posted by Brian Snipes on Sat 10th Apr 2004 07:28 UTC
"Setting up Samba, Page 2/2"

Mapping Groups

You need to map your Unix groups to the domain groups using the 'net' command. The 'net' command is relatively new to Samba. To view a list of the available commands, type 'net view' at the console.

net groupmap modify ntgroup="Domain Admins" unixgroup=admins
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap add ntgroup="Teachers" unixgroup=teachers
net groupmap add ntgroup="Students" unixgroup=students

The Login Script

Set up a login script named 'logon.bat' in the /home/samba/netlogon directory. This script MUST be in DOS format, meaning that each line must end with a CRLF rather than the LF-only line ending Linux uses. It is easiest to write the logon script in Notepad, put it in a share on the server, and then use the 'mv' command to move it to the /home/samba/netlogon directory.

Oddly enough, Microsoft doesn't include an 'if member of group' test in the login script processor, so you need to download a DOS 'ifmember.exe' executable and place it in the netlogon share manually in order to perform mappings based on group membership. You can download it from here. This login script also syncs the workstation time to the server time.

TITLE Domain Login script
net time \\FS1 /set /y
net use h: /home
net use g: \\FS1\apps

:a
%logonserver%\netlogon\ifmember "teachers"
if not errorlevel 1 goto quit
net use f: \\fs1\teachers
goto quit

:quit
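
The CRLF requirement described above can also be checked and met on the Samba server itself instead of going through Notepad. This is an added example, not part of the original article; the function names count_bare_lf and to_crlf are made up for illustration.

```shell
#!/bin/sh
# Added example: check and fix DOS (CRLF) line endings for a logon script.
# Usage (paths as in the article):
#   count_bare_lf logon.bat
#   to_crlf logon.bat /home/samba/netlogon/logon.bat

# Print how many lines do NOT end in CR (0 means the file is in DOS format).
# A final line with no newline at all is counted as well.
count_bare_lf() {
    awk '!/\r$/ { n++ } END { print n + 0 }' "$1"
}

# Write a CRLF copy of $1 to $2. Safe on mixed or already-converted input:
# an existing CR is stripped before one is added, so CRs are never doubled.
to_crlf() {
    src=$1
    dst=$2
    # Temp file in the target directory so the final mv is an atomic rename
    # and clients never read a half-written script.
    tmp=$(mktemp "${dst}.XXXXXX") || return 1
    if ! awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' "$src" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Readable by workstations, writable only by the owner.
    chmod 0644 "$tmp" && mv -f "$tmp" "$dst"
}
```

Running count_bare_lf on the installed file after every edit catches a script that was saved with Linux line endings before workstations pick it up.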

Workstation Policies

Policies allow an administrator to 'lock down' a workstation. For instance, with policies the administrator and teachers can have access on the workstations to change control panel settings and add new programs, while students can be denied access to the control panel, display settings, command prompt, etc.

Use 'poledit.exe' to create an 'ntconfig.pol' permissions file and place it in the \\server\netlogon share. This file will contain the permissions for the 'Domain Admins', 'Teachers', and 'Students' groups. Poledit.exe is available from the NT Resource Kit (from http://www.microsoft.com), but in order to support XP workstations, custom control files (called ADM files) need to be downloaded and loaded into the Poledit utility. The custom ADM files can be downloaded from http://www.snipes.org/admfiles.zip.

Importing Workstations

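In order to import the Windows 2000/XP workstations into your new Samba domain, you MUST add the following registry entry to each workstation. The entry sets 'requiresignorseal' to 0, which stops the workstation from requiring that its Netlogon secure channel traffic be signed or sealed. The easiest way is to save the following text as a file called 'samba.reg' and then double-click it on the workstation to import it.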

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000

After rebooting, right-click on the 'My Computer' icon and choose Properties. On the resulting screen, change the computer from Workgroup to Domain and enter an administrator username and password (i.e., a user that is in the 'Domain Admins' group). You will be thanked for joining and you will be told to reboot.

Finishing Thoughts

Setting up Samba can be a very interesting adventure, but it is well worth the effort. Once the basics are understood, a new lab can be set up in just a couple of hours and should require very little maintenance. There are many online references for Samba. I suggest going to your closest Samba mirror via http://www.samba.org and looking at the documentation section for further info.

About the Author:
Brian Snipes' Certifications: RHCE, LCP, MCNE, MCP, CCNA. Brian is the President of Dynamic Network Integrations, Inc.

