new blog 2.0


0x04. [LPIC-302] Samba Advanced Config - DCs, SWAT and Internationalization

Domain Control

Candidates should be able to setup and maintain primary and backup domain controllers, and manage Windows/Linux clients' access to the domain

To control a domain means to have a central point of command from which the users and machines within the domain can be authenticated and authorized and resources accessed.

There are three main types of domain controllers:
  • NT4 PDC (P stands for Primary) - This is a server on the network that initiates new domain control database. By definition, the clients should refer to the BDCs prior to consulting a PDC, so it doesn't have to be the strongest machine in your domain.

  • NT4 BDC (B is for Backup) - synchronizes its authentication database with a PDC and plays a key role in answering authentication requests from the clients. It answers most of the authentications requests from the clients. PDC responds to authentication call only if BDC is heavily loaded.

    On a Microsoft network it is possible, that PDC and BDC swap their roles, however, Samba does not implement this feature and PDC/BDC have to be specifically defined (a rather excessive feature anyway). What Samba offers and Microsoft Systems NOT, is the ability to change the role of the server between a PDC, BDC, domain member and a standalone server. The Redmond team tells us to reinstall everytime we want a change.

  • ADS DC (Active Directory Service DC) - while Samba3 fully supports ADS domain membership, it couldn't act as a full-featured DC. There are some efforts to make it happen, but still in an experimental phase, so officially no support for:
    machine policy files, Group Policy Objects, synchronously executed AD logon scripts, AD management tools.

Domain membership

Microsoft Systems can organize themselves on a network in two types of gatherings: Workgroups and Domains.

A workgroup is nothing but an informal organization of computers that employs no security and every machine can become a member just by assigning itself to a particular workgroup (a very common name for a workgroup would be WORKGROUP itself).

A domain is a security organized gathering of computers that involves security machine accounts called Machine Trust Account. A user account with local admin rights can attach a computer onto a domain. During this process a machine account is created on the Domain Controller and is used for further authentication. Benefits of being a part of the domain comprise e.g.:
  • Single Sign-On for all shares and printers on the domain
  • Central management of users access control
  • Ability of desktop profiles and policies usage
When creating machine accounts in Samba we need to remember that they have to be available in /etc/passwd too. The difference between them and normal accounts is the $ (dollar) sign appended to the end of their name. You smbpasswd -a machine account names without the $ sign at the end.

Samba howto explains how to configure a {P,B}DC. Please revert to it and play around.

Roaming profiles
An excerpt from Chapter 27 of Samba Howto:

Roaming profiles allow an administrator to make available a consistent user desktop as the user moves from one machine to another. This chapter provides much information regarding how to configure and manage roaming profiles.

A very useful feature for companies employing a greater number of users than computers and on top of this working in different shifts, so that every now and then a user has to sit at a different computer.

System policies
In order to avoid confusion you need to understand a difference between two things: NT 4.0 System Policies and Group Policy Objects. GPOs are a part of AD, which samba 3 does not support, hence we'll focus on System Policies.
System policies are applied during users logon. Samba client connects to the domain controller and looks for the NETLOGON share. If it's found, the client would look further for ntconfig.pol file and if found and successfully read, it will try to modify clients system registry.
System policies can be modified with help of Policy Editor, provided with WinNT 4.0 SP.

SWAT Configuration

Description: Candidates should be able to install and configure the Samba web administration tool, and be comfortable with configuring changes to Samba within it.

Samba Web Administration Tool is a very handy browser based config file creation tool. It comes with the Samba distribution and is meant to be run from within xinetd, it's main binary lives in /usr/sbin/swat. Once you have your SWAT configured as per Samba Howto, you can access it via http://localhost:901 url in your favourite browser. Don't forget to "smbpasswd -a root" and set its password, otherwise SWAT won't let you in.
SWAT consists of a web-based interface with all the options available in the current version of Samba. With its help you can add shares and printers and tweak their configuration. It also contains a wizard to walk the user through. From the Howto we read:

The purpose of the SWAT Wizard is to help the Microsoft-knowledgeable network administrator to configure Samba with a minimum of effort.

Fair play to the authors for the choice of language and sense of humour.
I'm not going to guide you through SWAT, which however powerful, is easy enough to grasp. Good luck, leaving you to it, but don't worry, because the Samba Howto is really well documented. It describes a simple way to run SWAT over SSL and Internalization support.

Candidates should be able to work with internationalization character codes and code pages

Before Unicode was introduced computers in non-English countries used to exchange data using codepages. They are character encoding tables allowing you to use extra characters like the Polish łóżźąęćś. Samba 3 talks Unicode by default and will be understood by WinNT/ME/XP. Older clients, however, will still use DOS charsets, like CP850. This can be customized in smb.conf with "dos charset" option. If you want to check what is the default charset on your Samba installation run "testparm -v|grep 'dos charset'" and hit enter.

No comments: