Written specifically to aid Administrators familiar with NT variants (Windows NT, Windows 2000 Server, Windows Server 2003), terminology and setup.
Assumptions
I assume that you know enough about PCs to construct properly termed Google searches as long as you know the programs and files you’re dealing with. I aim to provide a rundown of what you need, leaving out lots of technical discussion. You should then know what you’re looking for and should be able to easily find more detailed instructions on what you’re interested in.
INSTALLING UBUNTU
Use a standard Ubuntu server install. The major advantage of the Ubuntu server install is its minimal package set: there aren’t lots of running processes and config files around by default that you don’t know anything about. This leaves a clean slate to which you can add what you want.
Partitioning
Best to create
- 50MB /boot
- small / (say 15GB)
- decent swap (say 3 or 4 times your physical memory size, on a separate drive to / if possible)
- rest to /home for data
- or /var for httpd or ftpd services
Example layout across two drives:
Disk 1
- partition 1: 15GB, mounted as /
- partition 3: 220GB, mounted as /home
Disk 2
- partition 1: 5GB, swap
- partition 2: 10GB, mounted as /tmp
- partition 3: 220GB, mounted as /backup
All of the Unix file system is stored under the / (pronounced root) directory.
QUICK TIPS
At this point you’ll find it useful to know the sudo, ls and cp commands (man sudo, man ls or man cp for more info).
sudo provides you with superuser (or Administrator) rights to perform administration. You’ll also find the programs
man (gives manual pages for many commands and programs),
nano (a text editor installed by default on Ubuntu), and
vi (a text editor installed by default on most Unix platforms) handy to know about. To quit from man or vi type :q.
Use the TAB key a lot as well. This will auto-complete file names on the command line (as long as you’ve typed in enough of the name for it to be unique) and can save a lot of typing and tpyos.
It’s also helpful to know that the setup for just about everything is stored independently in configuration files rather than in a central location like the registry.
Another fun feature is the <ALT>-<F?> keys which give you different terminal logins. Sick of waiting for the apt-get command to download files or a big cp to finish? Just press <ALT>-<F2> and log in again to continue with something else. Type logout to finish your session and press <ALT>-<F1> to get back to the first session. (This is how I typed most of these notes.)
APT-GET AND UPDATES
Once Ubuntu is installed you’ll need to update some apt-get files and make sure the system is up to date.
cd /etc
/etc is the main location for configuration files
cd apt
sudo cp sources.list sources.list.orig
to create a backup of the original conf file before editing, always a good idea.
sudo nano sources.list
You can comment out the cdrom entry (add a #) if you’d rather not have to find the CD all the time. It’s handy until you’ve finished the initial config, though. Uncomment the Universe software repository halfway down and at the bottom of the file. Then write the file and exit nano.
sudo apt-get update
to update the repository database
sudo apt-get upgrade
to upgrade existing programs on the system (Source 1, see below)
SERVICES TO BE PROVIDED
Let’s just make it clear as to what services we want to replicate.
- File sharing
- Domain controller
- DNS Server
- DHCP Server
- NTP Server
Print services may be an issue but most printers now have built in print server controllers and if they don’t they’re connected to a users computer, not to the server.
Routing services are normally taken care of by a hardware router but could be integrated into the Ubuntu box if required. This article assumes a separate router without DNS or DHCP services enabled (as you get far more control over these with your own server). Note that you’ll need DHCP and DNS enabled on the router until you have everything installed on the server, though, as otherwise the apt-get commands won’t actually get you far. 192.168.1.1 has been assumed for the router address.
The programs we’ll use for the above services are
- Samba
- DHCP3-server
- BIND9
STATICALLY ASSIGNING AN IP ADDRESS
As this server will be your DHCP server it needs a static IP address.
cd /etc/network
sudo cp interfaces interfaces.orig
sudo nano interfaces
Change eth0 to static (instead of DHCP) and add
address 192.168.1.10
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
(Source 2)
You may ask ‘Where are the DNS and WINS entries?’ Obviously WINS is useless to a Unix server. DNS is configured in the /etc/resolv.conf file but for the moment we can leave it alone as we need DNS to apt-get ourselves the DNS server software before we can take over that role.
sudo /etc/init.d/networking restart
will restart the networking services and apply the above changes.
ifconfig
will give you details of the network interfaces (kind of the equivalent of NT’s ipconfig). Common utilities like ping and nslookup are available for testing and troubleshooting TCP/IP connections.
REMOTE ADMINISTRATION
You may be dreading the rest of your life spent in front of a text mode screen. Your LCD monitor may not even support it properly. One option is to install a GUI on the server, but it’ll take up resources that are better applied to other tasks. Although not recommended many may still want to do it. Look at (Source 3) for more info on this.
Another option is the webmin interface which integrates with an httpd server (commonly Apache) and provides a web based front end to administration. Can be handy for those who want to hide the Linux life as much as possible. (Source 3).
I would recommend simply installing an SSH server which allows a secure terminal session if used with an appropriate client.
sudo apt-get install ssh openssh-server
to install the SSH services.
(Source 2)
From this point on you can log in via a client PC, another Linux box, an NT box or any other OS. On Linux and Windows the recommended SSH client is PuTTY. You just need to type in the IP address (that you entered statically above) and port (22) and then accept the server’s self-generated host key (created during the apt-get process) and you can then log in and continue typing in commands as if you were sitting in front of the server.
If you want you can change the Port number for connection to the SSH server by editing /etc/ssh/sshd_config. Remember to restart the daemon,
sudo /etc/init.d/ssh restart
If you are presented with an error you may need to restart the computer.
Quick note – at this point you may wonder about firewalls. iptables is a firewall function built into the Linux kernel and is quite powerful. I don’t give details in this documentation but you may want to investigate it further once you have finished the initial server setup. By default it is set to allow all traffic so your server will need to be closed down a bit.
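As an added example (not part of the original article), here is the sort of iptables ruleset that “closes the server down a bit” for the services this article sets up: default-deny inbound, with SSH, DNS, Samba and NTP accepted only from the office LAN and DHCP requests accepted from anywhere on the interface (clients have no address yet when they send them). It is written as a generator so the rules can be read, and tested, before they are loaded. The LAN range 192.168.1.0/24 is taken from the article; the interface name eth0, the function names and the “apply” argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal host firewall for the
# file/DNS/DHCP server described here. Assumptions: LAN is 192.168.1.0/24,
# interface is eth0. Run "sh firewall.sh apply" as root to load the rules;
# with no argument the commands are only printed for review.
LAN="192.168.1.0/24"
IFACE="eth0"

# Print the iptables commands, one per line, without executing them.
generate_rules() {
    # Start from an empty INPUT chain; outbound traffic is left open.
    echo "iptables -F INPUT"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback and replies to connections this box started.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Services offered to the LAN only: SSH, DNS, Samba (NetBIOS + CIFS), NTP.
    for rule in \
        "-p tcp --dport 22" \
        "-p udp --dport 53" "-p tcp --dport 53" \
        "-p udp --dport 137:138" "-p tcp --dport 139" "-p tcp --dport 445" \
        "-p udp --dport 123"
    do
        echo "iptables -A INPUT -i $IFACE -s $LAN $rule -j ACCEPT"
    done
    # DHCP DISCOVER comes from 0.0.0.0:68, so it cannot be limited to the LAN range.
    echo "iptables -A INPUT -i $IFACE -p udp --sport 68 --dport 67 -j ACCEPT"
    # Log (rate limited) what is about to be dropped, then switch the default policy.
    # The policy goes last so an SSH session used to apply this is never cut off.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
    echo "iptables -P INPUT DROP"
}

# Number of ACCEPT rules scoped to the LAN source range; a quick sanity check.
lan_rule_count() {
    generate_rules | grep -c -- "-s $LAN"
}

if [ "${1:-}" = "apply" ]; then
    generate_rules | sh
else
    generate_rules
fi
```

Review the printed rules first (in particular that port 22 is in the list before you apply them over SSH); the dropped-packet log lines land in the kernel log and are worth checking after the first day.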
HOSTNAME
cd /etc
sudo nano hostname
As the DNS server will be serving our internal office domain we’ll want to change the hostname to include the domain. Add your appropriate domain, e.g. .office.local, to the hostname. Don’t restart yet otherwise you’ll lock yourself out (as sudo needs to be able to resolve the hostname and won’t be able to do that without a DNS server or hosts entry).
sudo nano hosts
This gives you the hosts file, same thing as %SystemRoot%\System32\Drivers\etc\hosts. As we don’t have the DNS server yet we want to add
192.168.1.10 fileserver.office.local
to the hosts file (at the top IPv4 section, you can leave the IPv6 section alone).
Restart the server
sudo shutdown -r now
and when it restarts up you’ll have your new hostname. You can type
hostname
to check on the name.
man shutdown
for more details on shutting down the server.
QUOTA
Linux supports quota settings to control disk usage on the server. To activate this (if you actually want it)
sudo apt-get install quota
Quota settings need to be added on a per partition basis. You need to add a ,usrquota,grpquota into the /etc/fstab (file system table file). This file directs Linux on what partitions to mount into the / filesystem. eg,
/dev/sda3 /home ext3 defaults,usrquota,grpquota 0 2
Once you’ve sorted the /etc/fstab file run:
sudo touch /quota.user /quota.group
sudo chmod 600 /quota.*
sudo mount -o remount /
sudo touch /home/quota.user /home/quota.group
sudo chmod 600 /home/quota.*
sudo mount -o remount /home
sudo quotacheck -avugm
sudo quotaon -avug
See (Source 1) for a little more depth
INSTALLING SAMBA
Samba provides SMB based file sharing, print sharing and domain services to the Windows clients and forms the heart of replicating a Windows NT Server’s functions. Later on we’ll create an alias for NT’s Administrator account, pointing it to Unix’s root account. This means we need to enable the root account. If you’re not going to use the Samba functions (just DNS and DHCP functions or other services) it’s best to stick with the sudo command rather than enable the root account.
To enable the root account
sudo passwd root
and choose a good password. Then you can
su
to log in with superuser (root) privileges if you want to, or you can continue to prefix commands with sudo. I’ll leave the sudo out from now on but add it if you don’t want to su root.
Next, install Samba.
apt-get install samba samba-common samba-doc libcupsys2-gnutls10 libkrb53 winbind smbclient
Now we get into the real .conf files.
nano /etc/samba/smb.conf
and add or change the following configurations.
[global]
   workgroup = OFFICE
   netbios name = FILESERVER
   server string =
   wins support = yes
   dns proxy = no
   name resolve order = wins hosts bcast
   log file = /var/log/samba/%m.log
   max log size = 1000
   log level = 3
   security = user
   encrypt passwords = yes
   passdb backend = tdbsam
   #invalid users = root
   password level = 6
   username level = 5
   smb passwd file = /etc/samba/smbpasswd
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
   username map = /etc/samba/smbusers
   domain logons = yes
   logon script = logon.vbs
   #These logon options are used for roaming profiles
   logon path =
   logon home =
   #Useradd scripts
   add user script = /usr/sbin/useradd -m %u
   delete user script = /usr/sbin/userdel -r %u
   add group script = /usr/sbin/groupadd %g
   delete group script = /usr/sbin/groupdel %g
   add user to group script = /usr/sbin/usermod -G %g %u
   add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
   #If using GDI or similar printers
   cups options = raw
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   domain master = yes
   local master = yes
   os level = 64
   preferred master = yes
   idmap uid = 15000-20000
   idmap gid = 15000-20000

[netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   guest ok = yes
   writable = no
   share modes = no

[OfficeData]
   comment = Shared office data
   path = /home/officedata
   writable = yes
   browseable = yes
   valid users = @users
   create mask = 0660
   directory mask = 0770
   vfs object = recycle
   recycle:repository = trash
   recycle:keeptree = True
   recycle:versions = True
The important items in the [global] section of the file are
- workgroup – the NT Domain for the site
- netbios name – the server name, should be the same as your host name so that WINS and DNS entries will match
- security – user security is needed for domain members. share security is the Windows 95 way of network security
- domain logons – tells Samba to expect Domain logons
- domain master – tells Samba that it’s the Domain controller
- local master – sets the local browser master for NetBIOS purposes
- preferred master – Samba is the PDC
Shares for the server are created by enclosing the name of the share in square brackets, eg. [share]. The options for the share are then listed underneath the share name. The path is the location of the files on the local server. valid users can be a list of users and groups separated by a comma. create mask and directory mask stop files from being only accessible to the original creator so that others in the office can use the files.
The vfs object = recycle provides a kind of recycle bin, something that you don’t get on a Windows server. The repository tells it what directory to put deleted files in. We’ll have a bit of a look at protecting this later on.
Other useful and powerful options for share are:
- force create mode
- force directory mode
- force group
- force user
man smb.conf or Google these terms for more info. The vfs object also contains some powerful features.
Now that you’ve created that configuration file you’ll need to add a few directories for the shares to access.
cd /home
mkdir netlogon
mkdir officedata
Now that you’ve done those configurations, run
testparm
to check the file and make sure the settings are correct and there are no typos.
Then restart the Samba service.
/etc/init.d/samba restart
We’ll need to set permissions on these directories so that they can be accessed by users, but we need to create some users first. (Source 1)
CREATING USERS AND GROUPS
You’ll need to set up your users with their accounts. You may also want to create a few groups depending on how you organise the data and control access to it.
A users group already exists for use with normal users. You probably also want to
groupadd -g 500 ntadmins
to create a group that will be used for your Domain Admins. The -g options specifies the group ID (or GID). You then need to tell Samba which Linux groups to match to which NT Groups.
net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins
net groupmap modify ntgroup="Domain Users" unixgroup=users
(Source 1)
For administration purposes you’ll also need to map the NT superuser account, Administrator, to the Unix superuser account, root, and enable the root account for Samba use.
echo "root = Administrator" >> /etc/samba/smbusers
smbpasswd -a root
This adds the line to the end of the smbusers file, effectively creating an alias. (Source 1)
To add an Admin user (who will also get access to the Linux server)
useradd -g ntadmins -m username
The -g option defines the user’s initial group. The -m option tells Linux to create a home directory for them. You’ll then want to give them a password.
passwd username
(Source 4)
You’ll then need to enable the account on the Samba server which can be done by
smbpasswd -a username
This adds a new Samba user and will request a password. Keep it the same as the Unix account password for password syncing. If a user has already been created and you want to add them to another group, simply run adduser existing-user existing-group, e.g.
adduser user1 users
This may be needed for your ntadmins members to access standard users’ resources.
To add a standard network user without any Unix login privileges
useradd -g users -d /dev/null -s /dev/null ntuser
This gives a null shell and home directory, denying any login ability. You then need to add their Samba account with
smbpasswd -a ntuser
(Source 5)
To change a users Samba password at a later stage use the
smbpasswd username
command.
SETTING FILE PERMISSIONS
Now that you have your users and groups set up you’ll need to set appropriate privileges on the directories to be shared on the network.
cd /home
ls -l
will give a directory listing including the user ownership and group ownership of the directories.
chown root:users netlogon
chmod 755 netlogon
will set appropriate permissions on the netlogon directory. For the other directories to be shared you’ll want
chown user:users officedata
chmod 770 officedata
The chown (change ownership) command is the equivalent of Take Ownership in NT. The chmod (change mode) command changes the permissions on files and directories. The 770 is an octal representation of Unix permissions.
man chmod
for more information on this.
This brings us back to our vfs recycle directory (defined above as trash) discussion. Often the purpose of this is to stop users from deleting valuable data from the server either inadvertently or maliciously. If this directory had the same permissions as the other directories, users given access to the share would have full control over it, including the ability to purge it. To restrict this control:
cd officedata
mkdir trash
chown user:users trash
chmod 330 trash
This gives only write and execute permissions on the directory. NT clients will not be able to see the contents of the directory, stopping any modification of it. If you need to have a look at the data in a trash directory, log in to the server, su to root and run ls. You can then cp (copy) or mv (move) the files to another location to restore the data.
Don’t forget to limit the users who can access the share in the smb.conf file if you want to restrict access to the share.
CREATING NT MACHINE ACCOUNTS
As you may know, NT domain security is based around computer accounts as well as user accounts, stopping someone from just connecting another PC to the domain and getting access to things they shouldn’t. To replicate the Domain Controller functions Samba therefore needs to know about the computer accounts as well.
Let’s create a group for these computer accounts to make them easy to distinguish.
groupadd -g 550 machines
To add the Unix account (with a NetBIOS name of machinename)
useradd -g machines -d /dev/null -s /bin/false machinename$
The dollar sign appended to the end of the computer name describes it as a computer trust account. You’ll want to lock the password on the account so that it can’t be changed.
passwd -l machinename$
The last step is to add it to Samba’s database.
smbpasswd -a -m machinename
Notice that the name doesn’t need the $ appended to it, the -m option defines it as a trust account. Once completed you can then join the computer to the domain. (Source 8) In the setup of a system for a client I had a problem with the NT group maps and found (Source 9) helpful.
DHCP SETUP
DHCP greatly simplifies network management, but the biggest shortcoming of any low end router is the lack of either statically assigned addresses or logging of assigned addresses, as well as control over items like WINS and DNS server settings. Some firmware addresses some of these issues, other firmware addresses others, but it’s rare that they get it spot on, and easier not to rely on it.
apt-get install dhcp3-server
to start the installation. The DHCP daemon will fail to start, but that’s because we haven’t configured it yet, so…
cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.orig
nano /etc/dhcp3/dhcpd.conf
The file needs to look like
ddns-update-style none;
option domain-name "office.local";
option domain-name-servers 192.168.1.10;
default-lease-time 86400;
max-lease-time 604800;
authoritative;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.199;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 192.168.1.10;
    option domain-name "office.local";
    option routers 192.168.1.1;
    option broadcast-address 192.168.1.255;
}
You can also add reservations for IPs, but these must not fall in the range for dynamic assignment, eg.
host mail {
    hardware ethernet 00:00:a5:37:b2:61;
    fixed-address 192.168.1.30;
}
(Source 6)
Setting up the DHCP server should be easy to follow for anyone who is used to a Windows Server setup. Although NT does it in a GUI, the text file contains all the same configurations. If you are unfamiliar with items like network addresses and broadcast addresses, pick up a good Windows Server book for an explanation.
Other options that you can add are:
option netbios-name-servers 192.168.1.10;
option ntp-servers 192.168.1.10;
if you have enabled WINS services in Samba and installed an NTP server onto the Linux box. (Note that current Windows versions don’t use WINS anyway.)
Once you’ve got a good looking .conf file
/etc/init.d/dhcp3-server start
to get your DHCP running. At this point you can disable the DHCP server on your router, although you won’t have DNS functions until you set up the DNS server (as other PCs will be pointing at your server, not the router, for domain name resolution).
The first question I had after all this was: How do I find out what addresses have been leased? Fortunately I can now answer this for you.
nano /var/lib/dhcp3/dhcpd.leases
to have a look through the DHCP leases issued.
DNS SETUP
Microsoft made a major change in Windows 2000, moving away from WINS for NETBIOS name resolution to an integrated DNS approach. The upshot of this is that without a local DNS server on your network you are severely hampered. Let’s solve that problem by installing BIND:
apt-get install bind9 dnsutils
DNS is another service that Microsoft has taken from the Unix world and added a GUI to, so hopefully the following terminology will be familiar. If not, pick up that good Windows Server book again…
A few files make up the BIND configuration. /etc/bind/named.conf is the main configuration file. /etc/bind/named.conf.local is the file for local or internal DNS configurations. The db.* files list the hosts in each domain and are used for forward or reverse lookups.
First let’s dive into
nano /etc/bind/named.conf.local
and add a zone for reverse and forward lookups
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
};

zone "office.local" {
    type master;
    file "/etc/bind/db.office.local";
};
We then need to create two files, one for the reverse and one for the forward zone.
nano /etc/bind/db.192
and set it similar to
$TTL 604800
@       IN SOA  ns1.office.local. root.office.local. (
                1         ; serial number
                604800    ; refresh
                86400     ; retry
                2419200   ; expire
                604800 )  ; negative cache TTL
;
@       IN NS   ns1.office.local.
10      IN PTR  fileserver.office.local.
10      IN PTR  ns1.office.local.
Then
nano /etc/bind/db.office.local
and set it similar to
$TTL 604800
@           IN SOA    ns1.office.local. root.office.local. (
                      200610271 ; serial - today's date + serial number
                      604800    ; refresh
                      86400     ; retry
                      2419200   ; expire
                      604800 )  ; negative cache TTL
;
@           IN NS     ns1
ns1         IN A      192.168.1.10
fileserver  IN A      192.168.1.10
mailserv    IN A      192.168.1.30
mail        IN CNAME  mailserv.office.local.
By default the DNS server will look to the root servers for lookups. You can add some forwarders to your ISP’s DNS servers which may make lookups faster. We can now revisit the DNS resolution settings, as promised at the beginning, by
nano /etc/resolv.conf
This file will contain the DNS servers that Ubuntu originally obtained from your old DHCP server (possibly your router). This might just be the router’s IP address but it’s quite likely it is the address of your ISP’s DNS servers. If not, have a look at your ISP’s support pages to find their DNS server IP addresses. BIND doesn’t need them, but it is good practice. Make a note of these server addresses and then replace them with a single line with your local IP address, eg.
nameserver 192.168.1.10
Then
nano /etc/bind/named.conf.options
and uncomment the forwarders section. Add your ISP’s DNS server (removing the 0.0.0.0;) and don’t forget the semi-colons.
Your server now references itself for DNS lookups and your client workstations will find the IP addresses on your network in a flash. All you need to do is
/etc/init.d/bind9 restart
Adapted from (Source 7)
For DNS servers a little extra security is recommended. This has been tackled quite clearly in (Source 2 and Source 11). I recommend following the installation steps in (Source 11) for the apt-get commands before customizing the .conf files for the ideal setup. I assume here that the DNS server is only accessible to a trusted local network.
LOGON SCRIPT
I originally used a .vbs logon script on some Windows Server 2003 Active Directory systems. With a little bit of modification it runs on top of Samba OK. If you have similar login scripts put the files into your /home/netlogon directory then
chown root:users *
chmod 444 *
while in the /home/netlogon directory. You’ll need to edit the .vbs script to map the correct path and drives on your network.
BACKUPS
For an easy backup method using a second Hard Disk Drive you can partition it during installation and mount it in the file system to /backup or something similar.
Once all the above has been set you can then set up a Cron scheduled task to run a cp (copy) command to update your backup HDD with the current information. To edit the system crontab file
nano /etc/crontab
This file is fairly easy to understand given the small hints in the file.
man cron
for more information on the cron daemon. You can add the line
00 02 * * * root cp -pur /home/officedata/* /backup/officedata >> /backup/cron.backup.log
to the file. This runs the cp command at 2am each day. The -pur options tell cp to -p, preserve mode and owner information; -u to update files already existing (copies new or changed files, doesn’t copy existing files); -r, recursive, copying all subdirectories as well. The >> appends the stdout data to the named log file so you can check what is going on. You can add the v (verbose) option if you want more information added to the log file.
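As an added example (not from the original article), the nightly copy above wrapped in a shell function so it can be tried on a throwaway directory tree before it goes into the crontab. It keeps the article’s cp -pur and the appended log, and adds -v so the log names each file copied, and 2>&1 so cp’s errors (a full disk, a permission problem) end up in the same log rather than in cron’s mail. The function names, the use of src/. instead of src/* (which also picks up dotfiles and does not fail when the destination is missing), and the constructed sample tree in demo are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: the cron backup as a function,
# plus a self-check on a constructed tree. Assumes GNU cp (Ubuntu), as the
# article does; -u is not in POSIX cp.

# backup_tree SRC DEST LOG
# Mirror new and changed files from SRC into DEST, appending to LOG.
#   -p  preserve mode, owner (when run as root) and timestamps
#   -u  copy only when the source is newer than the destination copy
#   -r  recurse into subdirectories
#   -v  print each file copied, so the log shows what changed overnight
# Returns cp's exit status, so cron sees a failure as a non-zero exit.
backup_tree() {
    src="$1"; dest="$2"; log="$3"
    mkdir -p "$dest" || return 1
    echo "=== $(date) backup $src -> $dest" >> "$log"
    cp -purv "$src"/. "$dest"/ >> "$log" 2>&1
}

# count_files DIR: number of regular files under DIR, for checking a run.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# demo: build a small constructed office tree in a temp directory, back it up
# twice, and print "<files in backup> <files copied on second run>".
# The second number is 0 because -u skips files that are not newer.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/officedata/accounts"
    echo "q1 figures (constructed sample)" > "$tmp/officedata/accounts/q1.txt"
    echo "memo (constructed sample)" > "$tmp/officedata/memo.txt"
    backup_tree "$tmp/officedata" "$tmp/backup/officedata" "$tmp/cron.backup.log"
    copied=$(count_files "$tmp/backup/officedata")
    backup_tree "$tmp/officedata" "$tmp/backup/officedata" "$tmp/cron.backup.log"
    # Lines naming a regular file copied after the second header line.
    again=$(sed -n '/^=== /{x;s/.*/&x/;x};$!b;' "$tmp/cron.backup.log" >/dev/null; awk '/^=== /{n++} n==2 && /q1.txt|memo.txt/' "$tmp/cron.backup.log" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$copied $again"
}
```

The crontab line from the article then becomes a call to this script instead of a bare cp; when testing by hand, run demo first and look at the log it writes to see the format you will be reading on the mornings something went wrong.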
FINAL COMMENTS
A good start to command line tools can be found at (Source 10).
– References/Sources
1. http://www.howtoforge.com/samba_setup_ubuntu_5.10
2. http://www.howtoforge.com/perfect_setup_ubuntu_6.06
3. http://www.cjfay.com/lamp.html
4. http://node1.yo-linux.com/cgi-bin/man2html?cgi_command=passwd&cgi_section=
5. http://www.freeos.com/articles/3842
6. http://www.howtoforge.com/dhcp_server_linux_debian_sarge
7. http://www.howtoforge.com/two_in_one_dns_bind9_views
8. http://www.enterprisenetworkingplanet.com/netos/article.php/1151091
9. http://samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html
10. http://www.karakas-online.de/gnu-linux-tools-summary/book1.html
11. http://www.linode.com/wiki/index.php/Install_BIND9_in_Ubuntu_(Breezy)
– Notes
- check out www.cjfay.com/lamp.html
- for http://ubuntuforums.org/showthread.php?t=217009
- ntfs http://ubuntuos.wordpress.com/2006/08/02/howto-write-to-windows-ntfs-drive-from-ubuntu-ntfs-3g/
- access fs-driver.org
- groups are found in /etc/groups and users are found in /etc/passwd
- locate – can be helpful for finding those files that you know should exist but don’t know where they are
- in setup, had a problem with NT group maps and found http://samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html helpful
- integrate cleanup of workstation temp files into logon script
- rsync is a handy utility for backups or copying: rsync -aHv --delete-after --progress source destination
- groups command will list groups that a user belongs to
File attributes
File attributes can only be changed by the owner of the files, rather than by people in the same group as the owner. On a Windows Server system anyone with write access to the file can change its attributes. This may be a problem in some cases where people rely on the read-only attribute. If this is the case you can use chown -R to make sure all files in the share are owned by a single user and then add
force user = username
force group = users_group
to make all users of the share access the files as if they were the user listed. This means that they will all be operating on the files as if they are the owner of them and will be able to change file attributes on them.