4.3 Domain Control Example Configuration

4.3 Domain Control ” Example Configuration

The first step in creating a working Samba PDC is to understand the parameters necessary in smb.conf . An example smb.conf for acting as a PDC can be found in Example 4.1.

Example 4.1 smb.conf for being a PDC
  [global]   netbios name = BELERIAND   workgroup = MIDEARTH   passdb backend = tdbsam   os level = 33   preferred master = yes   domain master = yes   local master = yes   security = user   domain logons = yes   logon path = \%N\profiles\%u   logon drive = H:   logon home = \homeserver\%u\winprofile   logon script = logon.cmd   [netlogon]   path = /var/lib/samba/netlogon   read only = yes   write list = ntadmin   [profiles]   path = /var/lib/samba/profiles   read only = no   create mask = 0600   directory mask = 0700  

The basic options shown in Example 4.1 are explained as follows :

passdb backend” This contains all the user and group account information. Acceptable values for a PDC are: smbpasswd, tdbsam, and ldapsam . The " guest " entry provides default accounts and is included by default, there is no need to add it explicitly.

Where use of backup Domain Controllers (BDCs) is intended, the only logical choice is to use LDAP so the passdb backend can be distributed. The tdbsam and smbpasswd files cannot effectively be distributed and therefore should not be used.

Domain Control Parameters” The parameters os level, preferred master, domain master, security, encrypt passwords, and domain logons play a central role in assuring domain control and network logon support.

The os level must be set at or above a value of 32. A Domain Controller must be the Domain Master Browser, must be set in user mode security, must support Microsoft-compatible encrypted passwords, and must provide the network logon service (domain logons). Encrypted passwords must be enabled. For more details on how to do this, refer to Chapter 10, Account Information Databases .

Environment Parameters” The parameters logon path, logon home, logon drive, and logon script are environment support settings that help to facilitate client logon operations and that help to provide automated control facilities to ease network management overheads. Please refer to the man page information for these parameters.

NETLOGON Share” The NETLOGON share plays a central role in domain logon and Domain Membership support. This share is provided on all Microsoft Domain Controllers. It is used to provide logon scripts, to store Group Policy files (NT-Config.POL), as well as to locate other common tools that may be needed for logon processing. This is an essential share on a Domain Controller.

PROFILE Share” This share is used to store user desktop profiles. Each user must have a directory at the root of this share. This directory must be write-enabled for the user and must be globally read-enabled. Samba-3 has a VFS module called " fake-permissions " that may be installed on this share. This will allow a Samba administrator to make the directory read-only to everyone. Of course this is useful only after the profile has been properly created.



The above parameters make for a full set of parameters that may define the server's mode of operation. The following smb.conf parameters are the essentials alone:

  netbios name = BELERIAND   workgroup = MIDEARTH   domain logons = Yes   domain master = Yes   security = User  

The additional parameters shown in the longer listing above just makes for a more complete explanation.

Official Samba-3 HOWTO and Reference Guide
The Official Samba-3 HOWTO and Reference Guide, 2nd Edition
ISBN: 0131882228
EAN: 2147483647
Year: 2005
Pages: 297

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net