tarballed
April 30th, 2003, 16:48
Hello everyone. Well, I was doing some testing today with Samba acting as my PDC. (Getting geared up for setting up one when our new servers roll in)

Anyway, I went ahead and read a few how-to articles on how to get Samba up and running as a PDC. The one below seemed to help me out pretty well. I was able to add a workstation to the domain. Woo Hoo!

http://www-1.ibm.com/servers/esdd/tutorials/samba/index.html

However, where I am confused is in the part of actually creating the account on the PDC. What I mean is, from what I have read, I need to create both a Unix account and a samba account in order for the Workstation to be able to join the domain. Fair enough.

I do have some questions though: (Refer to the link above)

Ok. Specifically, go to the section in the tutorial called: "Directories, accounts and authentication."

Then go to page 3.

It was not until I did this that it worked: (meaning, getting the machine to join the domain)

[root@phoenix root]# /usr/sbin/useradd -g machines -d /dev/null -c "machine id" -s /bin/false machine_name$
[root@phoenix root]# passwd -l machine_name$
Changing password for user machine_name$
Locking password for user machine_name$

[root@phoenix root]# smbpasswd -a -m machine_name
Added user machine_name$

Now, that is the manual way to do things. However, I would like to do the automated approach. I then tried the script: (added it to my smb.conf file)

add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

I thought that would work, but not so lucky.

Anyone have any idea on what exactly happened? I am trying to understand this more so I have a much better understanding of what is going on. I think I missed something, as that would be the only explanation. (Hey, I've been up for 8 hours already)

I would really be grateful if someone could explain this so I understand.

Thank you.

Tarballed
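
Added example (not part of the original post): one way to see which half of a machine trust account is missing after a join attempt. It cross-checks the `$` accounts in a passwd-format file against an smbpasswd-format file and flags machine accounts whose shell is not `/bin/false` or `nologin`. The function name and finding labels are assumptions made for illustration; the default smbpasswd path is the one given in the smb.conf posted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check Samba machine trust accounts.
# A workstation can only join when NAME$ exists both as a Unix account and as
# an smbpasswd entry, so report any NAME$ that is present in only one file.

# check_machine_accounts [PASSWD_FILE] [SMBPASSWD_FILE]
# Prints one finding per line and returns 1 if anything was found:
#   NOUNIX name$        smbpasswd entry without a Unix account
#   NOSMB name$         Unix machine account never added to smbpasswd
#   SHELL name$ shell   machine account that still has a usable login shell
# Returns 2 if either file cannot be read.
check_machine_accounts() {
    passwd_file=${1:-/etc/passwd}
    smbpasswd_file=${2:-/etc/samba/smbpasswd}
    for f in "$passwd_file" "$smbpasswd_file"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f" >&2
            return 2
        fi
    done
    findings=$(awk -F: '
        # First file (passwd format): remember every account ending in "$".
        FNR == NR { if ($1 ~ /\$$/) shell[$1] = $7; next }
        # Second file (smbpasswd format): field 1 is the account name.
        $1 ~ /\$$/ { smb[$1] = 1 }
        END {
            for (n in smb)
                if (!(n in shell)) print "NOUNIX " n
            for (n in shell) {
                if (!(n in smb)) print "NOSMB " n
                if (shell[n] !~ /\/(false|nologin)$/) print "SHELL " n " " shell[n]
            }
        }' "$passwd_file" "$smbpasswd_file" | LC_ALL=C sort)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run it as root (the smbpasswd file is not world-readable) right after a failed join: a `NOUNIX` line means the Samba half was created but the add user script never produced the Unix account.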

tarballed
April 30th, 2003, 20:44
Here is something interesting I noticed. Tell me if this is incorrect or correct.

Mind you, I am setting up samba to act as a PDC. All of our Win2k Pro clients will be joining the domain, and using roaming profiles.

I setup samba accordingly and everything is working correctly.

Now, here is where it gets interesting (This is after I have added the machine account, local account and samba account)

So, when I go to a Win2k Pro machine to change it from a workgroup to a domain network, it immediately prompts me for a username and password.

NOW! If I try and enter the username and password of the user logged in (username = goofy, password = idontknow, for example) it kicks me out with username and password not valid. Now, if I use the root account that I setup on the Samba PDC with the correct password, it lets me add the computer.

Is this correct? I am just curious because, well, I don't know. :)
I have a ton of reading to do and a lot to learn.

Tarballed

|MiNi0n|
April 30th, 2003, 22:23
Yes, that's correct. You have to enter the root account info on the samba pdc when you bind the Windoze box into the domain.

:D

tarballed
May 1st, 2003, 00:30
Cool. Thanks minion. I was a little confused there. :)

Now, I have to figure out how to use roaming profiles, however, the whole profile does not seem to get copied over. For instance, in doing my testing today, I noticed that when I tried to log into a second test machine with an account I was testing, it did not copy over all of the profile. Specifically, it did not copy some of the files and folders that were on the desktop. :(

Time to dig into the books!

Tarballed

soup4you2
May 1st, 2003, 09:13
i think there is an ini file it gives you to where it states not to copy temp internet and desktop and other small things..

if you want to go in the way of a fully functional PDC look into samba-tng


One of the biggest changes in SAMBA_TNG is the increase of daemons (around ten) from only smbd and nmbd. Each daemon is specialized to perform one specific task: network browsing, logon requests, exporting the SAM database via LDAP, etc. The idea behind this design change is that it allows Samba to be more modular. It enables daemons from different versions of Samba to be mixed and matched with each other for customized functionality. And if you don't need certain functions, you can disable the corresponding daemon.

Other additions are the tools: rpcclient, net, samedit, regedit, and others. These command-line programs interact with Windows NT or SAMBA_TNG systems using Microsoft protocols. The Samba team is trying its best in this area to create tools so that UNIX administrators do not need to directly log in to a Windows NT machine to administrate it. Eventually all necessary tasks will be performed remotely using the appropriate command-line tool.

tarballed
May 1st, 2003, 18:33
I am having a hard time getting roaming profiles up and running.

Anyone ever had experience setting these up? Maybe I could ask a couple of questions. (because I never do ask questions. :) )

Tarballed

soup4you2
May 1st, 2003, 18:39
> I am having a hard time getting roaming profiles up and running.
>
> Anyone ever had experience setting these up? Maybe I could ask a couple of questions. (because I never do ask questions. :) )
>
> Tarballed

yes i have samba setup as a full pdc

tarballed
May 1st, 2003, 18:54
Have you setup roaming profiles for Win2k machines?

I've been able to get samba up and running as a PDC, now I am trying to get roaming profiles to work. I can't seem to get it working correctly.

For instance, if I have desktop1 and desktop2, both connected to the domain and PDC.

If I log into desktop1 with elmore, make some changes to the desktop (icons, text file etc.) then log off so the profile can be updated to the PDC.

I then jump over to desktop2. I log in with elmore again, hoping to see that the desktop will be setup the way I had modified it on desktop1. Only problem is, it's not showing that.

Any ideas?

Tarballed

soup4you2
May 1st, 2003, 18:57
your conf has something similar to:

[code:1:b43b9beeac]
;user profiles and home directory
logon home = \\%L\%U\
logon drive = H:
logon path = \\%L\profiles\%U
logon script = netlogon.bat

;sync UNIX passwords
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

[profiles]
comment = User Profiles
path = /home/samba/profiles
writeable = yes
browseable = no
create mask = 0600
directory mask = 0700
valid users = @smbusers administrator

[netlogon]
comment = Network Logon Service
path = /home/netlogon
read only = yes
browseable = no
write list = tarballed
valid users = @smbusers



[/code:1:b43b9beeac]

tarballed
May 1st, 2003, 19:15
Yep. Here is mine:

[code:1:b79f8f8ec9]
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
;Basic inital test settings
netbios name = smbtest
workgroup = disneyland

;PDC and Master browser settings
preferred master = yes
local master = yes
domain master = yes
os level = 65

;security and logging settings
security = user
encrypt passwords = yes
domain logons = yes
;log file = /var/log/samba/log.%m
;log level = 2
;max log size = 50
;hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0

;logon paths
logon path = \\%L\profiles\%u\%m
logon script = logon.bat

logon drive = H:

[netlogon]
path = /home/netlogon
writable = no
browsable = no

[profiles]
path = /home/samba/profiles
browsable = no
writable = yes
create mask = 0600
directory mask = 0700

[homes]
read only = yes
browsable = no
guest ok = no
map archive = yes

smb passwd file = /etc/samba/smbpasswd

unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

pam password change = yes

obey pam restrictions = yes
[/code:1:b79f8f8ec9]

Any thoughts?

Tarballed

soup4you2
May 1st, 2003, 19:21
i think i remember having an issue before about it not being able to write to the profiles dir. if you go into your profiles directory give the user acct 700 permissions and change the ownership to cybo:smbusers not that the group really matters.. and the profile dir should have 1770 permissions going to root and smbusers

tarballed
May 1st, 2003, 20:23
Ya, as of right now, I do have that.

However, I am rethinking the need of using Roaming Profiles. I am wondering if it is really necessary for my network. All my users right now use Win2k and all sit in the same place. I think, if I implemented roaming profiles, it could possibly cause a lot of network traffic and may take some time when copying down users' roaming profiles.

Any thoughts?

One thing I want to really look into is the use of System Policies. If I am correct, I do not need roaming profiles to use system policies, correct?

Tarballed

soup4you2
May 1st, 2003, 20:40
well you do have a profiles dir correct? you're going to need that.. make sure you have that /home/samba/profiles dir setup

tarballed
May 1st, 2003, 21:12
Yep. That is all setup. The directories, correct permissions etc.

Tarballed

elmore
May 1st, 2003, 21:27
the last time I tried roaming profiles with samba it failed pretty badly. I'm guessing 2.2.x has better support but.... You might consider looking at samba-tng it's in the ports right next to samba in FBSD. tng apparently has some really advanced features working well. Last I heard krusty was looking into it really hard. I have done nothing but a little reading on it.

soup4you2
May 1st, 2003, 21:56
i've had no problems w/ samba doing roaming profiles.. but it still lacks of it's capabilities.. i do plan on playing w/ samba-tng here really soon..

getting bored need to play w/ new things...

tarballed
May 1st, 2003, 23:47
Hmm.

Let me ask this. As you can see in my smb.conf file, I have the users profiles going to /home/samba/profiles.

Once a user logs onto the domain, the user gets a directory inside /home/samba/profiles/elmore for example. Inside that directory, it holds a list of the computers that the user has logged in from, correct?

So if you logged in from a computer called TNG, SE and BSD, inside the /home/samba/profiles directory, you would have three directories: TNG, SE and BSD, correct? Because samba creates these directories for the computer.

I tried to setup some symlinks to make sure that any computer the user logged in from would go to one directory. I am still a bit confused. I am missing something very small I believe.

Tarballed

Strog
May 2nd, 2003, 00:36
There should only be one profile per user regardless of how many computers they are logging in from. It copies the profile down to the local machine the first time they log into that machine. It will update that profile every time you connect with that same machine. If for some reason it can't load the profile off the server, it will use the cached copy on the hard drive of the local machine.

soup4you2
May 2nd, 2003, 09:13
Strog is correct. here's a clip of what's inside your users profile dir

[code:1:ae97f3649a]
drwx------ 5 soup4you2 smbusers 512B Apr 29 19:06 Application Data
drwx------ 2 soup4you2 smbusers 1.5K May 1 22:38 Cookies
drwx------ 2 soup4you2 smbusers 512B Apr 29 19:06 Desktop
drwx------ 3 soup4you2 smbusers 512B May 1 22:38 Favorites
drwx------ 4 soup4you2 smbusers 512B May 1 22:38 My Documents
-rw------- 1 soup4you2 smbusers 1.2M May 1 22:38 NTUSER.DAT
-rw------- 1 soup4you2 smbusers 1.0K May 1 22:38 NTUSER.DAT.LOG
drwx------ 2 soup4you2 smbusers 512B Apr 29 19:06 NetHood
drwx------ 2 soup4you2 smbusers 512B Apr 29 19:06 PrintHood
drwx------ 2 soup4you2 smbusers 1.0K May 1 22:38 Recent
drwx------ 2 soup4you2 smbusers 512B May 1 22:38 SendTo
drwx------ 3 soup4you2 smbusers 512B May 1 22:38 Start Menu
drwx------ 2 soup4you2 smbusers 512B Apr 29 19:06 Templates
drwx------ 6 soup4you2 smbusers 512B May 1 22:38 UserData
-rw------- 1 soup4you2 smbusers 280B May 1 22:38 ntuser.ini
[/code:1:ae97f3649a]

tarballed
May 2nd, 2003, 13:50
Weird. Ok, let me do some additional testing today and post my results.

From what I remember, the profiles would be copied to the /home/samba/profiles/<user> directory. If they logged in from SUCKA, there would be a directory called SUCKA. Inside SUCKA was all the data that soup4you2 posted.

If they logged into a box called YOMOMMA, the same thing would happen as above. So if you looked at the directory, you would have two directories called SUCKA and YOMOMMA. Let me do some testing and post my results.

Tarballed

P.S. I've been thinking and I really think that I am not going to implement roaming profiles for a number of reasons. Specifically, network congestion and user logon times. I've heard stories of it taking 10+ minutes for users to log onto.

elmore
May 2nd, 2003, 14:49
Those are machine profiles not user profiles.

tarballed
May 2nd, 2003, 17:19
That's what I meant. Machine profiles. :)

Tarballed
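
Added example (not part of the thread), covering two points raised above: soup4you2's permissions for the profiles directory and Strog's "one profile per user". It walks a profile root, checks mode and ownership with `find`, flags symlinks, and reports user directories where `NTUSER.DAT` exists only one level down, which is the layout produced by a `logon path` ending in `%m` (Samba expands `%m` to the client's NetBIOS name). Function names and finding labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Samba roaming-profile tree.
# Assumed layout, taken from the posts above: the profile root is mode 1770
# (root:smbusers), each child directory is named after the account that owns
# it and is mode 0700, and NTUSER.DAT sits directly inside it.

# matches PATH MODE [OWNER] [GROUP]: true if PATH itself has exactly these.
matches() {
    m_owner=${3:-}
    m_group=${4:-}
    set -- "$1" -prune -perm "$2"
    if [ -n "$m_owner" ]; then set -- "$@" -user "$m_owner"; fi
    if [ -n "$m_group" ]; then set -- "$@" -group "$m_group"; fi
    [ -n "$(find "$@" -print 2>/dev/null)" ]
}

# audit_profiles ROOT [OWNER] [GROUP]: one finding per line, returns 1 if any.
audit_profiles() {
    root=${1%/}
    want_owner=${2:-root}
    want_group=${3:-smbusers}
    bad=0
    if ! matches "$root" 1770 "$want_owner" "$want_group"; then
        echo "ROOT $root: want $want_owner:$want_group mode 1770"
        bad=1
    fi
    for dir in "$root"/*; do
        user=${dir##*/}
        if [ -L "$dir" ]; then
            # The mode and owner of a link say nothing about its target.
            echo "LINK $dir: symlink in the profile root"
            bad=1
        elif [ -d "$dir" ]; then
            if ! matches "$dir" 0700 "$user"; then
                echo "PERM $dir: want owner $user mode 0700"
                bad=1
            fi
            # NTUSER.DAT only one level down means the logon path ends in %m,
            # so every client machine keeps its own copy of the profile.
            if [ ! -f "$dir/NTUSER.DAT" ]; then
                for hive in "$dir"/*/NTUSER.DAT; do
                    if [ -f "$hive" ]; then
                        echo "SPLIT ${hive%/NTUSER.DAT}: per-machine profile"
                        bad=1
                    fi
                done
            fi
        fi
    done
    return "$bad"
}

# Run the audit when a profile root is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_profiles "$@"
fi
```

Run as root, for example `sh audit_profiles.sh /home/samba/profiles` (the script file name is hypothetical); `SPLIT` lines list the per-machine directories that need to be merged after `%m` is dropped from the logon path.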

tarballed
May 5th, 2003, 21:26
Alright, time to throw another log onto the fire here.

Right now, I am doing a lot of testing with my Samba PDC and Windows Clients. So far, everything is working the way I want it to.
(I should mention, that I have decided against roaming profiles as I decided it would not benefit us at this time.)

Anyway, as I get further and further into my testing, I have some questions and thoughts that I would like to put down. :)

Our Samba Server PDC, is going to be hosting some of our application software and documents as well. Thus, it will be a central repository(?) which users will fire up their applications, which have been installed as network applications. (Some of our applications will run on Linux, some wont).

Now, as I test more and read more, I realize that I need to add all of my users to a certain group (good practice anyway) and then give the group access to a certain share. Thus, everyone in that group will be able to use the application or documents, correct?

For example: Let's say I have some applications in /stuff/application (let's say it's an application). I would need to make sure that my users are in a group called accounting, chgrp accounting /stuff/application as well as chmod 770.

That sound about right?

Damn, I'm tired and ready to go home.

I will chat with everyone tomorrow.

Tarballed

|MiNi0n|
May 5th, 2003, 21:59
> That sound about right?
>
> Damn, I'm tired and ready to go home.

Tired or not, you got it right 8)

tarballed
May 6th, 2003, 13:46
Thanks Minion. Good to know I am on the right track. :)

Also, I have been doing some testing with time syncing clients with the PDC. So far, it does not seem to be working the way I want it to.

What I have done is create a logon.bat file (For Win2k computers) that will be executed by each computer when they log onto the domain. Inside the little bat file is the following:

net time \\sambatest /set /yes

I also have set time server = yes in my smb.conf

However, my users are not syncing correctly with the PDC. They are anywhere from 30 seconds to 2 minutes off.

Any ideas on how I can correct this?

Thanks.

Tarballed

tarballed
May 6th, 2003, 16:31
Just wanted to get some suggestions on a partition layout.

I am setting up a Samba PDC on our network. It will obviously, be where all of our users authenticate against. We are planning on storing applications on the Samba PDC as well as documents on the PDC. Users will be using applications that will look to the PDC for its database information.

I have a server currently with 4 SCSI 36gb drives setup in a RAID 5 array.

I wanted to get some suggestions on a partition scheme that I will not have to alter in the future. :)

Any suggestions?

I was thinking so far:

/boot = 100mb
/root = ?
/home =?
/var = ?

Suggestions are greatly appreciated.

Tarballed

elmore
May 6th, 2003, 17:53
So roughly you got about 108gb of available space after a stripe.

I'd probably do

/ 512mb
/swap 2x ram
/var 1024mb maybe 2048mb if you wanna keep lots of logs
/usr 2048mb maybe more depending on what all is getting loaded in /usr
/home the balance

that's what I'd do. This is really personal preference though. If you're gonna run FBSD on this you might wanna check out minion's how-to on snapshotting.

soup4you2
May 6th, 2003, 18:49
what about /tmp? you missed one, or are you planning on using /tmp inside the root? creating a /tmp i like better because you can further restrict it in the fstab

elmore
May 6th, 2003, 19:56
yeah I missed /tmp too. I usually just set aside anywhere from 10 to 100 mb for tmp I also make a WIP dir to

Work
In
Progress

All the down and dirty stuff goes there first. So I don't dirty up my filesystem. Like I said, this stuff is really personal preference.

soup4you2
May 6th, 2003, 21:13
hmmm a /wip i haven't thought of that... good idea.. normally i end up just doing ~/temp

tarballed
May 7th, 2003, 13:29
Ya. I will probably put a /tmp partition in with about 50-100mb in size.

I should mention that this particular server has a ServRAID card in it. Very nice card and setup. The boss wants a RAID 5 setup with this server.

I figure, each hard drive is 36gb and I could easily just set a RAID 5 array with no problems. I do have the option later to add hot spares to it, which will be nice in case a drive goes bad.

With that in mind, any other ideas?

Thanks.

Tarballed

tarballed
May 7th, 2003, 13:35
One other thing I wanted to mention.
Our PDC is going to be hosting a lot of applications that our users will call on throughout the day when they do their daily work. Not only will the application be on the server, but so will the data. (It's a mortgage company and we have a lot of data files that run in conjunction with the program...lots of files.)

With that in mind, should I create a separate partition for the applications and such? Or make it part of a partition. I know it's probably a matter of personal preference, but I'm trying to figure out a good way to lay this out so I can make everyone happy and have the nice fuzzy warm feeling. :D

Tarballed

soup4you2
May 7th, 2003, 15:15
i would suggest putting the share on a whole separate drive. perhaps on a dedicated raid 5?

those scsi 40gb 15000 rpm drives are sure nice...

tarballed
May 7th, 2003, 15:36
Yes, those drives are nice.

I am working with the ServRAID, trying to learn as we speak.
From what I am gathering, I can setup an array of 3 SCSI 36gb drives in a RAID 5 set. This ServRAID is pretty different than most RAID I have worked with, so I am trying to learn it. I will grab my specs and post what I have set so far, to get some feedback...

Onwards...

I have been reviewing my documentation that will go onto this server in particular. Here is a quick list of some things that will be on here. (Maybe we can brain storm additional ideas...)

-Samba PDC :)
-User files (my documents essentially)
-Miscellaneous files and documents to be used
-A major application program that 30+ users will be using...holds all the templates and data files

-A second, but not as major application..(not widely used, just yet)

That is about it for now.

Basically, we have one major application that will be holding data and templates that all users will be using on a daily basis.

Let's see:

/boot = 100mb
/ = I go back and forth here...1-2gb
/var =
/usr =
/home =
/swap = (Machine has 2gigs of RAM...1-2 gig swap?)
/tmp = 100mb (Maybe)

I am trying to decide where I am going to put the major application. I should mention, that this specific application holds data in many different directories. For example, on our current Windows Server, there is a wide range of directories that hold data and additional stuff for this app.
Probably in excess of 8+ directories on the Windows server.

Any other suggestions?

Tarballed

tarballed
May 7th, 2003, 19:26
Here it is, tentatively: (I have 70gb to work with)

/boot = 100mb
/ = 2gb
/var = 1.5gb
/usr = 5gb
/tmp = 100mb
/swap = 500mb (Server has 2.5gb RAM...suggestions here?)

This next part is where I keep going back and forth.

/home = rest?

Reason: I was planning on putting our user documents in here as well as our application and data. For instance, make a directory called:

/home/application(s)

Since this server will have about 3 applications that will be used by the clients (Just accessing data really) I figured, I could make directories for specific apps:

/home/point = inside here would be all the folders that work with point
/home/docutech = same as point

I should also mention that I was planning on putting the /home partition at the beginning of the disk, for better performance.

Anyone care to comment on this?

I appreciate it.

Tarballed

soup4you2
May 8th, 2003, 10:25
So last night i was thinking about elmore's suggestion of a /wip (work in progress) partition.. but i thought to myself.. i've got a voodoo 5 and the computer just sits in console mode..

so i took about 75% of the video memory and made it my /wip directory.. wow nice and speedy...... i like..