Change H: on SMB PDCs

Samba can act as a PDC, allowing Windows clients to join a domain and then access domain resources (such as roaming profiles) as though the domain were Windows NT-based. When you set this up, the default behavior for Mac OS X Server based domains is to create a drive mapping for H: to the user's profile path (as specified in the homeDirectory attribute) on the server. H: is kinda' low for computers with a lot of drives, and it can also conflict with other drive mappings you may choose to use. Therefore you may find that in some cases you need to change the H:. To change the drive letter that the logon drive uses, look to the /var/db/smb.conf file. Here, you'll notice a logon drive variable which is set (funnily enough) to H:. Specify any letter of the alphabet that you'd like it to use (preferably higher than H:), then save the changes to the file and restart the service. You should then see the new drive letter assigned at your next login event. You can also change a number of other variables in this file, so it's recommended to back the file up before making any changes.

Delegating DirAdmin to Windows Clients

The default behavior of a Windows NT4 through Server 2008 based domain is to allow a Domain Admins account to manage Windows clients. A number of environments have been moving over to using the PDC emulator on Mac OS X as a means of replacing aging Windows servers. One of the biggest annoyances is that the Open Directory administrative accounts they use to bind Windows computers to the domain are not local administrators on those computers. When you bind Mac OS X to Active Directory you can specify which Active Directory groups are administrators of Mac OS X client systems, so you would imagine you can do the same thing on an OS X Server providing directory services to Windows computers. You can. This comes into play based on Samba Relative Identifiers (SMBRID). When you create a group, you need to add an attribute for the SMBRID. You can do this in Workgroup Manager or using dscl. Note that we used the SMBRID of 512. You could also use any of the following to emulate the corresponding Windows functionality:
  • Domain Administrator – 500
  • Domain Guest – 501
  • Domain KRBTGT – 502
  • Domain Admins – 512
  • Domain Users – 513
  • Domain Guests – 514
  • Domain Computers – 515
  • Domain Controllers – 516
  • Domain Certificate Admins – 517
  • Domain Schema Admins – 518
  • Domain Enterprise Admins – 519
  • Domain Policy Admins – 520
  • Builtin Admins – 544
  • Builtin Users – 545
  • Builtin Guests – 546
  • Builtin Power Users – 547
  • Builtin Account Operators – 548
  • Builtin System Operators – 549
  • Builtin Print Operators – 550
  • Builtin Backup Operators – 551
  • Builtin Replicator – 552
  • Builtin RAS Servers – 553
You can create a group per required SMBRID. Once done, you can add users into the groups and delegate administrative access in this fashion, emulating many of the options that stem from the Windows NT 4 PDC emulation features of Samba, included in Mac OS X Server's implementation. But if you do this, don't go updating your smb package manually. I've found that when I update fully, the SMBRID is no longer supported and I break permission delegation.

openssl and Signatures

A checksum can be used to determine at a later date whether a file has been tampered with. To run a checksum, use the following command:
openssl dgst -HASHTYPE path_to_file
HASHTYPE would then be one of md2, md4, md5, mdc2, rmd160, sha or sha1. Let's go ahead and do a checksum of our smb.conf file:
openssl dgst -md5 /var/db/smb.conf
You should then see output similar to the following:
MD5(/var/db/smb.conf)= e4b58a63c6682b298aeca3ad40734c1e
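Tying the two halves of this post together, here is an added example (not from the original post) that records a baseline digest of smb.conf with openssl dgst, performs the logon drive change described above, and shows the digest check catching the edit. It works on a constructed copy in a temporary directory, so /var/db/smb.conf is never touched; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: take a baseline digest of a
# smb.conf copy, change the "logon drive" parameter the post describes, and
# show that re-running the digest detects the change. Everything happens in
# a constructed temporary copy so /var/db/smb.conf is never touched.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/smb.conf"

# Constructed minimal smb.conf with the default H: logon drive.
cat > "$CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    domain logons = yes
    logon drive = H:
EOF

# file_digest FILE ALGO: hex digest of FILE via `openssl dgst -ALGO`
# (md5 as in the post, or sha1; prefer sha1 of the two, md5 is collision-prone).
file_digest() {
    openssl dgst "-$2" "$1" | awk '{ print $NF }'
}

# verify_digest FILE EXPECTED ALGO: succeeds only if FILE still hashes to
# EXPECTED, i.e. it has not been edited since the baseline was recorded.
verify_digest() {
    [ "$(file_digest "$1" "$3")" = "$2" ]
}

# set_logon_drive FILE LETTER: back the file up first (as the post advises),
# then rewrite the existing "logon drive = X:" line. The caller still has
# to restart the SMB service for the new letter to take effect.
set_logon_drive() {
    cp "$1" "$1.bak"
    sed "s/^\([[:space:]]*logon drive = \).*/\1$2/" "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

BASELINE=$(file_digest "$CONF" sha1)
set_logon_drive "$CONF" "P:"
if verify_digest "$CONF" "$BASELINE" sha1; then
    echo "smb.conf unchanged since baseline"
else
    echo "smb.conf differs from baseline $BASELINE; diff against backup:"
    diff "$CONF.bak" "$CONF" || true
fi
```

The recorded digest only proves anything if it is kept where someone able to edit smb.conf cannot also rewrite it, so store baselines off the server or on read-only media.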