[Samba] Few questions on configuring Samba as a PDC

Jesse Stone jstone1999 at gmail.com
Sat Sep 27 19:06:23 GMT 2008


On Fri, Sep 26, 2008 at 8:57 PM, John H Terpstra <jht at samba.org> wrote:

>  On Friday 26 September 2008 14:34:31 Jesse Stone wrote:
> > Hi David,
> >
> > I'm not sure about your response but I will research it shortly.
> >
> > In regards to John's response, I did change it slightly (I am trying to not
> > use room)
> > net groupmap add ntgroup="Domain Admins" unixgroup=domainadmins
> > net groupmap add ntgroup="Domain Users" unixgroup=domainusers
> > net groupmap add ntgroup="Domain Guests" unixgroup=nogroup
> > I have then added two people into the domainadmins group (which I created)
> > and 1 person into the domainusers group.  The users on the domainadmins
> > group can connect to the domain (if I use the root user to add them which I
> > want to change) but they cannot save their profiles.
> >
> > I believe this is due to the permissions on the folders:
> > rwxrwxr-x 2 root domainusers 4096 2008-09-25 12:43 netlogon
> > drwxrwxr-x 3 root domainusers 4096 2008-09-26 01:40 profiles
> >
> > I could see how it would work if I kept things as they are as domain admins
> > would be in the root group and would have access to the folder but since I
> > am trying to not use the root group I am at a loss how to set the
> > permissions on these folders.
> >
> > I haven't been able to try the user that is in the domainusers group as
> > that user runs Kubuntu and I'm not sure how to add a Linux machine onto the
> > domain.
> >
> > Thanks for both your responses!  Again, the main goal is to set up a PDC
> > with roaming profiles without the use of the root account or root group.
> >
> > -Jesse
> >
> > On Fri, Sep 26, 2008 at 11:18 AM, David Markey <admin at dmarkey.com> wrote:
> > > net rpc rights grant <username> SeMachineAccountPrivilege
> > >
> > > On Fri, Sep 26, 2008 at 7:11 PM, John Drescher <drescherjm at gmail.com> wrote:
> > >> On Fri, Sep 26, 2008 at 1:59 PM, Jesse Stone <jstone1999 at gmail.com> wrote:
> > >> > Please don't flame me.  I did attempt to search before posting this question
> > >> > (through Gmail), if there's a better way, please let me know!
> > >> >
> > >> > I followed this article for implementing a Samba PDC:
> > >> > http://www.howtoforge.com/samba_setup_ubuntu_5.10_p4
> > >> >
> > >> > Question 1)  The only account that appears to be able to add an account onto
> > >> > the domain is the root account.  There must be a way to change that to
> > >> > a standard account.  I'm using Ubuntu and do not use the root account
> > >> > for anything.
> > >> >
> > >> > I've tried changing "root = Administrator" in /etc/samba/smbusers to
> > >> > "otheruser = Administrator" but that doesn't seem to do it.
> > >>
> > >> Did you do this:
> > >> net groupmap modify ntgroup="Domain Admins" unixgroup=root
> > >> net groupmap modify ntgroup="Domain Users" unixgroup=users
> > >> net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup
> > >>
> > >> And assign users to the Domain Admins group?
> > >>
> > >> John
> > >>  --
> > >> To unsubscribe from this list go to the following URL and read the
> > >> instructions:  https://lists.samba.org/mailman/listinfo/samba
>
> Please refer to chapter 15 of the Samba3-HOWTO available from:
>
> http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
>
> Any user can be granted the right to add users, add machines, or any other
> privilege from a Windows client using the "net rpc rights grant" toolset.
>
> Cheers,
> John T.
> --
> John H Terpstra
>
> "Don't do as I do; Show me better!" - Anonymous.

Thanks John, I found that chapter and bookmarked it.  Exactly what I was
looking for!  I am redoing my Samba setup from scratch as I made changes
that I did not fully understand and now feel completely lost as to how to
fix some remaining problems.

I am using this guide:
http://www.howtoforge.com/samba_setup_ubuntu_5.10_p4

Most of the other questions I had above have been answered or as my
understanding increases, no longer apply.

Here are some things I'm still unsure about:

Question 1) Do Linux machines benefit from being added to a domain?  I would
like to add all my machines onto the domain but I'm not certain what I would
gain from doing so or how to do it.  I am not using LDAP or anything like
that.  I'm actually planning on using Python and MySQL to build my own user
management feature (long way down the road as I still have to learn Python).


Question 2) I do not need roaming profiles.  I only have two Windows
machines - 1 XP and 1 Vista 64 bit which would probably be difficult to set up
in a way to allow for proper roaming anyways.

I will research on my own how to stop the roaming profile portion of the
install.  I do want to implement a feature whereby the "My Documents"
feature is saved periodically though for backup purposes.  Preferably, a
local copy would exist on each machine and then sync'd periodically
throughout the day or late at night.  Can/should this be done through Samba?

Question 3)  I have an OpenVPN environment set up on a separate subnet.  I want
my VPN users to only see themselves and the Samba server (not my family
machines) while connected through VPN.  Would this require a separate
install of Samba or can I configure multiple configurations within 1 install of
Samba?

For example:

VPN user on 192.168.1.X sees the following in Network Neighbor or
smbclient:  Other VPN users and the Samba server.  The Samba server will
have shares which make access my family machines but no one will be able to
see or access my family machines directly.

My family users will only see other family machines (say we're on
192.168.0.X).

The only exception being me who will need to see everyone which I believe
will just require a bit of updated routing on my machine.

I am new to mailing lists so please let me know if it works to ask questions
in lists like this or if it's easier for me to write separate emails for
each topic.

-Jesse

