Guest's picture

Is there a guide to setting up Turnkey Primary Domain Controller?

Liraz Siri's picture

Compared with a regular installation TurnKey PDC is easy because we've pre-integrated everything for you. OTOH, less experienced users might benefit from a little extra hand holding. We need the perspective of a less experienced user to do that, because for an expert it can be difficult to anticipate the pitfalls you are going to run into.

What would help is if you could take notes and share your experience trying to get up and running with TurnKey PDC. We can use that to improve the documentation and maybe create such a guide.

AdrianLawrence's picture

Hi

I have just installed the PDC and now have no clue where to start.

Please make a basic tutorial

Thanks

Jesse Neu's picture

I am a long time UBUNTU user, I'm not a newbie by any means to computing but as far as programming and understanding some of the inner workings of the software I'm at a great disadvantage. I am planning on starting up my own business in a couple of years and having a windows free environment is my goal. I'm currently working with a tech at a community college to help transition some of their outdated windows machines to something more financially practical. At the moment the biggest challenge is the PDC, LDAP and Active directory. If anyone would like to help steer me in the right direction I would be happy to document my work on this project to benefit others.

Please shoot me an e-mail if the Turnkey Community would like to help me in this endeavor and I will be happy to provide documentation and support in return.

Jesse Neu's picture

Sorry for the double post, technical difficulties.

Admin note: double post removed


I now have an account to make contacting me easier.

Neil Aggarwal's picture

Jesse:  Post your questions here and people will try to answer them.

Jesse Neu's picture

So I've been doing a little research so I can post somewhat informed questions (does that even make sense?) and so far what I can see is that the PDC drop in doesn't really come configured for LDAP or Active Directory. In fact it doesn't seem to be configured for PDC at all. This leads me to conclude I don't really have a clue how this is set up, as opposed to the PDC not really being set up as a PDC.

So here are my first questions:

How do you manage the user database?

What does this server use for authentication? (kerberos, etc)

How do you add PAM to Linux clients for netlogon services?

I'm working on some walkthroughs that are supposed to work for base Linux installs. So far upgrading the turnkey PDC image to the latest Ubuntu release has proven to be less than favorable. I have found tutorials for Ubuntu versions 7.04, 7.10, 8.04, and 8.10 that claim to be solid. I will be testing them with this PDC to learn how to configure the system and hopefully provide feedback for those like me who do not fully understand all of the config files that need to be edited.

I am not above collaboration if anyone would like to share in the glory (j/k) but seriously I'm pretty lost so far. I'll have more tomorrow.

Alon Swartz's picture

The domain-controller appliance is preconfigured to allow windows client machines to register and log onto the domain with the netlogon service, roaming profiles and printing support.

The following notes were taken from the changelog:
  • configured netlogon service
    • limit domain login to Domain Users and Domain Admins
    • logon/home drive mapped to H:
    • synchronize time at login with PDC
    • default permissions set owner full permissions, only.
  • configured roaming profiles:
    • public storage mapped to S:
    • default permissions set owner full permissions, everyone read
  • configured printing support:
    • setup point-and-print (PnP)
    • installed PDF printer (drops printed docs to $HOME/PDF)
    • configured cupsys web interface to bind to all interfaces and support SSL
To answer your question, the current version of domain-controller does not use LDAP, as it added too much complexity for the initial release, instead samba user accounts are set to synchronize with unix user accounts.

For added usability, the samba webmin module is included, which you can use to manage the domain and other settings through the web browser.

I hope the above helps...

As a side note, I recently came across a blog post about the domain-controller.

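The changelog notes above describe a particular Samba 3 PDC shape: a netlogon share limited to Domain Users and Domain Admins, a home drive on H:, time sync at logon, roaming profiles, and a public share with owner-full/everyone-read permissions. The script below is an added example, not TurnKey's code or its shipped smb.conf: it parses an smb.conf and flags settings that would break domain logons or weaken access control (share-level security, a writable netlogon share, guest access, world-readable home or profile directories). The sample configuration, the share paths and the `[public]` share name are constructed assumptions, and `[public]` deliberately carries one weak setting (`guest ok = yes`) so the audit has something to report.

```python
import re
from typing import Dict, List

SmbConf = Dict[str, Dict[str, str]]

# Constructed sample smb.conf (not TurnKey's). Paths and the [public]
# share name are assumptions; [public] carries one weak setting on purpose.
SAMPLE_SMB_CONF = r"""
[global]
    workgroup = DOMAIN
    security = user
    domain logons = yes
    domain master = yes
    time server = yes
    logon drive = H:
    logon home = \\%L\%U
    logon path = \\%L\profiles\%U
    map to guest = never

[netlogon]
    path = /var/lib/samba/netlogon
    valid users = @"Domain Users", @"Domain Admins"
    read only = yes

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0700

[homes]
    read only = no
    create mask = 0700

[public]
    ; mapped to S: at logon; owner full control, everyone read
    path = /srv/public
    read only = no
    create mask = 0744
    guest ok = yes
"""

def parse_smb_conf(text: str) -> SmbConf:
    """Return {section: {parameter: value}}; comments start with '#' or ';'.
    Samba ignores case and whitespace in parameter names, so normalise them."""
    conf: SmbConf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue  # parameter outside any section, or malformed line
        key, _, value = line.partition("=")
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def as_bool(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")

def audit(conf: SmbConf) -> List[str]:
    """Flag settings that break domain logons or weaken access control."""
    findings: List[str] = []
    g = conf.get("global", {})
    if g.get("security", "user").lower() != "user":
        findings.append("[global] security is not 'user': clients are not authenticated as named accounts")
    if not as_bool(g.get("domain logons", "no")):
        findings.append("[global] domain logons is off: the netlogon service will not run")
    if not as_bool(g.get("time server", "no")):
        findings.append("[global] time server is off: clients will not sync time at logon")
    if "logon drive" not in g:
        findings.append("[global] no logon drive: home share is not mapped to a drive letter")
    if g.get("map to guest", "never").lower() != "never":
        findings.append("[global] map to guest: failed logons fall back to the guest account")
    if "netlogon" not in conf:
        findings.append("missing [netlogon] share: clients cannot fetch logon scripts")
    else:
        n = conf["netlogon"]
        if not as_bool(n.get("read only", "yes")) or as_bool(n.get("writable", "no")):
            findings.append("[netlogon] is writable: logon scripts run on every client could be altered")
        if "valid users" not in n:
            findings.append("[netlogon] has no 'valid users' list: limit it to Domain Users/Admins")
    if "profiles" not in conf:
        findings.append("missing [profiles] share: roaming profiles are not configured")
    for name, share in conf.items():
        if name == "global":
            continue
        if as_bool(share.get("guest ok", "no")):
            findings.append(f"[{name}] guest ok = yes: unauthenticated clients can use this share")
        mask = share.get("create mask", "0744")  # Samba's default create mask
        if name in ("homes", "profiles") and int(mask, 8) & 0o077:
            findings.append(f"[{name}] create mask {mask} exposes files to other users; use 0700")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Run it against the real file with `audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; the defaults assumed for missing parameters (`security = user`, `read only = yes`, `create mask = 0744`) are Samba 3's documented defaults, so an absent line is judged the way smbd would treat it.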
Jesse Neu's picture

So the PDC doesn't authenticate users to the domain it just provides domain logon services for shared resources?

Seems like a good start, I'm looking for more though, I would really like to use this for access control as well. I'm sure I could get this working for what I want with modification. What would help you guys to add this feature? From the research I've done so far it looks like I would need to start with 9.10, however due to some new configuration in slapd and openLDAP. I do not yet understand enough to be able to articulate what that is (or the old version to know the difference) but I have found tutorials on building it. I'm hoping to develop an interface to make configuration easier, not sure if webmin is quite ready for this yet. Perhaps an Active Directory equivalent?

Jesse Neu's picture

If I use the PDC drop in as configured straight out of the box, am I to understand that domain login is possible as is if I add users as Samba users?


Please forgive my ignorance, when I initially downloaded the PDC image (I take all the blame for the misconception by the way) it was difficult to understand how to use it. This is of course coming from a newbie to the linux server world. Until now I had only used linux server for file sharing. I'm trying to find the time to learn more about programming (currently learning how to use Gambas) so that I might develop a UI that may make configuring your PDC simpler. My thought is sort of a remote configuration tool similar to AD that will allow you to edit the files necessary to make configuring more of a painless process. Any thoughts?

Jeremy Davis's picture

I'm not sure whether I can still call myself a linux noob (as I've been using TKL for a while now) but I still think of myself as one. Whilst Webmin is really powerful and useful and does provide a more noob friendly admin environment (compared to a blinking CLI prompt) for an ex-windows-poweruser-linux-noob it can still be a little confusing.

Not sure if I'd use it myself now but I probably would've if it had been available when I started with TKL PDC.

Guest's picture

I guess I am in the same boat, I installed Turnkey PDC and added a few users and added them to samba. PDC as a file server works great, shows up on the windows machines network, and can be mapped for drives and printers.


I can't seem to actually use it as a Domain controller however.  In windows XP, I try and join the domain with no luck. I have tried all the really nice GUI fields in Turnkey PDC web interface but nothing seems to work.

Can Turnkey PDC work as a Primary Domain Controller for having windows clients attach to it as a computer domain, or is it only a simple samba file server? I thought by the name it might actually be a Primary Domain Controller out of the box.

Jesse Neu's picture

I believe (and I'm sure someone will correct me if I'm wrong) that the PDC drop in will not function the way Windows Server does as a Domain controller without the adaptation of Directory services. Active Directory in windows is how the server sets up access rules and true "Domain Control" over domain authentication. Also XP would have to be set up with directory services in order to log in to that domain because by default XP uses computer login and has to be set up to use domain authentication. That's the overall gist as I understand it. I'll look at this post again when I'm not sick to be sure. What I've found so far through the research I've had time to do is that adding OpenLDAP will allow domain authentication and directory services (roaming profiles, network shares, network printing services) to be automatically added based on the rules set for each network user. So far I haven't seen an easy way to set this up in linux yet as the user database is essentially a text file that has to be edited manually. I'm sure the Turnkey gurus can back me on this, the process for adding openLDAP is easy but effectively and simply managing user accounts on a medium size network (or even small networks for those of us new to linux server) is a difficult and time consuming process that does not currently have an 'easy out' like the active directory management console. But I'm looking.

I would definitely like to see the turnkey PDC come with openLDAP. I would imagine the biggest hurdle at the moment is getting past the fact that openLDAP has recently changed and the new ubuntu versions that have been released since 8.10 or 8.04 (can't think at the moment which version turnkey is using) use it and its dependencies differently, and configuration is in some ways more difficult.

So I guess this is a learning opportunity for some more advanced Linux Programmers to teach us younguns a thing or two, I invite the lesson...

Alon Swartz's picture

There seems to be some confusion on what the domain-controller appliance is meant for, what it can do, and how.

I am now convinced that we need documentation to get users off the ground. I have added this to my ever growing todo list, but anyone interested in helping out is welcome (and urged to do so).

Some notes in the meantime:

  • The current status quo is that samba is not a *full* replacement for a Windows Active Directory Domain Controller, but it provides a lot of the needed functionality.
  • OpenLDAP is nice to have, but is not required. The domain-controller should be able to support small to medium deployments efficiently, and is configured to support roaming profiles, network shares, printing services, etc.
  • Reminder, joining a workstation to the domain requires domain admin privileges, as it creates a machine account for the workstation. Once the workstation is part of the domain, a domain user can then log in.

I hope the above helps.

Gavin's picture

I have downloaded the virtual disk image, run it and got most things running. The file and printer sharing works out of the box as expected, however...

Alon mentions above (unless I misunderstood) that it IS possible to "join" to the Turnkey PDC using a Windows machine. I have tried this, to no avail. I have registered two DNS entries (one A domain record and one *.domain SRV record). The A record points to the IP address of the PDC and the SRV record points to the hostname of the PDC (the one defined in the A record).

When attempting to join the domain (using System Properties) in Windows XP, it fails. It said that it found the SRV record, which points to the A record (which I know goes to the correct IP address), and then it failed.

Have I misunderstood something? Is there a particular port number I should use?

Many thanks in advance.

Jeremy Davis's picture

But I remember when I set it up it wouldn't connect for me either. I recall thinking it was a problem with DNS. I was trying (hoping) to build a Win Server 2k3 replacement (to prove to my boss it could be done basically, rather than the need as I have a Win 2k3 server). After I hit that snag I added it to my 'todo' list (it's a VERY long list!) and have never got back to it.

Sorry I'm not actually any use to you. Hopefully someone who has successfully done it may be able to retrace the steps they took and walk you (and others) through the steps required.

Good luck!

Rami Abu-Aus's picture

Hi men, I am new here so I want you to help me, please. I downloaded the Directory Appliance as a VMware copy and then turned it on. After that I saw the configuration; I left the default configuration, then I reached the username and password. I entered them as root user, now I stay at root@domain-controller:~#

What is after that? Please help me, how can I enter the GUI?

I am waiting for the reply.

Jeremy Davis's picture

All these appliances are basically designed to be run as headless servers. So after initial install you should not need to access the appliance in the way you would a normal PC.

But first I suggest you register for an account & subscribe to this topic so you will be notified of responses.

The main web based GUI is called Webmin and is accessible via a web browser. You can access it easily from your appliance's main page. Browse to http://your-server-name-or-ip/ and you will see many of the options available to you. Alternatively you can navigate directly to Webmin using https://your-server-name-or-ip:12321.

Hope that helps.

Ashi's picture

So let me see if I can understand this in a nutshell...

First, Can I:

Create Users and Groups
Or
Use the users and groups I have on an LDAP server already?

Can I share off a NAS device that supports a windows domain?

Can I discover network printers and share those on a per user or group level? Or at all?

-----

For my needs I would like to setup a small business network with lets say 50 users, 20 workstations and a handful of printers. I would like each user to have their own H: drive created and mapped for them to use (permissions for them only). I would also require a shared drive with read only permissions for all users to access.

Correct me if I'm wrong, but for me this means I would need one server (I will be running Turnkey-Linux PDC as a virtual on ESXi assuming this does what it appears to). I will be using a Buffalo Terastation or Openfiler box as the NAS share, or maybe both, and I will need to be able to get all the users and groups from my existing LDAP server (located on my Openfiler box) automatically to my PDC. The PDC will need to securely allow for user access at the workstation level, from any workstation, and possible laptops later down the road.

Ashi's picture

KK, while waiting to see some feedback from the forums here, I've downloaded and installed Turnkey-Linux PDC.

So far. It is very confusing.

I think this product could benefit from some sort of "WIZARD" system.

Here are a few things I've noticed off the bat.

  • The system's verbiage is confusing at best.
  • Descriptions of what each function does or how it works are almost entirely non-existent. I would like to vote for an onHover tool-tip like system.
  • Everything appears to be "module" based, but I was unable to find anything to tell me how to control, install, remove or even list these modules. (at a glance)
  • Nearly everything I've clicked on (out of the box) has stated it's not usable or installed. (LDAP for example, even tried the click to submit system information button and that failed)
  • Breadcrumbs should be implemented.


Ashi's picture

I have installed many of the updates for this appliance and many of the items I posted about have been addressed.

I could still use some examples or something to better help me understand how to setup the system

Jeremy Davis's picture

Of all the appliances I have used this one is probably the trickiest! As I just mentioned above I too have had problems setting it up.

As it seems you have already discovered, LDAP is not used/installed in this appliance so as such it is not a complete 'drop-in replacement' for Server 2k3 but once we work out how to set it all up it probably provides most if not all of the functions that many use Win Server 2k3 for.

Also (as you may well have noticed) the default Webmin includes only the relevant modules, once you update Webmin it includes them all. This is why it is saying stuff isn't installed etc. As for your comment about your ideas for Webmin (tooltips, breadcrumbs etc) how about you suggest them upstream. Webmin's website is here.

These appliances are produced by a 2 man team (Liraz and Alon - with some support from the community), and beyond configuration, some basic tethering together and a few custom scripts/modules etc, none of the individual included software is developed by the TKL Devs.

That is not to say that there couldn't be some better documentation but basically the Devs are flat out developing so we really need someone from the community with more knowledge and experience than me to step up to the mark and to develop this documentation.

Finally I suggest you sign up for an account so you can be notified of replies.

Good luck!

geovanny's picture

Although I successfully got turnkey pdc installed and configured and I was able to successfully join an xp machine to the "DOMAIN" domain, I am unsure as to how to grant users access to log into the domain. I can only log in using the administrator account. Please help. Thx

Geovanny

Codehead's picture

Once you have joined a machine to the domain, you can add users from the System > User and Groups menu option in WebMin/Samba.

I found that users created before a machine joined the domain didn't seem to work from the Windows side. Once a machine had joined, all the users I created appeared on the Windows side.

You'll have to add them to the smbusers and users groups in order to get proper access to the home directory/network shares.

HTH


geovanny's picture

Great, I will give that a try.  Thanks Codehead!

Timothy's picture

When I log in to samba from windows 7 pro I get an error "Trust Relationship Between Workstation and Primary Domain Failed". How can I fix this error?

Cavan Kelly's picture

Not easily.

The version of Samba included with Ubuntu 8.04 does not support Windows 7 domain authentication.  You need, at minimum, Samba 3.3.7.  The good news is that Ubuntu 10.04 is being released today with a more recent Samba implementation.  Hopefully we'll see updates from the TKL team soon.

Cavan Kelly

Charles Pippin's picture

Windows 7 is set to use secure communication for network authentication. I recently ran into an issue where a Windows 7 PC could not connect to a share on a Windows 2000 box. The issue was that the lan manager protocol was using the newer settings.


Check this link out - http://www.tomshardware.com/forum/75-63-windows-samba-issue

and this: http://www.petri.co.il/how-to-disable-smb-2-on-windows-vista-or-server-2008.htm

Codehead's picture

I haven't tried Win7 on the PDC, but when we used to get that error back in the NT days it meant that the computer account on the domain was invalid or broken.

Try deleting the computer account and re-joining the domain.


Codehead's picture

I've put together a quick start guide for the PDC. http://www.turnkeylinux.org/node/1223

That should get an XP client on the domain for those that are struggling with it.

Let me know if I've made any glaring errors. The process worked fine for me on bare metal and VM installs.


Alon Swartz's picture

I created an alias for the documentation: http://www.turnkeylinux.org/docs/domain-controller/quickstart

Timothy's picture

Could you Make A Quick Start Guide For Setting up Windows 7 Pro with Turnkey Domain Controller?

Codehead's picture

I haven't tried Windows 7 on the TKL PDC. However, there do seem to be some gotchas.

http://wiki.samba.org/index.php/Windows7 states some registry tweaking is required on the client and even then only Samba 3.3+ support Win 7. IIRC the TKL Samba version is 3.0.28.

I've been tinkering with Lucid 10.4 and Samba4 but it's all very ropey at the moment. I'm reluctant to do much more with the current PDC as I imagine a 10.4 TKL core will be with us soon.


SDVE's picture

So, is it better not to use "TKL PDC" with "Win7", because right now it is not compatible with this "Samba" version? Or is it possible to just update the "Samba" version in this "TKL PDC"?

Jeremy Davis's picture

But if you can't wait for the upcoming version (which is probably still a few months away), there are a couple of options:

It is theoretically possible to update Samba in the current TKL PDC but it is not newb friendly and I'm sure it would be quite painful.

Another option may be to try upgrading the current Stable TKL PDC (based on Ubuntu 8.04/Hardy) to Ubuntu 10.04/Lucid base. I certainly can't guarantee that'd work without breaking stuff but it might? If you were to test that, I'd start with a clean install, attempt upgrade first, then try setting up your domain.

The third option would be to start with the TKL Core Lucid beta and install Samba on top of that. That would probably be the most reliable way but will require you to set Samba up from scratch yourself. I imagine that it would be a bit tricky and certainly not at all newb friendly.

SDVE's picture

JedMeister
Thanks for the answer; I will try to update Samba and I will let you know the results; and if it still doesn't work I will take option two; thanks again.

Jeremy Davis's picture

Good luck, and it'd be great to hear how you go as others may be interested between now and the new TKL release.

Jeremy Davis's picture

While looking for some info to help Timothy (see below) I came across a PPA for Samba 3.5 for both Hardy (base of current stable TKL release) and Lucid (base of TKL beta release). Have a look here.

Just in case you aren't aware, PPAs are Private Package Archives which contain debs that have been built from code uploaded by other users. They are very easy to use. In my experience they can be very handy although sometimes buggy and potentially could raise security concerns. Ideally you should not add a PPA from someone you do not trust. It probably comes down to the level of security needed. As PPAs all have to be open source and only source code is uploaded I personally think they are generally pretty safe so I am happy to add them in my home environment. OTOH I would never add a PPA from someone I didn't know in a business environment, especially when dealing with sensitive data.

I can not vouch for this PPA but it may be worth a look. If you need more help around PPAs then post back and I'll see what I can do.

Timothy's picture

How did you setup samba4 on turnkey linux core beta 10.04 Lts? and how did you get group policies to work?

Jeremy Davis's picture

To install the version in Lucid repos (4.0.0~alpha8+git20090912-1):

apt-get update
apt-get install samba4

If you want a more recent version then you will need to download the source and compile yourself (have a look here). The Samba team have a really recent Samba4 PPA here, but it is only for Maverick (which may or may not work on Lucid too).

As for setup I have no idea. In my experience Samba3 is tricky enough and I would expect that Samba4 would be at least as complex (if not more so). I suggest that the Samba4 Wiki is probably a good place to start (either here or here). Asking on the relevant Samba mailing list is probably worth a try too if you can't find the answers you need on the Wiki. There doesn't seem to be an official Samba forum although the Ubuntu forums (TKL beta is obviously based on Lucid/10.04) may also be worth a try.

Samba 3.4.7 is also available from the Lucid repos (apt-get install samba) which apparently works with Win7 (with some reg tweaks in Win7 - links and details in this thread - above). Samba 3.5+ apparently supports SMB2 but you'll need to download and install from source (or use the PPA as I just posted above).

If you manage to get it working, it'd be great if you can post back (perhaps start a new thread) detailing what you discovered as I'm sure other TKL users would be interested.

Good luck!

StevegotRobbed's picture

Huge time suck for nothing. Can't add a samba user. Why don't linux developers GET it? Samba has been around forever and it's still the most primitive non-intuitive implementation. Ughhh get this off my computer and never come back.

Jeremy Davis's picture

Don't mean to rub your face in it but I don't think it gets a whole lot easier than Samba under TKL. Just because it's different to how Windows does things doesn't make it bad, just means that it will be unfamiliar at first. I think it's a bit like learning to drive a manual car when you've only ever driven an auto. It is different and takes a bit of getting used to. That doesn't mean manuals are bad, just different. And if you're anything like me, once you get used to a manual you enjoy the extra control you have over your machine (and the fact that you can get a bit more go out of the same machine, and the cheaper price tag, and...).

Anyway, don't give up yet, have a try using Webmin.

In a web browser navigate to the Webmin page on your TKL PDC (https://<hostname-or-ip>:12321) and log in. I haven't got a TKL machine handy at the mo but it's a simple case of adding a new Linux user (I think Users & Groups is under System) and then hit the Sync Linux users and Samba users button on the Samba page (from memory under Servers>>Samba) - Done!

bmullan's picture

I recently found an Open Source project named http://www.resara.org

They have taken Samba4 alpha 14 (the latest samba4 is alpha 15) and integrated and built an administrator's console etc.

It can be downloaded as source but they also provide:

  • binaries you can download
  • vmware & virtualbox pre-built VM server
  • and they also have an Ubuntu 10.04 PPA with everything pre-packaged.

Don't be put off by the "alpha" moniker of Samba4. It's in its 15th "alpha" (over 3 years of development) and the lead developers expect to go from alpha 15 to release sometime in 2011.

see:   http://activedirectorymanagement.com/samba-4-will-break-desktop-monopoly-itwire/

Andrew Bartlett (mentioned in the article) works at cisco systems in the UK.   I also work for cisco but in the u.s. so I called Andrew and asked how stable Samba4 is and he stated the same as the article.  

He said it's labeled "alpha" simply because they never got around to renaming it beta but he said there are some large organizations using it in production and it's been performing very well for months. They are expecting to release it in 2011.

Take 15 minutes and watch Samba.org's Samba4 videos:

Demo1 : Joining Windows 7 to a Samba domain

This video shows the initial provisioning of a Samba4 domain controller, then a domain join of a Windows7 client as a member of the domain. The Windows7 client is then used to manage the domain via the Active Directory Users and Computers tool

Ogg video: Joining a domain

Demo2 : Group Policy Management

This video shows the setup of Group Policy Object (GPO) management of Windows clients with a Samba4 domain.

Ogg video: Group Policies

Demo3 : Roaming Profiles

This video shows the setup of roaming profiles for Windows clients in a Samba4 domain.

Ogg video: Roaming Profiles

Demo4 : dcpromo

This video shows joining a Windows2008R2 server as an additional domain controller in a Samba domain

Ogg video: dcpromo

It may be worth a try.

I found Resara was almost too simple to setup.    I put it on an Ubuntu 10.4 server so my Active Directory PDC was going to be that Ubuntu machine.

I was then able to join several Windows 2003 servers to it by logging into the windows server, changing my DNS to point to the Ubuntu PDC then change the "My Computer" Domain name to match what I configured on the Ubuntu PDC and it joined the domain. Go back to the Resara Admin Management console (browser based) and setup your OU's, users, shares, etc.

There is a commercial version of Resara ($499) and it gives you quite a bit of additional support/service BUT it doesn't add a great deal extra over the Open Source version.

The Resara.org website is still a bit new so to read the Docs go to the commercial site (resara.com) and click on Documentation at the top. There are some menu differences from the Open Source version but not many.

Maybe Resara could be TKL'ized.

Jeremy Davis's picture

That sounds excellent! I'll definitely have a look at that one.

At work we currently have a 2k3 domain with WinXP clients. I have been looking to upgrade to Ubuntu (both server and desktops) but unfortunately I have been told (by management) that we need MSOffice 2010 and my experience under Wine was ok, but not really confidence inspiring so Win7 will be the upgrade path :(. I was hoping to avoid Server 2k8 because IMO it is overkill for what we need (shared files and roaming profiles). This seems like a great option.

And yes I agree that this would be an excellent potential TKL appliance.

Jeremy Davis's picture

And it all seems to install ok, but I've been having major issues configuring it with the GUI (installed on Ubuntu 10.04 desktop). It connects ok initially but loses connection during configuration. I have no idea what's going on.

Ryan Gravel's picture


TKL

I was excited to begin using TKL and get some appliances up and running with easy Amazon backups. At this point, the only thing that may be easy is the Amazon backup. This PDC replacement is not working out for me. I realize that samba3 is not an ad replacement and didn't expect it to work that way. This appliance may be usable in a small environment where you can spend some time with each workstation to get them joined and tweaked for the environment without any member servers.

Pros - Wicked low resource requirement, Ubuntu/Debian is rock solid (I have servers with +600 days of up time), Webmin is great, packages pre-installed, Amazon backup, able to join WinXP and Win7 (with reg hack), TKL File Server did join and authenticate to domain.

Cons - You need at least an intermediate level of samba experience if not expert to even know where to start, administrator account didn't have super user rights to domain users on windows clients (this may be something I goofed up but was the last straw for me on this appliance).

The problem really is with Samba3 which is still a bit clumsy, not TKL.  The permissions are odd, hard to troubleshoot and don't behave well.  Most of the tools to check what is going on with authentication are not there in TKL and have to be installed manually which made me feel like I may break other packages.

Jeremy Davis's picture

I reckon that the devs will find this info useful.

It's a pity that there isn't at least a Samba4 Webmin module (or other WebUI) as Samba4 seems to be a better option really.

BTW which tools were you hoping to use? Perhaps they should be considered for inclusion with the default appliance? There will be a maintenance release at some point. Even if they don't get included it could at least be documented.
