- The Installation
- Part 1: DHCP and DNS
- Part 2: NTP
- Part 3: OpenLDAP
- LDAP Indices
- AutoFS LDAP
- Sudo LDAP
- Part 4: Kerberos
- Authentication on the Server
- Kerberised SSH
- Part 5: NFS
- Part 6: Account Management
- Management Scripts Configuration
- Managing Users
- Part 7: Connecting Ubuntu Clients
- Configuring NFS
- Admin Rights
- LightDM - The Login Screen
- Part 8: Connecting Microsoft Windows Clients
- Server Configuration
- Connecting Windows 7 Clients
- Part 9: Connecting Mac OS X Clients
- Changes to the Server
- Kerberos Configuration
- LDAP Configuration
- Part 10: Secondary Server - DHCP & DNS
- Secondary DHCP
- Part 11: File Backups (Bacula)
- Coming Soon
- Managing Clients - Puppet
- Comments (129)
Part 8: Connecting Microsoft Windows Clients
To get this working we’re going to need to make some changes to the server, installing Samba to act as an Active Directory Primary Domain Controller… thankfully, that’s a lot easier than it sounds!
sudo apt-get install samba libpam-smbpass
That will install Samba and import all of your user accounts for use with Samba. Furthermore, new user accounts will automatically be synchronised with their Samba counterparts.
Let’s create a Kerberos principal for the Samba service to use, ssh into the server and run the following:
sudo kadmin.local -q "addprinc -randkey cifs/neo.danbishop.org" sudo kadmin.local -q "addprinc -randkey cifs/neo" sudo kadmin.local -q "ktadd -k /etc/krb5.keytab -e rc4-hmac:normal cifs/neo.danbishop.org" sudo kadmin.local -q "ktadd -k /etc/krb5.keytab -e rc4-hmac:normal cifs/neo"
Be sure to include the encryption type when running ktadd. The default encryption type is not compatible with the Samba client utilities. You’ll notice both the FQDN and the hostname of the server have been added. I hope to clean this up soon, but at the moment this is the only way I’ve managed to be sure it will work.
Now we need to configure Samba:
sudo nano /etc/samba/smb.conf
This file contains a comprehensive and well commented list of all of Samba’s configuration settings and is well worth reading through, the changes we’re particularly interested in are detailed below though:
workgroup = danbishop.org security = user realm = DANBISHOP.ORG kerberos method = system keytab domain logons = yes logon path = \\%N\%U\windowsprofile logon drive = H: logon home = \\%N\%U logon script = logon.cmd add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
Most of the above simply need a # or a ; deleting from the beginning of their line in the config file to enable them.
We also need to enable some shares in the configuration file, these are found towards the end of the file under the title “Share Definitions”
[homes] comment = Home Directories browseable = no read only = no valid users = %S [netlogon] comment = Network Logon Service path = /home/samba/netlogon guest ok = yes read only = yes share modes = no
Now we need to create the netlogon folder and an empty netlogon.cmd (this will be used later to run commands each time a user logs on – perhaps to mount another share, etc.):
sudo mkdir -p /home/samba/netlogon sudo touch /home/samba/netlogon/logon.cmd
Now we just need to restart Samba to make the changes take effect:
sudo service smbd restart sudo service nmbd restart
we also need to create a group called “machines” for Samba to use when the add machine script is run. This will happen whenever you join a new Windows machine to your domain.
sudo ldapaddgroup machines
To be able to recognise your Unix admins as Windows admins we need to map the windows admin group to the unix admin group like so:
sudo net groupmap add ntgroup="Domain Admins" unixgroup=domainadmins rid=512 type=d
You also need to give admins who are allowed to add machines to the network explicit rights to do so. The following command gives the user dan the ability to use the add machine script and therefore join windows machines to the domain.
net rpc rights grant -U dan "danbishop.org\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
You will almost certainly get an authentication error here, check that you have added your realm information to /etc/krb5.conf on the server (in this case neo). See the Kerberos section of this guide for how to do that. Then log out of the ssh session and back in. This will sync your samba account with your LDAP account.
Connecting Windows 7 Clients
Windows 7 requires a registry change to be able to connect to a Samba domain. Download and run this registry entry on the client machine. Once added to the registry, restart the machine (or at least the lanman service).
Now would also be a good time to run the optimisations reg file. These tweaks are NOT necessary, but they do improve login speed.
Then go to Control Panel, System and Security, System and under “Computer name, domain and workgroup settings” click “Change settings”. Click the “Change” button on the dialogue that appears and enter “DANBISHOP.ORG” in the domain box. Click ok.
You will then be prompted for the domain administrators details to join the domain, in this case username dan and associated password. It will take sometime to connect to the domain, but eventually you will be shown a dialogue box welcoming you to the DANBISHOP.ORG domain. Restart the computer and you’ll be able to login as any of your domain users.
If you get a username/password not recognised error, log the user into a linux machine (or the server itself via ssh) and you should see “Added user.” printed to the terminal. The user can now use the Samba domain.