LinuxQuestions.org
Old 03-29-2004, 09:39 PM   #1
devfreak
Member
 
Registered: Mar 2004
Location: Maine
Distribution: gentoo 2004.1, ubuntu 4.10, FC3
Posts: 97

Rep: Reputation: 15
How does one join an NT domain?


As I posted in another thread, I am wondering how to get my fedora machine to join an NT domain. How has anyone gone about doing it?
 
Old 03-30-2004, 04:36 AM   #2
sandiegocal
LQ Newbie
 
Registered: Mar 2004
Location: san diego
Posts: 16

Rep: Reputation: 0
devfreak

I am using Debian, which I installed from Knoppix 3.3, so I can't answer any Fedora specific questions, but this should be pretty close, if not exact. This answer assumes that you are using Samba 3.0.2, because Samba 2.. uses different mechanisms. I am basing my answer on two guides that I used to accomplish this:
http://faculty.acu.edu/~westk/winbind.html
and
http://us1.samba.org/samba/docs/Samb...Collection.pdf

create an empty text file called /etc/samba/smb.conf and add these lines:
[global]
netbios name = <name of your linux server>
security = domain
workgroup = <domain name>
password server = *
winbind uid = 10000-20000
winbind gid = 10000-20000

where you fill in the appropriate <name of your linux server> and <domain name>. I used something like netbios name = linux01 and for example, workgroup = microsoft (I used just the domain name WITHOUT a .local extension, or .com, or whatever. You may need to use the extension, however, but I did not). The line "password server = *" will cause samba to search your domain for the appropriate server. The last two lines, if detected, cause winbind to run.

Next, change these two lines in the /etc/nsswitch.conf file:
passwd: compat
group: compat

to read:

passwd: compat winbind
group: compat winbind

start the services by typing at the root:
nmbd
smbd

you can test if winbind started by typing at the root:
getent passwd

you should see not only your local users, but also ALL users from the domain listed. if not, you can manually start winbind by typing:
/etc/init.d/winbind start
smbd restart

Add your linux server to the domain by typing:
net join -S <your Windows PDC> -U <administrator>%<password>

where <your Windows PDC> is the netbios name for your PDC, something like winserver01, or whatever, without the domain extension, such as .local. You will join using an account with rights to join a domain, such as administrator or someone with administrator rights, and their password.

when you create a share on your linux server, it will modify your smb.conf automatically and add the share. for example, if I create a directory in my root called projects, and share it, smb.conf would have these lines added:
[ROOTPROJECTS]
path = /root/projects
comment = /root/projects
public = yes
guest = ok
writeable = no
wide links = no

Change this line:
writeable = no

to read:

writeable = yes

Otherwise, you will not be able to add or edit files from Windows.

And you must remember to do this on each new share that you create.

On your windows server, open My Network Places>Entire Network>Microsoft Windows Network> <domain> > <linux server>. Click the linux server, and you should see the ROOTPROJECTS share.

please, out of courtesy, write back to close this thread by telling us that the solution worked, did not work, or you solved it by...
people that leave threads open do not get answered in future threads.

Last edited by sandiegocal; 03-30-2004 at 10:30 AM.
 
Old 03-30-2004, 10:35 AM   #3
devfreak
Member
 
Registered: Mar 2004
Location: Maine
Distribution: gentoo 2004.1, ubuntu 4.10, FC3
Posts: 97

Original Poster
Rep: Reputation: 15
I will get to this and reply how it went the moment I get a chance to do this. Must go to class now.
 
Old 03-30-2004, 03:52 PM   #4
devfreak
Member
 
Registered: Mar 2004
Location: Maine
Distribution: gentoo 2004.1, ubuntu 4.10, FC3
Posts: 97

Original Poster
Rep: Reputation: 15
I said call me Aaron. Just kidding.

Ok, so I got it to work on my fedora box, and I hope to God all my fellow Fedora users who want to join nt domains find this post, because I'm sure they're having as little luck finding resources as I did.

I came upon some differences, and I'll explain how I basically did what you said and made some adjustments.

First of all my nmbd and smbd files were in /usr/sbin and not /usr/bin, so that was just a matter of copying the files from one to the other, I assure you, that works fine, I've had to do that with several files on other occasions, fedora stores some files in sbin that can be copied just fine.

Also, if you are a fedora user listen to me now, our nsswitch files are different!! The key point is that you just need to append winbind at the end! I stupidly just made my entries say compact winbind and I had to run phlak just to fix it back! Mine say:
/etc/nsswitch.conf
passwd: files nis winbind
shadow: files nis winbind
group: files nis winbind

I repeat, don't break things, just append winbind at the end.

Next problem I had was that, at my school, internally our NT DOMAIN goes by SEIBERT, but externally it goes by SUSQU.EDU. This proved to make life difficult, and it took me a few tries to find that my smb.conf file wanted SEIBERT, my net join -S wanted SUSQU.EDU, and my net join -U wanted SEIBERT/smiley.

/etc/samba/smb.conf
[global]
netbios name = Smiley_Fedora
security = domain
workgroup = SEIBERT
password server = *
winbind uid = 10000-20000
winbind gid = 10000-20000


and either
/usr/sbin/nmbd
and
/usr/sbin/smbd

or copy them to bin and just run them

and my net join looks like:
net join -S SUSQU.EDU -U seibert/smiley%pass

I must point out that locally I am user aaron and on the NT domain I am user smiley. Those with similar dissimilarities should make a note of where I use smiley (everywhere).

I originally tested this by going into Konqueror or nautilus and trying smb://server/share but I still got the annoying prompts. For kicks I tried mounting a share, that worked and now I can browse without being spammed for permission. My mount looks like this:
mount -t smbfs //web/wwwroot$ /home/aaron/mounts/web -o username=smiley,password=pass,fmask=777,dmask=777,rw

Note that I didn't have to prepend my internal domain name, and the password is my nt domain account's password.



Now the only problem I have is that windows machines can't access my linux machine.
They get the error message:
Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.
And that goes for just opening up \\smiley_fedora, or \\i-232 (which is also the machine), OR \\xxx.xxx.xxx.232, which is also the machine. It goes for trying to access a share, like \\smiley_fedora\aaron, which local user aaron has been granted access to with a samba user named aaron. It's funny, because people could connect to me fine before that. Maybe it's because I nuked the rest of my smb.conf file and started from blank?

Last edited by devfreak; 03-30-2004 at 04:14 PM.
 
Old 03-30-2004, 04:28 PM   #5
devfreak
Member
 
Registered: Mar 2004
Location: Maine
Distribution: gentoo 2004.1, ubuntu 4.10, FC3
Posts: 97

Original Poster
Rep: Reputation: 15
That wasn't it, I went back to my old smb.conf file and changed some things to match the one I had started from blank and people still can't connect to me, but I found something else that might be it.
Now when I boot I get hung up on trying to find an NIS server, and it fails. It doesn't make any sense because my /etc/resolv.conf file contains the correct IPs of the nameservers!
Could this be the problem? I am willing to bet it. Any ideas?

After some banging around I still can't get it working, I've tried a bunch of things, will try some more.

You know, this would make a great firewall, since I can access everything fine, just that no one can get in to me!

Last edited by devfreak; 03-30-2004 at 06:47 PM.
 
Old 03-30-2004, 08:01 PM   #6
sandiegocal
LQ Newbie
 
Registered: Mar 2004
Location: san diego
Posts: 16

Rep: Reputation: 0
Quote:
It's funny, because people could connect to me fine before that.
What does "that" refer to?
 
Old 03-30-2004, 08:50 PM   #7
devfreak
Member
 
Registered: Mar 2004
Location: Maine
Distribution: gentoo 2004.1, ubuntu 4.10, FC3
Posts: 97

Original Poster
Rep: Reputation: 15
Wow, it's working now. There were two more variables I had to set in my smb.conf file, I'm not sure which one or if both fixed it.



[global]
netbios name = Smiley_Fedora
security = domain
workgroup = SEIBERT
password server = *
idmap uid = 10000-20000
idmap gid = 10000-20000
paranoid server security = no
domain logons = yes


But my senses tell me it's the second one.
I should mention I also enabled wins. This didn't fix things when I enabled it, but it might have contributed in the end. It's wonderful, I can be accessed as \\smiley_fedora now. Damn cool.

Last edited by devfreak; 03-31-2004 at 09:05 AM.
 
Old 03-30-2004, 09:57 PM   #8
sandiegocal
LQ Newbie
 
Registered: Mar 2004
Location: san diego
Posts: 16

Rep: Reputation: 0
Excellent!!

I am surprised that either of those two parameters would have an effect. The Samba HOWTO Collection lists the "domain logons = yes" as a statement to include when setting up your linux server as a PDC.

And the only mention of paranoid server security is as a new protocol parameter, but does not discuss it further.

You can download the official Samba HOWTO and Reference Guide:
http://us1.samba.org/samba/docs/Samb...Collection.pdf

(I believe the name is somewhat misleading. You will understand it a whole lot better now that you have a working example, but it leaves a lot to be desired as a HOWTO manual)

Anyway, I am very glad you got this working. I was hoping that one person's knowledge could be built upon in a succession to create some working solutions. It just should not be this difficult.

Hopefully, someone will look at this example, and take it to the next level.
 
Old 03-31-2004, 09:01 AM   #9
devfreak
Member
 
Registered: Mar 2004
Location: Maine
Distribution: gentoo 2004.1, ubuntu 4.10, FC3
Posts: 97

Original Poster
Rep: Reputation: 15
I am with you completely
 
Old 04-11-2004, 12:47 PM   #10
devfreak
Member
 
Registered: Mar 2004
Location: Maine
Distribution: gentoo 2004.1, ubuntu 4.10, FC3
Posts: 97

Original Poster
Rep: Reputation: 15
Bah! Bad news, muchachos! I have noticed that people around my campus are having a hard time logging on to their computers when they restart them lately, all over campus, and these are the 2000, xp people who log on with their domain accounts.

It's Easter break, I'm still here with my girlfriend, and she can't log on. I get this idea that maybe it's my fault! I turn off my box and she logs right on!! I've broken my entire school's domain! The office of IT said they thought it was a wireless router, which makes me think maybe I'm accidentally running a domain server?

Help! My university needs you!!
 
Old 04-11-2004, 01:22 PM   #11
sandiegocal
LQ Newbie
 
Registered: Mar 2004
Location: san diego
Posts: 16

Rep: Reputation: 0
Quote:
I am surprised that either of those two parameters would have an effect. The Samba HOWTO Collection lists the "domain logons = yes" as a statement to include when setting up your linux server as a PDC.
1. Look at my comment earlier. Get rid of the "domain logons = yes" line, at least. The network is probably trying to use your linux server as a PDC.

2. Change only the two lines in nsswitch that I pointed out earlier - do not change your shadow line. This involves the shadow passwords. You don't need this.

3. Go to samba.org and download the document called Samba HOWTO Collection. I gave you a link for that earlier. Start looking for answers there. It is 745 pages - but you will recognize the parts that you already have experience with, as far as joining the domain.

Personally, I would not change or add any lines other than what I told you (except as necessary to use a different distro of linux), as this was the necessary minimum to join a domain, until you find out what they are used for.

Good luck.
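
Added example, not part of any post in this thread: a small Python helper that applies the nsswitch.conf advice from posts #2, #4 and #11, appending winbind to the passwd and group lines while keeping whatever sources the distribution already lists and leaving shadow untouched. The function name and the two sample files are constructed for illustration.

```python
import re

TARGET_DBS = ("passwd", "group")  # shadow is left alone, as post #11 advises

# Constructed samples in the two layouts the thread mentions.
DEBIAN = "passwd: compat\ngroup: compat\nshadow: compat\n"
FEDORA = ("# constructed sample\n"
          "passwd:     files nis\n"
          "shadow:     files nis\n"
          "group:      files nis  # local first\n")

# indent, database name, separator, source list, optional trailing comment
LINE = re.compile(r"^(\s*)(\w+)(\s*:\s*)(.*?)(\s*#.*)?$")

def add_winbind(text, dbs=TARGET_DBS):
    """Return nsswitch.conf text with 'winbind' appended to the given databases.

    Existing sources keep their order, comment lines and other databases are
    passed through unchanged, and running it twice changes nothing further.
    """
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(2) in dbs:
            indent, db, sep, sources, comment = m.groups()
            if "winbind" not in sources.split():
                sources = (sources + " winbind").strip()
            line = f"{indent}{db}{sep}{sources}{comment or ''}"
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(add_winbind(DEBIAN))
    print(add_winbind(FEDORA))
```

Write the result to a copy and compare it with the original before replacing /etc/nsswitch.conf, and keep a root shell open until `getent passwd` still lists the local accounts.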
 
Old 04-12-2004, 10:12 AM   #12
devfreak
Member
 
Registered: Mar 2004
Location: Maine
Distribution: gentoo 2004.1, ubuntu 4.10, FC3
Posts: 97

Original Poster
Rep: Reputation: 15
It's weird but the domain logons=yes is exactly what allows people to address my computer as \\smiley_fedora from windows. Otherwise they get a bizarre error about my information not being complete. I will definitely look into this.
 
Old 04-12-2004, 10:20 AM   #13
BIACS
Member
 
Registered: Apr 2004
Location: Arlington, TX
Distribution: Fedora Core 4 64bit
Posts: 95

Rep: Reputation: 15
Quote:
Originally posted by devfreak
I turn off my box and she logs right on!! I've broken my entire school's domain! The office of IT said they thought it was a wireless router, which makes me think maybe I'm accidentally running a domain server?
Check to make sure your box isn't set up to be a MasterBrowser, that could be why it is keeping your girlfriend's PC from logging on until you turn yours off.

Last edited by BIACS; 04-12-2004 at 10:21 AM.
 
Old 04-27-2004, 04:33 PM   #14
devfreak
Member
 
Registered: Mar 2004
Location: Maine
Distribution: gentoo 2004.1, ubuntu 4.10, FC3
Posts: 97

Original Poster
Rep: Reputation: 15
Finally got it working:
netbios name = Smiley_Fedora
security = DOMAIN
workgroup = seibert
password server = *
idmap uid = 10000-20000
idmap gid = 10000-20000
browse list = No
local master = No
preferred master = No
domain logons = yes
 
Old 04-27-2004, 04:47 PM   #15
AutOPSY
Member
 
Registered: Mar 2004
Location: US
Distribution: Redhat 9 - Linux 2.6.3
Posts: 836

Rep: Reputation: 31
local master = No
preferred master = No
domain logons = yes

These settings are needed in case there is more than 1 logon server running in the network.
Set these to yes if yours is the only one.
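
Added example, not part of any post in this thread and not Samba's own tooling: a Python check that reads an smb.conf and reports the settings this thread ran into on a domain member, namely the logon-server and master-browser roles from posts #11 and #13, plus a share that is both guest-accessible and writable as in post #2. The host, workgroup and function names are constructed.

```python
import configparser

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

# Constructed sample: the [global] block and share follow the shapes posted in the thread.
SAMPLE = """\
[global]
netbios name = EXAMPLE_HOST
security = domain
workgroup = EXAMPLE
password server = *
local master = No
preferred master = No
domain logons = yes

[ROOTPROJECTS]
path = /root/projects
public = yes
writeable = yes
"""

def load(text):
    """Parse smb.conf text into {section: {parameter: value}}, all lower-cased."""
    text = "\n".join(line.strip() for line in text.splitlines())  # drop indentation
    cp = configparser.ConfigParser(interpolation=None, strict=False,  # % macros stay literal
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.read_string(text)
    return {s.lower(): {" ".join(k.split()): v.strip().lower() for k, v in cp[s].items()}
            for s in cp.sections()}

def on(params, *names):
    """True if any of the named parameters is explicitly enabled."""
    return any(params.get(n) in TRUE for n in names)

def lint(text):
    conf = load(text)
    g = conf.get("global", {})
    member = g.get("security") == "domain"
    findings = []
    # Roles a plain member should not claim: logon server (post #11), master browser (post #13).
    for p in ("domain logons", "domain master", "preferred master", "local master"):
        if member and on(g, p):
            findings.append(f"global: '{p} = yes' on a security = domain member")
    for name, share in conf.items():
        if name == "global":
            continue
        guest = on(share, "guest ok", "public")          # 'public' is a synonym of 'guest ok'
        writable = (on(share, "writeable", "writable", "write ok")
                    or share.get("read only") in FALSE)  # inverted synonym
        if guest and writable:
            findings.append(f"{name}: guest access combined with write permission")
    return findings
```

Only explicitly set parameters are examined; defaults that Samba applies when a line is absent are not inferred.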
 
  

