Abstract
Configuring a Linux system to join a Microsoft Windows network as a member server or workstation can be a special kind of hell. Hopefully, this article will help save you some time -- and some hair.
When I first tried configuring a Linux server to join a Windows NT 4.0 domain, many years ago, I gave up in utter frustration. There were a lot of articles then, as there are now, about configuring Linux as a domain controller or as a standalone server in a workgroup, but almost nothing on configuring for a domain member. Now, with Microsoft Windows Server 2003 recently released and Windows Vista on the horizon (no pun intended), almost all articles have focused on Active Directory.
Recently, I had to configure a rather old desktop as a file server and a member of an NT 4 domain. After struggling for several weeks, I finally managed to set it up. There are a lot of things that are not mentioned in the existing articles and documents, and several special quirks that only Red Hat and Microsoft could provide to make something this simple so infernally complicated. These instructions are a rough draft, not exhaustive or authoritative in any way, and I may have made some unnecessary changes. If you spot any mistakes, please let me know.
First, if you have never joined a Windows PC to a domain before, you will need to learn how, and do it at least once! This is important, because joining a domain -- even with Windows systems -- can sometimes be an exercise in patience and frustration. I'm going to assume that you already know how to join a Windows system to a domain and you just want to know how to join a Fedora Core 4 system to an NT 4 domain. If you are using a different Linux distribution, the steps here will certainly not be completely relevant, because Fedora does some strange things. If you are using an earlier (or later) version of Fedora, the steps may also have to be modified.
I will also assume that you already have a domain set up on your network, and that you are reasonably familiar with TCP/IP, that is, you know how to assign addresses to your systems so that they can talk to each other on the same network.
Before we start, you will need to get the following information about your domain. If you are not the administrator who set up the network, or maintains it, you will probably need to do some persuading.
Here's what you will need:
Name of Windows NT Domain : _________________________
WINS Server Address : _______________________
Name of your Server : _______________________
For your FC4 system, you will need to have Samba installed. For the sake of simplicity, just install the whole "Windows File Server" group of packages.
[root@localhost ~]# yum groupinstall "Windows File Server"
At the minimum, you will need:
samba-common-3.x
samba-client-3.x
samba-3.x
Winbind, the component you need to join a Windows domain, is in the samba package.
Here is what we will need to do:
Joining the Domain
On the Windows NT 4 Domain Controller, create an account in the Server Manager application for the Linux server, using the Linux server's NetBIOS name.
Install the Samba packages or the "Windows File Server" package group, if you have not already done so.
Backup the system configuration files you will be changing.
Edit /etc/nsswitch.conf to add Winbind.
Edit /etc/samba/smb.conf to define the domain and "shared folders". Adjust the permissions on the shared directories, so that users can write and read from them.
Edit /etc/pam.d/login to add Winbind authentication.
Add exceptions to firewall rules to allow Windows clients to connect to shared folders.
Start Samba and Winbind services.
Test on the Linux system that you can retrieve login and group information from the Windows domain.
Test on Windows clients that they can connect to the Linux system, browse shares, read and write files.
If all goes well, hopefully, you will have a functioning Linux Samba server that can service Windows clients.
Notice that I am not using the authconfig utility here. I found it a dead-end when I used it, as it did not configure everything like I expected it to -- automagically! You may have more success with it though, as essentially, it makes the same (I think) changes to the system configuration files as described here.
I will assume that the server's NetBIOS name has been added to the Server Manager, and that the necessary Samba packages have been successfully installed.
The files you will need to backup are:
/etc/nsswitch.conf
/etc/samba/smb.conf
/etc/pam.d/login
It is absolutely essential that you back up these files! If there are any typos or mistakes, it could result in a locked system which you cannot log in to. You will also need to keep your Fedora Rescue CD handy. If things turn bad, you may need to use it to boot to single user mode and restore the backup configuration files.
You will need to add a couple of lines to /etc/pam.d/login. I can't figure out how to colour-code them in DocBook, so you will need to compare the file below with your own file to see where the changes are. A hint: they all contain the string pam_winbind.so.
Example 2. Additions to /etc/pam.d/login
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so multiple open
Here's where it can get complicated. You will need to use the information you gathered earlier about your Windows domain and plug the values into various parts of your smb.conf, and also define the "folders" that you want to share (I hate using the term "folders", which is a Windows metaphor, but I guess I'll have to use it here because it is most appropriate, if not entirely accurate, from a purist perspective).
You will need to locate and change the values in several lines. Assuming we have a domain called TEMASEK, and a WINS server address of 192.168.1.10, and our server name is FCSAMBA, then these are the lines you will need to locate and change:
Example 3. Define the Windows Domain
# workgroup = NT-Domain Name or Workgroup-Name
   workgroup = TEMASEK
Next, you need to define the NetBIOS name.
Example 4. Define the NetBIOS name
# server string is the equivalent of the NT Description field
   server string = Fedora Samba Server
   netbios name = FCSAMBA
Now, we specify the WINS server address:
Example 5. Specify the WINS server address
# WINS Server - Tells the NMBD components of Samba to be a WINS client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
   wins server = 192.168.1.10
Now, just before the Share Definitions, we add some Winbind parameters:
Example 6. Winbind parameters
   winbind separator = +
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   template homedir = /home/winnt/%D/%U
   template shell = /bin/bash
I'm not exactly sure what the lines above do or define, but they were mentioned in some articles, so I just added them in.
Under the Share Definitions section, you need to add:
Now we can define some shares. For simplicity, I am defining one shared directory, accessible by everybody.
Because we are giving universal access to the directory /shares, we will need to adjust the permissions for that folder:
[root@localhost ~]# chmod go+rw /shares
Now you should connect your machine to the network, if you have not already done so, and get ready to test.
Fedora blocks Samba traffic in the default firewall rules, so you will need to add a few exceptions to the rules in order to give access to shared resources. At the minimum, this is what you need:
[root@localhost ~]# iptables -I INPUT -p udp -m multiport --destination-port 137,138 -j ACCEPT
[root@localhost ~]# iptables -I INPUT -p tcp -m multiport --destination-port 139,445 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -p udp -m multiport --source-port 137,138 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -p tcp -m multiport --source-port 139,445 -j ACCEPT
[root@localhost ~]# /sbin/iptables-save > /etc/sysconfig/iptables
You will need to be root user. We will use the service utility in Fedora to start Samba and Winbind.
[root@localhost ~]# /sbin/service samba start
[root@localhost ~]# /sbin/service winbind start
Both services should start OK. Once started, we will be ready to test.
If you are experiencing problems starting Samba, you should restore your old smb.conf file and see if that starts OK. Also, check if there are any typos inside the files that you edited.
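A pre-flight check I would run before logging out, added here as an example and not a script from the original article: it verifies the nsswitch.conf, pam.d/login and smb.conf edits (using the TEMASEK, FCSAMBA and 192.168.1.10 values from above) against constructed sample copies of the files, and also confirms that the winbind uid range starts above every uid already in the local passwd file.

```shell
#!/bin/sh
# Pre-flight check (added here; not a script from the original article).
# Verifies the three hand-edited files before you log out, because a typo in
# them can lock you out. Sample copies are constructed below so it runs
# anywhere; on a real box point the paths at /etc/nsswitch.conf,
# /etc/pam.d/login and /etc/samba/smb.conf.

# nsswitch.conf: passwd and group must consult "files" first, then "winbind".
check_nsswitch() {
  grep -Eq '^passwd:[[:space:]]+files[[:space:]]+winbind' "$1" &&
  grep -Eq '^group:[[:space:]]+files[[:space:]]+winbind' "$1"
}

# pam.d/login: pam_winbind must be "sufficient" for auth and account, and the
# auth line must precede the system-auth stack, or domain users never reach it.
check_pam_login() {
  awk '$1=="auth"    && $2=="sufficient" && $3=="pam_winbind.so" { a=NR }
       $1=="account" && $2=="sufficient" && $3=="pam_winbind.so" { b=NR }
       $1=="auth"    && /service=system-auth/ && !s              { s=NR }
       END { exit !(a && b && s && a < s) }' "$1"
}

# smb.conf: the values gathered from the domain admin must be present, and the
# winbind uid range must start above every uid already in the passwd file so
# mapped domain users can never collide with local accounts.
# args: smb.conf workgroup netbios-name wins-server passwd-file
check_smb_conf() {
  grep -Eiq "^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*$2[[:space:]]*\$" "$1" &&
  grep -Eiq "^[[:space:]]*netbios name[[:space:]]*=[[:space:]]*$3[[:space:]]*\$" "$1" &&
  grep -Eiq "^[[:space:]]*wins server[[:space:]]*=[[:space:]]*$4[[:space:]]*\$" "$1" || return 1
  low=$(sed -n 's/^[[:space:]]*winbind uid[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-.*/\1/p' "$1")
  maxuid=$(awk -F: '$3 > m { m = $3 } END { print m + 0 }' "$5")
  [ -n "$low" ] && [ "$low" -gt "$maxuid" ]
}

# Constructed sample files mirroring the edits described in the article.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'passwd:  files winbind\nshadow:  files\ngroup:   files winbind\n' > "$tmp/nsswitch.conf"
printf '#%%PAM-1.0\nauth required pam_securetty.so\nauth sufficient pam_winbind.so\n' > "$tmp/login"
printf 'auth required pam_stack.so service=system-auth\naccount sufficient pam_winbind.so\n' >> "$tmp/login"
printf 'account required pam_stack.so service=system-auth\n' >> "$tmp/login"
printf '[global]\n  workgroup = TEMASEK\n  netbios name = FCSAMBA\n  wins server = 192.168.1.10\n' > "$tmp/smb.conf"
printf '  winbind uid = 10000-20000\n  winbind gid = 10000-20000\n' >> "$tmp/smb.conf"
printf 'root:x:0:0:root:/root:/bin/bash\nsamba:x:501:501::/home/samba:/bin/bash\n' > "$tmp/passwd"

check_nsswitch "$tmp/nsswitch.conf" && echo "nsswitch.conf: ok" || echo "nsswitch.conf: FAIL"
check_pam_login "$tmp/login"        && echo "pam.d/login: ok"   || echo "pam.d/login: FAIL"
check_smb_conf "$tmp/smb.conf" TEMASEK FCSAMBA 192.168.1.10 "$tmp/passwd" \
  && echo "smb.conf: ok" || echo "smb.conf: FAIL"
```

On a live system, follow this with testparm -s, which parses smb.conf the way smbd does and reports syntax errors the grep checks cannot see.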
Let's try to join the domain now. As root user,
[root@localhost ~]# net rpc join -W TEMASEK -U administrator
Here, we are trying to join the domain called TEMASEK using the domain administrator account. If you have a domain account, you can use that too. If all goes well, you should be prompted for a password. Key in the NT administrator's password and you should get a message that says:
Joined domain TEMASEK
If you have a large domain and a lot of domain accounts, you may get a spurious error:
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
If you have a large domain and a lot of accounts, the time to get to the Password prompt can be extremely long, like 5 minutes or more. If you are unable to log in the first time, try several more times. The error could be the result of a timeout because the server cannot authenticate fast enough. This problem is not peculiar to Linux. When I join a new Windows system to the domain, I sometimes get a similar error. I'm not sure how to fix this in the long term, but I find that retrying several times usually does the trick.
Once you have successfully joined the domain, you can test that your server can gather information about domain groups and users. Note again that if you have a large domain these queries can take a very long time to complete and may scroll off the screen. Spurious errors may also be thrown.
To check that you are successfully joined to the domain,
[root@localhost ~]# wbinfo -t
checking the trust secret via RPC calls succeeded
Check that you can grab the domain groups.
[root@localhost ~]# wbinfo -g
Check that you can get the domain users. This process may take a very long while (about 5 minutes for 1,000+ accounts) or throw spurious errors.
[root@localhost ~]# wbinfo -u
If you are able to get successful results from the last few commands, you can try to check if you can browse the shared resources from another Windows computer on the same domain. Simply launch Network Neighbourhood or My Network Places and browse to the domain, displaying all the computers that are currently on the domain. Try to locate your Linux server there and click on it. You should see the shared resources.
One of the first things I noticed was how much more responsive my Samba server was in serving files, compared to the Windows file servers that I had on the same network, even though the Samba server was a lower-powered machine, with less RAM and a slower processor.
I hope this article was useful to you. It took a long while for me to get to this stage, and I know that there are still a lot more configuration nuances that I have not explored yet. If you spotted any errors, please do let me know!