SAMBA PDC

Intro
PDC Main Doc
PDC Config Files
Client Config Files
Admin Quick Reference
Single Sign On Student Info Sheet

This project was researched, desinged and implented at the San Antonio College Computer Information Systems Department computer lab where I worked for about three years(work study). My supervisor told me he wanted a network logon server that all of the students could get users for and authenticate against from the client machines in the lab. He told me he wanted it to be a Linux server and that it should use openldap as a backend. Outside of these basic instructions I was left to my own device. This project was not fully documented but what documentation was done follows. Some information has been sanitized.
My main concern about using LDAP and a Linux server was compatibility with Windows 7 operating systems. Also I wanted to be able to give students the ability to do centralized profile configurations and have access to their files from any of the client machines. SAMBA can be set up as a PDC, it also supports the Windows file sharing protocols, roaming profiles(centralized configurations) and openLDAP. I used Oracle Enhanced Linux for the server, openldap used tls and SELINUX was left enabled. There are some down sides to my configuration. The smbldap-tools package I used does not provide efficient means of tracking user logon activity. I did perform some additions after the initial completion of this project. User home directory quotas were set and each user got a public_html directory in their home directory to practice web programming/design. I set the webserver to www on our dns server(which I configured for this project) and made an information page about the network server for students to view upon receiving their network user. If they browsed www they got the info page, if they went to www/~networkusername they got their web page(or whoevers username they entered).

Top

PDC Main Doc

General details: Samba 3
Running on Oracle Linux 6
SELINUX Enabled
OpenLDAP Backend with TLS enabled
All machines have staff account which is a sudoer
Four 250G hard drives in raid 0 as home dir partition.
Home directories served via Samba for Windows machines and nfs for Linux machines.
Each computer needs 2 seperate names, one for Windows and one for Linux.
The Windows boxes are named NTC-122-N**-W and the Linux boxes are named NTC-122-N**-L
LDAP database configured using smbldap-tools

Domain Controller

1. Install smbldap-tools, samba, samba-winbind, nfs, openldap-servers, openldap-clients
2. Configure /etc/samba/smb.conf, /etc/smbldap-tools/smbldap.conf, /etc/smbldap-tools/smbldap_bind.conf, /etc/openldap/slapd.conf and /etc/openldap/ldap.conf to match network configuration.
3. Follow guide at samba-ldap-howto

Windows 7 Clients

1. Windows Clients get roaming profiles
   • Roaming profiles must remain small because they get loaded into ram at login.
   • Roaming profiles should only be used environments customizations. (wallpapers, themes, favorites, bookmarks, etc...)
   • User files should be stored in home Directories.
2. Home directories show up as mapped drive Z: in my computer
   • Students may create desktop shortcuts to their mapped home directory for easy access.
3. Virtual Machines are stored in the Public(local) user account so that they may be accessed by all users.
   • C:\Users\Public\My Virtual Machines\
4. Windows 7 requires 2 registry entries to work with a Samba NT style PDC: They are,
   • HKLM\System\CCS\Services\LanmanWorkstation\Parameters
     • DWORD DomainCompatibilityMode = 1
     • DWORD DNSNameResolutionRequired = 0
   • For more info about Windows 7 in a Samba PDC Domain view:
     http://wiki.samba.org/index.php/Windows7
5. For some reason it usually takes multiple attempts to join a Windows 7 box to the domain, just keep trying.

