Ubuntu home LAN server: Samba DC
Since I posted my configs for the DHCP and DNS servers, here is my Samba domain controller config:
I used an article from HowToForge as the main information resource to set it up. The section about mapping Windows domain groups to Unix groups was easy to understand.
One thing that really differs in my set up and the article is that I don’t have to manually add computer accounts to the server hosts file. Computer accounts are automatically set up when I join a PC to the domain. Also, the Domain Admins group is mapped to the ntadmins Unix group instead of the root group.
The set up is working well so far. When I log on to the domain from my XP laptop, I get the U: drive mapping to the user home directory on the server. The domain groups had to be added to the laptop groups (e.g. Domain Admins in the Local Admins group) manually in order to have the right permissions. I did test it a few times to verify that the Domain Admins group has full control of the system and the Domain Users group has limited control of the system. So far, so good.
Roaming profiles are not being used because they are the bane of networks. I’ve hated them on medium and large networks. I always vowed to never use them, no matter how small the network.
As with the previous configs, if you notice anything that could be improved, let me know in the comments. I’m constantly tweaking the file (improvements mostly) and will upload the latest when necessary.
Before it’s asked: No, I did not compile Samba from source. I used apt-get and installed from the Ubuntu repository. Don’t give me any crap about it either Hawk! :-p
There are no facts, only interpretations. - Friedrich Nietzsche
26.Jan.08
Linux
Ubuntu home LAN server: Dynamic DNS & DHCP
Ok, I know I said in the last post that I was going to post these configs “later”. Well, it’s now 12 days later so I think it’s time to post them. Without further ado:
If you’re wondering “Why the hell didn’t he just put everything into a single named.conf file?”, I have a good reason. It’s Ubuntu’s fault! The BIND installation split the configs and I just stuck with that! Sure, I could just combine it all but I just went with the flow.
To help understand what some of the IP settings in the configs mean, here is my network setup:
- Network: 192.168.10.0
- Domain: home.lan
- Server IP: 192.168.10.20 (DNS, DHCP & Domain Auth)
- Router (Gateway) IP: 192.168.10.1
- DHCP Range: 192.168.10.241 - 192.168.10.250
- Dynamic DNS updates require the TSIG key (SecDNS). The DHCP server uses the key to authenticate with BIND and update the local network zones. Client updates are ignored.
- The DNS server forwards unknown host requests to OpenDNS.
I know it’s not “perfect” but it’s still being tweaked. See something I’m missing? Let me know in the comments!
I wish I would have gotten this posted sooner. Unfortunately, work has really picked up since the Chri….Winter Break. Things won’t be getting any better in February. That’s when my big project starts up. That project involves implementing the Cisco NAC in several schools. I can’t wait to get started on it because it will be a lot of fun learning how to operate it.
The urge to save humanity is almost always only a false-face for the urge to rule it. - H.L. Mencken
19.Jan.08
Linux, Networking
The Ubuntu domain controller lives!
This is just a quick update, more will be written later. I was able to get the Ubuntu 7.10 server set up as my home domain controller. Here is the current set up:
- Samba is running as the domain controller. It handles all domain logins. Machines joined to the domain, including Windows XP, are added to the Unix Users & Groups on the fly. No manual set up of the machine trust accounts.
- BIND9 handles all DNS requests. A TSIG key is required in order to dynamically update records.
- DHCP3 handles, what else, DHCP. DNS records are dynamically updated by the DHCP server using a TSIG key.
- Remote administration is mostly handled through SSH. Password authentication, as well as root login, is disabled. Only RSA/DSA authentication is allowed.
- Webmin is installed to aid in some remote administration tasks.
It took a couple of days to make Samba work right. I used pieces of several How-To’s in order to get the configuration correct. Some of the guides said to enable the root login but I didn’t do that. I either would just use sudo to run the commands or I’d run sudo -s to switch to the root login. I’ll post all of the server service configs later in case they could help anyone else.
I know, I shouldn’t run all those services on a single box. I wouldn’t except for the fact that this is for a home LAN and not a corporate environment.
It behooves a father to be blameless if he expects his child to be. - Homer
07.Jan.08
Linux, Networking
The Ubuntu home server
So far, the installation of the Linux (Ubuntu) server is progressing very slowly. The first thing I did, after the initial install, was set up the DHCP and DNS servers. The DHCP server was to be set up to add DNS records whenever a client received an IP address. The clients would not be allowed to update DNS records.
I’ve installed both services before but this time I wanted to set it up as if it were in an enterprise environment. It took many Google searches and about three hours of time to make it work properly. Why did it take me that long? I wanted to implement some security on BIND. No reason to get sloppy just because it’s a home system.
The instructions found here are what I used to install and run BIND chrooted. Running BIND in a chroot jail prevents the BIND process from accessing files outside of its own directory. That narrows the damage done if the DNS server was compromised to just having to fix the BIND installation.
Next, I set up the dynamic DNS updates to use TSIG. This will help to prevent unauthenticated DNS updates. Bind9.net has a BIND 9 manual that is full of useful information. I followed the instructions for creating and implementing TSIG keys here to create a 256-bit TSIG key. The key was used in both the named.conf.local (BIND9 config) and the dhcpd.conf (DHCP3 config) files. The name of the key is used in the allow-update directives for the forward and reverse zones.
Dynamic DNS updates are now working properly. The forward and reverse zones are being populated with the host information every time a new client connects. The next service I’m going to set up is Samba. Hopefully it won’t take as long as the DHCP/DNS set up did.
Happy new year!
Be always at war with your vices, at peace with your neighbors, and let each new year find you a better man. - Benjamin Franklin
01.Jan.08
Linux
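An added example, not the author's own configs: a small check that a named.conf.local / dhcpd.conf pair accepts dynamic updates only when signed with the shared TSIG key, as the post above describes. The zone, server address and key name (SecDNS) come from the page; the zone file names, the /24 reverse zone, the algorithm and the placeholder secret are assumptions.

```python
import re

# Constructed sample configs: zone, addresses and key name (SecDNS) come from the
# page; file names, algorithm and the placeholder secret are assumptions.
NAMED_CONF_LOCAL = '''
key "SecDNS" { algorithm hmac-sha256; secret "PLACEHOLDERSECRET="; };
zone "home.lan" { type master; file "db.home.lan";
    allow-update { key "SecDNS"; }; };
zone "10.168.192.in-addr.arpa" { type master; file "db.192.168.10";
    allow-update { key "SecDNS"; }; };
'''
DHCPD_CONF = '''
ignore client-updates;
key SecDNS { algorithm hmac-sha256; secret "PLACEHOLDERSECRET="; }
zone home.lan. { primary 192.168.10.20; key SecDNS; }
zone 10.168.192.in-addr.arpa. { primary 192.168.10.20; key SecDNS; }
'''
# Weak variant for comparison: updates accepted from any LAN address, no key.
WEAK_NAMED = NAMED_CONF_LOCAL.replace('key "SecDNS"; };', '192.168.10.0/24; };')

KEY_RE = re.compile(r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"?([^";\s]+)"?\s*;')

def keys(text):
    """Map key name -> (algorithm, secret) for every key block in a config."""
    return {n: (a.lower(), s) for n, a, s in KEY_RE.findall(text)}

def audit(named_text, dhcpd_text):
    """Return findings; an empty list means updates are TSIG-only end to end."""
    findings, bind_keys, dhcp_keys = [], keys(named_text), keys(dhcpd_text)
    zones = re.findall(r'zone\s+"([^"]+)"\s*\{(.*?)(?=\nzone\s|\Z)', named_text, re.S)
    for zone, body in zones:
        acl = re.search(r'allow-update\s*\{(.*?)\}', body, re.S)
        entries = [e.strip() for e in acl.group(1).split(';') if e.strip()] if acl else []
        for entry in entries:
            m = re.fullmatch(r'key\s+"?([\w.-]+)"?', entry)
            if not m:
                findings.append(f'{zone}: allow-update accepts "{entry}" without a key')
            elif m.group(1) not in bind_keys:
                findings.append(f'{zone}: allow-update names undefined key {m.group(1)}')
    for zone, body in re.findall(r'zone\s+([\w.-]+)\s*\{(.*?)\}', dhcpd_text, re.S):
        m = re.search(r'\bkey\s+"?([\w.-]+)"?\s*;', body)
        if not m:
            findings.append(f'dhcpd zone {zone}: updates are sent unsigned')
        elif dhcp_keys.get(m.group(1)) != bind_keys.get(m.group(1), ()):
            findings.append(f'dhcpd zone {zone}: key {m.group(1)} does not match BIND')
    if not re.search(r'^\s*(ignore|deny)\s+client-updates\s*;', dhcpd_text, re.M):
        findings.append('dhcpd: client-updates is not ignored or denied')
    return findings
```

`audit(NAMED_CONF_LOCAL, DHCPD_CONF)` returns an empty list, while `audit(WEAK_NAMED, DHCPD_CONF)` reports the address-based ACL once per zone.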
Home domain
I’ve finally decided to set up a domain on my home network. I’m trying to decide if I should use Ubuntu Server or Windows Server 2003 (Standard Edition) as the domain controller. Currently, I have an Ubuntu server (6.06.1) running BIND9, DHCP, MySQL and Apache.
We use Windows 2000 & 2003 at work so I have more experience setting it up. I want to learn more about Linux administration, though, so that makes me lean toward Linux. There’s a write-up on HowtoForge about setting up a domain controller using Ubuntu 7.10 and Samba. I plan to follow that article if I go the Linux route.
Either OS will run fine on the system I have:
- 1.8 GHz processor
- 2 GB PC2700 RAM
- 160 GB, 7200 RPM hard drive
- Gigabit ethernet
The current Ubuntu server installation isn’t using many resources. Webmin shows that it’s only using 192 MB of RAM (out of 2 GB) and 0 MB of swap. I know that Windows 2003 would use more than that just with a base OS install.
I think I’ll try to get Ubuntu working first. If I can’t get it to work, I’ll load Windows 2003. Either way, I will have Apache and MySQL running because I use Jinzora as my media server. I’ve tried running Jinzora on IIS but it didn’t run as well as it does on Apache.
A nation of sheep will beget a government of wolves. - Edward R. Murrow
29.Dec.07
Linux, Networking, Windows






















