Domain Server

Questions about using Windows AD service.
Eraser-EMC2-
Been there, done that
Posts: 711
Joined: Sat Oct 13, 2007 5:26 pm
Location: Germany

Re: Domain Server

Post by Eraser-EMC2- »

Hi motionblurrr,
motionblurrr wrote:I have two questions for you as you seem to be the resident expert!
I am not, but I like to hear it :D .

1) This situation is not normal. You should only have to recreate the group mapping after a firmware update, because a firmware update overwrites some Samba files in which the group mappings are stored.
Do you run your own scripts when the NAS starts?

2) You can still modify the share permissions in the WebGUI of the NAS.
_________________
Windows 7 32/64bit, German
TS-439 , 1x 512GB SSD/1x 512GB Samsung ; SAMBA as NT4 PDC, DHCP/DNS-Server
TS-431+, 1x 1TB WD green, 2x 3TB WD red , 1x 2TB Samsung
TS-220 , 2x 2TB Samsung, for Backup
motionblurrr
Starting out
Posts: 20
Joined: Sat Dec 22, 2007 2:59 pm

Re: Domain Server

Post by motionblurrr »

Eraser-EMC2,

Something strange is going on on my NAS then. I'm not using any custom startup scripts. As soon as I run '/etc/init.d/smb.sh restart' my group mappings are wiped out. Take a look:

First I run the command to list the groups and you'll see everything is there:

Code:

# /usr/local/samba/bin/net groupmap list
Backup Operators (S-1-5-21-780744606-1995231755-3153718939-551) -> ntbackup
Power Users (S-1-5-21-780744606-1995231755-3153718939-547) -> ntpowerusers
Domain Users (S-1-5-21-780744606-1995231755-3153718939-513) -> ntdomusers
Backup Operators (S-1-5-32-551) -> BUILTIN\backup operators
Power Users (S-1-5-32-547) -> BUILTIN\power users
Administrators (S-1-5-21-780744606-1995231755-3153718939-544) -> ntadmins
Replicators (S-1-5-21-780744606-1995231755-3153718939-552) -> ntreplicator
Account Operators (S-1-5-21-780744606-1995231755-3153718939-548) -> ntaccount
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Domain Guests (S-1-5-21-780744606-1995231755-3153718939-514) -> ntdomguests
Domain Computers (S-1-5-21-780744606-1995231755-3153718939-553) -> ntdomcomputer
Account Operators (S-1-5-32-548) -> BUILTIN\account operators
Users (S-1-5-21-780744606-1995231755-3153718939-545) -> ntusers
Print Operators (S-1-5-21-780744606-1995231755-3153718939-550) -> ntprint
Guests (S-1-5-21-780744606-1995231755-3153718939-546) -> ntguests
System Operators (S-1-5-21-780744606-1995231755-3153718939-549) -> ntsystem
Domain Admins (S-1-5-21-780744606-1995231755-3153718939-512) -> ntdomadmins
Users (S-1-5-32-545) -> BUILTIN\users
Print Operators (S-1-5-32-550) -> BUILTIN\print operators
Guests (S-1-5-32-546) -> BUILTIN\guests
Next I restart samba and list the groups again:

Code:

# /etc/init.d/smb.sh restart
Restarting SMB services:
Shutting down SMB services: smbd nmbd.
Shutting down Winbind services: done.
Starting SMB services: smbd nmbdStarting Winbind services: done.
.
done.
# /usr/local/samba/bin/net groupmap list
#
It comes back blank.

Any ideas?

Here's my smb.conf (except for some share definitions)

Code:

[global]
workgroup = MYSAMBAPDC
security = USER
server string = SAMBA NAS
encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 1000
socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=32768 SO_RCVBUF=32768
os level = 32
preferred master = yes
dns proxy = No
config file = /etc/config/smb.conf
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = yes
dos charset = ISO8859-1
force directory security mode = 0000
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/
delete veto files = yes
hide dot files = yes
map archive = no
map system = no
map hidden = no
map read only = yes
time server = yes
use sendfile = yes
wins support = yes
local master = yes
dos filetimes = yes
logon path = ""
logon drive = H:
logon home = \\%N\%U
logon script = login.cmd
log file = /var/log/samba/log.%m
idmap gid = 10000-20000
idmap uid = 10000-20000

case sensitive = auto
deadtime = 10
display charset = UTF8
[homes]
path = /share/HDA_DATA/User/%u
comment = Home Directories
valid users = %u
read only = no
browseable = no

[Netlogon]
path = /share/HDA_DATA/Netlogon
comment = Network Logon Service
guest ok = Yes
browsable = no
read only = yes
write list = admin

[Profiles]
path = /share/HDA_DATA/User/%u
comment = User Profiles
read only = no
create mask = 0600
directory mask = 0700
browsable = no
inherit owner = yes
profile acls = yes
EDIT: I did another quick test and determined that the group mappings disappear after an '/etc/init.d/smb.sh stop'. So it's something about the 'stop' that kills it, not the subsequent 'start'.
Last edited by motionblurrr on Thu Oct 22, 2009 1:06 pm, edited 1 time in total.
motionblurrr
Starting out
Posts: 20
Joined: Sat Dec 22, 2007 2:59 pm

Re: Domain Server

Post by motionblurrr »

Eraser-EMC2,

I wonder if we're using different firmware versions? I'm on a TS-109 Pro using firmware 3.1.0 Build 0708T.

Care to post your samba startup script? Here's my /etc/init.d/smb.sh:

Code:

#!/bin/sh
CONFIG=/etc/config/smb.conf
SMBD_LOCKS="/usr/local/samba/var/locks"
# Check that smb.conf exists.
[ -f $CONFIG ] || exit 0
/sbin/setcfg global "null passwords" yes -f ${CONFIG}
/sbin/setcfg global "use sendfile" yes -f ${CONFIG}
/sbin/setcfg global "case sensitive" auto -f ${CONFIG}
/sbin/setcfg global "deadtime" 10 -f ${CONFIG}
/sbin/setcfg global "username level" 0 -f ${CONFIG}
if [ `/sbin/getcfg System "Internal Model" -u -d TS-109` = TS-409 ]; then
        /sbin/setcfg global "oplocks" no -f ${CONFIG}
else
        /sbin/setcfg global "oplocks" yes -f ${CONFIG}
fi
mode=`/sbin/getcfg global "force directory security mode" -f ${CONFIG}`
if [ "x${mode}" = "x0777" ]
then
        /sbin/setcfg global "force directory security mode" 0000 -f ${CONFIG}
fi
/sbin/setcfg global "display charset" "UTF8" -f ${CONFIG}

# for Mac OS 10.5: smb cannot upload the file to an empty share
/sbin/setcfg global "veto files" "/.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/" -f ${CONFIG}

# move samba locks directory to data partition /share/XXX_DATA/.locks
_locks()
{
        if [ -d /mnt/HDA_ROOT/.locks ]; then
                /bin/rm -rf /mnt/HDA_ROOT/.locks
                /bin/rm $SMBD_LOCKS
        fi
        volume_test=`/sbin/getcfg Qmultimedia path -f /etc/smb.conf | cut -d '/' -f 3`
        [ "x${volume_test}" = "x" ] || volume=${volume_test}
        if [ ! -d /share/${volume}/.locks ]; then
                echo "samba locks directory does not exist, creating it"
                /bin/mkdir /share/${volume}/.locks
                /bin/rm -rf $SMBD_LOCKS
                /bin/ln -sf /share/${volume}/.locks $SMBD_LOCKS
        else
                /usr/bin/readlink $SMBD_LOCKS 2>/dev/null 1>/dev/null
                if [ $? != 0 ]; then
                        # not symbolic link
                        /bin/rm -rf $SMBD_LOCKS
                        /bin/ln -sf /share/${volume}/.locks $SMBD_LOCKS
                else
                        # symbolic link
                        ret=`/usr/bin/readlink $SMBD_LOCKS`
                        if [ "${ret}" != "/share/${volume}/.locks" ]; then
                                /bin/rm -f $SMBD_LOCKS
                                /bin/ln -sf /share/${volume}/.locks $SMBD_LOCKS
                        fi
                fi
        fi
}

# See how we were called.
case "$1" in
  start)
  test -f /usr/local/samba/sbin/smbd || exit 0
        if [ `/sbin/getcfg Samba Enable -u -d TRUE` = FALSE ]
        then
            echo "Starting SMB Services: disabled."
            exit 0
        fi
        _locks
        if [ -f $SMBD_LOCKS/smbd.pid ]; then
                /bin/echo "$SMBD_LOCKS/smbd.pid found."
                /bin/pidof smbd 1>>/dev/null 2>>/dev/null
                [ $? = 0 ] || /bin/rm -f $SMBD_LOCKS/smbd.pid
        fi
        echo -n "Starting SMB services:"
        /sbin/daemon_mgr smbd start "/usr/local/samba/sbin/smbd -l /var/log -D -s $CONFIG"
        if [ "$?" = "0" ]; then echo -n " smbd"; fi
        /sbin/daemon_mgr nmbd start "/usr/local/samba/sbin/nmbd -l /var/log -D -s $CONFIG"
        if [ "$?" = "0" ]; then echo -n " nmbd"; fi
        /etc/init.d/winbind start
        echo "."
        touch /var/lock/subsys/smb
        ;;
  stop)
        echo -n "Shutting down SMB services:"

        ## we have to get all the smbd process here instead of just the
        ## main parent (i.e. killproc) because it can take a long time
        ## for an individual process to process a TERM signal
        /sbin/daemon_mgr smbd stop /usr/local/samba/sbin/smbd
        /bin/sleep 1
        /bin/pidof smbd 1>>/dev/null 2>>/dev/null
        [ $? = 0 ] && /bin/sleep 5
        smbdpids=`/bin/pidof smbd`
        for pid in $smbdpids; do
                kill -TERM $pid
        done
        /bin/rm -f $SMBD_LOCKS/smbd.pid
        echo -n " smbd"
        /sbin/daemon_mgr nmbd stop /usr/local/samba/sbin/nmbd
        /bin/sleep 1
        nmbdpids=`/bin/pidof nmbd`
        for pid in $nmbdpids; do
                kill -TERM $pid
        done
        echo " nmbd."
        rm -f /var/lock/subsys/smb
        /bin/rm -f $SMBD_LOCKS/smbd.pid $SMBD_LOCKS/nmbd.pid
        /etc/init.d/winbind stop

        ## if smbd is still running after winbind has stopped, wait once more;
        ## once it is gone the whole locks directory is emptied, which on this
        ## build also removes group_mapping.ldb (the group mappings)
        /bin/pidof smbd 1>>/dev/null 2>>/dev/null
        [ $? = 0 ] && /bin/sleep 5
        /bin/pidof smbd 1>>/dev/null 2>>/dev/null
        [ $? = 0 ] || /bin/rm -rf $SMBD_LOCKS/*
        /bin/sync
        ;;
  restart)
        echo "Restarting SMB services:"
        $0 stop
        $0 start
        echo "done."
        ;;
  *)
        echo "Usage: smb {start|stop|restart}"
        exit 1
esac
I don't see anything there that should wipe out my group mappings. :?

EDIT: I take that back! I did some more digging around and it looks like my group mappings are stored in this file: '/usr/local/samba/var/locks/group_mapping.ldb'. The '_locks' subroutine in the /etc/init.d/smb.sh script removes that entire directory! There are several places where the '_locks' sub does a rm -rf on that directory... it seems to want the locks directory to be in a specific place. Any thoughts on this? I'm really curious to see your '/etc/init.d/smb.sh' script now! :mrgreen:

EDIT2: OK, I think I'm onto something. The '_locks' sub is only called when the "start" parameter is passed to '/etc/init.d/smb.sh', but there is also a '/bin/rm -rf $SMBD_LOCKS/*' under the section for stopping it. It looks like the stop parameter will delete the group mapping file (and everything else in $SMBD_LOCKS) if the smbd process doesn't stop after a short period of time. At this moment, smbd appears to shut down before that command is getting executed, so my group mapping stays between restarts of samba.

whew... I had to refresh my memory on shell scripting to figure that one out...

I think i need to regroup now and figure out what else is wrong. I think I still can't edit the permissions from the Web UI, but that will be a task for another night.
Eraser-EMC2-
Been there, done that
Posts: 711
Joined: Sat Oct 13, 2007 5:26 pm
Location: Germany

Re: Domain Server

Post by Eraser-EMC2- »

Hi motionblurrr,

The smb.sh seems to be the same.
I had no problem with a reboot of the NAS, but when I restart the Samba service all files in the ".locks" folder are deleted, and with them the group mappings.

I think the problem in the smb.sh script is this line:

Code:

	[ $? = 0 ] || /bin/rm -rf $SMBD_LOCKS/*
In the start script of the TS-239 there is no such line.
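The two posts above pin the symptom down to the stop branch of the firmware's smb.sh: after smbd has exited, `rm -rf $SMBD_LOCKS/*` empties the locks directory, and group_mapping.ldb goes with it. Until the firmware script is changed, a wrapper that snapshots the persistent files before `stop` and puts them back before `start` keeps the mappings across restarts. This is an added example, not the firmware's code and not a script from anyone in this thread. It assumes the paths from the posted TS-109 script; the list of files to keep is an assumption (group_mapping.ldb is the one identified above, the other two are Samba 3 state files that live in the same directory on some builds).

```shell
#!/bin/sh
# Added example, not part of the QNAP firmware or of any post in this thread.
# Wraps the firmware's /etc/init.d/smb.sh so that Samba's persistent state in
# the locks directory survives the `rm -rf $SMBD_LOCKS/*` in its stop branch.
# Assumptions: the paths match the TS-109 script posted above; KEEP_FILES is
# an assumption (group_mapping.ldb is the file the thread identified).

SMBD_LOCKS="${SMBD_LOCKS:-/usr/local/samba/var/locks}"
SMB_INIT="${SMB_INIT:-/etc/init.d/smb.sh}"
KEEP_FILES="group_mapping.ldb account_policy.tdb share_info.tdb"

# save_locks_state SRC DST: copy the persistent files from SRC into DST.
# Prints the number of files saved.
save_locks_state() {
    src="$1"; dst="$2"; n=0
    mkdir -p "$dst" || return 1
    for f in $KEEP_FILES; do
        if [ -f "$src/$f" ]; then
            cp -p "$src/$f" "$dst/$f" || return 1
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# restore_locks_state DST SRC: put saved files back into DST, but only those
# that are missing (a file that survived the stop is left untouched).
# Prints the number of files restored.
restore_locks_state() {
    dst="$1"; src="$2"; n=0
    mkdir -p "$dst" || return 1
    for f in $KEEP_FILES; do
        if [ -f "$src/$f" ] && [ ! -f "$dst/$f" ]; then
            cp -p "$src/$f" "$dst/$f" || return 1
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# locks_state_lost DIR: true when the group mapping database is gone, which is
# the state behind the empty `net groupmap list` output shown in the thread.
locks_state_lost() {
    [ ! -f "$1/group_mapping.ldb" ]
}

# safe_smb_restart: snapshot, stop, restore if the stop branch wiped the
# directory, then start. Restoring before `start` matters: smbd must not be
# running while group_mapping.ldb is put back.
safe_smb_restart() {
    backup="/tmp/samba-state.$$"
    save_locks_state "$SMBD_LOCKS" "$backup" >/dev/null || return 1
    "$SMB_INIT" stop
    if locks_state_lost "$SMBD_LOCKS"; then
        restore_locks_state "$SMBD_LOCKS" "$backup" >/dev/null
    fi
    "$SMB_INIT" start
    rm -rf "$backup"
}

# Only act when invoked as `safe-smb-restart.sh restart`; sourcing the file
# just defines the functions.
case "${1:-}" in
    restart) safe_smb_restart ;;
esac
```

The wrapper only papers over the stop branch; it does nothing about the `rm -rf` calls inside `_locks` that run on `start` when the locks symlink does not point where the script expects, so after a firmware update check `net groupmap list` again rather than assuming the mappings survived.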
motionblurrr
Starting out
Posts: 20
Joined: Sat Dec 22, 2007 2:59 pm

Re: Domain Server

Post by motionblurrr »

Eraser-EMC2,

When you use the WebUI to change permissions on the shares, do you see the accounts listed under local users or domain users or both?

Earlier, when updating the share permissions via the WebUI wasn't working, I was able to see my users in both listings...

I think I've fixed the issue with the WebUI now, and I no longer see any users or groups listed under "domain users" and "domain groups". I'm wondering if that is related to the problem, although I don't quite know what action I did when setting up the PDC caused it to show the users and groups there.

Here's what I did to get my WebUI working again with share permissions:
- Made a backup of my smb.conf (the one that is configured as a PDC).
- Used the WebUI to turn off Microsoft Networking (Samba) altogether.
- Used the WebUI to turn it back on (I noticed it ran /usr/bin/setup_smb.sh). The PDC was now gone.
- Attempted to change share permissions in the WebUI and it worked. :D
- Shut down Samba.
- Changed the minimum in smb.conf to make it a PDC again (see note below).
- Started Samba.
- Attempted to change share permissions in the WebUI and it still works! :mrgreen: :mrgreen: :mrgreen:
I'm going to keep tweaking my smb.conf to make it more like the one that wasn't working for me before I disabled samba altogether and see if I can find the specific setting that broke it.

The only lines I changed to take the existing smb.conf and make it a PDC are these lines:
Changed "workgroup = WORKGROUP" to "workgroup = MYDOMAIN"
Added "time server = yes"
Added "local master = yes"
Added "log file = /var/log/samba/log.%m"

EDIT: Ouch... this is more complex than I thought... the PDC isn't working, I just thought it was because of cached credentials. Back to the drawing board. :(
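For comparison with the four lines listed in the post above, here is a minimal [global] section for a Samba 3 NT4-style PDC. This is an added example, not the thread's or QNAP's configuration; it reuses the share path from the posted smb.conf and assumes a useradd binary and a "machines" group exist on the NAS for the machine-account script. Two things worth checking against the posted files: the smb.conf shown earlier in the thread has no `domain logons` line, which is the parameter that makes Samba act as a domain controller at all, and the posted smb.sh rewrites `null passwords`, `use sendfile`, `case sensitive`, `deadtime`, `username level`, `oplocks` and `display charset` with setcfg on every start, so edits to those lines in smb.conf do not survive a restart on that firmware.

```ini
[global]
    workgroup = MYDOMAIN
    server string = SAMBA NAS
    security = user
    encrypt passwords = yes
    passdb backend = tdbsam

    ; NT4-style domain controller role; this is what the posted smb.conf lacks
    domain logons = yes
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65
    wins support = yes
    time server = yes

    ; machine (computer) accounts are created when a client joins the domain;
    ; assumption: useradd exists at this path and a "machines" group was created
    add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

    ; logon drive only; an empty logon path disables roaming profiles
    logon path =
    logon home = \\%N\%U
    logon drive = H:
    logon script = login.cmd

    ; tighter than the posted config: no empty passwords, no guest fallback
    null passwords = no
    map to guest = Never

    log file = /var/log/samba/log.%m

[netlogon]
    path = /share/HDA_DATA/Netlogon
    comment = Network Logon Service
    read only = yes
    browseable = no
    write list = admin
```

After editing, run Samba's testparm (`/usr/local/samba/bin/testparm -s`, path assumed from the other binaries in this thread) to catch syntax mistakes before restarting, and confirm with `net groupmap list` that Domain Admins is still mapped to a Unix group that contains the admin account, since a domain join is authenticated against that account.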
bramschats
Easy as a breeze
Posts: 440
Joined: Thu Apr 23, 2009 1:51 am

Re: Domain Server

Post by bramschats »

I too would love to have a complete procedure for setting up a domain server; I have tried it before but could not get it to work.

I have 3 PCs and 3 users at home on a TS-219.

Thanks in advance.
Qnap TS-453D
motionblurrr
Starting out
Posts: 20
Joined: Sat Dec 22, 2007 2:59 pm

Re: Domain Server

Post by motionblurrr »

Bramschats,

I think I finally got my NAS/PDC (TS-109 Pro) working the way I want it to :mrgreen: and I'd like to make a guide to setting up a QNAP NAS as a PDC, but my experience was not straightforward at all, so it's hard to say exactly what I had to do. I did a lot of things that I know were necessary and a lot of things that may or may not have been necessary. I probably spent a good 20 hours over the last week researching, tweaking, pulling my hair out, etc.. I almost want to back the data up off of my NAS and reset it to the factory defaults and try again, this time doing it right from A to Z so that I could make a proper guide. Not only for the good people on this forum, but for myself in case I blow up the NAS some day and have to rebuild it. :shock: I am hesitating to do that because it could mean another 5-10 hours of work. :roll:

So, instead of doing that, perhaps I could guide you through it and you could tell me what works and what doesn't. What's your experience level with Linux? Are you completely new to it? Are you familiar with the shell on your NAS such that you can get in there, navigate around, restart services, and edit configuration files? If you can follow some directions without the need for details on how to get around in Linux, I could probably help you set up your NAS as a PDC. I'm just afraid that if you've never used Linux it could be a long process. :?
bramschats
Easy as a breeze
Posts: 440
Joined: Thu Apr 23, 2009 1:51 am

Re: Domain Server

Post by bramschats »

Motionblurr,

Thanks for the reply. I know the telnet commands, can edit configuration files (vi), can navigate through the directory structure within telnet, etc., etc. I only sometimes struggle with the commands to restart services.

Which means I know how to follow leads, but I cannot find them out myself; that is too much to ask.

Within Vista I had set up my roaming profiles using: http://computertips.toups.info/roaming/RoamingXPPro.htm but I now have Windows 7 and it all doesn't seem to work anymore (access rights etc., user conflicts). Before that I had tried to set up my NAS as PDC but failed to do so.

So if you want to help me set this thing up, please do so.

Where do I start?
motionblurrr
Starting out
Posts: 20
Joined: Sat Dec 22, 2007 2:59 pm

Re: Domain Server

Post by motionblurrr »

bramschats,

Well, before we go anywhere with this, what is your goal? For me, I just wanted to have a single login on all of our computers so that after logging into Windows, I wouldn't (or more specifically, my girlfriend wouldn't) have to login again in order to access the NAS or each other's computers. Additionally, I wanted to be able to reset a password once instead of having to reset it on each PC and the NAS. I specifically didn't care about roaming profiles as that just seems like asking for trouble if you ask me.
bramschats
Easy as a breeze
Posts: 440
Joined: Thu Apr 23, 2009 1:51 am

Re: Domain Server

Post by bramschats »

motionblurrr,

I would like to have the same profile on my desktop as on my laptop, and the same for my wife, and I want to be able to add users and computers to the domain. The roaming profiles are for each user and will be loaded after login...

If you need anymore information let me know.
bramschats
Easy as a breeze
Posts: 440
Joined: Thu Apr 23, 2009 1:51 am

Re: Domain Server

Post by bramschats »

Motionblurr,

In the past i have tried to set up the domain server using this forum topic but failed to do it right.
http://forum.qnap.com/viewtopic.php?f=2 ... 0&start=40

Hope you can tell me what to do first to set up my domain server.
Eraser-EMC2-
Been there, done that
Posts: 711
Joined: Sat Oct 13, 2007 5:26 pm
Location: Germany

Re: Domain Server

Post by Eraser-EMC2- »

Hi bramschats,

I think you used my script?
Did you get any error messages?
bramschats
Easy as a breeze
Posts: 440
Joined: Thu Apr 23, 2009 1:51 am

Re: Domain Server

Post by bramschats »

Eraser-EMC2,

I indeed used your script but could not figure out what went wrong; I PM'd you a couple of times but we (I) could not figure out what went wrong....

The password question kept asking for permission, etc.

This is a part of your PM:
I still have no idea why the password fill-in in the script does not work. (search your PMs)

Have you found the answer yet, or does the script still only work on other QNAPs but not mine?
Eraser-EMC2-
Been there, done that
Posts: 711
Joined: Sat Oct 13, 2007 5:26 pm
Location: Germany

Re: Domain Server

Post by Eraser-EMC2- »

I think bramschats and I found the problem.
In his case the password of the Samba admin was not the same as that of the normal admin account of the NAS.
We had to re-enter the password in the console with

Code:

/usr/local/samba/bin/smbpasswd admin
and re-enter the right admin password;
after this we could join the PC to the domain.
roe
Getting the hang of things
Posts: 64
Joined: Tue Sep 02, 2008 6:34 am

Re: Domain Server

Post by roe »

Do you know if this works with Windows 7 clients?
Setting a TS-509 as PDC with Windows 7 as clients.
NAS: TS-509 Pro upgrade to 3G of RAM
Firmware: Latest stable
Drives: Single Volume and Mirror .. RAID 5 is just over rated.