SAMBA PDC
1. It removes the duplicate users and groups that would otherwise have to be maintained on each stand-alone server.
2. It works with Microsoft's networking facility that allows a user to log in to her local workstation via a domain account.
ADVANTAGES AND DISADVANTAGES
1. Samba 3.0 can act as a Windows NT 4.0 domain controller.
2. It does not implement the Windows Security Account Manager (SAM) replication protocol.
3. This means that it cannot participate as a domain controller alongside Windows DCs, in either an NT 4.0 domain or a mixed-mode Active Directory domain.
ENTER THE FOLLOWING CONFIGURATION INTO /etc/samba/smb.conf.
# mkdir -p /data/public
# mkdir -p /data/netlogon
# vi /etc/samba/smb.conf
[global]
netbios name = SERVER1
workgroup = SUPPORT
security = user
encrypt passwords = yes
# enable PDC functionality: register the DOMAIN<1b> name and accept domain logons
domain master = yes
domain logons = yes
# a high os level makes this server win browser elections, so the DC also acts as local master browser
os level = 33
preferred master = yes
local master = yes
[public]
path = /data/public
read only = no
# emulates the NETLOGON service on a Windows domain controller
[netlogon]
comment = Net Logon service
path = /data/netlogon
# the share is read-only; only members of the ntadmin group may write to it
read only = yes
write list = +ntadmin
Save the file and restart Samba (service smb restart) so smbd and nmbd read the new configuration.
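Before trusting the configuration above, it is worth checking it mechanically. The following is an added example, not code from the original post or from the Samba project: a small checker that parses smb.conf the way Samba reads it (sections, "key = value" lines, comments starting with # or ;) and reports settings that weaken a PDC, such as an explicit encrypt passwords = no or a [netlogon] share that every domain user can write to. The two sample configurations embedded at the bottom are constructed for this example; one matches the post, the other is deliberately weakened.

```python
# Added example, not part of the original post: a checker for the PDC-relevant
# settings in smb.conf. The sample configurations at the bottom are constructed
# for this example (one matches the post, one is deliberately weakened).

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.
    Parameter names are lower-cased with internal whitespace collapsed,
    which is how Samba matches them ("read only" == "Read  Only")."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def is_true(value):
    """Samba boolean parameters accept yes/true/1 (case-insensitive)."""
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(share):
    """'writable', 'writeable' and 'write ok' are inverted synonyms of 'read only'.
    The check is conservative: any setting that opens the share counts."""
    if not is_true(share.get("read only", "yes")):
        return True
    return any(is_true(share[s]) for s in ("writable", "writeable", "write ok") if s in share)


def check_pdc_config(text):
    """Return a list of findings; an empty list means nothing to report."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if g.get("security", "user").lower() != "user":
        findings.append("security = %s: a PDC needs security = user" % g["security"])
    # Samba's default is yes; only an explicit 'no' downgrades clients to plaintext.
    if not is_true(g.get("encrypt passwords", "yes")):
        findings.append("encrypt passwords = no: clients would authenticate with plaintext passwords")
    if not is_true(g.get("domain logons", "no")):
        findings.append("domain logons is not enabled: the server will not accept domain logons")
    if g.get("domain master", "auto").lower() == "no":
        findings.append("domain master = no: nmbd will not register the DOMAIN<1b> PDC name")
    netlogon = conf.get("netlogon")
    if netlogon is None:
        findings.append("no [netlogon] share: domain logons from Windows clients will fail")
    elif share_is_writable(netlogon):
        # Every client fetches what NETLOGON serves at logon, so write access
        # must be limited to administrators through a write list.
        findings.append("[netlogon] is writable by every user: set read only = yes and a write list")
    return findings


# Constructed sample: the configuration from this post.
PDC_CONF = """
[global]
netbios name = SERVER1
workgroup = SUPPORT
security = user
encrypt passwords = yes
domain master = yes
domain logons = yes
os level = 33
preferred master = yes
local master = yes
[public]
path = /data/public
read only = no
[netlogon]
comment = Net Logon service
path = /data/netlogon
read only = yes
write list = +ntadmin
"""

# Constructed sample of a weakened copy: plaintext passwords and a NETLOGON
# share that any domain user can modify.
WEAK_CONF = (PDC_CONF.replace("encrypt passwords = yes", "encrypt passwords = no")
                     .replace("path = /data/netlogon\nread only = yes",
                              "path = /data/netlogon\nread only = no"))

if __name__ == "__main__":
    for label, conf in (("post", PDC_CONF), ("weakened", WEAK_CONF)):
        print(label, check_pdc_config(conf) or ["ok"])
```

Run it against the real file with check_pdc_config(open("/etc/samba/smb.conf").read()); it complements testparm, which validates syntax but does not judge whether the settings are sensible for a domain controller.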
Wait approximately one minute for nmbd to complete its name registration process, then run the following command.
Enabling the domain master parameter in the [global] section of smb.conf causes nmbd to register the DOMAIN<1b> name (SUPPORT<1b> in our example). Windows clients use this name to locate the PDC of a domain. When searching for any domain controller, not necessarily the PDC, a Windows client resolves the DOMAIN<1c> group name instead; setting domain logons = yes instructs nmbd to register that name as well (SUPPORT<1c> here).
# nmblookup 'SUPPORT#1b' 'SUPPORT#1c'
The output should be:
querying SUPPORT on 192.168.1.255
192.168.1.2 SUPPORT<1b>
querying SUPPORT on 192.168.1.255
192.168.1.2 SUPPORT<1c>
Also verify the nmbd log file.
# tail -f /var/log/samba/nmbd.log
The output should contain lines like these:
[2010/07/08 21:53:53, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
*****
Samba name server SERVER1 is now a local master browser for workgroup SUPPORT on subnet 192.168.1.2
become_logon_server_success: Samba is now a logon server for workgroup SUPPORT on subnet 192.168.1.2
*****
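The <1b> and <1c> suffixes that nmblookup prints are the sixteenth byte of the NetBIOS name as it appears on the wire. The following is an added example, not code from the original post or from Samba: it builds the NBNS NAME QUERY REQUEST that nmblookup broadcasts for SUPPORT#1b and SUPPORT#1c (RFC 1001/1002 first-level name encoding plus the 12-byte header), and parses the positive NAME QUERY RESPONSE a PDC sends back, including the group flag that distinguishes the <1c> group name from the unique <1b> name. The reply packet is constructed in the example to stand in for the PDC's answer; the transaction ID and TTL are arbitrary values chosen for the example.

```python
# Added example, not part of the original post: what nmblookup puts on the wire
# for 'SUPPORT#1b' and 'SUPPORT#1c', built and parsed by hand from the
# RFC 1001/1002 NBNS format. The reply packet is constructed here to stand in
# for the PDC's answer; transaction ID and TTL are arbitrary example values.

import socket
import struct

NB_QUERY_FLAGS = 0x0110     # opcode QUERY, recursion desired, broadcast
NB_RESPONSE_FLAGS = 0x8580  # response, authoritative, RD, RA
RR_TYPE_NB, RR_CLASS_IN = 0x0020, 0x0001


def encode_netbios_name(name, suffix):
    """First-level encoding: pad the name to 15 bytes, append the suffix byte
    (0x1b = domain master browser/PDC, 0x1c = domain controllers group),
    then write each nibble as a letter 'A'..'P'. Result is always 32 bytes."""
    raw = name.upper().encode("ascii").ljust(15, b" ")
    if len(raw) != 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw += bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name, suffix, txid):
    """NAME QUERY REQUEST, as nmblookup broadcasts it to 192.168.1.255."""
    header = struct.pack(">HHHHHH", txid, NB_QUERY_FLAGS, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + question + struct.pack(">HH", RR_TYPE_NB, RR_CLASS_IN)


def build_name_response(txid, name, suffix, addrs, ttl=300000):
    """Positive NAME QUERY RESPONSE from the name's owner. addrs is a list of
    (is_group, dotted_ip); the <1c> name is a group name, <1b> is unique."""
    header = struct.pack(">HHHHHH", txid, NB_RESPONSE_FLAGS, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    rdata = b"".join(struct.pack(">H", 0x8000 if group else 0) + socket.inet_aton(ip)
                     for group, ip in addrs)
    return header + rr_name + struct.pack(">HHIH", RR_TYPE_NB, RR_CLASS_IN, ttl, len(rdata)) + rdata


def parse_name_response(packet):
    """Return (name, suffix, [(is_group, ip), ...]) from a positive response.
    Assumes the answer name is written out in full (no DNS-style compression
    pointer), which is what nmbd and Windows send."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", packet[:12])
    if not flags & 0x8000 or ancount == 0:
        raise ValueError("not a positive name query response")
    off = 12 + qdcount * (34 + 4)          # skip any echoed question entries
    name, suffix = decode_netbios_name(packet[off + 1:off + 33])
    off += 34
    rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", packet[off:off + 10])
    off += 10
    if (rtype, rclass) != (RR_TYPE_NB, RR_CLASS_IN):
        raise ValueError("unexpected resource record type")
    addrs = []
    for i in range(off, off + rdlen, 6):
        nb_flags = struct.unpack(">H", packet[i:i + 2])[0]
        addrs.append((bool(nb_flags & 0x8000), socket.inet_ntoa(packet[i + 2:i + 6])))
    return name, suffix, addrs


if __name__ == "__main__":
    for suffix in (0x1b, 0x1c):
        query = build_name_query("SUPPORT", suffix, txid=0x4242)
        print("query  SUPPORT<%02x>: %s" % (suffix, query.hex()))
        # Constructed reply: the PDC at 192.168.1.2 owns both names; <1c> is a group name.
        reply = build_name_response(0x4242, "SUPPORT", suffix, [(suffix == 0x1c, "192.168.1.2")])
        print("answer SUPPORT<%02x>: %s" % (suffix, parse_name_response(reply)))
```

Because the query is a plain UDP broadcast with no authentication, any host on the subnet can answer it; that is why the nmbd log, which records that this server actually became logon server and local master browser, is the better confirmation that the names were registered by the intended machine.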
2. SETTING UP WINDOWS CLIENT ACCOUNTS ON THE SAMBA DC
On joining a domain, the client establishes a password known only to itself and to the domain controller. This password is called the machine trust account password and is used to prove the identity of the computer each time it contacts the DC. Windows 2000 and later require that you provide the credentials of an administrative account that is allowed to create the new machine account and assign it a random password.
Domain Admins
Domain Admins is a special group in Windows domains; its RID is always 512. When a Windows client joins a domain, it adds this domain group to its local Administrators group, so members of Domain Admins automatically gain administrative privileges on every domain member. Samba honors membership in Domain Admins as well, granting its members the ability to manage the user rights assignments that authorize users to join hosts to the domain.
# vi /etc/samba/smb.conf
Add the following line to the [global] section:
enable privileges = yes
Save the file and restart Samba:
# service smb restart
In order to create a group mapping entry for this special domain RID, you must first look up the SID of the SUPPORT domain. You must be root for all the commands in this section.
# net getlocalsid SUPPORT
The output is:
SID for domain SUPPORT is: S-1-5-21-2126422966-4252198253-3505372293
Now append the Domain Admins RID (512) to the domain SID and create a group mapping entry for it. The ntadmin Unix group must already exist on the server, otherwise net groupmap add fails:
# net groupmap add sid=S-1-5-21-2126422966-4252198253-3505372293-512 \
ntgroup="Domain Admins" unixgroup=ntadmin
The output is:
Successfully added group Domain Admins to the mapping db
Now all members of the ntadmin Unix group will be seen as domain administrators by both Samba and Windows clients.
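The mapping above is one instance of a general rule: a domain group SID is the domain SID with a well-known RID appended. The following is an added example, not code from the original post or from Samba: it parses the SID that net getlocalsid printed, refuses bases that are not a domain SID (BUILTIN, or a SID that already carries a RID) and pasted typos such as a leading "-", and emits the net groupmap add commands for Domain Admins (512) and, going beyond the post, Domain Users (513) and Domain Guests (514). The domain SID is the one shown in this post; the Unix group names used for RIDs 513 and 514 are assumptions made for the example.

```python
# Added example, not part of the original post: derive well-known domain group
# SIDs from the domain SID that 'net getlocalsid' prints and emit the matching
# 'net groupmap add' commands. The Unix group names for RIDs 513 and 514 are
# assumptions made for the example.

import re

# Well-known RIDs of the built-in domain groups on an NT-style domain.
WELL_KNOWN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c' into (revision, authority, [sub-authorities]).
    Anything else, including a stray leading '-', is rejected rather than
    silently passed on to 'net groupmap add'."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)+)", sid)
    if m is None:
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(m.group(1)), int(m.group(2))
    subauths = [int(s) for s in m.group(3).split("-")[1:]]
    if revision != 1 or any(s >= 2**32 for s in subauths):
        raise ValueError("malformed SID: %r" % sid)
    return revision, authority, subauths


def is_domain_sid(sid):
    """True for an NT domain SID: S-1-5-21-<three 32-bit values> with no RID yet.
    BUILTIN (S-1-5-32) or a SID that already ends in a RID is not a valid base."""
    _, authority, subauths = parse_sid(sid)
    return authority == 5 and len(subauths) == 4 and subauths[0] == 21


def group_sid(domain_sid, rid):
    """Domain SID with the RID appended, e.g. '...-512' for Domain Admins."""
    if not is_domain_sid(domain_sid):
        raise ValueError("not a domain SID: %s" % domain_sid)
    return "%s-%d" % (domain_sid, rid)


def groupmap_commands(domain_sid, unix_groups):
    """unix_groups maps RID -> Unix group; returns the net(8) commands to run as root.
    Each Unix group must already exist on the server, or net groupmap add fails."""
    return ['net groupmap add sid=%s ntgroup="%s" unixgroup=%s'
            % (group_sid(domain_sid, rid), WELL_KNOWN_GROUP_RIDS[rid], unix_group)
            for rid, unix_group in sorted(unix_groups.items())]


if __name__ == "__main__":
    # The domain SID from this post; the 513/514 Unix group names are assumed.
    domain = "S-1-5-21-2126422966-4252198253-3505372293"
    for cmd in groupmap_commands(domain, {512: "ntadmin", 513: "ntusers", 514: "ntguests"}):
        print(cmd)
```

Mapping 513 and 514 as well is what makes every domain user and guest resolve to a Unix group on the PDC; without those entries Samba only knows about the administrators' group created above.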