This document is still under heavy construction … please be patient
About
Even though there are a lot of tutorials / howtos about installing Samba as a primary domain controller, I realized that none of them explains clearly how it really works. So I decided to write the tutorial I would have liked to find.
This tutorial explains how to set up Samba as a primary domain controller without using LDAP or anything else. This kind of configuration is useful only if you have a small network. For large networks, read this tutorial only to understand how Samba works.
Installing
I am not going to explain how to install or compile Samba, because that varies from distribution to distribution. Just get Samba onto your server using whatever you like ( apt-get, emerge, rpm, wget+tar+configure+make+make install, etc … ).
Configuring
Once you have installed a Samba server on your box ( wow! it has been a long time since I last used that word ) … whatever, once you have installed Samba the only thing left to do is configure it.
smb.conf
Let's edit the configuration file, usually found at /etc/samba/smb.conf
Global Directives
First we configure the global settings ( the section marked with the [global] tag )
[global]
workgroup = DOMAIN
netbios name = DOMAINSRV
server string = %h server
passdb backend = tdbsam
security = user
name resolve order = wins bcast hosts
domain master = yes
domain logons = yes
preferred master = yes
wins support = yes
encrypt passwords = yes
logon path = \\DOMAINSRV\profiles\%U
I'll explain what these directives mean, but if you are in doubt… refer to the smb.conf man page
- workgroup = DOMAIN
- Sets the NetBIOS domain ( workgroup ) name, whether Samba is acting as a PDC or as a domain member. In our case it is the name of the domain we are creating.
- netbios name = DOMAINSRV
- Sets the NetBIOS name by which the Samba server is known.
- server string = %h server
- The description of the server. %h is replaced by the host name.
- name resolve order = wins bcast hosts
- Our server resolves NetBIOS names by asking WINS first; if that fails it falls back to a broadcast, and if that fails too it consults the system hosts file.
- passdb backend = tdbsam
- Tells Samba where to keep its accounts. With tdbsam, users, machine trust accounts and their NT password hashes go into passdb.tdb in Samba's private directory. This is fine for a single server; only multi-server setups need ldapsam. Keep that directory readable by root only: the NT hashes in it are unsalted, so treat the file like /etc/shadow.
- security = user
- Selects the security mode. For a PDC it must be user: the Samba server validates user names and passwords itself, against its own passdb.
- domain master = yes
- Makes nmbd claim the domain master browser role, which collates the browse lists of all subnets in the domain. Despite the name, this is not what makes Samba a domain controller; domain logons below does that. An NT PDC always claims this role for itself, so if one is running on the same network the two will fight over it and browsing becomes unreliable.
- domain logons = yes
- This is the directive that turns Samba into a PDC: it provides the netlogon service, so NT4/2000/XP workstations can join the domain and users ( Windows 9x clients included ) can log on to it.
- preferred master = yes
- Makes nmbd force a browser election when it starts and gives it an advantage in that election, so this server ends up as local master browser of its subnet. This is about browse list elections, not about who is the PDC ( an NT4-style domain has exactly one PDC ). Set it on one server only: several preferred masters keep triggering elections against each other.
- wins support = yes
- Turns on the Samba WINS server.
- encrypt passwords = yes
- Windows 98 and NT4 SP3 and later refuse to send plaintext passwords, so the server has to accept the NT/LM challenge-response logon. Samba 3 and later default this to yes; listing it just makes it explicit.
- logon path = \\DOMAINSRV\profiles\%U
- Where domain users store their roaming profiles. See the Profiles Entry below. %U is replaced by the name of the user logging on, so each user gets a subdirectory of the share.
Profiles Entry
We need to share a folder in our server to store the domain users profiles.
[profiles]
comment = User profiles
path = /home/samba/profiles
valid users = %U
create mode = 0600
directory mode = 0700
writable = yes
browsable = no
guest ok = no
- [profiles]
- The name of the share. In our case the share path will be \\DOMAINSRV\profiles
- comment = User profiles
- Description of the share
- path = /home/samba/profiles
- The local directory being shared
- valid users = %U
- The list of users allowed to connect. %U expands to the name of the user who just authenticated, so this effectively means "any authenticated domain user, no guests". It does not by itself keep users out of each other's profiles; that is done by the UNIX ownership of each profile directory together with the directory mode below.
- create mode = 0600
- A synonym for create mask: a mask of the permission bits a file created through this share may have. With 0600 group and others never get any permission, and since the owner of the file is the user who logged on, profile files are readable by that user ( and root ) only.
- directory mode = 0700
- Same as create mode but for directories ( a synonym for directory mask ). This is what keeps one user from listing or entering another user's profile directory.
- writable = yes
- Users can write to the share ( profiles are written back at logoff )
- browsable = no
- The share is not listed when a client browses the server. It can still be connected to by name, so this is tidiness, not access control.
- guest ok = no
- No guest access; a valid domain account and password are required
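As an added example ( not part of this tutorial, and not a Samba tool ), here is a small sh + awk script that audits the two sections above for the settings that keep profiles private. It embeds the tutorial's configuration and a constructed, weakened copy of it, needs no Samba installation, and complements testparm rather than replacing it: still run testparm on the real file. The Samba defaults it falls back to when a parameter is absent ( create mask 0744, directory mask 0755, browseable yes, guest ok no ) are those of the smb.conf man page, and it accepts the browsable / browseable and create mode / create mask spellings, which are synonyms.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit an smb.conf for the settings
# that keep roaming profiles private. Plain sh + awk, so it runs without
# Samba installed; it complements testparm, it does not replace it.

# The [global] and [profiles] sections as shown in the tutorial.
HARDENED_CONF='[global]
workgroup = DOMAIN
netbios name = DOMAINSRV
server string = %h server
passdb backend = tdbsam
security = user
name resolve order = wins bcast hosts
domain master = yes
domain logons = yes
preferred master = yes
wins support = yes
encrypt passwords = yes
logon path = \\DOMAINSRV\profiles\%U

[profiles]
comment = User profiles
path = /home/samba/profiles
valid users = %U
create mode = 0600
directory mode = 0700
writable = yes
browsable = no
guest ok = no'

# A constructed weak variant: guest access, listed in browse lists, no valid
# users restriction, and masks that leave group/other bits set, so every
# domain user (and guests) could read every other profile.
WEAK_CONF='[global]
workgroup = DOMAIN
security = user
domain logons = yes
encrypt passwords = yes

[profiles]
path = /home/samba/profiles
create mode = 0644
directory mode = 0755
writable = yes
browsable = yes
guest ok = yes'

# audit_smbconf CONFIG_TEXT
# Prints one FAIL line per finding; the exit status is the number of findings.
audit_smbconf() {
    printf '%s\n' "$1" | awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        # value of parameter k in section s, or the smb.conf default dflt
        function val(s, k, dflt) { return ((s, k) in set) ? set[s, k] : dflt }
        function fail(msg) { print "FAIL: " msg; n++ }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(trim(sec)); seen[sec] = 1; next
        }
        index($0, "=") > 0 {
            k = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            v = tolower(trim(substr($0, index($0, "=") + 1)))
            set[sec, k] = v
        }
        END {
            if (val("global", "security", "user") != "user")
                fail("[global] security must be user on a PDC")
            if (val("global", "encrypt passwords", "yes") == "no")
                fail("[global] encrypt passwords = no: modern clients refuse plaintext logons")
            if (val("global", "domain logons", "no") != "yes")
                fail("[global] domain logons = yes is needed to act as a PDC")
            if (!("profiles" in seen)) {
                fail("no [profiles] share for the logon path")
            } else {
                if (val("profiles", "guest ok", "no") == "yes")
                    fail("[profiles] guest ok = yes admits unauthenticated clients")
                b = val("profiles", "browsable", val("profiles", "browseable", "yes"))
                if (b == "yes")
                    fail("[profiles] is listed in browse lists (browsable = yes)")
                if (val("profiles", "valid users", "") == "")
                    fail("[profiles] has no valid users restriction")
                m = val("profiles", "create mode", val("profiles", "create mask", "0744"))
                if (substr(m, length(m) - 1) != "00")
                    fail("[profiles] create mode " m " leaves group/other bits on profile files")
                d = val("profiles", "directory mode", val("profiles", "directory mask", "0755"))
                if (substr(d, length(d) - 1) != "00")
                    fail("[profiles] directory mode " d " leaves group/other bits on profile directories")
            }
            exit n
        }'
}

# The tutorial config passes; the weak one reports five findings.
audit_smbconf "$HARDENED_CONF" && echo "tutorial config: OK"
audit_smbconf "$WEAK_CONF" || echo "weak config: $? finding(s)"
```

On a real server run it as audit_smbconf "$(cat /etc/samba/smb.conf)"; since the exit status is the number of findings, it drops straight into a deployment script that refuses to restart Samba on a nonzero result.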
nsswitch.conf
nsswitch.conf determines which sources Linux uses to resolve names ( users, hosts, services, etc. ). It is usually located at /etc/nsswitch.conf
We need to edit this file so that the system itself ( ping, ssh, anything that uses the resolver ) can resolve NetBIOS host names through WINS, not only Samba. This relies on the libnss_wins library that ships with Samba ( on most distributions it comes with the winbind package ). There should be a line for the hosts database ( note the plural: the key is hosts, not host ) like :
hosts: files dns mdns
We add the wins source after files, so that /etc/hosts is still consulted first :
hosts: files wins dns mdns
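The same edit done by script, as an added example that is not part of this tutorial: a sh + awk function that inserts wins right after files in the hosts: line, leaves a file that already has it unchanged, and refuses a file with no hosts: line instead of silently doing nothing. The sample nsswitch.conf content is constructed here; on a real system point it at /etc/nsswitch.conf as root.

```shell
#!/bin/sh
# Added example, not from the tutorial: add "wins" to the hosts: line of an
# nsswitch.conf without duplicating it, refusing a file that has no hosts:
# line instead of silently doing nothing. Plain sh + awk.

# rewrite_hosts_line FILE -> prints the rewritten file on stdout.
# "wins" goes right after "files" (so /etc/hosts still wins), or first if
# there is no "files" entry; a line that already has "wins" is left alone.
# Exit status: 0 = a hosts: line was found, 1 = none in the file.
rewrite_hosts_line() {
    awk '
        $1 == "hosts:" {
            found = 1
            for (i = 2; i <= NF; i++) if ($i == "wins") { print; next }
            out = $1; placed = 0
            for (i = 2; i <= NF; i++) {
                out = out " " $i
                if ($i == "files" && !placed) { out = out " wins"; placed = 1 }
            }
            if (!placed) out = $1 " wins" substr(out, length($1) + 1)
            print out; next
        }
        { print }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# add_wins_to_nsswitch FILE -> rewrites FILE in place; leaves it untouched
# and returns 1 when it has no hosts: line.
add_wins_to_nsswitch() {
    file=$1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    if rewrite_hosts_line "$file" > "$tmp"; then
        # Copy the content back rather than mv-ing the temp file over the
        # original: mv would give nsswitch.conf the 0600 mode mktemp used and
        # non-root processes could no longer read it at all.
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "no hosts: line in $file; nothing changed" >&2
        return 1
    fi
}

# hosts_line FILE -> prints the (first) hosts: line, for checking the result.
hosts_line() { awk '$1 == "hosts:" { print; exit }' "$1"; }

# Constructed sample, not a real system file, to show a before/after run.
sample=$(mktemp)
printf 'passwd:  files\nhosts:   files dns mdns\n' > "$sample"
add_wins_to_nsswitch "$sample" && hosts_line "$sample"   # hosts: files wins dns mdns
rm -f "$sample"
```

The rewrite normalizes the spacing of the hosts: line but touches nothing else in the file, and because the first pass leaves an existing wins entry alone the function is safe to run from a configuration script on every deploy.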
Create the profile path
In this case it will be something like the following. Note that, run as root with the default umask, this leaves the directory owned by root with mode 0755, so a domain user connecting as himself cannot create his own subdirectory at first logon and the roaming profile is never saved. Either make the directory writable by users with the sticky bit set ( like /tmp ), or pre-create each user's directory as root with mode 0700 and owned by that user.
# mkdir -p /home/samba/profiles
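An added example ( not from this tutorial ) of creating the profile root so that first logons can create their profile directory, with a check to run before restarting Samba. It assumes GNU coreutils ( stat -c ) and uses the /tmp model, mode 1777; the scratch directory it creates stands in for /home/samba/profiles.

```shell
#!/bin/sh
# Added example, not from the tutorial: create the profile root so that each
# user can create their own profile directory at first logon, and verify it
# before restarting Samba. Assumes GNU coreutils (stat -c).
# Mode 1777 is the /tmp model: anyone can create an entry underneath, and the
# sticky bit lets only the owner (or root) rename or delete it.

# prepare_profile_root DIR
prepare_profile_root() {
    mkdir -p "$1" && chmod 1777 "$1"
}

# check_profile_root DIR -> 0 when DIR is a real directory with mode 1777,
# 1 otherwise (reason on stderr). With a 0755 root every first logon fails to
# create its profile directory and the roaming profile is never saved.
check_profile_root() {
    dir=$1
    if [ -L "$dir" ]; then echo "$dir is a symlink" >&2; return 1; fi
    if [ ! -d "$dir" ]; then echo "$dir is not a directory" >&2; return 1; fi
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "1777" ]; then
        echo "$dir has mode $mode, want 1777" >&2
        return 1
    fi
    return 0
}

# Scratch location standing in for /home/samba/profiles.
root=$(mktemp -d)/profiles
prepare_profile_root "$root" && check_profile_root "$root" && echo "ok: $root"
```

The sticky bit stops one user from deleting or renaming another user's profile directory, but any local shell user can still create an empty directory under a 1777 root before its rightful owner first logs on. If such users exist on the server, keep the root at 0755 and pre-create each directory as root instead ( install -d -m 0700 -o rodo -g rodo /home/samba/profiles/rodo ); in that model check_profile_root does not apply.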
Restart the Samba server
Again, I am not explaining how to do this because it depends on the distribution.
Adding Users
The first thing to do is add the root user to the Samba database ( we need root to join machines to the domain ). Its Samba password is independent of the UNIX root password; choose a strong one, and a different one, because whoever has it can create machine accounts and administer the domain :
# smbpasswd -a root
Something to keep in mind is that there are two accounts behind every domain user. Samba checks the user name and password against its own database ( the NT hash in passdb.tdb ), but once you are authenticated smbd switches to a UNIX identity to read and write files on the server, so a UNIX account with the same name must exist. So in order to create a domain user we need to :
* Create a UNIX user account
* Create a Samba user / password pair
So… add the UNIX user account
# useradd rodo
Next… add the Samba account
# smbpasswd -a rodo
Then… we have a 'rodo' in our domain.
Note that a UNIX password is not necessary: Samba never checks it. Left unset, useradd keeps the account locked for local and SSH password logins, which is what you want for a pure domain user.
Joining a Windows workstation to the domain
Now you should be able to join a workstation to the domain using the root Samba account, and then log on from that workstation as rodo. One thing the configuration above does not cover yet: when a workstation joins, Samba creates a machine trust account ( the workstation's NetBIOS name followed by a $ ), and that account needs a UNIX account just like a user does. Either add an add machine script directive to [global] so the UNIX account is created on the fly when root joins the machine ( the smb.conf man page shows the usual useradd invocation ), or create it by hand before joining: useradd for the UNIX side, then smbpasswd -a -m with the machine name for the Samba side.


