Mac OS X Server Samba Primary Domain Controller Configuration

—Brian Getsinger,

Updated 31 May 2002

Introduction
Installing
Configuring
Creating Users and Machine Accounts
Creating Dependent Directories
Finishing Up
Joining the Domain

Introduction

This document will guide you through the process of configuring Samba 2.2.x as an NT Primary Domain Controller in Mac OS X 10.1. This document is based on the guidelines available from ‘The Samba 2.2 PDC HowTo’ by David Bannon and other resources available from samba.org.

What have we been able to do?

• Become a Domain Controller
• Process and Authenticate User Logins
• Create Shares
• Implement Roving Profiles
• Run login scripts

What haven’t we been able to do?

• Work as a W2K Active Directory Controller
• Participate in Trust Relationships
• Work as a Backup Domain Controller
• Join a Windows XP Client

Installing

Installation, at least in the scope of this document, is done via OS 10.1 Server installation.

Configuring

Configuration is done in two parts and utilizes the utility ‘Server Admin’ for initial setup and Terminal to edit the smb.conf file.

Part 1:

Initial setup for Samba can be done by Server Admin . Launch ‘Server Admin’ from the dock and access ‘Windows’ configuration from the ‘File & Print’ tab.

General Tab:

• Server Name – Netbios Name
• Workgroup – Domain Name
• Description – Server Description viewed in Network Neighborhood
• Code Page
• Start Windows Services on System Startup

     

Access Tab:

• Depending on your environment select the appropriate access level.

Logging Tab:

Set the detail level of logging.

• 1. None – No access events are logged. Only errors and warnings are logged.
• 2. Minimal – Logs service start and stops authentication failures, warning and error messages, browser name registration, events.
• 3. Verbose – Logs file access events plus the information logged at the ?Minimal? level.

Neighborhood Tab:

• WINS Registration
  1. Select 'Off' if you do not need Netbios to IP name registration
  2. For Samba to act as a WINS server check 'Enable WINS Server'
  3. or enter a WINS server address.
• Workgroup/Domain Services – In this case we are acting as both Master Browser and Domain Master Browser.

 

Once these are set start the service from ‘Server Admin’. The smb.conf located in /etc/ will look similar to this:

Samba config file created using RADMIN
[global]
   local master = YES
   guest account = unknown
   max smbd processes = 0
   encrypt passwords = YES 
   print command = /usr/sbin/PrintServiceAccess printps %p  %s 
   lpq command = /usr/sbin/PrintServiceAccess jobs %p 
   lprm command = /usr/sbin/PrintServiceAccess remove %p  %j 
   lppause command = /usr/sbin/PrintServiceAccess hold %p  %j 
   lpresume command = /usr/sbin/PrintServiceAccess release %p  %j 
   printer admin = unknown, @staff 
   server string = OS X Server 
   client code page = 437
   coding system = utf8 
   log file = /Library/Logs/WindowsServices/WindowsFileService.log 
   netbios name = ETSxServer 
   workgroup = ETS 
   log level = 2 
   wins support = NO 
   wins server = 100.100.100.100 
   domain master = YES 
[Home]
   path = /Users 
   public = YES 
   read only = NO
   comment = Users Home Directory 
   valid users = @staff 
[Shared]
   path = /Users/Shared 
   public = YES 
   writable = YES 
   valid users = @staff

Part 2:

The next step is to edit the smb.conf to reflect the changes needed to configure samba as a domain controller. Utilizing Terminal, navigate to /etc and from the prompt, edit the file to resemble the one below:

sudo vi smb.conf

Example smb.conf file.

Samba config file created using RADMIN
[global]
   local master = YES 
   guest account = unknown 
   max smbd processes = 0 
   encrypt passwords = YES 
   print command = /usr/sbin/PrintServiceAccess printps %p  %s 
   lpq command = /usr/sbin/PrintServiceAccess jobs %p 
   lprm command = /usr/sbin/PrintServiceAccess remove %p  %j 
   lppause command = /usr/sbin/PrintServiceAccess hold %p  %j 
   lpresume command = /usr/sbin/PrintServiceAccess release %p  %j 
   printer admin = unknown, @staff 
   server string = OS X Server 
   client code page = 437 
   coding system = utf8 
   log file = /Library/Logs/WindowsServices/WindowsFileService.log 
   netbios name = ETSxServer 
   workgroup = ETS 
   log level = 2 
   wins support = NO 
   wins server = 100.100.100.100 
   domain master = YES 
   time server = TRUE 
   domain admin group = @admin 
   security = user 
   local master = YES 
   preferred master = YES 
   domain logons = YES 
   logon drive = H: 
   logon home = \\ETSxServer\Home\%u 
   logon path = \\ETSxServer\Profiles\%u 
   logon script = %u.bat [Netlogon]
   path = /etc/samba/netlogon 
   public = YES 
   read only = YES 
   comment = Netlogon Share 
   valid users = @staff 
   browseable = NO [Home]
   path = /Users 
   public = YES 
   read only = NO 
   comment = Users Home Directory 
   valid users = @staff [Shared]
   path = /Users/Shared 
   public = YES 
   writable = YES 
   valid users = @staff [Profiles] 
   path = /Profiles 
   public = YES 
   read only = NO 
   comment = Users Profiles 
   browseable = NO

