Saturday, January 28, 2012

Samba as a Primary Domain Controller

Although it cannot act as an Active Directory Primary Domain Controller (PDC), a Samba server can be configured to appear as a Windows NT4-style domain controller. A major advantage of this configuration is the ability to centralize user and machine credentials. Samba can also use multiple backends to store the user information.

Primary Domain Controller

This section covers configuring Samba as a Primary Domain Controller (PDC) using the default smbpasswd backend.

First, install Samba, and libpam-smbpass to sync the user accounts, by entering the following in a terminal prompt:

sudo apt-get install samba libpam-smbpass
Next, configure Samba by editing /etc/samba/smb.conf. The security mode should be set to user, and the workgroup should relate to your organization:

workgroup = EXAMPLE
...
security = user
In the commented “Domains” section add or uncomment the following:

domain logons = yes
logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
logon script = logon.cmd
add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u
domain logons: provides the netlogon service causing Samba to act as a domain controller.

logon path: places the user's Windows profile into their home directory. It is also possible to configure a [profiles] share placing all profiles under a single directory.

logon drive: specifies the home directory local path.

logon home: specifies the home directory location.

logon script: determines the script to be run locally once a user has logged in. The script needs to be placed in the [netlogon] share.

add machine script: a script that will automatically create the Machine Trust Account needed for a workstation to join the domain.

In this example the machines group will need to be created using the addgroup utility; see the section called “Adding and Deleting Users” for details.

Also, rights need to be explicitly provided to the Domain Admins group to allow the add machine script (and other admin functions) to work. This is achieved by executing:

net rpc rights grant "EXAMPLE\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege \
SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

If you do not wish to use roaming profiles, leave the logon home and logon path options commented.

Uncomment the [homes] share to allow the logon home to be mapped:

[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
When configured as a domain controller a [netlogon] share needs to be configured. To enable the share, uncomment:

[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = yes
read only = yes
share modes = no

The original netlogon share path is /home/samba/netlogon, but according to the Filesystem Hierarchy Standard (FHS), /srv is the correct location for site-specific data provided by the system.

Now create the netlogon directory, and an empty (for now) logon.cmd script file:

sudo mkdir -p /srv/samba/netlogon
sudo touch /srv/samba/netlogon/logon.cmd
You can enter any normal Windows logon script commands in logon.cmd to customize the client's environment.

With root being disabled by default, in order to join a workstation to the domain, a system group needs to be mapped to the Windows Domain Admins group. Using the net utility, from a terminal enter:

sudo net groupmap add ntgroup="Domain Admins" unixgroup=sysadmin rid=512 type=d

Change sysadmin to whichever group you prefer. Also, the user used to join the domain needs to be a member of the sysadmin group, as well as a member of the system admin group. The admin group allows sudo use.

Finally, restart Samba to enable the new domain controller:

sudo restart smbd
sudo restart nmbd
You should now be able to join Windows clients to the Domain in the same manner as joining them to an NT4 domain running on a Windows server.
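Before restarting the daemons it is worth checking that every setting this section depends on is actually present. The following POSIX shell script is an added example (not from the Ubuntu guide or from Samba) that reads a constructed smb.conf and reports any of the PDC settings above that are missing or wrong: security = user, domain logons = yes, an add machine script, and a read-only [netlogon] share. The function names and the sample configuration are assumptions made for this illustration; run it alongside Samba's own testparm, which checks the syntax.

```shell
#!/bin/sh
# Added example, not from the Ubuntu guide: audit an smb.conf for the
# NT4-style PDC settings listed above. Function names and the sample
# configuration below are assumptions made for this illustration.

# Constructed sample smb.conf, written to a temp file so the functions
# can equally be pointed at a real /etc/samba/smb.conf.
SAMPLE_SMB_CONF=$(mktemp)
cat >"$SAMPLE_SMB_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   logon path = \\%N\%U\profile
   logon drive = H:
   logon home = \\%N\%U
   logon script = logon.cmd
   add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u

[netlogon]
   comment = Network Logon Service
   path = /srv/samba/netlogon
   guest ok = yes
   read only = yes
EOF

# smb_get FILE SECTION KEY -> prints the value of KEY inside [SECTION]
# (empty output when the key is absent; first match wins)
smb_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            i = index($0, "["); j = index($0, "]")
            insec = (substr($0, i + 1, j - i - 1) == sec); next
        }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# record one finding and keep counting
_problem() { echo "$1"; problems=$((problems + 1)); }

# check_pdc_conf FILE -> prints one line per problem; returns 0 only when clean
check_pdc_conf() {
    f=$1; problems=0
    [ "$(smb_get "$f" global 'security')" = user ] || _problem "security must be 'user'"
    [ "$(smb_get "$f" global 'domain logons')" = yes ] || _problem "domain logons must be 'yes'"
    [ -n "$(smb_get "$f" global 'add machine script')" ] || _problem "add machine script is missing (workstations cannot join)"
    # every client fetches and runs logon.cmd from [netlogon]; the share must exist and be read-only
    [ -n "$(smb_get "$f" netlogon 'path')" ] || _problem "[netlogon] share is missing"
    [ "$(smb_get "$f" netlogon 'read only')" = yes ] || _problem "[netlogon] must be read only (clients execute logon.cmd)"
    [ "$problems" -eq 0 ]
}

check_pdc_conf "$SAMPLE_SMB_CONF" && echo "PDC settings look complete"
```

Point check_pdc_conf at /etc/samba/smb.conf on the real server; a writable [netlogon] share is the finding to take most seriously, since any user who can modify logon.cmd there controls what every workstation runs at logon.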

Backup Domain Controller
With a Primary Domain Controller (PDC) on the network it is best to have a Backup Domain Controller (BDC) as well. This will allow clients to authenticate in case the PDC becomes unavailable.

When configuring Samba as a BDC you need a way to sync account information with the PDC. There are multiple ways of accomplishing this: scp, rsync, or using LDAP as the passdb backend.

Using LDAP is the most robust way to sync account information, because both domain controllers can use the same information in real time. However, setting up an LDAP server may be overly complicated for a small number of user and computer accounts. See the section called “Samba and LDAP” for details.

First, install samba and libpam-smbpass. From a terminal enter:

sudo apt-get install samba libpam-smbpass
Now, edit /etc/samba/smb.conf and uncomment the following in the [global] section:

workgroup = EXAMPLE
...
security = user
In the commented Domains section, uncomment or add:

domain logons = yes
domain master = no
Make sure a user has rights to read the files in /var/lib/samba. For example, to allow users in the admin group to scp the files, enter:

sudo chgrp -R admin /var/lib/samba
Next, sync the user accounts, using scp to copy the /var/lib/samba directory from the PDC:

sudo scp -r username@pdc:/var/lib/samba /var/lib

Replace username with a valid username and pdc with the hostname or IP Address of your actual PDC.

Finally, restart samba:

sudo restart smbd
sudo restart nmbd
You can test that your Backup Domain Controller is working by stopping the Samba daemon on the PDC, then trying to log in to a Windows client joined to the domain.

Another thing to keep in mind is if you have configured the logon home option as a directory on the PDC, and the PDC becomes unavailable, access to the user's Home drive will also be unavailable. For this reason it is best to configure the logon home to reside on a separate file server from the PDC and BDC.
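The scp step above copies passdb.tdb and secrets.tdb, which hold the NT password hashes and the machine trust secrets; anyone who can read the copies can impersonate the domain's accounts, so after the chgrp and the copy it is worth confirming that the databases on the BDC are still private to root. The script below is an added example (not from the Ubuntu guide): it mirrors /var/lib/samba with rsync over ssh, which is incremental and preserves modes, then lists any database readable by group or others and can tighten them. The function names are assumptions; rsync and ssh are assumed to be installed and the remote user to have read access on the PDC.

```shell
#!/bin/sh
# Added example, not from the Ubuntu guide. Pulls the PDC's account
# databases to this BDC with rsync over ssh and then verifies that the
# copied credential databases are unreadable by group and others.
# Function names are assumptions; rsync and ssh are assumed installed.

# sync_from_pdc USER PDC [DEST] -> mirror /var/lib/samba from the PDC
sync_from_pdc() {
    rsync -a --delete -e ssh "$1@$2:/var/lib/samba/" "${3:-/var/lib/samba}/"
}

# list_exposed DIR -> print every *.tdb in DIR readable by group or others
# (passdb.tdb holds NT password hashes, secrets.tdb the machine trust
# secrets). Returns 1 if anything was printed, 0 when all are private.
list_exposed() {
    found=0
    for f in "$1"/*.tdb; do
        [ -e "$f" ] || continue
        perm=$(ls -ld "$f" | cut -c1-10)        # e.g. -rw-r-----
        case "$perm" in
            ????r*|???????r*) echo "$f $perm"; found=1 ;;
        esac
    done
    return $found
}

# harden_db_perms DIR -> owner-only access for every database in DIR
harden_db_perms() {
    for f in "$1"/*.tdb; do
        [ -e "$f" ] && chmod 600 "$f"
    done
    return 0
}

# Stand-alone use: sh bdc-sync.sh --check [DIR] reports exposed databases.
# Intended sequence on the BDC, run as root:
#   sync_from_pdc username pdc && harden_db_perms /var/lib/samba
if [ "${1:-}" = "--check" ]; then
    list_exposed "${2:-/var/lib/samba}" && echo "no group/world-readable databases"
fi
```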

Howto Samba Active Directory Integration

Samba Directory Server Integration

Once part of an Active Directory domain, Samba can provide file and print services to AD users. The simplest way to join an AD domain is to use Likewise-open.

Once part of the domain, enter the following command in the terminal prompt:

sudo apt-get install samba smbfs smbclient

Since the likewise-open and samba packages use separate secrets.tdb files, a symlink will need to be created in /var/lib/samba:

sudo mv /var/lib/samba/secrets.tdb /var/lib/samba/secrets.tdb.orig
sudo ln -s /etc/samba/secrets.tdb /var/lib/samba

Next, edit /etc/samba/smb.conf changing:

workgroup = EXAMPLE
...
security = ads
realm = EXAMPLE.COM
...
idmap backend = lwopen
idmap uid = 50-9999999999
idmap gid = 50-9999999999

Restart samba for the new settings to take effect:

sudo restart smbd
sudo restart nmbd

You should now be able to access any Samba shares from a Windows client. However, be sure to give the appropriate AD users or groups access to the share directory. See the section called “Securing a Samba File and Print Server” for more details.

Accessing a Windows Share

Now that the Samba server is part of the Active Directory domain you can access any Windows server shares:
  • To mount a Windows file share enter the following in a terminal prompt:
    mount.cifs //fs01.example.com/share mount_point
    
    It is also possible to access shares on computers not part of an AD domain, but a username and password will need to be provided.
  • To mount the share during boot place an entry in /etc/fstab, for example:
    //192.168.0.5/share /mnt/windows cifs auto,username=steve,password=secret,rw 0        0
    
  • Another way to copy files from a Windows server is to use the smbclient utility. To list the files in a Windows share:
    smbclient //fs01.example.com/share -k -c "ls"
    
  • To copy a file from the share, enter:
    smbclient //fs01.example.com/share -k -c "get file.txt"
    
    This will copy the file.txt into the current directory.
  • And to copy a file to the share:
    smbclient //fs01.example.com/share -k -c "put /etc/hosts hosts"
    
    This will copy the /etc/hosts to //fs01.example.com/share/hosts.
  • The -c option used above allows you to execute the smbclient command all at once. This is useful for scripting and minor file operations. To enter the smb: \> prompt, an FTP-like prompt where you can execute normal file and directory commands, simply execute:
    smbclient //fs01.example.com/share -k
    
[Note]
Replace all instances of fs01.example.com/share, //192.168.0.5/share, username=steve, password=secret, and file.txt with your server's IP, hostname, share name, file name, and an actual username and password with rights to the share.
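The fstab entry above puts the password in /etc/fstab, which every local user can read. As an added example (not from the guide), the POSIX shell script below writes the username and password to a root-only credentials file first and builds the fstab entry with mount.cifs's credentials= option instead; the function names, the file path and the sample user/password values are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not from the guide: keep the CIFS password out of the
# world-readable /etc/fstab by storing it in a mode-0600 credentials file
# referenced through the credentials= mount option. Function names, the
# file path and the sample values are assumptions.

# write_cifs_credentials FILE USER PASSWORD [DOMAIN]
# The file is created under umask 077, so it is never readable by others,
# even for the instant before the secret is written.
write_cifs_credentials() {
    cred=$1
    # narrow an existing file first so the secret never lands in a wider-mode file
    if [ -e "$cred" ]; then chmod 600 "$cred"; fi
    (
        umask 077
        {
            printf 'username=%s\n' "$2"
            printf 'password=%s\n' "$3"
            if [ -n "${4:-}" ]; then printf 'domain=%s\n' "$4"; fi
        } >"$cred"
    )
}

# cifs_fstab_line SHARE MOUNTPOINT CREDFILE -> prints the fstab entry
cifs_fstab_line() {
    printf '%s %s cifs auto,credentials=%s,rw 0 0\n' "$1" "$2" "$3"
}

# Stand-alone run with constructed values (in real use: /root/.smbcredentials)
CRED=${CRED:-$(mktemp)}
write_cifs_credentials "$CRED" steve secret EXAMPLE
cifs_fstab_line //192.168.0.5/share /mnt/windows "$CRED"
```

Paste the printed line into /etc/fstab; the password then lives only in the root-owned credentials file.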


Friday, January 27, 2012

Centos Directory Services Install

Installing the CentOS Directory Server packages


  1. CentOS Directory Server is available from the Extras repository for CentOS-5. Install it with the following command:
    yum install centos-ds
    
  2. After installing the directory server, the supporting packages listed below need to be installed:
    yum install xorg-x11-xauth bitstream-vera-fonts dejavu-lgc-fonts urw-fonts
    

Setup the Directory Server


  1. Refer to the Installation Guide to set up the Directory Server. Keep the following points in mind:
    1. Anywhere that there is a redhat- script, substitute centos- instead.
    2. Anywhere that java-1.5.0-ibm is referenced, substitute java-1.6.0-openjdk.
    3. Anywhere that up2date is used to install a package, instead use yum to install that package.

Saturday, January 7, 2012

UBoot - Kurobox - Supported Commands

Supported Commands
?       - alias for 'help'
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp   - boot image via network using BootP/TFTP protocol
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dhcp    - invoke DHCP client to obtain IP/boot params
diskboot- boot from IDE device
echo    - echo args to console
erase   - erase FLASH memory
ext2load- load binary file from a Ext2 filesystem
ext2ls  - list files in a directory (default /)
flinfo  - print FLASH memory information
go      - start application at address 'addr'
help    - print online help
ide     - IDE sub-system
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
pci     - list and access PCI Configuration Space
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version

UBoot - Kurobox

Net Console
The net console is the U-Boot driver which uses the UDP protocol with a default port of 6666 to send the console output to and receive the console input from a remote computer. You need to run netcat on the remote computer to communicate with the U-Boot net console. The communication is bidirectional. Netcat will display on your screen the console output received from U-Boot and will send your keyboard input back to U-Boot.
If U-Boot cannot contact the remote computer, it switches the console to the serial port. To show that it changed the console, U-Boot makes the HDD LED blink with the pattern corresponding to the serial console (see The Reset Button below). The timeout period is 20 sec.
Minimal Console
U-Boot for the LinkStation is designed to allow some control over the boot process even in the absence of a console. For this, it uses the power button (the big button at the front) and the reset button (the small red button at the back).
Before installing U-Boot, when the LinkStation is switched on, the power LED starts blinking, the original boot loader starts executing and, very quickly, it starts booting the kernel from flash. If U-Boot is installed, the power LED will change from blinking quickly to blinking very slowly. The blink pattern is the same as the one used to indicate sleep mode in normal operation. When the power LED starts blinking slowly at boot, U-Boot has taken over and it is counting down the boot delay before booting the kernel. The default boot delay is 10 sec. From the moment when the power LED starts blinking slowly and for the duration of the boot delay, you can control the boot process with the power and reset buttons.
The Power Button
If you push the power button and keep it pressed for more than 1 sec, the boot process will stop and the LinkStation will wait for a command. A stopped boot process is indicated by the power LED being lit solid. The effect is the same as pressing 's' on the console.
A long push of the power button acts as a toggle. If the boot delay count down is in progress, a long push of the power button stops the boot process. If the boot process is stopped (U-Boot is at the command prompt, even if you can't see it), a long push of the power button restarts the boot process resetting the boot delay to its original value. The restart of the boot process is indicated by the power LED blinking slowly.
By default U-Boot supports three pre-configured boot commands:
  1. The first boot command will attempt to load and boot a file named boot/vmlinux.UBoot from the first hard disk partition, /dev/hda1. The file can be in any of the U-Boot bootable formats but uImage is the preferred format. If the file is missing or corrupted, U-Boot will fall back to booting the original kernel from flash. 
  2. The second boot command will boot the original kernel from flash.
    Please note that the original kernel for the LinkStation 1 / KuroBox standard has a bug in the function that calibrates the decrementer and it will stop for up to 180 sec during boot. This bug is not a U-Boot bug but a kernel bug which is uncovered by the fact that U-Boot activates the decrementer where the original boot loader does not.
    The original kernel for LinkStation HG / KuroBox HG does not suffer from the above problem. 
  3. The third boot command will attempt to boot in emergency mode (EM). It does this by passing the argument root=/dev/ram0 to the kernel.
    LinkStation / LinkStation HG owners should avoid booting in EM mode as the root password for this mode on the LinkStation is unknown.
    The original kernel for the LinkStation / KuroBox standard and for some of the earlier LinkStation HG / KuroBox HG models ignores the root argument. These models will boot normally from the on-board flash when the EM boot command is used. Read the section on EM mode if your LinkStation HG / KuroBox HG has a kernel that doesn't boot in EM mode using this boot command. 
You can cycle through the boot commands with the power button.
To see which of the three commands U-Boot is going to execute, press the power button quickly. The HDD LED (the third from the top) will start blinking. The number of times the LED blinks, shows the number of the active boot command. For example, a pattern short on - short off - short on - long off, means that the boot command number 2 is active. U-Boot will repeat the blinking cycle for a total duration of about 5 sec counting from the moment the power button is released.
A short press of the power button while the HDD LED is blinking will advance the boot command to the next one.
Changing the boot command does not change the boot status. If the boot is stopped, it will not be restarted. If the boot is in progress, it will not be stopped but the boot delay will be reset to the original value.
The Reset Button
Two consoles are currently configured, the serial console and the net console. The first console is the serial console and the second console is the net console (nc). The net console is the default console.
The reset button can be used, similarly to the power button, to switch consoles. A press on the reset button (here, it doesn't matter how long you keep the button pressed) displays the currently active console using the HDD LED. Repeatedly pressing the reset button while the HDD LED is blinking will toggle between the two consoles. The blinking pattern is different from the one showing the boot command. The pattern which shows that the second (net) console is active is short off - short on - short off - long on. U-Boot will repeat the blinking cycle for a total duration of about 5 sec counting from the moment the reset button is released.

Further information at http://www.linuxnotincluded.pwp.blueyonder.co.uk/linkstation/u-bootinstall.html

Friday, January 6, 2012

Kurobox Restore

**** Procedure to restore iNAS *****

Dis-assemble the Kurobox and place a new SSD / SATA drive

Start the machine and wait until power LED blinks

Hit the start button twice; this will take the machine to EM mode

Telnet using root and FTP using operator / operator

Make partitions as desired and copy following files
* debianlenny-2.6.25.1-kuroHG-20100722.tgz
* devices.tar
* 2.6.31.1-ppc.tar.gz

These are available on iBackup

Uncompress the package and it's done

Monday, January 2, 2012

Extend life-time on CF cards based file system

Extend Life-time on CF cards

I use Smoothwall on a VIA custom server with 4 NICs. This board can accommodate only CF cards.
One of my observations: CF cards lasted just 5 to 7 months, so I had to carry out Smoothwall maintenance every 6 months.

After some googling I worked out that the following modifications can increase the lifetime of CF cards:

1. Move /tmp to RAM by editing /etc/fstab and adding the following entry
tmpfs /tmp tmpfs  size=512000m,exec,nosuid 0 0
2. Change the root file system from ext3 to ext2, since ext3 also journals, which means more I/O.
Edit fstab and change the file system type of the root entry, which currently reads:

UUID=a9425b1d-3d67-40fc-b2a7-4a4f686d8be9 /                  ext3    defaults        1 2

3. Add the noatime option, giving:

UUID=a9425b1d-3d67-40fc-b2a7-4a4f686d8be9 /                  ext2    errors=remount-ro,noatime        1 2
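The three edits above can be applied in one pass. The script below is an added example (not from the post): it rewrites a copy of fstab so the root entry goes from ext3 to ext2 with noatime, and appends a tmpfs line for /tmp if none exists, and it is safe to run twice. The function name, the sample fstab (including the constructed swap UUID) and the tmpfs size are assumptions. Two caveats a practitioner would want: tmpfs is memory-backed, so size= must fit in RAM (512m here; the post's 512000m would let /tmp grow to 500 GB), and dropping the journal means an unclean shutdown needs a full fsck before the root file system mounts.

```shell
#!/bin/sh
# Added example, not from the post: rewrite an fstab so the root file
# system loses its journal (ext3 -> ext2), gains noatime, and /tmp moves
# to a RAM-backed tmpfs. Function name, sample fstab and tmpfs size are
# assumptions; the swap UUID below is constructed.

# Constructed sample fstab written to a temp file. Point the function at
# a copy of /etc/fstab; never edit /etc/fstab in place without a backup.
SAMPLE_FSTAB=$(mktemp)
cat >"$SAMPLE_FSTAB" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=a9425b1d-3d67-40fc-b2a7-4a4f686d8be9 /                  ext3    defaults        1 2
UUID=0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0 none               swap    sw              0 0
EOF

# fstab_reduce_writes IN -> prints the rewritten fstab on stdout (idempotent)
fstab_reduce_writes() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { print; next }  # keep comments and blank lines
        $2 == "/" && $3 == "ext3" {                  # root file system: drop the journal
            $3 = "ext2"
            if ($4 == "defaults") $4 = "errors=remount-ro"
        }
        $2 == "/" && $4 !~ /(^|,)noatime(,|$)/ {     # stop access-time writes
            $4 = $4 ",noatime"
        }
        $2 == "/tmp" { seen_tmp = 1 }
        { print }
        END {
            # /tmp in RAM. nosuid,nodev are added as hardening; the post used
            # exec, add it only if something must run from /tmp.
            if (!seen_tmp) print "tmpfs /tmp tmpfs size=512m,nosuid,nodev 0 0"
        }
    ' "$1"
}

fstab_reduce_writes "$SAMPLE_FSTAB"
```

Converting the file system itself (tune2fs -O ^has_journal, or reformatting) is a separate step; this script only changes what fstab declares.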

Sunday, January 1, 2012

Setup a NFS server and client

HOWTO: Set up an NFS Server & Client
This tutorial outlines the steps involved in setting up an NFS server and client. Typically this is used to mount shares over the network, for example user home directories when authenticating via LDAP, or a media server.

This guide assumes a Debian server (hostname iNAS) is ready to be converted into an NFS server.

Setup NFS Server

1. Log on to iNAS as root
2. Install NFS server package
~# apt-get install nfs-kernel-server
3. Create the shared directories
~# mkdir -p /share /share/pictures /share/music /share/movies
4. Export the directory: edit the exports file (vi /etc/exports) and add the following line
/share                *(rw,sync,no_subtree_check,no_root_squash)
5. Restart NFS Service
~# service nfs-kernel-server restart

Setup NFS Client


1. Install NFS client
~# apt-get install nfs-common
2. Add the NFS mount to fstab: edit /etc/fstab and add the following line
iNAS:/share           /media        nfs  defaults 0 0
3. Restart the client machine to confirm that the auto-mount works, or mount the /media directory manually
~# mount /media
4. Check that it worked with the df command
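The export line in the server steps uses the * host wildcard (any host that can reach the server may mount the share) together with no_root_squash (root on a client is root on the exported tree). As an added example (not from the post), the POSIX shell script below audits an exports file for both and prints a narrower replacement that exports to a single network with root squashed; the function names and the 192.168.1.0/24 network are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: audit /etc/exports for the "*" host
# wildcard and no_root_squash, and print a narrower replacement line.
# Function names and the sample network are assumptions.

# exports_audit FILE -> one finding per line; returns 1 if any finding
exports_audit() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            dir = $1
            # each remaining field is host(options); split them apart
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                if (match(host, /\(/)) {
                    opts = substr(host, RSTART + 1); sub(/\)$/, "", opts)
                    host = substr(host, 1, RSTART - 1)
                }
                if (host == "*") { printf "%s: exported to every host\n", dir; found++ }
                if (opts ~ /(^|,)no_root_squash(,|$)/) {
                    printf "%s: no_root_squash for %s (client root acts as server root)\n", dir, host; found++
                }
                if (opts !~ /(^|,)(rw|ro)(,|$)/) {
                    printf "%s: access mode not explicit for %s\n", dir, host; found++
                }
            }
        }
        END { exit (found > 0) }
    ' "$1"
}

# exports_line DIR NETWORK -> export DIR to one network with root squashed
# (root_squash is the NFS default; stating it keeps the intent visible)
exports_line() {
    printf '%s %s(rw,sync,no_subtree_check,root_squash)\n' "$1" "$2"
}

# Stand-alone run with constructed input
EXPORTS=$(mktemp)
printf '/share *(rw,sync,no_subtree_check,no_root_squash)\n' >"$EXPORTS"
exports_audit "$EXPORTS"
exports_line /share 192.168.1.0/24
```

With root squashed, files the client creates as root are owned by the anonymous user on iNAS, which is usually what you want for a media share; keep no_root_squash only for a client that genuinely has to administer the tree as root, and then only for that client's address. Run exportfs -ra after changing /etc/exports.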