4.3 Domain Control: Example Configuration
The first step in creating a working Samba PDC is to understand the parameters necessary in smb.conf. An example smb.conf for acting as a PDC can be found in Example 4.1.
Example 4.1 smb.conf for being a PDC
    [global]
        netbios name = BELERIAND
        workgroup = MIDEARTH
        passdb backend = tdbsam
        os level = 33
        preferred master = yes
        domain master = yes
        local master = yes
        security = user
        domain logons = yes
        logon path = \\%N\profiles\%u
        logon drive = H:
        logon home = \\homeserver\%u\winprofile
        logon script = logon.cmd

    [netlogon]
        path = /var/lib/samba/netlogon
        read only = yes
        write list = ntadmin

    [profiles]
        path = /var/lib/samba/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
The basic options shown in Example 4.1 are explained as follows:
passdb backend: This contains all the user and group account information. Acceptable values for a PDC are: smbpasswd, tdbsam, and ldapsam. The "guest" entry provides default accounts and is included by default; there is no need to add it explicitly.
Domain Control Parameters: The parameters os level, preferred master, domain master, security, encrypt passwords, and domain logons play a central role in assuring domain control and network logon support.
Environment Parameters: The parameters logon path, logon home, logon drive, and logon script are environment support settings that help to facilitate client logon operations and that help to provide automated control facilities to ease network management overheads. Please refer to the man page information for these parameters.
NETLOGON Share: The NETLOGON share plays a central role in domain logon and Domain Membership support. This share is provided on all Microsoft Domain Controllers. It is used to provide logon scripts, to store Group Policy files (NTConfig.POL), as well as to locate other common tools that may be needed for logon processing. This is an essential share on a Domain Controller.
PROFILE Share: This share is used to store user desktop profiles. Each user must have a directory at the root of this share. This directory must be write-enabled for the user and must be globally read-enabled. Samba-3 has a VFS module called "fake-permissions" that may be installed on this share. This will allow a Samba administrator to make the directory read-only to everyone. Of course, this is useful only after the profile has been properly created.
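The following Python sketch is an added example, not part of the original HOWTO or of Samba's own tooling. It checks an smb.conf against the settings explained above: the domain control parameters, the acceptable passdb backends, a read-only NETLOGON share and a writable profiles share. The function names, finding strings and sample inputs are assumptions constructed for illustration, and the check expects the [global] values to be set explicitly, as Example 4.1 does.

```python
PDC_BACKENDS = {"smbpasswd", "tdbsam", "ldapsam"}  # values the page lists for a PDC
YES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lower-cased."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def audit_pdc(text):
    """Return findings where the config departs from the PDC layout of Example 4.1."""
    conf = parse_smb_conf(text)
    g, findings = conf.get("global", {}), []
    # Assumption of this sketch: [global] values must be set explicitly.
    if g.get("security", "").lower() != "user":
        findings.append("security is not 'user'")
    for name in ("domain logons", "domain master"):
        if g.get(name, "no").lower() not in YES:
            findings.append(f"{name} is not enabled")
    backend = (g.get("passdb backend", "").split() or [""])[0].split(":")[0]
    if backend.lower() not in PDC_BACKENDS:
        findings.append(f"passdb backend '{backend}' is not a PDC backend")
    for share, want_ro in (("netlogon", True), ("profiles", False)):
        # Samba treats a share without "read only" as read-only.
        read_only = conf.get(share, {}).get("read only", "yes").lower() in YES
        if share not in conf:
            findings.append(f"[{share}] share is missing")
        elif read_only != want_ro:
            findings.append(f"[{share}] read only should be {'yes' if want_ro else 'no'}")
    return findings

# Constructed inputs: the audited subset of Example 4.1, then a broken variant.
EXAMPLE_4_1 = """[global]
passdb backend = tdbsam
domain master = yes
security = user
domain logons = yes
[netlogon]
read only = yes
[profiles]
read only = no"""
BROKEN = EXAMPLE_4_1.replace("logons = yes", "logons = no").replace("only = yes", "only = no")
```

Calling audit_pdc() on the text of a real smb.conf returns an empty list when these settings match; for the constructed BROKEN input it reports the disabled domain logons and the writable NETLOGON share.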