November 25, 2008 As unRAID includes a 3.x version of SAMBA I think it should be possible to get unRAID to act as a Windows Domain Controller. Right now my old Linux file server does this for me using SAMBA 3.0.24, and it would be nice to decommission it. Has anyone tried doing this? From what I recall it would only need some changes to the "smb.conf" file and to migrate across the account files from the old machine.
November 27, 2008 I'm curious what you are using a Domain Controller on your Home network for? I've set up domain controllers, dns, dhcp and email servers in the past just to see if I could do it. But then I formatted the disks and did something else with the computers. What do you use it for?
November 28, 2008 Author

> I'm curious what you are using a Domain Controller on your Home network for? I've set up domain controllers, dns, dhcp and email servers in the past just to see if I could do it. But then I formatted the disks and did something else with the computers. What do you use it for?

Largely it was just a learning exercise. Back in the days of NT 3.5/4.0 I was a subscriber to one of Microsoft's developer programs, so I got the various server packages to play with. I migrated my old NT4 based domain controller over to SAMBA a number of years ago to see how well SAMBA did it and to maintain the single sign on you get with a domain. Still, this feature could actually be quite useful for an unRAID box to have in a small business setting. Say for example a small clinic where there is a workstation that runs the billing software and a couple other stations for the practitioners to use (or they have their own laptops). In that situation maintaining passwords on the various machines as staff come and go can be a pain, so having a domain account system is quite nice (but a lot more expensive if you go the Microsoft Server route). Plus having a simple RAID box like unRAID to help protect the key files is good too. As far as I can see the current software should do this (there's a chance the current user account feature might interfere with things though) and the real cost might be support.
May 21, 2011 I'm just getting started with unRAID and came across this post when looking to see if others have tried this. In case others were wondering, I'll post my reasons for wanting to do so. Currently I am running an Ubuntu server as a domain controller for my home network. The reason behind this is the same as in an enterprise network: central authentication for users on the network. Currently there are 3 of us using various devices on the network. Obviously, I have full wide open access to everything. However, my wife and 10yo son don't need that kind of access. Also, my wife and I will want access to movies and music that our son should not have access to. Therefore, all current shares in our network are restricted accordingly based on centralized network authentication from the SAMBA PDC running on an Ubuntu VM. Since I am now adding unRAID which also uses SAMBA, I need to figure out how to have it use my existing domain users for user level security OR, more idealistically, configure unRAID to run as the PDC so I can get rid of the Ubuntu VM that is currently running solely as a PDC.
May 22, 2011 Author I am still interested in this. Since I first asked the question I have migrated all the file storage from my old SAMBA PDC box over to my unraid box (as I found unraid much easier to administer/maintain/expand), and more recently I had to upgrade the SAMBA box (to support the Windows 7 PCs that have started appearing on my LAN), so I took the opportunity to replace the old box with a new one based on an Atom motherboard and a small SSD. I hadn't considered running the PDC in a VM like you do; perhaps you could do that on your unraid box? Regards, Stephen
May 24, 2011 That's what I'm considering right now and I'm working on building the development environment on my desktop to start some playing. However, it seems like a waste of resources to allocate a VM on a machine already running SAMBA. The only reason I am doing that right now is to provide some separation of my PDC from the firewall that it is using as the host. If someone happens to hack into my firewall I wanted to make it a little harder for them to find the network credentials that would then give them access to everything on the network. But, since unRAID is using SAMBA... I was kinda hoping this would be something that would be considered for feature development. Think of unRAID as a centralized network server for all storage and authentication. I know I can man-handle the samba configs to get it to act as a PDC but is unRAID going to use the users I create for authentication of the shares? That's what I'm not sure of at this point and will find out, hopefully this weekend, when I have some time to really dig in.
May 25, 2011 Author

> That's what I'm considering right now and I'm working on building the development environment on my desktop to start some playing. However, it seems like a waste of resources to allocate a VM on a machine already running SAMBA.

The main thing it will take is some of your RAM, though with just a specific task (running the PDC and WINS services) this will probably be minimal. I did get this working once on an NSLU2 ( http://en.wikipedia.org/wiki/NSLU2 ) which only has 32MB of RAM, so it should be possible to configure the virtual machine with fairly limited RAM, maybe 128MB?

> The only reason I am doing that right now is to provide some separation of my PDC from the firewall that it is using as the host. If someone happens to hack into my firewall I wanted to make it a little harder for them to find the network credentials that would then give them access to everything on the network.

I suppose that running the PDC in a VM on an unRAID might make it possible for someone who gains access to your LAN to just get access to the unRAID and then make a copy of the virtual machine disk image and then extract the network credentials from that...

> But, since unRAID is using SAMBA... I was kinda hoping this would be something that would be considered for feature development. Think of unRAID as a centralized network server for all storage and authentication.

This is what I have been hoping for too.

> I know I can man-handle the samba configs to get it to act as a PDC but is unRAID going to use the users I create for authentication of the shares? That's what I'm not sure of at this point and will find out, hopefully this weekend, when I have some time to really dig in.

This is the same issue I ran into. At one point I tried to set up a second Samba PDC along with a spare windows PC as a test client, but then I found out that it didn't like being on the same LAN as my first Samba PDC, so at that point the whole project got too painful and I didn't take it any further. Let us know what you find out. Regards, Stephen
August 11, 2012 Well... it's been over a year! I just recently got back to this (in the last week) and was able to figure out the required config based on a working Samba PDC. It's actually a quite easy customization. The migration of users from one domain to this new domain is beyond the scope of this guide.

Instructions

On the Settings tab in the unRAID GUI set the following:

Enable SMB = Yes
Security Mode = Workgroup
Local master = Yes
Workgroup = [your domain name]

Copy the following to smb-extra.conf in /boot/config on your flash:

# Required settings in addition to netbios name, workgroup and security settings
domain logons = yes
domain master = yes
# Set this server as the preferred master browser
# with a ranking higher than any version of windows (see samba.org for more info)
preferred master = yes
os level = 255
# Identify location on flash to store Samba persistent state information such as group mappings
# create the directory if necessary
state directory = /boot/config/samba
# Disable Roaming Profiles by setting the following to nothing
logon path=
logon home=
# Enable WINS support if your network will need it
wins support = yes
# Enable PAM support for changing passwords from Windows Clients
pam password change = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# Scripts for user/group functions
add machine script = /usr/sbin/useradd -g machines -d /dev/null -s /bin/false -c "Machine %u" %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u

As part of the PDC configuration you need to have a Domain Admins group available for adding machines to the domain and to provide administration privileges.

Telnet to your unRAID server and perform the three commands below to create the following two groups:

1. domainadmins : Used for administration privileges
2. machines : Used to add user accounts for PCs that are added to the domain

The last command adds the "root" user to the domainadmins group as this is the only known user for all systems (customize at will).

groupadd -g 200 domainadmins
groupadd -g 201 machines
usermod -G domainadmins root

Obviously these changes will not be persistent with reboots. Therefore we must update the bzroot file to have the additions to the /etc/group file persist through reboots. For updating the bzroot file you can reference the following URL: http://lime-technology.com/wiki/index.php/Building_a_custom_kernel

Basically we are looking at the bzroot-extract.sh and bzroot-create.sh scripts for updating the bzroot file. Once extracted, copy your now modified LIVE /etc/group to the extracted ...whatever... /etc/group file.

Optionally you may want to edit the /usr/local/emhttp/plugins/webGui/UserList.php file to prevent the display of machine users. When a machine is added to the domain it will have a $ appended to its netbios name. The following change will prevent displaying those users in the web GUI so an accidental deletion or modification does not occur.

Change this:

<? foreach ($users as $user): ?>
<tr>
<td><a href="<?=$path;?>/UserEdit?name=<?=$user['name'];?>"><?=$user['name'];?></a></td>
<td><?=$user['desc'];?></td>
</tr>
<? endforeach; ?>

To this:

<? foreach ($users as $user): /* skip machine accounts, whose names end in $ */ if (substr($user['name'], -1) !== '$') { ?>
<tr>
<td><a href="<?=$path;?>/UserEdit?name=<?=$user['name'];?>"><?=$user['name'];?></a></td>
<td><?=$user['desc'];?></td>
</tr>
<? } endforeach; ?>

Now repackage with the bzroot-create.sh and copy it to your flash. At this point you should be ready to reboot and test.

Assuming that everything goes well with the reboot, you will now need to provide the windows domain group mapping which will be stored on the flash per the state directory configuration option above.

net groupmap add ntgroup="Domain Admins" unixgroup=domainadmins rid=512 type=d
net rpc rights grant -U root "[your_domain_name]\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

Your domain controller is now complete. You can add PCs to the domain with your "root" user and password and create logins using the unRAID webGUI to create users and passwords.
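Added example, not from jroberge's post or from unRAID/Samba: a read-only POSIX sh check that an smb-extra.conf and an /etc/group contain the PDC settings the guide above describes, so mistakes are caught before the reboot rather than as a failed domain join afterwards. Paths are arguments, so the same check can be run against the /etc/group you copy into the extracted bzroot. The function names (smb_get, smb_has, check_pdc_conf, check_groups) and the sample files are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread above or from unRAID/Samba: a read-only
# pre-reboot check that an smb-extra.conf and an /etc/group contain the PDC
# settings the guide describes. Paths are arguments, so it can also be run
# against the /etc/group copied into the extracted bzroot. Function names
# (smb_get, smb_has, check_pdc_conf, check_groups) are this example's own.

# Print the value of <key> from an smb.conf-style file: key match is
# case-insensitive, comment lines are skipped, whitespace is trimmed.
smb_get() {  # smb_get <file> <key>
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }              # comment line
        index($0, "=") == 0 { next }        # not a "key = value" line
        {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Succeed if <key> is present at all; needed for "logon path=" and
# "logon home=", which the guide deliberately sets to an empty value.
smb_has() {  # smb_has <file> <key>
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") == 0 { next }
        { k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
          if (tolower(k) == tolower(key)) { found = 1; exit } }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Print one line per deviation from the guide's PDC settings and return the
# number of deviations (0 means the file matches).
check_pdc_conf() {  # check_pdc_conf <smb-extra.conf>
    f=$1; n=0
    for k in "domain logons" "domain master" "preferred master"; do
        [ "$(smb_get "$f" "$k")" = "yes" ] || { echo "MISSING: $k = yes"; n=$((n + 1)); }
    done
    [ "$(smb_get "$f" "os level")" = "255" ] ||
        { echo "MISSING: os level = 255 (a Windows client could win the browser election)"; n=$((n + 1)); }
    case "$(smb_get "$f" "state directory")" in
        /boot/config/*) ;;
        *) echo "WARN: state directory is not on the flash; group mappings are lost at reboot"; n=$((n + 1)) ;;
    esac
    for k in "logon path" "logon home"; do
        if smb_has "$f" "$k" && [ -z "$(smb_get "$f" "$k")" ]; then :; else
            echo "WARN: $k is not set to empty; roaming profiles stay enabled"; n=$((n + 1))
        fi
    done
    [ -n "$(smb_get "$f" "add machine script")" ] ||
        { echo "MISSING: add machine script (PCs will not be able to join)"; n=$((n + 1)); }
    return $n
}

# Confirm the two groups from the guide exist and that root is in domainadmins;
# this is the post-reboot check for a failed "net rpc rights grant -U root".
check_groups() {  # check_groups <group-file>
    f=$1; n=0
    for g in domainadmins machines; do
        grep -q "^$g:" "$f" || { echo "MISSING: group $g"; n=$((n + 1)); }
    done
    grep -E -q '^domainadmins:[^:]*:[^:]*:([^:]*,)?root(,[^:]*)?$' "$f" ||
        { echo "MISSING: root is not a member of domainadmins"; n=$((n + 1)); }
    return $n
}

# Constructed sample inputs (not the poster's files), written to a temp dir.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
GOOD_CONF=$TMP/smb-extra.conf; BAD_CONF=$TMP/smb-extra-bad.conf
GOOD_GROUP=$TMP/group;         BAD_GROUP=$TMP/group-bad
cat > "$GOOD_CONF" <<'EOF'
domain logons = yes
domain master = yes
preferred master = yes
os level = 255
state directory = /boot/config/samba
logon path=
logon home=
wins support = yes
add machine script = /usr/sbin/useradd -g machines -d /dev/null -s /bin/false -c "Machine %u" %u
EOF
cat > "$BAD_CONF" <<'EOF'
domain logons = yes
# domain master left out, os level too low, state on the RAM-backed root fs
os level = 20
state directory = /var/lib/samba
EOF
printf '%s\n' 'root:x:0:root' 'users:x:100:' 'domainadmins:x:200:root' 'machines:x:201:' > "$GOOD_GROUP"
printf '%s\n' 'root:x:0:root' 'domainadmins:x:200:' > "$BAD_GROUP"

# Demo: the good files report OK, the bad ones list every problem found.
for f in "$GOOD_CONF" "$BAD_CONF"; do
    echo "== $f"; if check_pdc_conf "$f"; then echo "   OK"; fi
done
for f in "$GOOD_GROUP" "$BAD_GROUP"; do
    echo "== $f"; if check_groups "$f"; then echo "   OK"; fi
done
```

Run check_groups a second time after the reboot, against the live /etc/group, before trying the net rpc rights grant step: if the bzroot rebuild did not take, the groups are simply gone and the grant fails. One caveat on the guide's commands that the check cannot see: usermod -G without -a replaces the account's supplementary group list rather than adding to it, so any group root (or a user handled by the add user to group script) was already in is dropped.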
November 26, 2012 Hi jroberge, Thanks for taking the time to post this. I am on unRAID 5rc8, and I have managed to get through all but the last step, "net rpc..." I get:

Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

I have tried setting the local and samba root passwords as follows:

smbpasswd -L root
passwd root
cp /etc/passwd /etc/shadow /etc/samba/private/smbpasswd /boot/config/

In addition I have set the root password in the WEB UI, even though it only seems to control the web page access. I'm a bit stumped as to what to try next... Any help is appreciated! Thanks, Shawn
November 27, 2012 I'm not sure why you would get that error when executing the net rpc command. What you are doing in that command is granting the root user the specified privileges as part of the Domain Admins group. Perhaps the modification of the bzroot didn't take. After you rebooted did you check to make sure the /etc/group file has the two new groups in it and that root is a member of the domainadmins group in that file?
February 15, 2013 FYI... I found an issue with this where after about 30 days or so the machine trust account was apparently changing the password and it was not in sync. The symptom would be that everything was fine until you tried mapping a new drive or the machine (not unRAID) was rebooted and then it would say the domain was not available. Unfortunately, this was at the front of a technology "perfect storm" so I have not been able to find a resolution and have since "dumbed down" the house rather than go through a lengthy divorce process. Good luck to any who attempt to push on with this effort.
March 16, 2013 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html

Snippet from that page:

> As said a few times before, use of this method is broken and flawed. Machine trust accounts will go out of sync, resulting in a broken domain. This method is not recommended. Try using LDAP instead.
>
> Can I Do This All with LDAP? The simple answer is yes. Samba's pdb_ldap code supports binding to a replica LDAP server and will also follow referrals and rebind to the master if it ever needs to make a modification to the database. (Normally BDCs are read-only, so this will not occur often).
March 26, 2015

> ... Obviously these changes will not be persistent with reboots. Therefore we must update the bzroot file to have the additions to the /etc/group file persist through reboots. For updating the bzroot file you can reference the following URL: http://lime-technology.com/wiki/index.php/Building_a_custom_kernel Basically we are looking at the bzroot-extract.sh and bzroot-create.sh scripts for updating the bzroot file. Once extracted, copy your now modified LIVE /etc/group to the extracted ...whatever... /etc/group file. ...

And this is exactly where it's going professional Chinese to me.