QNAP NAS Community Forum

[mrmoosehead]

Is it possible to use the Samba stuff on the box to run the 209 as a Primary Domain Server for a Windoze network?

TIA.
M.

[QNAPIvan]

Dear mrmoosehead
Do you mean PDC (Primary Domain Controller)?
TS-209 supports it.

Cheers,

[mrmoosehead]

Right. Good-oh.

Um.


<littlevoice>How?</littlevoice>

I have it as a Domain Master, but reading the docs, this is not the same thing.

[mrmoosehead]

Anyone tell me how to do this?

[QNAPIvan]

Dear mrmoosehead:
Sorry for my mistake.
PDC is NOT supported by TS-209 but it works as domain browser.

Cheers,

[mrmoosehead]

ah.

That explains why I couldn't find it.

Does the 209Pro do this?

Is the samba thingy that is running on the 209 a full version of samba?

[Eraser-EMC2-]

I think, it is possible.

I get it to run on a TS-109 with standard samba settings.
But there are no special domain groups as we know on windows nt/2000 server.

Read this :

http://de5.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html#id328751

special this minimum for a pdc with samba:

Code: Select all

[global]
domain logons = Yes
domain master = (Yes on PDC, No on BDCs)

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No


[mrmoosehead]

cool. I'll have a go.

[mirh]

So it is possible to autenthicate users (Windows XP) on TS-109 Pro during login, I mean TS-109 work as PDC?
I have small net (10 PC) and like to setup Domain Controler on TS-109Pro.

[Eraser-EMC2-]

It is possible, i got it to work with Windows 2000 and XP.

This is a part of my smb.conf :

Code: Select all

[global]
   workgroup = MYDOMAIN
   security = USER
   server string = SAMBA %v
   encrypt passwords = Yes
   username level = 8
   map to guest = Bad User
null passwords = yes
   max log size = 10
   socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=32768 SO_RCVBUF=32768
   os level = 32
   preferred master = yes
   dns proxy = No
   config file = /etc/config/smb.conf
   smb passwd file=/etc/config/smbpasswd   
   username map = /etc/config/smbusers
   guest account = guest
   directory mask = 0777
   create mask = 0777
oplocks = yes
   locking = yes
   disable spoolss = yes
   dos charset = ISO8859-1
   force directory security mode = 0000
   template shell = /bin/sh
   veto files = /.AppleDB/.AppleDouble/.AppleDesktop/.DS_Store/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/
   delete veto files = yes
   hide dot files = yes
   map archive = no
   map system = no
   map hidden = no
   map read only = yes
   host msdfs = yes
   time server = yes

use sendfile = yes
   wins support = yes
   domain master = yes
   local master = yes
   domain logons = yes
   dos filetimes = yes

   logon path = \\%N\profiles
   Logon drive = P:
   logon home = \\%N\%U
   logon script = login.cmd

[homes]
path = /share/HDA_DATA/User/%u
comment = Home Directories
valid users = %u
read only = no
browseable = no

[Netlogon]
path = /share/HDA_DATA/Netlogon
comment = Network Logon Service
guest = yes
browsable = no
read only = yes
write list= admin

[Profiles]
path = /share/HDA_DATA/User/%u/ntprofile/%a
read only = no
create mask = 0600
directory mask = 0700
browsable = no

[DFS]
comment = DFS
path = /share/HDA_DATA/DFS
msdfs root = yes
browsable = yes
public = yes
invalid users = guest
read list = @"everyone"
write list =
valid users = admin,@"everyone"
inherit permissions = yes


and i add with this code the special groups and domain groups :

Code: Select all

addgroup -g 512 ntdomadmins
addgroup -g 513 ntdomusers
addgroup -g 514 ntdomguests
addgroup -g 544 ntadmins
addgroup -g 545 ntusers
addgroup -g 546 ntguests
addgroup -g 547 ntpowerusers
addgroup -g 548 ntaccount
addgroup -g 549 ntsystem
addgroup -g 550 ntprint
addgroup -g 551 ntbackup
addgroup -g 552 ntreplicator
addgroup -g 553 ntdomcomputer

