How to set Debian Linux up to be a Primary Domain Controller

(Utilising Samba, dhcp3 and webmin)

Install Debian

  1. Boot PC from Debian CD
  2. Select Language and Location
  3. Select Keyboard type
  4. Enter Hostname – e.g. HOST1
  5. Enter Domain Name – e.g. WORKGROUP
  6. Now the Partitioner runs
    1. Choose Manual
    2. Select whole drive, enter
    3. Select free space, enter
    4. Choose Automatic
    5. Choose Separate /home, /usr, /var and /tmp, enter
    6. Finish Partitioner
    7. Choose YES
  7. Set ROOT password
  8. Retype ROOT password
  9. Set new user's full name – e.g. Administrator
  10. Set new user's username – e.g. Administrator
  11. Set new user's password
  12. Retype new user's password
  13. Debian now installs BASE SYSTEM
  14. Choose YES to network mirror question
  15. Choose country nearest to you – e.g. UK
  16. Choose nearest ftp site – e.g. ftp.uk.debian.org
  17. Enter proxy address if present, leave blank if no proxy
  18. Debian now loads Select and install software
    1. Choose YES or NO to participate in survey
    2. Choose just DESKTOP and STANDARD SYSTEM
    3. Debian now downloads the files… (Go away and have a cup of tea or three!)
    4. Debian now installs the files (Time for more tea!)
  19. If prompted not to configure USWSUSP choose NO
  20. Debian now installs the GRUB Boot Loader
    1. If this is the only OS on the system, choose YES to install to MBR
  21. Remove CD-ROM and enter to reboot system
  22. Log in with username and password set up in steps 10 and 11
  23. Run Software Updates
    1. Enter ROOT password
    2. Select all, click Install Updates
    3. If it warns about a reboot, click Forward and reboot once completed!
    4. Close window
  24. REBOOT!
  25. Log in as user set in steps 10 and 11 again
  26. Run Software Updates again, install any if present.
  27. Set IP address to static
    1. Open Root Terminal – type nautilus
    2. navigate to /etc/network/
    3. open interfaces in text editor
    4. Edit and save
  28. Restart network – # /etc/init.d/networking restart
  29. Edit hosts file
    1. #nautilus
    2. /etc/hosts in text editor
    3. Set second line to new IP
  30. Restart network then reboot PC

DHCP Configuration

  1. Turn off DHCP on router!
  2. Run Root Terminal
  3. # apt-get install dhcp3-server
  4. Click OK
  5. Ignore error messages
  6. # nautilus
  7. In /etc/dhcp3/, back up dhcpd.conf (to dhcpd.conforig)
  8. Open dhcpd.conf in text editor
    1. Change option domain-name to the same as the domain name set in step 5 of the Install procedure
    2. Change option domain-name-servers to equal the DNS supplied by your ISP or the IP of your router
    3. uncomment line about authoritative
    4. remove everything below authoritative line
    5. add a subnet declaration – e.g. subnet 192.168.2.0 netmask 255.255.255.0 { range 192.168.2.30 192.168.2.200; option routers 192.168.2.1; }
  9. Save file
  10. Restart DHCP Server – # /etc/init.d/dhcp3-server restart
  11. Check no errors are returned – if there are errors, look in the log file to see what the problem is – # tail /var/log/messages

Samba Configuration

  1. Open Root Terminal
  2. # apt-get install samba samba-common samba-doc
  3. Enter Workgroup name – Use Domain Name set in step 5 of install section
  4. Click OK
  5. Choose NO to modify smb.conf for WINS server info from DHCP
  6. # nautilus
  7. In /etc/samba/, back up smb.conf to smb.conforig, then open smb.conf in a text editor
  8. Edit the file to be the same as the example file at the end of this document – replacing the relevant names and settings to match your network.
  9. Now create the machines, Samba users and admins groups
    1. # /usr/sbin/groupadd -g 200 admins
    2. # /usr/sbin/groupadd -g 201 machines
    3. # /usr/sbin/groupadd -g 202 smbusers
  10. Now create the directories named in the smb.conf you just created
    1. # mkdir -m 0775 /home/samba /home/samba/netlogon
    2. # chown root:admins /home/samba/netlogon
    3. # mkdir /home/samba/profiles
    4. # chmod 1757 /home/samba/profiles
  11. Now create machine accounts for the computers that will be on the network
    1. # /usr/sbin/useradd -g machines -d /dev/null -c "machine nickname" -s /bin/false test$
    2. Create authentication and lock password
    3. # passwd -l test$
    4. Now add machine to /etc/samba/smbpasswd
    5. # /usr/bin/smbpasswd -a -m test
    6. Repeat for each machine on the network
  12. Now user accounts must be created.
    1. First your ROOT user account needs to also exist in Samba
    2. # smbpasswd -a root
    3. New SMB password: (Not the normal root password!)
    4. Retype new SMB password: (e.g. sambapass)
    5. Now you need to create users that can access Samba from another machine you added in step 11.
    6. First add the UNIX user and set the password
    7. # /usr/sbin/useradd -g smbusers -d /home/test -s /bin/false -m test
    8. # passwd test
    9. Changing password for User test
    10. New UNIX Password:
    11. Retype UNIX password:
    12. password updated successfully
    13. Now add the new user to SMB and set the same password.
    14. # smbpasswd -a test
    15. New SMB password:
    16. Retype SMB password:
    17. Added user test.
    18. Repeat steps 7 – 17 for each network user.
  13. Run testparm to check for any errors
  14. # testparm
  15. Restart Samba for changes to take effect
  16. # /etc/init.d/samba restart
  17. Now create the profile folder for each user account you have set up in /home/samba/profiles/ and give that user and the smbusers group permissions to use the folder.
  18. Log onto your Windows machines as a local administrator and, for Windows XP SP1 and above and Windows 2000 SP4 and above, do the following:
    1. Run gpedit.msc
    2. Navigate to Computer Configuration > Administrative Templates > System > User Profiles
    3. Enable the setting for “Do not check for user ownership of Roaming Profile Folders” GPO
  19. Turn off offline files in folder options.
  20. Now join your Windows machines to the domain using domain_name\root and the password that was set in step 12 – 3
  21. Restart your computer and log in as one of the users you have created in the previous steps.
  22. Change the location of the “My Documents” folder from the default to the H: drive.
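
The account settings from steps 11 and 12 can be checked after the fact. The script below is an added example, not part of the original guide: it reads passwd-, shadow- and smbpasswd-format files and reports machine or user accounts that lack the non-login shell, /dev/null home, locked UNIX password or smbpasswd entry those steps set up. The function name, the default GIDs 201 and 202 (taken from step 9) and the sample data are assumptions made for the illustration.

```shell
#!/bin/sh
# Usage: audit_samba_accounts PASSWD SHADOW SMBPASSWD [MACHINES_GID] [USERS_GID]
# Prints one FAIL line per problem; returns non-zero if any were found.
# Assumes all three files are non-empty (files are told apart by FNR == 1).
audit_samba_accounts() {
    awk -F: -v mg="${4:-201}" -v ug="${5:-202}" '
        function bad(u, why) { print "FAIL " u ": " why; n++ }
        FNR == 1   { nfile++ }
        nfile == 1 { gid[$1] = $4; home[$1] = $6; shell[$1] = $7; next }
        nfile == 2 { locked[$1] = ($2 ~ /^[!*]/); next }
        nfile == 3 { flags[$1] = $5 }
        END {
            for (u in gid) {
                if (gid[u] != mg && gid[u] != ug) continue
                if (shell[u] != "/bin/false") bad(u, "shell is " shell[u])
                if (!(u in flags)) bad(u, "no smbpasswd entry")
                if (gid[u] != mg) continue
                # Machine trust accounts only from here on.
                if (u !~ /\$$/) bad(u, "machine name lacks trailing $")
                if (home[u] != "/dev/null") bad(u, "home is " home[u])
                if (!locked[u]) bad(u, "UNIX password not locked")
                if ((u in flags) && flags[u] !~ /W/) bad(u, "no W flag")
            }
            exit (n > 0)
        }' "$1" "$2" "$3"
}

# Constructed sample data (placeholder hashes, not real accounts).
d=$(mktemp -d)
H=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
cat >"$d/passwd" <<'EOF'
test$:x:1001:201:machine nickname:/dev/null:/bin/false
ws2$:x:1002:201:second machine:/dev/null:/bin/bash
test:x:1003:202::/home/test:/bin/false
EOF
cat >"$d/shadow" <<'EOF'
test$:!:15000:0:99999:7:::
ws2$:$6$placeholder:15000:0:99999:7:::
test:$6$placeholder:15000:0:99999:7:::
EOF
cat >"$d/smbpasswd" <<EOF
test\$:1001:$H:$H:[W          ]:LCT-00000000:
test:1003:$H:$H:[U          ]:LCT-00000000:
EOF
audit_samba_accounts "$d/passwd" "$d/shadow" "$d/smbpasswd" || echo "fix the accounts above"
rm -rf "$d"
```

On the server itself, run it as root with /etc/passwd, /etc/shadow and /etc/samba/smbpasswd as the three arguments.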

Webmin

  1. Visit http://www.webmin.com and download the Debian package to the desktop
  2. Right click downloaded package and choose “Open with “GDebi Package Installer””
  3. Click “Install Package”
  4. Open your browser and type https://localhost:10000 and log in with your ROOT username and password
  5. Set a UNIX user to be a webmin user and disable settings you do not want them to access.
  6. Set up the automatic Samba to UNIX user synchronisation settings so that the new user can add users through Webmin's System Users and Groups and automatically create UNIX and Samba users.

smb.conf

# Global Parameters
[global]
# workgroup can be NT Domain Name or Workgroup name
# netbios name is the domain controllers or file servers name
workgroup = retreat_net
netbios name = SambaPDC
# server string is same as Computer description field in NT
# %v shows the version and %h shows the hostname
server string = Samba PDC %v %h
# password encryption needed for all M$ versions past 95
# set the path to samba’s password file too.
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
# The following is needed to allow password changing from
# Windows to update the UNIX password also.
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n*Please*retype*new*password* %n\n*password*successfully*changed*
# this tells Samba that security level must be set to user
security = user
# Samba is the domain and master browser.
os level = 65
preferred master = yes
domain master = yes
# Browser control options
local master = yes
# Enable this if you want Samba to be a domain logon server
# for Windows95 workstations
domain logons = yes
# Where to store roaming profiles for Win NT systems
# %L substitutes for the servers net bios name set earlier
# %u is the username
# the profiles share must be set below!
logon path = \\%L\profiles\%u
# define allowed subnets for security
# set to your subnet, include 127 for local access
hosts allow = 192.168.2., 127.
# put a cap on the log file size to stop DoS attacks making it grow to huge sizes.
# if /var is on a separate partition this is more secure too
max log size = 50
# automatically maps the home directory of the user, can be any drive
# letter you want.
# SambaPDC is the server netbios name set above.
# specify the logon script for users to run at start up
# could set time to match the server’s, redirect My Documents to the home drive etc
logon drive = h:
logon home = \\SambaPDC\%u
logon script = set_net_time.bat
#======= Shares =========
# necessary share for domain controller
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
writable = no
share modes = no
[homes]
comment = Home Directory
browseable = no
read only = no
[profiles]
path = /home/samba/profiles
writable = yes
browseable = no
create mode = 0600
directory mode = 0700
profile acls = yes
read only = no
inherit permissions = no
inherit acls = no
inherit owner = no
csc policy = disable
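
The comments in this file mark several settings as security-relevant (hosts allow, max log size, the read-only netlogon share, the restrictive modes on profiles). The script below is an added example, not part of the original guide, that checks an smb.conf for those values. The function names and the sample input are assumptions, and it matches only the parameter spellings used in this file, not Samba's synonyms such as create mask or read only.

```shell
#!/bin/sh
# Print the value of KEY in [SECTION] of FILE (empty if unset). Names are
# matched case-insensitively; runs of blanks inside a key count as one space.
smbconf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[.*\][ \t]*$/ {
            cur = tolower($0); gsub(/^[ \t]*\[|\][ \t]*$/, "", cur); next
        }
        cur == sec && (i = index($0, "=")) {
            k = tolower(substr($0, 1, i - 1)); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print a FAIL line for each setting that departs from the sample config;
# return non-zero if any check failed. Table columns: section, wanted, key.
audit_smbconf() {
    rc=0
    while read -r sec want key; do
        got=$(smbconf_get "$1" "$sec" "$key" | tr '[:upper:]' '[:lower:]')
        case $want in
            set)     [ -n "$got" ] && continue ;;
            nonzero) [ -n "$got" ] && [ "$got" != 0 ] && continue ;;
            *)       [ "$got" = "$want" ] && continue ;;
        esac
        echo "FAIL [$sec] $key = '$got' (want: $want)"; rc=1
    done <<EOF
global set hosts allow
global yes encrypt passwords
global nonzero max log size
netlogon no writable
profiles 0600 create mode
profiles 0700 directory mode
EOF
    return $rc
}

# Constructed sample: a deliberately weakened config, not the page's file.
sample=$(mktemp)
printf '%s\n' '[global]' 'encrypt passwords = yes' 'max log size = 0' \
    '[netlogon]' 'writable = yes' '[profiles]' 'create mode = 0600' \
    'directory mode = 0700' >"$sample"
audit_smbconf "$sample" || echo "smb.conf needs attention"
rm -f "$sample"
```

Run it against /etc/samba/smb.conf after testparm has confirmed the file parses; a max log size of 0 is flagged because Samba treats 0 as "no limit".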

9 thoughts on “How to set Debian Linux up to be a Primary Domain Controller”

  1. I am a student and I am willing to publish some part of this post to my university blog, can I do so? Also just require your permit, just mail me if you are happy about it. I believe this post will be helpful for the information I am requiring to publish.

  2. When I initially commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get four emails with the same comment.
    Is there any way you can remove people from that service?
    Thank you!

    1. Hi there,
      To be honest those boxes are a fairly new feature which must have been added from a recent WP update. I will look into it and get back to you…

      Jon
