Joining a Fedora Core 4 Workstation/Server to a Windows NT4 Domain

Prepared by Pascal Chong
Abstract

Configuring a Linux system to join a Microsoft Windows network as a member server or workstation can be a special kind of hell. Hopefully, this article will help save you some time -- and some hair.


Table of Contents
Preamble
Assumptions
Windows Domain Information You Will Need
Fedora Core 4 System Requirements
Overview of the Process
Backup the System Configuration Files
Edit /etc/nsswitch.conf
Edit /etc/pam.d/login
Samba configuration via /etc/samba/smb.conf
Add Exceptions to Firewall Rules
Starting Samba and Winbind
Joining the Domain and Testing
Some Observations

Preamble

When I first tried configuring a Linux server to join a Windows NT 4.0 domain, many years ago, I gave up in utter frustration. There were a lot of articles then, as there are now, about configuring Linux as a domain controller or as a standalone server in a workgroup, but almost nothing on configuring for a domain member. Now, with Microsoft Windows Server 2003 recently released and Windows Vista on the horizon (no pun intended), almost all articles have focused on Active Directory.

Recently, I had to configure a rather old desktop as a file server and a member of an NT 4 domain. After struggling for several weeks, I finally managed to set it up. There are a lot of things that are not mentioned in the existing articles and documents, and several special quirks that only Red Hat and Microsoft could provide to make something this simple so infernally complicated. These instructions are a rough draft, not exhaustive or authoritative in any way, and I may have made some unnecessary changes. If you spot any mistakes, please let me know.


Assumptions

First, if you have never joined a Windows PC to a domain before, you will need to learn how, and actually do it, at least once! This is important, because joining a domain -- even with Windows systems -- can sometimes be an exercise in patience and frustration. I'm going to assume that you already know how to join a Windows system to a domain and you just want to know how to join a Fedora Core 4 system to the NT 4 domain. If you are using a different Linux distribution, the steps here will certainly not be completely relevant, because Fedora does some strange things. If you are using an earlier (or later) version of Fedora, the steps may also have to be modified.

I will also assume that you already have a domain set up on your network, and that you are reasonably familiar with TCP/IP, that is, you know how to assign addresses to your systems so that they can talk to each other on the same network.

Before we start, you will need to get the following information about your domain. If you are not the administrator who set up the network or maintains it, you will probably need to do some persuading.


Windows Domain Information You Will Need

Here's what you will need:

  1. Name of Windows NT Domain : _________________________

  2. WINS Server Address : _______________________

  3. Name of your Server : _______________________


Fedora Core 4 System Requirements

For your FC4 system, you will need to have Samba installed. For the sake of simplicity, just install the whole "Windows File Server" group of packages.


[root@localhost ~]# yum groupinstall "Windows File Server"

At the minimum, you will need:

Winbind, the component you need to join a Windows domain, is in the samba package.


Overview of the Process

Here is what we will need to do:

Joining the Domain

  1. On the Windows NT 4 Domain Controller, create an account in the Server Manager application for the Linux server, using the Linux server's NetBIOS name.

  2. Install the Samba packages or the "Windows File Server" package group, if you have not already done so.

  3. Back up the system configuration files you will be changing.

  4. Edit /etc/nsswitch.conf to add Winbind.

  5. Edit /etc/samba/smb.conf to define the domain and "shared folders". Adjust the permissions on the shared directories, so that users can read from and write to them.

  6. Edit /etc/pam.d/login to add Winbind authentication.

  7. Add exceptions to firewall rules to allow Windows clients to connect to shared folders.

  8. Start Samba and Winbind services.

  9. Test on the Linux system that you can retrieve login and group information from the Windows domain.

  10. Test on Windows clients that they can connect to the Linux system, browse shares, read and write files.

If all goes well, hopefully, you will have a functioning Linux Samba server that can service Windows clients.

Notice that I am not using the authconfig utility here. I found it a dead-end when I used it, as it did not configure everything like I expected it to -- automagically! You may have more success with it though, as it essentially makes (I think) the same changes to the system configuration files as described here.


Backup the System Configuration Files

I will assume that the server's NetBIOS name has been added to the Server Manager, and that the necessary Samba packages have been successfully installed.

The files you will need to back up are /etc/nsswitch.conf, /etc/pam.d/login and /etc/samba/smb.conf.

It is absolutely essential that you back up these files! If there are any typos or mistakes, it could result in a locked system which you cannot log in to. You will also need to keep your Fedora Rescue CD handy. If things turn bad, you may need to use it to boot to single user mode and restore the backup configuration files.
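Because a mistake in these files can lock you out, here is a small POSIX shell helper, added to this guide and not part of the original article, that takes a timestamped copy of the three files edited below, reports which of them have changed since the copy, and can put the copies back. The CONF_ROOT variable is an assumption of this example: leave it empty on the real system, or point it at a scratch directory to rehearse the backup and restore safely.

```shell
#!/bin/sh
# Added example (not from the original article): back up, compare and restore
# the configuration files this guide edits.
# CONF_ROOT is an assumption of this example: empty means the live system,
# any other value is a scratch tree used to rehearse the procedure.
CONF_ROOT="${CONF_ROOT:-}"
FILES="etc/nsswitch.conf etc/pam.d/login etc/samba/smb.conf"

# backup_configs BACKUP_DIR
# Copies each file into BACKUP_DIR/<timestamp>/ keeping its relative path,
# and prints the name of the new backup set.
backup_configs() {
    dest="$1/$(date +%Y%m%d-%H%M%S)"
    for f in $FILES; do
        src="$CONF_ROOT/$f"
        [ -f "$src" ] || { echo "skip: $src not found" >&2; continue; }
        mkdir -p "$dest/$(dirname "$f")"
        cp -p "$src" "$dest/$f"          # -p keeps mode, owner and mtime
    done
    echo "$dest"
}

# changed_since BACKUP_SET
# Lists the files that now differ from the copy in BACKUP_SET; no output
# means the system still matches the backup.
changed_since() {
    for f in $FILES; do
        [ -f "$1/$f" ] || continue
        cmp -s "$1/$f" "$CONF_ROOT/$f" || echo "$f"
    done
}

# restore_configs BACKUP_SET
# Puts the backed-up copies back.  This is the step to run from single-user
# mode or the rescue CD if a typo has locked you out.
restore_configs() {
    for f in $FILES; do
        [ -f "$1/$f" ] || continue
        cp -p "$1/$f" "$CONF_ROOT/$f" && echo "restored $f"
    done
}

# Usage: sh backup.sh /root/config-backup    (creates one backup set)
if [ -n "${1:-}" ]; then
    backup_configs "$1"
fi
```

Run it once before editing anything; after the edits, changed_since shows exactly which files you touched, and restore_configs takes the backup-set path it printed.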


Edit /etc/nsswitch.conf

You will need to add winbind to several lines as shown below:

Example 1. Additions to /etc/nsswitch.conf


passwd:         files   winbind
shadow:         files   winbind
group:          files   winbind

Edit /etc/pam.d/login

You will need to add a couple of lines into this file. I can't figure out how to color code them in Docbook, so you will need to compare the file below with your own file to see where the changes are. A hint: they all contain the string pam_winbind.so.

Example 2. Additions to /etc/pam.d/login


#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so multiple open

Samba configuration via /etc/samba/smb.conf

Here's where it can get complicated. You will need to use the information you gathered earlier about your Windows domain and plug the values into various parts of your smb.conf, and also define the "folders" that you want to share. (I hate using the term "folders", which is a Windows metaphor, but I guess I'll have to use it here because it is the most appropriate term, if not entirely accurate from a purist perspective.)

You will need to locate and change the values in several lines. Assuming we have a domain called TEMASEK, and a WINS server address of 192.168.1.10, and our server name is FCSAMBA, then these are the lines you will need to locate and change:

Example 3. Define the Windows Domain


# workgroup = NT-Domain Name or Workgroup-Name
   workgroup = TEMASEK

Next, you need to define the NetBIOS name.

Example 4. Define the NetBIOS name


# server string is the equivalent of the NT Description field
   server string = Fedora Samba Server
   netbios name = FCSAMBA

Now, we specify the WINS server address:

Example 5. Specify the WINS server address


# WINS Server - Tells the NMBD components of Samba to be a WINS client
#    Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
   wins server = 192.168.1.10

Now, just before the Share Definitions, we add some Winbind parameters:

Example 6. Winbind parameters


   winbind separator = +
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   template homedir = /home/winnt/%D/%U
   template shell = /bin/bash

Under the Share Definitions section, you need to add:

Example 7. idmap parameters


   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431

I'm not exactly sure what the lines above do or define, but they were mentioned in some articles, so I just added them in.

Now we can define some shares. For simplicity, I am defining one shared directory, accessible by everybody.

Example 8. A public share


[public]
   path = /shares
   public = yes
   writable = yes

Because we are giving universal access to the directory /shares, we will need to adjust the permissions for that folder:


[root@localhost ~]# chmod go+rw /shares

Now you should connect your machine to the network, if you have not already done so, and get ready to test.


Add Exceptions to Firewall Rules

Fedora blocks Samba traffic in the default firewall rules, so you will need to add a few exceptions to the rules in order to give access to shared resources. At the minimum, this is what you need:


[root@localhost ~]# iptables -I INPUT -p udp -m multiport --destination-port 137,138 -j ACCEPT
[root@localhost ~]# iptables -I INPUT -p tcp -m multiport --destination-port 139,445 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -p udp -m multiport --source-port 137,138 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -p tcp -m multiport --source-port 139,445 -j ACCEPT
[root@localhost ~]# /sbin/iptables-save > /etc/sysconfig/iptables
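The rules above accept NetBIOS and SMB traffic from any address. As an added example (not from the original article), the script below opens the same ports but only for the LAN the domain lives on, and refuses to run if the network argument is not a plausible CIDR, so a typo cannot quietly turn into an accept-from-anywhere rule. The 192.168.1.0/24 network in the usage line is an assumption. The Fedora default firewall leaves the OUTPUT chain policy at ACCEPT, so the separate OUTPUT rules the guide adds are only needed if you have tightened that chain yourself. Setting IPTABLES=echo gives a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original article): the Samba firewall
# exceptions restricted to one source network.  IPTABLES=echo dry-runs.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# valid_cidr 192.168.1.0/24 : syntax check so that a typo cannot become an
# "accept from anywhere" rule.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    for o in $(echo "${1%/*}" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
    [ "${1#*/}" -le 32 ]
}

# samba_fw_allow LAN_CIDR : NetBIOS name/datagram service (UDP 137,138) and
# NetBIOS session plus direct SMB (TCP 139,445), from LAN_CIDR only.
samba_fw_allow() {
    lan="$1"
    valid_cidr "$lan" || { echo "bad network: $lan" >&2; return 1; }
    $IPTABLES -I INPUT -s "$lan" -p udp -m multiport --destination-port 137,138 -j ACCEPT
    $IPTABLES -I INPUT -s "$lan" -p tcp -m multiport --destination-port 139,445 -j ACCEPT
}

# Usage: sh samba-fw.sh 192.168.1.0/24 && /sbin/iptables-save > /etc/sysconfig/iptables
if [ -n "${1:-}" ]; then
    samba_fw_allow "$1"
fi
```

Save the rules with iptables-save as the guide does, otherwise they are gone after the next reboot.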

Starting Samba and Winbind

You will need to be the root user. We will use the service utility in Fedora to start Samba and Winbind.


[root@localhost ~]# /sbin/service smb start
[root@localhost ~]# /sbin/service winbind start

Both services should start OK. Once started, we will be ready to test.

If you are experiencing problems starting Samba, you should restore your old smb.conf file and see if that starts OK. Also, check if there are any typos inside the file that you edited.


Joining the Domain and Testing

Let's try to join the domain now. As the root user:


[root@localhost ~]# net rpc join -W TEMASEK -U administrator

Here, we are trying to join the domain called TEMASEK using the domain administrator account. If you have a domain account, you can use that too. If all goes well, you should be prompted for a password. Key in the NT administrator's password and you should get a message that says:


Joined domain TEMASEK

If you have a large domain and a lot of domain accounts, you may get a spurious error:


rpc command function failed! (NT_STATUS_ACCESS_DENIED)

If you have a large domain and a lot of accounts, the time to get to the password prompt can be extremely long, 5 minutes or more. If you are unable to log in the first time, try several more times. The error could be the result of a timeout because the server cannot authenticate fast enough. This problem is not peculiar to Linux. When I join a new Windows system to the domain, I sometimes get a similar error. I'm not sure how to fix this in the long term, but I find that retrying several times usually does the trick.

Once you have successfully joined the domain, you can test that your server can gather information about domain groups and users. Note again that if you have a large domain these queries can take a very long time to complete and may scroll off the screen. Spurious errors may also be thrown.

To check that you are successfully joined to the domain:


[root@localhost ~]# wbinfo -t
checking the trust secret via RPC calls succeeded

Check that you can grab the domain groups.


[root@localhost ~]# wbinfo -g

Check that you can get the domain users. This process may take a very long while (about 5 minutes for 1,000+ accounts) or throw spurious errors.


[root@localhost ~]# wbinfo -u

If you are able to get successful results from the last few commands, you can try to check if you can browse the shared resources from another Windows computer on the same domain. Simply launch Network Neighbourhood or My Network Places and browse to the domain, which displays all the computers that are currently on it. Try to locate your Linux server there and click on it. You should see the shared resources.
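Since the wbinfo calls on a large domain are slow, scroll off the screen and sometimes fail spuriously, here is an added example (not from the original article) that wraps them in a retry loop and prints counts instead of full listings. It also adds one check the guide does not show: wbinfo talks to winbindd directly, so it can succeed while the nsswitch.conf change is still wrong and logins fail; getent passwd goes through the C library and therefore exercises nsswitch.conf itself, so the script counts how many accounts getent returns beyond the lines in /etc/passwd. The retry counts and delays are assumptions chosen for a large domain.

```shell
#!/bin/sh
# Added example (not from the original article): post-join checks with
# retries and counts instead of screen-filling listings.

# retry TRIES DELAY COMMAND... : run COMMAND until it succeeds or TRIES is
# used up, sleeping DELAY seconds between attempts.
retry() {
    tries=$1; delay=$2; shift 2
    attempt=1
    while :; do
        "$@" && return 0
        [ "$attempt" -lt "$tries" ] || return 1
        echo "attempt $attempt of $tries failed; retrying in ${delay}s" >&2
        attempt=$((attempt + 1))
        sleep "$delay"
    done
}

# nss_domain_users : number of accounts the C library sees beyond /etc/passwd.
# With 'winbind use default domain = yes' domain users carry no prefix, so
# the difference in line counts is the simplest way to count them.
nss_domain_users() {
    total=$(getent passwd | wc -l)
    local_users=$(wc -l < /etc/passwd)
    echo $((total - local_users))
}

# verify_join : trust secret, group and user counts via winbindd, then the
# NSS view that logins actually depend on.
verify_join() {
    retry 3 10 wbinfo -t || { echo "trust secret check failed after retries" >&2; return 1; }
    echo "domain groups : $(wbinfo -g | wc -l)"
    echo "domain users  : $(wbinfo -u | wc -l)"
    seen=$(nss_domain_users)
    echo "users via NSS : $seen"
    if [ "$seen" -le 0 ]; then
        echo "NSS returns no domain users: check nsswitch.conf and that winbindd is running" >&2
        return 1
    fi
}

# Usage: sh verify-join.sh verify
if [ "${1:-}" = "verify" ]; then
    verify_join
fi
```

A non-zero exit from verify_join means either the trust relationship could not be confirmed after three tries or the name service switch is not returning domain users, which is the condition that leaves you unable to log in with a domain account.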


Some Observations

One of the first things I noticed was how much more responsive my Samba server was in serving files, compared to the Windows file servers that I had on the same network, even though the Samba server was a lower-powered machine, with less RAM and a slower processor.

I hope this article was useful to you. It took a long while for me to get to this stage, and I know that there are still a lot more configuration nuances that I have not explored yet. If you spotted any errors, please do let me know!


End of Document