Using eBox As Windows Primary Domain Controller - Page 4

10. Configuring shares

We already have our domain active with its users, groups and computers. Now we want to add the file sharing service to make it easier for users to share data.

We have three types of shares available in eBox:

  1. Users home directory shares
  2. Groups shares
  3. General shares

The user home directory shares are created automatically, one for each user. Each share is automatically available to its user as a mapped drive with the letter configured in the General Settings tab. Only the user can connect to their own home directory share, so it is a useful way to reach the same files regardless of which computer in the domain the user has logged on to.

Group shares, on the other hand, are not created automatically: you need to go to the Edit Group window and give the share a name. All members of the group are granted access to it, with the only restriction that they cannot modify or delete files that are owned by other members of the group.

Form for setting the group sharing directory

As for the third category of shares, eBox allows us to define multiple file shares, each with its own access control lists (ACLs), which determine which users and groups can read and write the files in that share.

To illustrate this feature we will create a share for the IT technical documentation. All members of the group IT should be able to read the files, and the user pdcadmin should have permission to update them.

To create a share, select the Shares tab, which can be found under File sharing in the left menu. We will see the list of shares, but since we have not created any yet the list will be empty. To create the first share click on Add new; this will show you a form to set up the share.

The first parameter enables or disables the share; we leave the share enabled. This setting is useful if we ever want to disable the share temporarily.

Share name is the name that identifies this share. In our example we will call the share IT documentation.

The comment field could explain the purpose of this share. Back to our example, we can write Documentation and knowledge base for the IT department there.

Finally we must choose the path of the share on the server. Two options are available: Directory under eBox or File path. The second one is intended for directories that already exist, so in our example we will choose Directory under eBox and give itdoc as the directory name.

Adding a new share

Once we have our share defined we need to choose a correct set of ACLs for it. To do so we must go to the shares list, look for the line of the share and click on the Access Control field. Here we can add the ACLs for the share; each ACL gives permissions to a user or a group. The permissions can be read, read and write, and administrator. The administrator permission allows writing and removing files owned by other users, so it must be granted sparingly.

In our example, we will add a read permission to the IT group and a read and write permission to the user pdcadmin. This way the IT members can read the files but only pdcadmin can add or remove them.

Adding a new ACL to a share

Special shares. Some shares are created automatically by eBox, and access to them is only granted to users with administration rights. They are ebox-internal-backups, which contains the eBox backup files, and ebox-quarantine, which contains infected files.

 

11. File share antivirus

eBox can scan the files in the shares for viruses. The scan is done when a file is written or accessed, so you can be sure that all files in the share have been checked by the antivirus. If an infected file is found it is moved to the ebox-quarantine share, which is only accessible by users with administration rights. These users can browse this share and choose whether to delete these files or take some other action with them.

To use this feature the antivirus module has to be enabled, so if you disabled it you should enable it again. The antivirus updates its virus database automatically each hour so you don't need to worry about updates.

To configure the antivirus scan go to the File Sharing page and open the Antivirus tab. The Scan setting determines whether the files should be scanned or not.

We want the antivirus to scan the shares, so we enable this for our example. In the Samba shares antivirus exceptions list we can add exceptions to the antivirus scan; the shares listed here will not be scanned regardless of the value of the Scan setting.

Antivirus settings

 

12. Accessing shares

We have our shares defined, so now we want to access them. First, however, we have to make sure that we have saved the last changes to the configuration, as explained in the Saving changes section.

When you log in to a domain computer as a domain user you will be able to access the shares via the Entire network window. To open this window go to My PC -> Network Place and then click on the link in the Other places panel on the left.

Domain network view

Then you can click on the eBox server and all the shares known to the user will appear. You can try to access a share by clicking on it; if the user has read access, a browser window with the share contents will be shown.

Shares in PDC server

Additionally the user home directory will be mapped to a virtual drive with the letter set in the PDC configuration.

Alternative. In a GNU/Linux system you can use the program smbclient to access the shares. You can find a guide to use it here. Another option is using a file browser with SMB capabilities like the default ones in KDE or Gnome.

If you have the antivirus enabled you can test it by trying to upload an infected file. For testing purposes we recommend the EICAR test file because it is harmless.

 

13. Logon script

eBox supports the use of a Windows logon script. This script will be downloaded and executed every time a user logs into a domain computer.

When writing this script you have to take into account that it is executed on the computer where the user logs in, so you should only do things that can be done on every computer of your domain. Furthermore, it will be a Windows computer, so you have to take care that the file is written with DOS carriage return/line feed line endings. To be sure of this you can write it on a Windows computer or use the Unix tool flip to convert between the two formats.

Once you have written your logon script you have to save it as logon.bat under the /home/samba/netlogon directory in your eBox server.

To continue our example we will show a logon script that maps a share called timetable which contains the organization timetables to the drive Y:. Remember to create this share and grant access to it before trying this logon script!

rem contents of logon.bat
rem map timetable share
echo Mapping timetable share to drive Y: ...
net use y: \\ebox-server\timetable
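
The preparation steps above, as an added shell example that is not part of the original tutorial: it converts a script to DOS line endings (with awk, in place of flip), confirms that every line ends in CR/LF, and checks that only the owner can write the file, because whoever can edit logon.bat decides what runs at every domain logon. The helper function names are hypothetical, the permission check is an addition to the steps on this page, and the sample script is constructed.

```shell
#!/bin/sh
# Added example: prepare and check a logon script before copying it to the
# netlogon directory. All function names are hypothetical helpers.

# Convert LF or mixed line endings to CRLF; running it twice changes nothing.
to_crlf() {
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' "$1"
}

# Print the number of lines that do not end in CR (0 means pure CRLF).
count_non_crlf() {
    awk '!/\r$/ { n++ } END { print n + 0 }' "$1"
}

# Succeed only if neither group nor others have write permission on the file.
not_shared_writable() {
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Full check: report each problem on stderr, return non-zero if any is found.
check_logon_script() {
    rc=0
    if [ "$(count_non_crlf "$1")" -ne 0 ]; then
        echo "$1: has lines without CRLF endings" >&2; rc=1
    fi
    if ! not_shared_writable "$1"; then
        echo "$1: writable by group or others" >&2; rc=1
    fi
    return $rc
}

# Constructed demo: write the script with Unix endings, convert, lock down, check.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'rem map timetable share\nnet use y: \\\\ebox-server\\timetable\n' \
        > "$dir/logon.unix"
    to_crlf "$dir/logon.unix" > "$dir/logon.bat"
    chmod 644 "$dir/logon.bat"
    check_logon_script "$dir/logon.bat"; status=$?
    rm -rf "$dir"
    return $status
}

demo && echo "logon.bat: CRLF endings and permissions OK"
```

On the server, check_logon_script can be run against /home/samba/netlogon/logon.bat after each edit.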

 

14. The end

That's all folks. We hope the information and examples in this tutorial have helped you to use eBox as a Windows Primary Domain Controller and file server.

I'd like to thank Falko Timme who wrote a file-sharing howto for a previous version of eBox which has been a source of inspiration for this document.

Comments

From: Brian C at: 2010-09-05 06:59:52

In windows in order to be a domain controller you have to enable DNS, why would that not be true with ebox, just a thought? I will try this the way you have written it I am sure it was working for you before you wrote this, I was just wondering. Maybe this was just for a one server application with some sort of router for DHCP also. Dunno, any way thanks for the tutorial not trying to nit pick just trying to figure out the network environment for this setup is all.

From: Anonymous at: 2011-10-20 02:35:55

DNS is required for Active Directory. ebox sets up an NT style domain controller which did not require the DNS setup.

From: Emanuele at: 2009-11-27 00:25:52

Hello folks,

 I saw this good tutorial, but I still don't find a guide which can explain how to manage computer account.

 Simply, when you join a computer to the domain, you are able to login on the domain and use all the features and advantages due to a centralized authentication and authorization system. But on ebox, there is no management interface section for domain users & computers, like "Users and computers" on m$ windows. Or, if it exists, I still haven't found it.

 Please, can anybody explain to me how to manage computer accounts on Ebox?

 

Best regards

Emanuele

PS : I apologize, I know this is very bad english, I hope you can understand what I'm searching for :-)

From: Josh at: 2010-06-24 20:09:57

I have the same question.  How are we to admin the users within the domain?

From: Camilo at: 2010-04-14 10:09:15

Hi guys, I have a little problem.... I erased domain admins and administrators groups and now I can't add computers to the domain. I created them again but it still won't work. Any idea?? Thank you a lot.

From: at: 2009-11-27 07:07:39

1) When Windows Server (2003 or 2008) is used as a PDC it isn't necessary to use an administrator account to add a PC to the domain. Can this be done with Linux+eBox?

2) Is there any way to have group policies for the domain just like when Windows Server is the PDC?

 

 

From: Don at: 2010-01-05 02:25:42

Greetings,

 in the screenshots of the ebox File Sharing Options, the domain name is set to ebox-server. In the Windows XP Computer Change Name dialog box, 'EBOX' is used for the domain.

 Shouldn't these be the same?

 Also, after joining the domain, the windows machine wants to reboot!?

From: Op3rat0r at: 2011-10-23 17:30:28

Hi,

as you can read in the text, it says "We will use ebox as domain name". You are right that the picture is wrong. In the picture the domain name should also be ebox.

It is normal that when you join a computer to a domain, the computer has to reboot. There are several adjustments that will be done with the computer....

Sry for my bad english!

 

Greetings from germany

Daniel

 

From: Anonymous at: 2009-12-03 15:25:26

I just wanted to thank you for your very informative tutorial. I have been looking for something like it for quite some time. I was wondering though what packages actually take care of the controller? OpenLDAP?

From: javivazquez at: 2009-12-05 16:09:33

Yes, it uses OpenLDAP.

You can check a full list of the software used by eBox in its trac:

http://trac.ebox-platform.com/wiki/Document/Documentation/Software

From: at: 2009-12-10 02:30:51

Great Work, Jav.

Can't wait to try this out on a server I am building.

Heeter

From: xrisse at: 2010-01-26 07:33:46

Great stuff - but what about Windows 7 and joining ebox's domain? Can I manually upgrade Samba? I've already backported Samba 3.3.4-2 on hardy (8.04). Any ideas?

From: Op3rat0r at: 2011-10-23 17:37:25

Hi,

yes you can join Win7 Clients to an eBox PDC.

Sometimes just check the Zentyal Community....

http://trac.zentyal.org/wiki/Documentation/Community/HowTo/Windows7Support

 

greetz from germany

Daniel

From: philmills at: 2010-01-26 07:37:45

There's a great thread here which also explains how to map different shares to different user groups using a little vbs. Script is provided, and its really easy to use. Awesome!

http://forum.ebox-platform.com/index.php?topic=2019.0