Domain Server

Questions about using Windows AD service.
mrmoosehead
Starting out
Posts: 25
Joined: Fri Nov 02, 2007 10:41 pm

Domain Server

Post by mrmoosehead »

Is it possible to use the Samba stuff on the box to run the 209 as a Primary Domain Server for a Windoze network?

TIA.
M.
QNAPIvan
Experience counts
Posts: 1020
Joined: Mon Jul 02, 2007 4:03 pm

Post by QNAPIvan »

Dear mrmoosehead
Do you mean PDC (Primary Domain Controller)?
TS-209 supports it.

Cheers,
________________________________________
Product Marketing Director
USA Online Support: http://www.qnap.com/i/useng/before_buy/ ... wone&cid=2
Support email: q_supportus@qnap.com
USA Technical Support: +1 909 595 2782
mrmoosehead
Starting out
Posts: 25
Joined: Fri Nov 02, 2007 10:41 pm

Post by mrmoosehead »

Right. Good-oh.

Um.


<littlevoice>How?</littlevoice>

I have it as a Domain Master, but reading the docs, this is not the same thing.
mrmoosehead
Starting out
Posts: 25
Joined: Fri Nov 02, 2007 10:41 pm

Post by mrmoosehead »

Anyone tell me how to do this?
QNAPIvan
Experience counts
Posts: 1020
Joined: Mon Jul 02, 2007 4:03 pm

Post by QNAPIvan »

Dear mrmoosehead:
Sorry for my mistake.
PDC is NOT supported by TS-209 but it works as domain browser.

Cheers,
________________________________________
Product Marketing Director
USA Online Support: http://www.qnap.com/i/useng/before_buy/ ... wone&cid=2
Support email: q_supportus@qnap.com
USA Technical Support: +1 909 595 2782
mrmoosehead
Starting out
Posts: 25
Joined: Fri Nov 02, 2007 10:41 pm

Post by mrmoosehead »

ah.

That explains why I couldn't find it.

Does the 209Pro do this?

Is the samba thingy that is running on the 209 a full version of samba?
Eraser-EMC2-
Been there, done that
Posts: 711
Joined: Sat Oct 13, 2007 5:26 pm
Location: Germany

Post by Eraser-EMC2- »

I think it is possible.

I got it to run on a TS-109 with standard Samba settings.
But there are no special domain groups as we know them on Windows NT/2000 Server.

Read this:

http://de5.samba.org/samba/docs/man/Sam ... l#id328751

Especially this minimum for a PDC with Samba:

Code: Select all

[global]
domain logons = Yes
# Yes on the PDC, No on BDCs
domain master = Yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No
_________________
Windows 7 32/64bit, German
TS-439 , 1x 512GB SSD/1x 512GB Samsung ; SAMBA as NT4 PDC, DHCP/DNS-Server
TS-431+, 1x 1TB WD green, 2x 3TB WD red , 1x 2TB Samsung
TS-220 , 2x 2TB Samsung, for Backup
mrmoosehead
Starting out
Posts: 25
Joined: Fri Nov 02, 2007 10:41 pm

Post by mrmoosehead »

cool. I'll have a go.
mirh
New here
Posts: 5
Joined: Tue Dec 18, 2007 10:14 pm

Post by mirh »

So is it possible to authenticate users (Windows XP) on the TS-109 Pro during login, I mean, can the TS-109 work as a PDC?
I have a small network (10 PCs) and would like to set up a domain controller on the TS-109 Pro.
Eraser-EMC2-
Been there, done that
Posts: 711
Joined: Sat Oct 13, 2007 5:26 pm
Location: Germany

Post by Eraser-EMC2- »

It is possible; I got it to work with Windows 2000 and XP.

This is part of my smb.conf:

Code: Select all

[global]
	workgroup = MYDOMAIN
	security = USER
	server string = SAMBA %v
	encrypt passwords = Yes
	username level = 8 
	map to guest = Bad User
	null passwords = yes
	max log size = 10
	socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=32768 SO_RCVBUF=32768
	os level = 32
	preferred master = yes
	dns proxy = No
	config file = /etc/config/smb.conf
	smb passwd file=/etc/config/smbpasswd	
	username map = /etc/config/smbusers
	guest account = guest
	directory mask = 0777
	create mask = 0777
	oplocks = yes
	locking = yes
	disable spoolss = yes
	dos charset = ISO8859-1
	force directory security mode = 0000
	template shell = /bin/sh
	veto files = /.AppleDB/.AppleDouble/.AppleDesktop/.DS_Store/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/
	delete veto files = yes
	hide dot files = yes
	map archive = no
	map system = no
	map hidden = no
	map read only = yes
	host msdfs = yes
	time server = yes

	use sendfile = yes
	wins support = yes
	domain master = yes
	local master = yes
	domain logons = yes
	dos filetimes = yes

	logon path = \\%N\profiles
	Logon drive = P:
	logon home = \\%N\%U
	logon script = login.cmd

[homes]
path = /share/HDA_DATA/User/%u
comment = Home Directories
valid users = %u
read only = no
browseable = no

[Netlogon]
path = /share/HDA_DATA/Netlogon
comment = Network Logon Service
guest ok = yes
browsable = no
read only = yes
write list= admin

[Profiles]
path = /share/HDA_DATA/User/%u/ntprofile/%a
read only = no
create mask = 0600
directory mask = 0700
browsable = no

[DFS]
comment = DFS
path = /share/HDA_DATA/DFS
msdfs root = yes
browsable = yes
public = yes
invalid users = guest
read list = @"everyone"
write list = 
valid users = admin,@"everyone"
inherit permissions = yes

And with this code I add the special groups and domain groups:

Code: Select all

addgroup -g 512 ntdomadmins
addgroup -g 513 ntdomusers
addgroup -g 514 ntdomguests
addgroup -g 544 ntadmins
addgroup -g 545 ntusers
addgroup -g 546 ntguests
addgroup -g 547 ntpowerusers
addgroup -g 548 ntaccount
addgroup -g 549 ntsystem
addgroup -g 550 ntprint
addgroup -g 551 ntbackup
addgroup -g 552 ntreplicator
addgroup -g 553 ntdomcomputer

/usr/local/samba/bin/net groupmap add rid=512 type=domain unixgroup=ntdomadmins ntgroup="Domain Admins"
/usr/local/samba/bin/net groupmap add rid=513 type=domain unixgroup=ntdomusers ntgroup="Domain Users"
/usr/local/samba/bin/net groupmap add rid=514 type=domain unixgroup=ntdomguests ntgroup="Domain Guests"
/usr/local/samba/bin/net groupmap add rid=544 type=local unixgroup=ntadmins ntgroup="Administrators"
/usr/local/samba/bin/net groupmap add rid=545 type=local unixgroup=ntusers ntgroup="Users"
/usr/local/samba/bin/net groupmap add rid=546 type=local unixgroup=ntguests ntgroup="Guests"
/usr/local/samba/bin/net groupmap add rid=547 type=local unixgroup=ntpowerusers ntgroup="Power Users"
/usr/local/samba/bin/net groupmap add rid=548 type=builtin unixgroup=ntaccount ntgroup="Account Operators"
/usr/local/samba/bin/net groupmap add rid=549 type=builtin unixgroup=ntsystem ntgroup="System Operators"
/usr/local/samba/bin/net groupmap add rid=550 type=builtin unixgroup=ntprint ntgroup="Print Operators"
/usr/local/samba/bin/net groupmap add rid=551 type=builtin unixgroup=ntbackup ntgroup="Backup Operators"
/usr/local/samba/bin/net groupmap add rid=552 type=builtin unixgroup=ntreplicator ntgroup="Replicators"
/usr/local/samba/bin/net groupmap add rid=553 type=builtin unixgroup=ntdomcomputer ntgroup="Domain Computers"

/usr/local/samba/bin/net rpc rights grant "Domain Admins" SeMachineAccountPrivilege \
	SePrintOperatorPrivilege SeAddUsersPrivilege \
	SeDiskOperatorPrivilege SeRemoteShutDownPrivilege
/usr/local/samba/bin/net rpc rights grant "Administrators" SeMachineAccountPrivilege

But some of these group names are not shown in the group list on Windows.
I don't know why.

For each PC in your domain, a user account is required as mypc$,
i.e. the PC name with a $ at the end.
Now you can add your PC with the name "mypc" to your domain.

Under /share/HDA_DATA/User/ I created a folder for each user account with the user's name, and in it a folder "ntprofile" with subfolders for Win2000 (Win2K) and WinXP for the roaming profiles.

But I still have some problems with the roaming profiles:
it uses the standard settings at every login.

You need to restart Samba after changes to smb.conf with

Code: Select all

/etc/init.d/smb.sh restart

I hope I forgot nothing.

EDIT:
I replaced the command "groupadd" with the correct command "addgroup".
Last edited by Eraser-EMC2- on Sun Jun 29, 2008 9:42 pm, edited 1 time in total.
_________________
Windows 7 32/64bit, German
TS-439 , 1x 512GB SSD/1x 512GB Samsung ; SAMBA as NT4 PDC, DHCP/DNS-Server
TS-431+, 1x 1TB WD green, 2x 3TB WD red , 1x 2TB Samsung
TS-220 , 2x 2TB Samsung, for Backup
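
A check for the smb.conf quoted in the post above, as an added example that is not part of the original post: it flags the settings in that file that loosen authentication or file permissions on a logon server. The function name, the choice of rules and the sample input are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): flag smb.conf settings that weaken a
# Samba logon server. Reads smb.conf text on stdin and prints one line per
# finding as "[section] original line  <- reason".
audit_smb_conf() {
    section=global
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace; skip blanks and # or ; comments.
        line=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            ''|'#'*|';'*) continue ;;
            '['*']')
                section=${line#'['}; section=${section%']'}
                section=$(printf '%s\n' "$section" | tr 'A-Z' 'a-z')
                continue ;;
        esac
        # Samba ignores case and spaces in parameter names, so normalise both.
        key=$(printf '%s\n' "${line%%=*}" | tr -d ' \t' | tr 'A-Z' 'a-z')
        val=$(printf '%s\n' "${line#*=}" | tr -d ' \t' | tr 'A-Z' 'a-z')
        case "$key=$val" in
            nullpasswords=yes) reason='accounts with an empty password can log on' ;;
            maptoguest=bad*) reason='some failed logons are mapped to the guest account' ;;
            createmask=0777|directorymask=0777) reason='mask lets new entries be world-writable' ;;
            guestok=yes|public=yes) reason='share accepts guest connections' ;;
            *) continue ;;
        esac
        printf '[%s] %s  <- %s\n' "$section" "$line" "$reason"
    done
}

# Constructed sample, modelled on the settings quoted in the post above.
sample_conf() {
    cat <<'EOF'
[global]
    null passwords = yes
    Map To Guest = Bad User
    ; create mask = 0777
    directory mask = 0777
    encrypt passwords = Yes
[Netlogon]
    guest ok = yes
    read only = yes
EOF
}

sample_conf | audit_smb_conf
```

Run it against a real file with `audit_smb_conf < /etc/config/smb.conf`; a guest-enabled [Netlogon] share is expected on an NT4-style PDC, so treat that finding as a prompt to confirm the share is read-only.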
Eraser-EMC2-
Been there, done that
Posts: 711
Joined: Sat Oct 13, 2007 5:26 pm
Location: Germany

Post by Eraser-EMC2- »

I found a solution for the builtin groups not showing:

1. Add these lines to smb.conf in the global section:

Code: Select all

	
	idmap uid = 10000-20000
	idmap gid = 10000-20000

2. Run these commands to add the builtin groups:

Code: Select all

/usr/local/samba/bin/net sam createbuiltingroup "Administrators"
/usr/local/samba/bin/net sam createbuiltingroup "Power Users"
/usr/local/samba/bin/net sam createbuiltingroup "Users"
/usr/local/samba/bin/net sam createbuiltingroup "Guests"
/usr/local/samba/bin/net sam createbuiltingroup "Account Operators"
/usr/local/samba/bin/net sam createbuiltingroup "System Operators"
/usr/local/samba/bin/net sam createbuiltingroup "Print Operators"
/usr/local/samba/bin/net sam createbuiltingroup "Backup Operators"
/usr/local/samba/bin/net sam createbuiltingroup "Replicators"

and remove the unused group mappings:

Code: Select all

/usr/local/samba/bin/net groupmap delete ntgroup="Administrators"
/usr/local/samba/bin/net groupmap delete ntgroup="Power Users"
/usr/local/samba/bin/net groupmap delete ntgroup="Users"
/usr/local/samba/bin/net groupmap delete ntgroup="Guests"
_________________
Windows 7 32/64bit, German
TS-439 , 1x 512GB SSD/1x 512GB Samsung ; SAMBA as NT4 PDC, DHCP/DNS-Server
TS-431+, 1x 1TB WD green, 2x 3TB WD red , 1x 2TB Samsung
TS-220 , 2x 2TB Samsung, for Backup
Boris
Starting out
Posts: 16
Joined: Tue Dec 11, 2007 6:50 pm

Post by Boris »

Hi all,

I managed to get Samba working as a PDC on my QNAP TS-201. Since the QNAP TS-201 has no "net" executable, I am not able to configure the groupmap to have the NT groups. So I only have a "half" PDC.

Can anyone please upload his "net" executable, so I can create the group mappings on my TS-201?

I would then write a howto in the next days :)

Thanks

Boris

Edit: Or is there any way to make the group mapping without having the "net" executable?
Eraser-EMC2-
Been there, done that
Posts: 711
Joined: Sat Oct 13, 2007 5:26 pm
Location: Germany

Post by Eraser-EMC2- »

I lost all domain groups and settings with the update to version 1.1.5,
all files inside of "/usr/local/samba/var" were overwritten.
_________________
Windows 7 32/64bit, German
TS-439 , 1x 512GB SSD/1x 512GB Samsung ; SAMBA as NT4 PDC, DHCP/DNS-Server
TS-431+, 1x 1TB WD green, 2x 3TB WD red , 1x 2TB Samsung
TS-220 , 2x 2TB Samsung, for Backup
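
One way to recover from the loss described above, as an added example that is not part of the original post: keep a copy of the `net groupmap list` output outside /usr/local/samba/var before a firmware update, then turn it back into the commands used earlier in this thread. The function name and the sample SIDs are constructed, and the example assumes the plain list format `NT group (SID) -> unixgroup`.

```shell
#!/bin/sh
# Added example (not from the thread): turn saved `net groupmap list` output
# into the commands that recreate the mappings after they have been wiped.
# NET defaults to the path used in this thread.
NET=${NET:-/usr/local/samba/bin/net}

# stdin: lines of the form  NT Group Name (SID) -> unixgroup
groupmap_restore_cmds() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *' (S-'*') -> '*) ;;
            *) continue ;;            # skip anything that is not a mapping
        esac
        ntgroup=${line%%' (S-'*}
        sid=${line#"$ntgroup ("}; sid=${sid%%')'*}
        unixgroup=${line##*') -> '}
        case $sid in
            S-1-5-32-*)
                # Builtin aliases are recreated the way the thread describes.
                printf '%s sam createbuiltingroup "%s"\n' "$NET" "$ntgroup" ;;
            *)
                # Assumption: every domain-SID entry was a type=domain group.
                printf '%s groupmap add sid=%s unixgroup=%s ntgroup="%s" type=domain\n' \
                    "$NET" "$sid" "$unixgroup" "$ntgroup" ;;
        esac
    done
}

# Constructed sample of saved output; the domain SID is made up.
sample_groupmap() {
    cat <<'EOF'
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> ntdomadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> ntdomusers
Administrators (S-1-5-32-544) -> 10000
Backup Operators (S-1-5-32-551) -> 10003
EOF
}

sample_groupmap | groupmap_restore_cmds
```

Review the generated commands before running them; the Unix groups they name must already exist, and the builtin groups need the idmap ranges from the earlier post.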
AndyChuo
Experience counts
Posts: 2388
Joined: Thu Sep 13, 2007 11:56 am
Location: Taipei, Taiwan

Post by AndyChuo »

Eraser-EMC2- wrote: I lost all domain groups and settings with the update to version 1.1.5,
all files inside of "/usr/local/samba/var" were overwritten.

Sorry to hear this, and yes, we did update several things on Samba compatibility.
=============================================================>>>
TS-659-Pro [RAID6] rtorrent+SABnzbdplus+SickBeard+Couchpotato [Best PVR] Plex+PMS [Ultimate Streamer]
Apple iPad [Best Tablet] HTC One M8 [Mobile Phone] Samsung UA46ES6100 [My Screen] KRK Rokit 6 [Audio Speakers]
Chrome Cast [Screen Casting] Philips Hue [Personal Lighting]
Buffalo WZR-1750DHP [My Wifi Hub] D-Link DGS-1005D [Gbit Network]
=============================================================>>>
AndersF
New here
Posts: 6
Joined: Wed Dec 12, 2007 3:35 pm
Location: Sweden

Post by AndersF »

What is the official Qnap policy regarding use of non Qnap supported features of the delivered open source software?

The use of the Qnap NAS as a PDC is one of the reasons I bought a Qnap NAS in the first place!

I can understand that there may be changes with new deliveries that can be harmful to non-supported use. That, however, is different from deliberately trying to block non-supported use (for the purpose of trying to sell upgrades to the "Pro" version from non-Pro, for example).
Best regards,
Anders