Setup Samba as a Primary Domain Controller (PDC)

This article applies to: CentOS 5, Fedora 8

Contents

1. Overview
2. Domain File Shares
3. smb.conf
4. Samba Users
4.1. Domain Admins
4.2. Machine Accounts
5. Finally

1. Overview

This short tutorial shows the steps and the Samba configuration file needed to run Samba as a primary domain controller. Since my network is only small, I'm using tdbsam for the password backend as opposed to LDAP. This allows us to synchronize user passwords between Windows and Linux (Samba and NIS/YP).

This tutorial assumes you are familiar with smb.conf and its options; it does not go on to explain what each one does.

2. Domain File Shares

Your domain will need a few file shares: at a minimum, Profiles and Netlogon. You should already have a functioning home directory share.

The profiles directory, which I prefer to keep in '/home/profiles', is used to store the roaming profiles. The directory itself should have permissions of 755; each sub-directory should be named after the user's username, be owned by that user, and have permissions of 700 so that no other user can read the profile.

You will need to set up shares for these directories (see the bottom of the smb.conf below).
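As an added example that is not part of the original article, the following POSIX shell function audits an existing profiles directory against the layout described above (755 on the top directory; each sub-directory named after its owner and mode 700). It assumes GNU stat as shipped on CentOS and Fedora, and takes the directory path as its argument.

```shell
#!/bin/sh
# Added example, not from the original article: audit the roaming-profile
# directory layout described above. Assumes GNU stat (-c), as on CentOS/Fedora.
#
# check_profiles DIR
#   Prints one line per violation on stderr, prints the violation count on
#   stdout, and returns 0 only when the layout is clean.
check_profiles() {
    dir=$1
    count=0

    # The top-level directory must be 755: every user has to traverse it to
    # reach their own profile, but only its owner may create entries in it.
    top_mode=$(stat -c %a "$dir") || return 2
    if [ "$top_mode" != "755" ]; then
        echo "$dir: mode $top_mode, expected 755" >&2
        count=$((count + 1))
    fi

    # Each sub-directory holds one user's profile: it must be named after
    # that user, owned by them, and mode 700 so no other user can read the
    # documents and application data stored in the profile.
    for sub in "$dir"/*/; do
        [ -d "$sub" ] || continue
        sub=${sub%/}
        name=${sub##*/}
        mode=$(stat -c %a "$sub")
        owner=$(stat -c %U "$sub")
        if [ "$mode" != "700" ]; then
            echo "$sub: mode $mode, expected 700" >&2
            count=$((count + 1))
        fi
        if [ "$owner" != "$name" ]; then
            echo "$sub: owned by $owner, expected $name" >&2
            count=$((count + 1))
        fi
    done

    echo "$count"
    [ "$count" -eq 0 ]
}

# Usage on the layout from this article: check_profiles /home/profiles
```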

3. smb.conf

Below are the sections of the Samba configuration file that you need to set in order to create a PDC. Make a copy of your existing smb.conf, then adjust the settings to match those below.

[global]

workgroup = savnet.local
server string = SavageNetwork Server

passdb backend = tdbsam
netbios name = optimus
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
# -a appends to the user's supplementary groups; without it usermod -G
# replaces the whole list and silently drops the user's other groups
add user to group script = /usr/sbin/usermod -a -G %g %u
add machine script = \
  /usr/sbin/useradd -s /bin/false -d /dev/null \
  -g machines %u
logon script = logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\homedir
domain logons = yes
security = user
os level = 35
domain master = yes
preferred master = yes
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
unix password sync = yes
passwd program = /usr/bin/passwd %u
# the whole chat script must be a single value: the \n sequences are
# newlines sent to passwd, not line continuations
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
username map = /etc/samba/smbusers
wins support = yes
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no

[homedir]
   comment = Home Directory
   path = /home/%u
   browseable = no
   writable = yes

[netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   guest ok = yes
   writable = no
   share modes = no

[Profiles]
   path = /home/profiles
   browseable = yes
   guest ok = yes
   writable = yes
   # make the profile directories and files Samba creates match the
   # 700 per-user layout described above
   create mask = 0600
   directory mask = 0700

4. Samba Users

Next we need to import user accounts. We can take these from /etc/passwd or, if you're using NIS, retrieve them with ypcat.

/etc/passwd:

cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

NIS/YP:

ypcat passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

This will not set passwords for the user accounts; you will need to set those manually. When I was performing this myself, I got an error from the 'ypcat' command, so I had to manually add user accounts with:

smbpasswd -a username

4.1. Domain Admins

To have domain administrators, you first need to create a local user group called domadm. You then map this user group to the Samba user group Domain Admins.

groupadd domadm
# rid=512 is the well-known RID of Domain Admins; without it net groupmap
# allocates a fresh RID and the mapping is not the built-in group
net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d

Finally assign any users you want to be administrators to the domadm group.

4.2. Machine Accounts

Each computer that you want to join to your domain requires a machine account on the server. This takes two steps:

# 'machines' is the group referenced by add machine script above;
# create it first with 'groupadd machines' if it does not already exist
useradd -c Machine -g machines -d /dev/null -s /bin/false machine_name$
smbpasswd -a -m machine_name

The trailing '$' sign is required when creating the Unix account, as it marks the account as a machine account; smbpasswd -m takes the name without it and appends it for you.

5. Finally

Restart the Samba service and ensure your firewall has port 139 open; you should then be able to join Windows NT, 2000, XP and Vista machines to your domain.

Note: When prompted for the administrator password on a Windows box, I have often had to type it in as 'domain\username' otherwise Windows would not recognise the user account.