TurnKey Linux Virtual Appliance Library

Quick Start Setup Guide

The TKL PDC is ready to go straight out of the box. A vanilla XP install on the same subnet will join the domain with just a little network configuration...

Before you start...

  • TurnKey PDC is not an Active Directory replacement: The v12.x (and previous versions) of TKL PDC uses Samba 3. If you're looking for a Server 200x Active Directory full replacement, this isn't going to do the job. With this PDC acting as the DC on your network, you're going to have an NT domain. However, if you follow these instructions then you can add it to your existing AD domain.
  • Windows Home versions can't join a domain: None of the Windows Home versions [Starter (XP, Vista, Win7),  Home (XP), MCE (XP), Home Basic (Vista, Win7), Home Premium (Vista, Win7) or Windows 8 (Windows 8 without a suffix title is the successor to Win7 Home Premium)] are capable of joining a domain. You'll need to use a 'professional' version [Pro (XP, Win8) Business (Vista), Professional (Win7), Enterprise (Vista, Win7, Win8) or Ultimate (Vista, Win7, Win8)].

Setting Up

Build your TKL PDC or get the VM up and running (e.g., VirtualBox installation tutorial). You should set up the network address, PDC name, domain name and root password before you do anything else. DO NOT TRY TO CREATE ANY WINDOWS USERS AT THIS POINT.

You can set the PDC IP on the config console when the machine boots up. To set the PDC and domain names, fire up a browser, point it at the PDC address and select the Samba icon. After you've logged in, you can change the domain and PDC settings via the 'Windows Networking' icon.

On the XP client networking settings, set the WINS address to the PDC IP. NT domains rely heavily on NetBIOS name resolution, so you don't need to worry about DNS.

Make sure you can ping the PDC from the client and vice versa to prove the network configuration. Ping by IP and by name to ensure that everything appears as expected.

If you are using a VirtualBox XP build for testing and you can't join the domain, you probably have a network misconfiguration. The default network setting for VirtualBox machines is NAT, which won't work. You need to bridge the virtual network to your physical network. Take a look at the network settings on the TKL PDC virtual machine; it's set up with bridging by default.

Joining the Domain

Log on to the client with the local admin account and

  • Right click 'My Computer' and select 'Properties'
  • Select the 'Computer Name' tab on the system properties dialog.
  • Selecting the 'Change' button brings up the computer name changes dialog.
  • Select the 'Domain' option and type the name of your domain into the text box.

If all is well, you should be prompted for a username and password to join the domain. Enter the Samba username 'administrator' and the password ('turnkey' is the default).

After a short wait you should get a 'Welcome to the domain' message. Once the client is rebooted, you can log on with the Samba administrator account (remember to select the domain at the logon prompt).

Adding Users

Now you can create domain/Samba users on the PDC; they will automagically be available for logon on the client. There are a few gotchas with creating users, groups and policies, but that's beyond the scope of this guide.

If you are getting an error message such as "windows cannot locate server copy roaming profile" on login, then please ensure that your Linux user is in the Linux group "smbuser" and that Linux users and Samba users are synced.
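The two conditions named above (a matching Linux account, membership of the "smbuser" group) can be checked from the PDC shell. This is an added example, not TurnKey's own code; it assumes Samba 3's pdbedit listing format and the group name "smbuser", and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not TurnKey's code): cross-check Samba users against Linux
# accounts and the "smbuser" group. Assumes Samba 3 (pdbedit -L prints
# user:uid:fullname) and the group name "smbuser" used by this appliance.

# Extract user names from "pdbedit -L" output read on stdin.
samba_users() {
    cut -d: -f1
}

# check_users SAMBA_USERS PASSWD_DB SMBUSER_MEMBERS
#   $1: newline-separated Samba user names
#   $2: contents of the passwd database (getent passwd)
#   $3: comma-separated members of the smbuser group
# Prints "<user> no-linux-account" or "<user> not-in-smbuser" per problem;
# prints nothing when every Samba user is synced.
check_users() {
    smb="$1"; pw="$2"; grp="$3"
    for u in $smb; do
        if ! printf '%s\n' "$pw" | grep -q "^$u:"; then
            printf '%s no-linux-account\n' "$u"
        elif ! printf ',%s,' "$grp" | grep -q ",$u,"; then
            printf '%s not-in-smbuser\n' "$u"
        fi
    done
}

# Constructed sample data: alice is synced, bob is missing from smbuser,
# carol has a Samba account but no Linux account.
SAMPLE_PDBEDIT='alice:1001:Alice Example
bob:1002:Bob Example
carol:1003:Carol Example'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash'
SAMPLE_SMBGROUP='smbuser:x:1010:alice'

demo() {
    check_users "$(printf '%s\n' "$SAMPLE_PDBEDIT" | samba_users)" \
                "$SAMPLE_PASSWD" \
                "$(printf '%s\n' "$SAMPLE_SMBGROUP" | cut -d: -f4)"
}

# Live run on the PDC as root:
#   check_users "$(pdbedit -L | samba_users)" "$(getent passwd)" \
#               "$(getent group smbuser | cut -d: -f4)"
```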

Comments

How Do you Ping From the Server to Windows? From Webmin?


Codehead's picture

Pinging from the server

Once you've done the IP config on the server, you can back out of the config console and you'll end up at a command prompt. Log in and you can ping from there.

Alternatively, logging in via a SSH client or the browser based web shell (https://[your server ip]:12320) will give you a prompt you can ping from too.


BTW, if you can't ping from the server to XP with service pack 2+, the Windows firewall is probably blocking it.


RE: Where we can find the Installation guide

Where we can find the detailed installation/administration guide?

(Provided link to the installation guide not working.)

Jeremy's picture

Not sure about that one

but the generic tutorial here should get you going. It's using VirtualBox but the instructions for installing from ISO are pretty much the same for a bare metal install. If there's anything you're having problems with, post in the Support forum and someone should be able to help you out.

L. Arnold's picture

Has anyone ever tried "Replacing" Domain Control (ie. same name)

I have an errant win2K/NT Domain that I would love to just get rid of but I am worried about losing my shares/rights etc.

Has anyone ever "taken over" a Domain w/ this appliance?  (I mean this in a friendly way).

thanks for any help here.

Jeremy's picture

No and TBH I imagine that it would be easier to start again!

I've had very little experience with 2k/NT domains so perhaps my apprehension is more to do with my experiences with 2k3.

Despite my apprehension, I think that it could be an interesting exercise if you have the patience :)

Liraz Siri's picture

Removed broken link

Tried contacting the guy who made that tutorial. No response. This is why we should avoid relying on third party websites. Anyhow for now I removed the broken link and linked to the virtualbox tutorial instead.

I've got this working... for

I've got this working... for the admin account. It does not work for additional users added (roaming profile cannot be created error) even after adding the groups and syncing with samba. Ideas?


EDIT: capitalizing users is bad. It works now.


more on pdc

Hello, 

I have 2 questions as we are trying to roll out the turnkeylinux pdc appliance as a domain controller in our small company.

One, why it is said at the top of the page that this appliance is not an active directory replacement and is just for nt domains?

Second, has any of you tried to set up 2 of these appliances as master and slave or as a pdc and sdc?

Please help, 

I will let you know about our progress on this task, it is very exciting and if we succeed, it will be great, no more viruses and unstable pdc. We are coming out of a week of downtime due to viruses in our pdc.

bye

mimi

Jeremy's picture

The current PDC is based on Samba3

So it's an NT domain, not a full AD replacement.

If you're keen for a little DIY action then have a look at Samba4 (TKL PDC uses Samba3). I haven't used it myself but others have reported success with it. There is a package in the Ubuntu repos but you may be better off getting it from upstream (it seems to be under pretty heavy development). I have seen plenty of tutorials about so you should be able to find something suitable online. Just keep in mind that TKL v11 is Ubuntu 10.04 under the hood. You may also be better off starting from TKL Core rather than the PDC appliance.

L. Arnold's picture

Well in our Case... We are thinking the same way it seems.

The question was from another post (not mine), sorry about that.

Right now ours is "Mixed Mode" Win2K Domain (ie NT/2K Mixed)

----------

lets explore this - I have not tested the appliance yet though

---------

I can see a pretty easy Route "if" Samba could be registered as a "Backup Domain Controller", get replication, then the Primary Domain Controllers be taken off line leaving Samba to take the PDC role.

I may just do this with an NT Box.  The reality is that Microsoft is really good at taking a good thing and turning it into a frape (active directory)...

I will explore soon.  A bit short on time just now... but need to work on this.

(on another front, is there any DNS Server/Host Server within the Turnkey stable).   This could be helpful rather than running it through our hosting company.  This is "arguably" one of the advantages of Active Directory... but there should be alternatives.  Will explore the Samba subject more.

TKL PDC + LDAP?

Has anyone had any luck adding an LDAP server to this appliance? This would bring it closer to being an Active Directory replacement.

turnkey domain controller + existing ldap integration

Yep, I just have finished getting automount mounts from ldap (shared via samba for the windows users), ldap user accounts, ldap account integration (computer accounts created in ldap when joined to the domain). When adding a "samba" user using either smbpasswd -a username, or via the webmin module, OR the ldap plugin for webmin, it adds the relevant samba fields into their ldap account, and also ldap/samba password sync: they change their samba password, and it will update their ldap login (for ssh, linux desktop etc). Also, mapped "Domain Users" to unix group 20 which all the users are a member of, and created a "Domain Admin" ldap group, with ldap users in there, and groupmapped them to "Domain Admins" as a domain group. So far, seamless integration. It's as good as I can get with samba3 and openldap..

 

I did try samba4, and that is great.. ability to use group policies, manage users from ADUC, and all that guff. The ldap tree looks nuts in that.. very much like adsiedit under Active Directory. However, I wasn't able to integrate that with our existing ldap server, which is why the turnkey appliance was a great base to build on.

Built-in domain groups are invisible

Hi All,

Just installed Turnkey PDC and added an XP machine.

Trying to use User Manager for Domains (from NT4) to add new admins.

Unfortunately standard Domain Admins and Domain Users groups are not listed in user/group picker.

Any ideas?

if all of your users are part

If all of your users are part of smbusers or another group, then just groupmap that unix group to "Domain Users" and similarly, for "Domain Admins", group map that to smbadmins.

Check this link... down the bottom.. this is how I mapped my ldap groups

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping....

Nuno Cabeca's picture

Netlogon

Hello!

Firstly, congratz for your amazing job!

I saw in the main features, something refering "netlogon", like:

  • Limit domain login to Domain Users and Domain Admins.
  • Logon/home drive mapped to H:
  • Synchronize time at login with PDC.
  • Default permissions: owner full permissions.

I was expecting a pre-configured logon script which we could add to the user.

Where can I find that documentation?

Thanks in advance and congratz again!

Nuno


Alon Swartz's picture

smb.conf and logon.bat

The 2 files that you are looking for are /etc/samba/smb.conf and /srv/storage/netlogon/logon.bat. That should give you a very good starting point for customizations and understanding how everything is put together.

Hope that helps.

Domain admins not local admins

Hi.

After days of searching my ass off in the error logs and on internet I wanted to share what I found out:

I am using the turnkey 11.3 DC and tried to join a Windows 7 x64 Enterprise Edition machine. Both machines are in VirtualBox VMs, both using bridged networking, registry keys modified in Windows 7 (according to the Samba wiki).

The Windows 7 machine successfully joined the Samba domain, the users I added on the Samba DC could log on, however domain admins did not have admin privileges on the Windows machine. After searching through logfiles, docs and websites I found out that neither Windows nor Linux recognized the groups, more precisely the command

net rpc group members "Domain Admins"

returned "none". No error message, and it did ask for my password.

Turns out something with the group mappings was wrong.

net groupmap list

listed the group mappings which seemed to be correct, but when I removed and readded them my domain admins suddenly were local admins too.
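The two comments above (mapping smbusers/smbadmins to "Domain Users"/"Domain Admins", and a broken mapping that made domain admins lose local admin rights) can both be checked with a script that reads net groupmap list output and emits the net groupmap add command for any well-known group that is not mapped. This is an added example, not TurnKey's or Samba's own code; the Unix group names smbadmins and smbusers are taken from the thread, the listing is constructed, and RIDs 512 and 513 are Samba's well-known values for those two groups.

```shell
#!/bin/sh
# Added example (not TurnKey's or Samba's code): verify that the well-known NT
# domain groups appear in "net groupmap list" and print the "net groupmap add"
# command for any that are missing. Unix group names follow the thread
# (smbadmins, smbusers); RID 512 = Domain Admins, 513 = Domain Users.

# "net groupmap list" prints one mapping per line:
#   <NT group> (<SID>) -> <unix group>
# Print the unix group mapped to NT group $1 from the listing on stdin
# (prints nothing when the group is not mapped).
mapped_unix_group() {
    sed -n "s/^$1 (S-[0-9-]*) -> //p"
}

# missing_groupmaps LISTING: for each required NT group not present in the
# listing, print the fix-up command; prints nothing when all are mapped.
missing_groupmaps() {
    listing="$1"
    for spec in "Domain Admins:smbadmins:512" "Domain Users:smbusers:513"; do
        nt=${spec%%:*}; rest=${spec#*:}
        unix=${rest%%:*}; rid=${rest#*:}
        if [ -z "$(printf '%s\n' "$listing" | mapped_unix_group "$nt")" ]; then
            printf 'net groupmap add ntgroup="%s" unixgroup=%s rid=%s type=d\n' \
                "$nt" "$unix" "$rid"
        fi
    done
}

# Constructed listing (placeholder SID) in which only Domain Admins is mapped.
SAMPLE_LISTING='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> smbadmins
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> nogroup'

demo() {
    missing_groupmaps "$SAMPLE_LISTING"
}

# Live use on the PDC as root:  missing_groupmaps "$(net groupmap list)"
```

The emitted commands only add mappings that are absent; a mapping that is listed but still behaves wrongly, as in the comment above, is the case for removing and re-adding it.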

DNS/DHCP

I was expecting the domain controller to also have a DNS and DHCP service installed with dynamic DNS configured. I have no problem doing this manually if needed, but new to Turnkey and Webmin. 

Is there an existing Turnkey appliance with DNS & DHCP?

If not, guidance integrating it into the Domain Controller appliance would be welcome to shortcut the learning curve.

Jeremy's picture

No TKL DNS/DHCP appliance

But they can be installed relatively easily using apt-get install. The DNS package is called bind9 and IIRC DHCP is called dhcp3. There are also webmin modules available (webmin-bind8 and webmin-dhcp). Personally I found following an online tutorial using commandline the easiest way to get started. Then use Webmin to maintain and update. I don't recall which tutorial i used but there should be plenty about. Just keep in mind that TKL v11.x is based on Ubuntu 10.04/Lucid and you should find plenty of info via google.

Sean O'Rourke's picture

default drive mappings

So each user gets two drives mapped to the server, an H: (for home?) and an S: (for share?)

I can see in /srv/storage/netlogon/logon.bat  where the S: drive is configured

and I can see in /etc/samba/smb.conf, where it's setting the login drive to H:

logon path = \\%L\profiles\%U
logon script = logon.bat
logon drive = H:
But where is configuration that maps the H: drive? 

problems in users folders

I have a problem in using samba users and folders.

I have 2 samba users, an administrator and a user,

and I can't open and save files in both the user folders.

How can I manage it?

Thank you for helping me

daniel

Jeremy's picture

Just like with Windows there are 2 levels of permissions

There are share level (i.e. via Samba users) and file system levels (via Linux users). By default the Linux and Samba users should be synced but perhaps double check. Also check file level permissions for your users. It sounds like your users have share permissions but not file permissions (but I'm only guessing).

FWIW I have always used share level users to control read or no read access and file permissions to control read only or read/write. I'm not sure whether that is best practice, but it's what I used with Windows shares...

Adding Windows 7 clients to a domain

I got the following error: "The Specified Domain Either Does Not Exist or Could Not Be Contacted" when joining a Windows 7 client (virtual machine) to the PDC domain. A Win XP machine joined with no problems.

Just to say that this appears to be the problem: http://wiki.samba.org/index.php/Windows7

Essentially in Win 7 MS normally requires that a domain server offering active directory services is used. See note in article that points out that this PDC does not support Active Directory.

The same article gives a registry edit solution, which works. It did not need the additional hot fix they refer to. Maybe it was included in service pack 1.