This tutorial is taken from Bulltext’s and elsewhere, and includes a DNS server, time sync, Webmin, OpenSSH, etc. It has been tested to work on both 32-bit and 64-bit installations. By default it comes with roaming profiles enabled.

Throughout this you need to be consistent in replacing “myserver” with the name of your server, “mydomain” with the name of your domain, and “PassWD55” with your password. These need to be the same in all places. The text in green is typically something that needs to be typed or entered into forms. The best way to customize this to suit your needs may be to paste this tutorial into Writer or Word and use the replace function to replace myserver, mydomain, and PassWD55 respectively with what you're going to use. This is taken from my own notes, thus the colors, to help see all the places that need changing.


The options I used at install were:

For hostname put in the name you’re going to use for your server. In this tutorial I used “myserver”. At the partition editor I highly recommend configuring a partition for the OS and a separate partition for user data. This makes backing up your server configuration much easier than if they were mushed together. I configured a root partition of 6 GB, a swap of 2 GB (use the amount of RAM you have, or double the amount of RAM if your server’s going to get heavy use), then used the remainder of the drive mounted at /home. Size them as needed; if you're going to be running a database or something similar you'll need a larger root partition or a different structure. For username I used “sysadmin”, for password I used “PassWD55”. No automatic updates. Don’t install any extra software. When done, remove the CD and reboot.

1. Login as sysadmin then give root a password:


sudo passwd root
PassWD55

Logout and log back in as root.

2. Optional: install the GUI. Having the GUI available on the server can make it easier to step through this guide. Here I'm assuming your server received an IP address via DHCP or you already configured a static IP. You can perform most tasks here using Webmin and PuTTY if you don’t want to install the GUI.

apt-get update
apt-get install ubuntu-desktop
reboot


3. Remove splash screen and GUI startup. Login as root then open a terminal window

mv /etc/init/gdm.conf /etc/init/gdm.conf.nostart
cp /etc/default/grub /etc/default/grub.bak
nano /etc/default/grub

change line to: GRUB_CMDLINE_LINUX_DEFAULT=""

update-grub
reboot

Sometimes after this reboot you don't get a login prompt; this seems to be a bug that gets fixed by the next boot. Hit alt-F1, login as root, and enter the GUI with

startx


4. Install OpenSSH Server, you may wish to use this to step through the tutorial. Download PuTTY to access the server from Windows.

apt-get install openssh-server


5. Install Webmin. Get the current link for the Debian package from Webmin.com. Right now it's:

Code:
wget http://downloads.sourceforge.net/project/webadmin/webmin/1.530/webmin_1.530_all.deb?r=http://www.webmin.com -O webmin_1.530_all.deb

dpkg -i webmin_1.530_all.deb

If this times out, get it directly from webmin.com. If you get a dependency error try

apt-get install -f


6. Configure a static IP address. You can either navigate to https://localhost:10000 from the server GUI, login as root and go to Networking> Network Configuration> Network Interfaces> eth0. Change the IP as needed.

or


nano /etc/network/interfaces

Change text under "The primary network interface" to (change IP to suit your network):

auto eth0
iface eth0 inet static
address 10.0.1.110
netmask 255.255.255.0
gateway 10.0.1.100


Then:

/etc/init.d/networking restart

Check your IP is set correctly

ifconfig
ping 10.0.1.100 (ping your gateway)
ping google.com


7. Configure A Fully Qualified Domain Name

nano /etc/hosts

127.0.0.1 localhost
127.0.1.1 myserver myserver.mydomain.local

leave other lines the same

nano /etc/hostname

myserver.mydomain.local


8. Since we're going to sync workstations to server time, we want the server to have the correct time.

apt-get install ntp
nano /etc/ntp.conf

Add "server pool.ntp.org" above "server ntp.ubuntu.com".


9. Install and configure the DNS server. This is simplest to do with Webmin.

apt-get install bind9

navigate to: https://10.0.1.110:10000 (Use the IP address you assigned to your server.)

Login as "root" and "PassWD55"
Under Servers or Un-used Modules find BIND DNS Server
Under "Existing DNS Zones" click "Create master zone"
Enter in the following information:

Zone type: Forward (Names to Addresses)
Domain name / Network: mydomain.local
Records file: Automatic
Master server: myserver.mydomain.local
Email address: sysadmin@mydomain.local
Click "Create" button
Click "Address (0)" at the top

Fill in with this information (customize to your needs):
Name: myserver.mydomain.local
Address: 10.0.1.110 (Use the IP address of your server)
Click "Create" button
Name: mydomain.local
Address: 10.0.1.110 (use the IP address of your server)
Click "Create" button
Click "Return to record types"
Click "Apply Zone" button
Click "Apply Configuration"

cp /etc/resolv.conf /etc/resolv.conf.original
nano /etc/resolv.conf

Edit the file so that the only lines in the file are the following:

search mydomain.local
nameserver 10.0.1.110

then

reboot

Make sure you can still ping google

ping google.com


10.
apt-get update
apt-get dist-upgrade


At this point I recommend imaging the sda1 partition using a utility like Ghost 4 Linux. This will allow you to return to this point in a few minutes in case the below fails (on an old laptop it was about 5 minutes to restore a 6GB partition). If one step errors out, the rest of this doesn’t work and it's difficult to determine why.


...
11.
apt-get install slapd ldap-utils
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif



12. You will need to modify the following to include your password and domain name.


nano backend.ldif

Add:

Code:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=mydomain,dc=local
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=mydomain,dc=local
olcRootPW: PassWD55
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=mydomain,dc=local" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=mydomain,dc=local" write by * read
Then

ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
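One thing a practitioner will want to change in the backend.ldif above is the line "olcRootPW: PassWD55": stored like that, the LDAP admin password sits in cleartext under cn=config (and it is what step 16 later prints back with ldapsearch). OpenLDAP accepts a hashed value there instead, normally produced with `slappasswd -s 'PassWD55'`, which outputs an {SSHA} string you paste in place of the cleartext. The script below is an added example, not part of the tutorial: it builds and verifies that same {SSHA} format (base64 of SHA1(password||salt) followed by the salt) using only coreutils, and checks an LDIF for a cleartext olcRootPW before you run ldapadd. The function names, the constructed two-line LDIF excerpt and the ASCII salt are my assumptions; slappasswd itself uses raw random salt bytes, which the verify function handles too.

```shell
#!/bin/sh
# Added example, not part of the tutorial: keep the LDAP root password out of
# cn=config in cleartext. Builds/verifies OpenLDAP's {SSHA} format with
# coreutils only (use `slappasswd -s` on the real server) and checks an LDIF
# for a cleartext olcRootPW. Function names are this example's own.

# Emit raw bytes for a hex string read from stdin (POSIX printf octal escapes).
hex_to_bin() {
    hex=$(cat)
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}              # first two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# 8 hex characters from /dev/urandom, used as an ASCII salt (simplification:
# slappasswd uses raw bytes; ssha_verify below copes with either).
new_salt() {
    head -c 4 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# ssha_hash PASSWORD SALT -> {SSHA}base64(sha1(password||salt)||salt)
ssha_hash() {
    pw=$1; salt=$2
    b64=$( { printf '%s%s' "$pw" "$salt" | sha1sum | cut -d' ' -f1 | hex_to_bin
            printf '%s' "$salt"; } | base64 | tr -d '\n' )
    printf '{SSHA}%s' "$b64"
}

# ssha_verify PASSWORD HASH -> exit 0 if HASH was made from PASSWORD
ssha_verify() {
    pw=$1
    raw=$(printf '%s' "$2" | sed 's/^{SSHA}//' | base64 -d | od -An -v -tx1 | tr -d ' \n')
    stored=$(printf '%s' "$raw" | cut -c1-40)      # 20-byte digest as hex
    salthex=$(printf '%s' "$raw" | cut -c41-)      # whatever follows is the salt
    computed=$( { printf '%s' "$pw"; printf '%s' "$salthex" | hex_to_bin; } \
                | sha1sum | cut -d' ' -f1 )
    [ "$computed" = "$stored" ]
}

# ldif_rootpw_is_hashed FILE -> exit 0 unless an olcRootPW value lacks a {SCHEME} prefix
ldif_rootpw_is_hashed() {
    ! grep -E '^olcRootPW:[[:space:]]*[^{[:space:]]' "$1" >/dev/null
}

# Demo on a constructed two-line excerpt of the tutorial's backend.ldif
tmp=$(mktemp)
printf 'olcRootDN: cn=admin,dc=mydomain,dc=local\nolcRootPW: PassWD55\n' > "$tmp"
if ldif_rootpw_is_hashed "$tmp"; then
    echo "olcRootPW already hashed"
else
    echo "olcRootPW is cleartext; replacing it with an {SSHA} value"
    hash=$(ssha_hash 'PassWD55' "$(new_salt)")
    sed "s|^olcRootPW:.*|olcRootPW: $hash|" "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
fi
cat "$tmp"
ssha_verify 'PassWD55' "$(sed -n 's/^olcRootPW: //p' "$tmp")" && echo "hash verifies against PassWD55"
rm -f "$tmp"
```

Run it against your own backend.ldif by replacing the constructed excerpt with the real path. The rest of the tutorial is unaffected: Samba's "ldap admin dn" password is set separately with smbpasswd -W in step 14, and ldapsearch in step 16 will simply show the {SSHA} string instead of PassWD55.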


13. Install Samba

apt-get install samba samba-doc libpam-smbpass smbclient smbldap-tools

Here is the smb.conf I use. The parts you need to edit are near the top. Where it shows “Workgroup”, use what you’ve been using for “mydomain”. For “Netbios Name”, use what you’ve been using for “myserver”. Also change the lines “LDAP Suffix” and “LDAP Admin”. Specify a user to be Samba admin if you want. Leave “Logon Path” as is for roaming profiles, or change to “logon path =” for no roaming profiles.


nano smb.conf


Code:
[global]

#  Customize these entries as needed
#  Replace with your domain name
	workgroup = mydomain

#  Replace with your server name
	netbios name = myserver

#  Replace "mydomain" with the workgroup name you're using
	ldap suffix = dc=mydomain,dc=local
	ldap admin dn = cn=admin,dc=mydomain,dc=local

#  Roaming profiles enabled. Replace "myserver" to match your netbios name
	logon path = \\myserver\profiles\%U\%a
#  No roaming profiles, uncomment
;	logon path =

	
#  Server Information
	server string = SMB Server


#  Specify global admin user, will have root in all shares
;	admin users = 


#  PW Backend
	obey pam restrictions = Yes
	unix password sync = no
	ldap passwd sync = yes
	passdb backend = ldapsam:ldap://localhost
	pam password change = Yes


#  SMBLDAP Scripts
	add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
	add user script = /usr/sbin/smbldap-useradd -m '%u'
	add machine script = /usr/sbin/smbldap-useradd -w '%u'
	add group script = /usr/sbin/smbldap-groupadd -p '%g'
	delete group script = /usr/sbin/smbldap-groupdel '%g'
	delete user script = /usr/sbin/smbldap-userdel %u
	delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
	set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'


#  LDAP Configuration
	ldap ssl = no
	ldap user suffix = ou=Users
	ldap machine suffix = ou=Computers
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=Idmap


#  Logon script located in netlogon share. Individual logon scripts uncomment
	;logon script = %U.bat
	logon script = allusers.bat


#  Logging
	max log size = 1000
	syslog = 0
	log file = /var/log/samba/log.%m


#  Printing
	printing = cups
	printcap name = cups
	load printers = yes


# Domain Controller
	domain master = Yes
	domain logons = Yes
	wins support = true
	os level = 35
	server signing = auto
	server schannel = Auto
	panic action = /usr/share/samba/panic-action %d
	dns proxy = No
;	logon drive = H:
;	logon home = \\%N\%U


# Allow file permissions change to group members
	acl group control = yes


# Inherit permissions from parent
; 	inherit acls = yes
; 	inherit owner = yes
;	map acl inherit = yes
; 	inherit permissions = yes


# Do NOT inherit permissions from parent
	inherit acls = no
	inherit owner = no
	map acl inherit = no
	inherit permissions = no


# Do not show files that are unreadable
	hide unreadable = yes

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# to allow user 'guest account' to print.
   guest ok = yes
   writable = no
   printable = yes
   create mode = 0700

[Home]
	security mask = 0770
	writeable = yes
	path = /home/userhome
	force security mode = 0
	force directory security mode = 0
	directory security mask = 0770

[netlogon]
	comment = Network Logon Service
	writeable = yes
	public = yes
	path = /home/netlogon

[profiles]
	browseable = no
	printable = no
	writable = yes
	path = /home/profiles
	store dos attributes = no
	guest ok = no
	comment = Users Profiles
# fixes everyone having read
	create mode = 0700
	directory mode = 0700




Once you've modified the values, type:


cp /etc/samba/smb.conf /etc/samba/smb.conf.original
cp -rf smb.conf /etc/samba/smb.conf



Every time you edit your smb.conf you should run:

testparm /etc/samba/smb.conf

If you see an rlimit_max: error you can ignore it.
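testparm only checks that smb.conf parses; it says nothing about whether the share settings are what you meant. In the smb.conf above, [netlogon] is both "writeable = yes" and "public = yes", so the allusers.bat that every workstation executes at logon (step 23) can be edited by anyone who can reach the share without authenticating. The following is an added example, not part of the tutorial: a small awk pass over an smb.conf that lists shares which are writable and reachable as guest. The function names and the constructed smb.conf excerpt are my assumptions; the parameter names it looks for (writeable/writable, read only, guest ok/public) are Samba's own.

```shell
#!/bin/sh
# Added example, not part of the tutorial: list smb.conf shares that are both
# writable and guest-accessible. Commented lines (';' or '#') are ignored,
# as Samba ignores them. Function names are this example's own.

audit_guest_writable_shares() {
    awk '
    function flush() {
        if (share != "" && share != "global" && writable && guest) print share
    }
    /^[[:space:]]*[;#]/ { next }                 # skip commented-out lines
    /^[[:space:]]*\[/ {                          # new [share] section
        flush()
        share = $0
        sub(/^[[:space:]]*\[/, "", share); sub(/\].*$/, "", share)
        writable = 0; guest = 0
        next
    }
    /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        key = tolower(key); val = tolower(val)
        # writeable/writable = yes or read only = no both make a share writable
        if ((key == "writeable" || key == "writable") && (val == "yes" || val == "true")) writable = 1
        if (key == "read only" && (val == "no" || val == "false")) writable = 1
        # guest ok and public are synonyms in Samba
        if ((key == "guest ok" || key == "public") && (val == "yes" || val == "true")) guest = 1
    }
    END { flush() }
    ' "$1"
}

# Constructed excerpt of the tutorial's smb.conf (share sections only).
write_sample_smbconf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = mydomain
    netbios name = myserver

[printers]
   comment = All Printers
   guest ok = yes
   writable = no
   printable = yes

[Home]
    writeable = yes
    path = /home/userhome

[netlogon]
    comment = Network Logon Service
    writeable = yes
    public = yes
    path = /home/netlogon

[profiles]
    writable = yes
    guest ok = no
    path = /home/profiles
;   public = yes
EOF
}

# Demo: only [netlogon] should be reported.
tmp=$(mktemp)
write_sample_smbconf "$tmp"
echo "Shares writable by unauthenticated users:"
audit_guest_writable_shares "$tmp"
rm -f "$tmp"
```

Run it as `audit_guest_writable_shares /etc/samba/smb.conf` after every edit, alongside testparm. If [netlogon] shows up and you don't want it to, Samba's own "write list = root" parameter keeps the share readable by domain members while limiting who can change the scripts, or set "writeable = no" and edit the scripts on the server as in step 23.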


14.
smbpasswd -W

Enter the same password you’ve been using for “PassWD55”.

service smbd restart
smbclient -L localhost

Hit enter, do not type in password. This should show your server/workgroup information without error.

mkdir -v -m 1777 /home/profiles
mkdir -v -m 1777 /home/netlogon



15.
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/

gzip -d /etc/ldap/schema/samba.schema.gz
nano schema_convert.conf

insert:
Code:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
Then:

mkdir /tmp/ldif_output

All one line:

slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/schema_samba.ldif

nano /tmp/schema_samba.ldif

At the top, edit

dn: cn={12}samba,cn=schema,cn=config

to show

dn: cn=samba,cn=schema,cn=config

Edit

cn: {12}samba

to show

cn: samba

Delete the following from the end:

structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z



ldapadd -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -W -f /tmp/schema_samba.ldif

Enter Password “PassWD55”, or the same one you’ve been using.

nano samba_indexes.ldif

Enter:
Code:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
Then

ldapmodify -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -W -f samba_indexes.ldif

Enter Password “PassWD55”, or the same one you’ve been using.



16. The following should execute without error:

ldapsearch -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb


Enter Password “PassWD55”, or the same one you’ve been using.
Verify olcSuffix:, olcAccess:, olcAccess:, olcRootDN:, olcRootPW:.

net getlocalsid

Should run without error and look similar to
SID for domain MYSERVER is: S-1-5-21-2159403287-619955039-1086301409


17.
gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
perl /usr/share/doc/smbldap-tools/configure.pl

Here hit Enter at all times except:
"Logon Home", put a “.” (period without quotes)
"Logon Path", put a "."
Default passwd validation time, I put 3650
When prompted for password, use your password or “PassWD55”.

Then:

smbldap-populate

Enter Password “PassWD55”, or the same one you’ve been using.


18. Move the home directory so personal data doesn’t mix with the shared folders.

mkdir -v /home/userhome
cp /etc/smbldap-tools/smbldap.conf /etc/smbldap-tools/smbldap.conf.original
nano /etc/smbldap-tools/smbldap.conf

Locate and change to: userHome="/home/userhome/%U"

Then:

/etc/init.d/slapd stop
slapindex
chown openldap:openldap /var/lib/ldap/*
/etc/init.d/slapd start

smbldap-groupmod -m 'root' 'Administrators'


19.
apt-get --yes install ldap-auth-client

For LDAP server Uniform Resource Identifier, leave it as it is: "ldapi:///"
For Distinguished name of the search base, put "dc=mydomain,dc=local"
For LDAP account for root, put "cn=admin,dc=mydomain,dc=local"
When it asks for the LDAP password use "PassWD55" or the password you’ve been using.


Use "dpkg-reconfigure ldap-auth-config" if you make a mistake.

Then

auth-client-config -t nss -p lac_ldap


20.
pam-auth-update ldap


Make sure there’s an asterisk next to all listed.

getent group

Should show similar to:
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:root
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:


reboot


21. See if it lives. Add a user:

smbldap-useradd -a -m -P test
smbldap-groupmod -m test 'Domain Admins'

On a Windows 7 workstation, go to Control Panel> System> for Computer Name click Change Settings> Change> Member of Domain, and enter “mydomain” or the domain you’ve been using (ONLY the name of your domain; do not enter myserver.mydomain.local). When prompted for a username enter “root”, and for the password enter “PassWD55”. You may receive a DNS error; ignore it, click OK a few times, then reboot Windows. Try to login as “Test”. Note: Sometimes after switching domains Windows will come up still configured to log into the local workstation. You may have to manually tell it to log into the domain.

If you have a working domain, now would be a good time to image/backup the sda1 partition.


22. Enable ACL for the home partition. This will allow for much more granularity and flexibility when setting file permissions.

apt-get install acl
cp /etc/fstab /etc/fstab.original
nano /etc/fstab

change the /home mount so it says "defaults,acl" instead of "defaults"

reboot

Test it:

mkdir -v /home/mp3
setfacl -R -m u:test:rwx /home/mp3
setfacl -R -d -m u:test:rwx /home/mp3

getfacl /home/mp3

Should show
# file: home/mp3
# owner: root
# group: root
user::rwx
user:test:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:test:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

You should now be able to modify file/folder properties using Windows Explorer. Right-click the file, Properties> Security> Advanced. Note that Windows and POSIX permissions do not map identically, but this configuration is still more flexible than stock.


23. Add a logon script. The sample smb.conf is configured with one logon script for all users; to switch to individual logon scripts, change the line to “logon script = %U.bat” in smb.conf. This script will also sync workstation time to the server. NOTE: For a user designated under “admin users =” in smb.conf, you have to manually set the owner of their profile directory to that username in order for roaming profiles to work; by default, files created by the Samba admin are owned by root, which confuses Windows.

nano /home/netlogon/allusers.bat

Enter the following text, replace myserver with the name of your server:

@echo off
REM # SYNC THE TIME WITH THE SERVER
net time \\myserver /set /y

REM # MAP Home Drives
net use x: /delete
net use x: \\myserver\Home\%username%


Install flip to convert the file to something Windows can use (CRLF line endings):

apt-get install flip
flip -m /home/netlogon/allusers.bat

Miscellaneous:

24. As a sample, create a user “mp3user”, make an MP3 group, add the user to the group, make a folder for MP3s, set Linux permissions for the MP3 directory, add the MP3 Samba share, add a mapped drive in the login script.

Create the user:

smbldap-useradd -a -m -P mp3user

Add user to 'Domain Admins'. Optional - this makes user local admin on windows:

smbldap-groupmod -m mp3user 'Domain Admins'

Create the group:

smbldap-groupadd -a MP3

Add mp3user to the group:

smbldap-groupmod -m mp3user 'MP3'

Make the MP3 directory (note if you did the test above you already made this directory)

mkdir -v /home/mp3

Set permissions so group MP3 can access the mp3 folder:

setfacl -m g:MP3:rwx /home/mp3
setfacl -d -m g:MP3:rwx /home/mp3


The first grants the group MP3 access to the folder; the second adds the same entry as a default ACL so that new files and subfolders inherit that permission.

Create the Samba share, open the smb.conf:

nano /etc/samba/smb.conf

Paste the following at the bottom of smb.conf:

[MP3]
writeable = yes
inherit permissions = yes
path = /home/mp3
force directory mode = 770
force create mode = 770
valid users = @MP3


Note that you can also configure Samba using the Samba module in Webmin.


Then:

service smbd restart

Add a map in the login script:

nano /home/netlogon/allusers.bat

Add the following:

REM # MAP MP3 Drive
net use m: /delete
net use m: \\myserver\MP3


then

flip -m /home/netlogon/allusers.bat

You should now be able to log in as mp3user and have a writable M:\ drive.


25. Other command line options:

* smbldap-groupadd - add a new group
* smbldap-groupdel - delete a group
* smbldap-groupmod - modify a group, including adding or removing members
* smbldap-groupshow - show the properties of a group, including members
* smbldap-passwd - change a user password
* smbldap-populate - populate LDAP database
* smbldap-useradd - add a new user account
* smbldap-userdel - delete a user account
* smbldap-userlist - list users and machines
* smbldap-usershow - show information for one user account
* smbldap-usermod - modify the Unix and Samba properties of a user account (many properties)
* smbldap-userinfo - modify gecos information in a user account (only a few properties)


26. You can configure Windows to use this server as its DNS server; in fact this may be necessary on some workstations before you can join the domain. In Windows 7 go to Control Panel> Network and Sharing Center> for your Local Area Connection (or wireless connection), click View Status> Properties> Double-click Internet Protocol Version 4> Use the following DNS Server Addresses, and enter the IP address of your server. Use ipconfig /all to verify your change. You should then be able to ping myserver.mydomain.local and have this return your server's IP address.


27. To browse your LDAP tree you can use LDAP Admin. Make a new connection using the settings:

Host: myserver
Base: dc=mydomain,dc=local
Username: cn=admin,dc=mydomain,dc=local
Password: PassWD55
You can also use PHPLDAPAdmin or the LDAP Server module in Webmin.


28. Verify NTP is working

ntpq -p

Should show two servers, one with a * one with a +

date

Should show correct time. You can compare with time.gov.


29. You can see this hotfix about the Windows 7 DNS error: http://support.microsoft.com/kb/2171571
The error will not affect anything except the error message itself.


30. Users added to the 'Domain Admins' group will automatically receive local admin permissions on a Windows workstation. If you want the user to have only user level permissions then do not add the user to the 'Domain Admins' group.


31. To always prompt for username and password at login instead of icons (and showing the last username logged in)
Click Start> Run>Secpol.msc> Local Policies> Security Options> Interactive Login: Do Not Display Last Username> Enabled.


32. You can backup your server config with Ghost 4 Linux. DL, burn, boot, hit Enter a few times until you can type in G4L. Select Raw Mode, Local Use. Select "Pick Drive" and pick the sda6 partition (the destination drive - your large partition if you made one), or your external drive. "Config Filename", type in a name. Select "Backup", pick the sda1 partition and let it roll. Should take less than 10 minutes and you'll have an image you can restore in case your server develops a problem.