As some of you might know, a Windows domain is a great way to make sure that your users get a consistent experience on any machine they log in to, while also giving you central control over accounts and access. If you didn't know that, well now you do.
You might also know that the Microsoft products for the job aren't cheap, and aren't cost effective if you have a small business or want to set up a domain at home.
Well, the open source community has your solution: with just about any flavor of Linux it is possible to create a fully functional domain, complete with roaming profiles. What Samba 3 gives you is a classic NT4-style domain controller rather than Active Directory proper (that needs the Samba 4 AD DC mode), but for domain logons, roaming profiles and network authentication it does the job. I am not going to detail exactly how to go about doing that in this post, but I will be posting a decent how-to in the near future.
Ok, so here’s the run down:
The Samba software that ships with Linux has all (or at least most) of the bits you need to get your domain up. You need to edit smb.conf to define the shares your application needs, plus the profiles and netlogon shares required for domain logons and network authentication. You will also need winbind, a DNS server, and a proxy if you want to filter Internet traffic (all of these are available in whatever package manager comes with your distro).
The nice thing is that a Linux domain controller plays nicely with Windows boxes with minimal work. With an LDAP password backend (ldapsam) it supports a PDC plus multiple BDCs, so it scales; note that the tdbsam backend used in the configuration below is for a single PDC only. Other services such as OpenVPN run fine on the same box and give you features you would normally have to shell out big bucks for.
The beauty of this solution is that you don't need a massive rack-mount server: a cheap PC will do, and you can even use older hardware that is lying around, as you will see.
I set this up at my previous place of employment, by myself, over a weekend. It's not too hard, and it makes for a stable, secure network. The box this is running on is a 500 MHz P2 with 256 MB RAM, and it handled 7 computers by Ethernet, 4 by WiFi, as well as several VPN users: over 11 months without a problem or reboot. It also lends itself to preventing accidental virus outbreaks, which, as an IT person, I can tell you is a huge time saver.
The process is as follows:
- Obtain a computer to use as the domain controller
- Install Linux (Debian or Ubuntu are easy for a novice, but pretty much any flavor will work)
- Install a DHCP server to assign IP addresses to the other machines
- Install the BIND9 DNS server
- Install Samba and configure it similar to this (/etc/samba/smb.conf), then run testparm to check that the file parses before restarting smbd and nmbd:
[global]
workgroup = THIS_DOMAIN
netbios name = THIS_SERVERS_NETBIOS_NAME
passdb backend = tdbsam
printcap name = cups
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
# groupmod -A / -R exist only in SUSE's shadow utilities; on Debian/Ubuntu
# use /usr/bin/gpasswd -a %u %g and /usr/bin/gpasswd -d %u %g here instead
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
# Note: The following specifies the default logon script.
# Per user logon scripts can be specified in the user account using pdbedit
#logon script = scripts\logon.bat
# This sets the default profile path. Set per user paths with pdbedit
logon path = \\%L\profiles\%U
#logon path =
logon drive = H:
logon home = \\%L\home\%U
#logon home =
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root
guest ok = No
browseable = No

[profiles]
# For profiles to work, create a user directory under the path
# shown. i.e., mkdir -p /var/lib/samba/profiles/axis
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
store dos attributes = Yes
- At this point we have configured Samba to do the following:
- Serve a domain named THIS_DOMAIN. Create user and machine accounts and the world is wonderful.
- Make each user's home directory on the Linux box available as H: on their Windows box when they log in.
- Store roaming profiles.
- Set up new user accounts (you can skip the useradd if the users already have accounts on the Linux box); see the example below. The Samba password is separate from the Unix one, and the username must be spelled the same for both commands:
root# /usr/sbin/useradd -g users -d /home/axis -s /bin/bash -c "Ben F" axis
root# /usr/bin/smbpasswd -a axis
Make the directory where you told Samba to store the profiles accessible. Since we pre-create a directory per user (below), the share root only needs to be traversable, which the default mode 755 already is. If you would rather let users create their own profile directories, set the sticky bit instead of a plain o+rw; without it any domain user can rename or delete everyone else's profile directory:
chmod 1757 /var/lib/samba/profiles/
You'll also need to add a Samba account for root (smbpasswd -a root), since by default root is the domain administrator and is the account you join machines with. After making accounts, create a directory for each user under /var/lib/samba/profiles/ and chown user_name:users it (where user_name is the user's username); make it mode 700 so other domain users cannot read the profile.
Roaming profiles store your settings (desktop theme, Start menu choices, browser bookmarks, etc.) on the server and copy them to whichever machine you log in to, so that when you move from machine to machine your experience is exactly the same. Keep the profile small: everything in it is copied down at logon and written back at logoff.
If Windows gets stuck on a temporary roaming profile, make sure the user's profile folder exists and is owned by the user, then remove the machine from the domain and delete its machine account (see below). Then reboot the Windows machine that is giving you the issue and join it back to the domain. smbpasswd -m appends the trailing $ to the machine name itself; userdel needs it spelled out.
root# /usr/bin/smbpasswd -m -x machinename
root# /usr/sbin/userdel machinename$
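The account steps above (provisioning a user, fixing the profile share permissions, and clearing a stuck machine account) are easy to get subtly wrong by hand, so here is a small shell helper that scripts them and audits the profile share for the "chmod o+rw" mistake. This is an added example written for this post, not code from the original or from Samba. It assumes POSIX sh plus find and chmod, the useradd/smbpasswd/userdel commands used above, and a PROFILES path defaulting to the post's /var/lib/samba/profiles; the machine name ws01 and DRY_RUN switch are illustrative.

```shell
#!/bin/sh
# Added example for this post (not from the original): helpers for the Samba
# PDC account steps, plus an audit of the roaming-profile share permissions.
# Assumes POSIX sh, find, chmod and the post's useradd/smbpasswd/userdel.
# Set DRY_RUN=1 to print the privileged commands instead of executing them.

PROFILES=${PROFILES:-/var/lib/samba/profiles}

# Run a command, or echo it when DRY_RUN is set (preview as non-root).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the Unix account (-m creates the home dir), the Samba account,
# and a private (mode 700) profile directory owned by the user.
# Usage: provision_domain_user axis "Ben F"
provision_domain_user() {
    user=$1; fullname=$2
    run /usr/sbin/useradd -m -g users -s /bin/bash -c "$fullname" "$user"
    run /usr/bin/smbpasswd -a "$user"
    run mkdir -p "$PROFILES/$user"
    run chown "$user:users" "$PROFILES/$user"
    run chmod 700 "$PROFILES/$user"
}

# Remove a machine account so the workstation can be rejoined (the post's
# fix for a Windows box stuck on a temporary profile). smbpasswd -m appends
# the trailing $ itself; userdel needs it spelled out.
# Usage: remove_machine_account ws01
remove_machine_account() {
    machine=$1
    run /usr/bin/smbpasswd -m -x "$machine"
    run /usr/sbin/userdel "$machine\$"
}

# Return 0 if the share root is safe: either not world-writable, or
# world-writable only together with the sticky bit (mode 1757) so users
# cannot rename or delete each other's profile directories.
# A plain "chmod o+rw" on a 755 directory gives 0757 and fails this check.
profiles_root_ok() {
    d=$1
    if [ -n "$(find "$d" -prune -perm -002 -print)" ]; then
        [ -n "$(find "$d" -prune -perm -1000 -print)" ]
    else
        return 0
    fi
}

# Print every per-user profile directory whose mode is not exactly 700,
# i.e. one that group or others could read, write or enter.
# Prints nothing when the share is clean.
leaky_profile_dirs() {
    for p in "$1"/*; do
        [ -d "$p" ] || continue
        find "$p" -prune ! -perm 700 -print
    done
}
```

Run the audit as `profiles_root_ok /var/lib/samba/profiles && leaky_profile_dirs /var/lib/samba/profiles` after any permission change; an empty listing and a zero exit mean every user's profile is private and nobody can tamper with a neighbour's directory. Set DRY_RUN=1 first if you want to review the provisioning commands before running them as root.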