Domain Server

Questions about using Windows AD service.
mrmoosehead
Starting out
Posts: 25
Joined: Fri Nov 02, 2007 10:41 pm

Domain Server

Post by mrmoosehead » Thu Dec 06, 2007 4:20 am

Is it possible to use the Samba stuff on the box to run the 209 as a Primary Domain Server for a Windoze network?

TIA.
M.

QNAPIvan
Experience counts
Posts: 1021
Joined: Mon Jul 02, 2007 4:03 pm

Post by QNAPIvan » Thu Dec 06, 2007 8:48 pm

Dear mrmoosehead
Do you mean PDC (Primary Domain Controller)?
TS-209 supports it.

Cheers,
________________________________________
Product Marketing Director
USA Online Support: http://www.qnap.com/i/useng/before_buy/con_show.php?op=showone&cid=2
Support email: q_supportus@qnap.com
USA Technical Support: +1 909 595 2782

mrmoosehead
Starting out
Posts: 25
Joined: Fri Nov 02, 2007 10:41 pm

Post by mrmoosehead » Thu Dec 06, 2007 9:02 pm

Right. Good-oh.

Um.


<littlevoice>How?</littlevoice>

I have it as a Domain Master, but reading the docs, this is not the same thing.

mrmoosehead
Starting out
Posts: 25
Joined: Fri Nov 02, 2007 10:41 pm

Post by mrmoosehead » Sun Dec 09, 2007 4:47 am

Anyone tell me how to do this?

QNAPIvan
Experience counts
Posts: 1021
Joined: Mon Jul 02, 2007 4:03 pm

Post by QNAPIvan » Tue Dec 11, 2007 1:20 am

Dear mrmoosehead:
Sorry for my mistake.
PDC is NOT supported by TS-209 but it works as domain browser.

Cheers,

mrmoosehead
Starting out
Posts: 25
Joined: Fri Nov 02, 2007 10:41 pm

Post by mrmoosehead » Tue Dec 11, 2007 6:59 pm

ah.

That explains why I couldn't find it.

Does the 209Pro do this?

Is the samba thingy that is running on the 209 a full version of samba?

Eraser-EMC2-
Been there, done that
Posts: 711
Joined: Sat Oct 13, 2007 5:26 pm
Location: Germany

Post by Eraser-EMC2- » Fri Dec 14, 2007 3:19 am

I think it is possible.

I got it to run on a TS-109 with standard Samba settings.
But there are no special domain groups as we know them on Windows NT/2000 Server.

Read this:

http://de5.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html#id328751

Especially this minimum for a PDC with Samba:

Code: Select all

[global]
domain logons = Yes
domain master = (Yes on PDC, No on BDCs)

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No
_________________
Windows 7 32/64bit, German
TS-439 , 1x 512GB SSD/1x 512GB Samsung ; SAMBA as NT4 PDC, DHCP/DNS-Server
TS-431+, 1x 1TB WD green, 2x 3TB WD red , 1x 2TB Samsung
TS-220 , 2x 2TB Samsung, for Backup

mrmoosehead
Starting out
Posts: 25
Joined: Fri Nov 02, 2007 10:41 pm

Post by mrmoosehead » Fri Dec 14, 2007 3:42 am

cool. I'll have a go.

mirh
New here
Posts: 5
Joined: Tue Dec 18, 2007 10:14 pm

Post by mirh » Thu Dec 20, 2007 6:34 pm

So is it possible to authenticate users (Windows XP) on the TS-109 Pro during login, I mean can the TS-109 work as a PDC?
I have a small network (10 PCs) and would like to set up a Domain Controller on the TS-109 Pro.

Eraser-EMC2-
Been there, done that
Posts: 711
Joined: Sat Oct 13, 2007 5:26 pm
Location: Germany

Post by Eraser-EMC2- » Fri Dec 21, 2007 12:17 am

It is possible, I got it to work with Windows 2000 and XP.

This is a part of my smb.conf:

Code: Select all

[global]
   workgroup = MYDOMAIN
   security = USER
   server string = SAMBA %v
   encrypt passwords = Yes
   username level = 8
   map to guest = Bad User
   null passwords = yes
   max log size = 10
   socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=32768 SO_RCVBUF=32768
   os level = 32
   preferred master = yes
   dns proxy = No
   config file = /etc/config/smb.conf
   smb passwd file = /etc/config/smbpasswd
   username map = /etc/config/smbusers
   guest account = guest
   directory mask = 0777
   create mask = 0777
   oplocks = yes
   locking = yes
   disable spoolss = yes
   dos charset = ISO8859-1
   force directory security mode = 0000
   template shell = /bin/sh
   veto files = /.AppleDB/.AppleDouble/.AppleDesktop/.DS_Store/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/
   delete veto files = yes
   hide dot files = yes
   map archive = no
   map system = no
   map hidden = no
   map read only = yes
   host msdfs = yes
   time server = yes

   use sendfile = yes
   wins support = yes
   domain master = yes
   local master = yes
   domain logons = yes
   dos filetimes = yes

   logon path = \\%N\profiles
   Logon drive = P:
   logon home = \\%N\%U
   logon script = login.cmd

[homes]
path = /share/HDA_DATA/User/%u
comment = Home Directories
valid users = %u
read only = no
browseable = no

[Netlogon]
path = /share/HDA_DATA/Netlogon
comment = Network Logon Service
guest ok = yes
browsable = no
read only = yes
write list = admin

[Profiles]
path = /share/HDA_DATA/User/%u/ntprofile/%a
read only = no
create mask = 0600
directory mask = 0700
browsable = no

[DFS]
comment = DFS
path = /share/HDA_DATA/DFS
msdfs root = yes
browsable = yes
public = yes
invalid users = guest
read list = @"everyone"
write list =
valid users = admin,@"everyone"
inherit permissions = yes


And I add the special groups and domain groups with this code:

Code: Select all

addgroup -g 512 ntdomadmins
addgroup -g 513 ntdomusers
addgroup -g 514 ntdomguests
addgroup -g 544 ntadmins
addgroup -g 545 ntusers
addgroup -g 546 ntguests
addgroup -g 547 ntpowerusers
addgroup -g 548 ntaccount
addgroup -g 549 ntsystem
addgroup -g 550 ntprint
addgroup -g 551 ntbackup
addgroup -g 552 ntreplicator
addgroup -g 553 ntdomcomputer

/usr/local/samba/bin/net groupmap add rid=512 type=domain unixgroup=ntdomadmins ntgroup="Domain Admins"
/usr/local/samba/bin/net groupmap add rid=513 type=domain unixgroup=ntdomusers ntgroup="Domain Users"
/usr/local/samba/bin/net groupmap add rid=514 type=domain unixgroup=ntdomguests ntgroup="Domain Guests"
/usr/local/samba/bin/net groupmap add rid=544 type=local unixgroup=ntadmins ntgroup="Administrators"
/usr/local/samba/bin/net groupmap add rid=545 type=local unixgroup=ntusers ntgroup="Users"
/usr/local/samba/bin/net groupmap add rid=546 type=local unixgroup=ntguests ntgroup="Guests"
/usr/local/samba/bin/net groupmap add rid=547 type=local unixgroup=ntpowerusers ntgroup="Power Users"
/usr/local/samba/bin/net groupmap add rid=548 type=builtin unixgroup=ntaccount ntgroup="Account Operators"
/usr/local/samba/bin/net groupmap add rid=549 type=builtin unixgroup=ntsystem ntgroup="System Operators"
/usr/local/samba/bin/net groupmap add rid=550 type=builtin unixgroup=ntprint ntgroup="Print Operators"
/usr/local/samba/bin/net groupmap add rid=551 type=builtin unixgroup=ntbackup ntgroup="Backup Operators"
/usr/local/samba/bin/net groupmap add rid=552 type=builtin unixgroup=ntreplicator ntgroup="Replicators"
/usr/local/samba/bin/net groupmap add rid=553 type=builtin unixgroup=ntdomcomputer ntgroup="Domain Computers"

/usr/local/samba/bin/net rpc rights grant "Domain Admins" SeMachineAccountPrivilege \
   SePrintOperatorPrivilege SeAddUsersPrivilege \
   SeDiskOperatorPrivilege SeRemoteShutDownPrivilege
/usr/local/samba/bin/net rpc rights grant "Administrators" SeMachineAccountPrivilege


But some of these group names are not shown in the group list on Windows.
I don't know why.

For each PC on your domain, a user account is required as mypc$,
the PC name with a $ at the end.
Now you can add your PC with the name "mypc" to your domain.

Under /share/HDA_DATA/User/ I created a folder for each user account with his name, and in it a folder "ntprofile" with subfolders for Win2000 (Win2K) and WinXP for the roaming profiles.

But I still have some problems with the roaming profiles:
they use the standard settings at every login.

You need to restart Samba after changes to smb.conf with

Code: Select all

/etc/init.d/smb.sh restart


I hope I forgot nothing.

EDIT:
I replaced the command "groupadd" with the correct command "addgroup".
Last edited by Eraser-EMC2- on Sun Jun 29, 2008 9:42 pm, edited 1 time in total.
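
An added example (not part of the original posts, and not QNAP or Samba project code): a small POSIX shell/awk check that flags the settings in an smb.conf like the one posted above that weaken authentication or file permissions. The function names, the sample file and the finding texts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag risky parameters in an smb.conf of the kind posted above.
# audit_smb_conf FILE -> one line per finding on stdout; exit status 1 if any.
audit_smb_conf() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function flag(why) { printf "[%s] %s = %s: %s\n", sec, key, val, why; n++ }
    /^[ \t]*([#;]|$)/ { next }                       # skip comments, blank lines
    /^[ \t]*\[/ { sec = tolower(trim($0)); gsub(/^\[|\]$/, "", sec); next }
    {
      eq = index($0, "="); if (eq == 0) next
      key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
      val = trim(substr($0, eq + 1)); lv = tolower(val)
      on = (lv == "yes" || lv == "true" || lv == "1")
      if (key == "null passwords" && on)
        flag("accounts with an empty password can log on")
      if (key == "map to guest" && lv != "never")
        flag("failed logons can fall back to the guest account")
      if ((key == "guest ok" || key == "public") && on)
        flag("share accepts guest sessions; confirm it is read-only")
      # Last octal digit holds the permissions for "other"; 2 is the write bit.
      if (key ~ /^(create|directory) (mask|mode)$/ && val ~ /[2367]$/)
        flag("new files or directories are world-writable")
    }
    END { exit (n > 0) }
  ' "$1"
}

# Constructed sample input: a few lines in the style of the configuration above.
sample_conf() {
  cat <<'EOF'
[global]
   security = USER
   map to guest = Bad User
   Null Passwords = yes
   create mask = 0777
[netlogon]
   guest ok = Yes
   read only = yes
[Profiles]
   create mask = 0600
   directory mask = 0700
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_smb_conf "$tmp" || echo "review the findings above before joining clients"
rm -f "$tmp"
```

Point the function at a copy of the real file, for example `audit_smb_conf /etc/config/smb.conf`, and rerun it after every firmware update that rewrites the configuration.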

Eraser-EMC2-
Been there, done that
Posts: 711
Joined: Sat Oct 13, 2007 5:26 pm
Location: Germany

Post by Eraser-EMC2- » Sat Dec 22, 2007 7:42 pm

I found a solution for the not showing builtin groups:

1. Add these lines to the smb.conf in the global section

Code: Select all

   idmap uid = 10000-20000
   idmap gid = 10000-20000


2. Run these commands to add the builtin groups:

Code: Select all

/usr/local/samba/bin/net sam createbuiltingroup "Administrators"
/usr/local/samba/bin/net sam createbuiltingroup "Power Users"
/usr/local/samba/bin/net sam createbuiltingroup "Users"
/usr/local/samba/bin/net sam createbuiltingroup "Guests"
/usr/local/samba/bin/net sam createbuiltingroup "Account Operators"
/usr/local/samba/bin/net sam createbuiltingroup "System Operators"
/usr/local/samba/bin/net sam createbuiltingroup "Print Operators"
/usr/local/samba/bin/net sam createbuiltingroup "Backup Operators"
/usr/local/samba/bin/net sam createbuiltingroup "Replicators"


and remove the unused group mappings:

Code: Select all

/usr/local/samba/bin/net groupmap delete ntgroup="Administrators"
/usr/local/samba/bin/net groupmap delete ntgroup="Power Users"
/usr/local/samba/bin/net groupmap delete ntgroup="Users"
/usr/local/samba/bin/net groupmap delete ntgroup="Guests"

Boris
Starting out
Posts: 16
Joined: Tue Dec 11, 2007 6:50 pm

Post by Boris » Tue Dec 25, 2007 6:15 pm

Hi all,

I managed to get Samba working as a PDC on my QNAP TS-201. Since the QNAP TS-201 has no "net" executable, I am not able to configure the groupmap to have the NT groups. So I only have a "half" PDC.

Can anyone please upload their "net" executable, so I can create the group mappings on my TS-201?

I would then write a howto in the next few days :)

Thanks

Boris

Edit: Or is there any way to make the group mapping without having the "net" executable?

Eraser-EMC2-
Been there, done that
Posts: 711
Joined: Sat Oct 13, 2007 5:26 pm
Location: Germany

Post by Eraser-EMC2- » Thu Dec 27, 2007 6:38 am

I lost all domain groups and settings with the update to version 1.1.5,
all files inside of "/usr/local/samba/var" were overwritten.

AndyChuo
Experience counts
Posts: 2396
Joined: Thu Sep 13, 2007 11:56 am
Location: Taipei, Taiwan

Post by AndyChuo » Thu Dec 27, 2007 12:58 pm

Eraser-EMC2- wrote: I lost all domain groups and settings with the update to version 1.1.5, all files inside of "/usr/local/samba/var" were overwritten.

Sorry to hear this, and yes, we did update several things related to Samba compatibility.
=============================================================>>>
TS-659-Pro [RAID6] rtorrent+SABnzbdplus+SickBeard+Couchpotato [Best PVR] Plex+PMS [Ultimate Streamer]
Apple iPad [Best Tablet] HTC One M8 [Mobile Phone] Samsung UA46ES6100 [My Screen] KRK Rokit 6 [Audio Speakers]
Chrome Cast [Screen Casting] Philips Hue [Personal Lighing]
Buffalo WZR-1750DHP [My Wifi Hub] D-Link DGS-1005D [Gbit Network]
=============================================================>>>

AndersF
New here
Posts: 6
Joined: Wed Dec 12, 2007 3:35 pm
Location: Sweden

Post by AndersF » Thu Dec 27, 2007 6:38 pm

What is the official Qnap policy regarding use of non Qnap supported features of the delivered open source software?

The use of the Qnap NAS as a PDC is one of the reasons I bought a Qnap NAS in the first place!

I can understand that there may be changes with new deliveries that can be harmful to non-supported use. That, however, is different from deliberately trying to block non-supported use (for the purpose of trying to sell upgrades to the "Pro" version from non-Pro, for example).

Best regards,
Anders