There are a range of parameters that may appear in a smb.conf file. Some that may be of interest to a PDC are:

encrypt passwords = YES This parameter must be 'yes' to allow any of the recent service pack NTs to logon. There are some reg hacks that turn off encrypted passwords on the NTws itself but if you are going to use the smbpasswd system (and you should) you must use encrypted passwords.

domain admin group = @admin This specifies which group becomes “administrator” on their local box when logging in. In this case, anyone who is a member of the admin group becomes “administrator” on their local box. You may choose not to use this at all, or only for certain users you deem capable, or for every user. It depends on the policy you have within your department. It should be noted that this also allows them to become administrator on ANY machine in the domain, as well as gives them other domain privileges. With the newer versions of Samba, this functionality has changed somewhat and will need to be updated.

time server = TRUE This allows the time on the local workstation to be synchronized with the time on the server. This can only be done if the client logon holds sufficient privileges, otherwise it will fail. Therefore, the user logging in must be administrator or hold the specific privilege of setting the date and time.

security = USER Samba can operate in two security modes, Share Level or User Level. The default with Samba 2.0 or higher is User Level. User Level requires authentication when you access the server for any shares. Share Level does not require server authentication, but they will have to supply a per-share password before connecting to each share.

domain master = YES This parameter tells nmbd to claim a special domain-specific NETBIOS name that identifies it as a domain master browser for a given workgroup. This enables clients to receive the domain wide browse list, instead of just the list for their broadcast-isolated subnet.

preferred master = YES If set to “yes,” nmbd will force an election at startup and will have an advantage in winning the election. It is recommended to use this in conjunction with “domain master = yes” so that your Samba machine can be almost guaranteed to become a domain master.

domain logons =YES This parameter must be turned on to utilize the PDC capabilities of Samba. It enables nmbd to process requests which are used by Win9x clients to log into the domain and by clients to find a domain controller.

logon drive = H: This specifies which drive letter will be used when mapping the user’s logon home (home directory).

logon home = \\ETSxServer\%u This parameter specifies the UNC path to use for mapping the previously mentioned logon drive. In this case “ETSxServer” is the server’s name and “%u” is a samba macro which holds the username. So at login, user “xyz” would have H: automatically mapped to \\ETSxServer\xyz.

logon path=\\ETSxServer\Profiles\%u Lets you specify where you would like users profiles kept. The default, that is in the users home directory, does encourage a bit of fiddling.

logon script=%u.bat This specifies the path and filename to be used for domain logon script processing. “%u” is a Samba macro that holds the username.

Share Definitions:

[Netlogon]	<-- share definition
PATH = /etc/samba/netlogon	<-- The directory that is shared
public = YES	<-- Will this directory be publicly?
read only = YES	<-- Is the directory writeable?
comment = Netlogon	<-- Share Directory Information
valid users = @staff	<-- What users have rights to the dir?
browseable = NO	<-- Is it listed in Network Neighborhood?

Creating Users and Machine Accounts

We will first add users and machines to NetInfo and use user Brian Jones as an example.

Adding Users

From 'Server Admin' we will select 'Users and Groups' and add Brian Jones as a user. Brian Jones will be used as the long name, brianj as the short name, he will have logon rights, but not be able to administer the server. In the advanced tab he will have a Primary Group 20 (staff), no login shell, local Home Directory, and Share Point will be set to User.

General	Advanced	Comment

Adding Machines

We add machines using the same procedure as adding users. To keep the Machine accounts and User accounts organized we have named the Machine Long Name 'Brian Jone’s Computer' and the short name 'brianjs'. We added an 's' at the end of the shortname because NetInfo does not allow us to use the $ character. We will replace the 's' with '$' by manually editing the name in NetInfo. We have also set the Login Shell to none and home directory to none.

General	Advanced	Comment

We will now need to edit the Machine to include a '$' at the end of the name. Open NetInfo Manager and authenticate as root. Navigate to the Users directory and select the above machine: brianj. Edit all the fields that have brianjs and change it to brianj$. Choose update and save.

Before	After

 

The next step is to add users and machines to Samba. Note that Samba stores user information separately, but before a user can exist in Samba it must exist in NetInfo.

Adding Samba Users and Machines

You must add root to Samba or you’ll never add a user to a domain.

  smbpasswd –a root

Enter the same password as your root password on the server.

Next add the users and set their password:

  smbpasswd –a brianj

Next add the machine account:

  smbpasswd –a –m brianj

The –m tag tells samba this is a machine. You don’t need to add the $ when creating a machine. Samba does that for you.

