This tutorial is taken from Bulltext's and elsewhere, and includes a DNS server, time sync, Webmin, OpenSSH, etc. It has been tested to work on both 32-bit and 64-bit installations. By default it comes with roaming profiles enabled.
Throughout this you need to be consistent in replacing "myserver" with the name of your server, "mydomain" with the name of your domain, and "PassWD55" with your password. These need to be the same in all places. The text in green is typically something that needs to be typed or entered into forms. The best way to customize this to suit your needs may be to paste this tutorial into Writer or Word and use the replace function to replace myserver, mydomain, and PassWD55 respectively with what you're going to use. This is taken from my own notes, thus the colors, to help see all the places that need changing.
The options I used at install were:
For hostname put in the name you're going to use for your server. In this tutorial I used "myserver". At the partition editor I highly recommend configuring a partition for the OS and a partition for user data. This will make backing up your server configuration much easier than if they were mushed together. I configured a root partition of 6 GB, a swap of 2 GB (use the amount of RAM you have, or double the amount of RAM if your server's going to get heavy use), then used the remainder of the drive mounted at /home. Size them as needed; if you're going to be running a database or something you'll need a larger root partition or a different structure. For username I used "sysadmin", for password I used "PassWD55". No automatic updates. Don't install any extra software. When done remove the CD and reboot.
1. Login as sysadmin then give root a password:
sudo passwd root
PassWD55
Logout and log back in as root.
2. Optional: install the GUI. Having the GUI available on the server can make it easier to step through this guide. Here I'm assuming your server received an IP address via DHCP or you already configured a static IP. You can perform most tasks here using Webmin and PuTTY if you don’t want to install the GUI.
apt-get update
apt-get install ubuntu-desktop
reboot
3. Remove splash screen and GUI startup. Login as root then open a terminal window
mv /etc/init/gdm.conf /etc/init/gdm.conf.nostart
cp /etc/default/grub /etc/default/grub.bak
nano /etc/default/grub
change line to: GRUB_CMDLINE_LINUX_DEFAULT=""
update-grub
reboot
Sometimes after this reboot you don't get a login prompt. This seems to be a bug that gets fixed by the next boot. Hit alt-F1, login as root, and enter the GUI with
startx
4. Install OpenSSH Server, you may wish to use this to step through the tutorial. Download PuTTY to access the server from Windows.
apt-get install openssh-server
5. Install Webmin. Get the current link for the Debian package from Webmin.com. Right now it's:
Code:
wget http://downloads.sourceforge.net/project/webadmin/webmin/1.530/webmin_1.530_all.deb?r=http://www.webmin.com -O webmin_1.530_all.deb
dpkg -i webmin_1.530_all.deb
If this times out, get it directly from webmin.com. If you get a dependency error try
apt-get install -f
6. Configure a static IP address. You can either navigate to https://localhost:10000 from the server GUI, login as root and go to Networking> Network Configuration> Network Interfaces> eth0. Change the IP as needed.
or
nano /etc/network/interfaces
Change text under "The primary network interface" to (change IP to suit your network):
auto eth0
iface eth0 inet static
address 10.0.1.110
netmask 255.255.255.0
gateway 10.0.1.100
Then:
/etc/init.d/networking restart
Check your IP is set correctly
ifconfig
ping 10.0.1.100 (ping your gateway)
ping google.com
7. Configure A Fully Qualified Domain Name
nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 myserver myserver.mydomain.local
leave other lines the same
nano /etc/hostname
myserver.mydomain.local
8. Since we're going to sync workstations to server time, we want the server to have correct time
apt-get install ntp
nano /etc/ntp.conf
Add "server pool.ntp.org" above "server ntp.ubuntu.com".
9. Install and configure the DNS server. This is simplest to do with Webmin.
apt-get install bind9
navigate to: https://10.0.1.110:10000 (Use the IP address you assigned to your server.)
Login as "root" and "PassWD55"
Under Servers or Un-used Modules find BIND DNS Server
Under "Existing DNS Zones" click "Create master zone"
Enter in the following information:
Zone type: Forward (Names to Addresses)
Domain name / Network: mydomain.local
Records file: Automatic
Master server: myserver.mydomain.local
Email address: sysadmin@mydomain.local
Click "Create" button
Click "Address (0)" at the top
Fill in with this information (customize to your needs):
Name: myserver.mydomain.local
Address: 10.0.1.110 (Use the IP address of your server)
Click "Create" button
Name: mydomain.local
Address: 10.0.1.110 (use the IP address of your server)
Click "Create" button
Click "Return to record types"
Click "Apply Zone" button
Click "Apply Configuration"
cp /etc/resolv.conf /etc/resolv.conf.original
nano /etc/resolv.conf
Edit the file so that the only lines in the file are the following:
search mydomain.local
nameserver 10.0.1.110
then
reboot
Make sure you can still ping google
ping google.com
10.
apt-get update
apt-get dist-upgrade
At this point I recommend imaging the sda1 partition using a utility like Ghost 4 Linux. This will allow you to return to this point in a few minutes in case the steps below fail (on an old laptop it was about 5 minutes to restore a 6 GB partition). One error in the steps below and this doesn't work, and it's difficult to determine why.
...
11.
apt-get install slapd ldap-utils
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
12. You will need to modify the following to include your password and domain name.
nano backend.ldif
Add:
Code:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=mydomain,dc=local
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=mydomain,dc=local
olcRootPW: PassWD55
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=mydomain,dc=local" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=mydomain,dc=local" write by * read
Then
ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
13. Install Samba
apt-get install samba samba-doc libpam-smbpass smbclient smbldap-tools
Here is the smb.conf I use. The parts you need to edit are near the top. Where it shows "Workgroup", use what you've been using for "mydomain". For "Netbios Name", use what you've been using for "myserver". Also change the lines "LDAP Suffix" and "LDAP Admin". Specify a user to be Samba admin if you want. Leave "Logon Path" as is for roaming profiles, or change it to "logon path =" for no roaming profiles.
nano smb.conf
Code:
[global]
# Customize these entries as needed
# Replace with your domain name
workgroup = mydomain
# Replace with your server name
netbios name = myserver
# Replace "mydomain" with the workgroup name you're using
ldap suffix = dc=mydomain,dc=local
ldap admin dn = cn=admin,dc=mydomain,dc=local
# Roaming profiles enabled. Replace "myserver" to match your netbios name
logon path = \\myserver\profiles\%U\%a
# No roaming profiles, uncomment
; logon path =
# Server Information
server string = SMB Server
# Specify global admin user, will have root in all shares
; admin users =
# PW Backend
obey pam restrictions = Yes
unix password sync = no
ldap passwd sync = yes
passdb backend = ldapsam:ldap://localhost
pam password change = Yes
# SMBLDAP Scripts
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
add user script = /usr/sbin/smbldap-useradd -m '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
delete user script = /usr/sbin/smbldap-userdel %u
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
# LDAP Configuration
ldap ssl = no
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
# Logon script located in netlogon share. Individual logon scripts uncomment
;logon script = %U.bat
logon script = allusers.bat
# Logging
max log size = 1000
syslog = 0
log file = /var/log/samba/log.%m
# Printing
printing = cups
printcap name = cups
load printers = yes
# Domain Controller
domain master = Yes
domain logons = Yes
wins support = true
os level = 35
server signing = auto
server schannel = Auto
panic action = /usr/share/samba/panic-action %d
dns proxy = No
; logon drive = H:
; logon home = \\%N\%U
# Allow file permissions change to group members
acl group control = yes
# Inherit permissions from parent
; inherit acls = yes
; inherit owner = yes
; map acl inherit = yes
; inherit permissions = yes
# Do NOT inherit permissions from parent
inherit acls = no
inherit owner = no
map acl inherit = no
inherit permissions = no
# Do not show files that are unreadable
hide unreadable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# to allow user 'guest account' to print.
guest ok = yes
writable = no
printable = yes
create mode = 0700
[Home]
security mask = 0770
writeable = yes
path = /home/userhome
force security mode = 0
force directory security mode = 0
directory security mask = 0770
[netlogon]
comment = Network Logon Service
writeable = yes
public = yes
path = /home/netlogon
[profiles]
browseable = no
printable = no
writable = yes
path = /home/profiles
store dos attributes = no
guest ok = no
comment = Users Profiles
# fixes everyone having read
create mode = 0700
directory mode = 0700
Once you have modified the values type:
cp /etc/samba/smb.conf /etc/samba/smb.conf.original
cp -rf smb.conf /etc/samba/smb.conf
Every time you edit your smb.conf you should:
testparm /etc/samba/smb.conf
If you see an rlimit_max: error you can ignore it.
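As an added check, not part of the original tutorial: a small POSIX shell script that reads a customised smb.conf and verifies that the [global] values step 13 tells you to edit agree with each other (ldap admin dn under ldap suffix, logon path pointing at the netbios name) and that no "myserver"/"mydomain" placeholder was left behind. It assumes parameter names are written in lower case with single spaces, as in the sample above; the values corp/fs01 in the embedded sample are constructed.

```shell
# Added example, not part of the tutorial: check a customised smb.conf before
# copying it into /etc/samba. Verifies that the [global] values step 13 says to
# edit agree with each other and that no myserver/mydomain placeholder is left.
# Assumes parameter names are lower case with single spaces, as in the sample.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
# smb_value KEY FILE: value of "key = value" inside [global]; ';' and '#' start comments
smb_value() {
    awk -v key="$1" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/   { inglobal = ($0 ~ /^[[:space:]]*\[global\]/); next }
        inglobal && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$2"
}

check_smb_conf() {
    f="$1"; wg=$(smb_value workgroup "$f"); nb=$(smb_value "netbios name" "$f")
    suffix=$(smb_value "ldap suffix" "$f"); admin=$(smb_value "ldap admin dn" "$f")
    lp=$(smb_value "logon path" "$f")
    if [ -z "$wg" ] || [ -z "$nb" ] || [ -z "$suffix" ] || [ -z "$admin" ]; then
        echo "FAIL: workgroup, netbios name, ldap suffix or ldap admin dn missing"; return 1
    fi
    case "$(lc "$wg $nb $suffix $admin $lp")" in
        *mydomain*|*myserver*) echo "FAIL: tutorial placeholder still present"; return 1 ;;
    esac
    case "$(lc "$admin")" in
        *",$(lc "$suffix")") ;;
        *) echo "FAIL: ldap admin dn '$admin' is not under ldap suffix '$suffix'"; return 1 ;;
    esac
    # logon path is \\SERVER\share\...: field 3 of a backslash split is SERVER
    lp_server=$(printf '%s\n' "$lp" | cut -d '\' -f 3)
    if [ -n "$lp" ] && [ "$(lc "$lp_server")" != "$(lc "$nb")" ]; then
        echo "FAIL: logon path names server '$lp_server' but netbios name is '$nb'"; return 1
    fi
    echo "OK: workgroup=$wg netbios name=$nb ldap suffix=$suffix"
}

# Constructed sample with the placeholders already replaced (corp / fs01).
SAMPLE_SMB_CONF=$(cat <<'EOF'
[global]
workgroup = corp
netbios name = fs01
ldap suffix = dc=corp,dc=local
ldap admin dn = cn=admin,dc=corp,dc=local
logon path = \\fs01\profiles\%U\%a
; logon path =
[netlogon]
path = /home/netlogon
EOF
)

# self_test: the sample passes; the same file with "netbios name = fs02" must fail
self_test() {
    good=$(mktemp); bad=$(mktemp)
    printf '%s\n' "$SAMPLE_SMB_CONF" > "$good"
    sed 's/^netbios name = fs01$/netbios name = fs02/' "$good" > "$bad"
    check_smb_conf "$good" >/dev/null && ! check_smb_conf "$bad" >/dev/null; rc=$?
    rm -f "$good" "$bad"; return $rc
}

if [ "$#" -eq 1 ]; then check_smb_conf "$1"; fi
```

Run it as `sh check_smb.sh smb.conf` on the file you edited, before the cp into /etc/samba; testparm still has to pass afterwards, since this only checks the handful of values the tutorial customises.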
14.
smbpasswd -W
Enter the same password you’ve been using for “PassWD55”
service smbd restart
smbclient -L localhost
Hit enter, do not type in password. This should show your server/workgroup information without error.
mkdir -v -m 1777 /home/profiles
mkdir -v -m 1777 /home/netlogon
15.
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
gzip -d /etc/ldap/schema/samba.schema.gz
nano schema_convert.conf
insert:
Code:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
Then:
mkdir /tmp/ldif_output
All one line:
slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/schema_samba.ldif
nano /tmp/schema_samba.ldif
At the top, edit
dn: cn={12}samba,cn=schema,cn=config
to show
dn: cn=samba,cn=schema,cn=config
Edit
cn: {12}samba
to show
cn: samba
Delete the following from the end:
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
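The hand edits above, done with sed so they are repeatable (added example, not part of the original tutorial). The {12} index is the position of samba.schema in schema_convert.conf; the function strips whatever index slapcat emitted. The embedded slapcat sample is constructed, with placeholder UUID and timestamps.

```shell
# Added example, not part of the tutorial: the edits step 15 has you make by
# hand in /tmp/schema_samba.ldif, done with sed so they are repeatable. The
# {12} index is the position of samba.schema in schema_convert.conf; the
# function strips whatever index slapcat emitted. Reads LDIF on stdin.
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}samba,/dn: cn=samba,/' \
        -e 's/^cn: {[0-9]*}samba$/cn: samba/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# Constructed sample of what slapcat emits (UUID and timestamps are placeholders).
SAMPLE_SLAPCAT=$(cat <<'EOF'
dn: cn={12}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20080101000000Z
entryCSN: 20080101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080101000000Z
EOF
)

# self_test: cleaned output keeps dn, objectClass, cn and olcAttributeTypes, nothing else
self_test() {
    out=$(printf '%s\n' "$SAMPLE_SLAPCAT" | clean_schema_ldif)
    printf '%s\n' "$out" | grep -q '^dn: cn=samba,cn=schema,cn=config$' || return 1
    printf '%s\n' "$out" | grep -q '^cn: samba$' || return 1
    printf '%s\n' "$out" | grep -q '^olcAttributeTypes: {0}( ' || return 1   # per-attribute indexes stay
    if printf '%s\n' "$out" | grep -q -E '^(entryUUID|entryCSN|creatorsName|modifiersName|createTimestamp|modifyTimestamp|structuralObjectClass): '; then
        return 1
    fi
    [ "$(printf '%s\n' "$out" | wc -l | tr -d ' ')" -eq 4 ]
}

# Usage on the real file, then load the result with the ldapadd command the tutorial gives:
#   clean_schema_ldif < /tmp/schema_samba.ldif > /tmp/schema_samba_clean.ldif
if [ "$#" -eq 1 ]; then clean_schema_ldif < "$1"; fi
```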
ldapadd -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -W -f /tmp/schema_samba.ldif
Enter Password “PassWD55”, or the same one you’ve been using.
nano samba_indexes.ldif
Enter:
Code:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
Then
ldapmodify -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -W -f samba_indexes.ldif
Enter Password “PassWD55”, or the same one you’ve been using.
16. The following should execute without error:
ldapsearch -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb
Enter Password “PassWD55”, or the same one you’ve been using.
Verify olcSuffix:, olcAccess:, olcAccess:, olcRootDN:, olcRootPW:.
net getlocalsid
Should run without error and look similar to
SID for domain MYSERVER is: S-1-5-21-2159403287-619955039-1086301409
17.
gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
perl /usr/share/doc/smbldap-tools/configure.pl
Here hit Enter at all times except:
"Logon Home", put a “.” (period without quotes)
"Logon Path", put a "."
Default passwd validation time, I put 3650
When prompted for password, use your password or “PassWD55”.
Then:
smbldap-populate
Enter Password “PassWD55”, or the same one you’ve been using.
18. Move the home directory so personal data doesn't mix with the shared folders.
mkdir -v /home/userhome
cp /etc/smbldap-tools/smbldap.conf /etc/smbldap-tools/smbldap.conf.original
nano /etc/smbldap-tools/smbldap.conf
Locate and change to: userHome="/home/userhome/%U"
Then:
/etc/init.d/slapd stop
slapindex
chown openldap:openldap /var/lib/ldap/*
/etc/init.d/slapd start
smbldap-groupmod -m 'root' 'Administrators'
19.
apt-get --yes install ldap-auth-client
For LDAP server Uniform Resource Identifier, leave it as it is "ldapi:///"
For Distinguished name of the search base, put "dc=mydomain,dc=local"
For LDAP account for root, put "cn=admin,dc=mydomain,dc=local"
When it asks for LDAP password use "PassWD55" or the pw you've been using.
Use "dpkg-reconfigure ldap-auth-config" if you make a mistake.
Then
auth-client-config -t nss -p lac_ldap
20.
pam-auth-update ldap
Make sure there’s an asterisk next to all listed.
getent group
Should show similar to:
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:root
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
reboot
21. See if it lives. Add a user:
smbldap-useradd -a -m -P test
smbldap-groupmod -m test 'Domain Admins'
On a Windows 7 workstation, go to Control Panel> System> for Computer Name click Change Settings> Change> member of Domain, enter "mydomain" or the domain you've been using (ONLY the name of your domain, do not enter myserver.mydomain.local)> when prompted for username enter "root", for pw enter "PassWD55". You may receive a DNS error; ignore it, click OK a few times, then reboot Windows. Try to login as "test". Note: Sometimes after switching domains Windows will come up still configured to log into the local workstation. You may have to manually tell it to log into the domain.
If you have a working domain, now would be a good time to image/backup the sda1 partition.
22. Enable ACL for the home partition. This will allow for much more granularity and flexibility when setting file permissions.
apt-get install acl
cp /etc/fstab /etc/fstab.original
nano /etc/fstab
change the /home mount so it says "defaults,acl" instead of "defaults"
reboot
Test it:
mkdir -v /home/mp3
setfacl -R -m u:test:rwx /home/mp3
setfacl -R -d -m u:test:rwx /home/mp3
getfacl /home/mp3
Should show
# file: home/mp3
# owner: root
# group: root
user::rwx
user:test:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:test:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
You should now be able to modify file/folder properties using Windows Explorer. Right-click the file, Properties> Security> Advanced. Note that Windows and POSIX permissions do not map identically, but this configuration is still more flexible than stock.
23. Add a logon script. The sample smb.conf is configured with one logon script for all users; to change to individual logon scripts change the line to "logon script = %U.bat" in smb.conf. This script will also sync workstation time to the server. NOTE: For a user listed under "admin users =" in smb.conf, you have to manually set the owner of their profile directory to that username in order for roaming profiles to work; by default files created by the Samba admin are owned by root, which confuses Windows.
nano /home/netlogon/allusers.bat
Enter the following text, replace myserver with the name of your server:
@echo off
REM # SYNC THE TIME WITH THE SERVER
net time \\myserver /set /y
REM # MAP Home Drives
net use x: /delete
net use x: \\myserver\Home\%username%
Install flip to convert the file to DOS line endings so Windows can use it
apt-get install flip
flip -m /home/netlogon/allusers.bat
Miscellaneous:
24. As a sample, create a user “mp3user”, make an MP3 group, add the user to the group, make a folder for MP3s, set Linux permissions for the MP3 directory, add the MP3 Samba share, add a mapped drive in the login script.
Create the user:
smbldap-useradd -a -m -P mp3user
Optional: add the user to 'Domain Admins', which makes the user a local admin on Windows:
smbldap-groupmod -m mp3user 'Domain Admins'
Create the group:
smbldap-groupadd -a MP3
Add mp3user to the group:
smbldap-groupmod -m mp3user 'MP3'
Make the MP3 directory (note if you did the test above you already made this directory)
mkdir -v /home/mp3
Set permissions so group MP3 can access the mp3 folder:
setfacl -m g:MP3:rwx /home/mp3
setfacl -d -m g:MP3:rwx /home/mp3
The first adds the group MP3, the second adds it as a default group so new files inherit that permission.
Create the Samba share, open the smb.conf:
nano /etc/samba/smb.conf
Paste the following at the bottom of smb.conf:
[MP3]
writeable = yes
inherit permissions = yes
path = /home/mp3
force directory mode = 770
force create mode = 770
valid users = @MP3
Note that you can also configure Samba using the Samba module in Webmin.
Then:
service smbd restart
Add a map in the login script:
nano /home/netlogon/allusers.bat
Add the following:
REM # MAP MP3 Drive
net use m: /delete
net use m: \\myserver\MP3
then
flip -m /home/netlogon/allusers.bat
You should now be able to log in as mp3user and have a writable M:\ drive.
25. Other command line options:
* smbldap-groupadd - add a new group
* smbldap-groupdel - delete a group
* smbldap-groupmod - modify a group, including adding or removing members
* smbldap-groupshow - show the properties of a group, including members
* smbldap-passwd - change a user password
* smbldap-populate - populate LDAP database
* smbldap-useradd - add a new user account
* smbldap-userdel - delete a user account
* smbldap-userlist - list users and machines
* smbldap-usershow - show information for one user account
* smbldap-usermod - modify the Unix and Samba properties of a user account (many properties)
* smbldap-userinfo - modify gecos information in a user account (only a few properties)
26. You can configure Windows to use this server as a DNS server; in fact this may be necessary on some workstations before you can join the domain. In Windows 7 go to Control Panel> Network and Sharing Center> for your Local Area Connection (or wireless connection), click View Status> Properties> Double-click Internet Protocol Version 4> Use the following DNS Server Addresses, enter the IP address of your server. Use ipconfig /all to verify your change. You should then be able to ping myserver.mydomain.local and have this return your server's IP address.
27. To browse your LDAP tree you can use LDAP Admin. Make a new connection using the settings:
Host: myserver
Base: dc=mydomain,dc=local
Username: cn=admin,dc=mydomain,dc=local
Password: PassWD55
You can also use PHPLDAPAdmin or the LDAP Server module in Webmin.
28. Verify NTP is working
ntpq -p
Should show two servers, one with a * one with a +
date
Should show correct time. You can compare with time.gov.
29. You can see this hotfix about the Windows 7 DNS error: http://support.microsoft.com/kb/2171571
The error will not affect anything except the error message itself.
30. Users added to the 'Domain Admins' group will automatically receive local admin permissions on a Windows workstation. If you want the user to have only user level permissions then do not add the user to the 'Domain Admins' group.
31. To always prompt for username and password at login instead of icons (and showing the last username logged in)
Click Start> Run>Secpol.msc> Local Policies> Security Options> Interactive Login: Do Not Display Last Username> Enabled.
32. You can backup your server config with Ghost 4 Linux. Download, burn, boot, hit Enter a few times until you can type in G4L. Select Raw Mode, Local Use. Select "Pick Drive" and pick the sda6 partition (the destination drive, your large partition if you made one), or your external drive. For "Config Filename", type in a name. Select "Backup", pick the sda1 partition and let it roll. It should take less than 10 minutes and you'll have an image you can restore in case your server develops a problem.