request" appears, check that the member server can resolve the hostname used in the "password server" setting.
vi /etc/nsswitch.conf
Set the group and password lines as follows:
group: files winbind
passwd: files winbind
echo samba_enable=\"YES\" >> /etc/rc.conf
echo winbindd_enable=\"YES\" >> /etc/rc.conf
rehash
net rpc join -Uroot
When prompted, enter root's SMB password (i.e. the Samba password for the root account on the PDC). The rehash command is used here to add the freshly-installed Samba binaries to the path.
A reboot is recommended here. This will verify that Samba and Winbind start automatically. The server should automatically rejoin the domain on startup. Don't forget to log back in as root before continuing.
mkdir /data
mkdir /data/smbspace
chgrp "TESTDOM\Domain Users" /data/smbspace
chmod 770 /data/smbspace
This must be done AFTER Samba is started (as it uses a domain group).
Notes: