miCRoSCoPiC^eaRthLinG

Howto: Setup Windows NT/2K Domain Using SAMBA and make Windows 2000 Logon to Linux


Howto: Setup and emulate a Windows NT Domain on Linux and make Windows 2000/XP log on

===========================================================================

 

HI all,

I'm back with another Tutorial in the Linux series. This time we're going to deal with an issue that is very common in everyday networking and is implemented almost everywhere in some form or the other. The primary issue here is to make two DIFFERENT Operating Systems talk to each other over the network and synchronize and share files without letting off any hint about the complex protocols involved in between. Windows 2000/XP are used by most home users as a standalone workstation. Those who have cared to venture into Windows Networking and tried out the Host to Domain logon model would have an idea what I'm getting at. Normally, a Windows workstation would only log onto a domain that is being served by a server called Primary Domain Controller or PDC in Windows Networking terms. Following this model, if we have a machine running a Windows Server behaving as the PDC and several Windows Workstations which allow individual users to log onto this server - what we get is a massive sharing of resources by all these workstations at a One Pass Authentication, i.e. whatever shared resources are attached to the server (printers, tape drives - any kind of peripherals) - are made available to EACH workstation as soon as the user logs into the domain. One DOES NOT need to enter a separate set of login credentials (username/password) to access each of these shared resources, as happens when you set up a simple bus network using multiple Windows workstations.

 

Fortunately for us, we have something called SAMBA on Linux, that is capable of emulating Windows Domains and can let users running Windows log onto this emulated domain using their login credentials for Linux. In turn, they reap the great benefits of a Linux Server (security, high uptime & stability etc.) while being able to work on all their favourite applications on Windows. The home drives that are created on Linux for each user (usually in the /home/ folder) are directly mapped on as an extra Physical Drive Letter (say, H:, I:, J: ... whatever you choose it to be) on your Windows machine - and whatever you save into this drive gets automatically transferred to your home drive on the Linux Server. The origin of the name SAMBA is from SMB which stands for Server Message Blocks - a protocol used to share files between different Operating Systems with relative transparency. Find out more about SAMBA @ https://www.samba.org/

 

My experimental platform is exactly the same as what I'd used for setting up the Domain Name Server on Linux. Today I successfully managed to set up this Windows Domain on Linux and here I am sharing a little more of my adventures on taming the "Linux Beast".

 

However, unlike the DNS configuration - this was a pleasant breeze. The process is very simple and surprisingly can be accomplished in very few steps. Besides, the only configuration file that we have to edit is smb.conf, which resides in the /etc/samba/ directory.

 

Requirements (for this experiment)

===================================

a. A Server running on Linux - that has the smbd or Samba Daemon up and running

b. A Windows XP/2000 Pro Workstation - physically connected to the server

===================================

If you are unsure about the smbd service, check with service --status-all | grep smb - this should return a message like smbd (pid 5831) is running.... If not, you can fire up the service by simply typing smbd -D.

 

 

Step 1 - Editing the /etc/samba/smb.conf file

 

This is the one and only file used for configuring the Samba Daemon and there are only a few parameters that you have to edit. Open this file in your favourite editor.

 

Right near the beginning you'll find a section called [workgroup]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# workgroup = NT-Domain-Name or Workgroup-Name

workgroup = asterix

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

The default smb.conf will contain some other name as the name of the workgroup - I set it to "asterix" for my system. Feel free to change it to whatever you like - but keep it less than 15 characters. It can contain alphabetic characters, numbers and underscores ONLY.

 

Scroll down a little below till you find this line:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# Security mode. Most people will want user level security. See

# security_level.txt for details.

security = user

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

The line "security = user" might be commented out with a "#". If so, just remove the "#" at the beginning.

 

Go a little further down again and find the line:

 

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# You may wish to use password encryption. Please read

# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.

# Do not enable this option unless you have read those documents

encrypt passwords = yes

smb passwd file = /etc/samba/smbpasswd

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

Once again, the

encrypt passwords = yes

smb passwd file = /etc/samba/smbpasswd

lines are likely to be commented out. Remove the comments. You can choose an alternate location for the samba password file, but leaving it where it is won't harm in any way.

 

 

A little further down you'll meet another large block of commented out statements.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# Browser Control Options:

# set local master to no if you don't want Samba to become a master

# browser on your network. Otherwise the normal election rules apply

local master = yes

 

# OS Level determines the precedence of this server in master browser

# elections. The default value should be reasonable

; os level = 65

 

# Domain Master specifies Samba to be the Domain Master Browser. This

# allows Samba to collate browse lists between subnets. Don't use this

# if you already have a Windows NT domain controller doing this job

domain master = yes

 

# Preferred Master causes Samba to force a local browser election on startup

# and gives it a slightly higher chance of winning the election

preferred master = yes

 

# Enable this if you want Samba to be a domain logon server for

# Windows95 workstations.

domain logons = yes

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

Uncomment the lines "local master = yes", "domain master = yes", "preferred master = yes" and "domain logons = yes". If any of them equate to "no", set it to "yes". The "os level = 65" is usually set to a much lower value, but setting it to 65 gives a big performance boost according to the man pages.

 

Right in the next block, you'll find these statements:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# if you enable domain logons then you may want a per-machine or

# per user logon script

# run a specific logon batch file per workstation (machine)

; logon script = %m.bat

# run a specific logon batch file per username

logon script = %U.bat

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

Both the "logon script = %m.bat" and "logon script = %U.bat" lines are commented out. I am using a logon script on a per-user basis - so that's the one I uncommented. A word about logon scripts here. This logon script will reside on the Linux Server itself, but it is actually an MS-DOS BATCH FILE. It's not directly run by Linux, but dished out to the Windows workstation once the login credentials are settled. This logon script may contain any number of commands, ranging from commands to map your Linux HOME DRIVE to a logical Windows drive and/or synchronizing your workstation's CLOCK with the Server's Clock. We'll come to this later on towards the end of the tutorial. If you uncomment the "logon script = %m.bat" line, then your logon script's name has to be WindowsNameOfYourWorkStation.bat. If you are using a per-user basis like me, then you'll have to create a copy of this script with the name of every user that intends to log onto your domain. As you can guess, the %m and %U variables expand to take on the machine name and user name respectively. DO NOT, under any circumstances, uncomment BOTH. That could lead to a lot of confusion for the Domain Controller. More later.

 

Towards the bottom end of the file you are going to find a large section dedicated to mapping different shares between Windows and Linux. Find the following section named "netlogon":

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# Un-comment the following and create the netlogon directory for Domain Logons

[netlogon]

comment = Windows Network Logon Service

path = /home/netlogon

; guest ok = yes

writable = no

public = no

; share modes = no

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

In my default .conf file, the comment was different and I changed it to the "Windows Network...." - you can modify it to whatever you feel like. Next the line "path = /home/netlogon" - uncomment this and set the path to point to whatever directory you want to keep your logon scripts in. Set "writable" and "public" to "no". Comment out "guest ok = yes" and "share modes = no".

 

THAT'S IT. Save the file and quit.

 

 

Step 2 - Setting up Machine Account & User Accounts in SAMBA

 

All the Windows machines that will log onto the Linux Domain are required to have an entry corresponding to their Windows names in the samba database. The machine names as well as the user names are to be added to a group called "smbuser" which doesn't exist on its own. So first create this group:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

shell> groupadd smbuser

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

Next, we create an entry with the name of the Workstation that is going to hook onto this domain controller. Find out the Windows name of your system (Desktop > My Computer > Right-Click > Properties > Network Identification TAB > Properties). In the dialog box that comes up you'll find a field called Computer Name. That is the name of your machine. In my case the Windows name of my workstation IS "WorkStation". So I used that here. Replace it with yours. This name (it was "Workstation" in my case) with a "$" sign appended to it is going to be your machine name in samba. So "Workstation" becomes "workstation$". Next use the following command to add this to Samba.

Note: The name that you find on your Windows system might contain MIXED CHARACTER CASING - but for Linux, convert the whole name to LOWERCASE and then add the "$" sign.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

shell> useradd -g smbuser -d /dev/null -s /bin/false workstation$

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

Next, add this Windows client to the samba password database.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

shell> smbpasswd -a -m workstation

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Note that this time we DO NOT INCLUDE the "$" at the end of the computer name. The option -a tells samba to add the client name and option -m specifies that this name is the name of a computer and NOT a user.

 

 

Next, what we are going to do is CREATE user accounts in Samba, which will be used to login from the Windows machines.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

shell> useradd -g smbuser -d /dev/null -s /bin/false microscopicearthling

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

One word here - notice we are allotting a null directory and null shell to the users and the machine name - since these users won't need shell access & can log in directly from Windows.

 

If you already have some users set up in your Linux Server, you can skip this step and add the user directly to the samba password database. In that case the samba user will inherit the home folder that had been created while creating the user account. Say, I have an existing user account called "someone". I'll use the following command to add him to the samba db.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

shell> smbpasswd -a someone

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

Notice that I've removed the "-m" option, since this is an actual USER that we are adding. For any other user, replace the "someone" with the corresponding username. You can change the PASSWORD that the user will use, by using:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

shell> smbpasswd someone

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

But make sure that the user has been added to the samba db through the step right before this - or else "smbpasswd" will spit out some error message like:

Failed to find entry for user someone.

Failed to modify password entry for user someone

 

Another important point: the user you are adding to the samba db has to exist as a valid user of the Linux Server, i.e. the user has to have an active account on the server created with the command "useradd". Only then can he be added to the samba db as a remote logon user.

 

Next, add the user "root" into the smbpasswd db the same way:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

shell> smbpasswd -a root

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

 

Step 3 - Configure the netlogon.bat - LOGIN SCRIPT file

 

Recall that while we were editing the smb.conf file, we came across a line: "path = /home/netlogon" towards the end of the file. Switch over to this directory now. The directory wouldn't be created automatically, so you need to change to /home and create one called netlogon in it. Now enter this directory and fire up your editor. Create a file called "netlogon.bat" that will serve as a template for all users. Whenever you add a new user to the samba db, you have to make a copy of this file as username.bat. So for a new user, "someonelse", we'll simply copy over netlogon.bat as someonelse.bat.

 

The contents of the batch file will be as follows:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

net use H: /HOME

NET TIME \\getafix /SET /YES

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

The first entry maps your Linux Home folder as a DRIVE named H:\ in Windows. So whatever you save in drive H: gets saved directly to your home folder on the Linux Server - and the files/folders all acquire the strong security settings that Linux offers. Thus no one else should be able to view your files - unless you set their attributes such that they get shared with others in your group or domain.

The second line sets the TIME of your Workstation by syncing it with the time of the server. The \\getafix is the hostname of my server. Replace it with whatever your Linux server hostname is.

Save the file and quit.

 

 

Step 4 - Restart smbd

 

The Samba daemon needs to be restarted so as to load the new configuration options. Simple step, just do:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

shell> killall -HUP smbd    # send SIGHUP so the running smbd re-reads smb.conf (smbd has no -SIGHUP option)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

 

Step 5 - FINAL Step: Make your Windows Workstation join the Linux Domain

 

Once again do Desktop > My Computer > Right-Click > Properties > Network Identification TAB > Properties. The lower part of the dialog box should contain two fields with radio buttons namely, Domain and Workgroup. Normally, you'd see some random entry in the workgroup field - usually from the settings that you had specified during Windows installation. Click the radio button beside the DOMAIN and enter the name of the domain that you'd specified in your smb.conf file right at the beginning using the clause "workgroup = asterix". In my case, I entered asterix as the domain name here and clicked OK.

 

There will be a short delay, after which you'll be asked to enter a pair of login credentials that has authority to join the samba domain. Use your root/password combination. After another short wait, you'll be informed that your workstation has successfully joined the domain and that you should restart your computer for the changes to take effect.

 

Upon reboot, you'll see a completely different kind of splash screen that you've never seen before in standalone mode. It'll tell you to press Ctrl-Alt-Del to login and that's what you should do. Next, you'll be presented with the standard login screen. Click on the Options and you'll see one more dropdown list titled "Log onto:" - click on that and you'll be presented with TWO options. One is the name of your Windows machine - which will be selected by default. If you use this - you'll log on locally - as you'd do on a standalone system. The OTHER one is the name of the Linux Domain that you just joined. Select that and enter the username/password that you had created for yourself or "someone" in the samba password db.

 

That's it - you should log into Windows normally - but beware: you won't find most of the icons on your desktop that you normally have when you log on locally as an administrator. You'll be presented with a bare minimum set of icons, determined by the Windows access rights that you've specified for your system. Most of the common applications will be there in the Start Menu though. To log back in locally, just log out and switch the "Log onto:" option to your local machine name.

 

When you click on My Computer you should see another drive called H: which, as I said before, is mapped onto your home folder on the Linux Server.

===========================================

 

WARNING: I had to come back and add this part - I believe it's very necessary to know what you are heading for when you set up a login process like this.

Windows 2000 and XP have something called "ROAMING PROFILES" which basically means that whatever you save on your Desktop - all your files, icons & registry and Windows settings - propagates to the Linux server when you log out and gets saved in your home folder. When you log back in these settings migrate back to your local Windows system and take effect - creating the exact desktop state you'd left it in. This ensures all the personal preferences of every user using these systems remain intact. While the feature sounds good - it's a HUGE DRAWBACK from a networking perspective - as it can create immense bottlenecks. These profiles are not small in size by any means - each profile is at least 4-5MB in size. When the network is small and consists of no more than 10 computers - this is pretty all right to have enabled. But when you consider a network of nearly 150 computers (like my school network) - with over 500 users logging in and out several times a day - you can imagine the amount of traffic this generates - just by downloading the profile when you log in and uploading it back when you log out. This alone can bring the whole network down in a matter of days.

SOLUTION: Turn off the Roaming Profiles in Win2k/XP on your Windows workstation when you use this model. The performance gain achieved is a thousandfold better than clogging the whole network just trying to save your icon settings. You can do so by opening the Start Menu > Run > and typing gpedit.msc in there - in both Win2k and XP. This will bring up the Group Policy Editor. Follow this route: Local Computer Policy > Computer Configuration > Administrative Templates > System > Logon. This brings you to a panel on the right where you can turn off the roaming profile. In XP it is very easy. There will be an option called Only allow local user profiles and Prevent Roaming Profile Change from Propagating to the Server. Enable these two and your job is done. For Windows 2000 - you have to look around in the same panel and have to enable/disable a combination of options to disable the roaming profile as a whole. More on Win2K later.

 

 

Have fun....and all the best ;)

 

 

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

LINUX: What Windows will NEVER BE ;)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
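As an added example (not part of the original post, nor a Samba tool), here is a small Python check that parses an smb.conf and flags settings that deviate from what the post configures: a workgroup name outside the 15-character letters/digits/underscore rule, "security" other than "user", both "logon script" lines left active, or a [netlogon] share that is writable or guest-accessible. The embedded sample config and the function names (parse_smb_conf, audit, is_true) are constructed for this example; point parse_smb_conf at the text of your own /etc/samba/smb.conf to audit a real file.

```python
import re

# Constructed sample smb.conf with the settings the post ends up with, plus two
# mistakes it warns about: both "logon script" lines active, guest ok on netlogon.
SAMPLE_SMB_CONF = """\
[global]
   # workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = asterix
   security = user
   encrypt passwords = yes
   local master = yes
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon script = %m.bat
   logon script = %U.bat

[netlogon]
   comment = Windows Network Logon Service
   path = /home/netlogon
   guest ok = yes
   writable = no
   public = no
"""

TRUE_WORDS = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf into {section: {parameter: [values in order]}}.

    '#' and ';' start comments; section and parameter names are case- and
    whitespace-insensitive. Every occurrence of a parameter is kept so that
    duplicate definitions (two active 'logon script' lines) stay visible."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        sections[current].setdefault(key, []).append(value.strip())
    return sections


def is_true(values):
    """Samba honours the last definition of a parameter; yes/true/1 mean on."""
    return bool(values) and values[-1].lower() in TRUE_WORDS


def audit(sections):
    """Return findings for settings that deviate from the post; [] means clean."""
    findings = []
    g = sections.get("global", {})
    workgroup = g.get("workgroup", [""])[-1]
    if not re.fullmatch(r"[A-Za-z0-9_]{1,15}", workgroup):
        findings.append("workgroup %r must be 1-15 letters, digits or underscores" % workgroup)
    if g.get("security", [""])[-1].lower() != "user":
        findings.append("security must be 'user' for domain logons")
    for param in ("encrypt passwords", "domain logons", "domain master",
                  "local master", "preferred master"):
        if not is_true(g.get(param, [])):
            findings.append("%s should be yes" % param)
    scripts = g.get("logon script", [])
    if len(scripts) > 1:
        findings.append("more than one active 'logon script' line: %s" % ", ".join(scripts))
    netlogon = sections.get("netlogon")
    if netlogon is None:
        findings.append("[netlogon] share is missing")
    else:
        # Clients execute whatever sits in this share at logon, so it must stay
        # read-only and must never be reachable anonymously.
        for param in ("writable", "writeable", "guest ok", "public"):
            if is_true(netlogon.get(param, [])):
                findings.append("[netlogon] %s = yes lets clients alter or read "
                                "logon scripts anonymously" % param)
    return findings
```

Running audit(parse_smb_conf(SAMPLE_SMB_CONF)) reports exactly the two deliberate mistakes; commenting out the "%m.bat" line and "guest ok = yes" brings it back to an empty list.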


good god that looks long and copied....Meh though another even funner and easier way to use windows and linux is to download my favorite linux distro ;) topologilinux or something like that....you just install it through windows and then once installed it will give you dual boot options...No need for partitioning and it's a project that is being maintained!!! ...I think it works best on NTFS cuz on fat 32 I'm pretty sure it could only create a linux os that has only up to 5GB's...so yeah hopefully you have ntfs ;)...And ummm...I like to use the previous version and not the newest...I find the newest to be kinda buggy still but meh good luck and hope you try it



Dude, NONE OF THIS IS COPIED. These are from my personal installation experiences after wading through thousands of man pages, converted into step by step instructions. Besides you are MISSING OUT the whole point here - this is for networked systems and not about making each other's partitions visible on the same local system with Win-Lin dual boot.


It looks like another great tutorial. I have to disagree with you spacewaste. The format, setup and language is comparable to the first great tutorial he presented. I did a few searches before I posted my positive comment the last time. I think this is genuine and he deserves the credit for taking the time to write it. It shows great knowledge and dedication to this community sharing his hard work.

Nils


yes I'm satisfied now....That was quite the amazing post...I don't know where you found the time to put it all 2gether but it's damn good man...Sorry I thought it was forged...But I've seen a lot of forged tutorials on here ;) just had to make sure... Sorry again man... But can I ask how long you've been working with linux for?


No probs ;) You are always allowed to have the benefit of doubt. Well, if you mean "messing around with Linux" - I've seen Linux right since the beginning days - this is way back in the early 90's - my guess is around '93 - when my friend got his hands on a copy of what was Linux 0.6 or 0.7 - it hadn't yet reached the maturity to be called version 1.0. It came on 30 of those 1.44Meg floppies and was nothing short of a "pull-all-your-hair-out-and-bang-your-head-as-hard-as-you-can" experience to install it on my 286 machine. I've been into computers since '89 I think. Anyways - from then on I got hold of every subsequent version of Linux and tried figuring out how to fine tune it. One drawback about Linux is that you can learn quite a bit on a standalone system - but you'd miss out on a major part of it - if you don't have a network (a small one to start with) with at least another Linux and Windows machine. Or else, you will never be able to explore the real power of Linux which lies in Networking. That chance came when I joined one of my prior schools in Thailand - Webster University (http://www.webster.ac.th/). Though a very bad school for IT (rather pathetic - more of a good liberal arts school) - I managed to get a job on the IT helpdesk, which was quite fun. First few days I spent clearing up all the accumulated junk from over 120 systems spread all over the campus and fine-tuning them. Once that was done - I was free to indulge myself in the ways of Linux sitting in my small dark office inside the school library till the wee hours of dawn. Me and a couple of my friends who spent our time there came to be known as the creatures of the dark. ;) It was over here that I first encountered this model of networking - all the student/staff workstations were running on '98/2k/xp and they all logged onto a cluster of linux servers which sat tight and hummed all throughout the year in another small, dark & extremely cold room right above my office.

Till then I'd thought of Samba as just another Network Resource Sharing Tool which could make Linux folders visible to Windows and vice-versa. I was quite amazed at what OTHER stuff it could do - and so began my explorations. I went through all the config files and man pages till I figured what all parameters were changed to achieve this model. Still, there's a big difference in KNOWING IT and KNOWING HOW TO DO IT HANDS ON. That - I didn't get a chance to, till a few days back - when I managed to set it up on the company server. So there... One word of advice here - if you start spending the amount of time I did on Linux - you are looking for intense troubled times in your social life... not to mention, GRAVE PROBLEMS WITH YOUR GIRLFRIEND. :P And yeah, I forgot to add something about Windows Roaming Profiles which might cause a lot of problems - I've put in an extra section now. That should help. All the best.


Hmm....Well then can I ask you this? What linux distros can you recommend to me...I plan on installing it on this machine..but for some reason the distro I went with on my old comp bought in 2000 didn't install on this one...I'm looking for a distro that doesn't need you to repartition your computer and that can be installed to do a multi boot with windows Xp? any suggestions would be greatly appreciated...The current distro I use is topologilinux..Or something like that



Can you give me some more information about your present system - say, cpu, ram and what your current hdd partitioning scheme is? That would be a lot more helpful in deciding. Once I have this info I can get back to you with a good recommendation ;)

cheers..