Fedora 14 Clients

1. Fedora 14 kernel replaced with Xen Kernel loading Fedora 13 Xen dom0 kernel.
2. Requirements for domain membership: samba samba-winbind, pam_ldap, nss-pam-ldapd, openldap-clients, nslcd, functional dns server with proper srv entries for domain controller.
   • Samba and winbind need to know the administrator password.
     • smbpasswd -w “password_here”
     • net idmap secret alloc “password here”
   • The following information is needed in the configuration files of most programs that will use ldap directly. (nslcd.conf and ldap.conf, some of this is need in smb.conf)
     • tls_checkpeer no
     • tls_reqcert never
     • ssl start_tls
     • pam_password md5
     • URI ldap://"your"."domain"."here":389
     • BASE dc="your",dc="domain",dc="here"
     • TLS_CACERTDIR /etc/openldap/cacerts
3. Requirements for mount home dirs at boot: pam_mount, oddjob-mkhomedir, consistent user id's
   • pam_mount configuration file is locate at /etc/security/pam_mount.conf.xml.
   • Consistent user id's required using ldap for user information and editing /etc/idmapd.conf
   • In /etc/idmapd.conf uncomment the Domain entry and insert the proper domain name.
   • In /etc/pam.d both system-auth and password-auth files must be edited to add the lines:
     • session optional pam_mount.so
     • session optional pam_mkhomedir.so
4. The certificate authority certificate must be on the client in order to use TLS for ldap communication.
   • Use authconfig-tui – select cache information, use ldap (do not select use winbind), authenticate via winbind (do not authenticate via ldap)
5. SELINUX
   • setsebool -P use_nfs_home_dirs on
   • setsebool -P allow_polyinstantion on
6. GDM3 – Disable user listing
   • sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults --type bool --set /apps/gdm/simple-greeter/disable_user_list true

Ghost Environment

ftp server with SELINUX enabled and ftp user chroot
domain controller image - domain_server.img
domain client image - domain_client _win7.img (sysprepped)
domain client image - domain_client_fed14.img

Updates and To Do List

TLS - Enable client certificates
With current setup ldap is encrypted but clients are not validated. Adding client certificates and validation would add additional security.
Not sure how this would affect/work with Windows clients.

Configure User Storage Quotas (Completed)
Configure Printer Quotas
Configure DNSSEC
Fix issue with hangin shutdown in Linux (I believe this has to do with users not logging out)
Set user to get logged out from inactivity instead of having screen locked.
Switched from pam_mount to autofs after being unable to get pam_mount to fetch proper user id's.

Top

PDC Config Files

ldap.conf
smb.conf
smbldap.conf
smbldap_bind.conf
slapd.conf

Top

Client Config Files

ldap.conf
smb.conf
pam_mount.conf.xml
system-auth
password-auth
idmap.conf
nsswitch.conf
nslcd.conf

Top

Admin Quick Reference

Top

Single Sign On Info Sheet

This information is very important, please read it thoroughly and completely. If you do not understand it, ask one of the lab workers to help you. This information pertains only to the CIS computer lab located in the Nail Technical Center room 122.

To get your single sign on user account consult a lab worker.

Once you have signed up for and received a sac-cislab user account you can use it to sign on to any of the Dell Vostro machines that are lined up against the left and right walls of the CIS computer lab. These computers run Microsoft Windows 7 and Fedora 14 Linux in a dual boot configuration. This means when the machine is initially turned on you are given a selection menu where you can choose to boot into either Operating System. Your network account will work in both. In Windows select other user before you enter your login credentials.

You get your own customizable profile which you can change to suit your needs and preferences. Only you will get your theme and settings and you will get them on any single sign on machine you access with your logon credentials. Your Windows and Linux themes are separate and must be configured separately.

Your Windows Roaming Profile is loaded into RAM. It should only be used to save theme settings (wallpaper, bookmarks, shortcuts, start menu and task bar customizations). Anything you save in your Roaming Profile will increase the load time when you log in! Documents and other files should be saved in your home directory. In Windows 7 your home directory is a mapped drive. You can access it from “My Computer”, it is drive Z:. You can create a desktop shortcut for easier access. Anything in your profile can only be seen from Windows but your home directory can be accessed by Windows and Linux. When you enter your home directory from Windows you will notice that there are Desktop, Documents, Downloads and other folders, these are your Fedora Linux profile files. Do not delete them!