Samba PDC configuration (Home Media CE)
Warning: Carrying out this procedure probably voids your warranty. You do this all at your own risk!
This article explains how to configure the built-in Samba daemon to act as a Windows® Primary Domain Controller (PDC). This allows you to store the users' profiles on the Home Media NAS. Although the first steps are performed using the web GUI, this how-to assumes that you have already gained root access to your NAS as described here in this wiki.
Configuring Samba to act as a PDC is usually quite an easy task: you amend the Samba configuration file smb.conf with the necessary parameters and create a new share that will contain the users' profiles, and that's all. In the case of the Home Media CE it's not that easy. The content of smb.conf is generated by the web GUI engine on every reboot, and whenever a new share is created, from a template file that is stored on the read-only "apps" file system. To make things more complicated, many daemons (including Samba) are controlled by a service called "appmd", which is poorly implemented. But don't despair, there are ways around all these obstacles :-)
First of all, enable the security mode (if not already enabled) to be able to use different users on your NAS device. This is done by starting the web GUI and navigating to System → Security. Switch the mode to "on" and choose a user name which will serve as the new web GUI admin user, e.g. "admin". It's a good idea to enable network communication encryption as well for additional security. Remember, this procedure will reset the password of the user "root" to 'soho<admin password>', e.g. 'sohoabc123'.
Set The Domain Name
Now navigate to System → Device Identification and enter the designated domain name into the "Workgroup Name" field. You may also use the opportunity to change the "Device Name" to a value that suits your environment.
Now navigate to Storage → Shares and create a new share called "profiles" with read and read/write permission for everyone (which is the default). As the name indicates, this share will hold the users' profiles. Make sure to tick the "Allow users to change file level security" checkbox, otherwise Windows clients will refuse to use this share due to "incorrect security settings".
If you like, create a second share called "netlogon" with the same permissions. This share should be created if you plan to use netlogon scripts.
This step was the last that could be done using the web GUI. The rest of the configuration has to be done using shell commands.
Change The Samba Configuration
First of all, it's helpful to add the path of the Samba binaries to the PATH variable of the user root. The easiest way is to edit the file /etc/profile and to append "/usr/local/samba/bin" to the PATH variable. Furthermore, add a MANPATH variable to have the Samba manual pages handy (export it, otherwise man will not see it):
    if [ "`id -u`" -eq 0 ]; then
        PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/samba/bin"
        MANPATH="/usr/local/samba/share/man"
        export MANPATH
    else
        PATH="/usr/local/bin:/usr/bin:/bin:/usr/games"
    fi
Afterwards, execute "source /etc/profile" to activate the new path settings.
Mount The Apps Volume
As stated before, the template file for the Samba configuration is stored on the read-only "apps" volume. To be able to edit the file, the apps volume must be mounted read-write. For some reason, re-mounting the apps volume does not work, probably because the underlying loop device is read-only. For the time being, we have to mount the apps volume to a different mount point using a new loopback device:
    mkdir /appsvol
    mknod /dev/loop3 b 7 3
    mount -o loop /boot/images/apps /appsvol
Editing The Samba Configuration File
Now create a backup copy of the file /appsvol/usr/local/cfg/Shares.xml, open it in an editor and change the <Global Tag> and <Workgroup Tag> sections to the following content:
    <Global Tag="netbios name" Value="PDC"/>
    <Global Tag="server string" Value="PDC (%h)"/>
    <Global Tag="encrypt passwords" Value="yes"/>
    <Global Tag="passdb backend" Value="smbpasswd"/>
    <Global Tag="obey pam restrictions" Value="no"/>
    <Global Tag="unix password sync" Value="no"/>
    <Global Tag="passwd program" Value="/usr/bin/passwd %u"/>
    <Global Tag="passwd chat" Value="*Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n ."/>
    <Global Tag="hide files" Value="/desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/"/>
    <Global Tag="wins support" Value="no"/>
    <Global Tag="socket options" Value="TCP_NODELAY"/>
    <Global Tag="map to guest" Value="Bad User"/>
    <Global Tag="host msdfs" Value="yes"/>
    <Global Tag="null passwords" Value="no"/>
    <Global Tag="restrict anonymous" Value="0"/>
    <Global Tag="strict allocate" Value="no"/>
    <Global Tag="printcap name" Value="lpstat"/>
    <Global Tag="printing" Value="cups"/>
    <Global Tag="printable" Value="no"/>
    <Global Tag="load printers" Value="yes"/>
    <Global Tag="max smbd processes" Value="500"/>
    <Global Tag="getwd cache" Value="yes"/>
    <Global Tag="display charset" Value="UTF-8"/>
    <Global Tag="log level" Value="0"/>
    <Global Tag="syslog" Value="0"/>
    <Global Tag="max log size" Value="50"/>
    <Global Tag="use sendfile" Value="yes"/>
    <Global Tag="peek command type" Value="yes"/>
    <Workgroup Tag="security" Value="user"/>
    <Workgroup Tag="local master" Value="yes"/>
    <Workgroup Tag="preferred master" Value="yes"/>
    <Workgroup Tag="os level" Value="200"/>
    <Workgroup Tag="domain master" Value="yes"/>
    <Workgroup Tag="domain logons" Value="yes"/>
    <Workgroup Tag="logon home" Value="\\PDC\profiles\%U"/>
    <Workgroup Tag="logon path" Value="\\PDC\profiles\%U"/>
    <Workgroup Tag="logon drive" Value="P:"/>
    <Workgroup Tag="profile acls" Value="yes"/>
    <Workgroup Tag="invalid users" Value="bin daemon adm sync shutdown halt mail news uucp gopher"/>
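Before unmounting, it is worth checking the edited Shares.xml for the settings the PDC role depends on. The following check is an added example (not code from this wiki page or from the NAS firmware): it parses the Global/Workgroup elements above and reports settings that are missing or weaker than the how-to requires; the two sample fragments are constructed for the demonstration, and the root element used to wrap a bare fragment is an assumption.

```python
import xml.etree.ElementTree as ET

# Values the how-to above sets and that the PDC role depends on.
REQUIRED = {"security": "user", "domain logons": "yes", "domain master": "yes",
            "preferred master": "yes", "encrypt passwords": "yes",
            "null passwords": "no", "map to guest": "Bad User", "profile acls": "yes"}

def parse_shares_xml(text):
    """Return {tag: value} for every <Global>/<Workgroup> element in text."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        # A bare list of elements (as quoted on this page) has no root node; wrap it
        # in a constructed one (assumed name) so the fragment parses too.
        root = ET.fromstring("<fragment>" + text + "</fragment>")
    return {e.attrib["Tag"].lower(): e.attrib.get("Value", "")
            for e in root.iter() if e.tag in ("Global", "Workgroup") and "Tag" in e.attrib}

def check_pdc_settings(settings):
    """Return sorted findings for settings that are missing or weaker than REQUIRED."""
    findings = []
    for tag, want in REQUIRED.items():
        got = settings.get(tag)
        if got is None:
            findings.append(f"missing: {tag} (expected {want!r})")
        elif got.lower() != want.lower():
            findings.append(f"wrong: {tag}={got!r} (expected {want!r})")
    # logon home/path must point at this server's own profiles share (\\<netbios name>\...).
    nb = settings.get("netbios name", "")
    for tag in ("logon home", "logon path"):
        path = settings.get(tag, "")
        if not nb or not path.lower().startswith(("\\\\" + nb + "\\").lower()):
            findings.append(f"wrong: {tag}={path!r} does not point at \\\\{nb or '?'}\\")
    return sorted(findings)

# Constructed samples: GOOD mirrors the how-to, WEAK contains three typical mistakes.
GOOD = """<Global Tag="netbios name" Value="PDC"/>
<Global Tag="encrypt passwords" Value="yes"/>
<Global Tag="null passwords" Value="no"/>
<Global Tag="map to guest" Value="Bad User"/>
<Workgroup Tag="security" Value="user"/>
<Workgroup Tag="domain master" Value="yes"/>
<Workgroup Tag="preferred master" Value="yes"/>
<Workgroup Tag="domain logons" Value="yes"/>
<Workgroup Tag="logon home" Value="\\\\PDC\\profiles\\%U"/>
<Workgroup Tag="logon path" Value="\\\\PDC\\profiles\\%U"/>
<Workgroup Tag="profile acls" Value="yes"/>"""
WEAK = (GOOD.replace('"null passwords" Value="no"', '"null passwords" Value="yes"')
            .replace('<Workgroup Tag="domain logons" Value="yes"/>\n', "")
            .replace('Value="\\\\PDC\\profiles', 'Value="\\\\OLDNAS\\profiles', 1))
```

Run it against the real file with check_pdc_settings(parse_shares_xml(open("/appsvol/usr/local/cfg/Shares.xml").read())); an empty list means all checked settings match the how-to.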
Unmount The Apps Volume And Reboot The System
Now unmount the appsvol mount and reboot the system in order to activate the Samba configuration:
    cd /
    umount /appsvol
    shutdown -r now
After the system comes up again, check with smbclient, testparm and pdbedit whether Samba uses the new configuration:
    root@hmnhd-TI1S0O:/# smbclient -L localhost
    Password:                    <--- Just press 'Return' here
    Anonymous login successful
    Domain=[...] OS=[Unix] Server=[Samba 3.0.32]

            Sharename       Type      Comment
            ---------       ----      -------
            IPC$            IPC       IPC Service (PDC (hmnhd-TI1S0O))
            netlogon        Disk
            profiles        Disk
            TimeMachine     Disk
            Pictures        Disk
            Music           Disk
            Movies          Disk
            Documents       Disk
            Backups         Disk
    Anonymous login successful
    Domain=[...] OS=[Unix] Server=[Samba 3.0.32]

            Server               Comment
            ---------            -------
            PDC                  PDC (hmnhd-TI1S0O)

            Workgroup            Master
            ---------            -------
            ...                  PDC

    root@hmnhd-TI1S0O:/# testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section "[Printers]"
    Processing section "[Backups]"
    Processing section "[Documents]"
    Processing section "[Movies]"
    Processing section "[Music]"
    Processing section "[Pictures]"
    Processing section "[TimeMachine]"
    Processing section "[profiles]"
    Processing section "[netlogon]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_PDC
    Press enter to see a dump of your service definitions
    ...

    root@hmnhd-TI1S0O:/# pdbedit -L -v
    ---------------
    Unix username:        admin
    ...
Create Computer and User Accounts
For each computer that shall join the domain, a machine account is necessary. The account name should be in uppercase letters and must be followed by a "$" symbol. For example, if your computer's name is "foobar", execute the following commands:
    useradd -s /bin/false 'FOOBAR$'
    smbpasswd -a -m 'FOOBAR$'
Now add a user account for each user that shall be able to log in to the domain. Note that the user's password will be managed using the command "smbpasswd". A directory for the user's profile has to be created as well (replace 'USER' with the user's name):
    useradd -s /bin/false USER
    smbpasswd -a USER
    mkdir /mnt/pools/A/A0/profiles/USER
    chown USER:USER /mnt/pools/A/A0/profiles/USER
    chmod 700 /mnt/pools/A/A0/profiles/USER
Remember to give the new user read and read/write permission on the profiles and netlogon shares.
Add Windows Clients To The Domain
For Windows XP, right-click on "My Computer", select "Properties" and go to the "Computer Name" tab. Click on "Change" and enter the domain name in the "Domain" field. Click on "OK" and a new window containing "Welcome to the <name> domain" should appear.
Now you should be able to log in to the Windows system using the user name and password you defined above. Check the directory /mnt/pools/A/A0/profiles/<user name> to see whether the user's profile is being created on the NAS drive.