Set the Machine password:

  smbpasswd brianj$

Creating Dependent Directories

Netlogon

In our smb.conf we set the share [netlogon] that points to PATH = /etc/samba/netlogon. By default this directory does not exist. Using Terminal, navigate to /etc and type in these commands to create the directory and set the appropriate rights.

mkdir samba
chown root samba
chgrp staff samba
cd samba
mkdir netlogon
chown root netlogon
chgrp staff netlogon

Profiles

In our smb.conf we also set the share [netlogon] that points to PATH = //Profiles. By default this directory does not exist. Using Terminal, navigate to / and type in these command to create the directory and set the appropriate rights.

mkdir Profiles
chown root Profiles
chgrp staff Profiles
chmod 777 Profiles

Finishing Up

After you have the smb.conf file the way you want it, you need to get the smb process to reload the configuration.

ps –aux | grep smb

This will return something like this:

root 424   0.0  0.1   3360 136  ??  Ss   0:00.01 /usr/sbin/smbd -D -l /Library/Logs/WindowsServices/WindowsFileService.log 
root 444   0.0  0.2   3576 640  ??  S    0:00.28 /usr/sbin/smbd -D -l /Library/Logs/WindowsServices/WindowsFileService.log

The first number after root, the user that the process is running under, is the process ID. We need to restart the process to make the changes take effect. So, far each instance of smb running

sudo kill –HUP <process ID>

Or

sudo kill –HUP 444

in our example. Once the servers have been restarted you will want to make sure that Server Admin will not be able to rewrite your config script. To do this we will set the uchg, or immutable, flag on the smb.conf file.

sudo chflags uchg /etc/smb.conf

And your configuration file is safe between reboots. To change your file you will first need to unset the immutable flag by

sudo chflags nouchg /etc/smb.conf

Joining the Domain

Now we must join the machine to the domain.

WINDOWS NT

• Log on as a local “Administrator".
• Go to Start, Settings, Control Panel, then Network.
• Click the “Change” button.
• Enter your domain name (from smb.conf).
• Press OK, wait for confirmation, and reboot.

WINDOWS 2000

• Log on as a local “Administrator".
• Go to Start, Setting, Control Panel, then Network and Dialup Connections.
• Pull down the “Advanced” menu, choose “Network Identification,” and click on Properties.
• Select “Domain” and then enter your domain name (from smb.conf). Press OK.
• When prompted enter the username and password of an account that has permission to join the domain. At the present time this MUST be root.
• Wait for confirmation and reboot.

---

31 May 2002: Reader Mike Visintainer forwarded the following potential solution to the problem of Windows XP machines not being able to join a Domain, from the IBM Developer Site:

Client configuration: Windows XP
Enter Windows XP, and the most complex beast of the lot. But first a word of warning for those unaware: Windows XP Home Edition cannot join a Windows domain. For domain functionality, you must use Windows XP Professional. Second, sometimes joining an XP machine to a Samba PDC involved all the steps below; on other occasions, however, you can get away with just the registry patch. Don’t ask--I haven’t a clue.

To join a Windows XP machine to a domain:
1. Open the Local Security Policy editor (Start -> All Programs -> Administrative Tools -> Local Security Policy).

2. Locate the entry “Domain member: Digitally encrypt or sign secure channel (always)". Disable it.

3. Locate the entry “Domain member: Disable machine account password changes". Make sure it’s disabled as well.

4. Locate the entry “Domain member: Require strong (Windows 2000 or later) session key". Disable it.

5. Next, download the WinXP_SignOrSeal registry patch from www.samba.org. Apply it by double-clicking and answering Yes to the dialog prompt.

6. Now join the domain the same as you would for Windows NT or 2000.

Right-click My Computer, select Properties, Computer Name, and Change. Or click the Network ID button and run the Network Wizard.

---

31 May 2002: Reader Espen Koht alerted us to some additional information that may make the Samba PDC solution more effective:

1) This might be more generally applicable to a NetInfo-based setup, but only came up when I was working on the PDC issue. If you have a NetInfo hierarchy set up, you may well have more than one 'root' account on the server (for example top and machine level). When Samba is performing certain actions which have to be done as root, you might get authentication failures because your root passwords in NetInfo don’t match each other. In our case, we had all sorts of problems until we discovered that the root password in the top level of the NetInfo hierarchy hadn’t been reset during a password change. Normally this didn’t matter, because NetInfo would look at the local machine accounts too, but for some reason Samba didn't.

2) Don’t use upper-case characters for machine names on the PC clients. Unfortunately there is a mismatch between the way Windows and Samba deal with case-sensitivity of account names. If you give a PC an upper-case name, Windows will automatically convert it to lower-case when attempting to register it in the domain. If you have created the machine account with upper-case letters in Samba too, the names will not match, because Samba does not treat its upper-case entry the same as the lower-cased registration attempt it gets from the windows machine. To avoid this problem, simply stick to lower-case names.