Configuring SAMBA as a PDC with Ubuntu

Posted 26 October 2006 in Linux, Ubuntu

This 'cut & paste' tutorial aims to configure a PDC for small groups that can work with both Window$ machines and Linux machines.

The Ubuntu version used here is 5.10 (Breezy Badger), but the applications it refers to are configured the same way as of the date of this post.

In any case, it will help us a lot when creating a PDC for Window$ clients; you'll just need to use a little imagination 😉

The tutorial is in English:

I have compiled a slightly extended version in a PDF document:

SAMBA (Domain Controller) Server For Small Workgroups With Ubuntu 5.10 "Breezy Badger"

Installing And Configuring The Rest Of The System

Enable root user

Now I can log in with the username and password I entered above. First I enable the root user for ease of installation. You can disable it later if you want.

sudo passwd root
su

Now we are logged in as root user.

Configure The Network

Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
mapping hotplug
script grep
map eth0

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

Then restart your network:

/etc/init.d/networking restart

Edit /etc/hosts and add your new IP address(es):

127.0.0.1 localhost.localdomain localhost server1
192.168.0.100 server1.example.com server1

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Setting The Hostname

echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname

Edit /etc/apt/sources.list And Update Your Linux Installation

Edit /etc/apt/sources.list. It should look like this:

# deb cdrom:[Ubuntu 5.10 _Breezy Badger_ - Release i386 (20051012)]/ breezy main restricted

deb http://de.archive.ubuntu.com/ubuntu breezy main restricted
deb-src http://de.archive.ubuntu.com/ubuntu breezy main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu breezy-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu breezy-updates main restricted

## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://de.archive.ubuntu.com/ubuntu breezy universe
deb-src http://de.archive.ubuntu.com/ubuntu breezy universe

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://de.archive.ubuntu.com/ubuntu breezy-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu breezy-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu breezy-security main restricted
deb-src http://security.ubuntu.com/ubuntu breezy-security main restricted

deb http://security.ubuntu.com/ubuntu breezy-security universe
deb-src http://security.ubuntu.com/ubuntu breezy-security universe

Then run

apt-get update
apt-get upgrade

Install SSH Daemon

apt-get install ssh openssh-server

The Next Steps...

Now you can log in to your server with an SSH client like putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/). It's easier to follow this howto if you connect to your server with putty and copy and paste the commands. If you want to edit config files on the server, you can use command-line editors like vi, pico or joe, or use a program like WinSCP (http://winscp.net/eng/index.php) to edit the files over your SSH connection from a Windows client.

Quota

apt-get install quota

Edit /etc/fstab to look like this (I added ,usrquota,grpquota to the partitions with the mount point / and /home):

# /etc/fstab: static file system information.
#
#
proc /proc proc defaults 0 0
/dev/sda3 / ext3 defaults,errors=remount-ro,usrquota,grpquota 0 1
/dev/sda1 /boot ext3 defaults 0 2
/dev/sda4 /home ext3 defaults,usrquota,grpquota 0 2
/dev/sda2 none swap sw 0 0
/dev/hdc /media/cdrom0 udf,iso9660 ro,user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0

Then run:

touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /
touch /home/quota.user /home/quota.group
chmod 600 /home/quota.*
mount -o remount /home
quotacheck -avugm
quotaon -avug

Install And Configure The SAMBA Server

In order to install SAMBA, run

apt-get install samba samba-common samba-doc libcupsys2-gnutls10 libkrb53 winbind smbclient

Edit /etc/samba/smb.conf so that it looks like this

[global]
workgroup = MYWORKGROUP
netbios name = SERVER1
server string = %h server (Samba, Ubuntu)

passdb backend = tdbsam
security = user
username map = /etc/samba/smbusers
name resolve order = wins bcast hosts
domain logons = yes
preferred master = yes
wins support = yes

# Set CUPS for printing
printcap name = CUPS
printing = CUPS

# Default logon
logon drive = H:
logon script = scripts/logon.bat
logon path = \\server1\profile\%U

# Useradd scripts
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
idmap uid = 15000-20000
idmap gid = 15000-20000

# sync smb passwords with linux passwords
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
passwd chat debug = yes
unix password sync = yes

# set the loglevel
log level = 3

[homes]
comment = Home
valid users = %S
read only = no
browsable = no

[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
guest ok = yes
browsable = no

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
admin users = Administrator
valid users = %U
read only = no

[profile]
comment = User profiles
path = /home/samba/profiles
valid users = %U
create mode = 0600
directory mode = 0700
writable = yes
browsable = no

Remark: The "netbios name" in smb.conf must be the same as the hostname of your server.

workgroup = MYWORKGROUP specifies the Windows domain that the Windows workstations use.

logon drive = H: is the drive letter under which the SAMBA share will appear in the Windows Explorer.

With logon script = scripts/logon.bat you can specify a Windows batch script that is executed as soon as a Windows workstation logs in. If the script does not exist, you can comment out that line.
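
The following is an added example, not part of the original tutorial: a small Python check that parses an smb.conf and lists the settings from the configuration above that deserve review once the setup works (passwd chat debug, guest access, admin users, a writable [netlogon] share). SAMPLE is a constructed excerpt and the function names are illustrative.

```python
# Added example: review an smb.conf for settings used in this tutorial.
TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and spaces in parameter names
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf

def is_true(params, *names):
    return any(params.get(n, "").lower() in TRUE for n in names)

def audit(text):
    """Return sorted (section, finding) pairs worth a second look."""
    conf, out = parse_smb_conf(text), []
    if is_true(conf.get("global", {}), "passwdchatdebug"):
        out.append(("global", "passwd chat debug can log plaintext passwords"))
    for name, p in conf.items():
        if is_true(p, "guestok", "public"):
            out.append((name, "guest access allowed"))
        if "adminusers" in p:
            out.append((name, "admin users act as root on this share"))
        writable = is_true(p, "writable", "writeable", "writeok") or \
            p.get("readonly", "yes").lower() in {"no", "false", "0"}
        if name == "netlogon" and writable:
            out.append((name, "logon scripts share is writable"))
    return sorted(out)

SAMPLE = """
[global]
passwd chat debug = yes
[printers]
guest ok = yes
[netlogon]
admin users = Administrator
read only = no
"""

if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"[{section}] {finding}")
```

A section header that shares its line with a parameter (for example "[global] workgroup = ...") is not recognised as a header by this parser, so keep each header on its own line.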

Create the directories for domain logons and profiles:

mkdir /home/samba
mkdir /home/samba/netlogon
mkdir /home/samba/profiles
mkdir /var/spool/samba
chmod 777 /var/spool/samba/
chown -R root:users /home/samba/
chmod -R 771 /home/samba/

Now we restart Samba:

/etc/init.d/samba restart

Edit /etc/nsswitch.conf. Change the line:

hosts: files dns

to:

hosts: files wins dns

Add all computers of your workgroup in the /etc/hosts file on the server.

192.168.0.100 server1
192.168.0.110 workstation1
192.168.0.111 workstation2
192.168.0.112 workstation3
192.168.0.113 workstation4

Add the root user to the SAMBA password database. The root user (alias: Administrator) will be our domain administrator. This account is needed to add new computers to the SAMBA domain.

smbpasswd -a root

Create the file /etc/samba/smbusers and add the line by executing:

echo "root = Administrator" > /etc/samba/smbusers

This will allow us to use the common Windows username "Administrator" as an alias for the Linux root user.

Now I will test if the setup is correct:

smbclient -L localhost -U%

The output should look similar to this:

Domain=[MYWORKGROUP] OS=[Unix] Server=[Samba 3.0.14a-Ubuntu]

Sharename Type Comment
--------- ---- -------
netlogon Disk Network Logon Service
print$ Disk Printer Drivers
IPC$ IPC IPC Service (server1 server (Samba, Ubuntu))
ADMIN$ IPC IPC Service (server1 server (Samba, Ubuntu))
Domain=[MYWORKGROUP] OS=[Unix] Server=[Samba 3.0.14a-Ubuntu]

Server Comment
--------- -------
SERVER1 server1 server (Samba, Ubuntu)

Workgroup Master
--------- -------
MDKGROUP IPRG
MYWORKGROUP SERVER1

Set up the default domain groups for Windows:

net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup

Adding Users To Our SAMBA Domain

Now we will add a user, e.g. tom, to our Samba domain. You will have to add a user like this for each user account you want to connect to this SAMBA domain server.

1) Add a Linux user tom:

useradd tom -m -G users

2) Add the Linux user tom to the SAMBA password database:

smbpasswd -a tom

Adding Shares

Now I will add a share that is accessible by all users.

mkdir -p /home/shares/allusers
chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/

At the end of the file /etc/samba/smb.conf add the following lines:

[allusers]
comment = All Users
path = /home/shares/allusers
valid users = @users
force group = users
create mask = 0660
directory mask = 0771
writable = yes

Now we restart Samba:

/etc/init.d/samba restart

Installing CUPS

If you want your SAMBA server to act as a print server as well, you have to install and configure CUPS (the following command is one line):

apt-get install cupsys cupsys-client cupsys-driver-gimpprint cupsys-driver-gimpprint-data defoma fontconfig foomatic-db foomatic-filters libcupsimage2 libexpat1 libfontconfig1 libfreetype6 libgimpprint1 libjpeg62 libpaper1 libpng12-0 libpoppler0c2 libslp1 libtiff4 patch perl perl-modules ttf-bitstream-vera ucf

To get access to the web interface from my workstation, I will change cups to listen on the Server IP.
Edit /etc/cups/cupsd.conf in the section Network Options:

Listen 127.0.0.1:631
Listen 192.168.0.100:631

Set AuthGroupName to shadow in the section Security Options:

AuthGroupName shadow

To allow access only from my admin workstation (IP: 192.168.0.70), I add Allow From 192.168.0.70 to the security options and set AuthClass to Group:

<Location /admin>
#
# You definitely will want to limit access to the administration functions.
# The default configuration requires a local connection from a user who
# is a member of the system group to do any admin tasks. You can change
# the group name using the SystemGroup directive.
#

AuthType Basic
AuthClass Group

## Restrict access to local domain
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.0.70

#Encryption Required
</Location>

Add the cupsys user to the shadow group:

adduser cupsys shadow

and restart the cups daemon:

/etc/init.d/cupsys restart

The CUPS web interface is now accessible with any web browser from my workstation:

http://192.168.0.100:631/

Now I can log in to the CUPS interface with username root and my root password.

Hint: If there is no Linux driver available for your printer and you want to use this printer only from your Windows workstations through SAMBA, you can use the printer manufacturer RAW and install the correct driver on your Windows workstation.

If you created a new printer in cups, you will have to add it to samba with the command:

cupsaddsmb -a

Have fun!

One Comment

  • Solusan says:

    If we need 'everyone' to be able to print, we must put this in our configuration file:

    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin root
    public = yes
    force group = ntadmin
    create mask = 0664
    directory mask = 0775

    [printers]
    comment = All Printers
    path = /var/tmp
    printable = yes
    public = yes
    create mask = 0600
    guest ok = Yes
    use client driver = Yes
    browseable = no
