
Simple domain based on ROSA Enterprise Linux Server and Samba 3 with roaming profile support

Introduction

Continuation of a series of tutorials. Previous parts:
"Deploying DNS / DDNS and DHCP server on ROSA Enterprise Linux Server in a few minutes"
"Mail server based on ROSA Server Enterprise Linux in a few minutes"

As I wrote in one of the previous articles, in a more or less large company, sooner or later there is a need for centralization. One of the generally accepted practices in this case is the need to create a unified authentication service to control accounts and policies.

So what do we need? We assume that ROSA Enterprise Linux Server (hereinafter RELS) with ROSA Directory Server (hereinafter RDS) is already installed. We also agree on the network details in advance.
The server has the address 192.168.100.1 and will be assigned the FQDN rels.int. The server and the other computers are on the 192.168.100.0/24 subnet. The primary DNS server will be in the same domain under the name named.rosa.int.
Beginning of work

Before starting the configuration, make sure that the hostname -f command gives something like:
user@rels ~ $ hostname -f
rels

If an error such as "Host name not found" appears, open the /etc/hosts file and set the FQDN manually. In our case it will look like this:
cat /etc/hosts
192.168.100.1 rels rels.int

If this is not done, then during installation of the required components you may hit an error because ROSA Directory Server cannot determine the server's FQDN, and the installation of the RDS components will be interrupted.
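The hostname check described above, as an added example that is not part of the original article: the functions verify that the running host's FQDN is the intended one and add the /etc/hosts mapping idempotently. The address and names (192.168.100.1, rels, rels.int) are the article's; the file path is a parameter so the check can be run against a copy. Note that the example writes the FQDN first on the line, which is the order hosts(5) documents (canonical name, then aliases).

```shell
#!/bin/sh
# Added example, not code from the article or from ROSA. Checks and repairs the
# /etc/hosts entry that ROSA Directory Server needs to resolve the server's FQDN.

# hosts_has_fqdn FILE IP FQDN
# Succeeds (exit 0) if FILE has a non-comment line that maps IP to FQDN.
hosts_has_fqdn() {
    file=$1; ip=$2; fqdn=$3
    awk -v ip="$ip" -v fqdn="$fqdn" '
        /^[[:space:]]*#/ { next }              # skip comment lines
        $1 == ip {                             # line for our address
            for (i = 2; i <= NF; i++)          # FQDN may be any name field
                if ($i == fqdn) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$file"
}

# ensure_hosts_entry FILE IP FQDN SHORT
# Appends "IP FQDN SHORT" unless the mapping is already present (idempotent).
# hosts(5) lists the canonical name first, then aliases, so the FQDN goes first.
ensure_hosts_entry() {
    file=$1; ip=$2; fqdn=$3; short=$4
    if hosts_has_fqdn "$file" "$ip" "$fqdn"; then
        echo "present"
    else
        printf '%s %s %s\n' "$ip" "$fqdn" "$short" >> "$file"
        echo "added"
    fi
}

# check_hostname EXPECTED_FQDN
# Compares what "hostname -f" returns with the FQDN we intend to use.
check_hostname() {
    actual=$(hostname -f 2>/dev/null) || actual=""
    if [ "$actual" = "$1" ]; then
        echo "ok"
    else
        echo "mismatch: got '${actual:-<none>}', expected '$1'"
    fi
}

# Usage on the server itself (as root), with the article's values:
#   check_hostname rels.int
#   ensure_hosts_entry /etc/hosts 192.168.100.1 rels.int rels
```

Run `check_hostname` before and after `ensure_hosts_entry`: once the mapping is in place, `hostname -f` stops failing with "Host name not found" and the RDS installer can continue.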

Installation and Setup

If you installed the server from scratch with ROSA Directory Server selected in the list of components, then after logging in you will see the ROSA Server Setup icon (hereinafter RSS) on the desktop. Launch it and the login page for the initial setup and installation of the RDS components opens.
If it turns out that you installed RELS without the RDS component, install the following packages with the yum install command:

mss-modules-base
mmc-agent
python-mmc-base
python-mmc-core

The remaining packages will be pulled in as dependencies. If everything went correctly, two icons appear in the "Administration" section of the main menu: ROSA Server Setup and ROSA Management Console.



After starting RSS, click the link "Go to ROSA Server Setup" to continue. Since this is a web configurator, it can be used not only on the server itself but also from the system administrator's computer on the local network: open ip_address_server:8000/mss/, which in our case is 192.168.100.1:8000/mss/.



After selecting "Go to ROSA Server Setup", a warning about an untrusted connection appears. Ignore the warning and add our server's certificate to the security exceptions. Then enter the root username and password in the window that opens.



After entering the credentials, we get to the page with two separate blocks:



The section “Server Services and Tools” is not required for us now, so we choose ROSA Directory Server. After selecting the required item, we will go to the section with a list of components that can be additionally installed via the ROSA Server Setup web interface. To install the PDC components, we need to select two items: “Samba PDC and file server” and “DNS server with RDS backend”. After selecting the desired components, click "Install components" at the very bottom.



Next, a window confirms the selected components, and then you can watch the check and installation of the additional components, if they were not installed before.



The next step is the initial configuration of the LDAP server, Samba and the DNS server. All of these settings were discussed at the very beginning of the article; refer back to it if needed. The one thing to note is that you must enter a password in the "RDS Password" field. We will need this password later to access the server management console and, ideally, it should not be the same as the root password or the ROSA Server Setup password.



You should also be careful when setting the checkbox "Password Policy".
This point should be considered very carefully. When specifying the “use password policy” option, the passwords you specify must be at least eight characters in length and contain letters and numbers. Otherwise, it will not be accepted. Also, if you specify the “Password Policy” option, the time limit for using the password and account validity will be applied to the user being created. All settings related to the password policy can be further changed in the user management panel. The expiration date of the administrator account is, by default, 27 years.

The Netbios name for our server, which will be displayed in the Network Neighborhood, can be arbitrarily set, but for convenience, it is the same as the host name. About the password and login of the domain administrator, I think, there is no need to explain. Click "Continue", confirm your actions in the next step of the wizard by pressing the "Perform configuration" button and the initial setup is complete.
To complete the deployment of the domain, a small additional configuration of the DNS server is required. Open the main menu and find Administration > ROSA Management Console. If you are configuring the server from the local network, the management console is available at ip_your_server/mmc.
After entering the root username and password that we set during the initial configuration of ROSA Directory Server, we get to the server settings management page.



On the right of the screen is the "Network" section, which lists the menu items responsible for the DNS server settings. Click "Add DNS-zone" to go to the section for adding DNS zones. The settings are shown in the illustration below; as noted, we described the necessary parameters at the very beginning of the article. Everything is extremely simple to configure, and it is impossible to make a mistake, since the entered parameters are checked for correctness.



After clicking on the "Create" button at the bottom of the screen, a notification about the successful creation of the zone will appear. After that, you need to restart the DNS server by going to the “Network Services Management” section.
The next step is to configure the server for roaming user profiles.
To do this, log in as root on the server and edit /etc/samba/smb.conf. Find the # profiles # section there and bring it to this form:
logon path = \\%N\profiles\%U
logon drive = Z:

The drive letter can be any letter not already in use. Now go to the very end of smb.conf and uncomment the entire [profiles] section. By default, user profiles are stored in /home/samba/profiles/%username%. The paths can always be redefined if desired. After all the edits, save the changes and restart the Samba daemon.
Now let's create a user, in addition to the already created admin user, to test the domain.
Go to the main page of the ROSA Management Console and select "Add user". In the form that opens, fill in the username and password fields.
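The smb.conf changes described above, as an added example that is not the article's or the distribution's own configuration: a constructed smb.conf carrying the logon path and logon drive settings, a [profiles] share, and a small audit that reads any smb.conf and reports [profiles] settings that would let domain users read each other's profile data (a roaming profile contains NTUSER.DAT and the user's application data). Everything beyond "logon path" and "logon drive" (browseable, writable, profile acls, create mask, directory mask, and the read-only [netlogon] share) is this example's own choice, not the default [profiles] section the article refers to.

```shell
#!/bin/sh
# Added example, not code from the article or from ROSA/Samba. The config text
# below is constructed for the demonstration; on a real server pass
# /etc/samba/smb.conf to the functions instead.

SAMPLE_SMB_CONF=$(cat <<'EOF'
[global]
   workgroup = ROSA
   netbios name = RELS
   domain logons = yes
   # profiles: %N is the server name, %U the session user name
   logon path = \\%N\profiles\%U
   logon drive = Z:
   logon script = logon.bat

[netlogon]
   path = /home/samba/netlogon
   browseable = no
   writable = no

[profiles]
   path = /home/samba/profiles
   browseable = no
   writable = yes
   profile acls = yes
   create mask = 0600
   directory mask = 0700
EOF
)

# smb_get FILE SECTION KEY: print the last effective value of KEY in SECTION.
# Comment lines (# or ;) are skipped; section and key names are matched
# case-insensitively and whitespace around "=" is stripped, as Samba does.
smb_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            sub(/^[[:space:]]*\[/, ""); sub(/\].*$/, "")
            sec = tolower($0); next
        }
        sec == tolower(want_sec) && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (tolower(key) == tolower(want_key)) {
                last = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", last)
            }
        }
        END { print last }
    ' "$1"
}

# audit_roaming_profiles FILE: print one finding per line, or "ok" when the
# roaming-profile settings are complete and the share is locked down.
audit_roaming_profiles() {
    f=$1; n=0
    [ -n "$(smb_get "$f" global 'logon path')" ] ||
        { echo "no 'logon path' in [global]: profiles stay local"; n=$((n + 1)); }
    [ -n "$(smb_get "$f" global 'logon drive')" ] ||
        { echo "no 'logon drive' in [global]"; n=$((n + 1)); }
    [ -n "$(smb_get "$f" profiles path)" ] ||
        { echo "[profiles] share missing or commented out"; n=$((n + 1)); }
    case "$(smb_get "$f" profiles writable)" in
        yes|true|1) ;;
        *) echo "[profiles] not writable: profiles cannot be saved at logoff"; n=$((n + 1)) ;;
    esac
    case "$(smb_get "$f" profiles 'create mask')" in
        0600|0700) ;;
        *) echo "[profiles] create mask is not 0600: other users could read profile files"; n=$((n + 1)) ;;
    esac
    case "$(smb_get "$f" profiles 'directory mask')" in
        0700) ;;
        *) echo "[profiles] directory mask is not 0700"; n=$((n + 1)) ;;
    esac
    [ "$n" -eq 0 ] && echo ok
}

# Usage on the server: audit_roaming_profiles /etc/samba/smb.conf
```

After editing the real file, run `testparm -s` as well: it parses smb.conf with Samba's own loader and reports unknown parameters, which the lightweight reader above does not.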



At the very bottom of the form, do not forget to uncheck the "Access to mail" box if you have not configured a mail server before. Otherwise you will not be able to create the account without filling in the "Mailing Address" field.



After clicking "Confirm" the account is created. If you have a Windows machine, you can now join the newly created domain.
Windows XP systems join this domain without any problems. Before joining, however, it is recommended to do the following: log in to the Windows computer as a local administrator and run gpedit.msc. In the group policy editor that opens, find Computer Configuration > Administrative Templates > System > User Profiles. There, find the item "Do not check for Roaming Profile Folders" (in the Russian version of Windows, "Do not check user rights of the roaming profile directories"), set it to Enabled, restart the computer and join the domain.
Computers running Windows 7 also need some preparation. Before joining the domain, the local administrator must import the following .reg file: bugzilla.samba.org/attachment.cgi?id=4988&action=view and then restart. Additional details on using Windows 7 in a Samba domain can be found here: wiki.samba.org/index.php/Windows7
By default, the Samba server also acts as a file server. In the initial configuration described above, the Public directory is opened for access.
Now we will configure the server so that this share is connected automatically for each user.
Go to the /home/samba/netlogon directory and create a file logon.bat there with the following contents:
NET USE H: /DEL /YES
NET USE H: \\Rels\public

Save it and try logging in as the user we created. In My Computer you will see a mapped drive H:, which is actually the share.
For further work in a real enterprise network, I recommend redirecting user folders such as "My Documents" to a network drive, so that the entire profile does not have to be dragged over the network every time the user logs on. Since this goes somewhat beyond the scope of the article, I leave it to you as homework. :)
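The netlogon script above, as an added example that is not from the article: a function that writes logon.bat with the CRLF line endings Windows batch files expect, and checks that a practitioner would run before clients pick the script up (line endings and file permissions, since every domain user executes this file at logon, so only root should be able to change it). The path /home/samba/netlogon, the drive letter H:, the server name Rels and the share name public are the article's; the file argument can be any path, which is what the checks use.

```shell
#!/bin/sh
# Added example, not code from the article or from Samba. Writes and verifies a
# netlogon script; run on the server as root, e.g.
#   write_logon_script /home/samba/netlogon/logon.bat H Rels public
#   logon_script_ok   /home/samba/netlogon/logon.bat

# write_logon_script FILE DRIVE SERVER SHARE
# Writes the two NET USE lines with CR LF endings and makes the file readable
# by everyone but writable only by its owner.
write_logon_script() {
    file=$1; drive=$2; server=$3; share=$4
    # printf turns "\\\\" into "\\" and "\\" into "\", giving \\SERVER\SHARE
    printf 'NET USE %s: /DEL /YES\r\nNET USE %s: \\\\%s\\%s\r\n' \
        "$drive" "$drive" "$server" "$share" > "$file"
    chmod 0644 "$file"
}

# has_crlf FILE: succeeds only if every line ends in CR LF.
has_crlf() {
    awk '!/\r$/ { bad = 1 } END { if (bad) exit 1; exit 0 }' "$1"
}

# others_can_write FILE: succeeds if the "others" class has write permission
# (column 9 of "ls -l" output is the others-write bit).
others_can_write() {
    case "$(ls -ld "$1" | cut -c9)" in
        w) return 0 ;;
        *) return 1 ;;
    esac
}

# logon_script_ok FILE: prints "ok" or the first problem found.
logon_script_ok() {
    [ -f "$1" ] || { echo "missing"; return 1; }
    has_crlf "$1" || { echo "LF-only line endings"; return 1; }
    if others_can_write "$1"; then
        echo "world-writable: anyone could change what runs at every logon"
        return 1
    fi
    echo ok
}
```

The same check applies to any other script you later add to the netlogon share: keep the share itself non-writable for domain users so that the only way to change logon scripts is as root on the server.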

Conclusion

That's it. You have a ready-made, full-fledged authentication server based on Samba 3 for Windows and Linux machines. Of course, this does not claim to be a full replacement for Microsoft's Active Directory, but some additional functionality can nevertheless be built on top of it.
To answer in advance the question about a tool for deploying and managing a Samba 4 based domain that could completely replace Active Directory: yes, it is planned, but I cannot name any dates yet.

Questions, reasonable criticism and comments are traditionally welcome.

Source: https://habr.com/ru/post/169127/
