Monday, May 01, 2006

Joining a Fedora Core 4 Workstation/Server to a Windows NT4 Domain

Prepared by Pascal Chong

At the minimum, you will need:

  • samba-common-3.x

  • samba-client-3.x

  • samba-3.x

Winbind, the component you need to join a Windows domain, is in the samba package.


Overview of the Process

Here is what we will need to do:

Joining the Domain

  1. On the Windows NT 4 Domain Controller, create an account in the Server Manager application for the Linux server, using the Linux server's NetBIOS name.

  2. Install the Samba packages or the "Windows File Server" package group, if you have not already done so.

  3. Backup the system configuration files you will be changing.

  4. Edit /etc/nsswitch.conf to add Winbind.

  5. Edit /etc/samba/smb.conf to define the domain and "shared folders". Adjust the permissions on the shared directories, so that users can write and read from them.

  6. Edit /etc/pam.d/login to add Winbind authentication.

  7. Add exceptions to firewall rules to allow Windows clients to connect to shared folders.

  8. Start Samba and Winbind services.

  9. Test on the Linux system that you can retrieve login and group information from the Windows domain.

  10. Test on Windows clients that they can connect to the Linux system, browse shares, read and write files.

If all goes well, hopefully, you will have a functioning Linux Samba server that can service Windows clients.

Notice that I am not using the authconfig utility here. I found it a dead-end when I used it, as it did not configure everything like I expected it to -- automagically! You may have more success with it though, as essentially, it makes the same (I think) changes to the system configuration files as described here.


Backup the System Configuration Files

I will assume that the server's NetBIOS name has been added to the Server Manager, and that the necessary Samba packages have been successfully installed.

The files you will need to backup are:

  • /etc/nsswitch.conf

  • /etc/samba/smb.conf

  • /etc/pam.d/login

It is absolutely essential that you back up these files! If there are any typos or mistakes, the result could be a locked system that you cannot log in to. You will also need to keep your Fedora Rescue CD handy. If things turn bad, you may need to use it to boot to single user mode and restore the backup configuration files.


Edit /etc/nsswitch.conf

You will need to add winbind to several lines as shown below:

Example 1. Additions to /etc/nsswitch.conf

passwd:     files winbind
shadow:     files winbind
group:      files winbind

Edit /etc/pam.d/login

You will need to add a couple of lines into this file. I can't figure out how to color code them in Docbook, so you will need to compare the file below with your own file to see where the changes are. A hint: they all contain the string pam_winbind.so.

Example 2. Additions to /etc/pam.d/login

#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open

Samba configuration via /etc/samba/smb.conf

Here's where it can get complicated. You will need to use the information you gathered earlier about your Windows domain and plug the values into various parts of your smb.conf, and also define the "folders" that you want to share. (I hate using the term "folders", which is a Windows metaphor, but I guess I'll have to use it here because it is the most appropriate term, if not entirely accurate from a purist perspective.)

You will need to locate and change the values in several lines. Assuming we have a domain called TEMASEK, and a WINS server address of 192.168.1.10, and our server name is FCSAMBA, then these are the lines you will need to locate and change:

Example 3. Define the Windows Domain

# workgroup = NT-Domain Name or Workgroup-Name
workgroup = TEMASEK

Next, you need to define the NetBIOS name.

Example 4. Define the NetBIOS name

# server string is the equivalent of the NT Description field
server string = Fedora Samba Server
netbios name = FCSAMBA

Now, we specify the WINS server address:

Example 5. Specify the WINS server address

# WINS Server - Tells the NMBD components of Samba to be a WINS client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 192.168.1.10

Now, just before the Share Definitions, we add some Winbind parameters:

Example 6. Winbind parameters

winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash

Under the Share Definitions section, you need to add:

Example 7. idmap parameters

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

I'm not exactly sure what the lines above do or define, but they were mentioned in some articles, so I just added them in.

Now we can define some shares. For simplicity, I am defining one shared directory, accessible by everybody.

Example 8. A public share

[public]
path = /shares
public = yes
writable = yes

Because we are giving universal access to the directory /shares, we will need to adjust the permissions for that folder:

[root@localhost ~]# chmod go+rw /shares

Now you should connect your machine to the network, if you have not already done so, and get ready to test.
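Before restarting services or logging out, it is worth checking the three edited files for the entries the article adds, since a typo in nsswitch.conf or /etc/pam.d/login is what produces the lockout warned about earlier. The following pre-flight check is an added example, not part of the original article: the paths are parameters so it can be pointed at copies first, and the function names are my own.

```shell
# Pre-flight check for the winbind edits above (added example, not from the
# article). Point it at copies of the files first; the paths are parameters.

# 0 if every listed nsswitch database names winbind as a source.
check_nsswitch() {
    file="$1"; rc=0
    for db in passwd shadow group; do
        # e.g. "passwd:   files   winbind"; commented lines do not match
        if ! grep -Eq "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|$)" "$file"; then
            echo "nsswitch: '$db' line lacks winbind" >&2; rc=1
        fi
    done
    return $rc
}

# 0 if pam_winbind.so is present for both the auth and account types.
check_pam_login() {
    file="$1"; rc=0
    for type in auth account; do
        if ! grep -Eq "^[[:space:]]*${type}[[:space:]]+[^[:space:]]+[[:space:]]+pam_winbind\.so" "$file"; then
            echo "pam: no $type rule for pam_winbind.so" >&2; rc=1
        fi
    done
    return $rc
}

# 0 if smb.conf sets each domain parameter the article adds (keys are
# case-insensitive in smb.conf, hence grep -i).
check_smb_conf() {
    file="$1"; rc=0
    for key in "workgroup" "netbios name" "wins server" "winbind uid" "winbind gid"; do
        if ! grep -Eiq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*[^[:space:]]" "$file"; then
            echo "smb.conf: '$key' missing or empty" >&2; rc=1
        fi
    done
    return $rc
}

# Run all three and report every problem, not just the first.
preflight() {
    status=0
    check_nsswitch "$1" || status=1
    check_pam_login "$2" || status=1
    check_smb_conf "$3" || status=1
    return $status
}
```

Run it as `preflight /etc/nsswitch.conf /etc/pam.d/login /etc/samba/smb.conf && echo OK`; for smb.conf syntax as a whole, `testparm -s /etc/samba/smb.conf` from samba-common is the complementary check.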


Add Exceptions to Firewall Rules

Fedora blocks Samba traffic in the default firewall rules, so you will need to add a few exceptions to the rules in order to give access to shared resources. At the minimum, this is what you need:

[root@localhost ~]# iptables -I INPUT -p udp -m multiport --destination-port 137,138 -j ACCEPT
[root@localhost ~]# iptables -I INPUT -p tcp -m multiport --destination-port 139,445 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -p udp -m multiport --source-port 137,138 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -p tcp -m multiport --source-port 139,445 -j ACCEPT
[root@localhost ~]# /sbin/iptables-save > /etc/sysconfig/iptables
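The rules above accept NetBIOS and SMB from any source. As an added example (not from the article), the same exceptions can be generated scoped to a single LAN subnet, so the shares are only reachable from the network the domain lives on; 192.168.1.0/24 is an assumed value for the TEMASEK network. The function prints the commands rather than running them, so they can be reviewed before being applied as root.

```shell
# Emit the article's four Samba exceptions restricted to one subnet.
# Added example, not from the original article; the subnet is assumed.
samba_rules() {
    lan="$1"
    # Refuse the catch-all, which would just reproduce the open rules.
    case "$lan" in
        ""|0.0.0.0/0|*/0)
            echo "samba_rules: refusing open subnet '$lan'" >&2
            return 1 ;;
    esac
    cat <<EOF
iptables -I INPUT  -s $lan -p udp -m multiport --destination-port 137,138 -j ACCEPT
iptables -I INPUT  -s $lan -p tcp -m multiport --destination-port 139,445 -j ACCEPT
iptables -I OUTPUT -d $lan -p udp -m multiport --source-port 137,138 -j ACCEPT
iptables -I OUTPUT -d $lan -p tcp -m multiport --source-port 139,445 -j ACCEPT
EOF
}
```

Review the output of `samba_rules 192.168.1.0/24`, then run it as root and save with `/sbin/iptables-save > /etc/sysconfig/iptables` as above.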

Starting Samba and Winbind

You will need to be the root user. We will use the service utility in Fedora to start Samba and Winbind.

[root@localhost ~]# /sbin/service samba start
[root@localhost ~]# /sbin/service winbind start

Both services should start OK. Once started, we will be ready to test.

If you are experiencing problems starting Samba, you should restore your old smb.conf file and see if that starts OK. Also, check if there are any typos inside the file that you edited.


Joining the Domain and Testing

Let's try to join the domain now. As root user,

[root@localhost ~]# net rpc join -W TEMASEK -U administrator

Here, we are trying to join the domain called TEMASEK using the domain administrator account. If you have a domain account, you can use that too. If all goes well, you should be prompted for a password. Key in the NT administrator's password and you should get a message that says:

Joined domain TEMASEK

If you have a large domain and a lot of domain accounts, you may get a spurious error:

rpc command function failed! (NT_STATUS_ACCESS_DENIED)

If you have a large domain and a lot of accounts, the time to get to the Password prompt can be extremely long, like 5 minutes or more. If you are unable to log in the first time, try several more times. The error could be the result of a timeout because the server cannot authenticate fast enough. This problem is not peculiar to Linux. When I join a new Windows system to the domain, I sometimes get a similar error. I'm not sure how to fix this in the long term, but I find that retrying several times usually does the trick.

Once you have successfully joined the domain, you can test that your server can gather information about domain groups and users. Note again that if you have a large domain these queries can take a very long time to complete and may scroll off the screen. Spurious errors may also be thrown.

To check that you are successfully joined to the domain,

[root@localhost ~]# wbinfo -t
checking the trust secret via RPC calls succeeded

Check that you can grab the domain groups.

[root@localhost ~]# wbinfo -g

Check that you can get the domain users. This process may take a very long while (about 5 minutes for 1,000+ accounts) or throw spurious errors.

[root@localhost ~]# wbinfo -u

If you are able to get successful results from the last few commands, you can check whether you can browse the shared resources from another Windows computer on the same domain. Simply launch Network Neighbourhood or My Network Places and browse to the domain, which displays all the computers that are currently on the domain. Try to locate your Linux server there and click on it. You should see the shared resources.


Some Observations

One of the first things I noticed was how much more responsive my Samba server was in serving files, compared to the Windows file servers that I had on the same network, even though the Samba server was a lower-powered machine, with less RAM and a slower processor.

I hope this article was useful to you. It took a long while for me to get to this stage, and I know that there are still a lot more configuration nuances that I have not explored yet. If you spotted any errors, please do let me know!


End of Document
