When operating in a Windows NT domain, Samba can act either as a primary domain controller or as a domain member server.

A.2.1 Primary Domain Controller

Setting up Samba as a primary domain controller is more complicated than the other configurations. However, the extra difficulty is offset by having a more secure network and additional features such as logon scripts and roaming profiles. In the following configuration file, we also include support for a Microsoft Dfs share:

    [global]
        # Replace "toltec" with the hostname of your system.
        netbios name = toltec

        # Replace "METRAN" with the name of your Windows NT domain.
        workgroup = METRAN

        # Run a WINS server
        wins support = yes

        # Always act as the local master browser
        # and domain master browser. Do not allow
        # any other system to take over these roles!
        domain master = yes
        local master = yes
        preferred master = yes
        os level = 255

        # Perform domain authentication.
        security = user
        encrypt passwords = yes
        domain logons = yes

        # The location of user profiles for Windows NT/2000/XP.
        logon path = \\%L\profiles\%u\%m

        # Users' Windows home directories and storage of Win95/98/Me roaming profiles.
        logon drive = G:
        logon home = \\toltec\%u\.win_profile\%m

        # The following line is optional because
        # Samba always offers NetBIOS time service.
        # This causes it to also be advertised:
        time server = yes

        # The logon script used for all users,
        # Relative to [netlogon] share directory.
        logon script = logon.bat

        # The group identifying administrative users.
        # If you have domain users in the Domain Admins
        # group, use them here instead of "jay".
        domain admin group = root jay

        # For adding machine accounts automatically.
        # This example works on Linux. For other host
        # operating systems, you might need a different
        # command.
        add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

        # Provide Microsoft Dfs support.
        host msdfs = yes

    # The netlogon share is required for
    # functioning as the primary domain controller.
    # Make sure the directory used for the path exists.
    [netlogon]
        path = /usr/local/samba/lib/netlogon
        writable = no
        browsable = no

    # The profiles share is for storing
    # Windows NT/2000/XP roaming profiles.
    # Use your own path, and make sure
    # the directory exists.
    [profiles]
        path = /home/samba-ntprof
        writable = yes
        create mask = 0600
        directory mask = 0700
        browsable = no

    [homes]
        comment = Home Directory
        browsable = no
        read only = no
        map archive = yes

    # The Dfs share.
    # Use your own path, making
    # sure the directory exists.
    [dfs]
        comment = Dfs share
        path = /usr/local/samba/dfs
        msdfs root = yes

    # A shared directory, accessible by all domain users.
    # Use your own share name and path.
    [d]
        comment = %u's Home Directory
        path = /d
        create mask = 0700
        read only = no

See Chapter 4 for more information on configuring Samba as a primary domain controller, and see Chapter 8 for more information about setting up a Microsoft Dfs share.

A.2.2 Domain Member Server

In a domain that already has either a Samba PDC or Windows NT/2000 Server PDC, additional Samba servers can be added as domain member servers using the following configuration file:

    [global]
        # Replace "mixtec" with the system's hostname.
        netbios name = mixtec

        # Replace "METRAN" with the name of your domain.
        workgroup = METRAN

        # Replace "172.16.1.1" with the
        # IP address of your WINS server.
        wins server = 172.16.1.1

        os level = 33
        security = domain
        encrypt passwords = yes
        password server = *

    # Home directories.
    [homes]
        comment = %u's Home Directory
        browsable = no
        read only = no
        map archive = yes

    # This is an example printers
    # share, which works for Linux.
    [printers]
        printable = yes
        printing = BSD
        print command = /usr/bin/lpr -P%p %s
        path = /var/tmp
        min print space = 2000

    # A shared directory, accessible by all domain users.
    # Use your own share name and path.
    [d]
        path = /d
        create mask = 0755
        read only = no

See Chapter 10 for more information on sharing printers with Samba.
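
The PDC file in A.2.1 depends on a few settings staying as shown: encrypted passwords, a read-only [netlogon] share (its logon script runs for every user), and owner-only masks on [profiles]. The following Python check is an added example, not part of the original appendix; the function names and the constructed sample file are assumptions of the example, and a missing encrypt passwords line is treated as disabled, which assumes an older Samba release whose default is no.

```python
import configparser
TRUE = {"yes", "true", "on", "1"}  # boolean spellings Samba accepts

def load(text):
    """Parse smb.conf text; names ignore case and spaces, as Samba does."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = lambda k: k.replace(" ", "").lower()
    # Strip indentation so no line is read as a continuation of the last.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {name.lower(): dict(sec) for name, sec in cp.items()}

def writable(share):
    """Effective write access from 'read only' or its inverted synonyms."""
    for key in ("writable", "writeable", "writeok"):
        if key in share:
            return share[key].lower() in TRUE
    return share.get("readonly", "yes").lower() not in TRUE

def audit(text):
    """Return findings for the settings the PDC configuration relies on."""
    conf, findings = load(text), []
    g = conf.get("global", {})
    # Assumption: a missing line means "no" (default of older Samba releases).
    if g.get("encryptpasswords", "no").lower() not in TRUE:
        findings.append("global: encrypt passwords is not enabled")
    if g.get("domainlogons", "no").lower() in TRUE:
        if "netlogon" not in conf:
            findings.append("netlogon: share missing but domain logons = yes")
        elif writable(conf["netlogon"]):
            findings.append("netlogon: share is writable")
    # Samba defaults (0744 / 0755) leave profiles readable by group and other.
    for key, default in (("createmask", "0744"), ("directorymask", "0755")):
        if "profiles" in conf and int(conf["profiles"].get(key, default), 8) & 0o077:
            findings.append(f"profiles: {key} grants group/other access")
    return findings

# Constructed sample: a PDC file with the hardening lines removed or flipped.
SAMPLE_WEAK = """
[global]
    security = user
    domain logons = yes
[netlogon]
    writable = yes
[profiles]
    create mask = 0600
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_WEAK)))
```

Run against the two files in this appendix, audit() returns an empty list; the constructed sample produces three findings.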