Steps to recreating a Windows NT server's functions under Ubuntu 6.06 LTS Server.

Written specifically to aid administrators familiar with NT variants (Windows NT, Windows 2000 Server, Windows Server 2003), their terminology and their setup.

Assumptions

I assume that you know enough about PCs to construct properly termed Google searches as long as you know the programs and files you’re dealing with. I aim to provide a run down of what you need, leaving out lots of technical discussion. You should then know what you’re looking for and should be able to easily find more detailed instructions on what you’re interested in.

INSTALLING UBUNTU

Use a standard Ubuntu server install. The major advantage of Ubuntu's server install is that few packages are installed by default, so there aren't lots of running processes and config files around that you don't know anything about. This leaves a clean slate to which you can add what you want.

Partitioning

It's best to create

  • a 50MB /boot
  • a small / (say 15GB)
  • a decent swap partition (say 3 or 4 times your physical memory size, on a separate drive from / if possible)
  • the rest as /home for data
  • or as /var for httpd or ftpd services

Disk 1:

 ------------------------------------------------------------
 | 1 15GB |                    3 220GB                       |
 |   /    |                    /home                         |
 ------------------------------------------------------------

Disk 2:

 ------------------------------------------------------------
 | 1 5GB  | 2 10GB |               3 220GB                   |
 |  swap  |  /tmp  |               /backup                   |
 ------------------------------------------------------------

All of the Unix file system is stored under the / (pronounced root) directory.

QUICK TIPS

At this point you'll find it useful to know the sudo, ls and cp commands. (man sudo, man ls or man cp for more info.)

sudo provides you with superuser (or Administrator) rights to perform administration. You’ll also find the programs

 man (gives manual pages for many commands and programs),

 nano (a text editor installed by default on Ubuntu), and

 vi (a text editor installed by default on most Unix platforms) handy to know about. To quit from man or vi type :q.

Use the TAB key a lot as well. This will auto-complete file names on the command line (as long as you've typed in enough of the name for it to be unique) and can save a lot of typing and typos.

It's also helpful to know that the setup for just about everything is stored in its own configuration file rather than in a central location like the registry.

Another fun feature is the <ALT>-<F?> keys, which give you separate terminal logins. Sick of waiting for the apt-get command to download files or a big cp to finish? Just press <ALT>-<F2> and log in again to continue with something else. Type logout to finish your session and press <ALT>-<F1> to get back to the first session. (This is how I typed most of these notes.)

APT-GET AND UPDATES

Once Ubuntu is installed you’ll need to update some apt-get files and make sure the system is up to date.

cd /etc

/etc is the main location for configuration files.

cd apt
sudo cp sources.list sources.list.orig

to create a backup of the original conf file before editing, always a good idea.

sudo nano sources.list

You can comment out the cdrom entry (add a #) if you’d rather not have to find the CD all the time. It’s handy until you’ve finished the initial config, though. Uncomment the Universe software repository half way down and at the bottom of the file. Then write the file and exit nano.

sudo apt-get update

to update the repository database

sudo apt-get upgrade

to upgrade existing programs on the system (Source 1, see below).

SERVICES TO BE PROVIDED

Let's just make it clear what services we want to replicate.

  1. File sharing
  2. Domain controller
  3. DNS Server
  4. DHCP Server
  5. NTP Server

Print services may be an issue, but most printers now have built-in print server controllers, and if they don't they're connected to a user's computer, not to the server.

Routing services are normally taken care of by a hardware router but could be integrated into the Ubuntu box if required. This article assumes a separate router without DNS or DHCP services enabled (as you get far more control over these with your own server). Note that you'll need DHCP and DNS enabled on the router until you have everything installed on the server, though, as otherwise the apt-get commands won't actually get you far. 192.168.1.1 has been assumed for the router address.

The programs we’ll use for the above services are

  • Samba
  • dhcp3-server
  • BIND9

STATICALLY ASSIGNING AN IP ADDRESS

As this server will be your DHCP server it needs a static IP address.

cd /etc/network
sudo cp interfaces interfaces.orig
sudo nano interfaces

Change eth0 to static (instead of DHCP) and add

address 192.168.1.10
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

(Source 2)

You may ask ‘Where are the DNS and WINS entries?’ Obviously WINS is useless to a Unix server. DNS is configured in the /etc/resolv.conf file but for the moment we can leave it alone as we need DNS to apt-get ourselves the DNS server software before we can take over that role.

sudo /etc/init.d/networking restart

will restart the networking services and apply the above changes.

ifconfig

will give you details of the network interfaces (kind of the equivalent of NT’s ipconfig). Common utilities like ping and nslookup are available for testing and troubleshooting TCP/IP connections.

REMOTE ADMINISTRATION

You may be dreading the rest of your life spent in front of a text mode screen. Your LCD monitor may not even support it properly. One option is to install a GUI on the server, but it’ll take up resources that are better applied to other tasks. Although not recommended many may still want to do it. Look at (Source 3) for more info on this.

Another option is the webmin interface, which integrates with an httpd server (commonly Apache) and provides a web-based front end to administration. It can be handy for those who want to hide the Linux life as much as possible. (Source 3)

I would recommend simply installing an SSH server which allows a secure terminal session if used with an appropriate client.

sudo apt-get install ssh openssh-server

to install the SSH services.

(Source 2)

From this point on you can log in from a client PC, another Linux box, an NT box or any other OS. On Linux and Windows the recommended SSH client is PuTTY. You just need to type in the IP address (that you entered statically above) and port (22), then accept the server's host key (generated during the apt-get process), and you can then log in and continue typing in commands as if you were sitting in front of the server.

If you want, you can change the port number the SSH server listens on by editing /etc/ssh/sshd_config. Remember to restart the daemon:

sudo /etc/init.d/ssh restart

If you are presented with an error you may need to restart the computer.

Quick note: at this point you may wonder about firewalls. iptables is a firewall function built into the Linux kernel and is quite powerful. I don't give details in this documentation, but you may want to investigate it further once you have finished the initial server setup. By default it is set to allow all traffic, so your server will need to be closed down a bit.

HOSTNAME

cd /etc
sudo nano hostname

As the DNS server will be serving our internal office domain, we'll want to change the hostname to include the domain. Add your appropriate domain, e.g. .office.local, to the hostname. Don't restart yet, otherwise you'll lock yourself out (as sudo needs to be able to resolve the hostname and won't be able to do that without a DNS server or a hosts entry).

sudo nano hosts

This gives you the hosts file, same thing as %SystemRoot%\System32\Drivers\etc\hosts. As we don’t have the DNS server yet we want to add

192.168.1.10 fileserver.office.local fileserver

to the hosts file (at the top IPv4 section, you can leave the IPv6 section alone).

Restart the server

sudo shutdown -r now

and when it comes back up you'll have your new hostname. You can type

hostname

to check on the name.

man shutdown

for more details on shutting down the server.

QUOTA

Linux supports quota settings to control disk usage on the server. To activate this (if you actually want it)

sudo apt-get install quota

Quota settings need to be added on a per-partition basis. You need to add ,usrquota,grpquota to the mount options in /etc/fstab (the file system table file). This file tells Linux which partitions to mount into the / filesystem, e.g.

/dev/sda3 /home ext3 defaults,usrquota,grpquota 0 2

Once you’ve sorted the /etc/fstab file run:

sudo touch /quota.user /quota.group
sudo chmod 600 /quota.*
sudo mount -o remount /
sudo touch /home/quota.user /home/quota.group
sudo chmod 600 /home/quota.*
sudo mount -o remount /home
sudo quotacheck -avugm
sudo quotaon -avug

See (Source 1) for a little more depth
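As an added example (not from the original article), here is a small shell script that makes the fstab change above as a repeatable edit on a copy of the file, so the result can be diffed against /etc/fstab before being installed. It assumes a Linux awk (gawk or mawk, as on Ubuntu); the file name and mount point are arguments, and the edited line is rebuilt with single spaces between fields.

```shell
#!/bin/sh
# Added example, not from the original article: append usrquota,grpquota to
# the mount options of one entry in an fstab-style file, idempotently.
# Works on a copy of the file so the change can be reviewed first.
set -e

# enable_quota_opts FSTAB MOUNTPOINT
# Prints FSTAB with ",usrquota,grpquota" added to the options (4th field) of
# the entry mounted at MOUNTPOINT. Comment lines, other entries and entries
# that already carry the options are passed through unchanged.
enable_quota_opts() {
    awk -v mp="$2" '
        $2 == mp && NF >= 4 && $0 !~ /^[[:space:]]*#/ {
            opts = $4
            if (opts !~ /(^|,)usrquota(,|$)/) opts = opts ",usrquota"
            if (opts !~ /(^|,)grpquota(,|$)/) opts = opts ",grpquota"
            $4 = opts          # reassigning a field rebuilds the line with single spaces
        }
        { print }
    ' "$1"
}

# quota_opts_present FSTAB MOUNTPOINT: true if the entry has both options.
quota_opts_present() {
    awk -v mp="$2" '
        $2 == mp && NF >= 4 && $0 !~ /^[[:space:]]*#/ &&
        $4 ~ /(^|,)usrquota(,|$)/ && $4 ~ /(^|,)grpquota(,|$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}
```

Typical use, as root: enable_quota_opts /etc/fstab /home > /tmp/fstab.new, then diff /etc/fstab /tmp/fstab.new, and only then copy it into place and run the remount and quotacheck steps above. Keep the .orig copy as the article recommends.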

INSTALLING SAMBA

Samba provides SMB based file sharing, print sharing and domain services to the Windows clients and forms the heart of replicating a Windows NT Server’s functions. Later on we’ll create an alias for NT’s Administrator account, pointing it to Unix’s root account. This means we need to enable the root account. If you’re not going to use the Samba functions (just DNS and DHCP functions or other services) it’s best to stick with the sudo command rather than enable the root account.

To enable the root account

sudo passwd root

and choose a good password. Then you can

su

to log in with superuser (root) privileges if you want to, or you can continue to prefix commands with sudo. I’ll leave the sudo out from now on but add it if you don’t want to su root.

Next, install Samba.

apt-get install samba samba-common samba-doc libcupsys2-gnutls10 libkrb53 winbind smbclient

Now we get into the real .conf files.

nano /etc/samba/smb.conf

and add or change the following configurations.

[global]
 workgroup = OFFICE
 netbios name = FILESERVER
 server string =
 wins support = yes
 dns proxy = no
 name resolve order = wins hosts bcast

 log file = /var/log/samba/%m.log
 max log size = 1000
 log level = 3

 security = user
 encrypt passwords = yes
 passdb backend = tdbsam
 #invalid users = root
 password level = 6
 username level = 5
 smb passwd file = /etc/samba/smbpasswd
 unix password sync = Yes
 passwd program = /usr/bin/passwd %u
 passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
 username map = /etc/samba/smbusers
 domain logons = yes
 logon script = logon.vbs

 #These logon options are used for roaming profiles
 logon path =
 logon home =

 #Useradd scripts
 add user script = /usr/sbin/useradd -m %u
 delete user script = /usr/sbin/userdel -r %u
 add group script = /usr/sbin/groupadd %g
 delete group script = /usr/sbin/groupdel %g
 add user to group script = /usr/sbin/usermod -G %g %u
 add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u

 #If using GDI or similar printers
 cups options = raw
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 domain master = yes
 local master = yes
 os level = 64
 preferred master = yes
 idmap uid = 15000-20000
 idmap gid = 15000-20000

[netlogon]
 comment = Network Logon Service
 path = /home/netlogon
 guest ok = yes
 writable = no
 share modes = no

[OfficeData]
 comment = Shared office data
 path = /home/officedata
 writable = yes
 browseable = yes
 valid users = @users
 create mask = 0660
 directory mask = 0770
 vfs object = recycle
 recycle:repository=trash
 recycle:keeptree=True
 recycle:versions=True

The important items in the [global] section of the file are

  • workgroup – the NT Domain for the site
  • netbios name – the server name, should be the same as your host name so that WINS and DNS entries will match
  • security – user security is needed for domain members. share security is the Windows 95 way of network security
  • domain logons – tells Samba to expect Domain logons
  • domain master – tells Samba that it’s the Domain controller
  • local master – sets the local browser master for NetBIOS purposes
  • preferred master – Samba is the PDC

Shares for the server are created by enclosing the name of the share in square brackets, e.g. [share]. The options for the share are then listed underneath the share name. The path is the location of the files on the local server. valid users can be a comma-separated list of users and groups (groups are prefixed with @, as in @users above). create mask and directory mask stop files from being accessible only to their original creator, so that others in the office can use the files.

The vfs object = recycle provides a kind of recycle bin, something that you don’t get on a Windows server. The repository tells it what directory to put deleted files in. We’ll have a bit of a look at protecting this later on.

Other useful and powerful options for share are:

  • force create mode
  • force directory mode
  • force group
  • force user

man smb.conf or Google these terms for more info. The vfs object also contains some powerful features.

Now that you’ve created that configuration file you’ll need to add a few directories for the shares to access.

cd /home
mkdir netlogon
mkdir officedata

Now that you've done those configurations, run

testparm

to check the file and make sure the settings are correct and there are no typos.

Then restart the Samba service.

/etc/init.d/samba restart

We’ll need to set permissions on these directories so that they can be accessed by users, but we need to create some users first. (Source 1)

CREATING USERS AND GROUPS

You'll need to set up your users with their accounts. You may also want to create a few groups, depending on how you organise the data and control access to it.

A users group already exists for use with normal users. You probably also want to

groupadd -g 500 ntadmins

to create a group that will be used for your Domain Admins. The -g option specifies the group ID (or GID). You then need to tell Samba which Linux groups to map to which NT groups.

net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins
net groupmap modify ntgroup="Domain Users" unixgroup=users

(Source 1)

For administration purposes you’ll also need to map the NT superuser account, Administrator, to the Unix superuser account, root, and enable the root account for Samba use.

echo "root = Administrator" >> /etc/samba/smbusers
smbpasswd -a root

This appends the line to the smbusers file (creating the file if it doesn't exist yet), effectively creating an alias. (Source 1)

To add an Admin user (who will also get access to the Linux server)

useradd -g ntadmins -m username

The -g option defines the user's initial group. The -m option tells Linux to create a home directory for them. You'll then want to give them a password.

passwd username

(Source 4)

You’ll then need to enable the account on the Samba server which can be done by

smbpasswd -a username

This adds a new Samba user and will request a password. Keep it the same as the Unix account password for password syncing. If you want to add an existing user to another group, simply run adduser existing-user existing-group, e.g.

adduser user1 users

This may be needed for your ntadmins members to access standard users' resources.

To add a standard network user without any Unix login privileges

useradd -g users -d /dev/null -s /dev/null ntuser

This gives a null shell and home directory, denying any login ability. You then need to add their Samba account with

smbpasswd -a ntuser

(Source 5)

To change a user's Samba password at a later stage use the

smbpasswd username

command.

SETTING FILE PERMISSIONS

Now that you have your users and groups set up you’ll need to set appropriate privileges on the directories to be shared on the network.

cd /home
ls -l

will give a directory listing including the user ownership and group ownership of the directories.

chown root:users netlogon
chmod 755 netlogon

will set appropriate permissions on the netlogon directory. For the other directories to be shared you’ll want

chown user:users officedata
chmod 770 officedata

The chown (change ownership) command is the equivalent of Take Ownership in NT. The chmod (change mode) command changes the permissions on files and directories. The 770 is an octal representation of Unix permissions.

man chmod

for more information on this.

This brings us back to the vfs recycle directory (defined above as trash). Often its purpose is to stop users from deleting valuable data from the server, either inadvertently or maliciously. If this directory had the same permissions as the rest of the share, users with access to the share would have full control over it too. To restrict this control:

cd officedata
mkdir trash
chown user:users trash
chmod 330 trash

This gives only write and execute permissions on the directory (no read), so NT clients will not be able to list its contents, which stops them modifying what's in it. If you need to have a look at the data in a trash directory, log in to the server and run ls as root (via su or sudo). You can then cp (copy) or mv (move) the files to another location to restore the data.

Don’t forget to limit the users who can access the share in the smb.conf file if you want to restrict access to the share.
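As an added example (not from the original article), the following shell script audits a share directory for the thing the masks above are meant to rule out: files or directories with any permission bit set for "other". Such entries usually come from files created over SSH or copied in by root with the default umask rather than through Samba, and for anyone with a local login they sidestep the valid users = @users restriction. It assumes a Linux box with GNU find, chgrp and chmod (as on Ubuntu) and the group name users from the article; the directory is an argument.

```shell
#!/bin/sh
# Added example, not from the original article: audit a Samba share tree for
# entries that "create mask 0660" / "directory mask 0770" should never
# produce, i.e. anything readable, writable or executable by "other".
set -e

# world_accessible DIR: print every file or directory under DIR that has a
# permission bit set for "other". Empty output means the tree is clean.
# A 330 trash directory (write+execute for owner and group only) passes.
world_accessible() {
    find "$1" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
}

# fix_share_perms DIR GROUP: put DIR back to the layout in the article
# (group ownership GROUP, directories 770, files 660). Run as root on the
# real share. This also resets a 330 trash directory to 770, so re-apply
# "chmod 330 trash" afterwards if you use the recycle setup above.
fix_share_perms() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 770 {} +
    find "$1" -type f -exec chmod 660 {} +
}
```

Run world_accessible /home/officedata from a root shell or a cron job; anything it prints is worth a look before you blindly run fix_share_perms /home/officedata users, since a world-readable file may have been put there on purpose (a netlogon script, for instance, is 444 by design and lives in a different share).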

CREATING NT MACHINE ACCOUNTS

As you may know, NT domain security is based around computer accounts as well as user accounts, stopping someone from just connecting another PC to the domain and getting access to things they shouldn’t. To replicate the Domain Controller functions Samba therefore needs to know about the computer accounts as well.

Let’s create a group for these computer accounts to make them easy to distinguish.

groupadd -g 550 machines

To add the Unix account (for a computer with a NetBIOS name of machinename)

useradd -g machines -d /dev/null -s /bin/false machinename$

The dollar sign appended to the end of the computer name describes it as a computer trust account. You’ll want to lock the password on the account so that it can’t be changed.

passwd -l machinename$

The last step is to add it to Samba’s database.

smbpasswd -a -m machinename

Notice that the name doesn’t need the $ appended to it, the -m option defines it as a trust account. Once completed you can then join the computer to the domain. (Source 8) In the setup of a system for a client I had a problem with the NT group maps and found (Source 9) helpful.
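The account steps from this section and the previous one, collected into a few shell functions as an added example (not from the original article). Each function builds the exact commands described above and, because the trailing $ on machine accounts is the easy thing to get wrong, it adds the $ for useradd and passwd -l but not for smbpasswd -m. The functions only print the commands unless DRY_RUN=0, so they can be tried safely; they assume the groups users, ntadmins and machines already exist (created as above) and that you are root when DRY_RUN=0. The names ws01 and ntuser are made-up examples.

```shell
#!/bin/sh
# Added example, not from the original article: the user and machine account
# steps as functions. DRY_RUN=1 (the default) only prints the commands.
set -e
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command line, then execute it unless DRY_RUN=1.
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# valid_name NAME: lower-case Unix account names only, so a name can't turn
# into an option (leading "-") or a second argument (spaces).
valid_name() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,30}$'
}

# add_admin_user NAME: Unix login in ntadmins with a home directory, then
# the Samba account (smbpasswd -a asks for the password interactively).
add_admin_user() {
    valid_name "$1" || { echo "bad user name: $1" >&2; return 1; }
    run useradd -g ntadmins -m "$1"
    run smbpasswd -a "$1"
}

# add_network_user NAME: Samba-only user, null shell and home as in the article.
add_network_user() {
    valid_name "$1" || { echo "bad user name: $1" >&2; return 1; }
    run useradd -g users -d /dev/null -s /dev/null "$1"
    run smbpasswd -a "$1"
}

# add_machine_account NETBIOSNAME: the Unix account carries the trailing "$"
# and is locked; the Samba side is added with -m and WITHOUT the "$".
add_machine_account() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    valid_name "$name" || { echo "bad machine name: $1" >&2; return 1; }
    run useradd -g machines -d /dev/null -s /bin/false "${name}\$"
    run passwd -l "${name}\$"
    run smbpasswd -a -m "$name"
}
```

Source the file from a root shell (. ./accounts.sh, an assumed file name) and call, say, add_machine_account WS01 to see the three commands; repeat with DRY_RUN=0 to run them.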

DHCP SETUP

DHCP greatly simplifies network management, but the biggest shortcoming of any low-end router is the lack of statically assigned (reserved) addresses and of logging of assigned addresses, as well as of control over items like WINS and DNS server settings. Some firmware addresses some of these issues, other firmware others, but it's rare that they get it spot on, and easier not to rely on it.

apt-get install dhcp3-server

to start the installation. The DHCP daemon will fail to start, but that’s because we haven’t configured it yet, so…

cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.orig
nano /etc/dhcp3/dhcpd.conf

The file needs to look like

ddns-update-style none;
option domain-name "office.local";
option domain-name-servers 192.168.1.10;
default-lease-time 86400;
max-lease-time 604800;
authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {
 range 192.168.1.100 192.168.1.199;
 option subnet-mask 255.255.255.0;
 # clients resolve names via this server once BIND is set up (see DNS SETUP)
 option domain-name-servers 192.168.1.10;
 option domain-name "office.local";
 option routers 192.168.1.1;
 option broadcast-address 192.168.1.255;
}

You can also add reservations for IPs, but these must not fall in the range for dynamic assignment, eg.

host mail {
 hardware ethernet 00:00:a5:37:b2:61;
 fixed-address 192.168.1.30;
}

(Source 6)

Setting up the DHCP server should be easy to follow for anyone who is used to a Windows Server setup. Although NT does it in a GUI, the text file contains all the same settings. If you are unfamiliar with items like network addresses and broadcast addresses, pick up a good Windows Server book for an explanation.

Other options that you can add are:

option netbios-name-servers 192.168.1.10;
option ntp-servers 192.168.1.10;

if you have enabled WINS services in Samba and installed an NTP server onto the Linux box. (Note that current Windows versions don’t use WINS anyway.)

Once you’ve got a good looking .conf file

/etc/init.d/dhcp3-server start

to get your DHCP running. At this point you can disable the DHCP server on your router, although you won't have DNS functions until you set up the DNS server (as other PCs will be pointing at your server, not the router, for domain name resolution).

The first question I had after all this was: How do I find out what addresses have been leased? Fortunately I can now answer this for you.

nano /var/lib/dhcp3/dhcpd.leases

to have a look through the DHCP leases issued.
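As an added example (not from the original article), here is a shell function that summarises the leases file instead of reading it in nano. dhcpd.leases is append-only: an address can appear several times and the last block for it is the current state, so the parser keeps only the last state seen per address. The sample leases embedded in the script are constructed, in the same layout as the real file.

```shell
#!/bin/sh
# Added example, not from the original article: list active DHCP leases
# from a dhcpd.leases file (default path /var/lib/dhcp3/dhcpd.leases).
set -e

# active_leases LEASEFILE -> one "IP MAC hostname" line per lease whose
# final binding state is "active", sorted; hostname is "-" if the client
# sent none. Later blocks for the same IP override earlier ones.
active_leases() {
    awk '
        /^lease / { ip = $2; mac = "-"; host = "-"; state = "-" }
        /^[[:space:]]*hardware ethernet / { mac = $3; sub(/;$/, "", mac) }
        /^[[:space:]]*client-hostname / { host = $2; gsub(/[";]/, "", host) }
        /^[[:space:]]*binding state / { state = $3; sub(/;$/, "", state) }
        /^}/ && ip != "" { st[ip] = state; m[ip] = mac; h[ip] = host; ip = "" }
        END { for (a in st) if (st[a] == "active") print a, m[a], h[a] }
    ' "$1" | sort
}

# Constructed sample (not real data): .101 was handed out and later
# released, .102 and .103 are still active.
SAMPLE_LEASES=$(cat <<'EOF'
# constructed sample in the dhcpd.leases layout
lease 192.168.1.101 {
  starts 5 2006/10/27 08:00:00;
  ends 6 2006/10/28 08:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "ws01";
}
lease 192.168.1.102 {
  starts 5 2006/10/27 08:05:00;
  ends 6 2006/10/28 08:05:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.103 {
  starts 5 2006/10/27 08:10:00;
  ends 6 2006/10/28 08:10:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "laptop";
}
lease 192.168.1.101 {
  starts 5 2006/10/27 09:00:00;
  ends 5 2006/10/27 09:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
EOF
)

# Run with --demo to parse the sample; otherwise pass the real file to
# active_leases, e.g. active_leases /var/lib/dhcp3/dhcpd.leases
if [ "${1-}" = "--demo" ]; then
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LEASES" > "$f"
    active_leases "$f"
    rm -f "$f"
fi
```

The MAC column is the useful one when a lease shows up that you don't recognise: compare it against the reservations and the machine accounts you created, and against the router's own client list.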

DNS SETUP

Microsoft made a major change in Windows 2000, moving away from WINS for NetBIOS name resolution to an integrated DNS approach. The upshot of this is that without a local DNS server on your network you are severely hampered. Let's solve that problem by installing BIND.

apt-get install bind9 dnsutils

DNS is another service that Microsoft has taken from the Unix world and added a GUI to, so hopefully the following terminology will be familiar. If not, pick up that good Windows Server book again…

A few files make up the BIND configuration. /etc/bind/named.conf is the main configuration file. /etc/bind/named.conf.local is the file for local or internal DNS configuration. The db.* zone files list the hosts in each domain and are used for forward or reverse lookups.

First let’s dive into

nano /etc/bind/named.conf.local

and add zones for reverse and forward lookups

zone "1.168.192.in-addr.arpa" {
 type master;
 file "/etc/bind/db.192";
};
zone "office.local" {
 type master;
 file "/etc/bind/db.office.local";
};

We then need to create two files, one for the reverse and one for the forward zone.

nano /etc/bind/db.192

and set it similar to

$TTL 604800
@ IN SOA ns1.office.local. root.office.local. (
 1 ; serial number
 604800 ; refresh
 86400 ; retry
 2419200 ; expire
 604800 ) ; Negative Cache TTL
;
; record lines start in column 1; names on the right are fully qualified
; (trailing dot); give each address a single PTR
@ IN NS ns1.office.local.
10 IN PTR fileserver.office.local.
30 IN PTR mailserv.office.local.

Then

nano /etc/bind/db.office.local

and set it similar to

$TTL 604800
@ IN SOA ns1.office.local. root.office.local. (
 200610271 ; Serial - today's date + serial number
 604800 ; refresh
 86400 ; retry
 2419200 ; expire
 604800 ) ; Negative Cache TTL
;
@ IN NS ns1
ns1 IN A 192.168.1.10
fileserver IN A 192.168.1.10
mailserv IN A 192.168.1.30
mail IN CNAME mailserv.office.local.

By default the DNS server will go to the root servers for lookups. You can add forwarders pointing at your ISP's DNS servers, which may make lookups faster. We can now revisit the DNS resolution settings, as promised at the beginning, by

nano /etc/resolv.conf

This file will contain the DNS servers that Ubuntu originally obtained from your old DHCP server (possibly your router). This might just be the router's IP address, but it's quite likely to be the addresses of your ISP's DNS servers. If not, have a look at your ISP's support pages to find their DNS server IP addresses. BIND doesn't need them, but it is good practice. Make a note of these server addresses and then replace them with a single line giving the server's own IP address, e.g.

nameserver 192.168.1.10

Then

nano /etc/bind/named.conf.options

and uncomment the forwarders section. Add your ISP’s DNS server (removing the 0.0.0.0;) and don’t forget the semi-colons.

Your server now references itself for DNS lookups and your client workstations will find the IP addresses on your network in a flash. All you need to do is

/etc/init.d/bind9 restart

Adapted from (Source 7)
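As an added example (not from the original article), the script below cross-checks the forward (office.local) and reverse (1.168.192.in-addr.arpa) zone files against each other. named-checkzone only checks syntax; this catches A records without a PTR and PTRs that point at names that no longer exist or that resolve elsewhere, which is what produces misleading reverse lookups in server logs. It assumes a /24 reverse zone with a single-label host part, as in the article, and one-record-per-line zone files like the ones above; the embedded sample zones are constructed and deliberately contain one of each problem.

```shell
#!/bin/sh
# Added example, not from the original article: consistency check between a
# forward zone file and its /24 reverse zone file.
set -e

# a_records FORWARD_ZONE ORIGIN -> "fqdn ip" for each A record, with
# relative names qualified by ORIGIN and "@" meaning the origin itself.
a_records() {
    awk -v origin="$2" '
        NF >= 4 && $0 ~ /[[:space:]]IN[[:space:]]+A[[:space:]]/ {
            name = $1; ip = $NF
            if (name == "@") name = origin "."
            else if (name !~ /\.$/) name = name "." origin "."
            print name, ip
        }' "$1"
}

# ptr_records REVERSE_ZONE PREFIX -> "fqdn ip" for each PTR record,
# e.g. "10 IN PTR x." with PREFIX 192.168.1 gives "x. 192.168.1.10".
ptr_records() {
    awk -v prefix="$2" '
        NF >= 4 && $0 ~ /[[:space:]]IN[[:space:]]+PTR[[:space:]]/ {
            print $NF, prefix "." $1
        }' "$1"
}

# check_zones FORWARD REVERSE ORIGIN PREFIX
# Prints "MISSING-PTR fqdn ip" for A records whose address has no PTR,
# "DANGLING-PTR fqdn ip" for PTRs naming a host with no A record, and
# "MISMATCH-PTR fqdn ip" when the named host's A record is a different
# address. Exit status 1 if anything was printed.
check_zones() {
    fwd=$(a_records "$1" "$3")
    rev=$(ptr_records "$2" "$4")
    printf '%s\n' "$fwd" | awk -v rev="$rev" '
        BEGIN {
            bad = 0
            n = split(rev, lines, "\n")
            for (i = n; i > 0; i--)
                if (split(lines[i], f, " ") == 2) ptr[f[2]] = f[1]   # ip -> name
        }
        NF == 2 {
            a[$1] = $2
            if (!($2 in ptr)) { print "MISSING-PTR", $1, $2; bad = 1 }
        }
        END {
            for (ip in ptr) {
                nm = ptr[ip]
                if (!(nm in a)) { print "DANGLING-PTR", nm, ip; bad = 1 }
                else if (a[nm] != ip) { print "MISMATCH-PTR", nm, ip; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample zones: mailserv has no PTR, and the PTR for .40 names
# a host (oldbox) that has no A record.
SAMPLE_FWD=$(cat <<'EOF'
$TTL 604800
@ IN SOA ns1.office.local. root.office.local. (
 200610271 ; serial
 604800 ; refresh
 86400 ; retry
 2419200 ; expire
 604800 ) ; negative cache TTL
@ IN NS ns1
ns1 IN A 192.168.1.10
fileserver IN A 192.168.1.10
mailserv IN A 192.168.1.30
mail IN CNAME mailserv.office.local.
EOF
)
SAMPLE_REV=$(cat <<'EOF'
$TTL 604800
@ IN SOA ns1.office.local. root.office.local. (
 1 ; serial
 604800 ; refresh
 86400 ; retry
 2419200 ; expire
 604800 ) ; negative cache TTL
@ IN NS ns1.office.local.
10 IN PTR fileserver.office.local.
40 IN PTR oldbox.office.local.
EOF
)

# Run with --demo to check the sample; for the real files use
# check_zones /etc/bind/db.office.local /etc/bind/db.192 office.local 192.168.1
if [ "${1-}" = "--demo" ]; then
    f=$(mktemp); r=$(mktemp)
    printf '%s\n' "$SAMPLE_FWD" > "$f"; printf '%s\n' "$SAMPLE_REV" > "$r"
    check_zones "$f" "$r" office.local 192.168.1 || echo "zone problems found"
    rm -f "$f" "$r"
fi
```

Two names sharing one address (ns1 and fileserver above) is fine for the check: only one of them needs to be the PTR target, and the other still counts as having reverse resolution for its address.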

For DNS servers a little extra security is recommended. This has been tackled quite clearly in (Source 2 and Source 11). I recommend following the installation steps in (Source 11) for the apt-get commands before customizing the .conf files for the ideal setup. I assume here that the DNS server is only accessible to a trusted local network.

LOGON SCRIPT

I originally used a .vbs logon script on some Windows Server 2003 Active Directory systems. With a little bit of modification it runs on top of Samba OK. If you have similar logon scripts, put the files into your /home/netlogon directory, then

chown root:users *
chmod 444 *

while in the /home/netlogon directory. You’ll need to edit the .vbs script to map the correct path and drives on your network.

BACKUPS

For an easy backup method using a second Hard Disk Drive you can partition it during installation and mount it in the file system to /backup or something similar.

Once all the above has been set up you can then set up a cron scheduled task to run a cp (copy) command to update your backup HDD with the current information. To edit the system crontab file

nano /etc/crontab

This file is fairly easy to understand given the small hints in the file.

man cron

for more information on the cron daemon. You can add the line

00 02 * * * root cp -pur /home/officedata/* /backup/officedata >> /backup/cron.backup.log

to the file. This runs the cp command at 2am each day. The -pur options tell cp to: -p, preserve mode and owner information; -u, update, copying only files that are new or newer than the copy already in the destination; -r, recurse, copying all subdirectories as well. The >> appends the stdout data to the named log file so you can check what is going on. You can add the v (verbose) option if you want more information added to the log file.
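As an added example (not from the original article), the crontab one-liner above can be wrapped in a short script that adds the two things the one-liner lacks: a timestamped log entry and the recorded exit status. cp's error messages go to stderr, which >> on its own does not capture, so a nightly copy that fails (disk full, backup drive not mounted) would otherwise leave no trace in the log. The paths are the article's (/home/officedata to /backup/officedata) but are taken as arguments so the script can be tried on any directory first; the script file name used in the crontab line is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: the nightly cp -pur as a
# script that logs each run with a timestamp and its exit status.
set -e

# backup_dir SRC DEST LOG: mirror new and changed files from SRC into DEST
# with cp -pur (as in the crontab line). "SRC/." copies dotfiles too and
# works on an empty SRC, unlike "SRC/*". Both cp's output and a status line
# go to LOG; the function returns cp's exit status.
backup_dir() {
    mkdir -p "$2"
    if cp -pur "$1"/. "$2"/ >>"$3" 2>&1; then status=0; else status=$?; fi
    printf '%s %s -> %s exit=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" "$2" "$status" >>"$3"
    return "$status"
}

# last_backup_ok LOG: true if the most recent run logged exit=0. Handy as a
# one-line check from a login shell, or from a monitoring script.
last_backup_ok() {
    tail -n 1 "$1" | grep -q ' exit=0$'
}

# When run with three arguments (as from cron), do the backup.
if [ $# -eq 3 ]; then
    backup_dir "$1" "$2" "$3"
fi
```

With the script saved as, say, /usr/local/sbin/backup-officedata.sh (an assumed name), the crontab line becomes 00 02 * * * root /usr/local/sbin/backup-officedata.sh /home/officedata /backup/officedata /backup/cron.backup.log, and tail -n 1 /backup/cron.backup.log the next morning tells you whether it worked.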

FINAL COMMENTS

A good start to command line tools can be found at (Source 10).

– References/Sources

  1. http://www.howtoforge.com/samba_setup_ubuntu_5.10
  2. http://www.howtoforge.com/perfect_setup_ubuntu_6.06
  3. http://www.cjfay.com/lamp.html
  4. http://node1.yo-linux.com/cgi-bin/man2html?cgi_command=passwd&cgi_section=
  5. http://www.freeos.com/articles/3842
  6. http://www.howtoforge.com/dhcp_server_linux_debian_sarge
  7. http://www.howtoforge.com/two_in_one_dns_bind9_views
  8. http://www.enterprisenetworkingplanet.com/netos/article.php/1151091
  9. http://samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html
  10. http://www.karakas-online.de/gnu-linux-tools-summary/book1.html
  11. http://www.linode.com/wiki/index.php/Install_BIND9_in_Ubuntu_(Breezy)

– Other good references

– Notes

  • check out www.cjfay.com/lamp.html
  • for http://ubuntuforums.org/showthread.php?t=217009
  • ntfs http://ubuntuos.wordpress.com/2006/08/02/howto-write-to-windows-ntfs-drive-from-ubuntu-ntfs-3g/
  • access fs-driver.org
  • groups are found in /etc/group and users are found in /etc/passwd
  • locate – can be helpful for finding those files that you know should exist but don't know where
  • in setup, had a problem with NT group maps and found http://samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html helpful
  • integrate cleanup of workstation temp files into logon script
  • rsync is a handy utility for backups or copying: rsync -aHv --delete-after --progress source destination
  • groups command will list groups that a user belongs to

File attributes

File attributes can only be changed by the owner of the files, rather than by people in the same group as the owner. On a Windows Server system anyone with write access to the file can change its attributes. This may be a problem in some cases where people rely on the read-only attribute. If this is the case you can use chown -R to make sure all files in the share are owned by a single user and then add

force user = username
force group = users_group

to make all users of the share access the files as if they were the user listed. This means that they will all be operating on the files as if they are the owner of them and will be able to change file attributes on them.