Ubuntu 12.04 Ultimate Server Guide

Part 8: Connecting Microsoft Windows Clients

To get this working we’re going to need to make some changes to the server, installing Samba to act as an Active Directory Primary Domain Controller… thankfully, that’s a lot easier than it sounds!

Server Configuration

sudo apt-get install samba libpam-smbpass

That will install Samba and import all of your user accounts for use with Samba. Furthermore, new user accounts will automatically be synchronised with their Samba counterparts.

Let’s create a Kerberos principal for the Samba service to use, ssh into the server and run the following:

sudo kadmin.local -q "addprinc -randkey cifs/neo.danbishop.org"
sudo kadmin.local -q "addprinc -randkey cifs/neo"
sudo kadmin.local -q "ktadd -k /etc/krb5.keytab -e rc4-hmac:normal cifs/neo.danbishop.org"
sudo kadmin.local -q "ktadd -k /etc/krb5.keytab -e rc4-hmac:normal cifs/neo"

Be sure to include the encryption type when running ktadd. The default encryption type is not compatible with the Samba client utilities. You’ll notice both the FQDN and the hostname of the server have been added. I hope to clean this up soon, but at the moment this is the only way I’ve managed to be sure it will work.

Now we need to configure Samba:

sudo nano /etc/samba/smb.conf

This file contains a comprehensive and well commented list of all of Samba’s configuration settings and is well worth reading through, the changes we’re particularly interested in are detailed below though:

workgroup = danbishop.org
security = user
realm = DANBISHOP.ORG
kerberos method = system keytab
domain logons = yes
logon path = \\%N\%U\windowsprofile
logon drive = H:
logon home = \\%N\%U
logon script = logon.cmd
add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

Most of the above simply need a # or a ; deleting from the beginning of their line in the config file to enable them.

We also need to enable some shares in the configuration file, these are found towards the end of the file under the title “Share Definitions”

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   valid users = %S

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   read only = yes
   share modes = no

Now we need to create the netlogon folder and an empty netlogon.cmd (this will be used later to run commands each time a user logs on – perhaps to mount another share, etc.):

sudo mkdir -p /home/samba/netlogon
sudo touch /home/samba/netlogon/logon.cmd

Now we just need to restart Samba to make the changes take effect:

sudo service smbd restart
sudo service nmbd restart

we also need to create a group called “machines” for Samba to use when the add machine script is run. This will happen whenever you join a new Windows machine to your domain.

sudo ldapaddgroup machines

To be able to recognise your Unix admins as Windows admins we need to map the windows admin group to the unix admin group like so:

sudo net groupmap add ntgroup="Domain Admins" unixgroup=domainadmins rid=512 type=d

You also need to give admins who are allowed to add machines to the network explicit rights to do so. The following command gives the user dan the ability to use the add machine script and therefore join windows machines to the domain.

net rpc rights grant -U dan "danbishop.org\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

You will almost certainly get an authentication error here, check that you have added your realm information to /etc/krb5.conf on the server (in this case neo). See the Kerberos section of this guide for how to do that. Then log out of the ssh session and back in. This will sync your samba account with your LDAP account.

Connecting Windows 7 Clients

Windows 7 requires a registry change to be able to connect to a Samba domain. Download and run this registry entry on the client machine. Once added to the registry, restart the machine (or at least the lanman service).

Now would also be a good time to run the optimisations reg file. These tweaks are NOT necessary, but they do improve login speed.

Then go to Control Panel, System and Security, System and under “Computer name, domain and workgroup settings” click “Change settings”. Click the “Change” button on the dialogue that appears and enter “DANBISHOP.ORG” in the domain box. Click ok.

You will then be prompted for the domain administrators details to join the domain, in this case username dan and associated password. It will take sometime to connect to the domain, but eventually you will be shown a dialogue box welcoming you to the DANBISHOP.ORG domain. Restart the computer and you’ll be able to login as any of your domain users.

If you get a username/password not recognised error, log the user into a linux machine (or the server itself via ssh) and you should see “Added user.” printed to the terminal. The user can now use the Samba domain.