Windows network

Microsoft Windows™ interoperability is provided by Samba [1]. To install it, select the File Server module, or any other module that requires it.

NethServer configures Samba to act in a Windows network according to its role. You can choose the role from the Server Manager, in the Windows network page.

Currently the following roles are available:

  • Workstation
  • Primary Domain Controller
  • Active Directory Member

The differences between these roles concern where the user database is stored and which hosts can access it. The user database contains the list of users of the system, their passwords, group membership and other information.

Workstation

In this role NethServer uses only its own local user database. Only local users can access its resources, by providing the correct user name and password credentials. This is the behaviour of a Windows standalone workstation.

Primary Domain Controller

When acting as Primary Domain Controller (PDC), NethServer emulates a Windows 2000/NT domain controller, by providing access to the local user database only from trusted workstations. People can log on to any trusted workstation by typing their domain credentials, then have access to shared files and printers.

Active Directory member

In this role NethServer becomes a trusted server of an existing Active Directory domain. When accessing a resource from a domain workstation, user credentials are checked against a domain controller, and the access to the resource is granted.

Workstation

When acting as a workstation, NethServer registers itself as a member of the Windows workgroup specified by the Workgroup name field. The default value is WORKGROUP.

From the other hosts of the Windows network, NethServer will be listed in Network resources, under the node named after the Workgroup name field value.

As stated before, to access the server resources, clients must provide the authentication credentials of a valid local account.

Primary domain controller

The Primary Domain Controller (PDC) is a centralized place where user and host accounts are stored. To set up a Windows network where NethServer acts in the PDC role, follow these steps.

  1. From the Server Manager, Windows Network page, select Primary Domain Controller, then SUBMIT the change.

    The Domain name by default is assumed to be the second domain part of the host name in capital letters (e.g. if the FQDN server host name is server.example.com the default domain name will be EXAMPLE). If the default does not fit your needs, choose a simple name respecting the rules:

    • length between 1 and 15 characters;
    • begin with a letter, then only letters, numbers, or the minus - char;
    • only capital letters.

    For more information refer to Microsoft Naming conventions [2].

  2. For each workstation of the Windows network, join the new domain. This step requires privileged credentials. In NethServer, members of the domadmins group can join workstations to the domain. Moreover, domadmins members are granted administrative privileges on domain workstations. By default, only the admin user is a member of the domadmins group.

    Some versions of Windows may require applying a system registry patch to join the domain. From the Server Manager, follow the Client registry settings link to download the appropriate .reg file. Refer to the official Samba documentation [3] for more information.
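
The naming rules from step 1, as an added example (not part of NethServer or its documentation): a Python check that derives the default domain name from an FQDN and lists the rules it breaks, showing that a default taken from the host name can itself be invalid. The function names and sample host names are constructed for illustration, and letters are assumed to be ASCII.

```python
import re


def default_domain(fqdn):
    """Default domain name: second part of the FQDN, in capital letters."""
    labels = fqdn.strip().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError("not a fully qualified host name: %r" % fqdn)
    return labels[1].upper()


def domain_name_problems(name):
    """Return the violated rules; an empty list means the name is valid."""
    problems = []
    if not 1 <= len(name) <= 15:
        problems.append("length must be between 1 and 15 characters")
    if not re.match(r"[A-Za-z]", name):          # assumption: ASCII letters
        problems.append("must begin with a letter")
    if re.search(r"[^A-Za-z0-9-]", name):
        problems.append("only letters, numbers and '-' are allowed")
    if name != name.upper():
        problems.append("only capital letters are allowed")
    return problems


def check_fqdn(fqdn):
    """Derive the default from an FQDN and validate it in one step."""
    name = default_domain(fqdn)
    return name, domain_name_problems(name)


if __name__ == "__main__":
    # Constructed sample host names, not taken from a real network.
    samples = [
        "server.example.com",                    # valid default: EXAMPLE
        "fs01.international-holdings.example",   # default is too long
        "nas.3com.lan",                          # default starts with a digit
        "srv.my_corp.local",                     # default contains "_"
    ]
    for fqdn in samples:
        name, problems = check_fqdn(fqdn)
        status = "ok" if not problems else "; ".join(problems)
        print("%-38s %-24s %s" % (fqdn, name, status))
```
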

Active Directory member

The Active Directory member role (ADS) configures NethServer as an Active Directory domain member, delegating authentication to domain controllers. When operating in ADS mode, Samba is configured to map domain accounts into NethServer, so file and directory access can be shared across the whole domain.

Joining an Active Directory domain has some pre-requisites:

  1. In the DNS and DHCP page, set the domain controller as DNS. If a second DC exists, it can be set as secondary DNS.
  2. In the Date and time page, set the DC as NTP time source; the Kerberos protocol requires that the difference between system clocks be less than 5 minutes.

After the prerequisites are set, proceed to the Windows network page and select the Active Directory member role:

  • Fill the Realm and Domain fields with proper values. The defaults come from the FQDN host name and may not fit your environment, so make sure the Realm and Domain fields are set correctly.
  • LDAP accounts branch must be set to the LDAP branch containing your domain accounts if you plan to install the Email module. It is not actually required by Samba.
  • SUBMIT changes. You will be prompted for a user name and password: provide the credentials of the AD administrator or of any other account with permissions to join the machine to the domain.

Note

For Email integration with AD, refer also to Email in Active Directory.

Footnotes

[1] Samba official website http://www.samba.org/
[2] Naming conventions in Active Directory for computers, domains, sites, and OUs http://support.microsoft.com/kb/909264
[3] Registry changes for NT4-style domains https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains