Domain Server

Questions about using Windows AD service.
Eraser-EMC2-
Been there, done that
Posts: 711
Joined: Sat Oct 13, 2007 5:26 pm
Location: Germany

Re: Domain Server

Post by Eraser-EMC2- »

Hi, the script is still in an other post of me: http://forum.qnap.com/viewtopic.php?f=2 ... =40#p54633

Stefan
_________________
Windows 7 32/64bit, German
TS-439 , 1x 512GB SSD/1x 512GB Samsung ; SAMBA as NT4 PDC, DHCP/DNS-Server
TS-431+, 1x 1TB WD green, 2x 3TB WD red , 1x 2TB Samsung
TS-220 , 2x 2TB Samsung, for Backup
svn
Getting the hang of things
Posts: 63
Joined: Mon Oct 20, 2008 3:24 am

Re: Domain Server

Post by svn »

Hi guys,

I've played around a bit and managed to get a domain running with roaming profiles and all :) There is only one thing I can't get to work. Users can only log in as a normal Windows user. When I try to make some user a (domain) power user or a (domain) administrator through the web interface (just make a user member of the ntdomadministrator group) it won't work. Any ideas?

thnx in advance! Sven

edit:
Eraser, I've tried your script but can confirm it is not working on a TS-219P. Although a HDA_DATA share is present, QNAP creates shares under MD0_DATA. Even after adapting those values (and moving the shares to MD0_DATA) the user profile is still in a temporary directory on the local PC because the share cannot be accessed.

My most successful attempt is to create the shares through the web interface; then I have roaming profiles working. Still I can't figure out why I can't use the domain accounts.
Eraser-EMC2-
Been there, done that
Posts: 711
Joined: Sat Oct 13, 2007 5:26 pm
Location: Germany

Re: Domain Server

Post by Eraser-EMC2- »

Hi Sven,

you have to log in as Domain/admin first on your workstation and add your users there to the group "power users".
svn wrote:When I try to make some user a (domain) power user or a (domain) administrator through the web interface (just make a user member of the ntdomadministrator group) it won't work. Any ideas?
That won't work, because the Linux group "ntdomadministrator" is only for the management of the user permissions.
You have to use the script for adding a user to a domain group, because Samba manages the domain group/user binding in an internal database.

Stefan
_________________
Windows 7 32/64bit, German
TS-439 , 1x 512GB SSD/1x 512GB Samsung ; SAMBA as NT4 PDC, DHCP/DNS-Server
TS-431+, 1x 1TB WD green, 2x 3TB WD red , 1x 2TB Samsung
TS-220 , 2x 2TB Samsung, for Backup
bramschats
Easy as a breeze
Posts: 440
Joined: Thu Apr 23, 2009 1:51 am

Re: Domain Server

Post by bramschats »

Hello all,

I have been trying to set this up for quite a long time now, even with a lot of help from Eraser-EMC2-, but despite all the effort it is still not working well.

Is it possible for anyone who has set this up to write a clear how-to on creating a Samba domain controller?

Btw, I also don't understand why QNAP isn't supporting this feature at all; why don't they make a QPKG for it?

thanks in advance.
Qnap TS-453D
svn
Getting the hang of things
Posts: 63
Joined: Mon Oct 20, 2008 3:24 am

Re: Domain Server

Post by svn »

Hi Stefan,

thanks for your quick reply. After some heavy reading yesterday evening I already suspected it wouldn't work that way. Is there any way to control user permissions on the local workstation from the NAS? Might OpenLDAP in combination with the pGina client do the job?

Hi Bramschats,

I'm really close to writing a how-to; I'm documenting every step I've taken so far. Maybe next weekend I'll have some time to finish it. Why should QNAP do something when it is just configuration? Yes, it could be more accessible, but then again Linux can be configured a million ways. I mean they can't make it all accessible through the web interface just because somebody could want it. In essence it's still a NAS, not a server. QNAP gives plenty of access for hacking in to make something great even better ;)

Best regards, Sven
bramschats
Easy as a breeze
Posts: 440
Joined: Thu Apr 23, 2009 1:51 am

Re: Domain Server

Post by bramschats »

Sven,

Let me know when it is finished!

thnx in advance.
Qnap TS-453D
bramschats
Easy as a breeze
Posts: 440
Joined: Thu Apr 23, 2009 1:51 am

Re: Domain Server

Post by bramschats »

svn wrote:Hi Bramschats,

I'm really close to writing a how-to; I'm documenting every step I've taken so far. Maybe next weekend I'll have some time to finish it.

Best regards, Sven
Any progress so far?

thnx in advance.
Qnap TS-453D
Tiss
Starting out
Posts: 27
Joined: Fri Aug 27, 2010 5:36 am
Location: Amsterdam

Re: Domain Server

Post by Tiss »

I would also be very interested in an extensive how-to document.

Also, are there people who actually have a QNAP working as a domain controller in an office environment (not at home)?
svn
Getting the hang of things
Posts: 63
Joined: Mon Oct 20, 2008 3:24 am

Re: Domain Server

Post by svn »

Sorry for letting you guys wait, I do have a lot of birthday parties and other obligations at the moment.

I've got a TS-219P running at my father-in-law's office (3 local computers). The local PCs run W2K (still sufficient to do the job). I've configured an ntpolicy.pol and a startup script. The ntpolicy excludes some folders (like Temporary Internet Files) to avoid profile growth and limits the profile size, in case some dumb-a.s.s places large files on the desktop. The startup script redirects the My Documents and My Pictures folders to the home/mydocuments(/mypictures) folder of the user on the TS-219P.

It's running fine so far. The only thing you can't do from Samba is setting user rights on the Windows machine, so a user made administrator in Samba isn't automatically administrator on the local Windows machine; users created in Samba can log on to the Windows machine but only get user rights. If you want to control user rights you might want to dig into LDAP and pGina; on the other hand it's better to leave users "users" ;)

Btw, my configuration is quite a heavy load on the network and NAS because of the My Documents redirect, but I don't think it's a big problem as long as the office isn't larger than 5, maybe 10, employees and they don't download a million MP3s a day.
bramschats
Easy as a breeze
Posts: 440
Joined: Thu Apr 23, 2009 1:51 am

Re: Domain Server

Post by bramschats »

Ok, very nice that you have the domain up and running, but I was actually waiting on a detailed howto...... for setting up my domain controller.

Are you working on this, or is it not going to be posted?

Hope you can help us out.
Qnap TS-453D
svn
Getting the hang of things
Posts: 63
Joined: Mon Oct 20, 2008 3:24 am

Re: Domain Server

Post by svn »

Yes, I will post, but as I said, I also have a lot of other obligations, and besides that Murphy's law is haunting me (serious problems with my laptop --> replaced hard drive --> install from recovery DVD --> recovery DVD broken --> now trying ISOBuster to recover the recovery DVD... who knows what's next).
bramschats
Easy as a breeze
Posts: 440
Joined: Thu Apr 23, 2009 1:51 am

Re: Domain Server

Post by bramschats »

SVN, thanks, looking forward to it.....

I hope Murphy's law will soon end ;)
Qnap TS-453D
svn
Getting the hang of things
Posts: 63
Joined: Mon Oct 20, 2008 3:24 am

Re: Domain Server

Post by svn »

Hopefully tonight; after 4 hours of bit crunching ISOBuster managed to read the DVD and make an ISO. Hopefully no corrupt files, it looks ok so far :) Can't wait to go home and try it...
svn
Getting the hang of things
Posts: 63
Joined: Mon Oct 20, 2008 3:24 am

Re: Domain Server

Post by svn »

OK, this is what works for me. I'm running a TS-219P and W2K clients; for WinXP (W2K3) it's pretty much the same story except for the policy thing and the machine client account. First of all, I'm not responsible for any data loss, make backups! My starting point was a completely cleared TS-219P. Linux is case sensitive, so when creating shares, files etc. take extra care!

- first of all I went to the web administration console and created three shares:
User
Profiles
Netlogon

- you can log on with SSH or telnet to your NAS and check if the shares are created. In my case you can find them in /share/MD0_DATA; this could be different on other models.

- then I copied this smb.conf from the local computer to the Public share of the NAS. Note that I have left out almost all QNAP standard shares; modify these to whatever suits your needs. Also you need to modify MYDOMAIN and MYNASSERVERNAME, and maybe the share locations (MD0_DATA might be something different on other models).

[global]
workgroup = MYDOMAIN
security = USER
server string = MYNASSERVERNAME
encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 10
socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=65536 SO_RCVBUF=65536
os level = 20
preferred master = no
dns proxy = No
config file = /etc/config/smb.conf
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = yes
load printers = yes
dos charset = ASCII
display charset = UTF8
force directory security mode = 0000
template shell = /bin/sh
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
use sendfile = yes
case sensitive = auto
deadtime = 10
wins support = yes
time server = yes
client ntlmv2 auth = yes
default service = Public
domain logons = yes
domain master = auto
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind cache time = 10
winbind enum users = yes
winbind enum groups = yes
logon drive = H:
logon home = \\%N\%U
logon path = \\%N\Profiles\%U
logon script = logon.bat

passdb backend = smbpasswd
unix extensions = no
store dos attributes = yes
min receivefile size = 4096
dos filetime resolution = yes
local master = yes

printcap name = /etc/config/printcap
show add printer wizard = no
print command = /usr/bin/lpr -r -P%p %s

[Public]
comment = System default share
path = /share/MD0_DATA/Public
browsable = yes
oplocks = yes
ftp write only = no
public = yes
invalid users =
read list =
write list = "admin",@"everyone","guest"
valid users = "root","admin",@"everyone","guest"
inherit permissions = yes

[Network Recycle Bin 1]
comment = [Mirror Disk Volume: Drive 1 2]
path = /share/MD0_DATA/Network Recycle Bin
browsable = yes
oplocks = yes
ftp write only = no
public = yes
invalid users = "guest"
read list = @"everyone"
write list = "admin"
valid users = "root",@"everyone","admin"
inherit permissions = yes

[printers]
writable = no
browsable = no
printable = yes
guest ok = yes
path = /mnt/HDA_ROOT/.spool

[homes]
comment = Home Directories
path = /share/MD0_DATA/User/%U
read only = no
browsable = no

[Profiles]
comment = User Profiles
path = /share/MD0_DATA/Profiles
read only = no
create mask = 0611
directory mask = 0711
browsable = no
profile acls = yes

[Netlogon]
comment = Network Logon Service
path = /share/MD0_DATA/Netlogon
guest ok = yes
- then you go back to your SSH or telnet session and do the following:
# cp /etc/config/smb.conf /etc/config/smb.old
# cp /share/Public/smb.conf /etc/config/smb.conf
this way you made a backup of your old smb.conf and copied the new smb.conf over the old one, while keeping the access rights of the old smb.conf.

- then you restart samba:
# /etc/init.d/smb.sh restart

- congratulations, your NAS is now running as a PDC... but you ain't there yet... the following steps are there so the Windows machine and NAS "understand" each other. Enter the following commands in your SSH or telnet session (yes this is a LOT of typing, I didn't script it yet)

# addgroup -g 512 ntdomadmins
# addgroup -g 513 ntdomusers
# addgroup -g 514 ntdomguests
# addgroup -g 544 ntadmins
# addgroup -g 545 ntusers
# addgroup -g 546 ntguests
# addgroup -g 547 ntpowerusers
# addgroup -g 548 ntaccount
# addgroup -g 549 ntsystem
# addgroup -g 550 ntprint
# addgroup -g 551 ntbackup
# addgroup -g 552 ntreplicator
# addgroup -g 553 ntdomcomputer

# /usr/local/samba/bin/net groupmap add rid=512 type=domain unixgroup=ntdomadmins ntgroup="Domain Admins"
# /usr/local/samba/bin/net groupmap add rid=513 type=domain unixgroup=ntdomusers ntgroup="Domain Users"
# /usr/local/samba/bin/net groupmap add rid=514 type=domain unixgroup=ntdomguests ntgroup="Domain Guests"
# /usr/local/samba/bin/net groupmap add rid=548 type=builtin unixgroup=ntaccount ntgroup="Account Operators"
# /usr/local/samba/bin/net groupmap add rid=549 type=builtin unixgroup=ntsystem ntgroup="System Operators"
# /usr/local/samba/bin/net groupmap add rid=550 type=builtin unixgroup=ntprint ntgroup="Print Operators"
# /usr/local/samba/bin/net groupmap add rid=551 type=builtin unixgroup=ntbackup ntgroup="Backup Operators"
# /usr/local/samba/bin/net groupmap add rid=552 type=builtin unixgroup=ntreplicator ntgroup="Replicators"
# /usr/local/samba/bin/net groupmap add rid=553 type=builtin unixgroup=ntdomcomputer ntgroup="Domain Computers"

# /usr/local/samba/bin/net sam createbuiltingroup "Administrators"
# /usr/local/samba/bin/net sam createbuiltingroup "Power Users"
# /usr/local/samba/bin/net sam createbuiltingroup "Users"
# /usr/local/samba/bin/net sam createbuiltingroup "Guests"
# /usr/local/samba/bin/net sam createbuiltingroup "Account Operators"
# /usr/local/samba/bin/net sam createbuiltingroup "System Operators"
# /usr/local/samba/bin/net sam createbuiltingroup "Print Operators"
# /usr/local/samba/bin/net sam createbuiltingroup "Backup Operators"
# /usr/local/samba/bin/net sam createbuiltingroup "Replicators"

# /usr/local/samba/bin/net rpc rights grant "Domain Admins" SeMachineAccountPrivilege \
   SePrintOperatorPrivilege SeAddUsersPrivilege \
   SeDiskOperatorPrivilege SeRemoteShutDownPrivilege
# /usr/local/samba/bin/net rpc rights grant "Administrators" SeMachineAccountPrivilege
- restart Samba one more time.. don't know if it's really necessary, don't think so but just in case... it doesn't hurt ;)
# /etc/init.d/smb.sh restart

- after you have done all that you can now add machine accounts. Create these without a password! The name mypc has to be replaced with whatever you will identify your PC with on the network; note that the dollar sign at the end of the PC name is mandatory!
# adduser -h /tmp mypc$

- then you make user accounts and folders for each user; you can manage users via the administration console and just add or remove a user.

- This however doesn't make shares automatically for these users, so I'm planning on scripting this, but that will take some time. So far I created the shares by hand (edit ...username... to whatever you want)

# mkdir /share/MD0_DATA/User/...username...
# chmod -R 700 /share/MD0_DATA/User/...username...
# chown -R ...username... /share/MD0_DATA/User/...username...
# mkdir /share/MD0_DATA/Profiles/...username...
# chmod -R 700 /share/MD0_DATA/Profiles/...username...
# chown -R ...username... /share/MD0_DATA/Profiles/...username...

- now you can join your windows pc to the domain (note that you need a windows PROFESSIONAL edition to do this!)
- login as a local administrator
- right click computer
- click properties
- go to the networking tab
- click properties
- fill in the pc name (without $), choose domain and fill in the domain name, click ok
- you will be prompted for the domain administrator password, I used the admin password of the nas and click ok
- after several seconds you will get the "welcome to domain" message


hopefully this would do it for you guys!

edit1: you cannot use usernames with spaces or capitals
Last edited by svn on Tue Sep 14, 2010 1:06 am, edited 1 time in total.
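The per-user directory setup that the how-to above does by hand (and that svn says he plans to script), as an added POSIX sh example that is not code from the post: it enforces the "no spaces or capitals" rule from edit1 before creating the User and Profiles directories with the same mkdir/chmod/chown steps. The data root /share/MD0_DATA and the share names come from the post; running as root on the NAS, and the user account already existing via the web console, are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum post): script the home/profile directory
# creation from svn's how-to. Assumes /share/MD0_DATA holds the "User" and
# "Profiles" shares (override with DATA_ROOT=... for other models).
export LC_ALL=C            # make the a-z range below strictly ASCII
DATA_ROOT="${DATA_ROOT:-/share/MD0_DATA}"

# edit1 of the how-to: no spaces, no capitals. Also reject empty names and a
# leading '-' so the name can never be taken as an option by chown/chmod.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# make_user_dirs <username> [root]
# Creates <root>/User/<username> and <root>/Profiles/<username>, mode 700,
# owned by the user when that Unix account exists on the NAS. Returns non-zero
# for an invalid name or any failed step, so a typo cannot create a stray
# world-readable directory under the share root.
make_user_dirs() {
    u="$1"; root="${2:-$DATA_ROOT}"
    valid_username "$u" || { echo "invalid username: '$u'" >&2; return 1; }
    for share in User Profiles; do
        d="$root/$share/$u"
        mkdir -p "$d" || return 1
        chmod 700 "$d" || return 1          # same as the how-to: chmod -R 700
        if id "$u" >/dev/null 2>&1; then    # account created in the web console?
            chown -R "$u" "$d" || return 1
        fi
    done
}

# Usage on the NAS: ./mkuserdirs.sh alice bob
for name in "$@"; do make_user_dirs "$name"; done
```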
bramschats
Easy as a breeze
Posts: 440
Joined: Thu Apr 23, 2009 1:51 am

Re: Domain Server

Post by bramschats »

Svn,

thnx for the post, I am going to try that when I have a night off....

I'll let you know my findings.
Qnap TS-453D