/usr/local/samba/bin/net groupmap add rid=512 type=domain unixgroup=ntdomadmins ntgroup="Domain Admins"
/usr/local/samba/bin/net groupmap add rid=513 type=domain unixgroup=ntdomusers ntgroup="Domain Users"
/usr/local/samba/bin/net groupmap add rid=514 type=domain unixgroup=ntdomguests ntgroup="Domain Guests"
/usr/local/samba/bin/net groupmap add rid=544 type=local unixgroup=ntadmins ntgroup="Administrators"
/usr/local/samba/bin/net groupmap add rid=545 type=local unixgroup=ntusers ntgroup="Users"
/usr/local/samba/bin/net groupmap add rid=546 type=local unixgroup=ntguests ntgroup="Guests"
/usr/local/samba/bin/net groupmap add rid=547 type=local unixgroup=ntpowerusers ntgroup="Power Users"
/usr/local/samba/bin/net groupmap add rid=548 type=builtin unixgroup=ntaccount ntgroup="Account Operators"
/usr/local/samba/bin/net groupmap add rid=549 type=builtin unixgroup=ntsystem ntgroup="System Operators"
/usr/local/samba/bin/net groupmap add rid=550 type=builtin unixgroup=ntprint ntgroup="Print Operators"
/usr/local/samba/bin/net groupmap add rid=551 type=builtin unixgroup=ntbackup ntgroup="Backup Operators"
/usr/local/samba/bin/net groupmap add rid=552 type=builtin unixgroup=ntreplicator ntgroup="Replicators"
/usr/local/samba/bin/net groupmap add rid=553 type=builtin unixgroup=ntdomcomputer ntgroup="Domain Computers"

/usr/local/samba/bin/net rpc rights grant "Domain Admins" SeMachineAccountPrivilege \
   SePrintOperatorPrivilege SeAddUsersPrivilege \
   SeDiskOperatorPrivilege SeRemoteShutDownPrivilege
/usr/local/samba/bin/net rpc rights grant "Administrators" SeMachineAccountPrivilege


but some of this group name are not shown in the group list on Windows.
I dont know why.

For each pc on your domain is a user account required as mypc$,
pcname with a $ at the end.
Now you can add your pc with name "mypc" to your domain.

I created under /share/HDA_DATA/User/ for each user account a folder with his name and there a folder "ntprofile" with subfolders for Win2000 ( Win2K ) and WinXP for the the roaming profiles.

But i have still some problems with the roaming profiles,
it use the standard settings at every login.

You need a restart of samba after changes on the smb.conf with

Code: Select all

/etc/init.d/smb.sh restart


I hope, i forgot nothing

EDIT:
i replaced the command "groupadd" with the correct command "addgroup".

[Eraser-EMC2-]

I found a solution for the not showing builtin groups:

1. Add this line to the smb.conf in the global section

Code: Select all

   
   idmap uid = 10000-20000
   idmap gid = 10000-20000


2. run this commands to add the builtin groups:

Code: Select all

/usr/local/samba/bin/net sam createbuiltingroup "Administrators"
/usr/local/samba/bin/net sam createbuiltingroup "Power Users"
/usr/local/samba/bin/net sam createbuiltingroup "Users"
/usr/local/samba/bin/net sam createbuiltingroup "Guests"
/usr/local/samba/bin/net sam createbuiltingroup "Account Operators"
/usr/local/samba/bin/net sam createbuiltingroup "System Operators"
/usr/local/samba/bin/net sam createbuiltingroup "Print Operators"
/usr/local/samba/bin/net sam createbuiltingroup "Backup Operators"
/usr/local/samba/bin/net sam createbuiltingroup "Replicators"


and remove not used group mappings:

Code: Select all

/usr/local/samba/bin/net groupmap delete ntgroup="Administrators"
/usr/local/samba/bin/net groupmap delete ntgroup="Power Users"
/usr/local/samba/bin/net groupmap delete ntgroup="Users"
/usr/local/samba/bin/net groupmap delete ntgroup="Guests"


[Boris]

Hi all,

i managed to get Samba working as a PDC on my QNap TS-201. Since the QNap TS-201 has no "net" executable i'am not able to configure the groupmap to have the NT Groups. So i only have a "half" PDC.

Can anyone please upload his "net" executable, so i can create the group mappings on my TS-201.

I then would write a howto the next days

Thanks

Boris

Edit: Or is there anyway to make the groupmapping without having the "net" executable?

[Eraser-EMC2-]

I lost all domain groups and settings with the update to version 1.1.5,
all files inside of "/usr/local/samba/var" were overwritten.

[AndyChuo]

I lost all domain groups and settings with the update to version 1.1.5,
all files inside of "/usr/local/samba/var" were overwritten.

sorry to hear this and yes we did update several stuff on Samba compatibilities.

[AndersF]

What is the official Qnap policy regarding use of non Qnap supported features of the delivered open source software?

The use of the Qnap NAS as a PDC is one of the reasons I bought a Qnap NAS in the first place!

I can understand that there may be changes with new deliveries that can be harmful to non-supported use, That, however, is different from deliberately trying to block non-supported use. (for the purpose of trying to sell upgrades to "Pro" version from non-Pro for example)