Guest wrote:

Is there a guide to setting up TurnKey Primary Domain Controller?

Liraz Siri wrote:

Compared with a regular installation TurnKey PDC is easy because we've pre-integrated everything for you. OTOH, less experienced users might benefit from a little extra hand holding. We need the perspective of a less experienced user to do that, because for an expert it can be difficult to anticipate the pitfalls you are going to run into.

What would help is if you could take notes and share your experience trying to get up and running with TurnKey PDC. We can use that to improve the documentation and maybe create such a guide.

Jesse Neu wrote:

Sorry for the double post, technical difficulties.

Admin note: double post removed


I now have an account to make contacting me easier.

Neil Aggarwal wrote:

Jesse: Post your questions here and people will try to answer them.

Jesse Neu wrote:

So I've been doing a little research so I can post somewhat informed questions (does that even make sense?) and so far what I can see is that the PDC drop in doesn't really come configured for LDAP or Active Directory. In fact it doesn't seem to be configured for PDC at all. This leads me to conclude I don't really have a clue how this is set up, as opposed to the PDC not really being set up as a PDC.

So here are my first questions:

How do you manage the user database?

What does this server use for authentication? (Kerberos, etc.)

How do you add PAM to Linux clients for netlogon services?

I'm working on some walkthroughs that are supposed to work for base Linux installs. So far, upgrading the TurnKey PDC image to the latest Ubuntu release has proven to be less than favorable. I have found tutorials for Ubuntu versions 7.04, 7.10, 8.04, and 8.10 that claim to be solid. I will be testing them with this PDC to learn how to configure the system and hopefully provide feedback for those like me who do not fully understand all of the config files that need to be edited.

I am not above collaboration if anyone would like to share in the glory (j/k) but seriously I'm pretty lost so far. I'll have more tomorrow.

Alon Swartz wrote:

The domain-controller appliance is preconfigured to allow Windows client machines to register and log onto the domain with the netlogon service, roaming profiles and printing support.

The following notes were taken from the changelog:
  • configured netlogon service
    • limit domain login to Domain Users and Domain Admins
    • logon/home drive mapped to H:
    • synchronize time at login with PDC
    • default permissions set owner full permissions, only.
  • configured roaming profiles:
    • public storage mapped to S:
    • default permissions set owner full permissions, everyone read
  • configured printing support:
    • set up point-and-print (PnP)
    • installed PDF printer (drops printed docs to $HOME/PDF)
    • configured cupsys web interface to bind to all interfaces and support SSL
To answer your question, the current version of domain-controller does not use LDAP, as it added too much complexity for the initial release; instead, Samba user accounts are set to synchronize with Unix user accounts.

For added usability, the Samba Webmin module is included, which you can use to manage the domain and other settings through the web browser.

I hope the above helps...

As a side note, I recently came across a blog post about the domain-controller.
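The changelog notes above describe a handful of smb.conf settings (domain logons, the H: logon drive, time synchronisation at login, the netlogon and profile shares and their default permissions). The script below is an added example, not TurnKey's or Samba's own code: it parses a Samba 3 style smb.conf and checks that those PDC settings are present, and flags the one that matters most for safety, a netlogon share that every domain user can write to (the logon script stored there runs on every workstation at login). The sample configuration, the share names [netlogon] and [profiles], and the `@"Domain Admins"` write list are constructed assumptions about what the appliance's config looks like.

```python
"""Audit a Samba 3 smb.conf for the PDC settings described in the changelog.

Added example, not TurnKey's own code. The config text below is constructed;
share and group names are assumptions, not values taken from the appliance.
"""
import configparser

# Constructed sample in the shape of a Samba 3 domain-controller smb.conf.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   domain master = yes
   preferred master = yes
   os level = 65
   time server = yes
   logon drive = H:
   logon home = \\\\%L\\%U
   logon path = \\\\%L\\profiles\\%U
   logon script = logon.bat
   add machine script = /usr/sbin/useradd -g machines -s /bin/false %u

[netlogon]
   path = /var/lib/samba/netlogon
   browseable = no
   writable = no
   write list = @"Domain Admins"

[profiles]
   path = /var/lib/samba/profiles
   writable = yes
   create mask = 0600
   directory mask = 0700

[homes]
   browseable = no
   writable = yes
   create mask = 0700
   directory mask = 0700
"""

# Same config with the netlogon share opened up to every domain user (the weak setting).
WEAK_SMB_CONF = SAMPLE_SMB_CONF.replace(
    '   writable = no\n   write list = @"Domain Admins"', "   writable = yes")

WRITE_SYNONYMS = ("writable", "writeable", "write ok")  # Samba synonyms, inverse of 'read only'


def parse_smb_conf(text):
    """smb.conf is INI-like: '=' delimiter, ';' or '#' comments, %-macros kept verbatim."""
    cp = configparser.ConfigParser(
        strict=False, interpolation=None, allow_no_value=True,
        delimiters=("=",), inline_comment_prefixes=(";", "#"),
        empty_lines_in_values=False)
    cp.read_string(text)
    return cp


def to_bool(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def share_is_writable(cp, section):
    """Samba defaults a share to read only unless 'read only = no' or a write synonym says otherwise."""
    if cp.has_option(section, "read only"):
        return not to_bool(cp.get(section, "read only"))
    for key in WRITE_SYNONYMS:
        if cp.has_option(section, key):
            return to_bool(cp.get(section, key))
    return False


def mask_grants_group_or_world_write(cp, section, key, default):
    """create/directory masks are octal; 0o022 are the group and world write bits."""
    return int(cp.get(section, key, fallback=default), 8) & 0o022 != 0


def audit_pdc_config(text):
    cp = parse_smb_conf(text)
    findings = []

    def expect(section, key, wanted, why):
        actual = cp.get(section, key, fallback=None)
        if actual is not None and actual.strip().lower() == wanted.lower():
            findings.append(f"OK: [{section}] {key} = {actual.strip()}")
        else:
            findings.append(f"WARN: [{section}] {key} is {actual!r}, expected {wanted!r} ({why})")

    expect("global", "domain logons", "yes", "the PDC must answer netlogon requests")
    expect("global", "security", "user", "domain accounts authenticate against the local passdb")
    expect("global", "time server", "yes", "changelog: synchronize time at login with PDC")
    expect("global", "logon drive", "H:", "changelog: logon/home drive mapped to H:")
    if not cp.has_option("global", "logon path"):
        findings.append("WARN: [global] logon path unset, so profiles will not roam")
    for share in ("netlogon", "profiles"):
        if not cp.has_section(share):
            findings.append(f"WARN: [{share}] share is missing")
    if cp.has_section("netlogon") and share_is_writable(cp, "netlogon"):
        findings.append("WARN: [netlogon] is writable by every domain user; logon scripts stored "
                        "there run on each workstation, so use 'writable = no' plus a 'write list'")
    if cp.has_section("profiles") and not share_is_writable(cp, "profiles"):
        findings.append("WARN: [profiles] is read only, so clients cannot save roaming profiles")
    for share in ("profiles", "homes"):
        if cp.has_section(share) and mask_grants_group_or_world_write(cp, share, "create mask", "0744"):
            findings.append(f"WARN: [{share}] create mask lets other users write to files")
    return findings


if __name__ == "__main__":
    for line in audit_pdc_config(WEAK_SMB_CONF):
        print(line)
```

Run it against a real /etc/samba/smb.conf with `audit_pdc_config(open(path).read())`; the checks only read the file, and the WARN lines are the ones to compare against the changelog before trusting the appliance with logins.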

Jesse Neu wrote:

So the PDC doesn't authenticate users to the domain it just provides domain logon services for shared resources?

Seems like a good start, but I'm looking for more; I would really like to use this for access control as well. I'm sure I could get this working for what I want with modification. What would help you guys to add this feature? From the research I've done so far it looks like I would need to start with 9.10, however, due to some new configuration in slapd and OpenLDAP. I do not yet understand enough to be able to articulate what that is (or the old version to know the difference) but I have found tutorials on building it. I'm hoping to develop an interface to make configuration easier; not sure if Webmin is quite ready for this yet. Perhaps an Active Directory equivalent?

Jesse Neu wrote:

If I use the PDC drop in as configured straight out of the box, am I to understand that domain login is possible as is if I add users as Samba users?


Please forgive my ignorance; when I initially downloaded the PDC image (I take all the blame for the misconception, by the way) it was difficult to understand how to use it. This is of course coming from a newbie to the Linux server world. Until now I had only used a Linux server for file sharing. I'm trying to find the time to learn more about programming (currently learning how to use Gambas) so that I might develop a UI that may make configuring your PDC simpler. My thought is sort of a remote configuration tool similar to AD that will allow you to edit the files necessary to make configuring more of a painless process. Any thoughts?

Jeremy Davis wrote:

I'm not sure whether I can still call myself a Linux noob (as I've been using TKL for a while now) but I still think of myself as one. Whilst Webmin is really powerful and useful and does provide a more noob-friendly admin environment (compared to a blinking CLI prompt), for an ex-Windows-poweruser Linux noob it can still be a little confusing.

Not sure if I'd use it myself now but I probably would've if it had been available when I started with TKL PDC.

Alon Swartz wrote:

There seems to be some confusion on what the domain-controller appliance is meant for, what it can do, and how.

I am now convinced that we need documentation to get users off the ground. I have added this to my ever growing todo list, but anyone interested in helping out is welcome (and urged to do so).

Some notes in the meantime:

  • The current status quo is that Samba is not a *full* replacement for a Windows Active Directory Domain Controller, but it provides a lot of the needed functionality.
  • OpenLDAP is nice to have, but is not required. The domain-controller should be able to support small to medium deployments efficiently, and is configured to support roaming profiles, network shares, printing services, etc.
  • Reminder, joining a workstation to the domain requires domain admin privileges, as it creates a machine account for the workstation. Once the workstation is part of the domain, a domain user can then log in.

I hope the above helps.

Codehead wrote:

Once you have joined a machine to the domain, you can add users from the System > Users and Groups menu option in Webmin/Samba.

I found that users created before a machine joined the domain didn't seem to work from the Windows side. Once a machine had joined, all the users I created appeared on the Windows side.

You'll have to add them to the smbusers and users groups in order to get proper access to the home directory/network shares.

HTH
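Two things in this thread are easy to get wrong and hard to see from Webmin alone: a Samba user who is not in the smbusers and users groups (Codehead's note above), and the machine account that joining a workstation creates (Alon's reminder earlier), which on this appliance has to line up with a Unix account because Samba accounts synchronise with Unix accounts. The script below is an added example, not TurnKey's or Samba's own code: it cross-checks constructed copies of `pdbedit -L` output, /etc/passwd and /etc/group and lists accounts that are out of step. The account names, UIDs and the required group names are assumptions made for the example.

```python
"""Cross-check Samba domain accounts against the Unix account database.

Added example, not TurnKey's or Samba's own code. All input below is constructed
to mimic `pdbedit -L` (user:uid:full name), /etc/passwd and /etc/group.
The group names smbusers and users follow the post above and are assumptions.
"""

PDBEDIT_OUTPUT = """\
root:0:root
alice:1001:Alice Example
bob:1002:Bob Example
wkstn01$:1003:WKSTN01
wkstn02$:1004:WKSTN02
"""

ETC_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/bash
wkstn01$:x:1003:1003:WKSTN01 machine account:/var/lib/samba:/bin/false
"""

ETC_GROUP = """\
root:x:0:
users:x:100:bob
smbusers:x:1001:alice
machines:x:1003:
"""


def parse_pdbedit(text):
    """`pdbedit -L` prints one 'name:uid:full name' line per passdb account."""
    accounts = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, uid, _full = line.split(":", 2)
            accounts[name] = int(uid)
    return accounts


def parse_passwd(text):
    """/etc/passwd: name:pw:uid:gid:gecos:home:shell -> {name: (uid, primary gid)}."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, gid, *_rest = line.split(":")
            users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """/etc/group: name:pw:gid:member,member -> {name: (gid, {members})}."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def members_of(groupname, groups, passwd):
    """Membership via the group file plus anyone whose primary gid is this group."""
    gid, members = groups[groupname]
    primary = {user for user, (_uid, pgid) in passwd.items() if pgid == gid}
    return members | primary


def is_machine_account(name):
    # Windows machine accounts are stored with a trailing '$'.
    return name.endswith("$")


def audit_accounts(pdb_text, passwd_text, group_text, required_groups=("smbusers", "users")):
    pdb = parse_pdbedit(pdb_text)
    passwd = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = [f"MISSING_GROUP: {g}" for g in required_groups if g not in groups]
    for name, samba_uid in sorted(pdb.items()):
        if name not in passwd:
            kind = "machine" if is_machine_account(name) else "user"
            findings.append(f"MISSING_UNIX_ACCOUNT: {name} ({kind} account in passdb only)")
            continue
        unix_uid, _pgid = passwd[name]
        if unix_uid != samba_uid:
            findings.append(f"UID_MISMATCH: {name} passdb uid {samba_uid} != passwd uid {unix_uid}")
        if is_machine_account(name) or name == "root":
            continue  # machine accounts and root are not share users
        for g in required_groups:
            if g in groups and name not in members_of(g, groups, passwd):
                findings.append(f"NOT_IN_GROUP: {name} is not in {g}")
    return findings


if __name__ == "__main__":
    for line in audit_accounts(PDBEDIT_OUTPUT, ETC_PASSWD, ETC_GROUP):
        print(line)
```

On a live appliance the three inputs come from `pdbedit -L`, /etc/passwd and /etc/group; the script only reads them. A NOT_IN_GROUP line is the symptom behind "I created the user but the share does not work", and a MISSING_UNIX_ACCOUNT line for a `$` name is worth checking when a workstation is refused at login.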


Timothy wrote:

When I log in to Samba from Windows 7 Pro I get an error "Trust Relationship Between Workstation and Primary Domain Failed". How can I fix this error?

Cavan Kelly wrote:

Not easily.

The version of Samba included with Ubuntu 8.04 does not support Windows 7 domain authentication. You need, at minimum, Samba 3.3.7. The good news is that Ubuntu 10.04 is being released today with a more recent Samba implementation. Hopefully we'll see updates from the TKL team soon.

Cavan Kelly

Codehead wrote:

I haven't tried Win7 on the PDC, but when we used to get that error back in the NT days it meant that the computer account on the domain was invalid or broken.

Try deleting the computer account and re-joining the domain.


Codehead wrote:

I've put together a quick start guide for the PDC. http://www.turnkeylinux.org/node/1223

That should get an XP client on the domain for those that are struggling with it.

Let me know if I've made any glaring errors. The process worked fine for me on bare metal and VM installs.


Alon Swartz wrote:

I created an alias for the documentation: http://www.turnkeylinux.org/docs/domain-controller/quickstart

Timothy wrote:

Could you make a quick start guide for setting up Windows 7 Pro with TurnKey Domain Controller?

Codehead wrote:

I haven't tried Windows 7 on the TKL PDC. However, there do seem to be some gotchas.

http://wiki.samba.org/index.php/Windows7 states that some registry tweaking is required on the client, and even then only Samba 3.3+ supports Win 7. IIRC the TKL Samba version is 3.0.28.

I've been tinkering with Lucid 10.4 and Samba4 but it's all very ropey at the moment. I'm reluctant to do much more with the current PDC as I imagine a 10.4 TKL core will be with us soon.


Timothy wrote:

How did you set up Samba4 on TurnKey Linux Core beta 10.04 LTS? And how did you get group policies to work?

Jeremy Davis wrote:

To install the version in Lucid repos (4.0.0~alpha8+git20090912-1):

apt-get update
apt-get install samba4

If you want a more recent version then you will need to download the source and compile it yourself (have a look here). The Samba team have a really recent Samba4 PPA here, but it is only for Maverick (which may or may not work on Lucid too).

As for setup I have no idea. In my experience Samba3 is tricky enough and I would expect that Samba4 would be at least as complex (if not more so). I suggest that the Samba4 Wiki is probably a good place to start (either here or here). Asking on the relevant Samba mailing list is probably worth a try too if you can't find the answers you need on the Wiki. There doesn't seem to be an official Samba forum, although the Ubuntu forums (TKL beta is obviously based on Lucid/10.04) may also be worth a try.

Samba 3.4.7 is also available from the Lucid repos (apt-get install samba), which apparently works with Win7 (with some registry tweaks in Win7; links and details in this thread, above). Samba 3.5+ apparently supports SMB2 but you'll need to download and install from source (or use the PPA as I just posted above).

If you manage to get it working, it'd be great if you can post back (perhaps start a new thread) detailing what you discovered as I'm sure other TKL users would be interested.

Good luck!

Ryan Gravel wrote:

TKL

I was excited to begin using TKL and get some appliances up and running with easy Amazon backups. At this point, the only thing that may be easy is the Amazon backup. This PDC replacement is not working out for me. I realize that Samba3 is not an AD replacement and didn't expect it to work that way. This appliance may be usable in a small environment where you can spend some time with each workstation to get them joined and tweaked for the environment without any member servers.

Pros - Wicked low resource requirement, Ubuntu/Debian is rock solid (I have servers with 600+ days of uptime), Webmin is great, packages pre-installed, Amazon backup, able to join WinXP and Win7 (with reg hack), TKL File Server did join and authenticate to the domain.

Cons - You need at least an intermediate level of Samba experience, if not expert, to even know where to start; the administrator account didn't have super user rights to domain users on Windows clients (this may be something I goofed up but it was the last straw for me on this appliance).

The problem really is with Samba3, which is still a bit clumsy, not TKL. The permissions are odd, hard to troubleshoot and don't behave well. Most of the tools to check what is going on with authentication are not there in TKL and have to be installed manually, which made me feel like I may break other packages.

Jeremy Davis wrote:

I reckon that the devs will find this info useful.

It's a pity that there isn't at least a Samba4 Webmin module (or other WebUI) as Samba4 seems to be a better option really.

BTW, which tools were you hoping to use? Perhaps they should be considered for inclusion with the default appliance? There will be a maintenance release at some point. Even if they don't get included it could at least be documented.
